WASHINGTON, D.C. – U.S. Sens. Sherrod Brown (D-OH) and Bill Cassidy (R-LA) – leaders of the Senate Subcommittee on Social Security – are demanding answers following reports that the Social Security Administration (SSA) contracted with Equifax for the online portal, known as mySocialSecurity. Equifax’s own system was hacked in July, exposing 143 million Americans to identity theft.
According to public records, SSA contracted with Equifax to develop, maintain and support SSA’s E-Authentication program starting on February 25, 2015. According to a press release sent by Equifax on February 10, 2016, SSA had “completed integration” with Equifax.
Brown and Cassidy are asking SSA to provide, within five business days, a detailed accounting of all steps the Administration has taken to ensure Americans’ data is secure, and to outline whether additional resources are needed to effectively assess potential compromises to the SSA online system. The Senators are also seeking information as to the nature of Equifax’s work for SSA, including whether the Apache web application, which was implicated in the Equifax breach, has been used at SSA. They also seek an outline of all contingency plans SSA has in place to protect Americans’ data if a breach were to occur. The Senators say SSA should conduct a full investigation into Equifax’s contract to determine whether SSA should take steps to nullify that contract and consider recommending Equifax for debarment from all federal contracts in order to protect Americans’ data and taxpayer dollars.
“Given Equifax’s recent security breach, this partnership raises serious questions as to whether the personal data SSA maintains on behalf of all Americans may be at risk of identity theft or other cybersecurity threats. In addition to an immediate threat assessment, we request information regarding the steps you will take to remedy any potential breach of SSA’s online systems and what resources are necessary for SSA to ensure that the data of every single American is safe,” the Senators wrote to SSA Acting Commissioner Nancy Berryhill.
In light of the Equifax breach and ongoing questions about the security of online data, the Senators are also asking SSA to reconsider its Vision 2020 program, which intends to force more Americans to interact with SSA online by downsizing staff and field offices.
Complete text of the Senators’ letter to SSA Acting Commissioner Nancy Berryhill is below.
Nancy Berryhill
Acting Commissioner
Office of the Commissioner
Social Security Administration
6401 Security Boulevard
Baltimore, Maryland 21235-6401
Dear Acting Commissioner Berryhill:
We are writing in regards to the partnership between the Social Security Administration (SSA) and Equifax, reported by various news outlets in recent days. Given Equifax’s recent security breach, this partnership raises serious questions as to whether the personal data SSA maintains on behalf of all Americans may be at risk of identity theft or other cybersecurity threats. In addition to an immediate threat assessment, we request information regarding the steps you will take to remedy any potential breach of SSA’s online systems and what resources are necessary for SSA to ensure that the data of every single American is safe.
According to public records, SSA contracted with Equifax to develop, maintain, and support SSA’s E-Authentication program starting on February 25, 2015. According to a February 10, 2016, Equifax press release, SSA had “completed integration” with Equifax.
On September 7, 2017, Equifax notified the public and Congress that it had been subject to an enormous security breach that compromised the personal data of 143 million Americans. While investigations are ongoing, it appears that Equifax failed to undertake routine security patches, allowing hackers to gain continuous access to extremely sensitive personal data for weeks.
As a result, nearly half of all Americans are exposed to potential credit and identity fraud due to Equifax’s failure to follow security protocols and its delayed and ineffective response to these breaches. While Equifax claims it has resolved this particular security flaw as of July 29, 2017, it has not explained how its network and information security policies allowed for this lapse in the first place.
On September 8, 2017, the following statement was posted to SSA.gov, “Although we sometimes use Equifax to help verify your identity when setting up a mySocial Security account, Social Security never shares Social Security numbers with Equifax. For concerns regarding the Equifax data breach, please contact Equifax directly . . .”
We are concerned, however, that the statement may not comprehensively describe the relationship between Equifax and SSA. Instead, it appears Equifax built, maintained, and supported SSA platforms. If that is the case, SSA’s users could be vulnerable to the same breach that targeted Equifax, whether or not SSA proactively shared Social Security numbers with the company.
In light of these circumstances, we respectfully ask that you promptly provide us with detailed answers to the questions below.
Our questions are as follows:
Finally, in addition to prompt and thorough responses to the following questions, we ask for your assurance that after a thorough investigation, SSA will take any and all appropriate actions that the fact pattern warrants including taking steps to nullify its contract with Equifax and assess whether a new contractor would be better equipped to address potential vulnerabilities as well as consideration of the merits of a recommendation of debarment of Equifax to the GSA Interagency Suspension & Debarment Committee – preventing the company from soliciting offers for, obtaining additional, and renewing federal contracts. If any of these steps have already been taken, please provide additional details, including the dates of such steps.
Due to the time-sensitive nature of these issues, we ask that you transmit answers to us no later than five business days following the receipt of this letter. Thank you for prompt attention to this matter.
Sincerely,
U.S. Senator Sherrod Brown (D-OH), Ranking Member of the Senate Subcommittee on Social Security
U.S. Senator Bill Cassidy (R-LA), Chairman of the Senate Subcommittee on Social Security