Warren Unveils New Investigative Report Uncovering Equifax’s Failure to Protect Americans’ Personal Data

 Report Released Amid News that Mick Mulvaney has Pulled Back Equifax Probe Report Highlights Need for Warren-Warner Bill to Hold Credit Reporting Agencies Accountable

Link to report (PDF) Washington, DC – United States Senator Elizabeth Warren (D-Mass.) today released a new 15-page report containing the findings of a four-month long investigation into how Equifax failed to protect the personal data of more than 145 million Americans. The report concludes that Equifax set up a flawed system to prevent and mitigate data security problems, ignored numerous warnings of risks to sensitive data, failed to notify consumers, investors, and regulators about the breach in a timely fashion, took advantage of federal contracting loopholes and failed to protect IRS taxpayer data, and inadequately assisted consumers following the breach.

On September 7, 2017, Equifax revealed an extraordinary breach of sensitive information belonging to over 145 million Americans – one of the largest and most significant data security lapses in history. One week after Equifax revealed this breach, Senator Warren opened an investigation into the causes, impacts, and response to the exposure of millions of Americans’ personal data. She questioned Equifax executives in Senate hearings, consulted outside experts, and sent letters containing dozens of questions to Equifax, to federal regulators, and to other credit reporting agencies. This resulted in robust and important findings on how Equifax failed to protect the data of millions of American consumers.

Reuters recently reported that Office of Management and Budget Director Mick Mulvaney, who has taken over operational control of the Consumer Financial Protection Bureau (CFPB), has “pulled back” from a probe into Equifax’s failure to protect Americans’ personal information. According to Reuters, Mr. Mulvaney “has not ordered subpoenas against Equifax or sought sworn testimony from executives.” He’s also “rebuffed bank regulators at the Federal Reserve, Federal Deposit Insurance Corp and Office of the Comptroller of the Currency when they offered to help with on-site exams of credit bureaus.”

“For years, Equifax and other big credit reporting agencies have been able to get away with profiting off cheating people. Our report provides answers about what went wrong at Equifax and concludes that to hold Equifax and its peers accountable, we need real consequences for when they screw up.”

“The American public deserves answers – and Mick Mulvaney needs to let the CFPB do its job and investigate Equifax’s massive data breach, not shut it down.”

Senator Warren’s report demonstrates that credit reporting agencies like Equifax need much stronger financial incentives to adequately protect consumer data. The Warren-Warner bill would do just that by giving the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, imposing mandatory penalties on CRAs to incentivize adequate protection of consumer data, and providing robust compensation to consumers for stolen data.

Since the Equifax breach was revealed, Senator Warren has:


  • Unveiled legislation with Senator Mark Warner (D-Va.) to hold credit reporting agencies accountable for data breaches.
  • Raised concerns with Senator Ben Sasse (R-Neb.) about $7.2 million IRS contract awarded to Equifax despite the company’s recent massive data breach.
  • Questioned former Equifax CEO Richard Smith if the breach created new business opportunities for the company.
  • Sent a letter with questions to former Equifax CEO Richard Smith and interim Equifax CEO Paulino do Rego Barros about the data breach.
  • Expanded her investigation into Equifax breach information requests to the SEC, Equifax Board of Directors, and Department of Homeland Security.
  • Urged EEOC chair nominee to prevent employers from discriminating based on credit histories following Equifax hack.
  • Introduced legislation with Senator Brian Schatz (D-Hawaii) to give control of credit information back to consumers.