Lipinski Shares Frustration About Equifax Hack; Shows the Need for Greater Focus on Cybersecurity

Congressman Dan Lipinski (IL-3) shares the anger and frustration of his constituents and millions of other Americans following reports of yet another massive cybersecurity breach in our country.  Personal information, including Social Security numbers, for as many as 143 million U.S. consumers was exposed in the Equifax hack.  The attackers stole private data by exploiting a weakness in the commonly used Apache Struts framework, an open source programming environment for building web applications.

“This is not only the failure of Equifax, but also regulators at the state and federal level, to have permitted such a cyber breach to have occurred,” said Rep. Lipinski.  “Nearly every adult American relies on credit agencies for their day-to-day financial business, and to protect their credit worthiness.  Equifax must be held accountable for the failure of its computer system protections, and Congress must conduct immediate oversight of the Security and Exchange Commission and other agencies that should assure the proper conduct of Equifax and other private credit agencies.  While the offer of credit freezes and some limited reporting is an important step, Equifax can and should do more to protect credit and personal information, and we should consider new federal rules to address this breach and prevent future intrusions.”

In addition, Lipinski has written to Office of Management and Budget (OMB) Director Mick Mulvaney inquiring about the extent of federal agency use of the Apache Struts framework and the potential susceptibility to the type of attack waged against Equifax.  Federal agencies such as the Internal Revenue Service, the Social Security Administration, and the Department of Education store and process significant amounts of sensitive consumer data and the public is justifiably concerned about security.

“Web applications built in the Apache Struts framework are widely used,” stated Lipinski in a letter to Mulvaney.  “By one estimate, at least 65% of Fortune 100 companies make use of the technology.  Given its ubiquity in the private sector, it is likely that the Struts framework was also used to build government web applications.  The Equifax attackers exploited one of two Struts vulnerabilities and, while it is not yet clear which one was targeted, the Apache Software Foundation released patches for both this year, with the most recent being issued on September 4th.  While I am encouraged to see that both vulnerabilities and associated patches are listed on the U.S. Computer Emergency Readiness Team’s website, indicating that the appropriate branch of the Government is aware of the issue, I am concerned that not all agency computer systems may have been updated.”

The House Science, Space, and Technology Committee has jurisdiction over cyber issues, particularly with the Federal government.  As a matter of oversight in his role as a senior member of the Committee, Lipinski is asking Director Mulvaney to provide information on how widely used the Apache Struts framework is within federal agencies, and whether each agency has patched its software to eliminate the vulnerability.

In the 113th Congress, Lipinski’s Cybersecurity Enhancement Act was passed and became law.  This law was designed to increase the security of federal networks and information systems, improve the transfer of cybersecurity technologies to the marketplace, coordinate and prioritize federal cybersecurity research and development efforts, and train a cybersecurity workforce. 

“With so much at stake for everyone, I look forward to hearing what the credit agencies have to say in front of Congress,” Lipinski said.  “These businesses have an especially large impact on the lives of people in my district and across the country, so they need to be held accountable.  We need to learn more about the vulnerability that led to this attack and the steps that are being taken in government and elsewhere to make sure that important customer information is being protected.  It is critical that we build on what my bill started and make cybersecurity more of a priority, both in the public and private sectors.”  

Letter to Equifax (09/18/17 04:50 PM ET)
Letter to OMB (09/14/17 02:48 PM ET)