Millions of Americans are worried that their credit information and Social Security numbers may have been among the 143 million records breached in an unprecedented hack that attacked Equifax, the credit reporting company. But there’s more to the story. While Equifax and the Social Security Administration aren’t talking about it, Equifax was also hired a year ago, on a $10 million contract, to “help the SSA manage risk and mitigate fraud for the mySocialSecurity system, a personalized portal for customers to access some of SSA’s services such as the online statement.”
That's how the company put it in a press release on Feb. 10, 2016. In that announcement, Equifax also boasted that the Social Security Administration “has completed integration with Equifax Inc.”
Despite Equifax’s self-described intimate role in providing security and preventing fraud on the Social Security System’s public access website for current workers and beneficiaries, there has been no indication that the Social Security Administration is concerned about whether weaknesses in Equifax’s own customer portal security -- such as the Apache tool on which the company is blaming the breach -- might have been involved in its security work for the mySocialSecurity portal.
Efforts by Salon to ascertain the extent of Equifax’s actual work on the construction and operation of the SSA portal, or what if anything the SSA has done in the wake of its contractor’s security breach to protect that portal’s security, met with no success.
Repeated calls and emails to the public affairs office of the SSA elicited the recommendation to “contact Equifax,” though our questions involved issues concerning the agency, not the corporate contractor.
Chief public information officer Mark Hinkle wrote in an email reply that Social Security, not Equifax, “runs the mySocialSecurity portal.” But when asked whether the SSA was concerned about whether any weaknesses in Equifax’s own security system may have been introduced into the security system and protocol the company set up for the mySocialSecurity portal -- and also when asked when the SSA was informed by Equifax about its security breach (when it happened in mid-July? or six weeks later when the company went public with the news?), Hinkle said the agency would have no comment.
Equifax also failed to respond to phone and email inquiries from Salon about its work for the Social Security Administration portal. A company public relations official only emailed to say the request had been received, and referred the reporter to a company website for consumers concerned about the Equifax breach. There was no reference there to the company’s security work for the Social Security Administration portal.
Especially as budget cuts reduce agency staff, the mySocialSecurity portal is where increasing numbers of people check their Social Security earnings record, and what kinds of benefits they can expect to receive on retirement. It's also where they can make decisions like when to file for benefits as well as how they want to receive them (for example, as checks in the mail or by direct deposit to a bank account).
But since there are other ways to communicate with SSA -- people can still use the phone or visit a Social Security office — it is perhaps surprising, if the portal faces a heightened hacking risk, that it hasn’t been temporarily closed to fix any possible security flaws.
In any event, it is striking that the SSA has been so tight-lipped about its work with Equifax. The only mention of the company and the data breach was a note on the mySocialSecurity login page, posted on Sept. 8, assuring visitors that “Social Security never shares Social Security numbers with Equifax.” That of course is not the issue. In any event, Equifax already has Social Security numbers for virtually everyone in its credit data base, since those numbers are required by lenders, credit card companies and anyone else offering money or goods on credit.
The question the Social Security Administration must address is whether the epic Equifax data breach in any way suggests weaknesses in the security work the company did for the SSA under contract for its customer access portal.
So far, the silence from the SSA regarding the Equifax contract has kept that aspect of the story completely out of mainstream media reports, which have been all about Equifax — even when it comes to the vulnerability of Social Security numbers in its own computer files. But that’s about to change.
Informed by Salon about the Equifax mySocialSecurity security contract, and about the company’s description of itself as “completely integrated” with the Social Security Administration, Sen. Sherrod Brown, D-Ohio, the ranking minority member of the Senate Finance Committee’s subcommittee on Social Security and pensions, said:
The Social Security Administration’s partnership with Equifax raises serious questions about the security of Americans’ most sensitive information, and they owe the American people answers immediately. We need to know whether Social Security data is vulnerable to cybercriminals, and I intend to find out exactly what’s being done to ensure every single American is protected.
Brown’s office says the senator is working on a letter to the agency demanding answers on the security of its customer portal, and that he hopes to find co-signers among Republican members of the subcommittee. Brown's letter will also ask SSA to take steps to nullify its contract with Equifax and seek a new contractor to assess vulnerabilities, as well as ask SSA to recommend Equifax for disbarment, which would prohibit the company from obtaining any further government contracts.