The New Vulnerabilities Equities Policy and Process Charter

An updated “Vulnerabilities Equities Policy and Process for the United States Government” charter was released on 15 NOV 2017 and describes the decision-making process for determining whether new vulnerabilities found by US government departments and agencies are disclosed or restricted.  

According to the White House Fact Sheet (pdf) on the Vulnerability Equities Process (VEP), the new charter “determines whether the Government will notify a private company about a cybersecurity flaw in its product or service or refrain from disclosing the flaw so it can be used for operational or intelligence gathering purposes.”

Rob Joyce, White House Cybersecurity Coordinator, outlined “key tenets” of the new The Vulnerability Equities Process (VEP) in a White House blog post about the process

  • Improved transparency is critical.
  • The interests of all stakeholders must be fairly represented.
  • Accountability of the process and those who operate it is important to establish confidence in those served by it.
  • Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate.

Joyce discussed the difficulties that accompany updating the VEP in his White House blog post, “The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace.”

The White House Fact Sheet on the VEP (pdf) states that “new and not publicly known cyber vulnerabilities are reviewed by multiple departments and agencies to determine whether they should be disclosed to the public using what is known as the VEP. At its most basic, the VEP balances whether to disclose vulnerability information in the expectation that the vulnerability will be patched, or temporarily restrict the knowledge of the vulnerability to the Federal Government so it can be used for national security or law enforcement purposes.”

Joyce, formerly of the National Security Agency, would be familiar with what he describes as  “the tension that exists between the desire to publicize every vulnerability discovered by the Federal Government in the conduct of its law enforcement and national security responsibilities and the need to preserve some select capability for action against extremely capable actors whose actions might otherwise go undiscovered and unchecked.”


The White House, Vulnerabilities Equities Policy and Process

for the United States Government

The White House, White House Fact Sheet on VEP

The White House blog (Rob Joyce), Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do

Fifth Domain, White House calls for greater transparency in cyber Vulnerability Equities Process

Dark Reading, White House Releases New Charter for Using, Disclosing Security Vulnerabilities

Global Weekly Executive Summary, 09 NOV 2017

Chinese APTs Renew Corporate Espionage Operations Against US Companies

Two years after the US and China agreed not to conduct or support cyber operations against each other in ways that would affect the commercial sector, new threat intelligence research from PwC seems to indicate that China has recently renewed corporate espionage efforts targeting US companies efforts after a period of decreased activity.

Key Details

  • According to the White House Press Office Archives, “On September 24-25, 2015, President Barack Obama hosted President Xi Jinping of China for a State visit.” “The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
  • Recent examples of suspected Chinese cyberespionage operations targeting US companies include the CCleaner supply-chain malware incident and the KeyBoys cyberespionage campaign.
    • The CCleaner malware/backdoor attacks in September 2017 targeted US tech companies Google, Microsoft, Intel, and VMware and seems to have been created to collect corporate intelligence. For more details about the CCleaner, read our CSCC Forensics article on the CCleaner supply-chain malware.
    • The KeyBoys data theft campaign during Fall 2017 targeted Western organizations that included several unnamed US companies.
      • The KeyBoys is a known threat actor who has altered their pattern to target Western organizations, likely for corporate espionage.
      • The KeyBoys are thought to be “a hacking group based in or operating from China, and is mainly engaged in espionage activity” (PwC Blog)
      • The KeyBoys has also updated their TTPs and are now “using a specially crafted Microsoft Word document using the Dynamic Data Exchange (DDE) protocol to fetch/download remote payloads.” (InfoSecurity Magazine)
      • Microsoft issued an advisory for mitigating DDE attacks on 8 November 2017 after multiple threat actors recently began using this style of attack.


  • There was a decrease in corporate espionage activity from China after the 2015 US-China agreement to cease cyberespionage operations, including intellectual property theft, that would affect private sector companies.
  • On 4 October 2017, the US Department of Justice and the Chinese counterpart met and reaffirmed both countries’ support of the 2015 agreements.


The White House Press Office Archives, FACT SHEET: President Xi Jinping’s State Visit to the United States


US Department of Justice, Office of Public Affairs News Release, First U.S.-China Law Enforcement and Cybersecurity Dialogue

InfoSecurity Magazine, Chinese KeyBoy Group Unlocks More Victim Networks

PwC Blog, The KeyBoys are back in town

PwC, The KeyBoys are back in town

Global Weekly Executive Summary, 20 OCT 2017

British Intelligence Suspects Iran in Parliament Email Attacks

British intelligence now suspects that Iran was the source of the June 2017 brute force attacks against 9,000 UK Parliament email accounts.

Key Details:

  • On 23 June of 2017, 9,000 UK parliamentary email accounts were targeted in a 12-hour long brute force attack that included 200,000 attempts to access accounts. (BBC)
  • The accounts of Prime Minister Theresa May and other senior ministers were among those targeted. (Guardian)  
  • Up to 90 Members of Parliament (MP) accounts were compromised because of weak password use. (Times)(Guardian)
  • UK government officials say that although fewer that 1% of the email accounts were compromised, they assume that some sensitive materials were accessed. (Times)
  • Prime Minister May’s emails were considered safe because she uses the more secure account associated with her role as Prime Minister rather than her parliamentary account. (Times)
  • Iran, or groups working in the interests of the Iranian government, have been suspected in major cyber attacks in the past, but they have not been known to target the UK in the past.

Supporting Details:

  • Previously, the attacks were suspected to be state-sponsored, with Russia or North Korea considered to be the possible perpetrators because those countries were believed to be behind previous cyber incidents in the UK. (BBC, Guardian)
  • Articles in The Times and The Guardian revived the story of the June 2017  attack this week, citing “an unpublished assessment by British intelligence” that attributed the attacks to Iran. (Guardian) The Times described “a secret intelligence assessment” as the source for this new attribution.
  • The creator and source of the “unpublished assessment by British intelligence” is not named, but the document was reported on by The Times was independently verified by The Guardian. (SC)
  • The UK National Cyber Security Centre (NCSC) spokesperson declined to confirm or comment on the report “while inquiries are ongoing.” (Guardian)


  • This seems to be Iran’s first “significant cyber-attack on a British target” (SC), This may signal Iran’s desire to be considered a leading global “cyberpower.” (Times)
  • Iran is believed to be behind the destructive Shamoon attacks targeting Saudi Aramco and other energy companies in Saudi Arabia. Other cyber campaigns attributed to  Iran include the 2016-2017 “Mia Ash” espionage campaign thought to have been used to compromise the Deloitte accounting firm, the 2011-2013 DDOS attacks on 46 American banks and financial institutions and an attempt at shutting down a New York dam (Reuters) (Hill), and GPS disruption/spoofing of ships in the Persian Gulf. (Times)
  • The 2015 “The DOD Cyber Strategy” document states, “While Iran and North Korea have less developed cyber capabilities, they have displayed an overt level of hostile intent towards the United States and U.S. interests in cyberspace.”  (DOD pdf)
  • This news comes at a time of increased tension between Iran, The UK, and the United States. President Trump has considered withdrawing from the 2015 Iran nuclear deal while the UK, France, and Germany have reaffirmed support of the deal. (BBC)
  • The Times raised a possible theory, “Some experts believe it is possible that elements of Iran’s Islamic Revolutionary Guard Corps are using cyber-attacks to undermine the deal because they want the country to resume its weapons programme.” (Times)


SC Media, Iran is being blamed for a cyber-attack against Parliamentary emails

BBC, Iran blamed for Parliament cyber-attack

The Times, Iran attacks 9,000 email accounts in parliament

The Times, Hack attack on parliament brings Tehran out from cyber-shadows

The Guardian, Iran to blame for cyber-attack on MPs’ emails – British intelligence

NYT, British Parliament Hit by Cyberattack, Affecting Email Access

The Guardian, Cyber-attack on parliament leaves MPs unable to access emails

BBC, Iran nuclear deal: Global powers stand by pact despite Trump threat

Reuters, U.S. indicts Iranians for hacking dozens of banks, New York dam

BBC, ‘It was always going to happen’: Inside the cyber-attack on parliament

BBC, Parliament cyber-attack ‘hit up to 90 users’

The Hill, US sanctions Iranian nationals for cyberattacks against banks

Forbes, Iranian Hackers Targeted Deloitte Via A Seriously Convincing Facebook Fake, The DOD Cyber Strategy

Hawaii Locations Included in Hyatt Hotels Breach

Hyatt Hotels announced that they had been hit with their second payment card breach in as many years. According the a message from Hyatt’s Global President of Operations, this breach involved “unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations” this spring and summer. Hyatt’s informational webpage on the breach included a list of 41 locations spread across 13 countries affected by the breach, including three locations in Hawaii. The Grand Hyatt Kauai Resort and Spa in Koloa, The Hyatt Regency Maui Resort and Spa in Lahaina, and The Andaz Maui at Wailea Resort in Wailea were all affected from 18 March to 2 July 2017.

The statement continues, “Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” and that the data accessed was “cardholder name, card number, expiration date and internal verification code.”

Read more:

Dark Reading, Hyatt Hit With Another Credit Card Breach


Hyatt, Protecting Our Customers, HOTEL LIST

Threatpost, Hyatt Hit By Credit Card Breach, Again

Global Weekly Executive Summary, 13 October 2017

New Security Problem for Equifax Website

On Wednesday, 11 October, a security researcher documented that the Equifax website was redirecting customers looking for credit reports to to a webpage with a false Flash Player Update screen. The fake update downloads the file MediaDownloaderIron.exe and is classified as adware. According to a HelpNet Security article, the malicious script causing the redirects was found to be “part of the code of a third-party vendor that Equifax uses to collect website performance data.” After initially disabling the page, Equifax removed the script causing the redirects.

Read more:

Security Through Absurdity, New Equifax Website Compromise

HelpNet Security, Equifax’s site hacked to redirect info-seeking visitors to adware

HelpNet Security, Compromised analytics provider made Equifax’s site point to malware


Hyatt Hotels Hit with Second Breach

Hyatt Hotels announced that they had been hit with their second payment card breach in as many years. According the a message from Hyatt’s Global President of Operations, this breach involved “unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations” this spring and summer. Hyatt’s informational webpage on the breach included a list of 41 locations spread across 13 countries affected by the breach, including three locations in Hawaii. The Grand Hyatt Kauai Resort and Spa in Koloa, The Hyatt Regency Maui Resort and Spa in Lahaina, and The Andaz Maui at Wailea Resort in Wailea were all affected from 18 March to 2 July 2017.

The statement continues, “Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” and that the data accessed was “cardholder name, card number, expiration date and internal verification code.”

Read more:

Dark Reading, Hyatt Hit With Another Credit Card Breach


Hyatt, Protecting Our Customers, HOTEL LIST

Threatpost, Hyatt Hit By Credit Card Breach, Again

Global Weekly Executive Summary, 06 OCT 2017

Yahoo Breaches Affected All 3 Billion Accounts

The 2013-2016 Yahoo data breaches that affected 1 billion user accounts were infamous for being the largest on record since they were announced in December 2016. On 3 October, Yahoo announced that the 2013 breach was larger than previously thought, likely affecting all of the 3 billion Yahoo user accounts that existed at the time.


  • In August 2013, an unknown attacker stole data associated with all existing Yahoo user account.
  • The types of data stolen were “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” (Source: Yahoo 2013 Account Security Update FAQs)
  • Cleartext passwords, payment card data, and bank account information were not among the stolen information.
  • The August 2013 breach was the first of three large Yahoo data breaches. The second occurred in late 2014, and the third occurred in 2015 and 2016.
  • Yahoo has said that they believe that “an unauthorized third party accessed our proprietary code to learn how to forge cookies.” and that they “were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password.” “Outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.”
  • Yahoo stated that “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company” They did not clarify which state they believed was behind the theft.
  • The US Department of Justice has charged two Russian Federal Security Service (FSB) officers and two hackers in connection with the 2014 breach.
  • Yahoo used MD5 to hash passwords prior to the August 2013 breach. They began using the bcrypt password hashing mechanism later in 2013.
  • In December 2016, Yahoo required a password change for all users who had not changed their password since the breach. They also invalidated unencrypted security questions that could be used to access an account.
  • Yahoo was acquired by Verizon and became a part of Oath, an umbrella company that covers AOL, Yahoo, and the brands that operated under those companies like Tumblr, Flickr, MapQuest, HuffPost, Endgaget, and Moviefone.
  • In September 2017, a US District Judge ruled that Yahoo must face litigation on behalf of the users whose personal information was stolen in the breaches.

Significance: The largest data breach in history is now even larger, and it took nearly a year of investigation with the assistance of outside experts to determine the real scope of the breach. We may find this pattern repeating in other breaches like the recent Equifax data breach which initially reported that 143 million US customers were affected before revising the number upward to 145 million in the US with 300,000 in the UK.  Security professional have questioned how billions of user records could have been exfiltrated before the Yahoo security team noticed the they were compromised.


Yahoo, Yahoo 2013 Account Security Update FAQs

Oath, Yahoo provides notice to additional users affected by previously disclosed 2013 data theft

Yahoo, Important Security Information for Yahoo Users

Reuters, Yahoo must face litigation by data breach victims: U.S. judge

Global Weekly Executive Summary, 29 SEPT 2017

Deloitte Data Breach

Multinational accounting and auditing firm Deloitte was the victim of a major cyberattack that lead to unauthorized access to the company’s internal email systems. Staff and client data was stolen, including usernames, passwords, IP addresses, business diagrams, and health information and email “attachments with sensitive security and design details.”

When did it happen?

Deloitte says they discovered the breach in March 2017, but several articles claim the company’s email servers may have been compromised as early as October 2016 when the company sent out a mandatory password reset email.

Who is Deloitte?

Deloitte, a multinational professional services firm with headquarters in London and New York City, is known as one of the “Big Four” professional services companies in the world. According to Deloitte’s American website, they offer the following services: tax, mergers/acquisitions, growth enterprise services, analytics, audit/assurance, consulting, and financial and risk advisory. Their risk advisory services include cyber risk advising and a CyberIntelligence Centre that monitors and assesses for threats and handles incident response.

Who was affected?

According to The Guardian, Deloitte clients include “some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and governmental agencies.”

A Deloitte spokesman said, “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.” In fact, six unidentified Deloitte clients were notified. The spokesman described the number of emails at risk as a fraction of the 5 million emails estimated to be stored in the Azure cloud service.

An insider source cited by security researcher Brian Krebs in his article says the breach is likely more far-reaching than reported by Deloitte. The source states that the entire internal database and all administrator accounts were compromised. “This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free reign in the network for “a long time” and that the company still does not know exactly how much total data was taken.”

How did this happen?

Deloitte’s global email server was compromised though an administrator’s account which was secured by a password but did not use two-factor authentication. Two-factor authentication could have prevented the breach or notified the account owner of unauthorized access. Multi-factor authentication is available for Azure administrator accounts at no additional cost, according to Microsoft Azure’s Multi-Factor Authentication webpage.

According to the Guardian article, “Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft… In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.”

Who did it?


The perpetrators and the extent of the breach are still unknown or have not been reported to the general public. Investigations are ongoing and have been in process for six month, since the breach was discovered in March 2017.

No group has claimed responsibility, but the motive is likely information/intelligence gathering for a threat group’s own use or for financial gain.

Why is this breach significant?

Deloitte, as one of the “Big Four,” has a client list that includes some of the largest, most well-known, and powerful companies in the world. This client list is made up of organizations with household name recognition but also includes US governmental departments.

A data breach that affects Deloitte also affects their many high-profile clients, but the breach was not announced until six months after it was discovered. Deloitte finally publicly confirmed the data breach after an article was published in The Guardian.

The type of information stolen was also important. Usernames and passwords were stolen, but health information, security details, and intellectual property like design details and diagrams were also taken.

This breach is also significant because Deloitte provides cyber risk assessment and advisory services to their powerful clients, but their own staff did not follow basic security measures such as requiring two-factor authentication and keeping large amounts of data in one location with insufficient security. As a result of this negligence, sensitive client data was entrusted to Deloitte was stolen.


Deloitte, Services

The Guardian, Deloitte hit by cyber-attack revealing clients’ secret emails

CNET, Deloitte hacked, compromising its clients’ emails

Krebs on Security, Source: Deloitte Breach Affected All Company Email, Admin Accounts

Malwarebytes, Deloitte breached by hackers for months

Fortune, Deloitte Gets Hacked: What We Know So Far

Microsoft Azure, Multi-Factor Authentication

Global Weekly Executive Summary, 22 SEPT 2017

Kaspersky Products Banned from US Federal Government Systems

The US Department of Homeland Security ordered a purge of all security products originating from Russian cybersecurity company Kaspersky Lab over national security concerns.

The US Department of Homeland Security (DHS) on 13 September “issued a Binding Operational Directive (BOD) directing Federal Executive Branch departments and agencies to take actions related to the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.”

Kaspersky Lab is headquartered in Moscow, although according to their USA Kaspersky website, “We are one of the world’s largest privately owned cybersecurity companies. We operate in 200 countries and territories and have 37 offices in 32 countries. Over 3,700 highly-qualified specialists work for Kaspersky Lab.” with “400 million users protected by our technologies and 270,000 corporate clients.”  

DHS cites their priority to safeguard and ensure the integrity and security of federal information systems in their decision to issue the directive. This course of action was based on information security risks presented by the use of Kaspersky products on federal systems.

The security risks, according to the DHS statement, relate to the combination of  factors– Kaspersky products provide access to user files and elevated privileges to systems, and the Moscow-based company may be vulnerable to Russian government influence leading to the compromise of US federal info systems.

Reasons given for BOD-17-01:

  • Kaspersky Lab products/solutions provide broad access to files on systems and elevated privileges which could lead to compromise
  • Concerned about the ties between Kaspersky Lab workers, Russian intelligence, and other Russian government agencies
  • Concerned about requirements under Russian law that would allow Russian intelligence agencies to request or compel assistance from Kaspersky to intercept communications that transit Russian networks
  • The risk that the Russian government may be able to use Kaspersky to gain access and compromise federal info systems would directly affect US national security.

BOD 17-01 Timeline:

  • Within 30 days: Identify use/presence of Kaspersky products on federal government systems
  • Within 60 days: Develop a detailed plan to remove/discontinue use of products
  • Within 90 days: Begin to implement remove/discontinue plans

CEO and co-founder Eugene Kaspersky has accepted an invitation to testify before the House of Representatives Committee on Science, Space, and Technology to address US concerns. He continues to deny any ties to the Russian government and intelligence agencies and has repeatedly said that he would refuse to assist the Russian government with espionage. 

No evidence of instances of data compromise related to Kaspersky products or collusion with the Russian government have been offered to the general public.

On Sept 8, electronics store Best Buy announced that it would be removing Kaspersky products from its stores and website.


Department of Homeland Security, DHS Statement on the Issuance of Binding Operational Directive 17-01

Reuters, Kaspersky Lab co-founder accepts invitation to testify to U.S. Congress

New York Times, Kaspersky Lab Antivirus Software Is Ordered Off U.S. Government Computers

Washington Post, U.S. moves to ban Kaspersky software in federal agencies amid concerns of Russian espionage


Equifax Megabreach Update: How, who, and more

Last week, we reported that the major credit reporting company Equifax announced a massive data breach affecting up to 143 million US customers last week on 7 September, but the developing story over the course of the week has gone from bad to worse.

How the Breach Occurred

After days of speculation, on 13 September, Equifax revealed the initial attack vector that unknown hackers exploited to enable the breach, a known Apache Struts web-application vulnerability,  CVE-2017-5638. This particular vulnerability was disclosed and patched by 8 March of 2017, months before the start of the breach on 13 May 2017, meaning that this dangerous and widespread data breach was easily preventable.

Continuing Technical Problems

Technical problems have plagued Equifax in the week since the breach was announced. The PIN generated to enable and disable security freezes was found to be easily predictable, incorporating the date and time of the freeze request. The credit freeze request link was temporarily unavailable due to “technical issues” related to the high volume of security freeze requests. The Equifax informational breach website has addressed these problems in updates (2, 3, 4 ) and worked to correct them.

The TrustedID Premiere online checker that allows users to determine whether or not they were affected was widely reported to be unreliable, and these problems seem to persist. As of 15 September, the checker still returned different responses for the same user checking multiple times, and checks for the last names “test” and “blahblah” with the social security number “123456” still returned the result “we believe that your personal information may have been impacted by this incident.”

Security researcher Brian Krebs documented the case of an Equifax Argentina employee online portal used to manage customer credit disputes page was secured by only the username/password combination admin/admin even after the massive data breach had already revealed.

On 15 September, Equifax announced two “personnel changes” upon the immediate retirements of their Chief Information Officer and Chief Security Officer. An interim CIO and CSO have been named while the investigation continues with the help of the FBI.

Update: Who Was Affected

Last week’s Equifax statement announcing the breach stated that 143 million US customers, or 44 percent of the US population, may have been affected, while “some data” from Canadian and UK residents may have been affected.

This week, articles by The Guardian and The Telegraph reported that Equifax holds the data of 44 million UK residents, or 67 percent of the population, which was also illegally accessed during the breach. UK residents were not able to use Equifax’s online checker to determine if they had been affected because it required users to enter a US Social Security Number. Equifax UK later clarified on their informational incident webpage that “fewer than 400,000 UK consumers” will  be contacted that their data may have been illegally accessed in the breach. The Equifax UK statement says that “due to a process failure,” some UK customer data was stored in the US from 2011 to 2016, but that the data accessed was more limited in scope than that of the American customers. “The information was restricted to: Name, date of birth, email address and a telephone number and Equifax can confirm that the data does not include any residential address information, password information or financial data.”

Worryingly, the Guardian article also mentioned an Equifax marketing document written for a UK audience that boasts of the company holding “over 10 million child data records, to provide insights to a household.” Equifax has not provided any statements on its informational website or the UK webpage dedicated to the breach about child records being accessed. If fact, no mention of child data records can be found on either websites at all.

Congressional Hearings

This week, two US Congressional panels, the House Financial Services Committee and the House Energy and Commerce Committee, announced that they planned to hold hearings on the Equifax data breach. Equifax CEO Richard Smith has already received a formal letter of request to testify at the House Energy and Commerce Committee hearing scheduled form 3 October.

Read our initial CSCC article on the Equifax breach for more background information. For recommendations and links for those who may have been affected, read our CSCC Best Practices article.


Equifax, Cybersecurity Incident & Important Consumer Information

Equifax, Updates

Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes

Equifax, Trusted ID Premiere, Eligibility

Equifax, Equifax Household Composition (pdf)

Equifax UK, Cybersecurity incident – UK update

NIST, National Vulnerabilities Database, CVE-2017-5638 Detail

Krebs on Security, Ayuda! (Help!) Equifax Has My Data!


The Guardian, Equifax told to inform Britons whether they are at risk after data breach

The Telegraph, Equifax hack: 44 million Britons’ personal details feared stolen in major US data breach

Recode, The U.S. Congress is going to hold two hearings on the massive Equifax data breach

The Hill, Equifax CEO formally called to testify before Congress