A number of government agencies are relying on a security measure that can be easily bypassed because of massive breaches like the Equifax hack, the US Government Accountability Office has found. In a report released Friday, the government watchdog group found that the US Postal Service, the Department of Veterans Affairs, the Social Security Administration and the Centers for Medicare and Medicaid Services have still been using "Knowledge-Based Verification" to make sure people who apply for benefits online are genuine.
This verification method asked applicants questions like their date of birth, Social Security numbers and addresses, assuming that only the applicant would have that information. But in Equifax's breach in 2017, that data had been stolen from 145.5 million Americans, rounding out to more than half the US population.
That exposed many federal agencies using Knowledge-Based Verification to widespread fraud, as potential attackers could use the stolen information to apply for benefits and get replacement Social Security cards, the GAO found.
In 2017, the National Institute of Standards and Technology began advising against that verification method.
Lawmakers asked the government watchdog to review how many federal agencies were still using the outdated verification method after the Equifax breach. While the IRS and the General Services Administration dropped Knowledge-Based Verification as a security measure, the GAO found four federal agencies that were still relying on it.
In letters to all four agencies, Sen. Elizabeth Warren (D-Mass.), Sen. Ron Wyden (D-Ore.) and Rep. Elijah Cummings (D-Md.) asked what steps they were taking to protect consumer privacy after Equifax's breach, and why they were still using an outdated verification system.
"It's troubling that nearly two years after the massive 2017 Equifax data breach, federal government agencies continue to use outdated identity-proofing methods that put citizens at increased risk of identity theft," the lawmakers said in a statement. "We need to do more to prevent these kinds of breaches, and the government needs to be better and smarter about protecting citizens."
A Veterans Affairs spokesman said the agency "appreciates the lawmakers' views and will respond to them directly." The Social Security Administration said it received the letter and will also respond to members of Congress. The other two agencies identified in the report didn't immediately respond to requests for comment.
The GAO's report found that there were several alternatives to Knowledge-Based Verification, like in-person authentication, or using mobile devices to check in. The USPS and SSA told the GAO they were looking into alternatives but didn't expect to implement them by the end of this year. The SSA is looking to implement a more secure method by 2020.
CMS said it had no plans to remove the verification method, telling the GAO that its customers prefer the insecure measure, despite the potential for fraud, according to the report.
VA implemented alternatives, but only as a supplement to the outdated security measure, the report said.
Officials from these three organizations said that while NIST stopped recommending Knowledge-Based Verification, it didn't provide any viable alternatives. The GAO recommended that NIST improve its guidance for federal agencies, that government organizations improve their verification methods, and that the Office of Management and Budget require agencies to report on their progress.
"However, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud," the GAO said in its report.
Originally published June 14, 6 a.m. PT.
Update, 8:18 a.m. PT: Adds response from the Department of Veterans Affairs; 8:38 a.m. PT: Adds response from the Social Security Administration.