A recent report[pdf] by the US Government Accountability Office (GAO) highlights a relatively unknown dimension of the impact of the massive 2017 Equifax data breach. The standard method used by many government agencies for identifying US citizens that want to apply for benefits through digital portals, was rendered unsafe by the breach. And as it turns out, some agencies are still using this unsafe method today.
Before Equifax, most US agencies used to verify users by asking them to provide data collected by credit reporting agencies (CRAs). However, some of this data was compromised in the breach, which means that threat actors could now use stolen data to commit identity fraud. Because of this risk, the National Institute of Standards and Technology (NIST) issued new guidelines in 2017 that urge government agencies to ditch CRA-based online identity proofing in favor of more secure methods. However, the GAO recently discovered that four out of the six agencies it audited, still use CRA-based online identity proofing. These agencies are the Centers for Medicare and Medicaid Services (CMS), the Social Security Administration (SSA), the US Postal Service (USPS), and the Department of Veterans Affairs (VA).
Read more: Equifax breach impacted the online ID verification process at many US govt agencies