Equifax Inc. faces multiple state and federal investigations, and congressional grillings, over its disclosure that the personal consumer data of more than 140 million Americans may have been compromised in a cyberattack.
The list of politicians and regulators seeking answers from the credit-reporting company is long and growing. The Consumer Financial Protection Bureau is looking into the data breach and Equifax’s response, while the FBI said it is also reviewing the situation. New York’s attorney general has opened an investigation and at least three U.S. House panels said they would hold hearings.
“This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing,” House Financial Services Committee chair Jeb Hensarling, a Texas Republican, said in a Friday statement. “Large-scale security breaches are becoming all too common. Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers.”
The government response shows the fallout for Atlanta-based Equifax is just beginning. It can expect weeks if not months of scrutiny over whether it could have done more to protect the data, and why it waited so long to inform consumers of a breach that could have put half the U.S. population’s personal information at risk.
The hack, which Equifax said Thursday took place in late July, resulted in the intruders accessing names, Social Security numbers, birth dates, addresses and driver’s license numbers, as well as credit-card numbers for about 209,000 consumers. The incident ranks among the largest cybersecurity breaches in history. Equifax shares fell as much as 18 percent Friday, the biggest one-day drop in almost two decades.
Because of the breadth of the information compromised, jurisdiction resides across a number of government agencies and congressional committees.
The CFPB has authority over the consumer-reporting industry and is authorized to pursue enforcement actions against companies that engage in “unfair, deceptive or abusive practices,” spokesman Samuel Gilford said in a statement.
“We are looking into the data breach and Equifax’s response, but cannot comment further at this time,” Gilford said.
The Federal Trade Commission will probably investigate under its authority to enforce unfair and deceptive practices by companies, according to Jeffrey Poston, co-chair of Crowell & Moring LLP’s privacy and cybersecurity practice in Washington.
The agency will examine Equifax’s representations to consumers about how secure their data was before the breach and whether the company was really living up to those promises, he said. If it finds problems, the FTC can sue to force the company to strengthen security practices as well as subject it to ongoing monitoring for years to ensure compliance, Poston added. That is a fact-intensive investigation that could last months, he said.
FTC spokesman Peter Kaplan didn’t respond to requests for comment.
New York Attorney General Eric Schneiderman’s office said in a statement that it had opened an investigation into Equifax because the hack had affected more than 8 million New Yorkers. The New York AG’s office sent a Friday letter to the company seeking additional information, according to the statement. Other states, including Connecticut, also said they were reaching out to Equifax.
Democratic lawmakers pounced on the data breach to push an issue that they’ve long advocated for: it should be easier for consumers to sue financial companies.
Equifax requires that consumers who sign up for its free credit-monitoring services agree that any grievances they have with the company be resolved through arbitration. The clause is included in service contracts, and makes it difficult for consumers to join together and file class-action lawsuits.
“It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,” Ohio’s Sherrod Brown, the top Democrat on the Senate Banking Committee, said in a statement.
The CFPB approved a rule in July that restricts firms from mandating arbitration, though it hasn’t yet taken effect. The CFPB’s Gilford called Equifax’s arbitration clause “troubling” and encouraged the company to remove it from its contracts with consumers.
While the Equifax breach is the latest in a string of cyberattacks, it’s likely to rekindle a debate on Capitol Hill over whether corporations should face stiffer requirements to ensure data isn’t stolen.
U.S. Representative Bob Goodlatte, the Virginia Republican who oversees the House Judiciary Committee, said in an emailed statement that he plans to hold a hearing to determine whether laws should be “strengthened to better prevent cyberattacks and protect Americans’ privacy.”
The House Energy and Commerce Committee also plans a hearing. Democrat staffers for the energy and commerce panel met with an Equifax representative Friday, and were disappointed because they came away from it with no new information about how the breach happened, according to a Democratic aide. Staffers on the House Financial Services Committee also met with the company, said a person with direct knowledge of the matter.
Although Equifax said the attack was carried out by criminals, the FBI will work to determine if there are also “potential national security implications” such as involvement by agents of a foreign government, said Leo Taddeo, a former FBI special agent who led cybersecurity investigations.
“It’s hard to tell the difference these days between an intelligence operation and a criminal operation,” said Taddeo, now chief information security officer for Cyxtera Technologies Inc.
A hacking attack against Yahoo! Inc. that began in 2014 and stole information from about 500 million accounts was initially thought to be criminal in nature, Taddeo said. However, a federal investigation eventually determined it was conducted with the aid of two officers of the Russian Federal Security Service, according to the Justice Department.
The FBI coordinates with other agencies like the National Security Agency and Homeland Security Department through its National Cyber Investigative Joint Task Force.
Critics shouldn’t rush to judgment on Equifax waiting more than a month to disclose the hacking attack, Taddeo said. The company and the FBI need time to investigate before an attack is made public, especially not to tip off the hackers or reveal investigative techniques, Taddeo said.
“These are complex cases and you don’t want to go and publish a public notice of a breach without some confidence of what happened and what the scope is,” he said.