Equifax feels the heat in Washington for breach

Equifax feels the heat in Washington for breach
© Greg Nash

Equifax is under intense scrutiny in Washington for a massive data breach that potentially exposed the personal information of 143 million Americans.

The company, one of the three major credit bureaus in the United States, acknowledged the breach late last week, triggering questions and outrage from members of Congress.


Lawmakers want to know how the breach happened and what the company is doing to limit the damage.

Meanwhile, class-action lawsuits against the company are piling up, as are questions about why three Equifax executives sold stock in the company before the breach was publicly revealed.

“143 million people’s personal data breached. Execs sold stock, making millions. A month later they told you,” Sen. Brian SchatzBrian Emanuel SchatzGOP shrugs off dire study warning of global warming Dems to force health care vote weeks before Nov. midterms This week: Rosenstein set to meet with House GOP MORE (D-Hawaii) tweeted Monday evening. “This is a racket.”

Equifax on Thursday announced that hackers had gained access to consumers’ Social Security numbers, birth dates and some credit card numbers by exploiting a vulnerability in a U.S. website application. That access lasted for more than a month before Equifax discovered the breach on July 29.

“The scope is pretty tremendous here,” observed Amit Yoran, CEO of cyber firm Tenable Network Security. “This is incredibly sensitive information that could be used in many creative and criminal ways.”

Despite the scope of intrusion, Equifax waited more than a month before disclosing the data breach on Sept. 7. That delay has angered lawmakers.

“We are writing with serious concerns about the immense scale of this data breach, and we have a number of questions about whether Equifax took appropriate steps to safeguard the personal information of consumers,” Democrats on the House Energy and Commerce Committee wrote to Equifax CEO Richard Smith on Tuesday.

“We also have concerns about the amount of time it took for Equifax to notify the public of the breach and about the way Equifax is providing information to consumers.”

The letter is among several that lawmakers have sent to Equifax in recent days. Sens. John ThuneJohn Randolph ThuneThrough a national commitment to youth sports, we can break the obesity cycle Florida politics play into disaster relief debate GOP chairman: FEMA has enough money for Hurricane Michael MORE (R-S.D.) and Bill NelsonClarence (Bill) William Nelson'Hamilton' star aims to educate displaced Puerto Ricans about Florida voter ID laws Trump: ‘Maximum effort’ taking place in Hurricane Michael recovery efforts The Hill's Morning Report — Presented by the Coalition for Affordable Prescription Drugs — Trump travels to hurricane-ravaged Florida, Georgia MORE (D-Fla.), who lead the Senate Commerce Committee, volleyed questions on the extent of the breach and the company’s efforts to notify affected parties.

Sens. Orrin HatchOrrin Grant HatchHatch mocks Warren over DNA test with his own results showing '1/1032 T-Rex' Romney defends Trump’s policies as ‘effective,' disputes he led 'never Trump' movement GOP fractured over filling Supreme Court vacancies in 2020 MORE (R-Utah) and Ron WydenRonald (Ron) Lee WydenCollusion judgment looms for key Senate panel Hillicon Valley: Facebook deletes accounts for political 'spam' | Leaked research shows Google's struggles with online free speech | Trump's praise for North Korea complicates cyber deterrence | Senators want Google memo on privacy bug On The Money: Jobless rate hits 49-year low | Officials face legal obstacles to pursuing tax charges against Trump | Tax story prompts calls to revise estate rules MORE (D-Ore.), leaders of the Senate Finance Committee, took their inquiry a step further, pressing the company to provide a “detailed timeline” of the breach that covers notification of senior executives — including three who sold nearly $2 million in company stock in the days after the breach was discovered.

On Tuesday, Sen. Heidi HeitkampMary (Heidi) Kathryn HeitkampElection Countdown: Cruz, O'Rourke fight at pivotal point | Ryan hitting the trail for vulnerable Republicans | Poll shows Biden leading Dem 2020 field | Arizona Senate debate tonight Democrats hold fading odds of winning Senate this November Florida politics play into disaster relief debate MORE (D-N.D.) called for a criminal probe into the executives’ actions. She said it was “disturbing” that they sold their stock in the time between the discovery of the breach and the public disclosure. The company maintains that the executives did not know of the breach at the time they elected to sell the shares.

“If that happened, somebody needs to go to jail,” Heitkamp said at a credit union industry conference. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”

The Equifax breach has also generated calls for more regulations. Schatz and Democratic colleagues have reintroduced legislation that would increase requirements on credit reporting agencies in order to help correct errors in consumer credit reports.

White House press secretary Sarah Huckabee Sanders signaled Monday that the hack could warrant more regulations to protect Americans’ personal data.

Equifax is offering free identity theft protection and credit monitoring to those affected by the breach. But the company was put on the defensive when reports noted that the terms of service associated with those services could limit an individual’s right to sue.

Equifax has tried to respond to the mounting public pressure, announcing Monday that it had removed the forced arbitration clause from the terms of use on a website dedicated for breach victims.

The company also says that it is now waiving costs associated with credit freezes after Schatz accused Equifax of “ripping off” consumers.

But the company’s troubles are far from over. More than 20 class-action lawsuits have been filed against the company over the breach, with others likely to follow.

“Some of the potential claims that may be brought are negligence, breach of contract, fraud, violations of various state consumer protection statutes, a possible violation of the Fair Credit Reporting Act,” said Hanley Chew, a privacy and data security lawyer at Fenwick & West.

“I would anticipate that there are going to be a number of additional lawsuits from different parties and that those lawsuits will eventually get consolidated into a single lawsuit.” 

The company also faces investigations from multiple state attorneys general, including those representing Massachusetts, New York and Pennsylvania. Those officials are looking into potential violations of state data breach notification statutes. On Tuesday, the Massachusetts attorney general announced intent to sue Equifax over its “brazen failure to protect consumer data.” Additionally, the company is sure to face continued scrutiny of the stock sale by top executives.

“If it turns out that they did have knowledge of the breach and they sold prior to disclosure of the breach not as part of their regular, predetermined trading plan, then we’re looking at potential insider trading lawsuits and potential law enforcement investigation,” added Chew, a former federal prosecutor specializing in cyber crime.

The breach has also prompted media scrutiny of the company’s lobbying activities. The Wall Street Journal reported late Monday that Equifax had spent a half million dollars lobbying congressional lawmakers and federal regulators this year to limit legal liability for credit reporting firms.

Multiple congressional committees are planning to hold hearings on the breach — meaning that Equifax executives are likely to be grilled by members of Congress.  

“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” an Equifax spokesperson told The Hill Tuesday. “We are remaining focused on and listening to the issues that consumers are experiencing, and their suggestions are helping to further inform our actions.”