Equifax feels the heat in Washington for breach
Equifax is under intense scrutiny in Washington for a massive data breach that potentially exposed the personal information of 143 million Americans.
The company, one of the three major credit bureaus in the United States, acknowledged the breach late last week, triggering questions and outrage from members of Congress.
Lawmakers want to know how the breach happened and what the company is doing to limit the damage.
Meanwhile, class-action lawsuits against the company are piling up, as are questions about why three Equifax executives sold stock in the company before the breach was publicly revealed.
“143 million people’s personal data breached. Execs sold stock, making millions. A month later they told you,” Sen. Brian Schatz (D-Hawaii) tweeted Monday evening. “This is a racket.”
Equifax on Thursday announced that hackers had gained access to consumers’ Social Security numbers, birth dates and some credit card numbers by exploiting a vulnerability in a U.S. website application. That access lasted for more than a month before Equifax discovered the breach on July 29.
“The scope is pretty tremendous here,” observed Amit Yoran, CEO of cyber firm Tenable Network Security. “This is incredibly sensitive information that could be used in many creative and criminal ways.”
Despite the scope of the intrusion, Equifax waited more than a month before disclosing the data breach on Sept. 7. That delay has angered lawmakers.
“We are writing with serious concerns about the immense scale of this data breach, and we have a number of questions about whether Equifax took appropriate steps to safeguard the personal information of consumers,” Democrats on the House Energy and Commerce Committee wrote to Equifax CEO Richard Smith on Tuesday.
“We also have concerns about the amount of time it took for Equifax to notify the public of the breach and about the way Equifax is providing information to consumers.”
The letter is among several that lawmakers have sent to Equifax in recent days. Sens. John Thune (R-S.D.) and Bill Nelson (D-Fla.), who lead the Senate Commerce Committee, volleyed questions on the extent of the breach and the company’s efforts to notify affected parties.
Sens. Orrin Hatch (R-Utah) and Ron Wyden (D-Ore.), leaders of the Senate Finance Committee, took their inquiry a step further, pressing the company to provide a “detailed timeline” of the breach that covers notification of senior executives — including three who sold nearly $2 million in company stock in the days after the breach was discovered.
On Tuesday, Sen. Heidi Heitkamp (D-N.D.) called for a criminal probe into the executives’ actions. She said it was “disturbing” that they sold their stock in the time between the discovery of the breach and the public disclosure. The company maintains that the executives did not know of the breach at the time they elected to sell the shares.
“If that happened, somebody needs to go to jail,” Heitkamp said at a credit union industry conference. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”
The Equifax breach has also generated calls for more regulations. Schatz and Democratic colleagues have reintroduced legislation that would increase requirements on credit reporting agencies in order to help correct errors in consumer credit reports.
White House press secretary Sarah Huckabee Sanders signaled Monday that the hack could warrant more regulations to protect Americans’ personal data.
Equifax is offering free identity theft protection and credit monitoring to those affected by the breach. But the company was put on the defensive when reports noted that the terms of service associated with those services could limit an individual’s right to sue.
The company also says that it is now waiving costs associated with credit freezes after Schatz accused Equifax of “ripping off” consumers.
But the company’s troubles are far from over. More than 20 class-action lawsuits have been filed against the company over the breach, with others likely to follow.
“Some of the potential claims that may be brought are negligence, breach of contract, fraud, violations of various state consumer protection statutes, a possible violation of the Fair Credit Reporting Act,” said Hanley Chew, a privacy and data security lawyer at Fenwick & West.
“I would anticipate that there are going to be a number of additional lawsuits from different parties and that those lawsuits will eventually get consolidated into a single lawsuit.”
The company also faces investigations from multiple state attorneys general, including those representing Massachusetts, New York and Pennsylvania. Those officials are looking into potential violations of state data breach notification statutes. On Tuesday, the Massachusetts attorney general announced an intent to sue Equifax over its “brazen failure to protect consumer data.” Additionally, the company is sure to face continued scrutiny of the stock sale by top executives.
“If it turns out that they did have knowledge of the breach and they sold prior to disclosure of the breach not as part of their regular, predetermined trading plan, then we’re looking at potential insider trading lawsuits and potential law enforcement investigation,” added Chew, a former federal prosecutor specializing in cyber crime.
The breach has also prompted media scrutiny of the company’s lobbying activities. The Wall Street Journal reported late Monday that Equifax had spent a half million dollars lobbying congressional lawmakers and federal regulators this year to limit legal liability for credit reporting firms.
Multiple congressional committees are planning to hold hearings on the breach — meaning that Equifax executives are likely to be grilled by members of Congress.
“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” an Equifax spokesperson told The Hill Tuesday. “We are remaining focused on and listening to the issues that consumers are experiencing, and their suggestions are helping to further inform our actions.”