At least five attorneys general, including those from New York and Illinois, have also launched investigations. At least two class-action lawsuits have also been filed, one in Portland, Oregon, and one in Atlanta, Georgia.
Rep. Ted Lieu, D-Calif., queried why it took so long for the company to announce the breach and asked that all three major credit reporting companies — Equifax, Experian and TransUnion — testify in front of Congress "not only on the breach ... but also to identify how each company is taking proactive, defensive steps to prevent such breaches in the future."
Sen. Richard Blumenthal, D-Conn., has called on the U.S. Federal Trade Commission to investigate the incident. In a Facebook post, Blumenthal wrote, "There is no excuse for Equifax's failure to strengthen its cybersystems after suffering several previous breaches. The Federal Trade Commission must investigate this breach to assess whether Equifax did everything it could to secure all its systems given the sensitive nature of the consumer data it holds." He also said, "Congress must also enact data breach and security legislation immediately — only stiffer enforcement and stringent penalties will make sure companies are taking precautions to guard consumer data with the strongest available technology."
Rep. Maxine Waters, D-Calif., said, "Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country's credit reporting system. ... I will reintroduce legislation that will enhance consumer protection tools available to minimize harm caused by identity theft."
On top of a written and video response from its CEO last week, Equifax said it has tripled the size of its call center to more than 2,000 agents, with plans to add more. Equifax's tool to help consumers determine whether their data was affected, however, has received criticism due to alleged mixed or inaccurate results.
The company also clarified how it's handling an arbitration clause and class-action waiver that appeared to say individuals signing up for its free credit monitoring would waive their rights to sue or be part of a class action. "To confirm," Equifax said Sunday, "enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action." According to The Washington Post, Equifax said it has removed the controversial language from its data breach notification site, equifaxsecurity2017.com. The response came after a similar clarification from Equifax last Friday, in which it said, "In response to consumer inquiries, we have made it clear that the arbitration clause and class-action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."
Moody's Investors Service last week said the incident will stymie Equifax's growth over the next three to four financial quarters and hurt its reputation for consumer protection. The company will also likely incur higher cyber insurance premiums, but Moody's added that the incident will not hurt the company's rating.
Though specifics about how the hack was conducted have been thin, Robert W. Baird & Co. analyst Jeffrey Meuler told clients, according to Reuters, that adversaries used a flaw in the open-source Struts software, which is distributed by the Apache Software Foundation. The software is reportedly used by several major companies, but a spokeswoman for Apache said it appears that Equifax had not patched flaws in the software that were discovered earlier this year.
It is not yet clear if this was a state-sponsored data breach.
The Wall Street Journal points out that some Republican lawmakers have recently sought to curb company liabilities when consumer disputes take place. Last Thursday, just before the breach was announced, a congressional panel was debating proposed legislation that would reduce penalties for credit-reporting companies that are accused of harming consumers with inaccurate credit reports. The bill would cap any damages consumers could receive and eliminate punitive damages altogether. As of last Friday, the committee scheduled no further action on the bill.
Top image: screen shot taken from Equifax.