The fallout from last week's hack of consumer credit reporting agency Equifax, affecting the sensitive personal information of nearly 55 percent of Americans aged 18 and older, continues this week as lawmakers and regulators begin looking into the incident.
The U.S. Consumer Financial Protection Bureau said it was investigating the breach and Equifax's response, while two congressional committees — the House Financial Services Committee and the House Energy and Commerce Committee — said they will hold hearings, though dates have not yet been announced. The Federal Bureau of Investigation said it is probing the hack, and at least five attorneys general, including those from New York and Illinois, have also launched investigations. At least two class-action lawsuits have also been filed, one in Portland, Oregon, and one in Atlanta, Georgia.
Rep. Ted Lieu, D-Calif., queried why it took so long for the company to announce the breach and asked that all three major credit reporting companies — Equifax, Experian and TransUnion — testify in front of Congress "not only on the breach ... but also to identify how each company is taking proactive, defensive steps to prevent such breaches in the future."
Sen. Richard Blumenthal, D-Conn., has called on the U.S. Federal Trade Commission to investigate the incident. In a Facebook post, Blumenthal wrote, "There is no excuse for Equifax's failure to strengthen its cybersystems after suffering several previous breaches. The Federal Trade Commission must investigate this breach to assess whether Equifax did everything it could to secure all its systems given the sensitive nature of the consumer data it holds." He also said, "Congress must also enact data breach and security legislation immediately — only stiffer enforcement and stringent penalties will make sure companies are taking precautions to guard consumer data with the strongest available technology."
Rep. Maxine Waters, D-Calif., said, "Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country's credit reporting system. ... I will reintroduce legislation that will enhance consumer protection tools available to minimize harm caused by identity theft."
On top of a written and video response from its CEO last week, Equifax said it has tripled the size of its call center to more than 2,000 agents, with plans to add more. Equifax's tool to help consumers determine whether their data was affected, however, has received criticism due to alleged mixed or inaccurate results.
Moody's Investors Service last week said the incident will stymie Equifax's growth over the next three to four financial quarters and hurt its reputation for consumer protection. The company will also likely incur higher cyber insurance premiums, but Moody's added, it will not hurt its rating.
Though specifics about how the hack was conducted have been thin, Robert W. Baird & Co. Analyst Jeffrey Meuler told clients, according to Reuters, that adversaries used a flaw in open-sourced Struts software, which is distributed by the Apache Software Foundation. The software is reportedly used by several major companies, but a spokeswoman for Apache said it appears that Equifax had not patched flaws in the software that were discovered earlier this year.
It is not yet clear if this was a state-sponsored data breach.
The Wall Street Journal points out that some Republican lawmakers have recently sought to curb company liabilities when consumer disputes take place. Last Thursday, just before the breach was announced, a congressional panel was debating proposed legislation that would reduce penalties for credit-reporting companies that are accused of harming consumers with inaccurate credit reports. The bill would cap any damages consumers could receive and eliminate punitive damages altogether. As of last Friday, the committee scheduled no further action on the bill.
Top image: screen shot taken from Equifax.
If you want to comment on this post, you need to login.