The FTC on Thursday confirmed it was looking into a breach impacting tens of millions of people.
By Andrew Soergel, Economy Reporter
The Federal Trade Commission confirmed Thursday that it is investigating Equifax (EFX) for a breach that may have exposed the sensitive information of 143 million Americans, sending the company’s stock spiraling further down as investors, investigators and lawmakers continue to search for answers.
Peter Kaplan, a spokesman at the FTC, said in a statement on Thursday that the agency generally doesn’t comment on open investigations but that, “in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
A separate blog post on the FTC’s website last week warned that “if you have a credit report, there’s a good chance [your] sensitive personal information was exposed.”
Equifax announced last week that it on July 29 detected a cyber intrusion that “primarily” exposed Social Security numbers, birth dates and addresses for tens of millions of Americans. In more isolated cases, driver’s license numbers, credit card information and “dispute documents with personal identifying information” were also accessed.
Fleming Shi, a vulnerability expert and senior vice president at Barracuda Networks, last week referred to the breach as “a Category 5 hurricane in the cyberworld, affecting at least one-third of the U.S. population.”
“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company said Wednesday in an updated statement on its website.
That updated statement confirmed that “criminals” gained access to Equifax data through a vulnerability in the Apache Struts web application. The release also apologized for the Equifax system going offline “for approximately an hour” on Wednesday after it was overloaded by consumer requests to initiate credit freezes to protect their identities and keep their credit scores intact.
“The hackers entered through a website exploit and found their way to highly sensitive and private customer information. That customer information should have been deeply encrypted so that even with this exploit, the hackers would have only found indecipherable and useless data,” Richard Blech, an encryption expert and CEO of Secure Channels Inc., said in a statement Monday.
Equifax stock had been gradually trending lower throughout the week before plummeting Thursday on the revelation that the FTC was looking into the incident. The company’s stock was down more than 3 percent in heavy trading Thursday and opened down more than 30 percent from where it closed before the breach was publicized. Trading volume was 24 million shares for the stock, whose shares typically are traded just 1.25 million times per day.
In an effort to mitigate potential consumer losses, Equifax indicated last week that it would begin notifying individuals whose credit card and dispute documents were exposed, and it set up a web portal to help people determine whether their personal information had been compromised.
The company also said it would offer consumers a year of free credit monitoring and identity theft protection, though it received blowback for requiring individuals to input more sensitive information into its servers to determine whether they had been impacted. Some were told to check back in at a later date, while others were simply told that their data may have been accessed but didn’t receive explicit confirmation.
But even this effort was viewed by some as insufficient given the extent of the breach.
“Perhaps the only thing that can provide even some minimal level of safety would be to let people have unlimited, free access to their credit reports – and then encourage people to check them regularly to guard against the hideously serious consequences of identity theft,” Jeffrey Pfeffer, a business professor at Stanford University, wrote in a blog post Sunday.
The company also caught flack for arbitration clauses initially included within the terms of service for Equifax and its TrustedID Premier protective services, as individuals began to express concern that they would not be able to join a class-action lawsuit against the company if they signed up for the services.
A trio of Equifax officials were also found to have collectively sold off nearly $1.8 million in stock after the company had identified the breach but before the public had been informed. Equifax maintains that those individuals had no knowledge of the breach when they decided to offload company stock.
“In most cases, consumers would have the option of ending ties with a company, like Equifax, that is unable to keep their identifiable information confidential. Unfortunately, consumers currently don’t have that option. Since consumers can’t opt out of dealing with this broken industry, it’s long past time for Congress to enact comprehensive reforms,” House Financial Services Committee Ranking Member Maxine Waters, D-Calif., said in a statement Wednesday.
Indeed, lawmakers have seized on the Equifax breach as a call to action – in some cases advocating for intensive credit reporting reform and in others demanding congressional hearings and investigations be established.
Rep. Robert Latta, R-Ohio, and chairman of the House Subcommittee on Digital Commerce and Consumer Protection, on Wednesday sent a letter to Equifax CEO Richard Smith formally thanking him for agreeing to testify before his subcommittee on Oct. 3.
Latta and Rep. Greg Walden, R-Ore., last week announced plans to hold a hearing on the matter, saying in a joint statement that they look forward to hearing Smith’s response to the “serious questions” that have been raised “about the security of consumers’ personal information.”
“We know members on both sides of the aisle appreciate Mr. Smith’s willingness to come before the committee and explain how our constituents might be impacted and what steps are being taken to rectify this situation,” the pair said.
Find the original article here.