The demands by the House and Senate committee members underscore the seriousness of the breach that’s rocked the Fortune 500 company, which plays a crucial role in the American financial system.
“Your company profits from collecting highly sensitive personal information from American consumers — it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail,” the letter from the House committee Democrats said.
FILE - In this June 15, 2017 file photo, credit cards are seen in Haverhill, Mass. Equifax, one of the three main credit reporting companies, said last week that a major data breach exposed Social Security numbers and other important information of millions of people. Hackers had access to Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other information. Those are all crucial pieces of personal data that criminals could use to commit identity theft. (AP Photo/Elise Amendola)
On Monday after public pressure, Equifax said on Twitter it would waive fees for all applications for credit freezes for the next 30 days. The company also reversed itself and removed language in a suite of credit and identity theft protection services it is offering breach victims that consumer groups said would force users into binding arbitration and ban them from joining a class-action lawsuit.
Equifax, which traces its roots to the 1890s, helps banks decide whether to lend people money for homes and cars and whether to issue credit cards.
Equifax and fellow credit bureaus Experian and TransUnion also weigh in when you’re seeking a job, rental housing or insurance, helping companies verify whether you are who you say you are.
The company counts the federal government as a key customer, including the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies.
Letters from Congress
In a Monday letter to Smith, U.S. Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Ore., sought information about Equifax’s digital security infrastructure and further details about the personal information that was lost, and whether any government data also was exposed by criminal hackers. The senators also requested a detailed timeline of events about the breach and the company’s response.
Rick Smith, CEO of Equifax, inside his office on Tuesday, Aug 2, 2011. AJC File Photo
The senators want answers about Equifax’s business, when it learned of the breach and about sales of stock by three Equifax executives days after the company learned of the incident but before the cyber theft had been made public.
The first question seeks a timeline of the breach, including “when it began, its discovery, the investigation of its scope and source, notification of authorities, efforts to notify customers and consumers, notification to the Equifax board of directors, and notification of Equifax senior executives — including, but not limited to, John Gamble Jr., Rodolfo Ploder, and Joseph Loughran.”
Gamble, Ploder and Loughran are the three executives who sold stock in the days after the July 29 discovery of the breach.
On Tuesday, U.S. Senator Heidi Heitkamp, D-N.D., called for an investigation into the stock sales, calling it "disturbing" that the sale appeared to happen before the incident was public, and stating that if a crime happened "somebody needs to go to jail," according to Reuters.
Equifax has said the executives were not aware of the breach when they sold their shares.
“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax spokeswoman Meredith Griffanti said in a statement about the Senate Finance Committee letter. She said the company plans to respond to the committee’s request for information and Equifax is “listening to issues that consumers are experiencing, and their suggestions are helping to further inform our actions.”
The House Democrats’ letter, which wants answers by Sept. 22, seeks information about steps the company is taking to protect consumers, as well as answers about the stock sales. Hatch and Wyden want answers by Sept. 28.
The matter could come before one or more House committee in the coming weeks.
‘Fumbled out of the gate’
Equifax announced the breach last Thursday after business hours with a YouTube video, news release and a website for consumers.
Equifax gave few details about how the data was accessed and whether it was their own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
143 Million Could Be Affected by Equifax Data Breach
Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm for a forensic review.
Consumer groups called Equifax’s response inadequate. Others complained that the website set up to guide potential victims gave conflicting information about whether consumers’ personal information was exposed. Call centers also weren’t adequately prepared, critics said.
The company also took flak for its offer of a package of credit and identity theft protection services because of a clause watchdogs said meant victims of the hack couldn’t sue or join a class-action case against Equifax for the cyber breach.
Conroy Boxhill, an expert in crisis public relations, said Equifax had six weeks from the time it learned of the breach until informing the public, and should have been better prepared.
“They fumbled out of the gate and there’s an erosion of confidence,” Boxhill said. “People think they’re not trustworthy.”
Boxhill said the company needs to address the public directly, inform consumers how the problem will be fixed and stop relying on canned statements. Equifax, he said, needs a public face to help allay people’s fears.
“This is a major, major event. You can’t hide from a situation like this,” he said.
Meuler, the analyst, said missteps are amplified in such situations, though he credited Equifax with waiving fees and taking other steps in response to consumers fears.
“But I do think the company could probably benefit from taking a more proactive approach to engaging with the public, with the consumer,” he said.