The Federal Trade Commission (FTC) became the first economic regulator to formally announce an investigation into Equifax’s handling of a cyber intrusion that left more than 100 million Americans vulnerable to identity theft.
An FTC spokesman confirmed the probe one day after dozens of lawmakers urged the agency and other government bodies to look into the behavior of the credit reporting company before and after the breach was discovered.
“The FTC typically does not comment on open investigations,” said Peter Kaplan on Thursday. “However in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
The Consumer Financial Protection Bureau (CFPB) and several state attorneys general are also looking into Equifax, according to unattributed statements to journalists.
The company announced earlier this month that the breach resulted in the possible theft of 144 million Americans’ personal information, including social security numbers, dates of birth, and drivers’ license numbers.
On Wednesday, Equifax claimed to USA Today that the compromise was due to a website vulnerability. Cybersecurity professionals told the outlet, however, that Equifax’s failure to install “security updates provided in a timely manner” was responsible for the breach.
Most interesting to lawmakers, and perhaps other investigative bodies, are the actions of company executives prior to the incident. Equifax’s Chief Financial Officer and two other top executives dumped $1.8 million in company stock shortly before the company claims it discovered the breach. The public wasn’t notified until six weeks later.
“Hey, @equifax, just following up. Why did your execs sell stock before your company told the public of security breach? LMK ASAP,” Sen. Brian Schatz (D-Hawaii) tweeted on Tuesday.
Schatz was part of a bipartisan group of 36 Senators that wrote a letter to the FTC, the Securities and Exchange Commission (SEC), and the Department of Justice on Wednesday calling for an investigation.
“We request that you conduct a thorough examination of any unusual trading, including any atypical options trading, for violations of insider trading law,” the lawmakers wrote.
The SEC and the DOJ have not publicly announced any actions.
The company’s post-breach actions are under scrutiny also. After announcing the data loss, the company set up a web portal for customers to find out if they were affected. Before singing up, however, customers were required to agree to a forced-arbitration clause, preventing them from joining a class action suit against the company.
After an intense public backlash, including a push from New York Attorney General Eric Schneiderman, the company clarified that the forced-arbitration provision does not apply to the “cyber security incident.”
Join us in defending the truth before it’s too late
The future of independent journalism is uncertain, and the consequences of losing it are too grave to ignore. To ensure Truthout remains safe, strong, and free, we need to raise $24,000 by the end of today. Every dollar raised goes directly toward the costs of producing news you can trust.
Please give what you can — because by supporting us with a tax-deductible donation, you’re not just preserving a source of news, you’re helping to safeguard what’s left of our democracy.