The Federal Trade Commission (FTC) became the first economic regulator to formally announce an investigation into Equifax’s handling of a cyber intrusion that left more than 100 million Americans vulnerable to identity theft.
An FTC spokesman confirmed the probe one day after dozens of lawmakers urged the agency and other government bodies to look into the behavior of the credit reporting company before and after the breach was discovered.
“The FTC typically does not comment on open investigations,” said Peter Kaplan on Thursday. “However in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
The Consumer Financial Protection Bureau (CFPB) and several state attorneys general are also looking into Equifax, according to unattributed statements to journalists.
The company announced earlier this month that the breach resulted in the possible theft of 144 million Americans’ personal information, including social security numbers, dates of birth, and drivers’ license numbers.
On Wednesday, Equifax claimed to USA Today that the compromise was due to a website vulnerability. Cybersecurity professionals told the outlet, however, that Equifax’s failure to install “security updates provided in a timely manner” was responsible for the breach.
Most interesting to lawmakers, and perhaps other investigative bodies, are the actions of company executives prior to the incident. Equifax’s Chief Financial Officer and two other top executives dumped $1.8 million in company stock shortly before the company claims it discovered the breach. The public wasn’t notified until six weeks later.
Schatz was part of a bipartisan group of 36 Senators that wrote a letter to the FTC, the Securities and Exchange Commission (SEC), and the Department of Justice on Wednesday calling for an investigation.
“We request that you conduct a thorough examination of any unusual trading, including any atypical options trading, for violations of insider trading law,” the lawmakers wrote.
The SEC and the DOJ have not publicly announced any actions.
The company’s post-breach actions are also under scrutiny. After announcing the data loss, the company set up a web portal for customers to find out if they were affected. Before signing up, however, customers were required to agree to a forced-arbitration clause, preventing them from joining a class action suit against the company.
After an intense public backlash, including a push from New York Attorney General Eric Schneiderman, the company clarified that the forced-arbitration provision does not apply to the “cyber security incident.”