Equifax, the latest company to be embroiled in a massive data breach, is facing questions from two top U.S. senators on both sides of the aisle.
According to a report in Reuters, Senator Orrin Hatch, Chairman of the Senate Finance Committee, and ranking Democrat Ron Wyden want the CEO of Equifax, Rick Smith, to provide a timeline of the breach event. Specifically, they want information on when the breach happened, when the board and authorities were alerted and when the three executives who sold shares in August were notified. One of those executives is the CFO of the company.
Backlash is mounting, particularly since a report surfaced that the three executives sold their shares immediately after the company discovered the cyberattack. “The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” the letter to Equifax’s CEO stated, as Reuters reported. Citing regulatory filings, Reuters previously reported that the executives sold the shares, which were worth around $1. 8 million, three days after the breach was discovered.
The senators gave Smith until Sept. 28 to answer the questions raised in the letter. They want to learn whether the company had a Chief Information Security officer, as well as how many times it employed a third-party security firm to conduct tests of its computer systems, reported Reuters. They also want copies of all of Equifax’s penetration tests and audit reports from external security firms. Meanwhile, 20 Democratic senators are asking Equifax to end the forced arbitration agreements that would limit consumers’ ability to sue the company, according to the Reuters news report.
Last week, Equifax disclosed a data breach that could impact 143 million consumers. In a press release detailing the cybercrime, the company said that hackers potentially exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017, with no evidence of illicit activity on Equifax’s consumer or commercial credit report databases, the company said in the release.
According to Equifax, the compromised information included names, Social Security numbers, birthdates, addresses and, in some instances, drivers’ license numbers. The company also reported that the hackers accessed 209,000 U.S. consumer accounts, as well as certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, putting them at a higher risk of identity theft. As part of its investigation, Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents.