Equifax is facing increased scrutiny from Congress, and the Federal Trade Commission has taken the unusual step of confirming that it's launched its own investigation.
"The FTC typically does not comment on ongoing investigations," Peter Kaplan, the FTC's acting director of public affairs, told me in an emailed statement on Thursday. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."
Meanwhile, late Friday, the company announced that its CIO and CSO are retiring.
Without a doubt, pressure is continuing to mount on Equifax after it revealed that it suffered a breach that exposed personal information - including names and Social Security numbers - for 143 million U.S. consumers. Some U.S. residents also had their credit card numbers exposed. Equifax says that 400,000 British residents and an unspecified number of Canadian residents also had their personal information exposed in the hack of its U.S. systems.
Equifax now faces dozens of lawsuits across the United States and Canada, hearings by multiple Congressional committees, probes by about 40 states and its customers potentially taking their business elsewhere (see Equifax Faces Mounting Anger, $70 Billion Lawsuit).
The company's stock price has fallen substantially since its Sept. 7 data breach alert.
Poor Patching: Bad Business Move
CEO Richard Smith this week took to USA Today, publishing a mea culpa in which he promised: "We will make changes."
But some security experts have accused Equifax of attempting a sleight of hand by blaming the breach on Apache Struts. On Wednesday, Equifax admitted that the "U.S. website application vulnerability" exploited by attackers was a flaw in its Apache Struts 2 software, an open source Java web application framework (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
The Apache Struts problem, however, was entirely of Equifax's own making. The company failed to upgrade or otherwise safeguard its Struts implementation after the Apache project team released an emergency update in March to fix a flaw that was already being exploited in in-the-wild attacks. Attackers began abusing the unpatched software roughly two months later, in mid-May.
Information security expert Jake Williams, founder of U.S. cybersecurity firm RenditionSec and an exploit development instructor for SANS Institute, also points out that Equifax made a business decision to use Struts, which is free, open source software.
When people say "Struts is hard to patch" remember that #Equifax made a business decision to use Struts - and then didn't keep it updated.— Jake Williams (@MalwareJake) September 14, 2017
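Keeping Struts updated starts with knowing which version is deployed. The following is an added example, not code from the original article and not anything Equifax or Apache published: it takes an inventory of jar paths and a Maven pom fragment (both constructed sample input) and flags Struts 2 builds that predate the March 2017 fix. The article does not name the advisory; it is Apache's S2-045 (CVE-2017-5638), which per the advisory affects Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 and is fixed in 2.3.32 and 2.5.10.1. The version ranges are those published facts; the file paths, pom text and function names are assumptions made for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# S2-045 / CVE-2017-5638 is the March 2017 emergency fix the article refers to
# (a known fact, not stated on the page). Ranges are [first affected, first fixed)
# per the Apache advisory: 2.3.5-2.3.31 and 2.5-2.5.10 affected; 2.3.32 and 2.5.10.1 fix it.
AFFECTED_RANGES = {
    (2, 3): ((2, 3, 5), (2, 3, 32)),
    (2, 5): ((2, 5), (2, 5, 10, 1)),
}

# Assumed layouts: a struts2-core jar in WEB-INF/lib, or a struts2-core dependency in pom.xml.
JAR_RE = re.compile(r"struts2-core-(\d[\w.\-]*?)\.jar$")
POM_RE = re.compile(
    r"<artifactId>\s*struts2-core\s*</artifactId>\s*<version>\s*([^<\s]+)\s*</version>",
    re.S,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def vulnerable_to_s2_045(version: str) -> bool:
    """True if the version lies inside an affected range; other branches are not listed."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[:2])
    if rng is None:
        return False
    first_affected, first_fixed = rng
    # Python compares tuples lexicographically, so (2, 5, 10) < (2, 5, 10, 1) as intended.
    return first_affected <= v < first_fixed


Finding = Tuple[str, str, Optional[bool]]  # (location, version, vulnerable or None if unresolved)


def scan_jar_paths(paths: Iterable[str]) -> List[Finding]:
    """Pick struts2-core jars out of a file inventory and classify each."""
    findings = []
    for p in paths:
        m = JAR_RE.search(p)
        if m:
            findings.append((p, m.group(1), vulnerable_to_s2_045(m.group(1))))
    return findings


def scan_pom(xml_text: str) -> List[Finding]:
    """Classify struts2-core versions declared in a pom; a ${property} cannot be judged here."""
    findings: List[Finding] = []
    for v in POM_RE.findall(xml_text):
        if v.startswith("${"):
            findings.append(("pom.xml", v, None))  # resolve the property, then re-check
        else:
            findings.append(("pom.xml", v, vulnerable_to_s2_045(v)))
    return findings


# Constructed sample inventory, not data from any real system.
SAMPLE_JARS = [
    "/srv/app/WEB-INF/lib/struts2-core-2.3.30.jar",
    "/srv/app/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/srv/app/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]
SAMPLE_POM = """<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for loc, ver, vuln in scan_jar_paths(SAMPLE_JARS) + scan_pom(SAMPLE_POM):
        state = "UNRESOLVED" if vuln is None else ("VULNERABLE" if vuln else "ok")
        print(f"{state:11} struts2-core {ver} at {loc}")
```

The scan is deliberately conservative in one direction only: a version that cannot be parsed, or a pom that defers to a `${property}`, is reported as unresolved rather than silently passed, since an unknown Struts version in production is exactly the gap that went unnoticed here.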
Equifax says its mega-breach occurred in mid-May. "The attacker accessed a storage table that contained historical credit card transaction related information," the company told security blogger Brian Krebs in a statement. "We have found no evidence during our investigation to indicate the presence of card-harvesting malware, or access to the table before mid-May 2017."
Equifax discovered the breach on July 29. Some information security experts are wondering whether the company might have been hacked by multiple groups, given the ease with which its systems could have been exploited.
Beyond Public Shaming
Despite the increased pressure on Equifax and its executives, however, nothing will change unless Congress bands together to regulate the big credit reporting agencies - Equifax, Experian, TransUnion - and mandate strong privacy protections for U.S. consumers.
"As much as it might be deserved, we do not need more public shaming of Equifax," says information security expert William Hugh Murray. "We need reform of the Fair Credit Reporting Act, which puts the interests of the credit bureaus and their customers so far ahead of those of the subjects of the data."
To that end, Democratic legislators this week introduced at least three bills that would strengthen protections for consumers.
Sen. Elizabeth Warren, D-Massachusetts, who is the top Democrat on the Senate Subcommittee for Financial Institutions and Consumer Protection, is backing a bill that would require all credit agencies to institute a credit freeze for free upon request (see Latest Equifax Bungle: Predictable Credit Freeze PINs).
In the wake of the breach, Warren has also sent letters about her concerns to the three big credit bureaus, as well as the Government Accountability Office and other federal regulators, including the Consumer Financial Protection Bureau, which is the top consumer watchdog, Reuters reports. In her letter to the CFPB, she asks if the bureau, created after the 2007-08 banking crisis, had "adequate statutory authority to regulate credit reporting agencies and protect consumers."
In her letter to Equifax, she wrote: "I am troubled by this attack - described as 'one of the largest risks to personally sensitive information in recent years' - and by the fact that it represents the third recent instance of a data breach of Equifax or its subsidiaries that has endangered Americans' personal information."
Breach Severity Creates Opportunity
Since it was created, the CFPB has been criticized by many Republicans as being too powerful.
But the scale and severity of the Equifax breach suggests otherwise, and thus might give pro-reform lawmakers the leverage they need to strengthen consumer protections. And some continue to seize the rhetorical advantage.
Last week, in the wake of Hurricane Irma and one day after Equifax announced the breach, Sen. Mark Warner, D-Virginia, likened the data breach to "at least a category 4, if not category 5, cyber hack," referring to the most severe hurricane ratings.
On Thursday, meanwhile, Sen. Chuck Schumer, D-New York, lobbed what may be the worst possible slur in the American business world - comparing Equifax to Enron. That once high-flying U.S. energy and commodities firm was driven into bankruptcy in 2001 after the company's massive accounting fraud came to light.
What has transpired with @Equifax over the past several months is one of the most egregious examples of corporate malfeasance since Enron.— Chuck Schumer (@SenSchumer) September 14, 2017
"Equifax stunningly & epically failed to perform 1 of its 2 essential duties, to protect the sensitive info of the people in its files," Schumer said via Twitter. "We must get to the bottom of this, the murky bottom. Equifax must be held accountable and answer for its actions."
Schumer called on Equifax to directly notify everyone who's been affected, provide credit monitoring and credit freezes, cooperate with all investigations, and comply with a rule finalized by the CFPB in July that bans financial services firms from using mandatory arbitration clauses to prevent consumers from filing class-action lawsuits against them.
"If @Equifax doesn't agree to these things in 1 week, the CEO & entire Board should step down. It's commonsense & the baseline of decency," Schumer wrote.
There's poetry in Schumer suggesting Equifax is the Enron of the data breach world, as well as deft political maneuvering. After the new CFPB rule was finalized, Republicans began trying to get it thrown out.
With Republicans continuing to hold a majority in Congress, it's unlikely that stronger consumer protection legislation would pass (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
But avoiding another Equifax-style breach will require regulations that punish firms for losing sensitive information on U.S. consumers - even when those consumers are not technically their customers - as well as careful oversight.