The Federal Trade Commission is actively investigating the massive breach revealed last week at credit bureau Equifax, which leaked personal financial information on 143 million people.
“The FTC typically does not comment on ongoing investigations,” spokesman Peter Kaplan wrote in an email to Reuters. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.” Nearly 40 states have also joined a probe of the company’s business practices.
Equifax made a number of severe errors in handling the breach, beginning with apparent insider trading by Equifax executives more than a month before the breach was made public. Once the compromise was announced, ambiguous language in the recovery site’s Terms of Service made it seem as if anyone accepting Equifax’s credit-monitoring services would waive their right to sue the service. The language was removed after a complaint from New York Attorney General Eric Schneiderman.
More recently, Equifax’s cybersecurity has come under fire. Last night, the service said the core of the compromise was a vulnerability in Apache’s open-source Struts software. First discovered earlier this year, the vulnerability was patched in March, months before the beginning of the Equifax compromise. Had Equifax patched the software when a fix first became available, the breach could have been averted.
Equifax also faces growing pressure from Congress. On Tuesday, a joint letter from Democrats on the Energy and Commerce Committee called on Equifax’s CEO to release more data on the company’s response to the compromise. “Your company profits from collecting highly sensitive personal information from American consumers,” the members wrote. “It should take seriously its responsibility to keep data safe and to inform consumers when its protections fail.” Equifax CEO Richard Smith is scheduled to testify before a House of Representatives panel on October 3rd.
Experts recommend a credit freeze for anyone whose information was included in the breach. A freeze will prevent anyone from applying for credit in your name without a specific PIN, which only you hold. More details on obtaining a credit freeze are available here.