By David Shepardson and Dustin Volz
WASHINGTON (Reuters) – Two key U.S. senators on Monday asked Equifax Inc <EFX.N> to answer detailed questions about a breach of information affecting up to 143 million Americans, including whether U.S. government agency records were compromised in the hack.
Senator Orrin Hatch, who chairs the Finance Committee, and ranking Democrat Ron Wyden, also demanded that Equifax Chief Executive Rick Smith provide a timeline of the breach and its discovery. They asked for information on when authorities and the company’s board were notified and when three executives who sold stock in the company in August were first told of the data breach.
Equifax did not immediately respond to a request for comment on the letter. It came amid mounting scrutiny of the company’s response to the breach from lawmakers, regulators and security experts, prompting the credit-monitoring services to issue an apology on Friday and pledge to dedicate more resources to helping affected consumers.
“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” the letter said.
Equifax announced last week that it learned on July 29 that hackers had infiltrated its systems in mid-May, pilfering names, birthdays, addresses and Social Security and driver’s license numbers. Cyber security experts said it was among the largest data hacks ever recorded and was particularly troubling due to the richness of the information exposed.
Three days after Equifax discovered the breach, three top Equifax executives, including Chief Financial Officer John Gamble and a president of a unit, sold Equifax shares or exercised options to dispose of stock worth about $1.8 million, regulatory filings show.
Equifax said in a statement last week that the executives were not aware that an intrusion had occurred when they sold their shares.
Hatch and Wyden asked Smith to respond by Sept. 28. Other congressional committees have announced plans to hold hearings investigating the Equifax breach and want answers.
The senators want to know if Equifax has a chief information security officer and over the past two years “how many times has Equifax employed third-party cyber security experts to conduct penetration tests of its internal and external systems?” The senators want copies of all Equifax penetration test and audit reports by outside cyber security firms.
Separately, a group of 20 Democratic senators asked Equifax to end its use of forced arbitration agreements, which limit the ability of consumers to pursue claims, and not to lobby to reverse a new rule from the Consumer Financial Protection Bureau to limit the use of forced arbitration in the financial services sector.
(Reporting by Dustin Volz and David Shepardson; Editing by Andrew Hay and Jonathan Oatis)