IRS puts Equifax contract on hold during security review

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank

NEW YORK (Reuters) – The U.S. Internal Revenue Service has temporarily suspended a contract worth more than $7 million it recently awarded to Equifax Inc following a security issue with the beleaguered credit reporting agency’s website on Thursday.

Equifax, which disclosed last month that cyber criminals breached its systems between mid-May and late July and made off with sensitive data on 145.5 million people, said on Thursday it shut down one of its website pages after discovering that a third-party vendor was running malicious code on the page.

“The IRS notified us that they have issued a stop-work order under our Transaction Support for Identity Management contract,” an Equifax spokesperson said on Friday.

“We remain confident that we are the best party to perform the services required in this contract,” the spokesperson said. “We are engaging IRS officials to review the facts and clarify available options.”

The IRS is the first organization to say publicly that it is suspending a contract with Equifax since the credit reporting agency’s security problems came to light.

Atlanta-based Equifax said its systems were not compromised by the incident on Thursday, which involved bogus pop-up windows on the web page that could trick visitors into installing software that automatically displays advertising material.

Still, the IRS said it decided to temporarily suspended its short-term contract with Equifax for identity-proofing services.

“During this suspension, the IRS will continue its review of Equifax systems and security,” the agency said in a statement. There was no indication that any of the IRS data shared with Equifax under the contract had been compromised, it added.

The move means that the IRS will temporarily be unable to create new accounts for taxpayers using its Secure Access portal, which supports applications including online accounts and transcripts. Users who already had Secure Access accounts will not be affected, the IRS said.

IRS granted the $7.25 million contract to Equifax on Sept. 29, weeks after Equifax disclosed the massive data hack that drew scathing criticism from several lawmakers.

“From its initial announcement, the timing and nature of this IRS-Equifax contract raised some serious red flags … we are pleased to see the IRS suspend its contract with Equifax,” Republican Representatives Greg Walden and Robert Latta said in a joint statement on Friday.

“Our focus now remains on protecting consumers and getting answers for the 145 million Americans impacted by this massive breach,” they said.

Government contracts in areas such as healthcare, law enforcement, social services, and tax and revenue, are major sources of revenue for Equifax.

In 2016, government services made up 5 percent of Equifax’s overall $3.1 billion in revenue, accounting for 10 percent of its workforce solutions revenues, 3 percent of its U.S. information solutions revenues, and 7 percent of its international revenues, according to a regulatory financial filing.

(Reporting by John McCrank in New York; additional reporting by Dustin Volz in Washington; Editing by Bill Rigby)

Equifax takes down web page after reports of new hack

The logo and trading information for Credit reporting company Equifax Inc. are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., September 26, 2017. REUTERS/Lucas Jackson

By John McCrank

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help web pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of 145.5 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

Equifax disclosed on Sept. 7 that its systems had been breached between mid-May and late July. In the fallout, the company has parted ways with its chief executive, chief information officer and chief security officer.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

(Reporting by John McCrank; Editing by Bill Rigby)

Yahoo says all three billion accounts hacked in 2013 data theft

Yahoo says all three billion accounts hacked in 2013 data theft

By Jonathan Stempel and Jim Finkle

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc <VZ.N>.

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of owners accounts who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expanding its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc <EFX.N> and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it was for companies to get ahead of hackers, even when they know their networks had been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

(Reporting by Munsif Vengattil, Jim Finkle, Jim Christie, Jon Stempel, and David Shepardson; writing by Stephen Nellis in San Francisco; Editing by Andrew Hay and Lisa Shumaker)

Former Equifax chief will face questions from U.S. Congress over hack

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank and David Shepardson

WASHINGTON (Reuters) – U.S. lawmakers are due to question the former head of Equifax Inc <EFX.N> at a Tuesday hearing that could shed light on how hackers accessed the personal data of more than 140 million consumers.

Richard Smith retired last week but the 57-year-old executive will answer for the breach that the credit bureau acknowledged in early September.

Late Monday, Equifax said an independent review had boosted the number of potentially affected U.S. consumers by 2.5 million to 145.5 million.

In March, the U.S. Homeland Security Department alerted Equifax to an online gap in security but the company did nothing, said Smith.

“The vulnerability remained in an Equifax web application much longer than it should have,” Smith said in remarks prepared for delivery on Tuesday. “I am here today to apologize to the American people myself.”

Smith will face the House Energy and Commerce Committee on Tuesday but there will be three more such hearings this week.

Equifax keeps a trove of consumer data for banks and other creditors who want to know whether a customer is likely to default.

The cyber-hack has been a calamity for Equifax which has lost roughly a quarter of its stock market value and seen several top executives step down alongside Smith.

Smith’s replacement, Paulino do Rego Barros Jr., has also apologized for the hack and said the company will help customers freeze their credit records and monitor any misuse.

There has been a public outcry about the breech but no more than 3.0 percent of consumers have frozen their credit reports, according to research firm Gartner, Inc.

Smith said hackers tapped sensitive information between mid-May and late-July.

Security personnel noticed suspicious activity on July 29 and disabled web application a day later, ending the hacking, Smith said. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

(Patrick Rucker contributed from Washington; editing by Clive McKeef.)

Equifax apologizes as U.S. watchdog calls for more oversight

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank

(Reuters) – Equifax Inc promised to make it easier for consumers to control access to their credit records in the wake of the company’s massive breach after the top U.S. consumer financial watchdog called on the industry to introduce such a system.

Equifax’s interim chief executive officer, Paulino do Rego Barros Jr., vowed to introduce a free service by Jan. 31 that will let consumers control access to their own credit records.

Barros, who was named interim CEO on Tuesday as Richard Smith stepped down from the post amid mounting criticism over the handling of the cyber attack, also apologized for providing inadequate support to consumers seeking information after the breach was disclosed on Sept. 7. He promised to add call-center representatives and bolster a breach-response website.

“I have heard the frustration and fear. I know we have to do a better job of helping you,” Barros said in a statement published in The Wall Street Journal.

Equifax announced the free credit freeze service after the Consumer Financial Protection Bureau’s (CFPB) director, Richard Cordray, told CNBC earlier in the day that the agency would beef up oversight of Equifax and its rivals.

“The old days of just doing what they want and being subject to lawsuits now and then are over,” Cordray said.

He also called for implementing a scheme of preventive credit monitoring.

“They are going to have to accept that. They are going to have to welcome it. They are going to have to be very forthcoming,” Cordray said.

The Equifax hack compromised sensitive data of up to 143 million Americans and prompted investigations by lawmakers and regulators, including the New York Department of Financial Services (DFS), which issued a subpoena to Equifax demanding more information about the breach.

Federal laws give the CFPB the power to supervise and examine large credit-reporting firms to ensure the quality of information they provide. In January, the CFPB fined TransUnion and Equifax $5.5 million in total for deceiving customers about the usefulness and cost of their credit scores.

Cordray called for expanded powers to cover data security to prevent breaches and suggested placing monitors inside credit reporting firms, borrowing a tactic from the regulatory regime for banks.

The CFPB is working with the Federal Trade Commission and New York’s DFS on a new regulatory framework, Cordray said. He also called for Congress to tighten oversight of the industry.

TransUnion said in a statement that it had “long been subject to regulatory oversight from state and federal regulators including the CFPB.”

Experian did not respond to requests for comment.

(Reporting by John McCrank in New York; Additional reporting by Lisa Lambert in Washington and Jim Finkle in Toronto; Writing by Michelle Price; Editing by Tom Brown and Leslie Adler)

Where consumers should turn after the Equifax breach

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By Gail MarksJarvis

NEW YORK (Reuters) – There is a widespread sense of fear hanging over consumers in the aftermath of the data breach at credit-monitoring firm Equifax revealed in early September that approximately 143 million consumers’ personal and financial records were exposed.

It would be bad enough if people were merely worried about crooks using their Social Security numbers to empty their bank accounts or steal tax refunds. But they also have a feeling of defenselessness as they come to the realization that they cannot even trust where to go for help.

“Trust has vanished completely,” says Neal O’Farrell, executive director of the Identity Theft Council. “If you don’t know who to trust anymore, you don’t even know who to go to for help.”

A worried Chicago resident echoed this in an email after going to the Equifax website to get a credit freeze: “I received the follow-up email a few days ago and had to give the last four digits of my Social Security number and answer some credit questions from my credit history. Now I am wondering if even that email response to my filing for the freeze is even legitimate. I’ve become paranoid about giving any information over the Internet.”

While the main Equifax line (1-866-349-5191) consistently gives out a busy signal if you seek an agent, cyber security experts believe that technologically clever crooks could be creating phony emails and websites that look legit.

The emails may appear to be from the four credit bureaus – Equifax, Experian, TransUnion and Innovis – or financial institutions, credit monitoring firms and even the government.

“Scammers will use realistic-looking sites,” said John Krebs, who heads the Federal Trade Commission’s identity theft program. “Emails may create a sense of urgency so people click on a link.”

But clicking on a link can allow scammers to infiltrate your computer and get your data, if they do not have it already. To stay safe, do not answer questions in emails or phone numbers in those emails, said Krebs. Instead, look up a main number for that institution and call them directly.

You can find contacts at the Federal Trade Commissions website on identity theft (https://identitytheft.gov/Top-Company-Contacts).

BEWARE OF SPOOFS

In one example of vulnerability, a spoof site was created recently to look just like the actual Equifax site (equifaxsecurity2017.com) where people could ask whether their Social Security numbers were stolen. It was so convincing that at one point, an Equifax representative on Twitter mistakenly directed people to the fake site, said Brian Krebs, an investigative reporter for KrebsonSecurity.com – and no relation to the FTC’s John Krebs.

Luckily, the fake site was created by an individual simply to show the weaknesses in the system and it was taken down after making its point, Brian Krebs noted.

There are other alarming signs that you are vulnerable even when trying to protect yourself. KrebsOnSecurity.com recently reported that a credit freeze to keep crooks from opening lines of credit may not be as solid as you think.

The site found a weakness on Experian that would allow a crook to start the process of retrieving a PIN and unlocking the freeze simply by using the Social Security numbers and addresses stolen from Equifax.

Some security questions are also included, but Brian Krebs thinks answers would be easy to figure out using Internet searches. In a statement, Experian said the process of retrieving PINs goes beyond that.

Still, with trust shaken, Brian Krebs worries: “People are going to throw up their hands and say, ‘Who cares?’ But that does them no good.”

Instead, he recommends going through the steps to put the freezes on their credit at the four bureaus while keeping a vigilant eye out for the next scam.

(The opinions expressed here are those of the author, a columnist for Reuters.)

(Editing by Beth Pinsker and G Crosse)

SEC chair grilled by Senate panel over cyber breach, Equifax

Jay Clayton, Chairman of the Securities and Exchange Commission, arrives for a Senate Banking hearing on Capitol Hill in Washington, U.S. September 26, 2017. REUTERS/Aaron P. Bernstein

By Michelle Price and Pete Schroeder

WASHINGTON (Reuters) – The chairman of the U.S. Securities and Exchange Commission (SEC) told a congressional committee on Tuesday he did not believe his predecessor Mary Jo White knew of a 2016 cyber breach to the regulator’s corporate disclosure system, the exact timing of which could not be known “for sure.”

Jay Clayton, who was formally appointed to his role in May, also said listed companies should disclose more detailed information on cyber breaches “sooner,” and that the U.S. regulator was working on new guidelines to ensure this.

The Senate Banking Committee grilled Clayton on Tuesday over a 2016 hack of EDGAR, the agency’s online corporate financial disclosure system, only disclosed last Wednesday, which has shaken confidence in the SEC’s cyber defenses.

Clayton said he had decided last weekend to disclose the breach once he had enough information to establish it was “serious,” but he would not be drawn on who at the agency had known about it and whether there was an attempt to cover it up.

“I have no belief sitting here that Chair White knew,” Clayton said when asked whether his predecessor had been aware of the hack, adding: “I don’t think we can know for sure” on the exact timing of the breach.

Clayton fielded several questions from senators on the recent Equifax Inc data breach in which hackers stole personal data of about 143 million customers of the credit reporting firm, including on the timing of the company’s disclosure.

Although the former Wall Street lawyer declined to comment on whether the SEC was investigating stock sales made by Equifax executives prior to the disclosure, he said he was “not ignoring” the issue.

The hearing, which had been scheduled prior to the disclosure of the SEC’s breach, offered lawmakers, companies and investors the first opportunity to hear from the SEC chief on the incident.

Clayton originally had been scheduled to discuss capital market reform at his first hearing before the committee since being formally appointed in May, but his pro-growth agenda was largely eclipsed by the SEC breach and the Equifax scandal.

Wall Street’s top regulator came under fire last week after disclosing that hackers might have used information stolen from EDGAR, which houses millions of market-sensitive corporate disclosures such as earnings releases, for insider trading.

“When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug,” Senator Sherrod Brown, the ranking Democratic member of the committee, asked Clayton during opening remarks.

“What else are we not being told, what other information is at risk, and what are the consequences?” Brown asked. “How can you expect companies to do the right thing when your agency has not?”

CYBER DEFENSES EYED

Reuters reported on Monday that the Federal Bureau of Investigation and the U.S. Secret Service have launched investigations into the breach, which occurred in October 2016 and appeared to have been routed through servers in Eastern Europe. The breach appeared to have been one of several cyber incidents documented by the SEC in recent months, Reuters reported.

Clayton said he only learned about the 2016 hack in August and that the SEC’s enforcement staff and inspector general’s office have launched internal probes.

The regulator reported the breach to the Department of Homeland Security’s Computer Emergency Readiness Team when it was first discovered, Clayton said in the testimony, adding the regulator plans to hire more cyber security experts.

Clayton said the hack was possibly the result of a defect in the EDGAR software and said that personally identifiable information did not appear to have been put at risk, but he declined to provide further detail.

He said the SEC was still determining the extent and impact of the breach and that it could take “substantial time” to complete due to the amount of data that needed to be analyzed.

The committee also quizzed Clayton about other potential breaches at the agency and the regulator’s general cyber defenses.

Clayton said he could not say with “100 percent certainty” that the EDGAR breach was the only one suffered by the agency, and added that he planned to ask Congress for more funds to tackle the rising cyber threat.

“We’re going to need more money for cyber security, and I intend to ask for it.”

(Reporting by Michelle Price and Pete Schroeder; editing by Leslie Adler and G Crosse)

Equifax CEO retires following massive cyber attack

The logo and trading information for Credit reporting company Equifax Inc. are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., September 26, 2017. REUTERS/Lucas Jackson

By Dustin Volz and John McCrank

(Reuters) – Equifax Inc said on Tuesday its Chief Executive Officer Richard Smith will step down and forgo his annual bonus, a move that came weeks into a mounting crisis at the credit-monitoring firm stemming from a massive data breach.

Equifax is being investigated by the U.S. Federal Trade Commission, and faces a barrage of questions from Congress and public ire over what has widely been viewed as a bungled response to a hack that exposed the personal details of up to 143 million U.S. consumers.

The credit-monitoring firm disclosed on Sept. 7 that hackers had access to its systems between mid-May and July.

The announcement that Smith, 57, would depart came ten days after the company said its chief information officer and chief security officer were retiring.

Shares of Equifax were down 1.6 percent at $103.35 early on Tuesday.

“At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” Smith said in a statement.

Paulino do Rego Barros, 61, who was most recently president of Equifax’s Asia-Pacific operations, will be interim CEO.

The announcement comes a week before Smith was expected to testify before multiple congressional committees about the cyber attack.

A spokeswoman for the U.S. House Energy and Commerce Committee said Smith, whose retirement was effective on Tuesday, would still testify before the panel on Oct. 3. The Senate Banking Committee did not immediately respond when asked if Smith would appear as scheduled on Oct. 4.

“Rick Smith is scheduled to testify before Congress. It’s up to the committee to decide if they want another executive,” an Equifax spokeswoman said in an emailed statement. “We will fully cooperate with Congress, as we have since this cybersecurity incident was first disclosed.”

The company and Smith agreed that Equifax will defer any decision related to “any obligations or benefits” owed to him until the company’s board completes an independent review of the breach, according to a regulatory filing. Smith earned a total of $14.96 million in 2016.

Equifax shares have fallen more than 30 percent since the disclosure of the breach amid mounting criticism from lawmakers, regulators and consumers about the hack and the company’s response to it.

In 2014, Target CEO Greg Steinhafel left the retailer after it was revealed hackers had accessed credit card and personal information belonging to tens of millions of shoppers.

(Reporting by John McCrank in New York, Dustin Volz in Washinton and Supantha Mukherjee in Bengaluru; Editing by Sai Sachin Ravikumar and Meredith Mazzilli)

Equifax says 100,000 Canadians likely affected by data breach

Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

TORONTO (Reuters) – Credit scoring company Equifax Inc said on Tuesday that the personal details of around 100,000 Canadians were exposed in the massive breach it disclosed earlier this month.

The company said criminals got access to files containing personal information of some Canadian consumers – including names, addresses, social insurance numbers and in some cases credit card information – via a consumer website application intended for use by U.S. consumers.

It was the first estimate of Canadian exposure the company has provided since saying on Sept. 7 that Canadian and UK residents were also at risk in the attack, in which details on some 143 million U.S. consumers had been exposed.

Lisa Nelson, the president and general manager of Equifax Canada, apologized to those who may have been affected and acknowledged frustration about a lack of clarity, saying the company would write to them with steps they should take.

Equifax said last week that it would likely need to contact fewer than 400,000 British consumers whose personal information may have been accessed in the breach.

(Reporting by Alastair Sharp; Editing by Dan Grebler)

New York governor wants credit-reporting firms to follow cyber rules

Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

By Diane Bartz and Suzanne Barlyn

WASHINGTON/NEW YORK (Reuters) – New York Governor Andrew Cuomo said on Monday that he wants credit-reporting firms to comply with the state’s cyber-security regulations, the latest government official to crack down on the industry in the wake of the massive Equifax hack.

Also on Monday, Bloomberg News reported that federal authorities have opened a criminal probe into stock sales by three Equifax Inc <EFX.N> executives before the company disclosed the massive data breach, news that has weighed heavily on the stock price.

The company has said the executives were unaware of the hack when they sold the stock for $1.8 million.

Equifax’s legal woes worsened as the U.S Attorney’s office in Atlanta issued a statement saying it was working with the FBI on a criminal investigation into the breach and theft of personal information.

Equifax shares rose 1.5 percent on Monday after losing about a third of their value since the hack was announced. The Equifax breach discovered on July 29 exposed sensitive data like Social Security numbers of up to 143 million people.

Cuomo said he planned to require all credit-reporting agencies to register with the state and comply with its cyber-security rules.

The proposed regulation would take effect in February, Cuomo said in a statement. If the companies do not register, they risk being barred from doing business with financial companies regulated by New York state.

The state would be able to bar credit-reporting agencies, including TransUnion <TRU.N> and Experian Plc <EXPN.L>, as well as Equifax, from doing business in New York if the state found they engaged in “unfair, deceptive or predatory practices,” Cuomo said.

“The Equifax breach was a wake-up call,” Cuomo said. “And with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Proposed regulations are typically subject to a period for public comment before they become final.

A New York state cyber-security regulation, the first of its kind in the United States, took effect on March 1. It requires financial firms to take measures to protect networks and customer data from hackers and disclose cyber events to regulators.

Maine is the only U.S. state that requires credit agencies to register, said William Lund, superintendent of the Maine Bureau of Consumer Credit Protection. But its law does not cover cyber security, an issue the bureau will have to consider, Lund said.

Maine, which has been registering credit-reporting agencies since the 1990s, has 30 such agencies on its roster, ranging from the largest to those dealing with everything from check approval to tenants’ rental histories, he added.

The three credit-reporting agencies did not respond to requests for comment on Cuomo’s plan.

Bloomberg reported on Monday that the U.S. Justice Department is investigating whether Equifax’s chief financial officer, John Gamble, and two other executives broke insider-trading rules by selling stock after the breach was discovered in July and weeks before it was disclosed this month.

Reuters was not able to confirm the Bloomberg report.

Separately, the company issued a statement saying a second Bloomberg report late on Monday about a second cyber attack in March referred to a breach at Equifax payroll unit that was previously reported to regulators, customers and consumers and also been covered by the press.

“Equifax complied fully with all consumer notification requirements related to the March incident. The two events are not related,” the statement said.

(Reporting by Diane Bartz and Suzanne Barlyn; Additional reporting by Sarah N. Lynch, David Shepardson and Dustin Volz; Editing by Jim Finkle, Leslie Adler and Michael Perry)