United States-based consumer credit reporting agency, Equifax, is facing a storm of criticism over a hack that may have compromised personal data for some 143 million individuals in the US, with consumers clamouring for answers and cyber security experts questioning the response to the massive breach.
Lawmakers and regulators have joined the chorus, scrutinising the company's follow-up as it encouraged potential victims to sign up for free credit monitoring services.
Equifax shares tumbled as much as 18 per cent, the biggest one-day drop in 16 years, as complaints mounted that the company's online and phone support systems were either broken or insufficient.
The hack, which is among the largest ever recorded, was especially alarming due to the richness of the information exposed, which included names, birthdays, addresses and Social Security and driver's license numbers, cyber researchers said.
"Another day, another dumpster fire in cyber security,” said Ryan Kalember, senior vice president of cyber security firm Proofpoint.
The breach was "especially troubling" because companies that have suffered data breaches typically offer free credit monitoring services from firms like Equifax, which has now itself suffered a huge cyber attack, he added.
Bigger hacks, such as those disclosed by Yahoo last year, did not put as much sensitive information at risk.
Responding to criticism, Equifax apologised in a corporate statement Friday evening for any inconvenience caused by its support website or call centre.
It said the site was now functioning properly and that it had tripled the size of its call centre team to more than 2000 agents, with more to be added.
Moody’s Investors Service said on Friday that the breach would impede Equifax’s growth over the next three to four quarters and hurt its reputation as a custodian of consumer data.
The company would incur significant costs to remediate the breach, potential litigation and regulatory action, and higher cyber insurance premiums, Moody's said. But it said that Equifax's rating and stable outlook were not affected.
Credit monitoring services such as Equifax collect vast amounts of financial information from consumers without their knowledge, working with banks and other lenders, for example, to track the creditworthiness of individuals.
At least five state attorneys general, including those of New York and Illinois, said they were formally investigating the breach.
Two proposed class-action lawsuits, one filed in Portland, Oregon, and one in Atlanta, alleged that Equifax had been negligent in protecting consumer data.
Atlanta-based Equifax disclosed the breach on Thursday and said the company had discovered it on 29 July. It said hackers accessed accounts between mid-May and July, and some British and Canadian residents were also affected.
The company has not said specifically how attackers were able to break in or why it did not disclose the breach sooner.
Robert W. Baird & Co analyst Jeffrey Meuler wrote to clients that the hackers used a flaw in open-source Struts software, distributed by the nonprofit Apache Software Foundation.
Meuler in the note did not provide the source of the information, and he did not respond to requests for comment.
Equifax did not respond to questions seeking comment.
Struts is widely used in major companies, and an Apache spokeswoman said it appeared that Equifax had not applied the patches for flaws that have been discovered this year.
In March, Apache warned of one flaw, and attack code soon circulated, with hackers exploiting taking advantage soon after that, researchers said.
The Federal Bureau of Investigation said it is tracking the data breach. A US intelligence official told Reuters it was too soon to know if the attack was strictly criminal in nature or if it had the backing of a foreign government.
(Reporting by Dustin Volz and David Shepardson in Washington; Additional reporting by Aishwarya Venugopal, Sweta Singh, Pete Schroeder, Jonathan Stempel, Mark Hosenball and Joseph Menn; Editing by Meredith Mazzilli and Leslie Adler)
