WASHINGTON – U.S. Sen. Elizabeth Warren said Friday she has begun an investigation into Equifax’s massive data breach and, along with 11 other Democratic senators, introduced a bill to allow consumers to freeze their credit for free.
Equifax came under increased pressure from lawmakers and U.S. states on Friday, while Canada said that it, too, is opening an investigation into a data breach that exposed sensitive information of some 143 million people.
The breach is considered one of the worst-ever — the December 2016 Yahoo attack was considered the biggest as data on as many as 1 billion accounts was leaked — because of the nature of data collected: bank, credit card and Social Security numbers, plus personal information such as addresses that could be of value to hackers and others.
Warren, who has built a reputation as a fierce consumer champion, also signaled in a letter to the Consumer Financial Protection Bureau (CFPB), the agency she helped create in the wake of the 2007-2009 financial crisis, that it may require extra powers to ensure closer federal oversight of credit reporting agencies.
Warren also wrote letters to Equifax and rival credit monitoring agencies TransUnion and Experian, federal regulators and the Government Accountability Office to see if new federal legislation is needed to protect consumers.
Warren said the proposed bill will stop companies like Equifax from charging consumers to freeze their credit files. A credit freeze restricts access to an individual’s credit report, which prevents thieves from applying for credit using another person’s information.
Connecticut Attorney General George Jepsen and more than 30 others in a state group investigating the breach said that while Equifax has agreed to give free credit monitoring to hack victims, they asked Equifax to stop collecting any money to monitor or freeze credit.
“Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair,” Jepsen said.
Also Friday, the chairman and ranking member of the Senate subcommittee on Social Security urged the Social Security Administration to consider nullifying its contract with Equifax and consider making the company ineligible for future government contracts.
The two senators, Bill Cassidy, a Republican, and Democrat Sherrod Brown, said they were concerned that personal information maintained by the Social Security Administration may also be at risk because the agency worked with Equifax to build its e-Authentication security platform.
Equifax has reported that for 2016, state and federal governments accounted for 5 percent of its total revenue of $3.1 billion.
Equifax, which creates individual credit reports used by lenders to assess a consumer’s creditworthiness, has come under intense criticism for what has been described as a slow, inadequate and confusing response to the hack.
The company has hired public relations companies DJE Holdings and McGinn and Company to manage its response to the hack, PR Week reported. Equifax and the two PR firms declined to comment on the report.
Investors have dumped Equifax’s stock, with share prices down more than a third since the company disclosed the hack on Sept. 7. Shares shed another 3.8 percent on Friday to close at $92.98.
Equifax, which disclosed the breach more than a month after it learned of it on July 29, said at the time that thieves may have stolen the personal information of 143 million Americans in one of the largest hacks ever.
The problem is not restricted to the United States.
Equifax said Friday that data on up to 400,000 Britons was stolen in the hack because it was stored in the United States. The data included names, email addresses and telephone numbers but not street addresses or financial data, Equifax said.
Canada’s privacy commissioner said Friday that it has launched an investigation into the data breach. Equifax is still working to determine the number of Canadians affected, the Office of the Privacy Commissioner of Canada said in a statement.
In her letters to the regulators, Warren questioned the overall regulatory framework for credit reporting agencies, which are not subject to the same scrutiny as mortgage lenders or credit card providers.
The CFPB supervises credit reporting firms’ compliance with consumer protection laws but does not directly license or intensively monitor the companies.
A spokesperson for the CFPB did not reply to a request for comment.
Equifax said Friday that two executives entrusted with watching over its computers are retiring. The Equifax chief information officer and head of security will retire, effective immediately, as “part of the company’s ongoing review of the cybersecurity incident.”
An as yet unspecified number of Canadian and British customers may have also been affected by the hack at Equifax, one of the three major credit bureaus that collect consumer financial data.
Filings with the U.S. Securities and Exchange Commission showed that three high-ranking Equifax executives sold shares worth almost $1.8 million in the days after the hack was discovered.
An Equifax spokesperson said the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”