US-based credit reporting agency Equifax
Lawmakers and regulators joined the chorus, scrutinizing the company's follow-up as it encouraged potential victims to sign up for free credit monitoring services. Equifax shares tumbled as much as 18 percent, the biggest one-day drop in 16 years, as complaints mounted that the company's online and phone support systems were either broken or insufficient.
The hack, among the largest ever recorded, was especially alarming due to the richness of the information exposed, which included names, birthdays, addresses and Social Security and driver's licence numbers, cyber researchers said.
"Another day, another dumpster fire in cyber security," said Ryan Kalember, senior vice president of cyber security firm Proofpoint. The breach was "especially troubling" because companies that have suffered data breaches typically offer free credit monitoring services from firms like Equifax, which has now itself suffered a huge cyber attack, he added.
Bigger hacks, such as those disclosed by Yahoo last year, did not put as much sensitive information at risk.
Responding to criticism, Equifax apologised in a corporate statement last Friday evening for any inconvenience caused by its support website or call centre.
It said the site was now functioning properly and that it had tripled the size of its call centre team to more than 2000 agents, with more to be added.
Credit monitoring services such as Equifax collect vast amounts of financial information from consumers without their knowledge, working with banks and other lenders, for example, to track the creditworthiness of individuals.
At least five state attorneys general, including those of New York and Illinois, said they were formally investigating the breach.
Two proposed class-action lawsuits, one filed in Portland, Oregon, and one in Atlanta, alleged that Equifax had been negligent in protecting consumer data.
Equifax disclosed the breach on Thursday and said the company had discovered it on July 29. It said hackers accessed accounts between mid-May and July, and some British and Canadian residents were also affected.
The company has not said specifically how attackers were able to break in or why it did not disclose the breach sooner.
Robert W. Baird & Co analyst Jeffrey Meuler wrote to clients that the hackers used a flaw in open-source Struts software, distributed by the nonprofit Apache Software Foundation.
Meuler in the note did not provide the source of the information, and he did not respond to requests for comment.
Equifax did not respond to questions seeking comment.
Struts is widely used in major companies, and an Apache spokeswoman said it appeared that Equifax had not applied the patches for flaws that have been discovered this year.
In March, Apache warned of one flaw, and attack code soon circulated, with hackers taking advantage of it soon after that, researchers said.
The Federal Bureau of Investigation said it was tracking the data breach. A US intelligence official told Reuters it was too soon to know if the attack was strictly criminal in nature or if it had the backing of a foreign government.
Waived legal rights?
Equifax drew scrutiny for terms of service that accompanied a free credit monitoring offering to all U.S. consumers worried about the data breach that it promoted on its support website.
Agreeing to the terms appeared to forfeit some rights to sue individually or join a class-action suit, but Equifax said on its website that the arbitration clause applied only to the credit monitoring offer and not to any damages caused by the recently discovered data breach.
The U.S. Consumer Financial Protection Bureau, however, still had concerns with the terms associated with the free credit monitoring offer. It is "troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company's breach put their personal information at risk," a CFPB spokesman said in a statement.
Some cyber security experts criticized Equifax for setting up a support website under a different domain than the company's main website, mirroring a tactic that can be used to fraudulently collect data.
Reporting by Dustin Volz, David Shepardson, Aishwarya Venugopal, Sweta Singh, Pete Schroeder, Jonathan Stempel, Mark Hosenball and Joseph Menn. Editing by Meredith Mazzilli and Leslie Adler