(Reuters) – Equifax Inc (EFX.N) faced a storm of criticism on Friday over a hack that may have compromised personal data for some 143 million Americans, with customers clamoring for answers and cyber security experts questioning the response to the massive breach.
Lawmakers and regulators also joined the chorus, scrutinizing the company’s follow-up as it encouraged potentially affected customers to sign up for free credit monitoring services, and Equifax shares tumbled as much as 18 percent.
The hack, among the largest ever recorded, was especially alarming due to the richness of the information exposed, which included names, birthdays, addresses and Social Security and driver’s license numbers, cyber researchers said.
”Another day, another dumpster fire in cyber security,” said Ryan Kalember, senior vice president of cyber security firm Proofpoint. The breach was “especially troubling” because companies typically offer free credit monitoring services from firms like Equifax, which has now itself suffered a huge cyber attack, he added.
Bigger hacks, such as those disclosed by Yahoo last year, did not put as much sensitive information at risk.
At least five state attorneys general, including New York and Illinois, said they were formally investigating the breach.
”My office intends to get to the bottom of how and why this massive hack occurred,” said New York Attorney General Eric Schneiderman said in a statement.
Two proposed class-action lawsuits, one filed in Portland, Oregon, and another in Atlanta, Georgia, alleged that Equifax had been negligent in protecting consumer data.
Equifax disclosed on Thursday the breach it had discovered on July 29. It said hackers accessed accounts between mid-May and July and some British and Canadian residents were also affected.
The Atlanta-based company has not said specifically how attackers were able to break in or why it did not disclose the breach sooner.
The FBI said it is tracking the matter and a U.S. intelligence official told Reuters it was too soon to know if the attack was strictly criminal in nature or if it had the backing of a foreign government.
Twitter users on Friday reported customer service representatives were difficult to reach and either unhelpful or unaware that the breach had occurred.
WAIVED LEGAL RIGHTS?
The company also drew scrutiny for terms of service that accompanied its offer of credit monitoring.
Agreeing to the terms appeared to forfeit some rights to sue individually or join a class-action suit, but Equifax said on its website the arbitration clause applied only to the credit monitoring offer and not the original hack.
Schneiderman said on Twitter that his staff had asked Equifax to remove language from its terms asking consumers to waive rights as part of a class-action suit.
“After conversations w my office, @Equifax has clarified its policy re: arbitration. We are continuing to closely review,” he tweeted.
A U.S. Consumer Financial Protection Bureau spokesman had in a statement flagged concerns with the original terms, noting it was “troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company’s breach put their personal information at risk.”
The CFPB recently established rules barring so-called mandatory arbitration language in financial contracts.
But those regulations are due to take effect later this month and only apply to contracts going forward, meaning Equifax is within its right to mandate arbitration to settle disputes currently.
Republicans in Congress are attempting to do away with the rule. In July, the U.S. House of Representatives passed legislation that would scrap it, and a similar effort is pending in the Senate.
Equifax did not immediately respond on Friday when asked about criticism of its response or its terms of service.
A Reuters reporter attempted to enroll late on Thursday in the service Equifax set up to let customers know if they had been affected and received a confirmation that said enrollment would begin next Tuesday.
“Please be sure to mark your calendar as you will not receive additional reminders,” the confirmation said. It did not state whether the reporter had been impacted by the breach.
Some cyber security experts criticized Equifax for setting up a support website under a different domain than the company’s main website, mirroring a tactic that can be used to fraudulently collect data.
CALLS FOR HEARINGS
The House Financial Services Committee will hold a hearing on the breach, though no date had been set, a committee spokesman told Reuters.
U.S. Representative Ted Lieu asked Equifax why it waited so long to disclose the breach and has asked the House Judiciary Committee to also hold a hearing with the three major credit reporting agencies to explain how they will prevent future attacks.
Within the past two years, Equifax has had W-2 tax data stolen from its website and a subsidiary. Larger rival Experian Plc (EXPN.L) reported a data breach two years ago involving some 15 million people.
Democratic Senator Richard Blumenthal pointed to Equifax’s previous incidents and said it had “no excuse” for not strengthening cyber security, and called on the U.S. Federal Trade Commission to investigate whether the firm had done enough to secure its systems.
Equifax shares were last down 13 percent on the day at $123.18 after touching a more than seven-month low.
“Obviously the size and scope of this breach will likely drive a number of negative headlines for EFX that will weigh on its brand for the foreseeable future,” Barclays analyst Manav Patnaik wrote in a note.
Shares of rival TransUnion (TRU.N) were down 4 percent, while Experian fell 1.3 percent.
Three Equifax executives, including Chief Financial Officer John Gamble, sold shares worth nearly $1.8 million three days after the breach was detected, according to regulatory filings.
The company said in a statement the executives were not aware an intrusion had occurred when they sold their shares.
Equifax handles data on more than 820 million consumers and 91 million businesses worldwide and manages employee information from more than 7,100 employers, according to its website.
Reporting by Dustin Volz and David Shepardson in Washington, additional reporting by Aishwarya Venugopal, weta Singh, Pete Schroader, Jonathan Stempel, and Mark Hosenball; Editing by Meredith Mazzilli