Where consumers should turn after the Equifax breach

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By Gail MarksJarvis

NEW YORK (Reuters) – There is a widespread sense of fear hanging over consumers in the aftermath of the data breach at credit-monitoring firm Equifax, which revealed in early September that approximately 143 million consumers’ personal and financial records were exposed.

It would be bad enough if people were merely worried about crooks using their Social Security numbers to empty their bank accounts or steal tax refunds. But they also have a feeling of defenselessness as they come to the realization that they cannot even trust where to go for help.

“Trust has vanished completely,” says Neal O’Farrell, executive director of the Identity Theft Council. “If you don’t know who to trust anymore, you don’t even know who to go to for help.”

A worried Chicago resident echoed this in an email after going to the Equifax website to get a credit freeze: “I received the follow-up email a few days ago and had to give the last four digits of my Social Security number and answer some credit questions from my credit history. Now I am wondering if even that email response to my filing for the freeze is even legitimate. I’ve become paranoid about giving any information over the Internet.”

While the main Equifax line (1-866-349-5191) consistently gives out a busy signal if you seek an agent, cyber security experts believe that technologically clever crooks could be creating phony emails and websites that look legit.

The emails may appear to be from the four credit bureaus – Equifax, Experian, TransUnion and Innovis – or financial institutions, credit monitoring firms and even the government.

“Scammers will use realistic-looking sites,” said John Krebs, who heads the Federal Trade Commission’s identity theft program. “Emails may create a sense of urgency so people click on a link.”

But clicking on a link can allow scammers to infiltrate your computer and get your data, if they do not have it already. To stay safe, do not answer questions in emails or call phone numbers given in those emails, said Krebs. Instead, look up a main number for that institution and call them directly.

You can find contacts at the Federal Trade Commission’s website on identity theft (https://identitytheft.gov/Top-Company-Contacts).

BEWARE OF SPOOFS

In one example of vulnerability, a spoof site was created recently to look just like the actual Equifax site (equifaxsecurity2017.com) where people could ask whether their Social Security numbers were stolen. It was so convincing that at one point, an Equifax representative on Twitter mistakenly directed people to the fake site, said Brian Krebs, an investigative reporter for KrebsOnSecurity.com – and no relation to the FTC’s John Krebs.

Luckily, the fake site was created by an individual simply to show the weaknesses in the system and it was taken down after making its point, Brian Krebs noted.

There are other alarming signs that you are vulnerable even when trying to protect yourself. KrebsOnSecurity.com recently reported that a credit freeze to keep crooks from opening lines of credit may not be as solid as you think.

The site found a weakness on Experian that would allow a crook to start the process of retrieving a PIN and unlocking the freeze simply by using the Social Security numbers and addresses stolen from Equifax.

Some security questions are also included, but Brian Krebs thinks answers would be easy to figure out using Internet searches. In a statement, Experian said the process of retrieving PINs goes beyond that.

Still, with trust shaken, Brian Krebs worries: “People are going to throw up their hands and say, ‘Who cares?’ But that does them no good.”

Instead, he recommends going through the steps to put the freezes on their credit at the four bureaus while keeping a vigilant eye out for the next scam.

(The opinions expressed here are those of the author, a columnist for Reuters.)

(Editing by Beth Pinsker and G Crosse)

SEC chair grilled by Senate panel over cyber breach, Equifax

Jay Clayton, Chairman of the Securities and Exchange Commission, arrives for a Senate Banking hearing on Capitol Hill in Washington, U.S. September 26, 2017. REUTERS/Aaron P. Bernstein

By Michelle Price and Pete Schroeder

WASHINGTON (Reuters) – The chairman of the U.S. Securities and Exchange Commission (SEC) told a congressional committee on Tuesday he did not believe his predecessor Mary Jo White knew of a 2016 cyber breach to the regulator’s corporate disclosure system, the exact timing of which could not be known “for sure.”

Jay Clayton, who was formally appointed to his role in May, also said listed companies should disclose more detailed information on cyber breaches “sooner,” and that the U.S. regulator was working on new guidelines to ensure this.

The Senate Banking Committee grilled Clayton on Tuesday over a 2016 hack of EDGAR, the agency’s online corporate financial disclosure system, only disclosed last Wednesday, which has shaken confidence in the SEC’s cyber defenses.

Clayton said he had decided last weekend to disclose the breach once he had enough information to establish it was “serious,” but he would not be drawn on who at the agency had known about it and whether there was an attempt to cover it up.

“I have no belief sitting here that Chair White knew,” Clayton said when asked whether his predecessor had been aware of the hack, adding: “I don’t think we can know for sure” on the exact timing of the breach.

Clayton fielded several questions from senators on the recent Equifax Inc data breach in which hackers stole personal data of about 143 million customers of the credit reporting firm, including on the timing of the company’s disclosure.

Although the former Wall Street lawyer declined to comment on whether the SEC was investigating stock sales made by Equifax executives prior to the disclosure, he said he was “not ignoring” the issue.

The hearing, which had been scheduled prior to the disclosure of the SEC’s breach, offered lawmakers, companies and investors the first opportunity to hear from the SEC chief on the incident.

Clayton originally had been scheduled to discuss capital market reform at his first hearing before the committee since being formally appointed in May, but his pro-growth agenda was largely eclipsed by the SEC breach and the Equifax scandal.

Wall Street’s top regulator came under fire last week after disclosing that hackers might have used information stolen from EDGAR, which houses millions of market-sensitive corporate disclosures such as earnings releases, for insider trading.

“When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug,” Senator Sherrod Brown, the ranking Democratic member of the committee, asked Clayton during opening remarks.

“What else are we not being told, what other information is at risk, and what are the consequences?” Brown asked. “How can you expect companies to do the right thing when your agency has not?”

CYBER DEFENSES EYED

Reuters reported on Monday that the Federal Bureau of Investigation and the U.S. Secret Service have launched investigations into the breach, which occurred in October 2016 and appeared to have been routed through servers in Eastern Europe. The breach appeared to have been one of several cyber incidents documented by the SEC in recent months, Reuters reported.

Clayton said he only learned about the 2016 hack in August and that the SEC’s enforcement staff and inspector general’s office have launched internal probes.

The regulator reported the breach to the Department of Homeland Security’s Computer Emergency Readiness Team when it was first discovered, Clayton said in the testimony, adding the regulator plans to hire more cyber security experts.

Clayton said the hack was possibly the result of a defect in the EDGAR software and said that personally identifiable information did not appear to have been put at risk, but he declined to provide further detail.

He said the SEC was still determining the extent and impact of the breach and that it could take “substantial time” to complete due to the amount of data that needed to be analyzed.

The committee also quizzed Clayton about other potential breaches at the agency and the regulator’s general cyber defenses.

Clayton said he could not say with “100 percent certainty” that the EDGAR breach was the only one suffered by the agency, and added that he planned to ask Congress for more funds to tackle the rising cyber threat.

“We’re going to need more money for cyber security, and I intend to ask for it.”

(Reporting by Michelle Price and Pete Schroeder; editing by Leslie Adler and G Crosse)

Equifax CEO retires following massive cyber attack

The logo and trading information for Credit reporting company Equifax Inc. are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., September 26, 2017. REUTERS/Lucas Jackson

By Dustin Volz and John McCrank

(Reuters) – Equifax Inc said on Tuesday its Chief Executive Officer Richard Smith will step down and forgo his annual bonus, a move that came weeks into a mounting crisis at the credit-monitoring firm stemming from a massive data breach.

Equifax is being investigated by the U.S. Federal Trade Commission, and faces a barrage of questions from Congress and public ire over what has widely been viewed as a bungled response to a hack that exposed the personal details of up to 143 million U.S. consumers.

The credit-monitoring firm disclosed on Sept. 7 that hackers had access to its systems between mid-May and July.

The announcement that Smith, 57, would depart came ten days after the company said its chief information officer and chief security officer were retiring.

Shares of Equifax were down 1.6 percent at $103.35 early on Tuesday.

“At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” Smith said in a statement.

Paulino do Rego Barros, 61, who was most recently president of Equifax’s Asia-Pacific operations, will be interim CEO.

The announcement comes a week before Smith was expected to testify before multiple congressional committees about the cyber attack.

A spokeswoman for the U.S. House Energy and Commerce Committee said Smith, whose retirement was effective on Tuesday, would still testify before the panel on Oct. 3. The Senate Banking Committee did not immediately respond when asked if Smith would appear as scheduled on Oct. 4.

“Rick Smith is scheduled to testify before Congress. It’s up to the committee to decide if they want another executive,” an Equifax spokeswoman said in an emailed statement. “We will fully cooperate with Congress, as we have since this cybersecurity incident was first disclosed.”

The company and Smith agreed that Equifax will defer any decision related to “any obligations or benefits” owed to him until the company’s board completes an independent review of the breach, according to a regulatory filing. Smith earned a total of $14.96 million in 2016.

Equifax shares have fallen more than 30 percent since the disclosure of the breach amid mounting criticism from lawmakers, regulators and consumers about the hack and the company’s response to it.

In 2014, Target CEO Greg Steinhafel left the retailer after it was revealed hackers had accessed credit card and personal information belonging to tens of millions of shoppers.

(Reporting by John McCrank in New York, Dustin Volz in Washington and Supantha Mukherjee in Bengaluru; Editing by Sai Sachin Ravikumar and Meredith Mazzilli)

Investor group seeks probe into SEC hack, urges data rules delay

FILE PHOTO: The headquarters of the U.S. Securities and Exchange Commission (SEC) are seen in Washington, U.S., on July 6, 2009. REUTERS/Jim Bourg/File Photo

By Michelle Price

WASHINGTON (Reuters) – A global investor group on Friday called for an independent investigation into a cyber breach at the U.S. Securities and Exchange Commission (SEC) and urged the regulator to delay new data-gathering rules until it could assure investors that its computer systems were secure.

Wall Street’s top regulator came under fire on Thursday after admitting hackers had breached its database of corporate announcements in 2016 and might have used it for insider trading.

The Investment Company Institute (ICI), which represents over 95 million U.S. shareholders, wants the SEC to clear up concerns about its cyber defenses before requiring funds to submit monthly performance data to the regulator, Paul Schott Stevens, the group’s chief executive, told Reuters in a phone interview.

“What the SEC breach now makes very clear is precisely what we were concerned about – that market-sensitive information of that nature can be exploited to the disadvantage of millions and millions of investors,” Stevens said.

ICI, whose members hold $20 trillion plus in assets, has raised concerns since 2015 about how the SEC safeguarded the industry data it gathers.

“I’m certain there will be a full inquiry by the Government of Accountability Office – and there should be, so we understand exactly what happened here,” Stevens said.

In a July report, the Government Accountability Office (GAO), a congressional watchdog, criticized the SEC for failing to fully protect its computer networks from cyber attacks and recommended a slew of improvements. Some of the recommendations it had made in previous reports had still not been implemented, it noted.

Former SEC Chair Mary Jo White, in office when the hack occurred, told Reuters in 2016 that cyber security posed the biggest risk to the U.S. financial system.

Her successor, Jay Clayton, uncovered the full extent of the hack after launching a review of the SEC’s cyber security standards earlier this year.

“Some recommendations the GAO made haven’t yet been implemented. There’s obviously a failure here of some kind. That’s why we’re so glad Chairman Clayton has moved to address this,” said Stevens.

The SEC declined to comment.

New reporting rules which start to come into force in December would require funds for the first time to confidentially file complete monthly portfolio holdings with the SEC, data which the ICI has said could easily be used for insider trading if obtained by hackers.

“Until that information security environment has been established, funds should continue to collect data quarterly, not monthly information, as quarterly data is not nearly as sensitive,” said Stevens.

The SEC disclosure came two weeks after credit-reporting company Equifax Inc said a breach had exposed sensitive personal data of up to 143 million U.S. customers. This followed last year’s cyber attack on SWIFT, the global bank messaging system.

Stevens said rules governing the disclosure of such breaches should be tighter for both public and private organizations.

“That disclosure obligation fixes the mind on need to fix the breach in the first instance.”

(Reporting by Michelle Price; editing by Richard Chang and Jonathan Oatis)

Exclusive: U.S. Homeland Security found SEC had ‘critical’ cyber weaknesses in January

By Sarah N. Lynch

WASHINGTON (Reuters) – The U.S. Department of Homeland Security detected five “critical” cyber security weaknesses on the Securities and Exchange Commission’s computers as of January 23, 2017, according to a confidential weekly report reviewed by Reuters.

The report’s findings raise fresh questions about a 2016 cyber breach into the U.S. market regulator’s corporate filing system known as “EDGAR.” SEC Chairman Jay Clayton disclosed late Wednesday that the agency learned in August 2017 that hackers may have exploited the 2016 incident for illegal insider-trading.

The January DHS report, which shows its weekly findings after scanning computers for cyber weaknesses across most of the federal civilian government agencies, revealed that the SEC at the time had the fourth most “critical” vulnerabilities.

It was not clear if the vulnerabilities detected by DHS are directly related to the cyber breach disclosed by the SEC. But it shows that even after the SEC says it patched “promptly” the software vulnerability after the 2016 hack, critical vulnerabilities still plagued the regulator’s systems.

The hack, two weeks after credit-reporting company Equifax <EFX.N> said hackers had stolen data on more than 143 million U.S. customers, has sent shockwaves through the U.S. financial sector.

An SEC spokesman did not have any comment on the report’s findings.

It is unclear if any of those critical vulnerabilities, detected after a scan of 114 SEC computers and devices, still pose a threat.

During the Obama administration, such scans were done on a weekly basis.

“I absolutely think any critical vulnerability like that should be acted on immediately,” said Tony Scott, the former federal chief information officer during the Obama administration who now runs his own cybersecurity consulting firm.

“This is what was at the root of the Equifax hack. There was a critical vulnerability that went unpatched for some long period of time. And if you’re a hacker, you are going to … try to see if you can exploit it in some fashion or another. So there is a race against the clock.”

For the past several years, the Department of Homeland Security has been producing a report known as the “Federal Cyber Exposure Scorecard.” It provides a weekly snapshot to more than 80 civilian government agencies about potential outstanding cyber weaknesses and how long they have persisted without being patched.

A directive by Homeland Security requires agencies to address critical vulnerabilities within 30 days, though sometimes that deadline can be difficult to meet if it might disrupt a government system.

The January snapshot shows improvements have been made across the government since May 2015, when there were a total of 363 critical vulnerabilities on devices across all of the civilian agencies, according to the report.

As of January 23, by contrast, there were a total of 40 critical vulnerabilities across the agencies reviewed by DHS and another 280 weaknesses categorized as “active high,” which is the second most severe category.

The top four agencies with the most “critical” vulnerabilities as of January 23 included the Environmental Protection Agency, the Department of Health and Human Services, the General Services Administration and the SEC.

However, more vulnerabilities do not necessarily mean one agency is worse than another because things depend on how many computers or devices known as “hosts” were scanned and what kinds of information could potentially be exposed.

“All it takes is one,” Scott said. “You can have one host and one vulnerability and your risk might be 10 times as high as someone who has 10 hosts and ten vulnerabilities.”

(Reporting by Sarah N. Lynch; Editing by Nick Zieminski)

Equifax says 100,000 Canadians likely affected by data breach

Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

TORONTO (Reuters) – Credit scoring company Equifax Inc said on Tuesday that the personal details of around 100,000 Canadians were exposed in the massive breach it disclosed earlier this month.

The company said criminals got access to files containing personal information of some Canadian consumers – including names, addresses, social insurance numbers and in some cases credit card information – via a consumer website application intended for use by U.S. consumers.

It was the first estimate of Canadian exposure the company has provided since saying on Sept. 7 that Canadian and UK residents were also at risk in the attack, in which details on some 143 million U.S. consumers had been exposed.

Lisa Nelson, the president and general manager of Equifax Canada, apologized to those who may have been affected and acknowledged frustration about a lack of clarity, saying the company would write to them with steps they should take.

Equifax said last week that it would likely need to contact fewer than 400,000 British consumers whose personal information may have been accessed in the breach.

(Reporting by Alastair Sharp; Editing by Dan Grebler)

New York governor wants credit-reporting firms to follow cyber rules

Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

By Diane Bartz and Suzanne Barlyn

WASHINGTON/NEW YORK (Reuters) – New York Governor Andrew Cuomo said on Monday that he wants credit-reporting firms to comply with the state’s cyber-security regulations, the latest government official to crack down on the industry in the wake of the massive Equifax hack.

Also on Monday, Bloomberg News reported that federal authorities have opened a criminal probe into stock sales by three Equifax Inc <EFX.N> executives before the company disclosed the massive data breach, news that has weighed heavily on the stock price.

The company has said the executives were unaware of the hack when they sold the stock for $1.8 million.

Equifax’s legal woes worsened as the U.S. Attorney’s office in Atlanta issued a statement saying it was working with the FBI on a criminal investigation into the breach and theft of personal information.

Equifax shares rose 1.5 percent on Monday after losing about a third of their value since the hack was announced. The Equifax breach discovered on July 29 exposed sensitive data like Social Security numbers of up to 143 million people.

Cuomo said he planned to require all credit-reporting agencies to register with the state and comply with its cyber-security rules.

The proposed regulation would take effect in February, Cuomo said in a statement. If the companies do not register, they risk being barred from doing business with financial companies regulated by New York state.

The state would be able to bar credit-reporting agencies, including TransUnion <TRU.N> and Experian Plc <EXPN.L>, as well as Equifax, from doing business in New York if the state found they engaged in “unfair, deceptive or predatory practices,” Cuomo said.

“The Equifax breach was a wake-up call,” Cuomo said. “And with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Proposed regulations are typically subject to a period for public comment before they become final.

A New York state cyber-security regulation, the first of its kind in the United States, took effect on March 1. It requires financial firms to take measures to protect networks and customer data from hackers and disclose cyber events to regulators.

Maine is the only U.S. state that requires credit agencies to register, said William Lund, superintendent of the Maine Bureau of Consumer Credit Protection. But its law does not cover cyber security, an issue the bureau will have to consider, Lund said.

Maine, which has been registering credit-reporting agencies since the 1990s, has 30 such agencies on its roster, ranging from the largest to those dealing with everything from check approval to tenants’ rental histories, he added.

The three credit-reporting agencies did not respond to requests for comment on Cuomo’s plan.

Bloomberg reported on Monday that the U.S. Justice Department is investigating whether Equifax’s chief financial officer, John Gamble, and two other executives broke insider-trading rules by selling stock after the breach was discovered in July and weeks before it was disclosed this month.

Reuters was not able to confirm the Bloomberg report.

Separately, the company issued a statement saying a second Bloomberg report late on Monday about a second cyber attack in March referred to a breach at Equifax’s payroll unit that was previously reported to regulators, customers and consumers and had also been covered by the press.

“Equifax complied fully with all consumer notification requirements related to the March incident. The two events are not related,” the statement said.

(Reporting by Diane Bartz and Suzanne Barlyn; Additional reporting by Sarah N. Lynch, David Shepardson and Dustin Volz; Editing by Jim Finkle, Leslie Adler and Michael Perry)

Equifax two top technology executives leave company ‘effective immediately’

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

By Dustin Volz and Diane Bartz

WASHINGTON (Reuters) – Equifax said on Friday that it made changes in its top management as part of its review of a massive data breach, with two technology and security executives leaving the company “effective immediately.”

The credit-monitoring company announced the changes in a press release that gave its most detailed public response to date of the discovery of the data breach on July 29 and the actions it has since taken.

The statement came on a day when Equifax’s share price continued to slide following a week of relentless criticism over its response to the data breach.

Lawmakers, regulators and consumers have complained that Equifax’s response to the breach, which exposed sensitive data like Social Security numbers of up to 143 million people, had been slow, inadequate and confusing.

Equifax on Friday said that Susan Mauldin, chief security officer, and David Webb, chief information officer, were retiring.

The company named Mark Rohrwasser as interim chief information officer and Russ Ayres as interim chief security officer, saying in its statement, “The personnel changes are effective immediately.”

Rohrwasser has led the company’s international IT operations, and Ayres was a vice president in the IT organization.

The company also confirmed that Mandiant, the threat intelligence arm of the cyber firm FireEye, has been brought on to help investigate the breach. It said Mandiant was brought in on Aug. 2 after Equifax’s security team initially observed “suspicious network traffic” on July 29.

The company has hired public relations companies DJE Holdings and McGinn and Company to manage its response to the hack, PR Week reported. Equifax and the two PR firms declined to comment on the report.

Equifax’s share price has fallen by more than a third since the company disclosed the hack on Sept. 7. Shares shed 3.8 percent on Friday to close at $92.98.

U.S. Senator Elizabeth Warren, who has built a reputation as a fierce consumer champion, kicked off a new round of attacks on Equifax on Friday by introducing a bill along with 11 other senators to allow consumers to freeze their credit for free. A credit freeze prevents thieves from applying for a loan using another person’s information.

Warren also signaled in a letter to the Consumer Financial Protection Bureau, the agency she helped create in the wake of the 2007-2009 financial crisis, that it may require extra powers to ensure closer federal oversight of credit reporting agencies.

Warren also wrote letters to Equifax and rival credit monitoring agencies TransUnion and Experian, federal regulators and the Government Accountability Office to see if new federal legislation was needed to protect consumers.

Connecticut Attorney General George Jepsen and more than 30 others in a state group investigating the breach acknowledged that Equifax has agreed to give free credit monitoring to hack victims but pressed the company to stop collecting any money to monitor or freeze credit.

“Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair,” Jepsen said.

Also on Friday, the chairman and ranking member of the Senate subcommittee on Social Security urged the Social Security Administration to consider nullifying its contract with Equifax and consider making the company ineligible for future government contracts.

The two senators, Republican Bill Cassidy and Democrat Sherrod Brown, said they were concerned that personal information maintained by the Social Security Administration may also be at risk because the agency worked with Equifax to build its E-Authentication security platform.

Equifax has reported that for 2016, state and federal governments accounted for 5 percent of its total revenue of $3.1 billion.

400,000 BRITONS AFFECTED

Equifax, which disclosed the breach more than a month after it learned of it on July 29, said at the time that thieves may have stolen the personal information of 143 million Americans in one of the largest hacks ever.

The problem is not restricted to the United States.

Equifax said on Friday that data on up to 400,000 Britons was stolen in the hack because it was stored in the United States. The data included names, email addresses and telephone numbers but not street addresses or financial data, Equifax said.

Canada’s privacy commissioner said on Friday that it has launched an investigation into the data breach. Equifax is still working to determine the number of Canadians affected, the Office of the Privacy Commissioner of Canada said in a statement.

(Reporting by Dustin Volz and Diane Bartz; Additional reporting by Chris Sanders, Michelle Price and Jim Finkle; Editing by Chris Reese and Leslie Adler)

China beefs up cyber defenses with centralized threat database

A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. REUTERS/Edgar Su

BEIJING (Reuters) – China said on Wednesday it will create a national data repository for information on cyber attacks and require telecom firms, internet companies and domain name providers to report threats to it.

The Ministry of Industry and Information Technology (MIIT) said companies and telcos as well as government bodies must share information on incidents including Trojan malware, hardware vulnerabilities, and content linked to “malicious” IP addresses to the new platform.

An MIIT policy note also said that the ministry, which is creating the platform, will be liable for disposing of threats under the new rules, which will take effect on Jan. 1.

Companies and network providers that fail to follow the rules will be subject to “warnings, fines and other administrative penalties”, it said, without giving any details.

The law is the latest in a series of moves by Chinese authorities designed to guard core infrastructure and private enterprises against large-scale cyber attacks.

In June, China’s cyber watchdog formalized a nationwide cyber emergency response plan, which included the construction of a central response system and mandated punitive measures for government units that failed to safeguard the system.

Earlier this year, the same ministry introduced rules requiring state telecommunications firms to take a more active role in removing VPNs and other tools used to subvert China’s so-called Great Firewall.

(Reporting by Cate Cadell; Editing by Richard Borsuk)

Key U.S. senators demand answers on Equifax hacking

Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

By David Shepardson and Dustin Volz

WASHINGTON (Reuters) – Two key U.S. senators on Monday asked Equifax Inc <EFX.N> to answer detailed questions about a breach of information affecting up to 143 million Americans, including whether U.S. government agency records were compromised in the hack.

Senator Orrin Hatch, who chairs the Finance Committee, and ranking Democrat Ron Wyden, also demanded that Equifax Chief Executive Rick Smith provide a timeline of the breach and its discovery. They asked for information on when authorities and the company’s board were notified and when three executives who sold stock in the company in August were first told of the data breach.

Equifax did not immediately respond to a request for comment on the letter. It came amid mounting scrutiny of the company’s response to the breach from lawmakers, regulators and security experts, prompting the credit-monitoring services to issue an apology on Friday and pledge to dedicate more resources to helping affected consumers.

“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” the letter said.

Equifax announced last week that it learned on July 29 that hackers had infiltrated its systems in mid-May, pilfering names, birthdays, addresses and Social Security and driver’s license numbers. Cyber security experts said it was among the largest data hacks ever recorded and was particularly troubling due to the richness of the information exposed.

Three days after Equifax discovered the breach, three top Equifax executives, including Chief Financial Officer John Gamble and a president of a unit, sold Equifax shares or exercised options to dispose of stock worth about $1.8 million, regulatory filings show.

Equifax said in a statement last week that the executives were not aware that an intrusion had occurred when they sold their shares.

Hatch and Wyden asked Smith to respond by Sept. 28. Other congressional committees have announced plans to hold hearings investigating the Equifax breach and want answers.

The senators want to know if Equifax has a chief information security officer and over the past two years “how many times has Equifax employed third-party cyber security experts to conduct penetration tests of its internal and external systems?” The senators want copies of all Equifax penetration test and audit reports by outside cyber security firms.

Separately, a group of 20 Democratic senators asked Equifax to end its use of forced arbitration agreements, which limit the ability of consumers to pursue claims, and not to lobby to reverse a new rule from the Consumer Financial Protection Bureau to limit the use of forced arbitration in the financial services sector.

(Reporting by Dustin Volz and David Shepardson; Editing by Andrew Hay and Jonathan Oatis)