Leaders of the Senate Finance Committee on Monday demanded answers from Equifax about its major data breach, including pressing for more details about three Equifax executives who sold shares after the breach was discovered.
The stock sales have added to the consumer backlash over the breach, which may have compromised the Social Security numbers and other sensitive information of 143 million Americans.
Three senior executives, including the company's chief financial officer, John W. Gamble Jr., sold shares worth almost $1.8 million in the days after the breach was discovered, but before it was disclosed. The shares were not part of a sale planned in advance.
The letter — from the committee's leaders, Orrin Hatch, Republican of Utah, and Ron Wyden, Democrat of Oregon — asked for a timeline of the breach. It pushed for specifics on when the three executives, who also included Rodolfo O. Ploder and Joseph M. Loughran III, were notified of the problem.
Equifax did not immediately respond to calls and emails seeking comment.
Although the stock sales by Equifax executives have prompted concerns, securities regulators have seldom, if ever, brought an insider trading case arising from a data breach. It all comes down to what an executive knew about a breach at the time of a stock sale.
It is not uncommon for information about data breaches to develop over time. Initial reports of a relatively minor breach can be proved wrong with further investigation by a company's security team. If a corporate executive sold shares before the full extent of the breach was known, the trading might not be deemed to have been material at the time, even though in retrospect it looks especially prescient.
The regulatory environment for credit reporting bureaus like Equifax has been a subject of debate in Congress.
On Thursday, the day the Equifax breach was announced, the House Financial Services Committee was holding hearings about legislation that could reduce accountability for credit bureaus and other companies. One bill, for example, would eliminate punitive damages under the Fair Credit Reporting Act, the main law that governs the three big credit bureaus, according to Chi Chi Wu, a staff lawyer at the National Consumer Law Center. It would also cap statutory and actual damages.
After the breach, senators are looking more closely at the company's operations, like how management dealt with previous security breaches. Among other things, the Senate leaders asked about Equifax's use of third-party security experts to test its systems — and whether they worked to fix any of the issues that were identified.
"The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers," the senators wrote in the letter, addressed to Richard F. Smith, Equifax's chief executive. "To make matters worse, Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals."
The letter also tackled issues that consumers had raised on social media. For example, the legislators asked whether Equifax intended to charge customers after the period in which it provides free monitoring ended. "Does the firm plan to promote its paid service to these individuals at the end of the year?"
The senators asked that Equifax respond to the letter by Sept. 28.
—Matthew Goldstein contributed reporting.