×

UPDATE 4-Criticism of Equifax data breach response mounts, shares tumble

(Adds terms of service concerns, lawmaker quotes, statement from New York attorney general, details on House Financial Services Committee hearing)

Sept 8 (Reuters) - Equifax Inc faced a storm of criticism on Friday over a hack that may have compromised personal data for some 143 million Americans, with customers clamoring for answers and cyber security experts questioning the response to the massive breach.

Lawmakers also joined the chorus, scrutinizing the company's follow up as it encouraged potentially affected customers to sign up for free credit monitoring services, and Equifax shares tumbled as much as 18 percent.

The hack, among the largest ever recorded, was especially alarming due to the richness of the information exposed, which included names, Social Security numbers, birthdays, addresses and driver's license numbers, cyber researchers said.

"Another day, another dumpster fire in cyber security, said Ryan Kalember, senior vice president of the cyber security firm Proofpoint. The breach was "especially troubling" because companies typically offer free credit monitoring services from firms like Equifax, which has now itself suffered a huge cyber attack, he added.

Bigger hacks, such as those disclosed by Yahoo last year, did not put as much sensitive information at risk.

The New York and Illinois state attorneys general said they had opened separate formal investigations into the breach.

"My office intends to get to the bottom of how and why this massive hack occurred, said New York Attorney General Eric Schneiderman said in a statement.

Two proposed class-action lawsuits, one filed in Portland, Oregon, and another in Atlanta, Georgia, alleged that Equifax had been negligent in protecting consumer data.

Equifax disclosed on Thursday the breach it had discovered on July 29, and said criminals exploited a vulnerability in a website application to gain access to certain files.

The Atlanta-based company said hackers accessed accounts between mid-May and July and accounts of some British and Canadian residents were also compromised.

Equifax has not said specifically how attackers were able to break in.

The FBI said it is tracking the matter and a U.S. intelligence official told Reuters it was too soon to know if the attack was strictly criminal in nature or if it had the backing of a foreign government.

Twitter users on Friday reported customer service representatives were difficult to reach and either unhelpful or unaware that the breach had occurred.

'READ THE FINE PRINT'

The company also drew scrutiny for terms of service that accompanied its offer of credit monitoring.

Agreeing to the terms appeared to forfeit some rights to sue individually or join a class-action suit, but privacy lawyers said that likely only applied to the credit monitoring offer and not the original hack.

"Equifax victims: read the fine print before signing up for credit monitoring," Democratic Senator Sherrod Brown said on Twitter. "You could be signing away your rights."

Schneiderman also said on Twitter that his staff had contacted Equifax to demand it remove language from its terms of service asking consumers to waive rights as part of a class action suit.

Equifax did not immediately respond on Friday when asked about criticism of its response or its terms of service.

A Reuters reporter attempted to enroll late on Thursday in the service Equifax set up to let customers know if they had been affected and received a confirmation page that said enrollment would begin next Tuesday.

"Please be sure to mark your calendar as you will not receive additional reminders," the confirmation said. It did not state whether the reporter had been impacted by the data breach.

Some cyber security experts criticized Equifax for setting up a support website under a different domain than the company's main website, a practice mirroring a tactic that can be used to fraudulently collect data.

The House Financial Services Committee would hold a hearing on the breach, though no date had been set, a spokesman for the committee's chairman told Reuters.

U.S. Representative Ted Lieu asked Equifax why it waited until September to disclose the breach and has asked the House Judiciary Committee to hold a hearing with the three major credit reporting agencies to explain how they will prevent future attacks.

Britain's Information Commissioner's Office said the breach "gives us cause for concern," and ICO Deputy Commissioner James Dipple-Johnstone said the office would advise Equifax to alert affected British customers as soon as possible.

Within the past two years, Equifax has had W-2 tax data stolen from its website and a subsidiary. Its larger rival Experian Plc reported a data breach two years ago involving some 15 million people.

Equifax shares were last down 13 percent on the day at $123.18 after touching their lowest in more than seven months.

"Obviously the size and scope of this breach will likely drive a number of negative headlines for EFX that will weigh on its brand for the foreseeable future," Barclays analyst Manav Patnaik wrote in a note.

Shares of rival TransUnion were down 4 percent, while Experian shares were down 1.3 percent.

Equifax handles data on more than 820 million consumers and 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website. (Reporting by Dustin Volz in Washington and Aishwarya Venugopal and Sweta Singh in Bengaluru, additional reporting by David Shepardson, Jonathan Stempel, and Mark Hosenball; Editing by Meredith Mazzilli)