The pressure is rising on Equifax after FTC confirms investigation and Schumer calls out CEO

Key Points
  • Equifax says the breach came through a software application called Apache Struts.
  • Apache Software Foundation says the breach happened because Equifax didn't do security upgrades in a timely manner.

The Federal Trade Commission said Thursday it is investigating the data breach at Equifax that exposed the personal information of 143 million people, and New York's Sen. Chuck Schumer said the company's CEO and board should be held accountable.

"The FTC typically does not comment on open investigations," FTC spokesman Peter Kaplan said. "However in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."

Equifax shares rebounded Thursday morning after plunging more than 8 percent in early trading. They have lost nearly a third of their value since Sept. 7, when the company reported the breach after market hours. The stock was last down slightly in midday trading.

Also Thursday, Senate Minority Leader Schumer called for Equifax executives to agree to testify in the Senate, to contact everyone affected by the breach, extend free credit monitoring and credit freezes to consumers for 10 years and remove mandatory arbitration clauses from its terms of use. If they can't agree to those conditions in the next week, he said, the CEO and the board should step down.

"If Equifax can't commit to them, their leadership is not up to the job and the entire leadership must be replaced," he said.

The credit reporting company said in an updated post on its website that the breach, which it identified internally in late July and disclosed to the public last week, was the result of criminals exploiting a vulnerability in a website application called Apache Struts. "We continue to work with law enforcement as part of our criminal investigation," the company said.

The hack exposed names, Social Security numbers, birth dates, and other identifying information as well as credit card numbers.

Apache Struts is open-source software used by companies to develop web applications and is used in Internet of Things devices for financial institutions, government organizations, technology service providers and telecommunications agencies.

A flaw was exposed in it several months ago, and the Apache Software Foundation issued a patch to fix it. On Thursday, the foundation said in a statement: "The Equifax data compromise was due to their failure to install the security updates in a timely manner."

Equifax did not return a call and e-mail for comment.

— With reporting by CNBC's Tom Franck