- Equifax says the breach came through a software application called Apache Struts.
- Apache Software Foundation says the breach happened because Equifax didn't do security upgrades in a timely manner.
The Federal Trade Commission said Thursday it is investigating the data breach at Equifax that exposed the personal information of 143 million people, and New York's Sen. Chuck Schumer said the company's CEO and board should be be held accountable.
"The FTC typically does not comment on open investigations," FTC spokesman Peter Kaplan said. "However in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."
Equifax shares rebounded Thursday morning after plunging more than 8 percent in early trading. They have lost nearly a third of their value since Sept. 7, when the company reported the breach after market hours. The stock was last down slightly in midday trading.
"If Equifax can't commit to them, their leadership is not up to the job and the entire leadership must be replaced," he said.
The credit reporting company said in an updated post on its website that the breach, which it identified internally in late-July and disclosed to the public last week, was the result of criminals exploiting a vulnerability in a website application called Apache Struts. "We continue to work with law enforcement as part of our criminal investigation," the company said.
The hack exposed names, Social Security numbers, birth dates, and other identifying information as well as credit card numbers.
Apache Struts is an open-source code used by companies to develop web applications and is used in Internet of Things devices for financial institutions, government organizations, technology service providers and telecommunications agencies.
A flaw was exposed in it several months ago, and the Apache Software Foundation issued a patch to fix it. On Thursday, the foundation said in a statement: "The Equifax data compromise was due to their failure to install the security updates in a timely manner."
Equifax did not return a call and e-mail for comment.
— With reporting by CNBC's Tom Franck
Note: Homeland Security Advisor Tom Bossert and Palo Alto Networks CEO Mark McLaughlin headline the Cambridge Cyber Summit on Oct.4 in Boston. Click here for more information and tickets.