FTC to Probe Equifax Data Breach; Senators Introduce Consumer Protection Bills
The FTC confirmed Thursday that "in light of the intense public interest and the potential impact of this matter," it's investigating the Equifax data breach of a 143 million Americans, said a spokesman in a statement. The commission typically doesn't comment on current investigations. Meanwhile, Democratic Sens. Richard Blumenthal of Connecticut, Al Franken of Minnesota, Ed Markey of Massachusetts and Sheldon Whitehouse of Rhode Island introduced the Data Broker Accountability and Transparency Act that would require data brokers like Equifax to establish comprehensive data and security programs and provide "reasonable notice" when a data breach occurs. The bill would give consumers the right to access their records and correct inaccuracies and the right to stop data brokers from "using, sharing, or selling their personal information for marketing purposes," said a joint news release. The bill would directs the FTC to enforce the law and promulgate rules within a year, including a centralized website that provides a list of covered entities and consumer rights, the release said. Sen. Ron Wyden, D-Ore., introduced the Free Credit Freeze Act in a news release to let consumers use personal identification numbers to freeze and unfreeze their credit reports for free instead of a typical $15 charge imposed by credit bureaus. Meanwhile, the Apache Software Foundation said Equifax was at fault for not patching a website application vulnerability called Apache Struts CVE-2017-5638 that led to the theft of personal data of 143 million Americans. "This vulnerability was patched on 7 March 2017, the same day it was announced," wrote Sally Khudairi, vice president-marketing and publicity for the all-volunteer Apache, in a Thursday alert. "The Equifax data compromise was due to their failure to install the security updates provided in a timely manner." A day earlier, Equifax said its probe with an unnamed independent cybersecurity firm found hackers exploited the Apache vulnerability that led to breach from mid-May through July. "We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement," said Equifax.