The Federal Trade Commission said Thursday it is investigating the massive data breach at credit reporting firm Equifax, adding America's top consumer watchdog to the chorus of federal lawmakers and regulators expressing alarm over the unauthorized access of 143 million Americans' personal data.
The FTC's disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country.
"The FTC typically does not comment on ongoing investigations," said Peter Kaplan, the agency's acting director of public affairs. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."
It is unclear what aspects of the breach the agency is examining. The FTC is broadly empowered to go after companies accused of misleading consumers with their public statements or of engaging in unfair business practices. It frequently investigates companies, but rarely does it acknowledge the existence of those investigations, leaving the public to find out about lawsuits and settlements only after they have been filed.
Meanwhile, Equifax said the hackers exploited a vulnerability in one of its U.S. websites.
Brian Krebs, a cybersecurity expert and author of KrebsonSecurity.com, said the attackers gained access to the inner workings of the software of the site, which "allowed the hackers to behave as if they were inside the company accessing that data."
"It's like you left the back door open to your house — wide open," he said.
The software at issue is widely used by companies and others, and Krebs said its vulnerability to attack was first spotted by the industry in March and that a patch was available to fix it.
"But Equifax didn't patch it until after the damage was done," Krebs said. "The bad guys beat them to it."
The FTC isn't the only federal agency looking closely at the Equifax incident.
The Consumer Financial Protection Bureau also has said it is looking into the company's response to the breach. And on Capitol Hill, the leading members of the House's energy and commerce, financial services and judiciary committees have all called for hearings on the matter. Sens. Orrin G. Hatch (R-Utah) and Ron Wyden (D-Ore.) have written strongly worded letters to Equifax, and the FTC will now add its own power to the mix.
FTC Acting Chairman Maureen Ohlhausen didn't immediately respond to a request for comment. The agency's top Democrat, Terrell McSweeny, said she is "very concerned" about the size of the breach, as well as Equifax's response.
Equifax shares fell 2.4% on Thursday, to $96.66.
Fung writes for the Washington Post. Times staff writer James F. Peltz contributed to this report.
1:55 p.m.: This article was updated with Equifax's stock movement.
10:45 a.m.: This article was updated with comments from cybersecurity expert Brian Krebs.