The Federal Trade Commission said Thursday it is investigating the massive data breach at credit reporting firm Equifax, adding America’s top consumer watchdog to the chorus of federal lawmakers and regulators expressing alarm over the unauthorized access of 143 million Americans’ personal data.
The FTC’s disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country.
“The FTC typically does not comment on ongoing investigations,” said Peter Kaplan, the agency’s acting director of public affairs. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
Meanwhile, Equifax said the hackers exploited a vulnerability in one of its U.S. websites.
Brian Krebs, a cybersecurity expert and author of KrebsonSecurity.com, said the attackers gained access to the inner workings of the software of the site, which “allowed the hackers to behave as if they were inside the company accessing that data.”
“It’s like you left the back door open to your house — wide open,” he said.
The software at issue is widely used by companies and others, and Krebs said its vulnerability to attack was first spotted by the industry in March and that a patch was available to fix it.
“But Equifax didn’t patch it until after the damage was done,” Krebs said. “The bad guys beat them to it.”
The FTC isn’t the only federal agency looking closely at the Equifax incident.
FTC Acting Chairman Maureen Ohlhausen didn’t immediately respond to a request for comment. The agency’s top Democrat, Terrell McSweeny, said she is “very concerned” about the size of the breach, as well as Equifax’s response.
Equifax shares fell 2.4% on Thursday, to $96.66.
Fung writes for the Washington Post. Times staff writer James F. Peltz contributed to this report.
1:55 p.m.: This article was updated with Equifax’s stock movement.
10:45 a.m.: This article was updated with comments from cybersecurity expert Brian Krebs.
This article was originally published at 8:10 a.m.