New York state's attorney general will probe the huge data breach at Equifax, one of the U.S.’s three major credit reporting agencies, to determine when and how the company learned of the attack and to find out whether customer information has been offered for sale on the black market, a source familiar with the investigation tells Newsweek.
Equifax said Thursday that hackers gained access to consumer information from 143 million Americans, including names, Social Security numbers, birth dates and addresses, according to the Federal Trade Commission.
“The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,” Attorney General Eric Schneiderman said in a statement Friday afternoon. “I encourage all New Yorkers to immediately call Equifax to see if their data was compromised and to consider additional measures to protect themselves.”
Schneiderman’s office sent a letter to Equifax on Friday seeking information about the breach.
The letter also asked Equifax about the “attack vectors and intrusion causes” and for any evidence of identity theft or wrongful use of financial information, according to the source with knowledge of the probe.
Under New York state law, businesses with customers in the state are required to inform both customers and the Attorney General’s Office about security breaches that put personal information in jeopardy, the office said in its press release about the letter. The release added that it probes security breaches (like the Equifax fiasco) to determine whether companies properly notified customers and whether they had appropriate safeguards to protect the data.
And while Equifax set up a site so customers can check whether their personal information was compromised, the site appears to require consumers to agree to waive some of their legal rights in order to use it. “Buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident,” The Washington Post reported Friday.
Schneiderman tweeted that the language is “unenforceable” and that his office contacted Equifax about the issue.
“They can’t be telling people who are going online to see if their information was hacked that they give up their right to sue. That’s not acceptable,” says the source with knowledge of the probe.
Representative Ted Lieu (D-Calif.) sent a similar letter on Friday, writing the House Judiciary Committee's leadership asking for an investigation into the Equifax data breach, The Hill reported.