A U.S. consumer protection watchdog agency said Thursday it has begun an investigation into a massive data breach at credit bureau Equifax that may have leaked sensitive information on 143 million people.
The Federal Trade Commission joins US congressional committees promising to probe the causes and implications of what could be the worst breach of personal information in the United States.
“The FTC typically does not comment on ongoing investigations,” said Peter Kaplan, the agency’s acting director of public affairs.
“However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
The hack disclosed last week at Equifax, one of the three major credit bureaus which collect consumer financial data, potentially affects more than half the adult population.
While not the largest breach — Yahoo attacks leaked data on as many as one billion accounts — the Equifax incident could be the most damaging because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.
US lawmakers have expressed concern over the implications of the hack and have called for hearings.
The House Energy and Commerce Committee announced it would hold an October 3 hearing with Equifax chief executive Richard Smith.
“We know members on both sides of the aisle appreciate Mr Smith’s willingness to come before the committee and explain how our constituents might be impacted and what steps are being taken to rectify this situation,” said a statement from Senators Greg Walden and Bob Latta.
Smith earlier this week offered an expanded apology to consumers in a column in USA Today.
“Consumers and media have raised legitimate concerns about the services we offered and the operations of our call center and website. We accept the criticism and are working to address a range of issues,” Smith wrote.
“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again.”
Equifax said in a “progress report” on its website that criminals exploited a vulnerability in a website application called Apache Struts.
Security researcher Kevin Beaumont said in a blog post that he warned of the vulnerability in March and urged companies to fix it. “I kept reissuing warnings,” Beaumont said in a blog this week. “And then I gave up. Many Fortune 500 companies are still running these systems.”
Related: Industry Reactions to Equifax Hack
Related: Massive Credit Bureau Hack Raises Troubling Questions