The Federal Trade Commission announced Thursday it’s investigating the recently revealed hack of sensitive information on 143 million Americans from credit firm Equifax, a move indicating the regulator suspects substantial harm resulted from the breach.
“The FTC typically does not comment on ongoing investigations,” Peter Kaplan, the agency’s acting director of public affairs, said in a statement. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
Equifax suffered a cybersecurity breach in May that persisted until its discovery in July. By then, hackers stole Social Security numbers, birth dates, and home addresses for 143 million Americans — almost half the U.S. population — and other sensitive data belonging to British and Canadian nationals.
An unknown number of driver’s license numbers, 209,000 credit card numbers, and 182,000 credit dispute documents were also taken, and a group claiming to be the hackers threaten to release the stolen data online unless they receive $2.6 million in ransom this week. Equifax neglected to alert the public to the hack until Thursday.
It’s a rare occurrence for the FTC — the federal government’s top privacy regulator — to confirm an active investigation at all, but even more so for Acting FTC Chairwoman Maureen Ohlhausen, the Republican commissioner President Trump selected to lead the agency shortly after his January inauguration.
That same month Ohlhausen said if she were picked to lead the FTC, she said she would be reticent to use the agency’s investigatory and penalty powers, and more willing to give companies the benefit of the doubt.
While speaking at a technology conference Ohlhausen said she would direct the agency, primarily charged with enforcing consumer protection law, to look for “substantial harm” in cases, rather than practices by companies that only show the potential for harm.
Too much of the former defined the previous administration and thereby hurt innovation, according to Ohlhausen.
“I would hope my remaining colleague Commissioner McSweeny would of course want to act on those kinds of cases,” the Republican said. “Starting a dialogue about substantial harm, that doesn’t require a commission vote.”
Given Ohlhausen’s previous comments, it’s likely FTC Commissioner Terrell McSweeny — a Democrat and the only other sitting member of the five-commissioner agency — agrees the Equifax breach potentially caused significant harm to consumers, and that the credit firm was negligent.
McSweeny reportedly told the Los Angeles Times Thursday she’s “very concerned” about the breach’s size and Equifax’s solution, which initially included forcing victims to surrender their legal right to sue the company in exchange for a year of free credit monitoring.
Last week she tweeted the “breach underscores need for Congress to pass comprehensive data security legislation that includes FTC civil penalty authority.” Lawmakers on both sides of the aisle in both chambers are pitching legislation to boost cybersecurity standards and even overhaul the entire credit reporting sector. Multiple committees have already scheduled hearings to discuss the impact of the hack and Equifax’s liability.
The two would need to vote unanimously to find fault with Equifax, at least until the Senate confirms antitrust lawyer Joseph Simons, Trump’s nominee to lead the commission on a permanent basis. Simons is co-chairman of the antitrust arm of law firm Paul Weiss and former director of the FTC’s competition bureau during the George W. Bush administration.