A U.S. senator on Tuesday called for a criminal investigation of executives from credit bureau Equifax Inc. for stock sales after a massive data breach this summer, and said their actions were comparable to insider trading.
The breach, which the company learned about in July but did not acknowledge until this month, also prompted expressions of concern from U.S. Treasury Secretary Steven Mnuchin and the Federal Trade Commission.
Cyber security experts believe it is one of the largest data hacks ever disclosed.
Senator Heidi Heitkamp, a Democrat who sits on the Senate Banking Committee, said it was disturbing that it appeared executives sold nearly $2 million worth of company stock in the time between learning of a sweeping hacker intrusion and making it public.
“If that happened, somebody needs to go to jail,” Heitkamp said at a credit union industry conference in Washington. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”
Heitkamp is the latest U.S. senator to ask that Equifax be held to account for alleged missteps after it discovered the hack. On Monday, Senator Orrin Hatch, who chairs the Finance Committee, and ranking Democrat Ron Wyden, demanded that Equifax Chief Executive Rick Smith provide a timeline of the breach and its discovery.
On Wall Street, on September 12, Equifax traded 2.5 percent higher, to $115.29, reversing slightly a 21 percent slide since the hack was first reported on September 7.
Equifax announced last week that it had learned on July 29 that hackers had infiltrated its systems in mid-May, gaining access to a wide swath of personal information.
The hackers pilfered names, birthdays and addresses, as well as Social Security and driver’s license numbers, a treasure trove for identity thieves. Data of up to 143 million people may have been affected.
Three days after Equifax discovered the breach, three top company executives, including Chief Financial Officer John Gamble and a president of a unit, sold Equifax shares or exercised options to dispose of stock worth about $1.8 million, regulatory filings show.
Equifax said in a statement last week that the executives were not aware that an intrusion had occurred when they sold their shares.
Any investigation of alleged insider trading would likely involve the Securities and Exchange Commission. A spokesman for SEC Chairman Jay Clayton declined to comment, citing a policy of refusing to confirm or deny ongoing investigations.
The Federal Bureau of Investigation said it was investigating the Equifax hack. “We understand the significance of this incident and take these types of breaches very seriously,” said Special Agent Stephen Emmett at the FBI’s Atlanta office.
U.S. Treasury Secretary Steve Mnuchin on Tuesday called the Equifax breach quite unfortunate and insisted that his top priority is to make sure financial data is safe.
“I am concerned about the global financial system and keeping it safe,” Mnuchin said at the CNBC Institutional Investor Delivering Alpha Conference in New York, adding that he was having meetings about the cyber attack.
Also on Tuesday, Senator Gary Peters, a Democrat, called on the FTC to launch a probe on whether the company misled consumers by saying it considered protecting customer information a top priority.
The acting FTC chair, Maureen Ohlhausen, said her agency was aware of the massive breach but declined to say if an investigation was underway.
“We’re trying to get a handle on the scope of all of this. We’re certainly taking this very seriously,” she told reporters on the sidelines of an antitrust conference.
Massachusetts Attorney General Maura Healey said she intended to sue Equifax with allegations of failing to maintain appropriate safeguards to protect customers’ data, including that of nearly three million Massachusetts residents.
“In all of our years investigating data breaches, this may be the most brazen failure to protect consumer data we have ever seen,” Healey said in a statement.
In an opinion piece in USA Today, Equifax Chief Executive Officer Richard Smith apologized for the breach and vowed the company will make changes.
He said more than 15 million people have visited the firm’s support website and 11.5 million are enrolling in credit monitoring and identity theft protection.
The company at first thought the intrusion was limited, Smith said.
Equifax hired a cybersecurity firm and spent thousands of hours investigating before informing the public six weeks after the breach was discovered, he said.
“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith said.
Smith did not address the stock sale issue.
In their letter, the lawmakers, led by Jack Reed, a Democrat, and John Kennedy, a Republican, requested a thorough examination of any unusual trading, including any atypical options trading, for violations of insider trading law.
“We request that you spare no effort in your investigations and in enforcing the law to the fullest extent,” the lawmakers said.
The agency has historically probed big breaches but only sued companies that it deemed had been sloppy in protecting consumer data.