New York AG -- among others -- examining massive Equifax hack
New York Attorney General Eric Schneiderman announced on Friday that his office is investigating Equifax, a consumer credit reporting agency that was the target of a massive cyber attack in the summer, which has likely exposed personal information of up to 140 million people across the U.S.
In a press release, Schneiderman said he sent a letter to Equifax on Friday inquiring about the company's established safeguards before the attack and how it alerted affected customers.
"The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred," Schneiderman said. "I encourage all New Yorkers to immediately call Equifax to see if their data was compromised and to consider additional measures to protect themselves."
Included in the release is an Equifax hotline New Yorkers can call to check if personal data, such as Social Security numbers, dates of birth, home addresses, telephone numbers, names and more were compromised. However, a busy signal prevented CBS News' from communicating with a hotline operator.
In an effort to counteract the cyber breach's negative fallout, Equifax Chairman and CEO Rick Smith announced that the company is offering all U.S. customers a "package of identity theft protection and credit file monitoring at no cost."
"Today is a humbling experience for all of us," Smith said in a video apology on Thursday. "Equifax will not be defined by this incident, but rather by how we respond."
But shortly after a website was established by Equifax to learn if personal information was compromised and sign-up for the free service, social media and internet users found a legal disclaimer inside a 7,000-word terms-of-use document. The clause appears to place legal restrictions on consumers, preventing them from participating in class-action lawsuits against the company if they sign up for the free TrustID product.
Consumer Financial Protection Bureau (CFPB) spokesperson Samuel Gilford took issue with the clause in the terms of use, saying the agency was looking into the company's data breach and response effort but would not comment any further on its search.
"Equifax's credit monitoring product contains a mandatory arbitration clause that denies people their right to join together to sue the company for wrongdoing," Gilford said. "It is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company's breach put their personal information at risk. Equifax could remove this clause so that consumers can receive this service without condition."
Sen. Sherrod Brown, D-Ohio, shared the CFPB's sentiment about the clause in a statement released Friday afternoon.
"If Equifax is genuine about wanting to protect customers, it must remove forced arbitration immediately from TrustedID and any other services offered to victims of the data breach," Sen. Brown said.
In addition, the House Financial Services Committee said it would also be exploring the breach in a later hearing.
"This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing. Large-scale security breaches are becoming all too common," Rep. Jeb Hensarling, R-Texas, said.
The hack has resurfaced talk among experts and politicians about the government's role in protecting private institutions from criminal hackers.
Co-founder of the Senate Cybersecurity Caucus, Sen. Mark Warner, D-Virginia, reacted to the hack on Friday, suggesting a stronger potential role for the government later down the road.
"Should Congress create a uniform data breach notification standard for attacks like #EquifaxHack?" Warner asked in a Tweet. "Is it time to rethink data protection policies dealing with these large, centralized sets of highly sensitive data on millions of Americans?"
When reached for comment, an FBI spokesperson said that the agency is "aware of the reporting and tracking the situation as appropriate."
Equifax did not reply to CBS News' request for comment about the arbitration clause.
CBS News' Paula Reid contributed to this report.