Consumers Union, the policy and mobilization arm of Consumer Reports, sent a letter to Equifax CEO Richard Smith on Thursday, expressing deep concern over the immediate and lasting effects for the 143 million consumers potentially compromised by the data breach the company announced last week.

In the letter, the consumer advocacy organization called Equifax’s response “wholly inadequate” and outlined seven steps it believes Equifax must take to remediate the situation, including paying for credit freezes, processing disputes promptly, and setting aside funds to compensate consumers. 

"Given the extraordinary nature of this breach and the threat posed to nearly half of all Americans, Equifax has a responsibility to offer consumers the best resources and tools to help them protect themselves," said Jessica Rich, vice president of Policy and Mobilization at Consumers Union.

Consumer Reports reached out to Equifax late in the afternoon for reaction to the demands and will update the story with any comments.

The credit bureau today did provide some more details about the breach, saying on its website, "We know that criminals exploited a U.S. website application vulnerability," adding that it was working with law enforcement.

Equifax also said that customers affected by the breach who have signed up for free credit monitoring will not be subjected to a binding arbitration clause.

On Sept. 7, Equifax, one of the big three credit monitoring bureaus, announced that it had been aware—since July—that it was the victim of a massive hack affecting more than 100 million accounts.

According to Equifax, the information exposed included Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, Equifax said the credit card numbers of approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers, were accessed.

Equifax says it moved quickly to help people potentially impacted by the breach. The credit bureau says it took steps to stop the intrusion, engaging an independent cybersecurity firm to forensically investigate the breach. The cybersecurity firm Equifax hired will also determine the scope of the hack and provide recommendations to help prevent a similar incident in the future.

Equifax also established a dedicated website, www.equifaxsecurity2017.com, where it provides a tool for users to determine if their information may have been stolen. The company is also offering U.S. consumers an identity theft protection and credit file monitoring product called TrustedID Premier, free for one year. It includes credit monitoring of Equifax, Experian, and TransUnion credit reports; copies of a user's Equifax credit report; the ability to lock and unlock an Equifax credit report; and identity theft insurance. The company will also scan the internet for Social Security numbers. Users must enroll by November 21, 2017.

Consumers Union says these steps don’t go far enough. (Read the full text of the letter.)

CU: What Equifax Should Do

1. Pay for credit freezes. “Consumers who wish to freeze their credit in response to Equifax’s announced breach still must pay to freeze their records with other major credit bureaus in order to make the freeze effective. We urge Equifax to pay any fees associated with credit freezes at other credit bureaus so that consumers can prevent their data from being improperly used in connection with other credit bureau records,” Consumers Union said.

2. Extend credit monitoring for affected consumers. Consumers Union points out that Equifax has offered affected consumers “only one year of credit monitoring and, following public outcry, a limited and narrow opportunity to obtain a free credit freeze.” Because risks to consumers due to this breach are not limited to one year, Consumers Union demands that "Equifax should extend credit monitoring indefinitely for all consumers potentially affected by the breach."

3. Provide more detailed information about the security incident. Consumers Union says the company provided “inadequate and unreliable information” about which consumers were victimized and what data was compromised, limiting consumers’ ability to take steps to protect themselves. "To prevent further harm to consumers seeking to protect themselves, Equifax must upgrade its tool to provide more detailed information about precisely what types of data were breached for each affected consumer," Consumers Union said.

4. Remove all mandatory arbitration clauses. Equifax has been criticized for forcing victims visiting its site to waive their right to sue the company. Equifax says that it has corrected this issue, but Consumers Union says the remedy is confusing and insufficient. “Equifax has repeatedly changed its story about whether and how the mandatory arbitration clause impacts consumers,” the letter said.

For example, after Equifax said its arbitration clause was moot, Consumers Union notes that another—broader—arbitration clause remained in effect. According to Consumers Union, Equifax is now saying that none of these clauses will apply to consumers harmed by the data breach or who sign up for credit monitoring services. However, the clauses remain in print and, Consumers Union says, “it’s unclear whether or how they could still be used to prevent consumers from having their day in court.”

5. Commit to hiring and training sufficient staff to review and process disputes promptly. “Given the enormity of the exposure, Equifax needs to be prepared for a deluge of problems and must have sufficient resources on hand to resolve these problems quickly and effectively,” Consumers Union said. “The company should not wait for these problems to pile up and then address a mounting backlog.”

6. Set aside a fund to compensate consumers whose data has been exposed. “Equifax has an obligation to American consumers to compensate them for the injury they may incur for years to come. Accordingly, Equifax should create a substantial and dedicated reserve account to compensate consumers affected by this breach,” Consumers Union wrote.

7. Investigate allegations of insider trading and hold wrongdoers accountable. “The company does not appear to have fully investigated—and certainly has not explained to the public—the sales of stock by three executives just prior to public announcement of the breach,” Consumers Union said. "The timing of these sales—a handful of days after the initial uncovering of a massive security incident—raises major red flags. However, Equifax’s initial reaction was disappointing and troubling: first, its press statement sought to minimize the scope of $2 million in sales as 'small.' Second, rather than stating an intention to investigate the issue, Equifax casually and summarily dismissed the allegation of trading on nonpublic information with no apparent inquiry at all—much less a rigorous one." 

Consumers Union says that Equifax should immediately act to preserve all documents and communications of the executives in question, and commit to an independent investigation of the possibility of insider trading.

What's Next

The letter concludes with an acknowledgment of the magnitude of the fast-moving situation, but stresses that “the consumers injured by this breach should be the company’s first and foremost priority, and Equifax should commit to their protection and to making them whole.”

The Equifax CEO is scheduled to testify before the House Energy and Commerce Committee on October 3. That committee has jurisdiction over the Federal Trade Commission and Consumer Financial Protection Bureau, the agencies responsible for regulating data security.

On Thursday the FTC announced that it had launched an investigation into the Equifax breach.

"The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach," Peter Kaplan, the FTC’s Acting Director of Public Affairs, told Consumer Reports in an email.

Also, Connecticut Attorney General George Jepsen has announced that his office has initiated a formal multi-state investigation into the breach.