WASHINGTON — The top Republican and Democrat on the Senate Finance Committee sent a letter Monday to Equifax Chief Executive Richard Smith scrutinizing the breadth of the company's data breach and probing the firm's response.

“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” wrote Senate Finance Committee Chairman Orrin Hatch, R-Utah, and the top Democrat on the panel, Sen. Ron Wyden of Oregon.

“To make matters worse, Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers,” they added.

The letter asked a series of questions, including how Equifax responded after discovering the breach, when three company executives who unloaded stock between the time the hack was discovered and when it was disclosed, and how the firm is helping consumers whose data has been compromised.

They also questioned the company’s use of a mandatory arbitration agreement that was included in the terms of use of a credit monitoring service the company is offering for free for a year. The agreement would prevent consumers from suing if something went wrong with the credit monitoring service. The company has since withdrawn the agreement, but consumers who have already opted in need to provide written notice to opt out.

“Are there any technical barriers preventing Equifax from providing consumers the ability to opt out on the equifaxsecurity2017.com site?” the senators asked, referencing the website the company set up to address the hack.

They also asked whether Equifax plans to rely on consumers to visit the website to see if they were hacked or will notify consumers, and what sort of cyberprotections Equifax had in place.

"Please describe the resources that Equifax has focused on its own information security," the letter said.
