36 U.S. senators on Tuesday called on federal authorities to investigate the sale of nearly $2 million in shares of credit bureau Equifax Inc by company executives after a massive data breach, and one compared their actions to insider trading.
"If that happened, somebody needs to go to jail," Senator Heidi Heitkamp, a Democrat on the Senate Banking Committee, said at a credit union industry conference in Washington. "It's a problem when people can act with impunity with no consequences. How is that not insider trading?"
Cyber security experts believe the breach is one of the largest data hacks ever disclosed.
On Wall Street on Tuesday, Equifax closed 2.5 percent higher at $115.96, slightly reversing a 21 percent slide since the hack was reported.
In an opinion piece in USA Today, Equifax Chief Executive Officer Richard Smith apologized for the breach and vowed the company "will make changes."
He said more than 15 million people have visited the firm's support website and 11.5 million are enrolling in credit monitoring and identity theft protection.
The company at first thought the intrusion was limited, Smith said. Equifax hired a cybersecurity firm and spent "thousands of hours" investigating before informing the public six weeks after the breach was discovered, he said.
"We are devoting extraordinary resources to make sure this kind of incident doesn't happen again," Smith said.
Smith did not address the stock sale issue.
In their letter, the lawmakers, led by Jack Reed, a Democrat, and John Kennedy, a Republican, requested "a thorough examination of any unusual trading, including any atypical options trading, for violations of insider trading law."
"We request that you spare no effort in your investigations and in enforcing the law to the fullest extent," the lawmakers said.
The Federal Bureau of Investigation has already said it was investigating the Equifax hack. A spokesman for SEC Chairman Jay Clayton declined to comment.
Acting FTC head Maureen Ohlhausen declined to say if that agency was investigating the breach. "We're trying to get a handle on the scope of all of this. We're certainly taking this very seriously," she told reporters at an antitrust conference.
The agency has historically probed big breaches but only sued companies that had been sloppy in protecting consumer data.
The breach also prompted expressions of concern from U.S. Treasury Secretary Steven Mnuchin, while the Massachusetts attorney general said her state planned to sue.
Hackers pilfered names, birthdays and addresses, as well as Social Security and driver's license numbers - a treasure trove for identity thieves. Data of up to 143 million people may have been exposed.
Following revelations of the stock sales by Chief Financial Officer John Gamble and two other people, Equifax said in a statement last week that the executives were not aware that an intrusion had occurred when they sold their shares.
Massachusetts Attorney General Maura Healey said she intended to sue Equifax with allegations of failing to maintain appropriate safeguards to protect customers' data, including that of nearly three million Massachusetts residents.
"In all of our years investigating data breaches, this may be the most brazen failure to protect consumer data we have ever seen," Healey said in a statement.
Equifax had initially appeared to offer credit monitoring to breach victims only if they forfeited their right to file a lawsuit. New York Attorney General A.G. Schneiderman said Tuesday that Equifax removed that language from its website.
U.S. Treasury Secretary Steve Mnuchin on Tuesday called the Equifax breach "quite unfortunate" and insisted that his top priority is to make sure financial data is safe.
"I am concerned about the global financial system and keeping it safe," he said at the CNBC Institutional Investor Delivering Alpha Conference in New York.
Equifax did not respond to Reuters requests for comment.