(Reuters) – Equifax Inc (EFX.N) shares tumbled as much as 18 percent on Friday as cyber security experts and customers criticized the consumer credit score provider’s response to a hack that may have stolen personal details of up to 143 million Americans.
The hack, among the largest ever recorded, was especially alarming due to the richness of the information exposed, which included names, social security numbers, birthdays, addresses and driver’s license numbers, cyber researchers said.
Bigger hacks, such as those disclosed by Yahoo last year that affected a billion and half a billion accounts, did not put as much sensitive information at risk.
”Another day, another dumpster fire in cyber security,” said Ryan Kalember, senior vice president of the cyber security firm Proofpoint.
Two proposed class-action lawsuits, one filed in Portland, Oregon, and another in Atlanta, Georgia, alleged that Equifax had been negligent in protecting consumer data.
Equifax disclosed on Thursday the breach it had discovered on July 29, and said criminals had exploited a vulnerability in a website application to gain access to certain files.
Twitter users reported customer service representatives were difficult to reach and either unhelpful or unaware that the breach had occurred.
Equifax did not immediately respond on Friday when asked about criticism of its response.
A Reuters reporter attempted to enroll late on Thursday in a service Equifax set up to let customers know if they had been affected and received a confirmation page that said enrollment would begin next Tuesday.
“Please be sure to mark your calendar as you will not receive additional reminders,” the confirmation page said. It did not state whether the reporter had been impacted by the data breach.
Some cyber security experts criticized Equifax for setting up a support website, equifaxsecurity2017.com, under a different domain than the company’s main website, equifax.com, a practice that mirrored a tactic that can be used to fraudulently collect data.
U.S. lawmakers also expressed concern and congressional aides were expected to receive a briefing from Equifax on Friday about the breach, a spokesman for the House Financial Services Committee said.
Atlanta-based Equifax said hackers breached the accounts between mid-May and July. Accounts of some British and Canadian residents were also compromised.
“Obviously the size and scope of this breach will likely drive a number of negative headlines for EFX that will weigh on its brand for the foreseeable future,” Barclays analyst Manav Patnaik wrote in a note.
Britain’s Information Commissioner’s Office said the breach “gives us cause for concern,” and ICO Deputy Commissioner James Dipple-Johnstone said the office would advise Equifax to alert affected British customers as soon as possible.
Equifax’s larger rival Experian Plc (EXPN.L) reported a data breach two years ago that exposed sensitive personal data of some 15 million people.
Equifax shares, which had gained 21 percent this year, were last down 13 percent at $123.18 after earlier touching their lowest in more than seven months.
Shares of rival TransUnion (TRU.N) were down 4 percent, while Experian shares were down 1.3 percent.
“We expect Equifax and, to a lesser extent, TransUnion and Experian, to face pressure near-term given the magnitude of the breach and attention on data integrity,” analyst Michael Tarkan from Compass Point wrote in a note.
Equifax handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.
Reporting by Dustin Volz in Washington and Aishwarya Venugopal and Sweta Singh in Bengaluru, additional reporting by David Shepardson and Jonathan Stempel; Editing by Meredith Mazzilli