The hits just keep coming for Equifax in the wake of last Thursday’s disclosure of a security breach that may have exposed personal data on up to 143 million people.
Late Monday, the U.S. Senate Committee on Finance informed Equifax CEO Richard Smith that it wants to hear more—a lot more—about the breach. Senators want more information specifically about the types of data that may have been accessed beyond social security numbers and birthdates. Information on some 200,000 credit card holders may have also been compromised. And the committee really wants to know what safeguards Equifax had been using to keep consumer data secure.
In its letter, which is copied in the committee’s press release, the committee asked if Equifax (EFX) has a chief information security officer (CISO) and, if so, to whom that executive reports. The committee also wants a tally of how many employees are dedicated to data security and how often Equifax used an outside experts to conduct penetration tests of both internal and external systems in the past two years.
Companies typically conduct penetration, or “pen tests,” by security experts to find vulnerabilities that could be exploited before bad guys can find and exploit them.
In the days since Equifax disclosed the breach on September 7, claims and counterclaims have swirled around the cause. All Equifax itself has said is that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
Clearly, more information is needed by regulators and consumers alike. Equifax’s response to date has been slammed. Critics said the company used the breach to tout its own paid credit protection services. Additionally, the website it put up to help customers figure out if they were impacted, itself posed security problems.
“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” according to the letter from the committee, which is chaired by by Orrin Hatch (R-Utah) with ranking Democrat Ron Wyden (D-Ore.).
The committee also wants to hear about an earlier breach in which W-2 and employee records data was taken from TALX, an Equifax subsidiary that handles payroll for companies.
On Friday, Jeb Hensarling, (R.-Texas) said the House Financial Services Committee wants its own look into the Equifax mess.
Get Data Sheet, Fortune’s technology newsletter.
There have been third-hand claims that Equifax’s use of particular piece of open-source software is at the core of this problem. But that’s a red herring, says a long-time security consultant. He requested anonymity because he works for government agencies and is not authorized to speak to the media.
“Forget the particular patches or bugs,” he says. “What is Equifax’s overall approach to security? Does it work with third-party auditors and security folks to protect what is essentially a good chunk of the U.S. economy?”
All software, including aging Java software that is used by most Fortune 500 and other large companies, has vulnerabilities. And that is true even if those companies use a commercially supported version of open-source software purchased from a vendor. Those frailties, if found by criminals before a company’s own security experts, can and will be exploited.
The issue here is how much due diligence this credit agency put into bullet-proofing that software. And that is apparently what the senators on the Finance Committee aim to find out.
The Committee set a deadline of September 28 for Equifax to respond.