US lawmakers have questioned the former head of credit-scoring company Equifax about a cyber attack which may have exposed personal information of more than 145 million people.
Richard Smith, who retired last week, apologised repeatedly for the breach.
Some Congressional committee members said it should spur stronger data protection laws and prompt the US to rethink the role of credit agencies.
Others said different rules would not have been enough to prevent this hack.
Equifax has said about 145.5 million people in the US, 400,000 in the UK and about 8,000 in Canada may have had their data compromised in attacks that occurred between May and July.
Hackers took advantage of a software vulnerability that Equifax was warned about in March and failed to address.
At the hearing in Washington on Tuesday Mr Smith said it took the firm weeks to establish the extent of the attack after it identified suspicious activity in July.
Representative Jan Schakowsky, an Illinois Democrat, said the attack should prompt a broader conversation about credit agencies, which collect credit data on consumers from businesses often without people’s knowledge.
“Equifax deserves to be shamed in this hearing but we should also ask what Congress has done or failed to do to stop data breaches from occurring,” she said.
New rules may face opposition in Washington, where US President Donald Trump and many Republicans frequently call for less regulation.
Representative Greg Walden, an Oregon Republican, said companies have a responsibility to guard data under existing law. He questioned how effective new rules might be in incidents like this.
“I can’t fix stupid,” he said.
But both Democrats and Republicans at the energy and commerce subcommittee hearing were united in their anger.
Representative Joe Barton, a Texas Republican, said he wants a federal law that would penalise companies in the event of attacks.
“I think it’s time at the federal level to put some teeth into this,” said
Equifax faces legal claims in dozens of states over the breach, which exposed data including dates of birth, Social Security numbers and credit card information.
Three Equifax executives sold millions of dollars worth of shares after the attack was detected on July 29, but before it was made public.
However, Mr Smith said they were not aware at the time that personal information had been stolen.