Washington — Lawmakers on Tuesday expressed frustration when pressing the former Equifax Inc. CEO on his company’s response to a massive data breach affecting 145.5 million Americans, asking why Equifax failed to catch the intrusion or alert consumers sooner.
“How does that happen with as sophisticated company as you headed? With this much at risk, how does this happen?” House Energy and Commerce Chairman Greg Walden of Oregon asked.
“I don’t think we can pass a law that — pardon me for saying — that fixes stupid.”
Richard F. Smith, who stepped down last week as chairman and CEO, told the House panel that the company was alerted in March to a software vulnerability, but due to “human error and technology error” the security patch was not applied. It created the opportunity for hackers to obtain the personal information of millions of consumers.
The individual Equifax employee responsible for notifying others inside Equifax that the security patch was needed didn’t communicate that information, and a backup computer scan didn’t catch the vulnerability for reasons that are under investigation, Smith said.
Rep. Joe Barton, R-Texas, suggested that Congress might have to pass a law in an attempt to force companies to better protect consumers’ private information. Under current law, companies must inform individuals when their data has been compromised but there’s no penalty for the act, he said.
“I understand that the company has to stay in business and has to make money, but it seems to me you might have to pay more attention to security if you had to pay everyone who got hacked about a 1,000 bucks,” Barton said. “Only way I know how to do it is some sort of fine per account hacked.”
Smith acknowledged that mistakes were made when the company rolled out a program to help consumers respond to the data breach. Equifax’s consumer-response website and call centers were overwhelmed in the early days after the hack was revealed publicly Sept. 7.
“The criminal hack happened on my watch and, as CEO, I’m ultimately responsible. I take full responsibility,” Smith said. “I’m here today to say to each and every person affected by this breach, I’m truly and deeply sorry for what happened.”
Michigan Attorney General Bill Schuette last week joined more than 40 other state attorneys general in an investigation of the cyberattack on Equifax. Schuette’s office has estimated that more than 4 million Michiganians may have had their personal information compromised.
Smith said the Atlanta-based Equifax hired forensic cybersecurity experts from the firm King & Spalding in early August to try to examine “suspicious activity” detected in its systems, as well as what the hackers had accessed and any footprints they left behind.
He said it was not until the end of August that it was determined the company had experienced a “major breach,” Smith said, claiming that he personally did not learn that personal data had been compromised until Aug. 15.
Smith said under questioning that Equifax’s chief general counsel John J. Kelley III didn’t know about the extent of the data breach at the time that Kelley signed off on the sale of $1 million worth of Equifax stock by three company executives on Aug. 1 and 2.
Smith was then asked about when the three executives learned of the breach.
“I don’t know the exact date that they were informed but, to the best of my knowledge, they had no knowledge at the time they cleared their trades with general counsel,” Smith said in response to Rep. Jan Schakowsky of Illinois, the panel’s ranking Democrat.
“Do you know for sure that they didn’t know?” Schakowsky said.
“To the best of my knowledge, they did not know,” Smith replied.
Schakowsky, citing interviews by committee staffers with Equifax’ chief security officer, disputed Smith’s statement about whether the general counsel knew that personal data had been stolen by hackers at the time he approved the stock sales.
Rep. Fred Upton, R-St. Joseph, held up a Equifax credit report for someone he knows.
“It’s 131 pages long. Unbelievable in terms of the data that has been collected on this particular individual,” Upton said.
“I would guess that most individuals have no clue that there’s that much data that has been assembled on their own personal family account.”
Upton asked Smith whether there’s any evidence that the hackers manipulated the personal data that it accessed in Equifax’s systems.
“The forensic experts that we engaged ... have led us to believe there’s no indication the data left behind has been manipulated,” Smith said.
Smith also told Upton that the compromised data was not from individuals’ credit report files but from a system associated with consumer disputes over their credit reports.
Rep. Debbie Dingell, D-Dearborn, echoed the displeasure expressed by her colleagues on the Subcommittee on Digital Commerce and Consumer Protection, but said the episode should have awoken the American consciousness about the vulnerability of credit and privacy.
“In the past, folks changed their passwords. Maybe you got a new credit card and that was it,” Dingell said. “That’s not so simple when it’s a Social Security number or other personal info. You can’t change your Social Security number, and I can’t change my mother’s maiden name. This information is out there forever.”
When Dingell asked, Smith would not comment on whether he believes the attack came from a foreign government.
“We’ve engaged the FBI, and at this point that’s all I’ll say,” Smith replied.
Dingell asked how Americans can take reasonable steps to secure their private information and “security their identify” if they don’t even know who has stored it.
“Most people had no idea that Equifax was even holding their data,” she said.
Smith said companies like Equifax can help consumers protect their credit info by offering to “lock and unlock” their credit files repeatedly, for life, for free.
“There needs to be greater awareness. I understand your point clearly,” Smith said. “I think by making this available to all Americans is one step in doing that.”
Dingell said she has introduced legislation that would give the Federal Trade Commission the rule-making authority to ensure that any entity storing personal data such as a consumer’s address or Social Security number takes steps to secure it.
Asked by a lawmaker Tuesday whether he supports such rule-making authority for the FTC, Smith said he has no opinion.
He wouldn’t directly answer a question about how long consumers will face the potential for identity theft from the Equifax breach.
“Unfortunately, the number of breaches around SSNs have been on the rise,” Smith said. “The question to give thought to is how secure really is an SSN and should that be an identifier going forward.”