Lawmakers grill former Equifax chairman over data breach

October 3, 2017 by Kevin Freking
Lawmakers call Equifax response to breach inadequate
Former chairman and CEO of Equifax Richard F. Smith testifies before the Digital Commerce and Consumer Protection Subcommittee of the House Commerce Committee on Capitol Hill in Washington, Tuesday, Oct. 3, 2017. (AP Photo/Carolyn Kaster)

House Republicans and Democrats on Tuesday grilled Equifax's former chief executive over the massive data hack of the personal information of 145 million Americans, calling the company's response inadequate as consumers struggle to deal with the breach.

Former Equifax CEO Richard Smith apologized for the compromise of such information as names, addresses, birth dates and Social Security numbers. Smith was the lone witness at the first of several Capitol Hill hearings this week. No current Equifax official testified.

"The criminal hack happened on my watch, and as CEO, I am ultimately responsible, and I take full responsibility," Smith said. "I am here today to say to each and every person affected by this breach, I am truly and deeply sorry for what happened."

Democrats favor legislation that they say would establish strong data security standards and prompt notification and relief for consumers when their information is hacked. But Republicans tamped down expectations for any congressional action, as the GOP-led Congress has this year rolled back several Obama-era rules affecting businesses and the financial sector.

"Equifax deserves to be shamed in this hearing, but we should also ask what Congress has done, or failed to do, to stop data breaches from occurring," said Rep. Jan Schakowsky, D-Ill.

Former chairman and CEO of Equifax Richard F. Smith talks with former Sen. Saxby Chambliss, R-Ga., as he takes his seat to testify before the Digital Commerce and Consumer Protection Subcommittee of the House Commerce Committee on Capitol Hill in Washington, Tuesday, Oct. 3, 2017. (AP Photo/Carolyn Kaster)

Rep. Bob Latta, R-Ohio, the chairman of the subcommittee examining the breach, said there are already laws on the books that require companies to secure sensitive consumer data. He said that hearings before four House and Senate panels this week should run their course before lawmakers make a decision about what to do next.

"The big thing we heard today is it was a very human error on their part," Latta said.

Smith offered a timeline of what went wrong, saying the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software used by Equifax and other businesses. The company disseminated that warning by email the next day and requested that applicable personnel install the upgrade. The company's policy requires the upgrade to occur within 48 hours, but that did not occur. The company's information security department also ran scans on March 15 that did not pick up the vulnerability.

In late July, data security officials noticed suspicious activity on a website, which Smith said "happens routinely around our business." He said an internal investigation ensued and he was alerted the next day, but he had no knowledge at that time that consumers' personal information had been accessed.


Lawmakers pressed Smith about company executives selling stock in the company after the suspicious activity had been detected. On Aug. 1 and 2, Equifax Chief Financial Officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran, sold a combined $1.8 million in stock.

Smith described the executives as "honorable men, men of integrity." He said at that point in time the company was unaware that consumer data had been accessed.

Schakowsky said "for a lot of Americans, that just doesn't pass the smell test."

Smith said the full extent of what occurred emerged during a meeting he had with cybersecurity experts and outside counsel on August 17. The board was alerted the following week and the public on Sept. 7, after the company had made plans for how it would try to help consumers respond.


The timeline laid out by Smith didn't satisfy many lawmakers, who accused the company of being too slow.

"I worry that your job today is about damage control. You put a happy face on your firm's disgraceful actions, and then depart with a golden parachute," said Ben Ray Lujan, D-N.M. "Unfortunately, if fraudsters destroy my constituents' savings and financial futures, there's no golden parachute awaiting them."

Lawmakers said that at one point Equifax tweeted the wrong link for consumers to check to learn if they were part of the breach.

"Talk about ham-handed responses, this is simply unacceptable," said Rep. Greg Walden, R-Ore.


Smith said he was disappointed in the rollout of call centers and a website designed to help the people affected by the breach. He said the company has increased its number of customer service representatives and the website has been improved. He said more than 400 million consumers contacted the company in the weeks following the announcement of the breach. He said the company wasn't prepared for that kind of volume.

Lawmakers said they're getting scores of calls from constituents concerned that their information was stolen and the potential ramifications in the years ahead. Rep. Ryan Costello, R-Pa., said hundreds of constituents have contacted his office about the company's response.

"The slow rollout and how poorly it was done. To me, it was just inexcusable," Costello said.
