Ex-Equifax chief takes D.C. lumps
WASHINGTON — House Republicans and Democrats on Tuesday lashed out at the former head of Equifax, demanding answers for the huge data breach that compromised sensitive personal information of an estimated 145 million Americans.
Rep. Frank Pallone, D-N.J., said that if Equifax wants to remain in business, its entire corporate culture needs to change to one that values security and transparency.
“We want answers for consumers because Equi-
fax’s response to this breach has been unacceptable,” said Pallone, the top Democrat of the House Energy and Commerce Committee.
Former Equifax Chairman and Chief Executive Officer Richard Smith testified before a House panel, the first of four hearings on Capitol Hill this week as Congress examines what went wrong. Smith was the only witness at the hearing. No current Equifax employee testified.
The sessions can turn into public shamings, especially this year as the Republican-led Congress has worked to ease government regulations on businesses.
“Equifax deserves to be shamed in this hearing. But we should also ask what Congress has done — or failed to do — to stop data breaches from occurring,” said Rep. Jan Schakowsky, D-Ill.
Republican Rep. Greg Walden of Oregon, the committee’s chairman, said the hearing was necessary to do something that Equifax has failed to do in recent months: “Put Americans first.”
Walden said legislation to avert future data breaches will fall short because none can fully prevent human error.
“How does this happen when so much is at stake?” Walden asked. “I don’t think we can pass a law that fixes stupid.”
Separately, Equifax signed a $7.25 million contract last month with the Internal Revenue Service to verify taxpayer identities. The no-bid contract, first reported by Politico, is for Equifax to provide the IRS taxpayer and personal identity verification services.
The contract stated that Equifax was the only company capable of providing these services to the IRS, and it was deemed a “critical” service that couldn’t lapse.
The revelation last month of the hack to Equifax’s computer system rocked the company, which faces several state and federal inquiries and several class-action lawsuits. Smith said the company was cooperating with the FBI and state agencies.
Smith attributed the breach to human error and technological error and said both errors have been addressed.
He also told lawmakers that when he first learned of the breach on July 31, compa- ny officials did not realize that personal information about consumers had been stolen. He described suspicious activity against the company’s database as routine. The public was notified of the breach on Sept. 7.
“As we all painfully learned, data security is a national security problem,” Smith told lawmakers.
He said no single company can solve the problem on its own and that a system is needed to let consumers control access to their personal data.
“Let me close by saying how sorry I am for the breach,” Smith said.
Smith, who resigned after overseeing the company for a dozen years, said Equifax was hacked by a yet-unknown entity. He said information stolen included names, Social Security numbers, birth dates and addresses. In addition, the credit card information for about 209,000 consumers was also stolen as well as certain documents with personally identifying information for approximately 182,000 consumers.
Smith said the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software used by Equifax and other businesses. The company disseminated that warning by email the next day and requested that applicable personnel install the upgrade. The company’s policy requires the upgrade to occur within 48 hours, but Smith said that did not occur. The company’s information security department also ran scans on March 15 that did not pick up the vulnerability.
Smith also said he was disappointed in the rollout of call centers and a website designed to help the people affected by the breach. He said the company has increased its number of customer service represen- tatives and the website has been improved. He said more than 400 million consumers contacted the company in the weeks since the announcement of the breach. He said the company wasn’t prepared for that kind of volume.
“The scale of the reaction was unprecedented,” Smith said.
Several Democratic lawmakers on the committee signed on to legislation that they said would establish data security standards that companies would have to follow and require prompt notification of consumers of the breach. Comparable legislation in past congressional sessions has failed to gain significant traction.
The biggest hack in U.S. corporate history happened to Yahoo. The Internet company acquired by Verizon Communications Inc. this year, said Tuesday that it now believes a 2013 security breach affected all 3 billion of its users at the time.
The assessment, based on new intelligence obtained after the $4.5 billion acquisition, compares with Yahoo’s initial estimate that 1 billion accounts
were compromised. The information stolen didn’t include passwords in clear text, payment data or bank accounts. Yahoo is notifying users.
Verizon, which is combining Yahoo with its AOL business, had negotiated a $350 million price cut on the deal after Yahoo disclosed the 2013 breach and a subsequent hack in 2014. The attacks exposed user accounts and threatened Yahoo’s trust with consumers.
Yahoo has said it wasn’t able to identify who was responsible for the 2013 breach, though the U.S. government has accused Russia of directing the 2014 hack. The 2013 intrusion was discovered by Andrew Komarov, chief intelligence officer for Info-Armor, who had been tracking a prolific Eastern European hacker group that he spotted offering 1 billion Yahoo accounts for $300,000 in a private sale.
Information for this article was contributed by Kevin Freking of The Associated Press; and by Crayton Harrison and Elizabeth Dexheimer of Bloomberg News.