Los Angeles Times

Equifax’s ex-CEO to face House committee

He will detail missteps by firm in testimony about data breach.

By Jim Puzzanghera

WASHINGTON — The former chief executive of Equifax Inc. plans to apologize for the credit reporting company’s massive data breach when he testifies Tuesday before a congressional committee.

He also will detail the missteps before and after the hack, which exposed the Social Security numbers and birth dates of as many as 145.5 million U.S. customers. The company on Monday revised up the total from an initial estimate of 143 million following the completion of a review by an outside cybersecurity firm.

“Equifax was entrusted with Americans’ private data and we let them down,” Richard Smith said in written testimony for the hearing that the House Energy and Commerce Committee released Monday. “To each and every person affected by this breach, I am deeply sorry that this occurred.”

Smith stepped down last week in the wake of the breach, which has sparked numerous federal and state investigations as well as outrage from lawmakers. His appearance Tuesday before the House panel will be the first of three before congressional committees this week.

In his written testimony, Smith blamed the breach on “human error and technology failures” and said the company was a victim of “a massive theft.”

“The company failed to prevent sensitive information from falling into the hands of wrongdoers,” he said.

“The people affected by this are not numbers in a database. They are my friends, my family, members of my church, the members of my community, my neighbors,” Smith said. “This breach has impacted all of them. It has impacted all of us.”

Smith also said Equifax was “disappointed” with the rollout of a special website and call centers to deal with the fallout from the breach. The company “struggled with the initial effort” to help consumers, he said.

Equifax has been criticized for waiting nearly six weeks to notify the public after learning of the hack July 29, and then initially making consumers give up their right to sue if they wanted free credit monitoring and identity theft protection. Equifax later backtracked on that requirement.

Smith said in his testimony that “regrettably, mistakes were made” in the company’s effort to help millions of consumers deal with the data breach.

The arbitration provision “had simply been inadvertently” included in the terms and conditions for the credit monitoring after someone “essentially ‘cut and pasted’ ” the wording from a different Equifax product, he said.

In response to criticism of its efforts, Equifax said last week that it would stop charging customers to freeze access to their credit records so that no data would be released to scammers. In his testimony, Smith called for such free credit freezes to be the industry standard and said that the nation should consider replacing Social Security numbers “as the touchstone for identity verification.”

“We believe redirecting the debate in this manner is a big positive for the firm,” wrote Jaret Seiberg, an analyst with brokerage and investment bank Cowen & Co., in a research report. “This is a way to give members of Congress a way to react to the crisis where Equifax is part of the solution rather than the target of attack.”

But Seiberg noted that Smith’s prepared testimony failed to address the controversy regarding possible insider trading by some Equifax executives before the data breach became public.

On Aug. 1, three Equifax executives sold thousands of shares of stock. All the shares sold for about $146 each. The company’s stock sharply declined after the data breach was announced. Shares closed at $107.81 Monday, up about 1.7% but still down about 24% since the hack.

Equifax’s board of directors has formed a special committee and is “conducting a thorough review of the trading at issue,” Theodore M. Hester, an attorney retained by Equifax, said in a letter Friday to Democrats on the House Energy and Commerce Committee.

“Equifax takes these matters seriously,” Hester wrote.

The stock sales were among several topics related to the data breach that the lawmakers had asked Smith about in a Sept. 12 letter.

Smith said the data breach problems started March 8 when the Department of Homeland Security’s Computer Emergency Readiness Team sent a notice to Equifax and other companies about the need to patch a vulnerability in software known as Apache Struts.

Equifax sent emails about the federal warning to workers responsible for the software, which is used in the company’s consumer online disputes portal. But the “vulnerable versions” of the software were not identified or patched, Smith said.

“Equifax’s efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have,” Smith said. The company is investigating why.

Hackers appear to have first used the software vulnerability to access sensitive information May 13 and continued to do so for weeks before Equifax’s security team identified suspicious network traffic July 29.

The next day, Equifax took the web portal offline.

Smith said he learned about the problem July 31 from the company’s chief information officer. A full response began Aug. 2, including contacting the FBI, Smith said.

Equifax and an independent cybersecurity forensic consulting firm, Mandiant, worked “literally around the clock” to figure out what happened, Smith said. But despite numerous internal discussions, Equifax did not publicly announce the breach until Sept. 7.

Smith said one reason for the delay was that experts had told company executives that notifying the public “would provoke ‘copycat attempts’ and other criminal activity.”

Equifax said Monday that Mandiant had completed the forensic portion of its review and found that as many as 2.5 million more U.S. customers might have been affected.

The review also has concluded that there is no evidence the attackers accessed databases located outside of the United States, the company said.

Equifax is trying to help consumers while also fixing its security systems, he said. The company’s “vulnerability scanning and patch management processes and procedures” have been enhanced, Smith said.

Smith noted that in addition to his departure, the company’s chief information officer and chief security officer also left the company after the breach.

Photo caption: RICHARD SMITH, shown in 2007, resigned as CEO in the wake of the massive data breach at Equifax. (Joey Ivansco / Associated Press)

Photo caption: IN WRITTEN testimony, former Equifax CEO Richard Smith says mistakes were made in trying to help customers deal with the firm’s data breach. Above, Senate Democrats last week discuss consumer protections. (J. Scott Applewhite / Associated Press)
