Senators slam Equifax over business model
WASHINGTON — Senators on Wednesday slammed Equifax Inc. for making money off its massive data breach and said Americans should have more control over the vast amount of sensitive personal information that credit reporting companies have about them.
“Equifax and this whole industry should be completely transformed,” Sen. Elizabeth Warren, DMass., told the company’s former chief executive, Richard Smith, at a hearing. “Consumers — not you — should decide who gets access to their own data.”
Warren and other members of the Senate Banking Committee questioned a business model that allows Equifax and the other credit reporting companies to collect consumers’ data and then charge them to monitor for misuse of that information by identity thieves.
“I don’t pay extra in a restaurant to prevent the waiter from spitting in my food,” said Sen. John Kennedy, R-La. “I think this is a very clever business model you’ve come up with.”
Smith, who stepped down last week in the wake of the breach, faced a second straight day of sharp bipartisan criticism on Capitol Hill for the hack that exposed the Social Security numbers and birthdates of as many as 145.5 million U.S. customers.
Senators also were outraged about the revelation that Equifax last week was awarded a $7.3-million, nobid contract by the Internal Revenue Service to verify taxpayer identities and prevent fraudulent access to the data.
“I won’t ask for a show of hands in the room but I don’t know who would want to say we should buy fraud protection from the people who were just hacked and dumped 145 million American records,” said Sen. Ben Sasse, R-Neb.
The IRS said that Equifax was awarded a short-term contract to prevent a lapse in services and it was told by the company that no IRS data was involved in the breach.
“Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems,” the statement said.
But the chairman and top Democrat on the Senate Finance Committee, which oversees the IRS, wrote to the agency’s commissioner Wednesday saying they were “taken aback” by the contract and asking for more details.
Sen. Mike Crapo, RIdaho, committee chairman, said that he believed there was bipartisan interest in legislation strengthening data security laws.
“The amount of data that the private industry and the government collect and store is very concerning,” Crapo told Smith.
As he did at a House hearing Tuesday, Smith apologized for human and technical errors that led to the data breach. But senators hammered him for Equifax’s failure to protect its data and then taking almost six weeks to notify the public of the breach.
Warren quoted a speech Smith gave in August in which he said fraud was a “huge opportunity” for Equifax because it could sell credit monitoring services.
“So the breach of your system has created more business opportunities for you,” she said.
Equifax has offered a year of free credit monitoring to customers. So far 7.5 million people have signed up for it, Warren said. If 1 million of those decided to buy another year’s protection at $17 a month, that would generate more than $200 million for Equifax, Warren said.
The company also sells credit monitoring services to businesses and the government, she said. And Equifax is compensated for providing credit monitoring to LifeLock, an identity theft protection company that has seen a surge in business since the hack, Warren said.
“You’ve got three different ways Equifax is making money — millions of dollars — off its own screw-up,” Warren said.
“The incentives in this industry are completely out of whack,” she said.