The Atlanta Journal-Constitution
Senators urge more aid for hack victims
Some lawmakers upset that Equifax is making money off data breach.
As former Equifax Chief Executive Richard Smith appeared Wednesday for the second of three congressional hearings this week, senators called for the company to do more to make amends to almost 146 million Americans affected by a massive hacking incident.
The suggestions ranged from calls for Equifax to take more legal and financial responsibility for the likely harm to consum- ers, to demands that the company pay big fines for allowing
the hack to happen.
Some lawmakers said Congress also needs to draft stronger legislation to require companies to tell consumers sooner after hacking attacks occur, and to require tougher data security standards.
Smith, who stepped down last week from Equifax, also had a suggestion. Businesses, academics and the federal government, he said, need to come up with a better universal identifier than Social Security numbers — some of the key information stolen.
“I look forward to being part of that dialogue,” he said early in the hearing, which followed Tuesday’s appearance before House lawmakers.
Then the fireworks began. Equifax has made much of its revenue from fraud protection products that will now be needed more than ever because of the giant data theft, said Sen. Ben
Sasse, R-Neb.
“It feels like a broken windows business model,” he said, in which the company profits from damage it had a role in causing, he said. “You provided the bricks.”
“Senior executives like you should be held personally accountable,” Massachusetts Sen. Elizabeth Warren told Smith, the sole witness at the hearing before the Senate Banking, Housing and Urban Affairs Committee. Equifax should face “severe financial penalties,” she said.
Stock sales by three top Equifax executives and a recently renewed contract with the IRS to provide fraud prevention services also drew the ire of several senators.
“They should give the money back,” Sen. Heidi Heitkamp, D-N.D., said of the roughly $655,000 in losses that the three executives avoided by selling stock before Equifax disclosed the breach, sending its stock plunging.
Likewise, she called on Equifax to back away from the recently renewed $7.25 million contract with the IRS to provide fraud prevention and taxpayer identification services to the IRS, according to media reports.
“Many times it’s the symbolic acts” that matter, said Heitkamp. “My advice to you is to do some things that are very, very visible, and that’s two things you could do.”
Equifax had disclosed on Sept. 7, along with the hacking incident, that three of its top executives, including its chief financial officer, had sold $1.8 million worth of company stock. The sales occurred on Aug. 1 and Aug. 2, days after the company first discovered signs of a serious hacking incident. The public disclosure came more than a month later, raising suspicions of illegal insider trading.
Equifax has said the executives had no knowledge of the breach at the time they sold stock.
Smith said in hearings Tuesday and Wednesday that the company didn’t know at the time that hackers had stolen large amounts of data, including millions of folks’ Social Security numbers and other sensitive information.
But some senators weren’t buying it.
Under questioning, Smith said that Equifax’s chief lawyer was first notified of “suspicious activity” by hackers on Aug. 2. The chief attorney approved the executives’ stock sales on Aug. 1 and Aug. 2.
Smith also said that on Aug. 2, Equifax officials and a big Atlanta law firm working for the company, King & Spalding, had notified the FBI of the breach on Aug. 2, the same day as some of the executives’ stock sales.
Equifax had detected the activity on July 29 and shut down a web portal hackers had broken into on July 31, according to a timeline in Smith’s prepared testimony before the hearings.
But Smith said “millions” of hacking attempts occur at Equifax every year, and that the company didn’t know by Aug. 2 that a theft of personal data had actually occurred.
“To the best of my knowledge, they had no knowledge,” Smith said of the executives.
After the data theft was disclosed to the public more than a month later, Equifax’s stock dropped about 36 percent, wiping out more than $6 billion of the value of investors’ stake in the company.
“This really stinks. It smells really bad. And I guess smelling bad isn’t a crime,” said Sen. Jon Tester, D-Mont.
Heitkamp wanted to know how often Equifax notified the FBI after detecting suspicious activity.
“I don’t know that information,” said Smith, adding that he would ask the company to look into it.
Warren lambasted Equifax for a history of past hacking incidents that she said have allowed the company to profit from selling fraud-prevention and related products to consumers.
“The whole thing is staggering,” said Warren, the Democratic senator from Massachusetts, who is often a critic of financial institutions. Equifax “should have the best security in the nation, and it has the worst,” she said.
She asked Smith if fraud is more likely now as a result of the most recent hacking incident.
“Senator, yes it is,” Smith answered.
So, Warren asked, it has created a “business opportunity” for Equifax to sell fraud protection products to consumers?
Smith said the “best thing’ for consumers to do is sign up for Equifax’s free credit monitoring and credit freeze products it offered after disclosing the data breach.
Equifax “is making millions of dollars on its own screw-up,” said Warren. “From 2013 to today, Equifax has disclosed at least four different hacks.” She asked if Equifax’s profits increased during that period.
“Yes, it did,” Smith answered.
By about 80 percent, Warren added. “The incentives in this industry are completely out of whack,” she said.
Consumers and businesses will be harmed by the fallout from Equifax’s data breach, she added, but “Equifax will be just fine. In fact, it could come out ahead.”