Former Equifax CEO takes a lashing
Richard Smith falls short of reasons for massive data breach
“Stupid.” “Unprecedented.” “Shocking.” “Completely lacking.” “Deserves to be shamed.”
Those were just some of the phrases members of the House Digital Commerce and Consumer Protection subcommittee flung at Equifax, the breached credit reporting company.
Forcibly retired former Equifax CEO Richard Smith visibly flinched a few times during his testimony Tuesday as he was grilled over the hack that was first made public on Sept. 7.
The most venom came for Smith’s lack of explanation as to how the massive breach, which exposed the personal information of 145.5 million Americans, happened.
Just as consumers are constantly urged to update their software to guard against problems that can be exploited by hackers, large corporations also get notices that it’s time to upgrade, known in the industry as patching.
In Equifax’s case, that patch notice came two months before the hack was discovered and a week before the company was hacked. Despite that, every internal process that should have applied the patch, or detected that it had not been applied, somehow failed — much to the distress of lawmakers.
“How does this happen when so much is at stake? I don’t think we can pass a law that can fix stupid,” said Rep. Greg Walden, R-Ore.
Smith admitted that the company had sent a warning to security staffers March 9 about a known flaw in software it used called Apache Struts. The warning came from a vulnerability notice distributed on March 7 by the U.S. Computer Emergency Readiness Team.
According to Smith, Equifax’s own protocols required that any vulnerable software be patched within 48 hours.
But the person on the Equifax computer security team who was responsible for patching the vulnerability didn’t, Smith told the representatives. When questioned, he did not name the person.
A week later, the company’s information security department ran scans that should have found any systems still running the vulnerable version of Apache Struts.
Somehow, those scans didn’t do that.
Had the scans worked, everything might have been different. The hackers who broke into Equifax appear to have first accessed sensitive information on May 13, two days before those scans took place.
Instead of being discovered, the hackers were able to plunder the information of 45% of all Americans until they were finally found out July 29.
225 CYBERPROFESSIONALS
When pushed on the response of Equifax security staff, Smith cited the company’s enormous buildup of security infrastructure.
When he was first hired 12 years ago, Equifax had almost no cybersecurity. Today it employs 225 professionals on its cybersecurity team and in the past three years has invested at least a quarter-billion dollars in security, he said.
“How could 225 professionals let a breach like this happen?” asked Rep. Jerry McNerney, D-Calif.
The answer was human error followed by technological error, Smith said.
NOTHING BUT ‘SO SORRY’
Rep. Joe Barton, R-Texas, was angry that there’s no penalty for Equifax’s security failings unless someone files a lawsuit, which didn’t seem to be motivating the company to do a better job.
“So really, you’re just required to notify everybody and say, ‘So sorry. So sad’?” he said.
“It seems to me you might pay a little more attention to security if you had to pay everybody who got hacked 500 bucks or something,” Barton suggested.
Smith had no answer to that suggestion.
Several representatives said they’d introduced various bills that would further regulate and potentially penalize credit-reporting companies for releasing consumer data.
Business attorney Stuart Slotnick with Buchanan, Ingersoll & Rooney said in an email interview that as long as Equifax complied with current laws there was little affected consumers could do other than join class-action suits against the company.
WHY A SEPARATE WEBSITE?
Another issue that has been confusing to consumers is that the website Equifax created to help customers is a different address from Equifax. Consumers must go to trustedidpremier.com rather than Equifax.com.
Many worried the address was a fake and were afraid to use it. Even Equifax’s own support staff got confused by the new address, at one point directing users to a false website.
The entire system was excoriated by the representatives, from the confusing Web addresses to Equifax staff tweeting out the wrong address to crashing websites and long phone hold times.
“Talk about ham-handed responses,” Walden said.
When asked why a different Web address was needed, Smith said the company had to create a new site because its usual Web address simply wasn’t able to deal with the anticipated deluge of visitors. The company’s Web address typically serves between 700,000 and 800,000 consumers a day. “We had 20 million consumers come to visit in the first weeks. Our traditional website could not have handled that from Day One,” he said.
STOCK SALES
The sale of nearly $1.8 million in Equifax stock by three staffers on Aug. 1 and 2 was another point of concern brought up by multiple representatives during the hearing.
Federal prosecutors are examining the stock sales by Equifax Chief Financial Officer John Gamble, Joseph Loughran, president of the company’s information solutions division, and Rodolfo Ploder, president of the firm’s workforce solutions unit.
Smith was adamant that the men knew nothing of the breach at the time they sold their stock.
3 MORE HEARINGS TO GO
Tuesday’s hearing was the first of four this week.
On Wednesday, company brass will speak before a Senate Banking committee and a Senate Judiciary subcommittee and on Thursday before a House Financial Services committee.