Lawmakers grill former Equifax chief executive on breach response

  • Former chairman and CEO of Equifax Richard Smith pauses as he testifies before the Digital Commerce and Consumer Protection Subcommittee of the House Commerce Committee on Capitol Hill in Washington, Tuesday, Oct. 3, 2017. (AP Photo/Carolyn Kaster) AP

Washington Post
Wednesday, October 04, 2017

Former Equifax chief executive Richard Smith was grilled by animated lawmakers Tuesday, during the first congressional hearing after the company disclosed a massive security breach.

Lawmakers from both parties questioned Smith on his role at the embattled credit reporting agency and indicated that tighter data security standards are long overdue.

Rep. Greg Walden, R-Ore., the chairman of the House Energy and Commerce Committee, described Equifax’s response to the breach as “ham-fisted” and “unacceptable,” echoing several other lawmakers on the panel. In a remarkable exchange, Walden held up a thick stack of paper, which he said was a full Equifax consumer credit report, and asked Smith how such a sophisticated company responsible for so much data could allow the breach to occur. “How does this happen?” he said, with exasperation.

Smith confirmed at the hearing that intruders were able to penetrate the company’s network by exploiting a known vulnerability that Equifax had failed to patch. But for the first time, Smith acknowledged that the employee responsible for assigning a correction to that vulnerability failed to do so, even though that person knew the patch was needed.

Smith also fielded questions concerning reports that his former colleagues sold an unusual amount of stock after the breach was known to the company but before it was disclosed to the public. Smith said that at the time, Equifax knew only that suspicious activity had been detected, and not that personal information had been stolen from the company. “To the best of my knowledge they did not know,” Smith said.

The former Equifax chief executive declined to directly answer whether Equifax suspects a nation state was involved in the breach. “I have no opinion,” he said, when asked by Rep. Leonard Lance, R-N.J., several times. Smith said that the FBI is involved.

The morning hearing before the House Digital Commerce and Consumer Protection subcommittee was a fact-finding mission, one peppered with public reprimands and calls for sweeping improvements. Lawmakers said that they want to hold Equifax accountable for what they called glaring security lapses, a limp response to widespread outrage and possible insider trading.

The hearing comes a day after Equifax said that the data of an additional 2.5 million consumers may have been compromised by the cyber breach, bringing the total number of consumers who may have been affected to a staggering 145.5 million.

Last week, Equifax tried to get ahead of what may be an intense round of questioning. On Thursday, the company announced a new, free service that will allow consumers to lock and unlock their credit information for life, starting next year. It has also been considering clawbacks for some of its executives, according to the Wall Street Journal. But that may not be enough for lawmakers and consumer advocates who have asked the credit agency for more extensive remedies and protections. There have even been calls to change the entire credit reporting industry.

While many high-profile companies have suffered damaging data breaches, the Equifax hack stands out because of the company’s sprawling influence on American commerce. The crucial, identifying information belonging to millions of people, including Social Security numbers and home addresses, may have been compromised.

The hack has prompted dozens of lawmakers, state attorneys general and federal agencies to examine the breach. Security experts have said that the ripple effects will be felt for years to come and that the ultimate costs are hard to discern.

After Equifax disclosed the breach in September, the public outcry was swift and resounding. Reports quickly surfaced that several Equifax executives had sold an unusual amount of stock after the company discovered the breach but before it was made public. Not only did consumers feel exposed after learning that their sensitive information may have been stolen, but they also were angered by Equifax’s bungled response. The call center was understaffed, and a help website that the company put up had the trademarks of a phishing scam while offering little guidance as to how affected people could protect themselves, experts and consumers said.

A week later, the company’s chief security officer and the chief information officer announced their sudden retirements. Then Smith, the former chief executive, said that he, too, would step down.

Smith will also testify in three other hearings this week. It’s not clear whether the company’s attempts at reform will preempt new cybersecurity regulations backed by some lawmakers.

Sen. Jeff Flake, R-Ariz., chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, another panel that will question Smith, told The Washington Post in a statement that he hopes the hearing before his committee will offer insight into how data brokers can better protect sensitive information from large-scale breaches. Democrats Rep. Ted Lieu, Calif., and Sen. Mark Warner, Va., said the hearings would help build momentum for a federal data breach notification law. Echoing the concerns of their constituents, many lawmakers stressed their unease with Equifax’s delayed disclosure.

“This reemphasizes the need for data breach legislation, so there is a standard – so you don’t have a company decide when they want to disclose when a breach has occurred,” Warner said.