Less than 24 hours before Equifax's former chief executive Richard Smith will face the first of four congressional hearings on the credit reporting agency's massive data breach, the company said that 2.5 million US consumers were "potentially impacted" by the breach, bringing the total to 145.5 million.
Equifax said that the additional potential victims were due to its "completion of the remaining investigative tasks and quality assurance procedures built into the investigative process." All of those affected by the hack in the US will get mailed notices by Oct. 8.
Smith will surely face questions about why his company did not know the full number of people who might be affected until now.
The former CEO will tell the House Subcommittee on Digital Commerce and Consumer Protection Tuesday that Equifax started becoming aware of the hack on July 29, according to his prepared testimony.
Smith is expected to unveil more details of the hack and his and Equifax's response over three days of congressional testimony scheduled for this week. After his testimony on Tuesday, he will appear before the Senate Banking Committee and Senate Judiciary Committee on Wednesday before returning to the House to testify in front of the House Financial Services Committee on Thursday.
"The stakes are high this week for Equifax in Washington as Rick Smith comes to explain the company's response to the breach," Cowen analyst Jaret Seiberg wrote in a note Monday. Seiberg said that the first hearing on Tuesday "is by far the most important of the three" because it will be Smith's, and by extension Equifax's, "only one chance to frame the issue."
Smith's questioners from both parties will likely pepper him with aggressive questions about Equifax's security policies, the hack itself, and the company's much-criticized response and notification to the public.
Equifax declined to comment for this story.
While Smith did not know what his security team had seen until July 31, he did not learn that personal information had likely been stolen for another two weeks and did not inform the company's board of directors until Aug. 22, according to his eight-page testimony, released by the subcommittee on Monday.
The hackers were able to access Equifax's systems, Smith will say, thanks to a software vulnerability in the portal customers use to dispute parts of their credit report.
While Equifax officials had asked for the software to be patched in March, it never was, "and the vulnerability remained in an Equifax web application much longer than it should have," Smith's testimony says. The company's investigation indicates that hackers had first "accessed sensitive information" as early as May 13.
The public was not notified of the hack until Sept. 7 because of concern that it might provoke "copycat" hacks and "other criminal activity," Smith says in his testimony.
Smith resigned as chief executive officer last week but will still appear before the congressional committees. The last major financial services executive to appear in front of Congress following a massive company scandal, then-Wells Fargo chief executive John Stumpf, resigned a few weeks later after he received a lashing from Massachusetts Sen. Elizabeth Warren that included her telling him "You should resign."
One issue Smith's testimony does not address is the stock sales by some executives in the days following the initial hack.
Three senior Equifax executives sold just under $2 million worth of Equifax shares on Aug. 1 and 2, and the sales were reported to regulators on Aug. 3. Smith first became aware of the hack in late July before contacting the FBI and asking outside lawyers and Mandiant to investigate on Aug. 2. The Securities and Exchange Commission is investigating the sales, and Equifax has said that the executives were not aware of the hack when the sales took place. The Wall Street Journal reported Friday that Equifax's general counsel John Kelley was being reviewed by Equifax's board.
"The biggest question Equifax must be able to answer centers on the stock sales," wrote Cowen analyst Seiberg. "Lawmakers may not understand the details of how hacking works, but they get this side of the controversy."
Smith will acknowledge many shortcomings with how Equifax publicly responded to the hack in his House subcommittee testimony, including not having enough call center employees. Equifax as a whole only had 500, according to Smith, and "needed to hire and train thousands more...in less than two weeks."
Equifax also "essentially 'cut and pasted'" legal language indicating that customers would waive their rights to participate in a class action if they signed up for its free services offered to people affected by the breach, according to the former CEO. The language confused many people, including experts, and was harshly criticized by law enforcement officials including New York's Attorney General Eric Schneiderman.
"There is nothing Mr. Smith can do to stop the Congressional flogging in store for him, but he could blunt the condemnations with a conciliatory tone and detailed responses," Isaac Boltansky, an analyst at Compass Point, said in a note.
Equifax has substantially overhauled its offerings to customers following the hack. The company early next year will offer a free product that will allow people with credit files to lock and unlock them for life.
"We do not envy Rick Smith. This is an extraordinarily difficult maze to navigate," Seiberg wrote. "Many lawmakers are lawyers and they know how to question a witness."
The current CEO of Wells Fargo, Tim Sloan, will also appear before the Senate Banking Committee this week, with testimony on Tuesday morning.
Sloan's testimony is full of contrition for the company's past behavior and details how the company is trying both to make things right for affected customers and to improve its culture.
"When my predecessor testified here last year, we had not fully grappled with the damage the sales practices scandal had done to our customers, our team members, and their trust in the bank. We came to Congress without a good plan and all of you were right to criticize us," Sloan will say in his testimony.
The company said in August that there had been 1.4 million more "potentially unauthorized" accounts opened by Wells Fargo employees, bringing the total up to 3.5 million. Wells employees would create the accounts in order to meet the company's aggressive sales goals.
"I want to be clear that Wells Fargo is committed to addressing every concern any customer may have about an unwanted product or service — no matter where or when it may have occurred," Sloan will say.
The company had also disclosed that its employees had "potentially enrolled" over 500,000 people into online bill pay services. A Wells Fargo spokesperson said at the time that it was still looking into other lines of business.
Sloan's apologies and commitment to do better are not likely to impress some of his bank's harshest critics, including Democrats in Congress.
Maxine Waters, the top Democrat on the House Financial Services Committee, released a report last week alleging that Wells Fargo "has demonstrated a pattern of egregiously abusing its customers" and that its regulators, including the Federal Reserve, "have failed to use their most severe tools to shut down repeat offender megabanks or otherwise hold their executives accountable."
Some Democrats are pressuring banking regulators to remove Wells Fargo's board of directors. Sen. Warren wrote a letter in August to Janet Yellen, chair of the Federal Reserve, saying that "the case for removing these directors [has] gotten even stronger."
While Seiberg wrote that it's unlikely regulators will take such drastic action, "It will be much harder for Wells Fargo CEO Tim Sloan to use his Tuesday testimony before the Senate Banking Committee to put this controversy to rest. We fully expect Sen. Elizabeth Warren will be armed from this report and will quote from it often."