Over the course of about three hours, Richard Smith, who was until last week the chief executive officer of the credit reporting agency Equifax, repeatedly apologized to American consumers while Congress grilled him about how his company could have let sensitive personal information of up to 145.5 million Americans get hacked, exposing all of them to potential harm.
Smith explained to a subcommittee of the House Energy and Commerce Committee that hackers were able to get into Equifax's data because of a "human error." Specifically, that after the company was notified that there was a software vulnerability that needed to be patched, "the individual who was responsible for communication within the organization to apply the patch" did not tell the appropriate people to do so.
He also told the panel — again, several times — that the company was offering a suite of products that allowed people whose data had been exposed to monitor their credit file. Starting in January, any US consumer will be able to lock and unlock their Equifax credit report from a mobile app.
These words did not seem to mollify the members of Congress, who may have found, in Equifax, one thing that Democrats and Republicans can agree on.
"It seem to me you’ve accomplished something no one else has been able to accomplish: you’ve brought Democrats and Republicans together in outrage and frustration over what’s happened," Anna Eshoo, a California Democrat, told Smith towards the end of his three-hour testimony, the first of four hearings he is scheduled to attend this week.
"I appreciate that you’re sorry, my question is 'What now?" Ben Ray Lujan, a New Mexico Democrat, told Smith. "I’m worried that your job today is damage control. If fraudsters destroy my constituents’ savings and financial futures, there’s no golden parachute waiting for them." (While Smith did not receive a bonus or severance when he left Equifax, he will get a $18 million pension at the very least plus other likely enrichments.)
“Equifax deserves to be shamed," said Jan Schakowsky, an Illinois Democrat and the subcommittee co-chair.
Mandiant has completed the forensic portion of its investigation of the cybersecurity incident at Equifax. Read more https://t.co/sQ3AC3wSj9
While Smith pointed to a lifetime credit lock for Equifax credit reports, all he could do with the other two credit bureaus, Experian and TransUnion, was suggest they offer a similar service.
"It's time we change the paradigm of who controls and who accesses credit data," he said. When a consumer applies for a mortgage or credit card or some other line of credit, the lender can look up credit reports from any of the three companies.
Credit locks, like the product offered by Equifax, allow consumers to toggle on and off whether a new lender can access a credit report. A more comprehensive service, a credit freeze, blocks access to credit files unless a consumer provides a personal identification number to the agency.
Smith insisted that from a security perspective, locks and freezes were equally effective. "As far as protection to the consumer, as far as ability to lock and unlock as opposed to freeze and unfreeze, the lock is far more consumer friendly," Smith said.
House members from both parties also asked about the timeline of the breach: Equifax officials first learned in March of a vulnerability that had to be patched, Smith first learned that there was a security issue in late July, and finally that there was a breach of personal information by August 17. The company waited until September to announce that the vital personal information of at least 143 million people had been exposed.
Greg Walden, the Oregon Republican who chairs the larger Committee, pressed Smith on how it happened that the company learned that it needed to patch software used on part of its consumer-facing website — a portal to process consumer disputes — but did not do so. And, he asked, why was it that a software scanner never detected that the vulnerability went unfixed? "How does this happen?' Walden said. "We can't pass a law that fixes stupid."
A Texas Republican, Joe Barton, suggested that companies that allow people's sensitive information to be exposed by a hack should face a fine for each person whose data is stolen.
"I think it’s time to put some teeth into this," Barton said.