Corrections & Clarifications: An earlier version of this story gave the incorrect party affiliations for Rep. Greg Walden, R-Ore., and Rep. Jerry McNerney, D-Calif.
“Stupid.” “Unprecedented.” “Shocking.” “Completely lacking.” “Deserves to be shamed.”
Those were just some of the phrases members of the House Digital Commerce and Consumer Protection subcommittee flung at Equifax, the breached credit reporting company.
Forcibly retired former Equifax CEO Richard Smith visibly flinched a few times during his testimony Tuesday as he was grilled over the hack that was first made public on Sept. 7.
The most venom came for Smith’s lack of explanation as to how the massive breach, which exposed the personal information of 145.5 million Americans, happened.
Just as consumers are constantly urged to update their software to guard against problems that can be exploited by hackers, large corporations also get notices that it’s time to upgrade, known in the industry as patching.
In Equifax’s case, that patch notice arrived in early March, roughly two months before the attackers first got in and more than four months before the intrusion was discovered. Despite that, every internal process that should have applied the patch, or caught that it hadn’t been applied, failed, much to the distress of lawmakers.
“How does this happen when so much is at stake? I don’t think we can pass a law that can fix stupid,” said Rep. Greg Walden, R-Ore.
Smith admitted that the company had sent a warning to security staffers on March 9 about a known flaw in software it used called Apache Struts. The warning came from a vulnerability notice distributed on March 7 by the U.S. Computer Emergency Readiness Team.
According to Smith, Equifax’s own protocols required that any vulnerable software be patched within 48 hours.
But the person on the Equifax computer security team who was responsible for patching the vulnerability didn’t, Smith told the representatives. When questioned, he did not name the person.
A week later, the company’s information security department ran scans that should have found any systems still running the vulnerable version of Apache Struts.
Somehow, those scans didn’t do that.
Had the scans worked, everything might have been different. The hackers who broke into Equifax appear to have first accessed sensitive information on May 13, roughly two months after those scans took place, through the very software the scans were meant to flag.
Instead of being discovered, the hackers were able to plunder the information of 45% of all Americans until they were finally found out on July 29.
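To make concrete what a scan like the one described above actually does, here is an added illustration written for this article; it is not Equifax’s tooling and does not reproduce its scanner. It walks a directory tree looking for Apache Struts core jars, reads the version out of each jar’s filename, and flags anything older than the first fixed release on its branch. It also looks inside deployed .war/.ear archives, because a scan that only lists loose jars on disk will report a host as clean while the vulnerable jar sits packed inside an application archive; whether that was the failure at Equifax is not something the hearing established. The per-branch fixed-version table, the directory layout and the sample jars are all constructed for the example; the article gives no version numbers, so real thresholds belong to the vendor advisory, not this table.

```python
import os
import re
import tempfile
import zipfile

# Illustrative per-branch "first fixed" versions, keyed by major.minor. The
# article does not state which Struts versions were affected; take the real
# thresholds from the vendor advisory, not from here.
FIXED_VERSIONS = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

STRUTS_JAR = re.compile(r"struts2?-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVES = (".war", ".ear", ".zip")


def parse_version(text):
    """'2.3.31' -> (2, 3, 31) so tuples compare numerically; None if malformed."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def struts_version_from_name(name):
    """Version tuple if the basename is a Struts core jar, else None."""
    m = STRUTS_JAR.search(os.path.basename(name))
    return parse_version(m.group(1)) if m else None


def find_struts_jars(root, look_inside_archives=True):
    """Return [(location, version)] for every Struts core jar under root.

    Locations are relative to root; a jar found inside an archive is written
    as 'archive.war!member/path.jar'.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            ver = struts_version_from_name(fname)
            if ver:
                found.append((rel, ver))
            elif look_inside_archives and fname.lower().endswith(ARCHIVES):
                try:
                    with zipfile.ZipFile(path) as zf:
                        for member in zf.namelist():
                            mver = struts_version_from_name(member)
                            if mver:
                                found.append((rel + "!" + member, mver))
                except zipfile.BadZipFile:
                    continue  # not really an archive; skip it rather than abort the scan
    return found


def scan(root, fixed_versions=FIXED_VERSIONS, look_inside_archives=True):
    """Return sorted [(location, version, status)] for jars not known to be fixed.

    status is 'vulnerable' when the jar is older than its branch's fix and
    'unknown-branch' when the table lists no fix for that branch. The second
    case needs a human look; silently treating it as clean is how scans go wrong.
    """
    report = []
    for loc, ver in find_struts_jars(root, look_inside_archives):
        branch = "%d.%d" % ver[:2]
        fixed = fixed_versions.get(branch)
        if fixed is None:
            report.append((loc, ".".join(map(str, ver)), "unknown-branch"))
        elif ver < parse_version(fixed):
            report.append((loc, ".".join(map(str, ver)), "vulnerable"))
    return sorted(report)


def build_sample_tree(base):
    """Constructed fixture: empty stand-in jars plus one real .war archive."""
    for rel in ("app1/lib/struts2-core-2.3.31.jar",   # old 2.3 -> vulnerable
                "app2/lib/struts2-core-2.3.32.jar",   # at the 2.3 fix -> clean
                "app3/lib/struts2-core-2.1.8.jar",    # branch missing from the table
                "notes/struts2-core-README.txt"):     # not a jar at all
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    war = os.path.join(base, "webapps", "portal.war")
    os.makedirs(os.path.dirname(war), exist_ok=True)
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")  # old 2.5, hidden in the war


def demo():
    """Scan the fixture with and without archive inspection; return both reports."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {"thorough": scan(base, look_inside_archives=True),
                "shallow": scan(base, look_inside_archives=False)}


if __name__ == "__main__":
    for mode, rows in demo().items():
        print(mode)
        for loc, ver, status in rows:
            print("  %-55s %-9s %s" % (loc, ver, status))
```

Run with no arguments and the "shallow" report lists only the loose 2.3.31 jar and the unreviewed 2.1.8 jar, while the "thorough" report also catches the 2.5.10 jar inside portal.war. The difference between those two lists is the gap a scanner that only inspects the filesystem leaves open, and the "unknown-branch" status exists so that a jar the table cannot judge surfaces as a finding instead of disappearing into a clean result.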
When pushed on the response of Equifax security staff, Smith cited the company’s enormous build-up of security infrastructure.
When he was first hired 12 years ago, Equifax had almost no cybersecurity, Smith said. Today it employs 225 professionals on its cybersecurity team and has invested at least a quarter of a billion dollars in security over the last three years.
“How could 225 professionals let a breach like this happen?” asked Rep. Jerry McNerney, D-Calif.
The answer was human error followed by technological error, Smith said.
Nothing but ‘So sorry.’
Rep. Joe Barton, R-Texas, was angry that there’s no penalty for Equifax’s security failings unless someone files a lawsuit, which didn’t seem to be motivating the company to do a better job.
“So really, you’re just required to notify everybody and say, ‘So sorry. So sad.’?” he said.
“It seems to me you might pay a little more attention to security if you had to pay everybody who got hacked 500 bucks or something,” Barton suggested.
Smith had no answer to that suggestion.
Several representatives said they’d introduced various bills that would further regulate and potentially penalize credit reporting companies for releasing consumer data.
Business attorney Stuart Slotnick with Buchanan, Ingersoll & Rooney said in an email interview that as long as Equifax complied with current laws there was little affected consumers could do other than join class action suits against the company.
Why a separate website?
Another issue that has confused consumers is that the website Equifax created to help customers is at a different address from Equifax’s own site. Consumers must go to trustedidpremier.com rather than Equifax.com.
Many worried the address was fake and were afraid to use it. Even Equifax’s own support staff got confused by the new address, at one point directing users to an impostor website.
It was when talking about helping consumers whose information had been stolen that Smith uttered the phrase considered anathema to public relations experts.
“In the roll out of our remediation effort, mistakes were made,” he told the subcommittee.
The entire system was excoriated by the representatives, from the confusing web addresses to Equifax staff tweeting out the wrong address to crashing websites and long phone hold times.
“Talk about ham-handed responses,” said Walden.
When asked why a different web address was needed, Smith said the company had to create a new site because its usual web address simply wasn’t able to deal with the anticipated deluge of visitors.
The company’s website typically serves between 700,000 and 800,000 consumers a day. The new site had the capacity to surge to a much higher number, he said.
“We had 20 million consumers come to visit in the first weeks. Our traditional website could not have handled that from day one,” he said.
The sale of nearly $1.8 million in Equifax stock by three executives on August 1 and 2 was another point of concern brought up by multiple representatives during the hearing.
Federal prosecutors are examining the stock sales by Equifax Chief Financial Officer John Gamble, Joseph Loughran, president of the company’s information solutions division, and Rodolfo Ploder, president of the firm’s workforce solutions unit.
Smith was adamant that the three men knew nothing of the breach at the time they sold their stock.
“I’ve known these individuals for up to 12 years. They’re men of integrity. I have no indication that they had any knowledge of the breach when they made this sale,” he said.
Executives have a window to sell stock that opens after the company reports its quarterly earnings, and these sales came during that window.
“It is not unusual for stock to be sold,” at that point, he said.
3 more hearings to go
Tuesday’s hearing was the first of four this week. They come after Equifax released information Monday that increased by 2.5 million the number of people whose information was stolen. These were not victims of a new attack but rather people whom the company had not counted before.
On Wednesday company brass will speak before a Senate Banking committee and a Senate Judiciary subcommittee and on Thursday before a House Financial Services committee.