
Congress Grills Equifax Ex-CEO on Breach

House Subcommittee Scrutinizes What Happened, Considers Next Steps
Richard F. Smith, former CEO of Equifax, testifies before a House subcommittee,

During the first of three Congressional hearings this week to examine the Equifax mega-breach, members of both parties Tuesday grilled - and at times roasted - the firm's former CEO for three hours about details surrounding the incident.


The scrutiny included questioning Richard F. Smith - who "retired" from Equifax on Sept. 26 - about the credit reporting company's security practices and handling of the incident as well as the sale of $1.8 million in stock by three top executives weeks prior to the public disclosure of the breach.

"There's no such thing as perfect security, but there's a responsibility to protect consumer information," said Rep. Greg Walden, R-Ore. "We're here today to do what Equifax failed to do, and that's put consumers first." But in the Equifax incident, "it's like the guards of Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults," he said.

Commenting on Equifax's missteps after the breach, Rep. Jan Schakowsky, D-Ill., said: "Consumers deserve a lot more than what they got from Equifax."

At the hearing, members of the House Committee on Energy and Commerce's Subcommittee on Digital Commerce and Consumer Protection also weighed in on potential regulatory or legislative action that's needed to better protect consumers from devastating breaches involving highly personal information.

Smith declined to answer a question about who is suspected to be behind the attacks, including whether the breach involved a nation-state. "The FBI is investigating," he testified.

Calls for Action

Republicans and Democrats alike called on Congress and regulators to take further action to examine why breaches involving consumer data are so prevalent and what's needed to better address the issues.

"I'd call [the Equifax breach] shocking, but is it really?" Schakowsky asked.

"I think it's time at the federal level to put teeth into this," said Rep. Joe Barton, R-Texas, adding that potential penalties for each consumer account affected by a breach could give the industry an incentive to better protect data.

Schakowsky and several other Democrats touted proposed legislation, repeatedly introduced and stalled in Congress, that aims to establish data security standards, require prompt breach notification and require relief for consumers affected by incidents.

Rep. Ben Ray Lujan, D-N.M., said he hopes Congress sees "mark-ups and bills by the holidays to give consumers confidence again. This is a mess."

Meanwhile, Smith, the former Equifax CEO, argued that it's time to come up with a way to replace the use of Social Security numbers to identify consumers.

Stock Sale Questioned

Members of the Congressional panel expressed serious concerns about three Equifax executives selling more than $1 million worth of stock several weeks before the company disclosed the breach. Schakowsky says the stock sale "doesn't pass the smell test."

Smith said that the stock sales on Aug. 1 and Aug. 2 by the three executives occurred during the 30-day window when insiders can sell stock following the company's quarterly call with financial analysts. And the sales were signed off by Equifax chief legal counsel John Kelly, he noted.

When asked if the three executives knew about the breach at the time of the stock sales, Smith said, "to the best of my knowledge, they didn't."

Rep. Tony Cardenas, D-Calif., said he wants Equifax to provide a trail of the communication regarding the incident and its timeline. He said he would request a hearing on the stock sale issues with testimony from Kelly.

'Human and Tech Failures'

The root of Equifax's breach was "human and technology failures" involving unpatched vulnerabilities in open source Apache Struts software, Smith testified.

After the Department of Homeland Security sent out a notification in March about the need to patch a particular Apache Struts software vulnerability, the individual within Equifax responsible for communicating that information to the Equifax patch team failed to do so, Smith testified. Then, a few days later, a scanning device failed to detect the vulnerability, he said.

"The technology did not find the vulnerability, and that's still under investigation," he said.

Rep. Tim Murphy, R-Pa., asked if the devices responsible for scanning vulnerabilities were misconfigured. "I have no knowledge of that," Smith replied.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
