Lawmakers questioning former Equifax CEO Richard Smith Tuesday made it clear, one after the other, they were not impressed with Smith's management of the massive breach that affected 145.5 million Americans. Each took a turn doling out admonishments, some more brazen than others, but almost all using the word "failure."
At the outset, Rep. Ben Ray Luján, D-N.M., told Smith — whose official job title is "retired" now — that he shouldn't expect to "put a happy face on your company's failures and leave with a golden parachute. We have questions, and it's our expectation you have concrete answers."
Rep. Greg Walden, R-Ore., wanted to know how a breach at a company like Equifax, where the protection of its customers' personal information is its primary responsibility, was ever able to happen in the first place. "How could a major U.S. company like Equifax, which holds the most sensitive and personal data on Americans, so let them down?" Walden asked. "It’s like the guards at Fort Knox forgot to lock the doors and failed to notice thieves emptying the vaults."
But Smith wasn't there to play the blame game. The Indiana-native spoke softly, often thanking each lawmaker as "Congressman" or "Congresswoman" for their question before offering up an answer he hoped would pass muster. He apologized often. Were the hearing a legal proceeding, this wasn't a jury trial. It was the sentencing phase. And Smith was there to plead for the mercy of the court, knowing he was going to get the proverbial book thrown at him either way.
"I'm here today to say to each and every person affected by this breach, I am truly and deeply sorry for that," he said. "Equifax is committed to making it whole for you."
The breach was a criminal attack, the success of which was made possible by both human and technological error, Smith said. In laymen's terms: In March, Equifax was notified by the Department of Homeland Security of the need to patch a vulnerability in Apache Struts, software Equifax used for its online disputes portal, where consumers can argue perceived errors on their credit reports. Equifax's security team notified the tech team responsible for finding the vulnerability and applying a patch.
The patch was not applied.
Days later, the security team ran a scan to detect vulnerabilities to Apache Struts. That scan failed to detect the problem, leaving Equifax exposed to hackers.
"Both the human deployment and the scanning deployment did not work," Smith said. "The human error was the individual responsible for communicating within the organization to apply the patch, did not."
Walden was incredulous: "Do you not have a double-check of some sort? An audit of some sort?"
Smith said the double-check should have been the scan, which was deployed after Equifax was alerted to the vulnerability, but the scan just didn't work.
The first time hackers accessed data, which Smith revealed was not encrypted at rest, appears to have been May 13. Equifax detected "suspicious activity" July 29, but it wasn't until Aug. 15 that Smith was told consumers' personal information had been exposed. On Aug. 22, Smith alerted the company's board of directors, and he told the public Sept. 7. A number of lawmakers expressed disappointment with that timeline. Smith said the lag was because forensic investigations of that scale take time.
The massive breach exposed a lot of sensitive data, sure. But it also exposed a larger problem, lawmakers said at the hearing.
"I would call [the breach] shocking, but is it really?" Rep. Jan Schakowsky, D-Ill. asked. "We have these unregulated, for-profit credit reporting agencies collecting detailed personal and financial information about consumers." She said credit reporting agencies can't be trusted to self-regulate. Instead, there should be embedded regulators at such agencies to protect consumers' sensitive information.
Rep. Joe Barton, R-Texas, suggested the solution to the problem was change at a federal level.
"I don't want to drive credit bureaus out of business," he said, "but we could have this hearing every year from now on if we don't do something to change the current system."
He suggested doing something that creates some sort of incentive to the industry to protect consumer data.
"The only way I know how to do it is some fine-per-account-hacked," he said, "that's large enough that even a company that's worth 13 billion would rather protect that data, and probably not collect as much data, than just come up here and say, 'We're sorry.'"
Smith suggested the answer is a paradigm shift. Equifax has announced a new service, to be available in January 2018, which aims to give consumers control of their credit data. The free service will allow consumers to lock and unlock their credit reports at their own will.
"Will it make [consumers] whole?" Luján asked.
"It will protect them going forward," Smith said. "It's hard for me to know if someone has been harmed. So I can't answer that question."
Smith will have the opportunity to answer, if not that question, many more, as he appears today before the Senate Committee on Banking, Housing and Urban Affairs.
To watch yesterday's hearing in full, see the archive here.