Sitting alone before a panel of dozens of lawmakers in Washington, D.C., former Equifax CEO Richard Smith tried Tuesday to explain how the Atlanta company he recently headed allowed hackers to steal the most private identifying information for half a nation.
“My name is Rick Smith,” said the executive, calm but appearing chastened. An apology quickly followed.
“The criminal hack happened on my watch … and I take full responsibility,” he said. “I’m truly and deeply sorry for what happened…. Equifax is committed to make it whole for you.”
Thus began a three-hour interrogation before the House Energy and Commerce Committee, in which many lawmakers criticized Equifax’s handling of a data breach that led to the theft of almost 146 million Americans’ sensitive information, including Social Security numbers.
Smith, who stepped down and retired from Equifax last week, will appear again in two more House and Senate hearings on Wednesday and Thursday.
Several of the Congress members vented their anger on Smith. Some wondered if there was criminal negligence. One asked if Equifax shouldn’t go out of business after such a serious security failure.
“You’ve brought Republicans and Democrats together in their outrage,” said Rep. Anna Eshoo, D-California, calling that “rare.”
Smith faced numerous questions from lawmakers on how the company failed to install a needed software patch after being warned of a weakness months earlier by the U.S. Department of Homeland Security.
Smith said the hacking incident happened because of a combination of human error and the company’s faulty security technology.
On March 8, Equifax got a notice from the U.S. Department of Homeland Security that software it used, called Apache Struts, had a “vulnerability” to hackers.
The next day, he said, Equifax followed its standard policy for dealing with security threats, telling “a large number of people” on the company’s 225-member security staff to check for the flawed software. But an individual that he didn’t name failed to communicate that the company was using the flawed software in one application and that a software patch was needed.
“The protocol was followed,” said Smith. “It did not work.”
Rep. Greg Walden, R-Oregon, was incredulous.
How, he asked, could a “sophisticated company … with so much at stake” drop the ball? “Do you not have a double check?”
“The double check was to have the scanning device,” Smith answered, referring to technology that Equifax used a week later to check for vulnerable versions of the Apache Struts software. But it failed to detect the still-faulty software, he said.
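The failure Smith describes, a scan that reports no vulnerable Apache Struts versions while an affected copy is still in use, has a common cause in practice: the library is usually bundled inside a deployed application archive rather than sitting loose on disk, so a scanner that inspects only top-level files never sees it. The article does not say what Equifax’s scanner actually checked, and the Python script below is an added example written for this page, not the company’s tooling. It walks a directory tree, descends into JAR/WAR/EAR archives, and compares every struts2-core version it finds against fixed-version thresholds that are placeholders here (assumed; take the real ones from the vendor advisory), using a constructed sample layout with made-up file names.

```python
"""Find Apache Struts 2 core JARs on a host, including copies bundled inside
deployed WAR/EAR archives, and flag versions below an assumed fixed version.
Added example for this page, not Equifax's scanner; layout and versions are
constructed."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Matches the library's conventional file name, e.g. struts2-core-2.3.31.jar,
# whether it sits on disk or appears as an entry inside another archive.
STRUTS_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 3  # guard against deeply nested or hostile archives

# ASSUMPTION: first fixed version per release branch. The article gives no
# version numbers; substitute the thresholds from the vendor advisory.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed_by_branch=FIXED_BY_BRANCH):
    """True when the version precedes its branch's fix; unknown branches fail closed."""
    v = parse_version(version)
    fixed = fixed_by_branch.get(v[:2])
    return fixed is None or v < fixed


def _scan_archive(data, label, findings, depth=0):
    # Recurse into nested archives: a WAR's WEB-INF/lib is where the JAR
    # lives, and a scanner that only lists files on disk never sees it.
    if depth >= MAX_NESTING:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            m = STRUTS_JAR.search(name)
            if m:
                findings.append((f"{label}!{name}", m.group(1)))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)


def scan_tree(root, recurse_archives=True):
    """Return [(location, version)] for every Struts 2 core JAR under root.
    With recurse_archives=False the scan behaves like a top-level file listing."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        m = STRUTS_JAR.search(path.as_posix())
        if m:
            findings.append((path.as_posix(), m.group(1)))
        elif recurse_archives and path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_archive(path.read_bytes(), path.as_posix(), findings)
    return findings


def vulnerable_findings(findings, fixed_by_branch=FIXED_BY_BRANCH):
    return [(loc, ver) for loc, ver in findings if is_vulnerable(ver, fixed_by_branch)]


def _empty_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_tree():
    """Constructed host layout (not a real system): a patched JAR in a shared
    lib directory and an older one buried inside a deployed WAR."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    (root / "lib" / "struts2-core-2.5.10.1.jar").write_bytes(_empty_jar())
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", _empty_jar())
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    (root / "webapps").mkdir()
    (root / "webapps" / "app.war").write_bytes(war.getvalue())
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for recurse in (False, True):
        found = scan_tree(root, recurse_archives=recurse)
        bad = vulnerable_findings(found)
        print(f"recurse_archives={recurse}: {len(found)} found, {len(bad)} vulnerable")
        for loc, ver in bad:
            print("  VULNERABLE", ver, loc)
```

Run as-is, the shallow pass reports the patched JAR and nothing vulnerable; only the pass that opens the WAR finds the older copy. Version matching by file name is itself a weak signal (a JAR can be renamed or shaded into another archive), so a production check should also hash class files or read the manifest rather than trust names alone.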
Other sore points lawmakers probed Tuesday included the company’s slow disclosure of the data leak to consumers, failure to prepare for heavy call and online volumes from panicked consumers, and $1.8 million in company stock sales by three top executives weeks before the data breach was disclosed on Sept. 7.
“That just doesn’t pass the smell test,” Rep. Jan Schakowsky, D-Ill., said of the stock sales in early August, days after the company noticed what Smith called “suspicious activity.”
“Equifax deserves to be shamed at this hearing,” she said, but Congress needs to come up with legislation that will require companies to quickly notify consumers and regulators of breaches, and provide “appropriate relief” for consumers.
Smith said it took several days before a cybersecurity firm Equifax had hired determined that a large data breach had occurred.
He defended the three executives, including Equifax’s chief financial officer, saying the stock sales were “normal” sales during a 30-day window when top executives can trade after the company reports its quarterly financial results.
No one at the company knew that personal information had been taken, or the scale or depth of the data breach at the time, he said.
“I’ve known these men for up to 12 years. They’re honorable people,” he said.
Smith admitted Equifax did a poor job of getting ready for the onslaught of worried consumers after the Sept. 7 disclosure, even though it spent more than a week preparing. He said more than 400 million calls and visits swamped the company’s phone banks and website as consumers tried to find out whether their information had been compromised and to seek help.
“In the roll out of our remediation program, mistakes were made,” he said. “And for that, I deeply apologize.”
He said Equifax has worked to improve the situation, adding 2,200 more call center operators and announcing a new, free service that will allow anyone to lock or unlock their credit files for life, starting in January. The company rolled out a similar free credit freeze service until then.
That was not good enough for Schakowsky, who wanted to know why consumers can’t “opt out” of being included in Equifax’s massive database of personal ID information, addresses, incomes, employment histories and other private data the company holds on 800 million consumers and 100 million businesses around the globe.
Smith said the information is part of a “federally regulated ecosystem” that depends on information from banks, employers and other data providers to enable modern commerce.
“The data as you know doesn’t come from consumers,” he said.
Schakowsky said she had re-introduced her “Secure and Protect Americans’ Data Act,” which would require tougher security standards and quicker notification of breaches. The Democratic-backed bill will likely have a hard time in the Republican-controlled Congress.
“Because consumers don’t have a choice, we can’t trust credit reporting agencies to self-regulate,” she said.
Timeline of the hacking of Equifax
Ex-Equifax CEO Richard Smith told lawmakers Monday that “both human error and technology failures” opened the way for a massive hacking incident in which thieves got away with sensitive information on more than 145 million Americans. Here’s a chronology of what happened, based on his prepared testimony before a hearing Tuesday by the House Energy and Commerce Committee. Smith stepped down and retired from Equifax on Sept. 26.
March 8: The U.S. Department of Homeland Security warns Equifax and many other users that a patch is needed on software called Apache Struts to fix security weaknesses.
March 9: Equifax forwards the U.S. warning internally to its information security team and requests a fix within 48 hours, but the patch isn’t installed.
March 15: Equifax’s security team runs software scans that should have caught the weak spot in Apache Struts. But it doesn’t spot any vulnerable versions of the software. “It was this unpatched vulnerability that allowed hackers to access personal identifying information,” Smith said.
May 13: Hackers apparently get their first batch of sensitive data. “The company was not aware of that access at the time,” Smith said. Equifax doesn’t detect the ongoing attack for more than two months.
July 29: Equifax’s security team sees “suspicious network traffic” tied to its website where consumers dispute alleged errors in their credit profiles or other problems. The team investigates and “immediately” blocks the traffic, Smith said. The website is shut down the next day when more questionable activity appears.
July 31: Equifax’s chief information officer tells Smith about the attack, and that the website was shut down. “I certainly did not know that personal identifying information … had been stolen, or have any indication of the scope of the attack,” Smith said. (Equifax’s CIO at the time of the hack, David Webb, retired in the wake of the scandal on Sept. 15.)
Aug. 2: Equifax hires King & Spalding to “guide the investigation” into the data breach, and calls the FBI. The Atlanta law firm hires cybersecurity consultant Mandiant to investigate the hacking incident.
Aug. 11: Mandiant and Equifax determine that hackers may have gotten “a large amount of consumers’” sensitive data, Smith said, from a separate database in addition to the attack on the complaint portal.
Aug. 15: Smith said he is told that “it appeared likely that consumer (data) had been stolen.” He said he requested “a detailed briefing to determine how the company should proceed.”
Aug. 17: Smith meets with “a senior leadership team” on the hacking investigation. By this time, the company knows “large volumes of consumer data … had been compromised,” he said. “This information was deeply concerning to me, although the team needed to continue their analysis to understand the scope and specific consumers potentially affected.” (Equifax eventually concluded the total was 145.5 million people — most of the adults in America.)
Aug. 22: Smith tells Mark Feidler on the company’s board of directors of the breach, as well as the heads of Equifax’s business units. The rest of the board is told of the situation on August 24-25 in conference call meetings. The company starts drawing up “remediation” plans for consumers. (Feidler was named Equifax’s interim chairman when Smith stepped down.)
Sept. 1: The Equifax board meets to discuss the scale of the attack, remediation plans, and the risk of “exponentially more attacks” by copycat hackers, Smith said.
Sept. 4: Equifax draws up a list of 143 million potentially affected consumers — later bumped up to 145.5 million — and sets up a call center and a website for consumers to check if their data is compromised, and to sign up for help. The FBI is told about Equifax’s plans to go public with the breach.
Sept. 7: Equifax discloses the massive breach after the stock market closes.