Mr. Smith goes to Washington

Snapshots from the Equifax hearing:

Breach happened because someone didn’t get the memo

Equifax CEO Richard Smith told lawmakers at a Tuesday hearing that the company’s massive investments in data security didn’t work because one individual failed to tell the right people to patch faulty software.

On March 8, Equifax got a notice from the U.S. Department of Homeland Security that software it used, called Apache Struts, had a “vulnerability” to hackers.

The next day, Smith told lawmakers in opening remarks, Equifax followed its standard policy for dealing with security threats, telling “a large number of people” on the company’s 225-member security team to check for the flawed software. But an individual that he didn’t name failed to communicate that the company was using the flawed software in one application and that a software patch was needed.

“The protocol was followed,” said Smith. “It did not work.”

Rep. Greg Walden, R-Oregon, was incredulous.

How could a “sophisticated company ... with so much at stake” drop the ball? he asked. “Do you not have a double check?”

“The double check was to have the scanning device,” Smith answered, referring to technology that Equifax used a week later to check for vulnerable versions of the Apache Struts software. But it failed to catch the unpatched software, he said.   

Equifax criticized for “lax attitude”

Rep. Frank Pallone, D-N.J., called Equifax’s failure to prevent a data breach a sign of a “lax attitude” toward protecting consumers’ personal data.

Equifax’s “entire corporate culture needs to change,” he said, to focus on security. “After all, this is not Equifax’s first data breach.”

Legislation needed to protect consumers

Rep. Jan Schakowsky, D-Ill., said she re-introduced her “Secure and Protect Americans’ Data Act” to require tougher security standards and quicker notification of breaches.

“Because consumers don’t have a choice, we can’t trust credit reporting agencies to self-regulate,” she said at the hearing.

She said Equifax had suffered three major data breaches in the past two years, and taken months to detect the latest hacking incident and months more to inform consumers.

“Equifax deserves to be shamed at this hearing,” she said, but Congress needs to come up with legislation that will require quick notification and “appropriate relief” for consumers. 


Original story:

Former Equifax CEO Richard Smith is expected to tell lawmakers Tuesday that a string of human and technology lapses at the Atlanta credit-tracking firm allowed hackers to steal key personal data, including Social Security numbers, on nearly 146 million Americans.

Smith, who stepped down last week, is set to testify before the House Energy and Commerce Committee at 10 a.m. Tuesday.

“We at Equifax clearly understood that the collection of American consumer information and data carried with it enormous responsibility to protect that data,” Smith said in prepared testimony released Monday. “We did not live up to that responsibility.”

But Smith is likely to face numerous questions from lawmakers on how the company failed to install a needed software patch after being warned of a weakness months earlier by the U.S. Department of Homeland Security.

Other sore points lawmakers are likely to probe include the company’s slow disclosure of the data leak to consumers, failure to prepare for heavy call and online volumes from panicked consumers, and company stock sales by three top executives before the data breach was disclosed.

The company has said the executives didn’t know about the data leak at the time of their sales.
