This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html

The article has changed 3 times.

Version 0

Lawmakers Berate Former Equifax C.E.O. Over Huge Data Breach

WASHINGTON — Members of Congress tore into Equifax on Tuesday, berating the company’s former chief executive for a breach of its computer systems that potentially exposed the sensitive personal information of more than 145 million Americans.

Richard F. Smith, who stepped down last week as Equifax’s chief executive, appeared Tuesday morning before a House subcommittee that is investigating the breach. No current Equifax executives appeared at the hearing.

“I’m truly and deeply sorry for what happened,” Mr. Smith said at the start of his testimony to a House Energy and Commerce subcommittee.

But under questioning from lawmakers, he refused to commit Equifax to making whole any people who were financially harmed as a result of the breach.

Lawmakers were unsatisfied by the company’s apologies. Representative Joe L. Barton, Republican of Texas, called for new federal laws to “put some teeth” behind penalties for data breaches.

“We could have this hearing every year from now on if we don’t do something to change the current system,” Mr. Barton said.

He said he would like to see companies fined for every account that gets breached — with penalties large enough “that even a company that’s worth $13 billion would rather protect the data, and probably not collect as much data, than have to come up here and appear and say ‘we’re sorry.’”

The Equifax hacking sparked widespread outrage, as well as bipartisan demands for more information from the company on how the security debacle happened and what steps the company is taking to handle the fallout. The outcry has increased the odds of new rules or laws governing the credit-reporting industry.

Representative Frank Pallone Jr., Democrat of New Jersey, called for Congress to pass legislation that would do more to protect consumers whose personal data is stolen in such breaches. “Of course, breaches will continue to occur but they occur more often when there is no accountability and when no preventative measures are in place,” Mr. Pallone said.

After Tuesday’s grilling, Mr. Smith is scheduled to testify at three additional congressional hearings this week.

On Monday, Equifax said the personal information of nearly 146 million Americans may have been stolen, an increase of more than two million from the company’s previous estimate.

Mr. Smith provided some new details about the breach.

In early March, the Department of Homeland Security sent Equifax and others an alert about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes. The company sent out an internal email requesting that its technical staff fix the software, but that was not done, Mr. Smith said.

By mid-May, attackers had found the unpatched software and used the flaw to gain access to sensitive information. Their actions went undetected until late July, when Equifax finally registered suspicious traffic on its network.

Equifax cut off the attackers at that point and began an investigation, but it did not grasp the scale of the theft, including the discovery that consumers’ personal information had been breached, until mid-August.

The company’s full board was not notified until the end of the month, nearly four weeks after Equifax discovered the breach.

“Mistakes were made,” Mr. Smith said, referring to extensive problems with Equifax’s call centers and with the website that it set up to provide information to those whose information may have been exposed.

Some lawmakers have called for new consumer protections such as stricter monitoring of the credit bureaus and a federal rule standardizing requirements to notify victims of data breaches.

Mr. Smith said he would be amenable to rethinking the role that Social Security numbers play in identity verification. Critics have long condemned the widespread reliance on and use of the numbers as insecure.

Mr. Smith said he would like companies and government agencies to “begin a dialogue” about replacing Social Security numbers as a key verifier.

“It is time to have identity verification procedures that match the technological age in which we live,” he said.

Version 1 (about 4 hours later)

Equifax Breach Caused by Lone Employee’s Error, Former C.E.O. Says

WASHINGTON — The Equifax data breach, which exposed the sensitive personal information of nearly 146 million Americans, happened because of a mistake by a single employee, the credit reporting company’s former chief executive told members of Congress on Tuesday.

Richard F. Smith, who stepped down last week, repeatedly apologized to the members of the House Energy and Commerce Committee and the American people for the security lapse.

But he also sought to play down the severity of the problems that had led to the breach, defended the company’s response to the crisis and deflected questions about how far Equifax would go to compensate consumers who were financially harmed.

On multiple occasions, Mr. Smith referred to an “individual” in Equifax’s technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach. A company spokesman did not respond to questions about that employee’s status with the company.

Angry members of the committee tore into Mr. Smith and pressed him on how a credit bureau of Equifax’s size, responsible for safeguarding billions of sensitive records on Americans’ financial lives, could have allowed so much data to escape, unnoticed.

“How does this happen when so much is at stake?” asked Representative Greg Walden, Republican of Oregon. “I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid.”

The congressional hearing, the first of four this week at which Mr. Smith was scheduled to testify, presented lawmakers with an opportunity to showcase their populist ire, albeit aimed at the former executive of a previously obscure company.

On the opposite side of Capitol Hill, senators were ripping into the current chief executive of a better-known but similarly beleaguered financial institution, Wells Fargo. The giant bank’s chief, Timothy J. Sloan, was testifying about the company’s responses to a series of scandals that have rocked Wells Fargo over the past year.

“At best you are incompetent; at worst you were complicit,” said Elizabeth Warren, Democrat of Massachusetts. “Either way, you should be fired.”

Equifax already got rid of Mr. Smith, who announced his retirement last week. Even though he no longer works at Equifax, he was the only representative of the company to testify at the hearing. An Equifax spokesman, Wyatt Jefferies, declined to say whether any current executives had been invited to appear on Capitol Hill.

The company previously said that an unpatched software flaw had been to blame for the massive security breach, but on Tuesday, Mr. Smith went a step further, describing the “human error and technology failures” that turned a single oversight into a data breach that allowed attackers to obtain personal details on nearly half of America’s population.

In early March, the Department of Homeland Security sent Equifax and other companies an alert about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes.

The company sent out an internal email requesting that its technical staff fix the software, but “an individual did not ensure communication got to the right person to manually patch the application,” Mr. Smith told the subcommittee. That was compounded by a technical error: The scanning software that Equifax used to detect vulnerabilities failed to find the unpatched hole, he said.

Lawmakers from both parties, many of them citing anecdotes from family members, staffers or constituents who have been caught up in the breach, called for greater government oversight of the largely unregulated credit reporting industry.

“We could have this hearing every year from now on if we don’t do something to change the current system,” said Representative Joe L. Barton, Republican of Texas. He called for new federal laws to “put some teeth” into penalties for data breaches.

Mr. Smith maintained an even-keeled appearance and spoke in a muted tone throughout his testimony. “I’m truly and deeply sorry for what happened,” he said in his opening remarks.

But Mr. Smith refused to commit Equifax to making whole any people who had been financially harmed as a result of the breach. He evaded the question when asked if Equifax would allow consumers to remove themselves from its files.

“I never opted in,” said Representative Jan Schakowsky, Democrat of Illinois. “I never said it was O.K. to have all my information, and now I want out. I want to lock out Equifax. Can I do that?”

Mr. Smith responded, “That requires a much broader discussion around the role of the credit reporting agencies.”

Mr. Smith got tangled up several times trying to explain the difference between credit freezes, which allow people to block access to their credit reports, and locks, an industry-backed alternative that the bureaus say are easier for consumers to use. Freezes are regulated by the states; credit locks are not.

Equifax has said that on Jan. 31 it will introduce a free lock that customers can turn on and off through a mobile phone app. But some lawmakers are pushing for credit reporting companies to offer complimentary credit freezes.
“Getting a free freeze, I think, is possible even in a divided Congress,” said Ed Mierzwinski, consumer program director at the advocacy group U.S. PIRG, who attended the hearing. “Everybody understands it.”
On Monday, Ms. Schakowsky and Representative Frank Pallone Jr., Democrat of New Jersey, introduced the Secure and Protect Americans’ Data Act, an updated version of an unpassed bill that has been around for at least a decade. The latest iteration would require tougher security standards and faster notification of breaches.
If the bill had been law during the Equifax breach, it would have required that affected individuals were notified of the breach in writing, and they would have been entitled to 10 years of free credit monitoring and credit freezes, according to a Democratic congressional aide.
Lawmakers also grilled Mr. Smith about the stock sales by three senior Equifax executives, who sold shares worth almost $1.8 million in the days after the breach was discovered, but before it was disclosed. The sales were approved by John J. Kelley III, Equifax’s chief legal officer, who knew at the time that the company’s technical department had detected suspicious activity on Equifax’s network.
The three executives who sold stock are “honorable men of integrity” who were unaware of the technical investigation, Mr. Smith said.
Equifax’s public response to the breach — “ham-handed” and “unacceptable,” in Mr. Walden’s words — drew heavy condemnation. The company had extensive problems with its call centers and the website that it had set up to provide information to those whose information may have been exposed.
One by one, Democrats and Republicans took turns blasting the company. It was a rare moment of bipartisanship, Representative Anna G. Eshoo, Democrat of California, observed.
“You have brought Republicans and Democrats together in outrage and distress and frustration over what’s happened,” she said.