When Richard Smith voluntarily testified before Congress on Tuesday, members of the House Energy and Commerce Committee questioned the former Equifax CEO with a ferocity reflective of Rep. Jan Schakowsky's, D-IL, opening sentiment that "Equifax deserves to be shamed in this hearing."
Smith and committee members hashed out the sequence of the breach and its subsequent handling, which has been condensed into the following timeline:
Equifax employee detects suspicious activity in a "dispute portal".
Equifax brings down the dispute portal and launches an internal investigation.
CIO David Webb informs CEO Richard Smith about an "incident" of "suspicious movement of data" out of a dispute portal. John Kelley III, chief legal officer, learns of the "suspicious activity" but, like Smith, reportedly knows nothing about compromised personally identifiable information (PII).
CSO Susan Mauldin engages forensic experts and law firm King & Spalding to look into the incident. Three executives sell $1.8 million worth of company shares, which were signed off by Kelley. Equifax and Smith claim these individuals had no knowledge of the breach at the time.
The forensic investigation determines consumer PII may have been compromised. Smith says he did not know about compromised PII at this time.
Smith asks for a briefing on the breach and is made aware criminal hackers may have compromised PII.
Smith meets with Equifax cybersecurity experts and outside counsel.
Smith notifies the presiding director of the board about the breach.
The full board of directors is briefed on the breach, and a remediation plan for customers is initiated.
Equifax publicly discloses the breach and offers customers a remediation product, including a lock on credit files.
Webb and Mauldin retire.
Timeline of the Equifax breach according to the House Energy and Commerce Committee hearing
Smith retired on Sept. 26, 11 days after the CIO and CSO similarly left the company. Changes in top leadership came as little surprise given the scope of the breach, and Smith has accepted responsibility.
Though the breach was immediately caused by a combination of human and technical errors, the security environment that allowed this combination to occur may be more at fault. If the hearing made one thing clear, it is that this breach is making consumers take a hard look at where their data is going and reevaluate their relationship with the corporations storing it.
How could this have happened?
As representatives ran Smith through close to three hours of questioning, an inability to comprehend how a company handling such sensitive data could have experienced such a breach was evident. While Smith maintained the fault ultimately lies with him as CEO, he cited the familiar combination of human and technical errors as specifically leading to the breach.
On the human side, an Equifax employee knew the Apache Struts software needed patching because of a vulnerability the company was made aware of, but the employee did not communicate this information to the team who would fix it, according to Smith.
On the technical side, a "scanning device" deployed by the security team did not pick up on the vulnerability. The scanner, which needs to be told what to look for, did not know about the Struts vulnerability because the security team was not informed on the matter, said Smith, and the technology’s failure is still being investigated.
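The scanner problem Smith describes is a signature gap: a scan only flags components its advisory feed has been told about. The following added example (not from the article or from Equifax's tooling; product names are placeholders and the version numbers are constructed, not the real Struts fix versions) models that failure mode, running the same inventory against a feed without and then with the relayed advisory:

```python
# Added example, not from the article or from Equifax's tooling: a minimal
# signature-driven scan. It models Smith's point that the scanner only flags
# what its advisory feed tells it to look for, so a patch notice that never
# reaches the security team leaves the vulnerable component reported as clean.
# Product names are placeholders; versions are constructed, not real Struts fix versions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    product: str
    vulnerable_below: str  # every version strictly below this is affected
    note: str

def parse_version(v: str) -> tuple:
    """'2.3.7' -> (2, 3, 7); shorter strings are zero-padded to three parts."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(installed: str, adv: Advisory) -> bool:
    return parse_version(installed) < parse_version(adv.vulnerable_below)

def scan(inventory: dict, advisories: list) -> list:
    """Return (host, product, installed, note) for every inventory entry that
    matches an advisory. Nothing absent from `advisories` can ever be reported."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.product)
            if installed is not None and is_vulnerable(installed, adv):
                findings.append((host, adv.product, installed, adv.note))
    return findings

# Constructed inventory: a public-facing portal on an old framework release.
INVENTORY = {
    "dispute-portal-01": {"example-web-framework": "2.3.7", "example-jdk": "8.0.1"},
    "batch-worker-02": {"example-web-framework": "2.5.2"},
}

# The feed as the security team had it (notice never relayed) vs. after ingestion.
FEED_BEFORE_NOTICE: list = []
FEED_AFTER_NOTICE = [
    Advisory("example-web-framework", "2.5.0", "PLACEHOLDER-ADVISORY: upgrade to 2.5.x"),
]

if __name__ == "__main__":
    print("before notice:", scan(INVENTORY, FEED_BEFORE_NOTICE))  # []
    print("after notice: ", scan(INVENTORY, FEED_AFTER_NOTICE))   # one finding
```

The defensive takeaway is that advisory intake has to be a tracked process feeding the scanner, not a message that depends on one person forwarding it.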
"In the end, Equifax has had to apologize for its post breach response almost as much as it has apologized for the breach itself."
As committee members continued to grill Smith on why stronger actions were not taken after he first heard of the breach on July 31, Smith repeatedly said "incidents" and "suspicious movement of data" are regular occurrences for the company. "We have experienced millions of suspicious activity against our database any given year," said Smith, adding that it is "not uncommon" for the CSO to personally inform the CEO of such events.
Equifax conducted IT and security reviews at least quarterly, and Smith was thereby briefed on the company's IT and security at an equivalent frequency, according to his testimony. For companies handling a trove of personally identifiable information (PII), routine and frequent checks are key to a successful security strategy.
"I think it's time at the federal level to put some teeth into this ... I don't want to drive credit bureaus out of business and all of that, but we could have this hearing every year from now on if we don't do something to change the current system."
While Equifax uses a variety of security measures to protect data, from tokenization to encryption to masking, the compromised data was not, in fact, encrypted at rest, Smith said.
The breach timeline extends across three quarters, and committee members repeatedly brought up the lag between Smith being informed of the incident, the board being informed and beginning remediation efforts for customers and the public disclosure. Smith stuck to a consistent timeline of the event, but his responses did not resolve suspicions on how the events unfolded.
How do consumers opt out if they never opted in?
No amount of sincere apologies or remediation efforts will make up for Equifax's security shortcomings, and the handling of the breach will financially and legally take years to bounce back from. But this incident may serve as a cultural turning point in how corporations handle cybersecurity and consumer data.
The legislative environment governing the protection of consumer data is ineffective, and, as Rep. Greg Walden, R-OR, bluntly put it, "I don't think we can pass a law that, excuse me for saying this, fixes stupid."
Committee members expressed frequent disbelief at just how much data Equifax had on customers. Rep. Joe Barton, R-TX, described viewing the Equifax report of a staffer impacted by the breach and said, "the amount of information that's collected is way beyond what you need to determine if [someone]'s creditworthy."
But where to draw the line on what information a company collects about consumers is complicated, because for firms like Equifax most of the information comes from what Smith described as "furnishers" rather than from customers directly.
"In the context of this breach, if the data that you hold is about me, do I own it? ... Can you explain what makes data about me mine compared to somebody else's?"
Another thing likely to face reevaluation is the FTC's role as the cybersecurity watchdog. The commission has no rule-making authority despite its role as an enforcement body, said Rep. Jerry McNerney, D-CA, and attempts to gauge Smith's opinion on the matter proved fruitless. As companies collect more data for consumer analytics, the need for legislation or a governing body to address the issue is becoming clear.
Courts have generally sided with companies in lawsuits similar to those filed against Equifax, and corporations will continue to do everything possible to avoid legal and financial penalties. Equifax lobbied for F.C.R.A. Liability Harmonization Act proposals in a recent House hearing, reports the New York Times. The company conducted these lobbying efforts in early September for measures to scale back consumer protections and protect credit reporting agencies from class action suits, even as it was publicly disclosing the news of its breach, said Schakowsky.
A change in how customers are identified is needed, said Smith, who encouraged lawmakers to rethink the Social Security number system. Yet such grand proposals are years, if not decades, from becoming reality. While industry members, politicians and consumers may criticize the vulnerabilities and flaws of such PII, it is the reality that must be dealt with today, and the burden falls on corporations to invest proper resources, talent, time and attention in their infrastructure.
News broke shortly after the hearing that Equifax was awarded a $7.25 million contract by the IRS to prevent fraud and verify taxpayer identities, as first reported by Politico. The contract, awarded to the company Sept. 29, raised more than a few eyebrows and criticisms.
Smith will testify before the Senate Banking Committee on Wednesday and the House Financial Services Committee on Thursday.