During the week of October 2, Congressional committees held four hearings on the Equifax data breach scandal. The House Energy & Commerce, Senate Banking, Housing, and Urban Affairs, Senate Judiciary, and House Financial Services committees all had hearings on the incident throughout the week. At all four hearings, former Equifax CEO Richard Smith testified and answered Members’ questions.
Major points of contention for the members hearing Smith’s testimony included the recent no-bid contract renewal that Equifax received from the Internal Revenue Service (IRS), the stock sales of three Equifax executives after the company discovered the breach but before it was made public, and a series of missteps before and after the breach (such as the revelation that the breach was due to an unpatched security vulnerability, and the company’s Twitter account sending consumers to a fake website for breach assistance).
Representatives and Senators also lambasted Smith for the perceived unfair impact of the breach on consumers. Members noted that consumers did not ask to be involved with Equifax’s service, and there is no way to opt out. Consumers may be subjected to identity theft or a loss of creditworthiness in the future due to the breach. A number of Members made the point that consumers are not Equifax’s customers – they, or more accurately their data, are more like the product. Businesses are Equifax’s customers.
A number of members implied that the executives’ stock sales may not have been on the up-and-up. Equifax CFO John Gamble, U.S. Information Solutions President Joseph Loughran and President of Workforce Solutions Rodolfo Ploder sold stock worth a total of $1.8 million. Smith told the committees that the company has a process for executive stock sales that allows them to sell shares during a set window after the company has reported financial information, and that the sales were approved by Equifax’s Chief Legal Officer, John Kelley.
Sen. Tim Scott (R-SC) viewed these claims with skepticism. Scott characterized Smith’s description of the sales as indicating “pure luck and nothing else,” and noted that everyday investors, such as those with Equifax stock in their retirement accounts, saw major losses. Equifax stock was trading at $142.72 on September 7 when the company announced the breach; it fell nearly $20 per share by the next day and hit a low of $92.98 on September 15. As of this writing it has rebounded to $111.97 per share. Scott added, “I find it hard to believe,” that the executives were merely lucky to have sold their shares before news broke of one of the biggest hacks ever.
Sen. Elizabeth Warren (D-MA) touched on the potential risk for further damage to consumers, asking whether the hack might lead to more fraud in the future. Smith answered in the affirmative. Sen. Al Franken (D-MN) expressed the frustration of many that the breach was allowed to take place in the first place. He stated that this was not a “novel” vulnerability with a novel solution – Smith confirmed this.
Franken continued, “Why is the security of 145 million Americans all in the hands of one guy? Why is it all up to ‘Gus?’ How did you, knowing the seriousness of this, put it in the hands of one guy to screw up?” This was a reference to a particularly striking admission that Smith had made in this hearing and in a previous one as well: the responsibility for applying the security patch that would have prevented the attackers from gaining access to the system rested with a single employee, who failed to direct a security IT team to apply it. At other points Smith also laid blame on a “scanner” that failed to detect that the patch had not been applied. During one of the House hearings, Rep. Carolyn Maloney (D-NY) noted that her office had received a response letter from Equifax rival Experian, in which Experian indicated that it has a patch management system that will actually shut down systems if a patch is not applied. Smith did not know why Equifax lacked such a system, nor why the company’s patch scanner did not function as intended.
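The two failure modes raised in this exchange, a human who never triggers the patch and a scanner that reports nothing for a system it did not actually check, are both cases of treating "no finding" as "patched". The check below is an added example written for this article; it is not Equifax's or Experian's tooling, and the hostnames, the component name `appframework` and the version numbers are constructed placeholders. It compares what the scanner reported against an independent asset inventory and fails closed: any host or component the inventory says should exist but the scan did not report is counted as non-compliant, which is what turns a scanner gap into an alert instead of a clean report.

```python
"""Fail-closed patch-compliance check (added example, constructed data).

Assumptions: versions are dotted integers ("4.10.1"); the inventory is
maintained independently of the scanner (e.g. from a CMDB or deployment
manifests), so a scanner blind spot shows up as a mismatch.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    component: str
    reason: str


def parse_version(v: str) -> tuple:
    """Turn '4.10.1' into (4, 10, 1) so comparison is numeric, not lexical
    (a string compare would wrongly rank '4.10.1' below '4.2.0')."""
    return tuple(int(part) for part in v.split("."))


def evaluate_open(scan_results, minimum_versions):
    """Scanner-only view: flags only versions the scanner actually saw.

    scan_results: {host: {component: version}} as reported by the scanner.
    minimum_versions: {component: first patched version}.
    A host or component the scanner skipped produces no finding at all,
    so a blind spot reads as 'clean'.
    """
    findings = []
    for host, comps in scan_results.items():
        for comp, version in comps.items():
            required = minimum_versions.get(comp)
            if required and parse_version(version) < parse_version(required):
                findings.append(Finding(host, comp, f"{version} < required {required}"))
    return (not findings, findings)


def evaluate(inventory, scan_results, minimum_versions):
    """Fail-closed view: inventory drives the check, scan results must cover it.

    inventory: {host: [component, ...]}, what should be running where.
    Anything in the inventory that the scanner did not report is a finding,
    because 'no result' is indistinguishable from 'unpatched'.
    """
    findings = []
    for host, components in inventory.items():
        reported = scan_results.get(host)
        if reported is None:
            findings.append(Finding(host, "*", "host not covered by scan"))
            continue
        for comp in components:
            required = minimum_versions.get(comp)
            if required is None:
                continue  # no outstanding patch requirement for this component
            version = reported.get(comp)
            if version is None:
                findings.append(Finding(host, comp, "in inventory but not reported by scanner"))
            elif parse_version(version) < parse_version(required):
                findings.append(Finding(host, comp, f"{version} < required {required}"))
    return (not findings, findings)


# Constructed sample data (placeholders, not real hosts or products).
INVENTORY = {
    "web-01": ["appframework", "tlslib"],
    "web-02": ["appframework", "tlslib"],
    "web-03": ["appframework"],
}
SCAN = {
    "web-01": {"appframework": "4.10.1", "tlslib": "1.0.2"},
    "web-02": {"tlslib": "1.0.2"},      # scanner missed appframework here
    # web-03 absent: scanner never reached this host
}
MINIMUM_VERSIONS = {"appframework": "4.2.0"}


if __name__ == "__main__":
    for name, (ok, findings) in (
        ("scanner-only", evaluate_open(SCAN, MINIMUM_VERSIONS)),
        ("fail-closed", evaluate(INVENTORY, SCAN, MINIMUM_VERSIONS)),
    ):
        print(f"{name}: {'compliant' if ok else 'NON-COMPLIANT'}")
        for f in findings:
            print(f"  {f.host} {f.component}: {f.reason}")
```

On the sample data the scanner-only view reports the estate as compliant, while the inventory-driven view raises two findings (the component the scanner skipped on `web-02` and the host it never reached). An enforcement step of the kind Experian described would key off the second result, not the first.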
At another point in the hearing, Smith confirmed that the company has cybersecurity liability insurance to cover their potential losses over the incident and the company is hiring a consultant to revamp the company’s security approach.
At one point in the hearing, Smith expressed criticism towards the very concept of modern identity verification. He asked, “Is social security and date of birth a secure way to validate someone’s ID in 2017?” A number of commentators have expressed similar sentiments. We are still using a very old, and very easy to steal, number in all manner of transactions requiring identification. Smith said that Equifax is exploring the possibility of a public-private partnership to “rethink the concept” of ID and the widespread use of an SSN.
Sen. Richard Blumenthal (D-CT) noted that Smith was the “fall guy” for the scandal. Smith resigned after the scandal broke with a $90 million parting package. He told Members that he is serving the company in an unpaid capacity as an advisor. Members would likely have been interested in hearing from two executives more directly responsible for the breach: the Chief Security Officer, Susan Mauldin, and the Chief Information Officer, Dave Webb. Mauldin and Webb also resigned, but unlike Smith have not continued to be involved with the company.
The second session of the Senate Judiciary hearing heard testimony from Jamie Winterton, Director of the Global Security Initiative at Arizona State University, and Tyler Moore, Assistant Professor of Cyber Security & Information Assurance at the University of Tulsa. The two experts testified on what happened during the hack and what its consequences might be.
Winterton criticized Smith’s earlier assertion that Equifax has a culture of cybersecurity, noting that the events leading up to and following the breach do not bear that out. Moore emphasized that in the wake of an attack like this, accountability and tracking progress and improvement are important.
Winterton noted that the breach could pose a national security threat, as it is not yet publicly known which actor perpetrated the hack. If a foreign power carried it out, the stolen information could give that actor a detailed picture of the U.S. economy. Winterton suggested an opt-in / opt-out model as a potential way for consumers to limit the risks posed by breaches such as this one.
In the midst of the very serious inquiries that Members made of Mr. Smith, there was a lighthearted moment as well. An individual dressed as the Monopoly Man attended the Senate Banking committee hearing and sat two rows behind Smith. Thanks to that seating position, viewers of the hearing’s video cast were treated to the spectacle throughout the whole hearing. The person turned out to be Amanda Werner, an activist with Public Citizen and Americans for Financial Reform.
Interested readers can view the archived video casts, opening statements, and written testimony on the websites of the Senate Banking committee, the Senate Judiciary committee, the House Financial Services committee, and the House Energy & Commerce committee.
Photo Credit: Screenshot by David Weissman of the live videocast of the Senate Committee on Banking, Housing, and Urban Affairs.