By Russell Grantham, The Atlanta Journal-Constitution
Snapshots from the Equifax hearing:
Breach happened because someone didn’t get the memo
Former Equifax CEO Richard Smith told lawmakers at a Tuesday hearing that the company’s massive investments in data security didn’t work because one individual failed to tell the right people to patch faulty software.
On March 8, Equifax got a notice from the U.S. Department of Homeland Security that software it used, called Apache Struts, had a “vulnerability” to hackers.
The next day, Smith told lawmakers in opening remarks, Equifax followed its standard policy for dealing with security threats, telling “a large number of people” on the company’s 225-member security team to check for the flawed software. But an individual whom he didn’t name failed to communicate that the company was using the flawed software in one application and that a software patch was needed.
“The protocol was followed,” said Smith. “It did not work.”
Rep. Greg Walden, R-Oregon, was incredulous.
How could a “sophisticated company ... with so much at stake” drop the ball? he asked. “Do you not have a double check?”
“The double check was to have the scanning device,” Smith answered, referring to technology that Equifax used a week later to check for vulnerable versions of the Apache Struts software. But it failed to catch the unpatched software, he said.
Equifax criticized for “lax attitude”
Rep. Frank Pallone, D-N.J., called Equifax’s failure to prevent a data breach a sign of a “lax attitude” toward protecting consumers’ personal data.
Equifax’s “entire corporate culture needs to change,” he said, to focus on security. “After all, this is not Equifax’s first data breach.”
Legislation needed to protect consumers
Rep. Jan Schakowsky, D-Ill., said she has re-introduced her “Secure and Protect Americans’ Data Act” to require tougher security standards and quicker notification of breaches.
“Because consumers don’t have a choice, we can’t trust credit reporting agencies to self-regulate,” she said at the hearing.
She said Equifax had suffered three major data breaches in the past two years, and taken months to detect the latest hacking incident and months more to inform consumers.
“Equifax deserves to be shamed at this hearing,” she said, but Congress needs to come up with legislation that will require quick notification and “appropriate relief” for consumers.
Former Equifax CEO Richard Smith is expected to tell lawmakers Tuesday that a string of human and technology lapses at the Atlanta credit-tracking firm allowed hackers to steal key personal data, including Social Security numbers, on nearly 146 million Americans.
Smith, who stepped down last week, is set to testify before the House Energy and Commerce Committee at 10 a.m. Tuesday.
“We at Equifax clearly understood that the collection of American consumer information and data carried with it enormous responsibility to protect that data,” Smith said in prepared testimony released Monday. “We did not live up to that responsibility.”
But Smith is likely to face numerous questions from lawmakers on how the company failed to install a needed software patch after being warned of a weakness months earlier by the U.S. Department of Homeland Security.
Other sore points lawmakers are likely to probe include the company’s slow disclosure of the data leak to consumers, failure to prepare for heavy call and online volumes from panicked consumers, and company stock sales by three top executives before the data breach was disclosed.
The company has said the executives didn’t know about the data leak at the time of their sales.