Snapshots from the Equifax hearing:
Breach happened because someone didn’t get the memo
Equifax CEO Richard Smith told lawmakers at a Tuesday hearing that the company’s massive investments in data security didn’t work because one individual failed to tell the right people to patch faulty software.
On March 8, Equifax got a notice from the U.S. Department of Homeland Security that software it used, called Apache Struts, had a “vulnerability” to hackers.
The next day, Smith told lawmakers in opening remarks, Equifax followed its standard policy for dealing with security threats, telling “a large number of people” on the company’s 225-member security team to check for the flawed software. But an individual that he didn’t name failed to communicate that the company was using the flawed software in one application and that a software patch was needed.
“The protocol was followed,” said Smith. “It did not work.”
Rep. Greg Walden, R-Oregon, was incredulous.
How could a “sophisticated company ... with so much at stake” drop the ball? he asked. “Do you not have a double check?”
“The double check was to have the scanning device,” Smith answered, referring to technology that Equifax used a week later to check for vulnerable versions of the Apache Struts software. But it failed to catch the unpatched software, he said.
Equifax criticized for “lax attitude”
Rep. Frank Pallone, D-N.J., called Equifax’s failure to prevent a data breach a sign of a “lax attitude” toward protecting consumer’s personal data.
Equifax’s “entire corporate culture needs to change,” he said, to focus on security. “After all, this is not Equifax’s first data breach.”
Legislation needed to protect consumers
Rep. Jan Schkowsky, D-Ill., said re-introduced her “Secure and Protect Americans’ Data Act” to require tougher security standards and quicker notification of breaches.
“Because consumers don’t have a choice, we can’t trust credit reporting agencies to self-regulate,” she said at the hearing.
She said Equifax had suffered three major data breaches in the past two years, and taken months to detect the latest hacking incident and months more to inform consumers.
“Equifax deserves to be shamed at this hearing,” she said, but Congress needs to come up with legislation that will require quick notification and “appropriate relief” for consumers.
Former Equifax CEO Richard Smith is expected to tell lawmakers Tuesday that a string of human and technology lapses at the Atlanta credit-tracking firm allowed hackers to steal key personal data, including Social Security numbers, on nearly 146 million Americans.
Smith, who stepped down last week, is set to testify before the House Energy and Commerce Committee at 10 a.m. Tuesday.
“We at Equifax clearly understood that the collection of American consumer information and data carried with it enormous responsibility to protect that data,” Smith said in prepared testimony released Monday. “We did not live up to that responsibility.”
But Smith is likely to face numerous questions from lawmakers on how the company failed to install a needed software patch after being warned of a weakness months earlier by the U.S. Department of Homeland Security.
Other sore points lawmakers are likely to probe include the company’s slow disclosure of the data leak to consumers, failure to prepare for heavy call and online volumes from panicked consumers, and company stock sales by three top executives before the data breach was disclosed.
The company has said the executives didn’t know about the data leak at the time of their sales.
Timeline of the hacking of Equifax
Ex-Equifax CEO Richard Smith told lawmakers Monday in prepared remarks before Tuesday’s hearing that “both human error and technology failures” opened the way for a massive hacking incident in which thieves got away with sensitive information on more than 145 million Americans. Here’s a chronology of what happened, based on his prepared testimony before a hearing Tuesday by the House Energy and Commerce Committee. Smith stepped down and retired from Equifax on Sept. 26.
March 8: The U.S. Department of Homeland Security warns Equifax and many other users that a patch is needed on software called Apache Struts to fix security weaknesses.
March 9: Equifax forwards the U.S. warning internally to its information security team and requests a fix within 48 hours, but the patch isn’t installed.
March 15: Equifax’s security team runs software scans that should have caught the weak spot in Apache Struts. But it doesn’t spot any vulnerable versions of the software. “It was this unpatched vulnerability that allowed hackers to access personal identifying information,” Smith said.
May 13: Hackers apparently get their first batch of sensitive data. “The company was not aware of that access at the time,” Smith said. Equifax doesn’t detect the ongoing attack for another two months plus.
July 29: Equifax’s security team sees “suspicious network traffic” tied to its website where consumers dispute alleged errors in their credit profiles or other problems. The team investigates and “immediately” blocks the traffic, Smith said. The website is shut down the next day when more questionable activity appears.
July 31: Equifax’s chief information officer tells Smith about the attack, and that the website was shut down. “I certainly did not know that personal identifying information … had been stolen, or have any indication of the scope of the attack,” Smith said. (Equifax’s CIO at the time of the hack, David Webb, retired in the wake of the scandal on Sept. 15.)
Aug. 2: Equifax hires King & Spalding to “guide the investigation” into the data breach, and calls the FBI. The Atlanta law firm hires cybersecurity consultant Mandiant to investigate the hacking incident.
Aug. 11: Mandiant and Equifax determine that hackers may have gotten “a large amount of consumers” sentive data, Smith said, from a separate database in addition to the attack on the complaint portal.
Aug. 15: Smith said he is told that “it appeared likely that consumer (data) had been stolen. He said he requested “a detailed briefing to determine how the company should proceed.”
Aug. 17: Smith meets with “a senior leadership team” on the hacking investigation. By this time, the company knows “large volumes of consumer data … had been compromised,” he said. “This information was deeply concerning to me, although the team needed to continue their analysis to understand the scope and specific consumers potentially affected.” (Equifax eventually concluded the total was 145.5 million people — most adult Americans.)
Aug. 22: Smith tells Mark Feidler on the company’s board of directors of the breach, as well as the heads of Equifax’s business units. The rest of the board is told of the situation on August 24-25 in conference call meetings. The company starts drawing up “remediation” plans for consumers. (Feidler was named Equifax’s interim chairman when Smith stepped down.)
Sept. 1: The Equifax board meets to discuss the scale of the attack, remediation plans, and the risk of “exponentially more attacks” by copycat hackers, Smith said.
Sept. 4: Equifax draws up a list of 143 million potentially affected consumers — later bumped up to 145.5 million — and sets up a call center and a website for consumers to check if their data is compromised, and to sign up for help. The FBI is told about Equifax’s plans to go public with the breach.
Sept. 7: Equifax discloses the massive breach after the stock market closes.