Former Republican U.S. Sen. Saxby Chambliss of Georgia, standing, advises former Equifax CEO Richard Smith prior to his testimony Wednesday before the U.S. House Energy and Commerce Committee. Chambliss now works for the law firm DLA Piper, which is reportedly aiding Equifax in the aftermath of a breach that affected the personal data of as many as 146 million Americans. (Photo by Chip Somodevilla/Getty Images)
Photo: Chip Somodevilla

Five lessons learned following Congress’ Equifax hearings

Bipartisanship isn’t completely dead on Capitol Hill. As it turns out, there’s nothing like the compromise of the personal information of nearly 146 million Americans to bring the two parties together.

That is just one of a handful of lessons learned this week after former Equifax CEO Rick Smith faced lawmakers for a four-part grilling, all broadcast live on C-SPAN. It was the Atlanta credit bureau’s first extended public reckoning since it disclosed on Sept. 7 that hackers had stolen the sensitive personal details of more than half of American adults.

Smith, who stepped down last week following more than a decade at the helm of the company, apologized as he sat alone at the witness table. He attributed the hack to a mixture of “human error and technology failures.”

Here’s what else we learned about the Equifax breach and its aftermath this week:

Equifax was warned in March that its system had a vulnerability. Smith disclosed in his testimony that the U.S. Department of Homeland Security alerted the company on March 8 that software it used called Apache Struts had a flaw that made it vulnerable to hackers. That’s a full two months before the company was reportedly hacked and four months before the company noticed the suspicious activity, according to Smith’s timeline. Executives did not fully ramp up their internal damage control operations until August and did not tell the public until early September. Smith said that during the more than monthlong delay between when the company noticed the hack on July 29 and when it notified the public, the firm was still figuring out the scope of the breach and setting up call centers for customers affected by the hack. Lawmakers were heavily critical of the response time.

Apparently one person is responsible for the internal communication breakdown that made the hack possible. According to Smith’s testimony, Equifax followed its standard security protocol and told “a large number of people” on its security staff to check out the reported flaw the day after the company was contacted by Homeland Security. But the vulnerability was never fixed because of a single person at the company who failed to properly communicate that a software patch was needed, Smith said. He did not name that person, and it was unclear whether the individual still works for Equifax.

Outrage is bipartisan. Lawmakers are divided on just about everything when it comes to regulation of the financial services industry, but the indignation stretched across party lines this week. Lawmakers patiently waited their turns to slam the company’s behavior before, during and after the hack on behalf of their constituents. Many of the same notes were sounded from House Financial Services Chairman Jeb Hensarling, R-Texas, an advocate for unwinding federal rules on corporations, to Massachusetts Democratic U.S. Sen. Elizabeth Warren, a prominent voice on consumer advocacy issues.

During the hearings, lawmakers from both parties discussed the possibility of passing legislation that would mandate when corporations would have to disclose cyberbreaches to their customers. Others mentioned implementing some sort of pre-emptive security standard for companies. Similar legislation has eluded Congress in recent years, but some lawmakers have indicated that the mammoth scale of the hack could persuade members of Congress to find consensus this time.

The Internal Revenue Service is still willing to give Equifax money. Another patch of bipartisanship emerged this week in the form of widespread scorn after media outlets reported that the feds’ tax collectors quietly awarded Equifax a $7.25 million no-bid contract last week. The money is for fraud prevention and taxpayer identification services. Louisiana Republican U.S. Sen. John Kennedy was one of the most blunt. “You realize, to many Americans right now, that looks like we’re giving Lindsay Lohan the keys to the minibar,” he said, according to the Los Angeles Times. The IRS said in a statement that the short-term contract is aimed at preventing a lapse in services. IRS data, according to the agency, were not included in the breach.

The Monopoly man makes the occasional trek to Capitol Hill. This week’s hearings were tense, highly charged — and more than a little repetitive. A dash of levity came Wednesday morning, when a woman dressed as Monopoly mascot Rich Uncle Pennybags — complete with a lush fake handlebar mustache, top hat and monocle — took a seat just over Smith’s left shoulder as he testified before the Senate Banking Committee. The woman was a consumer protection advocate for the left-leaning Public Citizen, reportedly looking to make a point about forced arbitration clauses used by companies such as Equifax. Pennybags was seated directly behind former U.S. Sen. Saxby Chambliss. The Georgia Republican left Congress in 2015 and has since been working as a consultant at DLA Piper, a law firm that faced a hack of its own earlier this year and is reportedly aiding Equifax in the aftermath of the breach. Chambliss and DLA Piper did not respond to requests for comment.
