Lawmakers shamed former Equifax CEO Richard Smith Tuesday over the company’s humongous data breach, scolding him over everything from allowing the breach to happen to the long list of issues that stemmed from the company’s public response.
Smith took questioning from the House Energy and Commerce’s Subcommittee on Digital Commerce and Consumer Protection, the first of three breach-related hearings scheduled for this week. While the panel lambasted him for the company’s actions, Smith offered little details outside of his prepared testimony.
In an exchange with Rep. Greg Walden, R-Ore., Smith explained that the breach occurred because IT and security personnel at Equifax failed to find and patch the software vulnerability after being notified by the Department of Homeland Security.
“It appears this breach happened because the company didn’t know it was running certain software on it’s system,” Walden said. “How does this happen when so much is at stake? I don’t think we can pass a law that – excuse me for saying this – fixes stupid.”
When asked by multiple representatives on the panel about what consumers can do to protect themselves in the attack’s wake, Smith reiterated that Equifax is offering free services to all Americans to monitor and protect their credit information.
According to Smith, DHS’s Computer Emergency Readiness Team (US-CERT) notified the credit monitoring agency on March 8 of a software vulnerability in Apache Struts, the open-source application Equifax was using in its online consumer disputes portal.
Smith said it wasn’t until July 29 that Equifax detected suspicious activity on the website. After failing to block the suspicious traffic, Equifax took down the site. Smith said he was notified for the first time on July 31, but that it wasn’t clear until August 15 that personal information was stolen.
The company announced on Sept. 7 that 143 million may be affected. That number went up to 145.5 million on Monday.
The CEO also fielded questions about Equifax’s website set up after the breach was made public. That site wasn’t owned by Equifax and was riddled with security flaws.
“This was extremely challenging given that the company needed to build a new capability to interface with tens of millions of consumers, and to do so in less than two weeks. That challenge proved overwhelming, and, regrettably, mistakes were made,” Smith said in his testimony.
On Monday, the subcommittee’s ranking Democrat, Jan Schakowsky of Illinois, reintroduced a bill entitled the Secure Protect Americans’ Data Act, “which seeks to enhance data security and require prompt notification and ongoing assistance to consumers in the event of a breach,” according to a statement on her website.
“Equifax deserves to be shamed in this hearing, but we should also ask what Congress has done to stop data breaches from occurring,” Schakowsky said.