One week after retiring, and less than a month after disclosing potentially one of the most consequential data breaches in U.S. history, former Equifax CEO Richard F. Smith faced a barrage of questions on the theft of Americans’ financial data. New details about the incident, including a timeline of events, also surfaced during Smith’s testimony to the House Digital Commerce and Consumer Protection Subcommittee on Tuesday.
Smith’s testimony came after Equifax disclosed in a press release late Monday that the number of consumers affected by the breach had risen from 143 million to 145.5 million.
Energy and Commerce Committee Chairman Greg Walden, R-Oregon, aptly summarized the hearing in his opening statement: “Today gives whole new meaning to Mr. Smith goes to Washington. It’s not a run on the bank that’s an issue. It’s a run on financial records of 145 million Americans, and the consequences and inconveniences for our fellow citizens is every bit as important to discuss today as why this breach occurred in the first place.”
A soft-spoken Smith conveyed humility from the beginning and remained composed amidst sometimes fiery questioning from Republicans and Democrats alike.
“The criminal hack happened on my watch, and as CEO, I am ultimately responsible,” Smith said in prepared remarks. “And I take full responsibility. I’m here today to say to each and every person affected by this breach: I am truly and deeply sorry for what happened.”
But, stoked by the outrage of millions of Americans, politicians came ready to make an example of the beleaguered company. “Equifax deserves to be shamed in this hearing,” Subcommittee Ranking Member Jan Schakowsky, D-Illinois, said in opening remarks.
Ben Ray Lujan, D-New Mexico, told Smith, even before Smith had given his opening remarks, “I worry that your job today is about damage control, to put a happy face on your firm’s disgraceful actions and then to part with a golden parachute. Unfortunately, if fraudsters destroy my constituents’ savings and financial futures, there is no golden parachute awaiting them.”
In opening remarks and through extended questioning, Smith gave a detailed timeline of the events that occurred from Equifax’s discovery of “suspicious activity” on July 29-30 to the company’s public disclosure of the breach on Sept. 7.
Smith said in prepared remarks that the breach was caused partly by “human error,” namely the failure to apply an available security patch to the Apache Struts software used for what Smith called Equifax’s “consumer dispute portal,” a website that was the main target of data exfiltration.
Smith noted during questioning that there were no consumer credit files stolen and that cybersecurity consultants had not detected any manipulation of data left behind in Equifax’s systems.
Smith said the breach was also caused partly by “technological error,” namely the failure of scanning software designed to alert the company of security vulnerabilities and available security patches. Smith said the company has since addressed both errors.
Smith said the Equifax security team first detected the suspicious activity via “decryptor” software on July 29-30. It was not immediately clear to Equifax security staff whether the hackers had exfiltrated data, and if so, if the stolen data included consumers’ personally identifiable information (PII), such as Social Security numbers.
Smith said former CIO David C. Webb first told him of the suspicious activity on July 31. That same day, the security team took down the website and opened an investigation.
On Aug. 2, Equifax engaged outside consultants to assist with the investigation, including computer forensics company Mandiant and the law firm King & Spaulding LLC for legal and regulatory advice.
However, Smith said it took the company weeks to determine that a breach had occurred and that the breach did, in fact, entail consumers’ PII. Smith was first briefed on the breach on Aug. 15. On Aug. 17, Smith met with the company’s outside security consultants and legal counsel.
Smith notified the presiding director of the company’s board, Mark Fiedler, on Aug. 22 and then briefed the entire board on the breach on Aug. 24, providing regular updates up until the company’s public disclosure.
That same day, Aug. 24, Smith said company leadership began working on a comprehensive incident response plan, which included four major components:
- When and how to notify the public of the breach.
- Building a website to help consumers get answers on the breach, staffing up call centers, and offering one year of free identity and fraud protection to victims.
- Scaling up cybersecurity in anticipation of additional attacks on the company, which outside consultants advised Equifax to expect.
- Coordinating with the FBI on a criminal investigation into the incident, as well as alerting federal and state agencies.
The company’s breach disclosure and incident response have been widely criticized. “In the rollout of our remediation program,” Smith said, “mistakes were made, which again, I deeply apologize.”
But the company was hampered by external factors as well. Hurricane Irma took down two larger call centers in the first few days after the breach, Smith told the subcommittee.
Smith said, in just over three weeks, 420 million consumers visited the company’s website created to handle questions about the breach. The company’s call centers fielded millions of calls, although Smith was unable to say how many consumers were unable to reach Equifax call center associates.
Of concern to many House representatives was precisely when three Equifax executives, which do not include Smith, came to learn of the breach, and how that knowledge may have affected the timing of the three executives’ sale of $1.8 million in Equifax stock on Aug. 1 and Aug. 2.
Central to this question was when John Kelly, Equifax chief legal officer, learned of the incident. According to company protocol, Kelly is required to sign off on all sales of company stock by employees.
Smith said Kelly learned of the suspicious activity on July 30. At approximately the same time, Kelly approved the three Equifax executives’ stock sale.
Ambiguity around this situation led Schakowsky to a line of extended questioning. Schakowsky asked Smith, “Did any of the three executives who sold stock have knowledge of the security incident at the time they sold stock?”
Smith replied, “To the best of my knowledge, congresswoman, no.”
“When were they informed the incident had occurred?” Schakowsky asked.
Smith answered, “I don’t know the exact date they were informed, but to the best of my knowledge, they had no knowledge at the time they cleared their trades through the general counsel.”
“Do you know for sure that they didn’t know?” Schakowsky pressed.
Smith: “To the best of my knowledge, they did not know.”
Schakowsky continued, “And Mr. Kelly, who we were told knew of the breach and that it contained personal information and yet still approved the stock sale, is he still chief legal officer for Equifax?”
Smith replied, “Congresswoman, I would come back to it again: [Kelly] did not know it was a breach when he approved –”
At which point Schakowsky interrupted, “But it could have been a breach.”
Smith: “All he knew at the time, it is my understanding, is suspicious activity when he approved the sales.”
An exasperated Schakowsky replied, “What the heck does suspicious – it could be a breach, right?”
Smith held firm: “It was deemed suspicious activity. We had no indication that PII was, in fact, compromised at that time. We had no idea if data was exfiltrated at that time.”
In later questioning, Leonard Lance, R-New Jersey, continued questioning on the timing of the stock sale, asking Smith if it appeared above board to him.
Smith said it is common for Equifax employees to sell stock after a quarterly earnings report, that the window remains open for about 30 days, and that the company encourages employees to sell shares as early as possible.
Smith added, “And that’s what occurred here.”
Lance pressed further, and Smith said the sale of the stock followed the “normal process.” Smith said he had long known the three executives who sold stock and called them “honorable men, men with integrity.” He noted the executives followed due process in their transactions.
Smith added, “I have no information to indicate they had knowledge of the breach at the time of the sell.”
Lance was one of the representatives who asked whether a nation-state had a hand in the hack. The questions followed a report last week by Bloomberg in which sources familiar with the investigation said the attack showed signs of nation-state involvement.
Bloomberg’s report said some investigators thought the Equifax attack had similarities to the 2014 and 2015 breaches of the U.S. Official of Personnel Management, which compromised data on individuals holding government security clearances, and the 2015 Anthem Inc. breach, which involved healthcare data on millions of Americans. The Chinese government is widely thought to be behind the OPM and Anthem hacks.
Still others, Bloomberg reported, said there appears to be nation-state involvement, but not by the Chinese. Bloomberg’s sources declined to name the suspected country.
Against this backdrop, Lance began by asking, “Criminals perpetrated this fraud. Is it possible these criminals are from another country?”
Smith replied, “It’s possible but at this time –”
Lance interjected, “It’s possible. Number two: Is it possible it’s the government of another country?”
Smith said, “We engaged the FBI. They’ll make that conclusion.”
After Smith deferred several more questions to the FBI, a visibly frustrated Lance replied: “Yes, I know we have the FBI involved. Do you have an opinion on the two questions I’ve just asked?”
“I have no opinion,” Smith said.
Representative Doris Matsui, D-California, pursued a line of questioning around ownership of the data at the heart of Equifax’s business model. “In the context of this breach,” Matsui asked, “if the data that you hold is about me, do I own it?”
Smith replied, “We are part of a federally regulated ecosystem that has been around a long time. It’s there to help consumers get access, with their consent, to credit when they want credit.”
Matsui continued, “Can you explain what makes data about me mine versus someone else’s?”
Smith answered by referring to a new product Equifax has recently announced, which will allow consumers to lock and unlock their credit via an online portal. Smith replied to Matsui, “The intent of the solution we have recommended we implement and are going live with in January 2018 is, in fact, to give you as the consumer the ability to control who accesses your personal information and who does not.”
Matsui then asked, “At that time, I can say I own my data. Is that right?”
Smith repeated his talking point, “You’ll have the ability to control who accesses, and when they access, your data.”
Many representatives made strong statements about the need to more heavily regulate the credit reporting agencies, which include Experian and TransUnion. But ideas on how to go about it appear to vary.
Several of the representatives – including Frank Pallone, D-New Jersey, Schakowsky, Lujan, and Debbie Dingell, D-Michigan – have introduced bills to bolster national data breach laws and stiffen penalties for victims.
Joe Barton, R-Texas, suggested nothing but financial consequences would work. “It would seem to me you might pay a little more attention to security if you had to pay everybody whose account got hacked a couple thousand bucks or something,” Barton said and then asked, “What would the industry reaction be to that if we passed a law that did that?”
Smith replied, “I think the path the company was on when I was there, and the company has continued, is the right path, and that’s the path of allowing the consumers to control the power of who and when access their credit file going forward.”
Barton continued, “The consumer can’t control the security of your system.”
To which Smith conceded, “That is true, sir.”
Lujan, who along with Schakowsky and Dingell were visibly impassioned throughout the hearing, asked Smith, “Will Equifax pay to make consumers whole?”
Smith deferred several times, referring to the “comprehensive set of products” – primarily the one year of free credit monitoring – that Equifax has made available to victims.
Walden, who seemed to range from gravely serious to incredulous throughout the hearing, at one point questioned how external regulation could “fix stupid.” Walden said:People ask us: How does that happen? If as sophisticated a company you headed is, with so much at risk, how does this happen? And, you know, we have colleagues who say we’re going to double the fines, triple the fines, put fines in, do all these things, but how does this happen when so much is at stake? I don’t think we can pass a law that, excuse me for saying this, but fixes stupid. I can’t fix stupid, as a colleague of mine used to say.
Regardless of the ultimate form future regulation may take, Barton summed up what seemed to be a common perspective across both parties: “I think it’s time at the federal level to put some teeth into this and some sort of per-account payment” to consumers who fall victim to future breaches.