Former Equifax chief executive Richard Smith was grilled by animated lawmakers Tuesday at the first congressional hearing after the company disclosed a massive security breach.
Lawmakers from both parties questioned Smith on his role at the embattled credit-reporting agency and indicated that tighter data security standards are long overdue.
Rep. Greg Walden, R-Ore., the chairman of the House Energy and Commerce Committee, described Equifax's response to the breach as "ham-fisted" and "unacceptable," echoing several other lawmakers on the panel. In a remarkable exchange, Walden held up a thick stack of paper, which he said was a full Equifax consumer credit report, and asked Smith how such a sophisticated company responsible for so much data could allow the breach to occur. "How does this happen?" he said, with exasperation.
Smith confirmed at the hearing that intruders were able to penetrate the company's network by exploiting a known vulnerability that Equifax had failed to patch. But for the first time, Smith acknowledged that the employee responsible for assigning a correction to that vulnerability failed to do so, even though that person knew the patch was needed.
Smith also fielded questions concerning reports that his former colleagues sold an unusual amount of stock after the breach was known to the company but before it was disclosed to the public. Smith said that at the time, Equifax knew only that suspicious activity had been detected, and not that personal information had been stolen from the company. "To the best of my knowledge they did not know," Smith said.
The former Equifax chief executive declined to directly answer whether Equifax suspects a nation state was involved in the breach. "I have no opinion," he said, when asked by Rep. Leonard Lance, R-N.J., several times. Smith said that the FBI is involved.
The hearing comes a day after Equifax said that the data of an additional 2.5 million consumers may have been compromised by the cyber breach, bringing the total number of consumers who may have been affected to a staggering 145.5 million.
Last week, Equifax tried to get ahead of what may be an intense round of questioning. On Thursday, the company announced a new, free service that will allow consumers to lock and unlock their credit information for life, starting next year. It has also been considering clawbacks for some of its executives, according to the Wall Street Journal. But that may not be enough for lawmakers and consumer advocates who have asked the credit agency for more extensive remedies and protections. There have even been calls to change the entire credit reporting industry.
While many high-profile companies have suffered damaging data breaches, the Equifax hack stands out because of the company's sprawling influence on U.S. commerce. The crucial, identifying information belonging to millions of people, including Social Security numbers and home addresses, may have been compromised.
After Equifax disclosed the breach in September, the public outcry was swift and resounding. Reports quickly surfaced that several Equifax executives had sold an unusual amount of stock after the company discovered the breach but before it was made public. Not only did consumers feel exposed after learning that their sensitive information may have been stolen, but they also were angered by Equifax's bungled response. The call center was understaffed, and a help website that the company put up had the trademarks of a phishing scam while offering little guidance as to how to protect affected people, experts and consumers said.
A week later, the company's chief security officer and the chief information officer announced their sudden retirements. Then Smith said that he, too, would step down.
Smith will also testify in three other hearings this week. It's not clear whether the company's attempts at reform will pre-empt new cybersecurity regulations backed by some lawmakers.