Lawmakers are angry over Equifax’s massive data breach. Where do we go from here?
Richard Smith went to Washington this week to face panel upon panel of angry lawmakers who questioned the former Equifax CEO on the hows and whys of last month’s massive data breach, which compromised the financial and personal information of more than 145 million Americans.
In the span of three days, Smith faced a barrage of questions from House and Senate committees in four separate congressional hearings, each providing several moments of political theater.
- Democratic Sen. Elizabeth Warren, who has co-sponsored a bill that would allow consumers to freeze their credit reports for free, said Equifax was profiting “off its own screw-up.”
- Republican Rep. Greg Walden asked why one of the nation’s three major credit reporting agencies could allow such a hack to happen. “I don’t think we can pass a law that … fixes stupid,” he said.
- And Republican Sen. John Neely Kennedy referenced Lindsey Lohan to express shock over Equifax’s recent $7.5 million no-bid contract with the Internal Revenue Service: “You realize, to many Americans right now, that looks like we’re giving Lindsay Lohan the keys to the mini-bar.”
(The Monopoly Man even photobombed Smith during one of the Senate hearings, pulling on his fake mustache and holding up a monocle to his right eye.)
Amid the sharp criticism, Smith repeatedly offered up apologies, saying he was “truly, deeply sorry” for what happened.
The pomp and circumstance, entertaining as it was, was fairly predictable — and it’s not clear if the sharp words will translate into legislation that sets better security protocols for safeguarding consumer data, such as phone numbers, Social Security numbers and other personally identifiable information (PII) found on a credit report.
We asked two cybersecurity experts about what we should take away from this week’s hearings — and what’s next.
A quick refresh on the breach
The Equifax breach was unprecedented in its reach, affecting nearly half of the U.S. population, along with at least 400,000 people in the United Kingdom and another 100,000 across Canada.
Initial reports mentioned that hackers possibly plundered critical data through a software vulnerability. The condensed timeline is that Equifax originally reported that it was breached sometime mid-May; the company first discovered the hack on July 29; and the public was notified of the problem on Sept. 7 — six weeks between when Equifax discovered the breach, and when it alerted the public.
This week’s hearings were designed to be educational, with lawmakers hoping to shed more light on what exactly led to the Equifax hack.
Smith, who had stepped down as CEO in late September, said the breach was both a technological error and a human one. But Wired, who was also watching the hearings, noted that the timeline Smith painted was “pretty leisurely.” Lawmakers grew increasingly frustrated with Smith’s explanation of the hack, which appeared to show a lack of urgency on the company’s part.
Republican Rep. Joe Barton of Texas wasn’t having any of it. “You’re just required to notify everybody and say, ‘So sorry, so sad,’” he said to Smith, while consumers are left to deal with the real-life consequences.
Why you should (still) care
The Equifax hack follows a series of high-profile breaches of consumer data at Target, Home Depot and Yahoo, which, during the same week of the Equifax hearings, announced its 2013 hack actually affected all three billion of its customers. Yahoo originally reported it affected one billion. That’s a separate breach from the one in 2014, which affected 500 million accounts. This week, Equifax, too, updated the number of people affected in its hack, from 143 million to 145.5 million.
The Yahoo breaches have been much bigger than the latest at Equifax, Anthem and the Office of Personnel Management. But these smaller breaches involve more vulnerable information, the Social Security numbers in particular, which are the most valuable for thieves.
- Identity theft can cost victims, on average, $1,343 in stolen assets and costs associated with the damage, like legal fees and overdraft charges, according to a Department of Justice survey released in 2015.
- Once the information is exposed, it’s out there, Justin Shipe, vice president of information security at CardConnect, told the Washington Post.
- Any sensitive information gleaned from the hack could have repercussions that could take years to resolve.
What we learned in the hearings (and what we didn’t)
Smith’s 4,000-word prepared testimony added more details to the timeline, but it didn’t fully explain how a company who is legally allowed to sell consumers’ personal data to lenders wasn’t able to adequately safeguard the sensitive information.
Smith has maintained that he didn’t know the scope of the breach. And that’s part of the problem. “Every major company holding consumer data should assume ‘the frontline will always be breached’ at one time or another,” said Avi Chesla, co-founder and chief executive of empow cyber security.”Companies like Equifax should always anticipate a breach. The question is: What are they doing to identify what happened and contain it as soon as they can?” he added.
Can one person be blamed for a hack this size? Smith placed the problem squarely on an “individual” who failed to promptly fix the software before the hack could take place. But experts, including Chelsa, say one person isn’t to blame.
Rep. Barton said that Equifax may have “paid more attention to security” if the company had to pay a penalty for everyone that was hacked. Smith didn’t respond to that suggestion.
We don’t know enough about Equifax’s infrastructure for responding to hacks.
Chesla told the NewsHour that Smith’s explanation for the hack had some gaps and, overall, was “not good enough.”
“[T]hey never provided the details of their architecture,” he said in an email. “If an air bag fails and the passenger dies, we can analyze the air bag to determine what went wrong. Equifax needs to reveal their security architecture as a service to the world, so that won’t happen again,” he added.