Senators in hearings this week denounced Equifax’s handling of the data breach that is now estimated to have affected 145 million Americans.
Equifax Chairman and former CEO Richard Smith testified before the Senate Committee on Banking, Housing, and Urban Affairs on Oct. 4. Smith announced that the company will release an application on Jan. 31, 2018, that will allow consumers to lock and unlock their credit data on demand.
Senators expressed concern that this tool wouldn’t be enough to earn back consumer trust and keep data secure, saying that consumers should be able to ask Equifax to relinquish their data altogether.
“This simply is not a company that deserves to be trusted with Americans’ data,” said Sen. Sherrod Brown, D-Ohio.
The United States Computer Emergency Readiness Team (US-CERT) notified Equifax on March 8 of the vulnerability that was later responsible for the hack. Equifax's staff failed to patch it because of a breakdown in communication: according to Smith, the team responsible for patching never received the notice to patch the system, and the scanner Equifax uses to find vulnerabilities subsequently failed to detect the unpatched flaw.
Equifax detected “suspicious activity” on its networks in July. Equifax sought outside counsel and notified the FBI on Aug. 2.
“At that time, we did not know the nature or the scope of the incident,” Smith said.
In late August, Equifax determined when to tell the public about the attack, set up extra call centers and services to help consumers, cooperated with the FBI on its criminal investigation into the breach, and prepared for more attacks after the announcement. Cyber experts told Equifax that bad actors tend to converge on companies that publicly announce that they’ve been hacked to further exploit vulnerable systems.
“This could have been avoided if you had taken the simple step of doing security patches,” said Brown.
Smith stepped down as CEO of Equifax on Sept. 26 but continues to work for free for the company.
Rep. Joe Donnelly, D-Ind., said that he sent a letter to Smith after the hack asking how the company would help active military personnel who were overseas and might not have the time or access to correct problems with their credit data after the hack. Equifax sent back a form letter that never mentioned service members, according to Donnelly. Smith said that all service members could do was hire a lawyer to act on their behalf.
Despite the major breach, Equifax received a no-bid contract from the Internal Revenue Service (IRS) for fraud protection on Oct. 4, worth about $7.25 million. Several senators expressed concern about this.
“Your remediation efforts don’t pass basic cyber 101 hygiene,” said Sen. Mark Warner, D-Va.
Sen. Elizabeth Warren, D-Mass., said that companies should have to pay “severe” penalties whenever a consumer’s personal data gets stolen, in order to ensure that similar lapses in cybersecurity don’t continue.
“They didn’t have a reason to care to protect our data,” Warren said. “The incentives in this business are out of whack.”