October 03, 2017

Ex-Equifax CEO testifies, says breach was due to human error

While testifying before the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection yesterday, ex-Equifax CEO Richard Smith said more can be done to protect consumers' financial information in light of the company's recent data breach.

Smith, who acknowledged Equifax's failure to apply a patch to a known security issue prior to the breach, indicated business and industry cooperation with legislation that might come from these congressional hearings.

During Tuesday's hearing, Smith defended the timeline and the actions he and other employees took after the breach was discovered. It was the first of four congressional hearings Smith is set to testify in this week.

Members of the subcommittee were mostly concerned with who knew what details of the breach, when details were revealed and what processes Equifax had in place to detect and recover from system breaches. Smith announced his retirement from the company last week; two senior security executives retired earlier in September.

Smith reiterated that the suspicious activity was first detected on July 31, but it was unclear for a few weeks whether personally identifiable information was stolen. He blamed the incident on a human failure to apply a software patch to a known issue in March 2017, as well as a technological failure of a scanner that didn't detect the vulnerability in the affected portal.

When asked if Equifax would compensate consumers for damage caused by the breach, Smith gave no direct answer to that question but apologized again for what happened. To provide consumers with more control of their financial data, Smith said, Equifax is creating a free product that will allow consumers to lock and unlock their personal information.

He also told subcommittee members that, to the best of his knowledge, executives who sold stock immediately after the incident was detected were not aware of the breach.

Mandiant, the company Equifax hired to investigate the data breach, revealed Monday that an additional 2.5 million Americans may be affected by the hack, bringing the total number to more than 145 million Americans. The breach revealed information such as names, driver's license numbers, Social Security numbers and birthdates.

Smith will testify in two hearings focused on the breach today: the Senate Banking Committee hearing begins at 10 a.m. Eastern, followed by a hearing at 2:30 p.m. Eastern with the Senate Judiciary Subcommittee on Privacy, Technology and the Law.

NAFCU President and CEO Dan Berger again sent letters to the committees ahead of the hearings, calling for congressional action to ensure that credit unions do not bear the cost of negligent data practices by entities like Equifax.

Berger urged that all entities that handle personal financial data be subject to the same standards credit unions and other financial depository institutions follow under the Gramm-Leach-Bliley Act (GLBA), and he specifically called for credit rating agencies already subject to the GLBA, like Equifax, to undergo the same examinations for compliance as credit unions.