Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Congress Grills Former Equifax CEO Over Data Breach

    By
    SEAN MICHAEL KERNER
    -
    October 5, 2017
    Share
    Facebook
    Twitter
    Linkedin
      Equifax CEO testimonty

      Some breaches have more fallout than others. For two days this week, former Equifax CEO Richard Smith was on Capitol Hill answering questions from lawmakers and taking heated criticism of his handling of a breach that exposed personally identifiable information on 145.5 million Americans.

      Throughout the ordeal, Smith mostly sat calmly, hands clasped on the desk in front of him, as he politely responded to questions about the breach his company first publicly disclosed on Sept. 7. As a result of the breach, a number of Equifax executives retired, including the company’s chief information officer and chief security officer. Smith himself retired from Equifax on Sept. 26.

      The first day of Smith’s testimony was Oct. 3, when he appeared before the Digital Commerce and Consumer Protection Subcommittee of the House Commerce Committee. Smith began his appearance with prepared remarks, in which he admitted the company was aware of a known vulnerability but failed to patch it.

      During questioning by members of the committee, Smith revealed additional details about the patching oversight. The root CVE-2017-5638 vulnerability that enabled attackers to breach Equifax was identified as a flaw in the open-source Apache Struts framework.

      Smith attributed the missed patch to human error on the part of a single individual who did not properly alert the correct teams within Equifax to patch. Smith noted that Equifax also used a scanner that was intended to find potentially vulnerable and unpatched software and, for reasons unknown, that scanner also failed to find the unpatched Struts software.

      The former Equifax CEO was also asked about data protection policies. As it turns out, the data that was stolen was not encrypted. “To be very specific, this data was not encrypted at rest,” Smith said. “There are varying levels of security techniques that the team deploys in different environments around the business.”

      Senate

      Smith returned to Capitol Hill on Oct. 4 for another grueling session, this time in front of the Senate Banking Committee. Smith did not receive a warm welcome from the senators, who berated his company’s security and data collection practices and questioned the ability of Equifax to work with the U.S. government.

      Sen. Sherrod Brown, D-Ohio, noted during the hearing that Equifax spent $250 million in cyber-security over the past three years, for an average of $85 million a year. He added that Smith earned approximately $69 million per year.

      “In hindsight, do you think Equifax should have spent more money protecting people’s data rather than compensating you so well?” Brown asked.

      In hindsight, perhaps money could have been spent differently, Smith responded. That said, there is an industry benchmark for financial services security spending as a percentage of total IT spend, he said. According to Smith, that benchmark is for a spend of between 10 and 14 percent, with Equifax coming in at 12 percent.

      Sen. Elizabeth Warren, D-Mass., did not mince her words when questioning Smith. She noted that Equifax has been hacked several times in recent years and that Equifax has consistently been rated as having some of the worst data security practices in the financial services industry.

      “This latest hack happened through a hole in your system that had been identified months before and could have been fixed pretty easily,” Warren said. “The whole thing is staggering, a company like Equifax that has sensitive personal information on most Americans should have the best data security in the industry, and instead it has the worst.”

      Warren also took aim at Smith and Equifax for profiting from the breach by selling additional fraud and identity protection services to consumers. She stated that Equifax did a terrible job of protecting data because the incentives and revenue model in the credit reporting and monitoring industry are “out of whack.”

      “Because of this breach, consumers will spend the rest of their lives worrying about identity theft,” Warren said. “But Equifax will be just fine. Heck, it could actually come out ahead.”

      Sen. Ben Sasse, R-Neb., was the last senator to speak at the Oct. 4 hearing, and he echoed much of what Warren said. Sasse noted that Equifax has what he referred to as a “broken windows” business model, where the company first breaks and then offers to fix the metaphorical window. Sass also questioned the integrity and ability of Equifax to handle U.S. government business, in particular an Internal Revenue Service (IRS) contract that it was recently awarded for fraud prevention.

      “I appreciate the fact that you have resigned from the company,” Sasse said. “But as an American, why should anybody hire Equifax for fraud protection right now?”

      Smith responded by saying that while he understands the senator’s point, Equifax should not be judged by a single incident.

      “It was a horrific breach, and I apologize on behalf of the company for that breach. We’ll make it right as best we can,” Smith said. “But it doesn’t wipe out 118 years of good work we’ve done.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×