Some breaches have more fallout than others. For two days this week, former Equifax CEO Richard Smith was on Capitol Hill answering questions from lawmakers and taking heated criticism of his handling of a breach that exposed personally identifiable information on 145.5 million Americans.
Throughout the ordeal, Smith mostly sat calmly, hands clasped on the desk in front of him, as he politely responded to questions about the breach his company first publicly disclosed on Sept. 7. As a result of the breach, a number of Equifax executives retired, including the company’s chief information officer and chief security officer. Smith himself retired from Equifax on Sept. 26.
The first day of Smith’s testimony was Oct. 3, when he appeared before the Digital Commerce and Consumer Protection Subcommittee of the House Commerce Committee. Smith began his appearance with prepared remarks, in which he admitted the company was aware of a known vulnerability but failed to patch it.
During questioning by members of the committee, Smith revealed additional details about the patching oversight. The root CVE-2017-5638 vulnerability that enabled attackers to breach Equifax was identified as a flaw in the open-source Apache Struts framework.
Smith attributed the missed patch to human error on the part of a single individual who did not properly alert the correct teams within Equifax to patch. Smith noted that Equifax also used a scanner that was intended to find potentially vulnerable and unpatched software and, for reasons unknown, that scanner also failed to find the unpatched Struts software.
The former Equifax CEO was also asked about data protection policies. As it turns out, the data that was stolen was not encrypted. “To be very specific, this data was not encrypted at rest,” Smith said. “There are varying levels of security techniques that the team deploys in different environments around the business.”
Senate
Smith returned to Capitol Hill on Oct. 4 for another grueling session, this time in front of the Senate Banking Committee. Smith did not receive a warm welcome from the senators, who berated his company’s security and data collection practices and questioned the ability of Equifax to work with the U.S. government.
Sen. Sherrod Brown, D-Ohio, noted during the hearing that Equifax spent $250 million in cyber-security over the past three years, for an average of $85 million a year. He added that Smith earned approximately $69 million per year.
“In hindsight, do you think Equifax should have spent more money protecting people’s data rather than compensating you so well?” Brown asked.
In hindsight, perhaps money could have been spent differently, Smith responded. That said, there is an industry benchmark for financial services security spending as a percentage of total IT spend, he said. According to Smith, that benchmark is for a spend of between 10 and 14 percent, with Equifax coming in at 12 percent.
Sen. Elizabeth Warren, D-Mass., did not mince her words when questioning Smith. She noted that Equifax has been hacked several times in recent years and that Equifax has consistently been rated as having some of the worst data security practices in the financial services industry.
“This latest hack happened through a hole in your system that had been identified months before and could have been fixed pretty easily,” Warren said. “The whole thing is staggering, a company like Equifax that has sensitive personal information on most Americans should have the best data security in the industry, and instead it has the worst.”
Warren also took aim at Smith and Equifax for profiting from the breach by selling additional fraud and identity protection services to consumers. She stated that Equifax did a terrible job of protecting data because the incentives and revenue model in the credit reporting and monitoring industry are “out of whack.”
“Because of this breach, consumers will spend the rest of their lives worrying about identity theft,” Warren said. “But Equifax will be just fine. Heck, it could actually come out ahead.”
Sen. Ben Sasse, R-Neb., was the last senator to speak at the Oct. 4 hearing, and he echoed much of what Warren said. Sasse noted that Equifax has what he referred to as a “broken windows” business model, where the company first breaks and then offers to fix the metaphorical window. Sass also questioned the integrity and ability of Equifax to handle U.S. government business, in particular an Internal Revenue Service (IRS) contract that it was recently awarded for fraud prevention.
“I appreciate the fact that you have resigned from the company,” Sasse said. “But as an American, why should anybody hire Equifax for fraud protection right now?”
Smith responded by saying that while he understands the senator’s point, Equifax should not be judged by a single incident.
“It was a horrific breach, and I apologize on behalf of the company for that breach. We’ll make it right as best we can,” Smith said. “But it doesn’t wipe out 118 years of good work we’ve done.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.