Congress Grills Equifax Ex-CEO on Breach
House Subcommittee Scrutinizes What Happened, Considers Next Steps
During the first of three Congressional hearings this week to examine the Equifax mega-breach, members of both parties Tuesday grilled – and at times roasted – the firm’s former CEO for three hours about details surrounding the incident.
The scrutiny included questioning Richard F. Smith – who “retired” from Equifax on Sept. 26 – about the credit reporting company’s security practices and handling of the incident as well as the sale of $1.8 million in stock by three top executives weeks prior to the public disclosure of the breach.
“There’s no such thing as perfect security, but there’s a responsibility to protect consumer information,” said Rep. Greg Walden, R-Oregon. “We’re here today to do what Equifax failed to do, and that’s put consumers first.” But in the Equifax incident, “it’s like the guards of Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,” he said.
Commenting on Equifax’s missteps after the breach, Rep. Jan Schakowsky, D-Ill., said: “Consumers deserve a lot more than what they got from Equifax.”
At the hearing, members of the House Committee on Energy and Commerce’s Subcommittee on Digital Commerce and Consumer Protection also weighed in on potential regulatory or legislative action that’s needed to better protect consumers from devastating breaches involving highly personal information.
Smith declined to answer a question about who is suspected to be behind the attacks, including whether the breach involved a nation-state. “The FBI is investigating,” he testified.
Calls for Action
Republicans and Democrats alike called on Congress and regulators to take further action to examine why breaches involving consumer data are so prevalent and what’s needed to better address the issues.
“I’d call [the Equifax breach] shocking, but is it really?” Schakowsky asked.
“I think it’s time at the federal level to put teeth into this,” said Rep. Joe Barton, R-Texas, suggesting that potential penalties for each consumer account affected by a breach could give the industry an incentive to better protect data.
Schakowsky and several other Democrats touted proposed legislation, repeatedly introduced and stalled in Congress, that aims to establish data security standards, require prompt breach notification and require relief for consumers affected by incidents.
Rep. Ben Ray Lujan, D-N.M., said he hopes Congress sees “mark-ups and bills by the holidays to give consumers confidence again. This is a mess.”
Meanwhile, Smith, the former Equifax CEO, argued that it’s time to come up with a way to replace the use of Social Security numbers to identify consumers.
Stock Sale Questioned
Members of the Congressional panel expressed serious concerns about three Equifax executives selling more than $1 million worth of stock several weeks before the company disclosed the breach. Schakowsky said the stock sale “doesn’t pass the smell test.”
Smith said that the stock sales on Aug. 1 and Aug. 2 by the three executives occurred during the 30-day window in which insiders can sell stock following the company’s quarterly call with financial analysts. The sales were signed off by Equifax chief legal counsel John Kelly, he noted.
When asked if the three executives knew about the breach at the time of the stock sales, Smith said, “to the best of my knowledge, they didn’t.”
Rep. Tony Cardenas, D-Calif., said he wants Equifax to provide a trail of the communication regarding the incident and its timeline. He said he would request a hearing on the stock sale issues with testimony from Kelly.
‘Human and Tech Failures’
The root of Equifax’s breach was “human and technology failures” involving unpatched vulnerabilities in open source Apache Struts software, Smith testified.
After the Department of Homeland Security sent out a notification in March about the need to patch a particular Apache Struts software vulnerability, the individual within Equifax responsible for communicating that information to the Equifax patch team failed to do so, Smith testified. Then, a few days later, a scanning device failed to detect the vulnerability, he said.
“The technology did not find the vulnerability, and that’s still under investigation,” he said.
Rep. Tim Murphy, R-Pa., asked if the devices responsible for scanning vulnerabilities were misconfigured. “I have no knowledge of that,” Smith replied.