WASHINGTON — House Republicans and Democrats on Tuesday lashed out at the former head of Equifax, demanding answers for the massive data breach that compromised the sensitive personal information of an estimated 145 million Americans.
Rep. Frank Pallone, D-N.J., said that if Equifax wants to stay in business, its entire corporate culture needs to change to one that values security and transparency.
“We want answers for consumers because Equifax’s response to this breach has been unacceptable,” said Pallone, the top Democrat of the House Energy and Commerce Committee.
Republican Rep. Greg Walden of Oregon, the committee’s chairman, said the hearing was necessary to do something that Equifax has failed to do in recent months: “Put Americans first.”
Former Equifax chairman and CEO Richard F. Smith testified before a House panel, the first of four hearings on Capitol Hill this week as Congress examines what went wrong. Smith was the only witness at the hearing. No current Equifax employee testified.
The sessions typically turn into a public shaming, and this year the Republican-led Congress has worked to ease government regulations on businesses.
“Equifax deserves to be shamed in this hearing. But we should also ask what Congress has done – or failed to do – to stop data breaches from occurring,” said Rep. Jan Schakowsky, D-Ill.
The revelation last month of the disastrous hack of Equifax’s computer system rocked the company, which faces several state and federal inquiries and several class-action lawsuits. Smith said the company was cooperating with the FBI and state agencies.
Smith attributed the breach to human error and technological error, and said both errors have been addressed.
He also told lawmakers that when he first learned of the breach on July 31, company officials did not realize that personal information about consumers had been stolen. He described suspicious activity against the company’s database as routine. The public was notified of the breach on Sept. 7.
“As we all painfully learned, data security is a national security problem,” Smith told lawmakers.
He said no single company can solve the problem on its own and said a system was needed that would let consumers control access to their personal data.
“Let me close by saying how sorry I am for the breach,” Smith said.
Smith, who resigned after overseeing the company for a dozen years, says Equifax was hacked by a yet-unknown entity. He said the information stolen included names, Social Security numbers, birth dates and addresses. In addition, the credit card information for about 209,000 consumers was stolen, as well as certain documents with personally identifying information for approximately 182,000 consumers.
Smith said the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software used by Equifax and other businesses. The company disseminated that warning by email the next day and requested that applicable personnel install the upgrade. The company’s policy requires the upgrade to occur within 48 hours, but Smith said that did not occur. The company’s information security department also ran scans on March 15 that did not pick up the vulnerability.
Smith also said he was disappointed in the rollout of call centers and a website designed to help the people affected by the breach. He said the company has increased its number of customer service representatives and the website has been improved. He said more than 400 million consumers contacted the company in the weeks following the announcement of the breach. He said the company wasn’t prepared for that kind of volume.
“The scale of the reaction was unprecedented,” Smith said.
Rep. Ryan Costello, R-Pa., said hundreds of constituents have contacted his office with their concerns about the breach and the company’s response.
“The slow rollout and how poor it was done. To me, it was just inexcusable,” Costello said.
Several Democratic lawmakers on the committee signed on to legislation that they said would establish data security standards that companies would have to follow and require prompt notification of consumers of the breach. Comparable legislation in past congressional sessions has failed to gain significant traction.