Five takeaways from Equifax’s brutal week

Frustrated lawmakers last week put Equifax through the wringer over a massive data breach that affected more than 145 million Americans.

Richard Smith, the former CEO of the credit reporting agency, testified before Congress on four separate occasions, all of them providing lawmakers an opportunity to air their grievances.

Here are five key takeaways from the hearings. 

Equifax waited to notify the public at the advice of attorneys

Equifax initially provided little information on the timeline for the breach, saying only that the activity was first detected on July 29, more than a month before the company notified the public of the incident on Sept. 7.

Smith, who is still advising the interim CEO, clarified this week that he was first notified of “suspicious activity” on a dispute portal on July 31, but that he didn’t know until Aug. 15 that the incident constituted a breach in which hackers accessed “some” consumers’ personal information. 

“We did not know how much data was compromised,” Smith told the House Energy and Commerce Committee on Tuesday.

Smith said he briefed the presiding director of the board on Aug. 22, and the full board days later. The company took more than two weeks to publicly disclose the breach, Smith said, because Equifax’s outside counsel, King & Spaulding, and cybersecurity firm Mandiant advised the company to first have a plan in place to protect consumers affected by the breach. 

The company’s investigation into the breach continues. Equifax raised the count of Americans affected from 143 million to 145.5 million on Monday, in advance of Smith’s testimony.

The company says human, technology errors caused breach 

Hackers exploited a vulnerability in a version of Apache Struts software that was used by Equifax but had not been patched, despite a March alert from the Department of Homeland Security directing companies to apply the patch.

Smith blamed a combination of human and technological errors for Equifax’s failure to fix the vulnerability. The individual designated to notify personnel to apply the patch failed to do so, Smith said.

Moreover, a technology that scans for vulnerabilities in the company’s systems did not detect the vulnerability later on in mid-March. As a result, hackers were able to intrude on May 13 and maintained access to sensitive information until July 30.

Smith also told lawmakers that the individual responsible for the patching failure has stepped down, in addition to himself, the company’s chief technology officer and chief security officer.

Still, that didn’t appease lawmakers.

“Four out of the total [10,000 employees]. Wouldn’t you agree with me, that many more than four are responsible here?” said Sen. Richard Blumenthal (D-Conn.) during the Senate Banking Committee hearing on Wednesday. 

Smith also revealed that the personal data accessed was not encrypted at the time it was accessed, prompting further scrutiny.

“How could a company that deals in data not protect that data?” Rep. Ed Royce (R-Calif.) said Thursday during the House Financial Services Committee meeting. 

“I think the answer lies in what your company did not do. You did not protect their personal information, you did not encrypt that data, you did not patch a vulnerability that you were alerted to on March 8, you did not disclose the breach to the public until 117 days after it occurred,” he said. 

Support is growing for a national breach notification standard

Lawmakers on both sides of the aisle expressed support for legislating a national standard for companies to notify individuals impacted by data breaches, as they questioned why it took Equifax weeks to publicly notify consumers of the breach.

The calls intensified this week, with Sen. Chuck Grassley (R-Iowa), chairman of the Senate Judiciary Committee, forecasting plans to introduce bipartisan legislation establishing a uniform breach notification standard along with Sen. Dianne Feinstein (D-Calif.), the ranking member.

“It’s long past time for a uniform national data security and breach notification standard,” Grassley said ahead of Smith’s testimony before the committee on Wednesday. “I remain committed to getting a good bill put together and over the finish line.” 

Currently, 48 states have their own rules for when companies must notify the victims of breaches.

House Financial Services Committee Chairman Jeb Hensarling (R-Texas) similarly expressed support for a national standard.

“I do believe that we need to ensure we have a consistent national standard for both data security and breach notification in order to better protect our consumers, hold companies accountable, and ensure that this affair does not repeat itself,” he said Thursday.

Meanwhile, Rep. Jim Langevin (D-R.I.) reintroduced legislation following the Equifax breach that would establish a 30-day national standard for breach notifications and mandate that the Federal Trade Commission help coordinate the disclosures.

Nation state-sponsored hackers are not being ruled out

Smith offered up little information on the hackers behind the breach, repeatedly referring to an FBI investigation. When questioned, Smith would not rule out that the hackers were sponsored by a nation state.

“We’ve engaged the FBI at this point, that’s all I’ll say,” he said Tuesday.

Bloomberg reported last week that hackers used techniques that have been previously linked to state-sponsored hackers.

While Smith said that investigators tracked the IP addresses of the criminals, he said their identities and whereabouts remain unknown. 

Smith did, however, acknowledge the sophistication with which the criminals moved through the company’s system, evading the company’s security personnel for more than a month.

“They’re very fairly sophisticated, they being the criminal hackers. They moved about the system without moving what we define in our environment as large files. So the files themselves in size were not suspicious,” he said Thursday. “They were also careful to move at … very high speeds.” 

The suspicions about stock trades aren’t going away

Smith’s testimony failed to assuage concerns about senior Equifax executives who sold nearly $2 million in company stock in the days after the suspicious activity was detected. 

The revelation in September made waves on Capitol Hill and has reportedly generated a Justice Department investigation into possible violations of insider trading laws. 

Smith repeatedly told lawmakers this week that, to the best of his knowledge, the executives were not aware of the activity at the time they made the trades and that they followed normal protocols. He also emphasized that the company did not know personal information had been accessed at the time.

The company’s general counsel approved the trades, and he became aware of the suspicious activity around the same time.

“That’s a problem because it looks pretty suspicious,” said Sen. Heidi Heitkamp (D-N.D.) on Wednesday. “And your chief legal officer has some explaining to do, because even after he knew that there was a notification to the FBI about this level of breach, he did not claw back or try to undo those transactions … what clearly appears to be a pretty beneficial situation for three of your employees.” 

Rep. David Scott (D-Ga.) demanded further investigation into the stock sales on Thursday. 

“That has to be investigated and cleared in order to get the confidence of the American people back,” Scott said.