Lawmakers are angry over Equifax's massive data breach. Where do we go from here?
Richard Smith went to Washington this week to face panel upon panel of angry lawmakers who questioned the former Equifax CEO on the hows and whys of last month's massive data breach, which compromised the financial and personal information of more than 145 million Americans.
In the span of three days, Smith faced a barrage of questions from House and Senate committees in four separate congressional hearings, each providing several moments of political theater.
- Democratic Sen. Elizabeth Warren, who has co-sponsored a bill that would allow consumers to freeze their credit reports for free, said Equifax was profiting "off its own screw-up."
- Republican Rep. Greg Walden asked why one of the nation's three major credit reporting agencies could allow such a hack to happen. "I don't think we can pass a law that … fixes stupid," he said.
- And Republican Sen. John Neely Kennedy referenced Lindsey Lohan to express shock over Equifax's recent $7.5 million no-bid contract with the Internal Revenue Service: "You realize, to many Americans right now, that looks like we're giving Lindsay Lohan the keys to the mini-bar."
(The Monopoly Man even photobombed Smith during one of the Senate hearings, pulling on his fake mustache and holding up a monocle to his right eye.)
Amid the sharp criticism, Smith repeatedly offered up apologies, saying he was "truly, deeply sorry" for what happened.
The pomp and circumstance, entertaining as it was, was fairly predictable — and it's not clear if the sharp words will translate into legislation that sets better security protocols for safeguarding consumer data, such as phone numbers, Social Security numbers and other personally identifiable information (PII) found on a credit report.
We asked two cybersecurity experts about what we should take away from this week's hearings — and what's next.
A quick refresh on the breach
The Equifax breach was unprecedented in its reach, affecting nearly half of the U.S. population, along with at least 400,000 people in the United Kingdom and another 100,000 across Canada.
Initial reports mentioned that hackers possibly plundered critical data through a software vulnerability. The condensed timeline is that Equifax originally reported that it was breached sometime mid-May; the company first discovered the hack on July 29; and the public was notified of the problem on Sept. 7 — six weeks between when Equifax discovered the breach, and when it alerted the public.
This week's hearings were designed to be educational, with lawmakers hoping to shed more light on what exactly led to the Equifax hack.
Smith, who had stepped down as CEO in late September, said the breach was both a technological error and a human one. But Wired, who was also watching the hearings, noted that the timeline Smith painted was "pretty leisurely." Lawmakers grew increasingly frustrated with Smith's explanation of the hack, which appeared to show a lack of urgency on the company's part.
Republican Rep. Joe Barton of Texas wasn't having any of it. "You're just required to notify everybody and say, 'So sorry, so sad,'" he said to Smith, while consumers are left to deal with the real-life consequences.
Why you should (still) care
The Equifax hack follows a series of high-profile breaches of consumer data at Target, Home Depot and Yahoo, which, during the same week of the Equifax hearings, announced its 2013 hack actually affected all three billion of its customers. Yahoo originally reported it affected one billion. That's a separate breach from the one in 2014, which affected 500 million accounts. This week, Equifax, too, updated the number of people affected in its hack, from 143 million to 145.5 million.
The Yahoo breaches have been much bigger than the latest at Equifax, Anthem and the Office of Personnel Management. But these smaller breaches involve more vulnerable information, the Social Security numbers in particular, which are the most valuable for thieves.
- Identity theft can cost victims, on average, $1,343 in stolen assets and costs associated with the damage, like legal fees and overdraft charges, according to a Department of Justice survey released in 2015.
- Once the information is exposed, it's out there, Justin Shipe, vice president of information security at CardConnect, told the Washington Post.
- Any sensitive information gleaned from the hack could have repercussions that could take years to resolve.
What we learned in the hearings (and what we didn't)
Smith's 4,000-word prepared testimony added more details to the timeline, but it didn't fully explain how a company who is legally allowed to sell consumers' personal data to lenders wasn't able to adequately safeguard the sensitive information.
Smith has maintained that he didn't know the scope of the breach. And that's part of the problem. "Every major company holding consumer data should assume 'the frontline will always be breached' at one time or another," said Avi Chesla, co-founder and chief executive of empow cyber security."Companies like Equifax should always anticipate a breach. The question is: What are they doing to identify what happened and contain it as soon as they can?" he added.
Can one person be blamed for a hack this size? Smith placed the problem squarely on an "individual" who failed to promptly fix the software before the hack could take place. But experts, including Chelsa, say one person isn't to blame.
Rep. Barton said that Equifax may have "paid more attention to security" if the company had to pay a penalty for everyone that was hacked. Smith didn't respond to that suggestion.
We don't know enough about Equifax's infrastructure for responding to hacks.
Chesla told the NewsHour that Smith's explanation for the hack had some gaps and, overall, was "not good enough."
"[T]hey never provided the details of their architecture," he said in an email. "If an air bag fails and the passenger dies, we can analyze the air bag to determine what went wrong. Equifax needs to reveal their security architecture as a service to the world, so that won't happen again," he added.
What can be done?
There ought to be more rigor in setting standards for data companies, said Mark Testoni, president and CEO of SAP National Security Services. He cited the financial services industry as a model, including banks, where there's some level of government oversight and industry collaboration. "[Those institutions] know we're all in this together," he said. Testoni doesn't see the same level of regulation and collaboration within the cyber arena.
One approach to making that happen: The government creates a set of standards that is paired with peer evaluation and other methods to help individual companies get better at cyber security.
It's not a perfect answer to the problem, but it's at the least a model to improve on, Testoni said.
But the threat is getting exponentially greater and our response has to be greater — and legislation is only a part of the equation, Testoni said.
"We don't want Congress to tell us how to protect something. We want Congress a framework to evolve security overtime," Testoni said. "Personal databases are part of our critical infrastructure in our country. We need to acknowledge that and apply some standards on how this needs to be protected," he added. The breach, Testoni hopes, can be a "call to action."
At the end of the day, a lot of the problem also lies with us.
"Ultimately, most cyber penetrations are because somebody let them in inadvertently," he said. This would mean spear-phishing emails, visiting bad websites, among other ways hackers can lure unsuspecting people into compromising their information.
"There needs to be education that's not so different from when we started educating people on tobacco use, littering and pollution, he said.
That way we can raise our collective IQ around cyber as Americans, he said.
Where do we go from here?
The hearings have come and gone. But how do we translate the lessons of this hack into legislation that properly addresses the changing notions around cybersecurity?
Despite all the negative consequences, the breach fallout has provided an opportunity to also have a conversation over how we evolve beyond the "static" identifiers, like Social Security numbers, which are highly vulnerable in these types of cyberattacks.
Testoni doesn't think the country will get rid of static identifiers like SSNs, created in 1936, anytime soon, but he says the country could "augment" them by requiring additional identifiers or authenticators.
Part of the response now partly requires the average consumer to learn a "new 'self-defense,'" Chesla said. "The processes of cybersecurity are simply too complex for the average consumer, however that does not preclude the fact that they should be aware of the threats that exist," he said in an email to NewsHour.
There have been a wave of lawsuits filed by state attorneys against Equifax. There have also been new calls for legislation. By The Wall Street Journal's count, there are at least eight bills that hope to push the credit reporting industry toward better cybersecurity practices and quicker responses to breaches. A Republican-controlled Congress could complicate that process. As a reminder, the sweeping Cybersecurity Act of 2015 was years in the making and had several false starts.
Should consumers have greater control over their credit reports? Also, months before the breach was disclosed, Equifax was lobbying to relax the "legal liability of credit-reporting companies," the Journal reported. During one of the hearings, there were calls for consumers having greater control over their credit reports. Smith agreed. He announced that the company was going to offer customers the ability to lock their reports next year, available for free. He then urged the company's competitors TransUnion and Experian to do the same.
"It's time we change the paradigm and give the power back to the consumer to control who accesses his or her credit," he said.
Any paradigm-shifting path forward was quickly dashed hours later. Experian issued a response: No.