Equifax’s former chief executive faced the Senate Banking Committee this morning in the first of two congressional hearings in one day.
Lawmakers on Capitol Hill continued to grill Equifax’s former CEO Richard Smith on Wednesday over this year’s massive data breach that may have affected 145.5 million American consumers.
After testifying before a House subcommittee on Monday, Smith is scheduled to field questions from Senate lawmakers today in two separate hearings. By the end of the week, Smith will have testified in four congressional hearings.
Among the highlights from Tuesday’s hearings, from the Associated Press:
Sen. Elizabeth Warren, D-Mass., who has introduced legislation aimed at better protecting consumer data, said Equifax wasn’t motivated enough to protect that information. Her proposal calls for tougher penalties when companies fail to protect consumer data. Smith agreed that consumers should control who gets access to their financial data, adding that Equifax had planned on rolling out an online service in January that would allow consumers to decide when to lock or unlock their credit reports.
But the biggest sore point for lawmakers appeared to be Equifax’s new $7.25 million contract with the Internal Revenue Service signed last month. Both sides of the aisle condemned the no-bid contract. The credit reporting agency is tasked with providing data services that “verify taxpayer identity” and “assist in ongoing identity verification and validation” for the IRS, according to a contract award flagged by Politico.
In a letter to IRS Commissioner John Koskinen, Democratic Rep. Earl Blumenauer of Oregon said, “I was initially under the impression that my staff was sharing a copy of the Onion, until I realized this story was, in fact, true.”
In today’s hearings, other lawmakers were similarly gobsmacked. “Why in the world should you get a no-bid contract right now?” Republican Sen. Ben Sasse of Nebraska asked Smith this morning. Republican Sen. John Kennedy of Louisiana took it a step further by bringing Lindsay Lohan into the mix for his heightened simile.
“You realize, to many Americans right now, that looks like we’re giving Lindsay Lohan the keys to the mini-bar,” he said.
In a statement explaining the decision, the IRS confirmed the contract renewal, adding that it was done to prevent a lapse in service.
“Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems,” the statement also read.
Equifax’s former chief executive fielded questions from senators in his second hearing of the day.
On Monday, Smith told a House Energy and Commerce subcommittee that the data breach earlier this year could be traced back to the mistakes of a single employee that compromised the personal and financial information, including home addresses and Social Security numbers, of millions of consumers.
Smith said the security lapse could have been prevented if the “individual” had properly administered the software fixes to protect the sensitive data from hackers, The New York Times reported.
When the breach was originally disclosed to the public, the total number of affected consumers stood around 143 million people. On Monday, the credit reporting agency increased that number by 2.5 million people.
During Monday’s hearing, Smith apologized for the breach but also downplayed the seriousness of the problem. Smith said there was no indication that the data, while hacked, wasn’t removed from their system. Lawmakers, however, said the company’s lackluster safeguards for consumer data were inadequate. A recap of that first hearing can be found here.
Democratic Rep. Frank Pallone of New Jersey also homed in on the company’s response to the breach, saying its customer service was “confusing and unhelpful,” a common Equifax customer complaint in the wake of the hack.
Republican Rep. Greg Walden of Oregon asked how this could happen “when so much is at stake?”
“I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid,” he said.
That last part is telling, a possible signal of what could, or could not, happen after this week’s hearings. The Associated Press has pointed out the historical narrative that tends to play out after every major breach in recent years, including those at Target, Home Depot and Yahoo, which announced Tuesday that all 3 billion of its accounts were affected by a 2013 hack. The company originally reported last year that 1 billion consumers were affected. Namely, despite the public anger on display from lawmakers, actual legislation to better safeguard consumer data doesn’t tend to follow.
The AP said this is partly due to a lack of support from a Republican-controlled Congress.