Former Equifax Inc. chief Richard Smith repeatedly told legislators Tuesday that he and other executives weren't aware of the significance of the company's data breach until weeks after it was detected in late July.
Those assertions failed to mollify members of Congress who slammed Mr. Smith and Equifax for allowing the hack to happen, failing to immediately realize its significance and the handling of the problem after disclosing it publicly.
Continue Reading Below
Lawmakers also raised questions about the current structure of credit-reporting companies, whether they need more regulation and the amount of consumer information that they gather.
Mr. Smith, testifying before a subcommittee of the House Committee on Energy and Commerce, said the company initially knew there was an incident involving "suspicious activity," but not that millions of Americans' personal information had been compromised.
"It is unconscionable that Equifax failed so spectacularly to protect people's most sensitive personal data," said Rep. Ben Ray Luján (D., N.M.), who questioned what the company was doing to prevent another attack and how it would compensate affected consumers.
The grilling of Mr. Smith, who stepped aside last week as the company's chairman and chief executive, kicked off a series of congressional hearings this week set to examine the company's hack.
Under questioning by committee members, Mr. Smith provided more details about how the stage was set for the breach, which has affected potentially 145.5 million Americans. After the company received a public notice of a security vulnerability, an employee failed to notify other staff to patch the software issue, Mr. Smith said. He didn't name the employee.
Mr. Smith told legislators the error was compounded by a scanning system that failed to pick up the vulnerability. Subsequent investigations found this vulnerability allowed hackers to enter Equifax's systems.
"It's like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults," said Rep. Greg Walden, (R., Ore.), the chairman of the full Energy and Commerce Committee. He called Equifax's response to consumers "ham-handed."
Mr. Smith said the reason the scanning system failed to pick up on the vulnerability is still under investigation.
The former CEO faced questions about when he was notified of the breach and what exactly he knew about it. Equifax said its security team noticed suspicious activity on July 29. Mr. Smith said he was informed two days later, on July 31, by his then-chief information officer.
Mr. Smith said a "suspicious movement of data" had occurred in a dispute portal, which is where consumers go to contest information on their credit reports.
Lawmakers pressed Mr. Smith on what the company's chief legal officer, John J. Kelley, knew regarding the incident at the end of July. Mr. Smith said Mr. Kelley was also informed July 31 of suspicious activity.
Lawmakers also asked about three senior executives who sold shares on Aug. 1 and 2. Mr. Smith confirmed that Mr. Kelley would have been required to sign off on such sales. Earlier this week, The Wall Street Journal reported that Equifax's board is reviewing Mr. Kelley's actions in regard to the share sales. Rep. Tony Cárdenas (D., Calif.) said he would like to request a hearing with Mr. Kelley.
The company has said those three executives who sold shares weren't aware of a breach at the time. Mr. Smith said all three executives are "honorable men, men of integrity" and that they followed proper procedures in selling the shares. All three are still at Equifax.
The Equifax hackers haven't been identified, and Mr. Smith wouldn't say whether he thought the cyberattack was state-sponsored. He said only that the company has "engaged the FBI."
Mr. Smith said Equifax has spent $250 million over the past three years on beefing up its data security. From when he became CEO in 2005, when the company had virtually no focus on cybersecurity, Equifax now has a team of 225 professionals around the world, Mr. Smith said.
Lawmakers were broadly critical of the credit-reporting industry, which is headed by three major companies: Equifax, Experian PLC and TransUnion. The industry is underregulated and collects detailed information on Americans who don't have a choice in the matter, Rep. Jan Schakowsky (D., Ill.) said.
"We can't trust credit-reporting (companies) to self-regulate," she said.
Equifax has offered free services to help protect consumers from identity theft. But Rep. Luján jousted with Mr. Smith over what the company could do to compensate consumers who might be harmed because of the Equifax breach. For example, Mr. Lujan asked if Equifax would compensate consumers whose identity was stolen.
"It's hard for me to tell if someone has been harmed," Mr. Smith replied, "so I can't answer the question."
One of the biggest concerns expressed by committee members was the notion that consumers now face a continuing threat because of the theft of Social Security numbers. Those in theory could be used to steal consumers' identities at any time from now on. "This is forever, right?" asked Rep. Jerry McNerney (D., Calif.).
--Yuka Hayashi contributed to this article.
Write to AnnaMaria Andriotis at firstname.lastname@example.org, Michael Rapoport at Michael.Rapoport@wsj.com and Christina Rexrode at email@example.com
(END) Dow Jones Newswires
October 03, 2017 17:04 ET (21:04 GMT)