Former Equifax (NYSE:EFX) CEO Richard Smith will assume the hot seat before the Senate Banking Committee on Wednesday, where he is expected to face another round of tough questions about a megabreach that compromised the personal information of 145.5 million individuals.
Smith, who stepped down as CEO last week, warmed up before the House Energy and Commerce Committee on Tuesday morning. Here are the key takeaways from that hearing and more questions that could arise Wednesday.
Timeline: Who knew what when?
A chief concern among many lawmakers on Tuesday was the timeframe: if the hack was discovered in July, why did it take so long to disclose?
The hack occurred between mid-May and the end of July. Smith was notified of “suspicious activity” on July 31 after security personnel had identified and shut down the hacking. At this time, he said, he was unaware of the scope of the damage. On Aug. 2 the company called the FBI about the intrusion and retained the services of an outside law firm. In mid-August, Smith was notified that personally identifiable information had been stolen. On Aug. 17, he was briefed that large quantities of information had been stolen. The board was notified on Aug. 22.
The breach was publicly announced on Sept. 7.
How did the breach occur?
Smith said repeatedly on Tuesday that the breach happened as a result of both human and technological error. An Equifax employee failed to alert the company that it needed to apply a patch to the vulnerable system. Subsequently, a computer scan also failed to identify the weak spot.
Smith said Equifax has 225 individuals devoted to cybersecurity and the company has invested nearly a quarter of a billion dollars in security over the past couple of years.
Who is affected?
The database breached was the consumer dispute portal, the system for consumers to dispute activity with the company. That is separate from the core credit side of the company, which is why Smith said on Tuesday that no small business data was compromised.
He also said he did not believe minors, whose information could be listed under their parents, were breached.
Regarding the three company executives who sold nearly $2 million worth of stock on Aug. 1 and Aug. 2, just days after the company discovered there had been some sort of “suspicious activity,” Smith said that, to the best of his knowledge, these executives were unaware of the cyber intrusion. He referred to these colleagues, some of whom he has worked with for years, as “honorable men” and “men with integrity.”
Smith also said the sales occurred after quarterly earnings were reported, which is a common practice within the company.
Still, the chief legal counsel for Equifax approved the stock sale and he may have known about the suspected intrusion, causing concern among some lawmakers on Tuesday.
Equifax will roll out a new program that intends to give consumers more control over their own personal data. Under this system, consumers can lock and unlock access to their credit data for free. That will be available beginning in January of next year.