Lawmaker to former Equifax CEO: 'I don't think we can pass a law that fixes stupid'

Equifax's former CEO blamed human error, a security scan glitch and failure to encrypt sensitive data for the breach, but U.S. representatives were not appeased.

U.S. lawmakers berate former Equifax CEO about data breach
REUTERS/Kevin Lamarque

On Monday, Equifax admitted that an additional 2.5 million Americans may have been affected by the breach it reported in September. On Tuesday, Equifax’s former CEO Richard Smith testified about that breach, which resulted in 145.5 million Americans having their personal information accessed or stolen.

Smith may be “sorry,” but that simply doesn’t cut it — especially in light of some of the tidbits that came from Smith’s testimony at Tuesday’s Congressional hearing.

For starters, the timeline for when Smith knew about the hack is bizarre. He was CEO of Equifax at the time, yet he claimed he wasn’t told about the “suspicious activity,” first discovered on July 29, until July 31. On Aug. 2, he hired outside cybersecurity experts to investigate. Smith then did not check in on the investigation for nearly two weeks: he asked for a briefing about the suspicious activity on Aug. 15, but he didn’t receive it until Aug. 17. Smith claimed it didn’t cross his mind to ask whether personally identifiable information (PII) was affected.

That is beyond belief, considering that Equifax stored Americans’ sensitive information in plaintext. By Smith’s own account, the company holding all our information, which we never asked it to hold, can only be bothered to encrypt “some” of its data.

Given that timeline of discovery, the sale of $1.8 million in stock by three Equifax executives on Aug. 1 and 2 fell within the period in which they could have known about the hack. Yet Smith claimed they are “men of integrity” whom he has known for a dozen years.

“I have no indication that they had any knowledge of the breach when they made this sale,” he said.

The big fat finger of blame for the hack was eventually pointed at human error, all boiling down to one person who didn’t do their job. Apache disclosed the vulnerability in the Apache Struts web application framework and made a patch available on March 6. According to Smith’s written testimony (pdf), US-CERT notified Equifax on March 8 that Apache Struts needed patching; the vulnerable software was running in Equifax’s online dispute portal. Equifax security policy required such a vulnerability to be patched within 48 hours.

Despite 225 people working in the security department, the flaw did not get patched. Smith blamed it on “human error”: the person responsible for communicating that the hole needed to be patched did not do so.

Out of 225 security professionals, surely someone reads the news and knew about the Apache Struts issue. Perhaps someone did, because on March 15, Equifax’s security department ran scans that should have identified the unpatched software but did not. Why the scanning technology failed to do its job was not explained; maybe it was channeling the lax security mindset of its masters.
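The article does not say what Equifax’s March 15 scan checked or why it missed the unpatched library. As an added illustration (not code from the article, from Equifax or from Apache), the script below shows the kind of version-inventory check a practitioner would expect such a scan to perform: find every `struts2-core` JAR on a host and compare its version against the affected ranges. The flaw itself is not named on the page; the ranges hard-coded here are those Apache published with its March 2017 Struts advisory S2-045 (CVE-2017-5638), which was fixed in Struts 2.3.32 and 2.5.10.1, and the file paths in the sample inventory are constructed for the example. One detail worth noting: the fixed release 2.5.10.1 has four version components, so a parser that only reads major.minor.patch would wrongly flag it as the vulnerable 2.5.10.

```python
"""Inventory check for Apache Struts 2 core JARs in a known-vulnerable range.

Added example, not code from the article or from Equifax. Affected ranges are
those Apache published for advisory S2-045 (CVE-2017-5638): Struts 2.3.5 through
2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as (first_vulnerable, last_vulnerable), inclusive.
# Tuples compare lexicographically, so (2, 5) <= (2, 5, 0) and
# (2, 5, 10, 1) > (2, 5, 10), which is exactly the ordering we need.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)

# Matches struts2-core-<version>[-qualifier].jar; the version may have any
# number of dotted components so that 2.5.10.1 is read whole.
_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def parse_struts_version(filename: str) -> Optional[Version]:
    """Return the version tuple of a struts2-core JAR, or None for any other file."""
    m = _JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Version) -> bool:
    """True if the version falls inside one of the affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag struts2-core JARs in an affected range; returns (path, version) pairs."""
    flagged = []
    for path in paths:
        version = parse_struts_version(path)
        if version is not None and is_vulnerable(version):
            flagged.append((path, ".".join(str(n) for n in version)))
    return flagged


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a deployment directory (e.g. an app server's webapps) and flag JARs."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return scan_paths(paths)


# Constructed sample inventory standing in for a real filesystem walk.
SAMPLE_INVENTORY = [
    "/opt/dispute-portal/WEB-INF/lib/struts2-core-2.3.31.jar",             # affected
    "/opt/dispute-portal/WEB-INF/lib/struts2-convention-plugin-2.3.31.jar",  # not core
    "/opt/legacy-app/WEB-INF/lib/struts2-core-2.5.10.jar",                 # affected
    "/opt/patched-app/WEB-INF/lib/struts2-core-2.5.10.1.jar",              # fixed
    "/opt/other-app/WEB-INF/lib/struts2-core-2.3.32.jar",                  # fixed
    "/opt/other-app/WEB-INF/lib/commons-fileupload-1.3.2.jar",             # unrelated
]

if __name__ == "__main__":
    for path, version in scan_paths(SAMPLE_INVENTORY):
        print(f"VULNERABLE struts2-core {version}: {path}")
```

Run against a real host with `scan_tree("/opt")` (or the application server’s deployment root). A filename check like this catches the common case of an unpatched library sitting on disk; it will not see a shaded or renamed JAR, which is why an inventory scan should be paired with a manifest or hash check rather than relied on alone, and why the result needs an owner and a deadline rather than a single e-mail.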

“It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,” U.S. Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee, told Smith. “How does this happen when so much is at stake?” Walden asked before adding:

"I don’t think we can pass a law that fixes stupid."

IRS awarded $7.25 million fraud prevention contract to Equifax!

Speaking of stupid, the IRS handed $7.25 million in taxpayer money to Equifax to verify taxpayers’ identities. The money was awarded under a fraud prevention contract posted to the Federal Business Opportunities database on Sept. 30. The IRS did not take bids from multiple companies because the contract was a “sole source order,” meaning the IRS regarded Equifax as the only company capable of doing the job.

Equifax is “to verify taxpayer identity and to assist in ongoing identity verification” for the IRS.

The IRS defended its decision, saying IRS data was not involved in the Equifax breach and noting that the company already provides similar services for the IRS under a previous contract. It is a “critical service that cannot lapse,” the IRS said.

Senate Finance Chairman Orrin Hatch told Politico, “In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed.”
