Lawmakers Slam Equifax Ex-CEO Over Hack -- 2nd Update
By AnnaMaria Andriotis, Michael Rapoport and Christina Rexrode
Former Equifax Inc. chief Richard Smith repeatedly told legislators Tuesday that he and other executives weren't aware of the significance of the company's data breach until weeks after it was detected in late July.
Those assertions failed to mollify members of Congress who slammed Mr. Smith and Equifax for allowing the hack to happen, failing to immediately realize its significance and the handling of the problem after disclosing it publicly.
Lawmakers also raised questions about the current structure of credit-reporting companies, whether they need more regulation and the amount of consumer information that they gather.
Mr. Smith, testifying before a subcommittee of the House Committee on Energy and Commerce, said the company initially knew there was an incident involving "suspicious activity," but not that millions of Americans' personal information had been compromised.
"It is unconscionable that Equifax failed so spectacularly to protect people's most sensitive personal data," said Rep. Ben Ray Luján (D., N.M.), who questioned what the company was doing to prevent another attack and how it would compensate affected consumers.
The grilling of Mr. Smith, who stepped aside last week as the company's chairman and chief executive, kicked off a series of congressional hearings this week set to examine the company's hack.
Under questioning by committee members, Mr. Smith provided more details about how the stage was set for the breach, which has affected potentially 145.5 million Americans. After the company received a public notice of a security vulnerability, an employee failed to notify other staff to patch the software issue, Mr. Smith said. He didn't name the employee.
Mr. Smith told legislators the error was compounded by a scanning system that failed to pick up the vulnerability. Subsequent investigations found this vulnerability allowed hackers to enter Equifax's systems.