[Senate Hearing 115-129]
[From the U.S. Government Publishing Office]
S. Hrg. 115-129
AN EXAMINATION OF THE EQUIFAX CYBERSECURITY BREACH
=======================================================================
HEARING
before the
COMMITTEE ON
BANKING, HOUSING, AND URBAN AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
ON
EXAMINING THE EQUIFAX CYBERSECURITY BREACH AND ITS IMPACT ON
APPROXIMATELY 143 MILLION U.S. CONSUMERS
__________
OCTOBER 4, 2017
__________
Printed for the use of the Committee on Banking, Housing, and Urban Affairs
Available at: http://www.govinfo.gov/
_________
U.S. GOVERNMENT PUBLISHING OFFICE
28-123 PDF WASHINGTON : 2018
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104. Mail: Stop IDCC, Washington, DC 20402-001
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
MIKE CRAPO, Idaho, Chairman
RICHARD C. SHELBY, Alabama
BOB CORKER, Tennessee
PATRICK J. TOOMEY, Pennsylvania
DEAN HELLER, Nevada
TIM SCOTT, South Carolina
BEN SASSE, Nebraska
TOM COTTON, Arkansas
MIKE ROUNDS, South Dakota
DAVID PERDUE, Georgia
THOM TILLIS, North Carolina
JOHN KENNEDY, Louisiana

SHERROD BROWN, Ohio
JACK REED, Rhode Island
ROBERT MENENDEZ, New Jersey
JON TESTER, Montana
MARK R. WARNER, Virginia
ELIZABETH WARREN, Massachusetts
HEIDI HEITKAMP, North Dakota
JOE DONNELLY, Indiana
BRIAN SCHATZ, Hawaii
CHRIS VAN HOLLEN, Maryland
CATHERINE CORTEZ MASTO, Nevada
Gregg Richard, Staff Director
Mark Powden, Democratic Staff Director
Elad Roisman, Chief Counsel
Joe Carapiet, Senior Counsel
Brandon Beall, Professional Staff Member
Elisha Tuku, Democratic Chief Counsel
Laura Swanson, Democratic Deputy Staff Director
Corey Frayer, Democratic Professional Staff Member
Dawn Ratliff, Chief Clerk
Cameron Ricker, Deputy Clerk
James Guiliano, Hearing Clerk
Shelvin Simmons, IT Director
Jim Crowell, Editor
C O N T E N T S
----------
WEDNESDAY, OCTOBER 4, 2017
Opening statement of Chairman Crapo
Opening statements, comments, or prepared statements of:
Senator Brown
WITNESS
Richard F. Smith, former Chairman and Chief Executive Officer, Equifax, Inc.
Prepared statement
Responses to written questions of the Senate Banking Committee
Additional Material Supplied for the Record
Letter Submitted by the Credit Union National Association
Equifax, Inc., ``Insider Trading Policy''
Equifax, Inc., ``Corporate Crisis Management Plan, Part I''
Equifax, Inc., ``Corporate Crisis Management Plan, Part II''
Equifax, Inc., ``Corporate Crisis Management Program, Appendix H''
Equifax, Inc., ``Regional Crisis Management Plan''
Equifax, Inc., ``Security Incident Handling Policy and Procedures''
AN EXAMINATION OF THE EQUIFAX CYBERSECURITY BREACH
----------
WEDNESDAY, OCTOBER 4, 2017
U.S. Senate,
Committee on Banking, Housing, and Urban Affairs
Washington, DC.
The Committee met at 10:03 a.m., in room SD-538, Dirksen
Senate Office Building, Hon. Michael Crapo, Chairman of the
Committee, presiding.
OPENING STATEMENT OF CHAIRMAN MIKE CRAPO
Chairman Crapo. This Committee will come to order.
This morning, we will hear testimony from Richard Smith,
former chairman and chief executive officer of Equifax, who
held those positions until last week.
I understand that you are now serving as an unpaid advisor
to the company and appreciate your willingness to testify here
and appear and testify about the events surrounding the breach
and Equifax's response while you were leading the company.
Given the severity of this data breach, Congress will
continue to examine the facts behind it and what can be done to
prevent similar situations.
Cybersecurity is one of the most pressing issues facing
companies, as well as consumers and Governments alike, and is
one of the biggest threats to our financial system. The amount
of data that the private industry and Government collect and
store is very concerning. There is intrinsic vulnerability in
collecting and storing personal financial information, and we
need to have a meaningful discussion on how to protect and
limit access to it.
The Banking Committee takes its oversight of credit bureaus
seriously, as they are financial institutions under the Gramm-
Leach-Bliley Act.
Credit bureaus serve a critical function in our financial
system and have become a daily part of every American's life.
Every day, these institutions intersect in people's attempts to
get credit cards, car loans, mortgages, and other items.
Consumers may know about their involvement in their lives,
such as when they directly request a credit report, but
sometimes they do not, like when a company requests a
background check to determine their eligibility for a cell
phone.
The ability of Americans to easily access credit is one of
the many things that make our economy and our country the envy
of the world. It is also why this breach is so shocking and
concerning.
Here is what we know based on information from Equifax.
Equifax experienced a cybersecurity breach which potentially
impacted more than 145 million U.S. consumers. The data that
was taken included the names, Social Security numbers, birth
dates, addresses, and in some cases driver's license numbers.
In addition, credit card numbers for approximately 209,000
consumers and dispute documents with personally identifiable
information for approximately 182,000 consumers were accessed.
According to Equifax, the unauthorized access took place
from mid-May through July 2017, with Equifax discovering the
situation on July 29 and then finally cutting off the
intruders.
Here is what we need to know. Why did it take Equifax 6
weeks from the time it learned of the breach to tell the
public, the regulators, and the 145 million American victims
about it? Why were Equifax executives trading during this time?
How strong were and are Equifax's cybersecurity practices?
After the breach, what interactions did the company have
with other credit bureaus and Government agencies, in order to
understand what, if anything, can be improved in terms of
information sharing and mitigating consumer harm?
Additionally, there are valid and important questions about
the steps Equifax has taken to remediate customers and whether
more needs to be done to minimize the potential harm to those
affected.
In an op-ed last week, your successor admitted that answers
to key consumer questions were often delayed, incomplete, or
both. That same op-ed asserted that it is important to give
consumers the power to protect and control access to their
personal credit data.
I look forward to having these questions answered and
exploring different options on how companies can better
safeguard consumers' information.
Senator Brown.
OPENING STATEMENT OF SENATOR SHERROD BROWN
Senator Brown. Thank you, Chairman Crapo.
The story of this data breach is a familiar one. A big
financial institution screwed up. Executives walk away with
millions of dollars. Tens of millions of Americans end up
holding the bag.
Unfortunately, Americans have come to expect that the
Equifax scandal will play out the same way as the Wells Fargo
scandal. A couple executives retire. Some of them lose some of
their bonuses. A couple fines are issued, and only later do we
find out the problems go much, much deeper.
Most Americans never chose to have their data scooped up by
Equifax. You have said that since 2005, Equifax has been
rapidly transforming itself into a--your words--``global
analytics company'' by collecting huge troves of information on
people that you can sell to marketers and employers, but you
almost never ask people if they want to be tracked.
Most of the 145 million people--that number seems to climb
every week or so--well over half of all adults in the United
States, most of the 145 million people whose data you allowed
to be stolen probably only had a vague idea of what Equifax
was, if they had heard of you at all. Then they read in the
paper that their personal information has, in fact, been
compromised.
But while they might not have known the name Equifax, they
should have been able to expect that a company that gathers the
most private information about them would have state-of-the-art
protections for that information. A gold mine for hackers
should be a digital Fort Knox when it comes to security.
But security does not generate short-term profits.
Protecting consumers apparently is not important to your
business model, so you gathered more and more information. You
peddled it to more and more buyers.
For example, you bought a company called TALX so you could
get access to detailed payroll information--the hours people
worked, how much they were paid, even where they lived--7,000
businesses.
You were hacked there, too, exposing the workers of one
proud Ohio company, 400,000 workers at Kroger, and an unknown
number of people's information to criminals who used it to
commit tax fraud.
In May of this year, your outside law firm stated that
Equifax had instituted additional security measures in order to
prevent a recurrence of the TALX incident, just like you are
claiming you are doing now. Yet at that same time, hackers had
already taken advantage of another security flaw to get into
Equifax's system.
It has been 10 weeks since you discovered this latest
breach, but I still do not think we have a complete answer to
the question what happened and why.
We do know that this breach could have been avoided if you
had taken the simple step of administering security patches,
but your response after the fact may have been just as
negligent.
You told the House yesterday that Equifax knew at least
some people's data had been exposed on August 15th. Rather than
giving victims a chance to protect themselves, you withheld
this information from the public for weeks.
You claim that you delayed telling the public about this
hack so you could get an appropriate consumer response put
together, but when you finally did tell people what happened,
Equifax's website and call centers were immediately
overwhelmed.
You even tried to take advantage of the situation by
sticking victims with a forced arbitration clause buried in the
credit monitoring product you were shopping to victims. Think
about that. You tried to take advantage further, even with all
this, when the public was so upset because you had betrayed
their trust and the public trust. You stick the victims with a
forced arbitration clause buried in the credit monitoring
product you were shopping to victims. At least in this
instance, you backed down under public pressure, unlike Wells
Fargo, which yesterday under withering questions continued to
resist.
Chairman Crapo and I sent a letter to you on September 22nd
requesting basic information. For example, is there a company
policy on stock sales? I would guess so, but the best we got
from the company was, quote, ``Equifax will work with Committee
staff to provide a copy of the policy,'' unquote. We are not
talking about trade secrets here. I just do not get the
obfuscation.
Despite your promise to deliver a free CreditLock product
next year, all of Equifax's actions up to this point
demonstrate that this simply is not a company that deserves to
be trusted with Americans' personal data.
Your actions have exposed over half the country's adults to
financial harm. Equifax has forfeited its right to corporate
secrets. So please do not make the same mistake that Wells
Fargo did. Now is the time to give this Committee the whole
story.
Thank you, Mr. Chairman.
Chairman Crapo. Thank you, Senator Brown.
And now we will proceed to the testimony. We will hear
testimony from Mr. Richard Smith, former chairman and chief
executive officer of Equifax, Inc.
Mr. Smith, your written statement will be made a part of
the record in its entirety, and you may proceed with your oral
remarks.
STATEMENT OF RICHARD F. SMITH, FORMER CHAIRMAN AND CHIEF
EXECUTIVE OFFICER, EQUIFAX, INC.
Mr. Smith. Thank you, and good morning. Thank you, Chairman
Crapo, Ranking Member Brown, and Honorable Members of the
Committee. Thank you for the opportunity to testify before you
this morning.
My name again is Rick Smith, and for the last 12 years, I
have had the honor of serving as chairman and CEO of Equifax.
As noted, I have submitted written testimony, which addresses
the details of my testimony in far more detail than I will get
in my oral comments.
I have talked to many consumers, and I have read their
letters. I understand how frustrated and fearful many Americans
are about what happened at Equifax. This criminal attack took
place on my watch, and I take full responsibility as CEO at the
time. I want to say to every American, I am truly and deeply
sorry for what happened.
Americans have the right to know how this happened, and I
am prepared to testify today about what I learned and what I
did about the incident and my role as CEO and chairman of the
board and also what I know and what I have learned about the
incident as a result of being briefed by the company's
investigation, which is ongoing.
As we now know, this criminal attack was made possible
because of a combination of a human error and a technological
error. The human error involved the failure to apply a patch to
our dispute portal in March of 2017. The technological error
involved a scanner, which failed to detect the vulnerability on
this particular portal, which had not been patched. Both errors
have since been addressed.
On July 29th and July 30th, suspicious activity was
detected. We followed our security incident response protocol
at that time. The team immediately shut down the portal and
began our internal security investigation.
On August 2nd, we hired top security, cybersecurity,
forensic, and legal experts, and we notified the FBI. At that
time, we did not know the nature or the scope of the incident.
It was not until late August that we concluded that we had
experienced a major data breach.
Over the weeks leading up to September 7th, our team
continued working around the clock to prepare to make things
right. We took four steps to protect consumers: first,
determining when and how to notify the public, relying on the
advice of our experts that we needed to have a plan in place as
soon as we announced; two, helping consumers by developing a
website and staffing up a mass of call centers and offering
free services to every American; three, preparing for increased
cyberattacks, which we were advised are common after the notice
of a breach; and finally, number four, continuing to coordinate
with the FBI and their criminal investigation of the hackers
and notifying other Federal and State agencies.
In the rollout of our remediation program, mistakes were
made for which again I am deeply apologetic. I regret the
frustration that many Americans felt when our websites and call
centers were overwhelmed in the early weeks. It is no excuse,
but it certainly did not help that two of our larger call
centers were shut down for days by Hurricane Irma.
Since then, however, the company has dramatically increased
its capacity, and I can report to you today that we have
handled more than 420 million consumer visits to our website,
and the wait time at our call centers has been dramatically
reduced.
At my direction, the company offered a broad package of
service offerings to all Americans, all of them free to help
protect consumers.
In addition, we developed a new service that will be
available January 31st, 2018, that will give all consumers the
power to control access to their credit data by allowing them
to lock and unlock their credit files whenever they want for
free and for life, putting the power to control access to data
in the hands of the American consumer. I am looking forward to
discussing this tool with you in detail during my testimony.
As we have all painfully learned, data security is a
national security problem. Putting consumers in control of
their credit data is a first step toward a long-term solution
to the problem of identity theft.
But no single company could solve the larger problem on its
own. I believe we need a public-private partnership to evaluate
how to best protect American consumers' personal data ongoing.
I look forward to being a part of that dialogue.
Chairman Crapo, Ranking Member Brown, and the Honorable
Members of the Committee, thank you again for inviting me to
speak before you today.
I will close again by saying how sorry I am about this
breach. On a personal note, I want to thank the many
hardworking and dedicated people who have worked with me so
tirelessly over the last 12 years. Equifax is a very good
company with thousands of great people trying to do the right
thing each and every day. I know that they will continue to
work tirelessly, as we have over the past few months to right
this wrong.
Thank you.
Chairman Crapo. Thank you, Mr. Smith.
Mr. Smith, you recently discussed the need to give
consumers control of their own data. Yesterday, you said, ``It
is time we change the paradigm, give the power back to the
consumer to control who accesses his or her credit data. It is
the right thing to do.''
But we are far from that reality today with credit bureaus.
First, what needs to be changed to give consumers this power?
Mr. Smith. Mr. Chairman, the start is this product we are
introducing, which will come out in January of next year, which
gives the consumer the ability to control who and when accesses
the credit data. It will be a simple tool, Web-enabled on an
application, and the consumer can simply dictate who gets
access, who does not, and if he or she wants to go to a bank to
get a credit card or a car loan, they simply can toggle on,
open the access for the underwriter to look at their credit
file, once complete, toggle off, and secure.
Chairman Crapo. And it seems to me if that solution works
that that is a solution or a part of the solution with regard
to other private-sector actors or illegal actors. What about
the Government? Does the Federal Reserve or the CFPB have
access to your data, to Equifax's data?
Mr. Smith. Sir, Mr. Chairman, if a consumer locks their--at
the consumer level, is that the question?
Chairman Crapo. Yes.
Mr. Smith. If the consumer locks their file, they lock out
anyone's access to that data.
Chairman Crapo. So you are not in a position of being
required by any Federal agency to provide this personally
identifiable data to that agency?
Mr. Smith. Mr. Chairman, I am not sure I understand the
question. If a consumer locks their file to prevent access to
their file from any other bank or telecommunications company,
they would be the only ones who could unlock that file. We
could not unlock that file on their behalf, if I understand the
question correctly.
Chairman Crapo. Even if asked by a Government agency as
opposed to an inquiring bank?
Mr. Smith. I would have to check that.
Chairman Crapo. All right. Thank you. I would appreciate
that.
Mr. Smith. Thank you.
Chairman Crapo. In the hearing yesterday, you mentioned
that we may need to think about how secure Social Security
numbers really are and if they are really the best identifier
going forward for consumers. Could you give us your thoughts on
that?
Mr. Smith. Yes. Mr. Chairman, I worry about the fact that
Social Security numbers have been out there since 1936 and used
to be on our driver's license and used in our employment. You
talked to many cybersecurity experts, and they say the vast
majority of all SSNs have already been compromised.
I am in no way skirting the issue of the horrific breach
that we had. It was horrific, and I once again apologize to
this Committee and to all Americans. But I would encourage a
dialogue to talk about what is a better way to identify
individuals, something beyond the SSN.
Chairman Crapo. Do you have any ideas as to what that might
be, what could we effectively transfer into?
Mr. Smith. I do not, but I would love to be part of that
dialogue, the combination of public and private partnership
with academia, to think about that. There is a lot of thinking
going on right now. I am sure with the right thought and a
priority, we could crack that code.
Chairman Crapo. All right. Thank you.
There have been some issues and confusion relating to the
product you just discussed and services that Equifax has
offered in light of the breach. Some of my constituents have
said they are having trouble gaining access to the remediation
products being offered. What exactly are customers being
offered today, and what do they need to do to obtain these
products and services?
Mr. Smith. Thank you.
We are offering five different services for free, and to
repeat, this is to all Americans, not just the victims of the
criminal attack.
Number one, it is a three-bureau monitoring, where you can
monitor activity against your credit file from ourselves,
TransUnion, and Experian. Two is the ability to lock the file.
Number three is the ability to scan. We scan the dark web on
behalf of the consumer looking for Social Security activity
that might occur. Number four is access to our file for free,
and number five is an insurance product that helps recoup costs
up to a million dollars if a consumer has costs in trying to
fight, repair their credit.
So those are the five services we offer today to all
Americans, and the other, Chairman, is the one we talked about
that is available in 2018, January 31st of 2018, which is the
next generation of Lock.
Chairman Crapo. All right. Thank you very much.
Senator Brown.
Senator Brown. Thank you, Mr. Chairman.
According to your testimony in the House yesterday, over
the last 3 years, you have spent $250 million on cybersecurity.
That is about $85 million a year, correct?
Mr. Smith. Yes. That was an estimate that over the last 3
years, it is approaching a quarter billion dollars.
Senator Brown. And since 2016, you have made personally
about $69 million; is that correct?
Mr. Smith. I have not tracked that number, to be honest.
Senator Brown. In hindsight, do you think Equifax should
have spent more money protecting people's data rather than
compensating you so well?
Mr. Smith. I look back at the money we have spent. It is
not a matter of the dollars spent. It was not a financial
constraint, by any means. Obviously, when you look at the issue
in hindsight, it is could you have spent money differently, not
the total dollars spent.
There is a benchmark out there that was done by IBM that
benchmarks financial services companies, and their total security
spend is a percent of IT. And their benchmark talks about a
range of 10 to 14 percent. Our range is in the range of 12
percent. So, again, we are spending money in a range that----
Senator Brown. Well, I am going to interrupt you because I
know that in the House, House hearing, there were not nearly as
many questions because your answers were pretty long, and I
understand the complexities of this. But you are an IT company,
and that is just not acceptable.
Last August, this past August at a business school event at
the University of Georgia, you bragged that Equifax gets its
data basically cost-free. You were also asked how you approach
data fraud, and you responded, quote, ``Fraud is a huge
opportunity for us.'' Your SEC filings back that up. They state
that a significant portion of your revenue comes from selling
credit monitoring and fraud protection services to consumers.
So do you think, Mr. Smith, it is fair that Equifax gets to
take its consumers' data at almost no cost, make millions by
selling it to data-mining companies and marketers, then charge
fees to those consumers for credit monitoring products after
they become identity theft victims?
Mr. Smith. Senator, the vast majority of what we do is
allowing consumers to get access to credit. We take their data
combined with analytics and allow underwriters at banks, credit
card lenders, automotive lenders, to make loans to consumers.
We make very little money as a percent of our total revenue
from selling monitoring products to consumers.
Senator Brown. But the point is you keep making money off
people's sensitive data either way.
Equifax does not get its data directly from consumers, as
you know, and as several on this Committee have pointed out, it
gets it from their banks, their utility companies, their
employers, all without consent of the borrowers and the
employees.
Congress long ago, as I think you know, decided that
companies could not traffic in people's medical records for
obvious and good reason and that they needed to consent to a
transfer. Why should not we do the same with financial records?
You know how important that personal financial data is to
people. Why not do the same with financial records? Do you
think we need to change the consumer reporting industry in this
country to give Americans ownership of the data? For example,
should they be allowed to request that you delete the data from
your systems?
Mr. Smith. Senator, two thoughts. One is we are a vital
part to the global economy. We provide a great service to the
consumer enabling them to get access to credit.
We also enable the unbanked because of our data to have the
opportunity to get into the credit market. So it is a vital and
very important role we play and have played for many, many
years.
Yes, there are things we can do better as an industry and
working with Government, and the one thing I would like to see
us talk about as an industry is this concept of giving the
consumer the power to control their data. One small step
forward is the concept of this lock for life. I would like to
see the entire industry move in that direction.
Senator Brown. I am trying to read between the lines. Is
that a yes or a no to the question of should consumers be
allowed to request you delete their data from your system,
their data that you gather without their knowledge?
Mr. Smith. I believe a better way to get at that is through
this lock concept.
Senator Brown. So that means no?
Mr. Smith. Correct.
Senator Brown. Even though we do it with medical data and
even though--I mean, fundamentally, if you do not think
consumers should be allowed to control their own data, the
question is why should a company that has had so many security
failures be allowed to control their data. That is the
fundamental question that this company has not--apparently has
not asked or certainly has not answered to the public.
Thank you.
Chairman Crapo. Thank you.
And I would note to the Senators that Senator Brown and I
both stayed within our 5 minutes. I encourage all of you to
follow that pattern.
Senator Sasse. It was kind of impressive.
Senator Kennedy. It was kind of unusual.
[Laughter.]
Chairman Crapo. Senator----
Senator Sasse. I think it is me. Yeah.
Chairman Crapo. ----Sasse.
Senator Sasse. Thank you, Chairman.
Mr. Smith, let us take a minute to talk about why we are
here. Big picture, it is this. There is a really small group of
credit bureaus in America, and by really small, I mean three.
And if you are an American who buys a home or a car, you
typically have to be cleared by one of those three, and even if
you do not have a relationship with one of the three, if you
are a consumer who did not choose this, so you think about the
OPM hack, people were at least choosing to apply for a security
clearance or to work for the Federal Government. We have people
here who did not have any relationship with you and did not
choose to engage with you.
If you get a credit card from one of the countless offers
that Americans get every day in their mailbox from department
stores or gas stations or airlines, it is not uncommon for one
of the three credit bureaus to then obtain your information. So
what happens when something goes wrong? What happens when one
of you big three is hacked? What happens if you are one of the
145 million Americans who, in this case, had their information
stolen? What happens if 5 years from now an American has their
identity information stolen? What happens when there is a
reasonable suspicion that folks at your organization may have
engaged in insider trading?
There is a lot of anxiety that Americans feel, and they are
Americans who do not have the benefit of powerful attorneys and
lobbyists. And for them, this hearing is one of their only
shots at getting a full account of what went wrong, who is to
blame, and what is going to happen about it in the future.
So I would like to discuss this question about those who
were impacted by the breach and how long you think Equifax's
exposure or responsibility lasts. If you are an American, if
you are one of those 145 million, you do not have the ability
to change your name, your mother's maiden name, your birth
date, your Social Security number, and your organization has
committed to providing identity monitoring services for the
next year.
But I am curious about whether or not Equifax and your
board have deliberated. Do you think your responsibility ends
in 1 year, in 2 years, in 5 years, in 10 years? And if you
think it ends at some point, have you tried to think about the
goodwill and balance sheet impact of all this? How can you
explain to an American whose identity might be stolen later,
because of this breach, why your responsibility would ever end?
Does it end?
Mr. Smith. I understand the question, and it ends--it
extends well beyond a year, Senator.
The first step we took was the five services we mentioned
to the Chairman a minute ago, which gets the consumer through 1
year. The ultimate control for security for a consumer is going
to the lifetime lock, the ability for a consumer to lock down
his or her file to determine who they want to have access for
life.
Senator Sasse. But is not this--I would just interrupt. Is
not this about people who might be breached in the future?
I am talking about the 145 million whose data has already
been stolen. Does your responsibility end, or what do you think
your legal obligations are to them?
Mr. Smith. I think the combination of the five services we
are offering combined with a lifetime lock is a good
combination of services.
Senator Sasse. I actually think the innovation of some of
the stuff you have proposed for the big three going forward is
quite interesting, but why does any of that five really do much
for the data that has already been stolen?
Mr. Smith. Senator, again, the combination of the five
offerings today plus the lifetime lock, we think is the best
offering for the consumer.
Senator Sasse. OK. I do not think you have really answered
the question about whether your exposure legally ends for the
145 million.
Do you know the number? Can you do the 145 million
breakdown by State? Not off the top of your head, but do you
have the data that we on the Committee could have by tomorrow?
Just to--have you got it in your 145 million records? Can you
parse it by State so each of us understands how many
constituents we have----
Mr. Smith. I believe so.
Senator Sasse. ----who have been exposed?
Mr. Smith. We should have that capability. I am just
hesitating on by tomorrow, but let me take that back to----
[Pause to confer.]
Mr. Smith. We do have it.
Senator Sasse. OK. Great. Thank you.
It is being reported in the media this morning that you
have just received a no-bid contract from the IRS for fraud
prevention. Can you explain to the American people, not just as
consumers who have been exposed and breached here, but as
taxpayers, why in the world should you get a no-bid contract
right now?
Mr. Smith. I am not sure it was a no-bid. My
understanding--I do not profess to have the details there,
Senator--it is with the IRS. It is a contract we have had in
the past. I think it is being renewed.
Senator Sasse. OK. We are going to follow up with the IRS
as well, but if you could clarify back with us, my team will
follow up with you.
I have less than a minute left, but I want to open at least
the allegations that Equifax executives engaged in insider
trading relating to knowledge of this cyberbreach. One of the
clearest times and definitions of insider trading occurs when a
business executive trades their company's stock because of
confidential knowledge that they have gained from their job.
I am sure you can imagine why Americans are very mad about
the possibility that this occurred here. Well, insider trading
is going to be discussed a lot more later in this hearing. I
wish you could just very quickly give us a timeline of the
first steps. When did Equifax first learn of the May 2017
breach, and when did you inform the FBI of that breach?
Mr. Smith. Thank you. I will answer as quickly as I can.
We notified the FBI cybersecurity forensic team and an
outside global law firm on August 2nd. At that time, all we saw
was suspicious activity. We had no indication, as I said in my
oral testimony, of a breach at that time.
You might recall that the three individuals sold stock on
August 1st and 2nd. We did not have an indication of a breach
until mid to late August.
Senator Sasse. So you are saying that those three
executives--Mr. Chairman, I will stop. You are saying those
three executives had no knowledge of a breach on August 1st or
2nd?
Mr. Smith. To the best of my knowledge, they had no
knowledge, and they also followed our protocol to have their
stock sales cleared through the proper channels, which is our
general counsel.
Senator Sasse. We will have follow-ups on that, please.
Thanks.
Chairman Crapo. Senator Tester.
Senator Tester. Thank you, Mr. Chairman, and I want to
thank you for being here today, Mr. Smith.
I apologize for not being here during your presentation. I
had a business meeting on another committee, so I did not hear
your timeline. So I will give you mine, and I will start with
the first notification in March of this year by U.S.-CERT that
you guys had a vulnerability. Did you do anything with that
notification?
Mr. Smith. Yes, Senator, we did. We were notified on March
8th and on March 9th, following the traditional patch protocol.
Communication was sent out.
Senator Tester. Communication was sent out. Did you do
anything to fix the potential vulnerability?
Mr. Smith. There were two steps that I discussed in my oral
testimony----
Senator Tester. Yeah. Go ahead.
Mr. Smith. ----which I will walk through. One was there was
a communication breakdown in the patching organization within
IT. The message did not get to the right person down to the
utilization of patch.
Senator Tester. So, ultimately, nothing happened?
Mr. Smith. Well, two things happened.
Senator Tester. You did the notification, but ultimately,
in the end, there was nothing done with that notification to
fix that vulnerability?
Mr. Smith. Senator, yes. A scan was applied looking for the
vulnerability. A technology scan was applied, did not find it,
so the patch was not applied. Correct.
Senator Tester. OK. So let us fast forward to the 29th of
July, and you learned for the first time that your company has
been hacked, do not know how big the hack is, but it has been
hacked, and it was preceded by this notification from U.S.-
CERT.
Three days after, as Senator Sasse pointed out, you had
three high-level execs sell $2 million in stock. That very same
day, you notified the FBI of the breach. Can you tell me if
your general counsel was held accountable for allowing this
stock sale to go forward, or did he not know about the breach?
Mr. Smith. Senator, a clarification. On the 29th and 30th,
a security person saw suspicious activity, shut the portal down
on the 30th. There was no indication of a breach at that time.
The internal forensics began on the 30th. On the 2nd, we
brought in outside cyberexperts--forensic auditors, law firm,
and the FBI. The trades took place on the 1st and the 2nd. At
that time, the general counsel, who clears the stock sales, had
no indication--or did the company--of a security breach.
Senator Tester. Well, I am going to tell you something, and
this is just a fact. And it may have been done with the best of
intentions and no intent for insider trading, but this really
stinks. I mean, it really smells really bad, and I guess
smelling bad is not a crime.
But the bottom line here is that you had a hack that you
found out about on the 29th. You did not know how severe it
was. You told the FBI about the breach. On that same day, high-
level execs sell $2 million worth of stock, and then you do
some investigation, evidently, and you find out at the end of
the month that--or at least by the first part of September that
this is a huge hack, and you finally notify the public. And as
was pointed out already in this Committee, these are people
that did not ask for your service. You gathered it, and now it
is totally breached.
And then, as Senator Sasse said, ``What is the length of
exposure here?'' and you said, ``Well, we are doing these five
things.'' That is proactive, and I think we can all applaud
those efforts. But I have got to tell you, that does not do a
damn thing for the people who have been--had their identity
stolen and their credit rating stolen.
So let me ask you this. So their credit rate goes up a
little bit, and they go buy a house for 250,000 bucks on a 30-
year note, and it cost them 25 grand. Are you liable for that?
Mr. Smith. Senator, I understand your anger and your
frustration. We apologize for the breach. We have done
everything in our power to make it right for the consumer, and
we think these services we are offering are a right first step.
Senator Tester. Well, I would just tell you this, and I
think Equifax must have--must be or been a good company at
one point in time, but this length of time on a breach this big
in this day and age when we have folks that are pretty damn
good at this stuff, especially when the Department of Homeland
Security through U.S.-CERT says you got a problem, and was not
really dealt with in a way like it was really a problem--I
mean, you can say you sent out the directives, but in the end,
3, 4 months later, you end up with a very severe breach.
The problem we have got here--and I will just tell you
this--is that the impact and the numbers by State is important.
I think it is about 600,000 adults, and I think it is about
two-thirds of the adults in Montana, which is about probably 4
to 500,000 people, and in a State of a million, that is a lot,
OK?
And so, consequently, those people are going to be impacted
negatively for a long, long time. Why? Because this happened,
and you can say, ``Jeez, I am sorry it happened,'' but the
notification for 6 weeks in this 21st century we live in is
absolutely unacceptable. And I will just tell you that. It is
unbelievable.
And I appreciate you coming in front of the Committee.
Chairman Crapo. Senator Scott.
Senator Scott. Thank you, Mr. Chairman.
Mr. Smith, thank you for being here this morning, and
certainly, we all are a tad confused about the knowledge that
you had and your execs had that seem to--at least their stock
sales seem to suggest more information than we are getting
here.
So I just want to walk through the numbers as well as the
timeline to better understand and appreciate what happened. You
say that they did not know about the breach, but there was
suspicious activity that was reported. Did you know about the
suspicious activity on July the 29th?
Mr. Smith. No, sir, I did not. So----
Senator Scott. You were not notified about the suspicious
activity?
Mr. Smith. I was but not on the 29th. So on the 29th, a----
Senator Scott. So the 31st, you were notified?
Mr. Smith. Yes, correct.
Senator Scott. OK. So the very next day after you were
notified, your senior executives, including your CFO, sold $1.8
million, nearly $2 million of stock, for a profit of--
comparatively speaking to your September 7th devalued stock,
for about $655,000. So at the price that the execs sold their
stock for netted them, comparatively speaking, to the stock
price that would have been on September 7th had they sold it on
September 7th--they netted $655,000 during the same window that
the average person who learned about the breach lost $6.4
billion or 36 percent of the stock value. Is that accurate?
Mr. Smith. I have not done the math. I trust it is.
Senator Scott. OK. So Equifax tells the public about the
breach on September the 7th, which is 6 weeks later, and just
walk through the math with me, then. The stock dropped to
$92.98 a share, and it dropped from $146.26 per share, or a 36
percent loss. The executives who sold the 1.8--1.8 trillion--
$1.8 million benefited about $655,000 if you average in that 36
percent difference.
There are roughly 120 million outstanding shares of
Equifax. That means that folks who have Equifax stock in their
retirement accounts, the mom-and-pop businesses that are saving
for the future for a large purchase and they decided to invest
in Equifax, all those folks bore the burden of a $6.4 billion
drop in valuation at the same time that the general counsel who
did not know, the CEO who did not know, so all the folks in the
executive suite had no clue, but they were the luckiest
investors on August the 1st to sell the stock at the best price
to net $655,000. This was pure luck and nothing else. Question.
Is it? Was it?
Mr. Smith. No, sir. A few thoughts.
Senator Scott. Thank you.
Mr. Smith. Go back to the 29th and 30th. We have--we
experience millions of suspicious potential attacks each year.
It is not like the suspicious attack that occurred on the 29th
and the 30th was the first of that year, of that month.
Suspicious attacks occur all the time. That is number one.
Number two----
Senator Scott. Let me ask you a question right there, sir.
If you were to look back at the executives' stock sales on the
other millions of suspicious activity, was there ever a
suspicious activity that led to, within a 48-hour window, sale
of stock?
Mr. Smith. The window was open post the second quarter
earnings call. It is only open for a short period of time, as
you might guess. We encourage executives to sell the first part
of that window's opening. As you get into the opening, you know
more and more about the quarter and the financial performance
of the company, so you tend to discourage sales later on in
that month. So the behavior you saw was normal behavior. That
is point number one.
Point number two is they did follow the protocol. They got
the clearance. The general counsel approved the sale. The
window was not closed by the general counsel until mid-August.
The last point I will make, Senator, if I may. These are
three men I have known for a long time, two of them for 11 to
12 years. One has been my CFO for 3, 3½ years. These are
honorable men who follow the protocol that was outlined by the
organization.
Senator Scott. Well, I will just close with this, Mr.
Ranking Member.
I believe in the rule of law for everyone. I believe that
you are innocent until proven guilty, but I will say that what
you guys want us to believe as a Committee, the U.S. Senate,
the Congress, the investors in Equifax, and the entire Nation,
what you all want us to believe is that the three luckiest
investors who sold their stock did so without any knowledge
that that suspicious activity may be bigger and more powerful
than any other suspicious activity perhaps in the history of
the company. I find that hard to believe.
Senator Brown [presiding]. Senator Warner.
Senator Warner. Thank you, Mr. Chairman.
Mr. Smith, appreciate you being here, but we have seen a
history of other companies, of Yahoo! announcing today their
breach was actually 3 billion, not the billion they initially
acknowledged.
But for a company like yours, where American citizens have
no right to opt in, we enter into no customer-based
relationship with you, I think it raises a whole host of policy
questions we cannot get into today, but I think this Committee
needs to look at. I think we have to ask honest questions. Who
owns this data? How do you get the right to this data that is
our personal information, and yet your company's practices of
cyberhygiene are sloppy in the extreme?
The fact that there was known vulnerability, that you did
not have appropriate internal controls in place to easily patch
this is inexcusable. The fact that it took so long for the
senior leadership to get its act together is inexcusable, and
what I find, what I want to spend my time, because I could echo
what my colleagues have said about how long it took and
everything else, but then once the breach was known, the
complete, sloppy, haphazard approach you took on remediation is
again inexcusable.
The fact that the site you put up, rather than you directed
customers to go to, did not use your existing domain. You
created a whole new domain site. In that domain site, there
were known software glitches. You initially offered people what
I believe was a bait-and-switch scam to say, ``We are going to
give you a year of free protection, but, oh, by the way, you
are going to give up all of your legal rights by agreeing to
some small-print arbitration agreement.''
The fact that the site that you directed people to was so
faulty and so sloppily put together, that even entities like
the Architect for the Capitol would not allow users to access
the site because they thought it was so vulnerable, the fact
that you then also required individuals after their information
had been hacked into, abused, potentially now vulnerable for
who knows how long to enter in your last name and your last six
digits of your Social Security number, what in heaven's name
were you all thinking?
The fact that your official Twitter account mistakenly
tweeted a phishing link four times instead of the company's
actual breach response page, I mean, even if I want to try to
give you the benefit of the doubt of sloppy cyberhygiene and
somebody made a mistake and you did not find until after the
fact and there were mistakes made, when this was all known and
you said that you created a company that was an information-
based company, you had this level of sloppy cyber-response?
What do you say to the 143 million-plus Americans who have had
their private information violated, that even after the fact,
your response was inadequate and on every level would not meet
basic cyber-101-hygiene standards?
Mr. Smith. Senator, I understand your frustration and the
anger of the American public. I apologize not only for the----
Senator Warner. But, sir, I am not asking you to apologize.
I am asking you to say how do we tell the American people. How
should any American say again, ``I have got no option of opting
in whether you are going to get my personal credit
information''? Why should any of us have any faith that you are
putting anything in place that is appropriate when the
immediate actions you took after the knowledge of the hack took
place was so sloppy and so inadequate in terms of your
remediation site?
Mr. Smith. Again, Senator, the ramp-up was overwhelming for
a company that is largely doing business with other companies,
and we had to go from 500 call center people to almost 3,000 in
2 weeks. We went to the Cloud Computing Amazon site for scale.
We had, I think I mentioned in my oral testimony, over 400
million consumers come to a website.
Senator Warner. Sir, my time is up, but I would only say
telling me how many more people you hired and scaled up, that
is not what my question was. My question was, Why was your site
so technically flawed? Why did you send people to a new domain
site that was not properly registered? Why was your Twitter
account sending people to the wrong site? Why was this site so
badly put together that institutions like the Architect of the
Capitol would not even allow consumers to touch it because it
was so faulty? For a company that claims to be an information-
based company, even giving you the benefit of the doubt on
everything that happened beforehand, your remediation efforts
do not pass basic cyber-101-hygiene.
Thank you, Mr. Chairman.
Senator Roberts. Senator Perdue.
Senator Perdue. Thank you, Ranking Member.
Thank you, Mr. Smith, for being here today.
Mr. Smith, just for the record, are you the current CEO of
Equifax today?
Mr. Smith. No, sir. I am retired.
Senator Perdue. And you resigned your position; is that
correct?
Mr. Smith. Correct.
Senator Perdue. Would you tell the Committee why you did
that?
Mr. Smith. Senator, I thought it was the best for the
company to have a new leader come in and resurrect this great
company. I have agreed, Senator, to work with the company for
as long as needed. It has been a company I have loved working
for, for 12 years. The company has done a lot of great things
around the world. I have agreed to assist in any way I can for
free for as long as they need.
Senator Perdue. So, today, there are two issues before this
Committee. I only have time in the few minutes here to get at
one of these. The two issues are what happened, how did it
happen, and what is going to be done to rectify that with the
current individuals that were harmed by this.
The second issue is a bigger issue, and that is this entire
cybersecurity issue. When the now Chairman Jay Clayton of the
SEC was before this Committee, we asked this same question.
Under the antitrust laws, there are limitations for
corporations like yours and the other guys in this business to
talk to each other when you are threatened by cyberattacks; is
that correct?
Mr. Smith. There are ways for us to talk to different
entities when needed. The agency is an example. There is a
network we belong to where we talk about issues and trends in
cybersecurity. We take advantage of that.
Senator Perdue. So in this situation, were you able to talk
to your two biggest competitors when you were warned earlier in
March and then when you discovered it in July?
Mr. Smith. No, Senator.
Senator Perdue. So why were you not able to talk to them
and warn them of similar activity?
Mr. Smith. I am not sure it was that we were not able to,
but we did not know enough at that time either to talk to them.
Senator Perdue. So later when you did know enough
internally, were you limited by antitrust law or
considerations, or were you able to fully talk to these other
two competitors?
Mr. Smith. That, I am not aware of.
Senator Perdue. OK. We think there is a problem in that the
Secretary--I mean the SEC Chairman is aware of that. Actually,
Senator Cardin and Senator Blunt are working on a data security
act that would provide a national standard and make it clear--
because if you look at the current law, it is not clear--on
these cyberbreach notifications for people within an industry
and also between the companies and different agencies in the
Federal Government.
A national standard like this, would that be helpful for
your predecessor or your successors and other people in this
industry?
Mr. Smith. I believe so.
Chairman Crapo. Let us talk about credit report freezes. It
seems to me that in the day of the app, when my 6-year-old
grandson knows how to get on and get unlimited access to apps,
that a person who has data stored in one of these credit
companies could go on an app that--and they are online right
now, how to manage your credit scores and so forth. Intuit has
got them. They are all out there. What keeps you from giving
the ability to freeze an account?
Today, as I understand it, if you want to freeze your
account, you have to go to your firm and each of the two
biggest competitors and possibly others, pay a fee, get a PIN,
remember the PIN, and then freeze it for--it is your
determination, but to unfreeze it, you have to go back and
activate the entire process again. That seems most Americans
are not going to be able to do that.
So what keeps the industry from actually moving toward a
simple app that some individual can be informed about to
preclude this sort of exposure?
Mr. Smith. Senator, that is a great question. That is where
we are heading. That is the July--or the January 31st product
or service that we are offering, which is--will be an
application on a smartphone, on a PC. It allows you to freeze
or lock and unlock instantly at the time you want.
I would encourage our two other competitors in the
industry, Senator, to come together as an industry and offer
that service to all consumers on one site. The things you could
do if you had the consumers, the power at their fingertips, to
lock and unlock anytime they want that for all three credit
reporting agencies would be powerful. It would be a paradigm
shift for the consumer.
Senator Perdue. What would you tell your successor in terms
of the number one--in most businesses, the number one entity
they worry about is their customer. The individuals we are
talking about, they really were not customers of Equifax. What
advice would you give--and we have just got a few seconds
left--what advice would you give your successor to rectify this
situation?
Mr. Smith. Senator, we are a 118-year-old company. We have
always prided ourselves as being a trusted steward of data. The
number one thing we have got to do now as a company is regain
the trust of the consumer in America.
Senator Perdue. How do you do that?
Mr. Smith. By doing what is right for the consumer. We are
starting by doing, offering these five services, offering the
lifetime lock. It takes time. When you have the size of
criminal attack that we allowed to occur, it takes time to
regain that trust.
Senator Perdue. Thank you for being here.
Mr. Smith. Thank you.
Senator Perdue. Thank you, Mr. Ranking Member.
Senator Roberts. Senator Warren.
Senator Warren. Thank you, Mr. Chairman.
Now, Mr. Smith, Equifax has been hacked several times in
the past few years. It is consistently rated as having some of
the worst data security practices in the financial services
industry, and this latest hack happened through a hole in your
system that had been identified months before and could have
been fixed pretty easily. The whole thing is staggering. A
company like Equifax that has sensitive personal information on
most Americans should have the best data security in the
industry, and instead, it has the worst. And I want to
understand why.
So I started to look into this, and one thing jumped out at
me. In August, just a couple of weeks before you disclosed this
massive hack, you said--and I want to quote you here--``Fraud
is a huge opportunity for us. It is a massive growing business
for us.''
Now, Mr. Smith, now that information for about 145 million
Americans has been stolen, is fraud more likely now than before
that hack?
Mr. Smith. Yes, Senator, it is.
Senator Warren. Yeah. So the breach of your system has
actually created more business opportunities for you.
For example, millions of people have signed up for the
credit monitoring service that you announced after the breach.
Equifax is offering 1 year of free credit monitoring, but
consumers who want to continue that protection after the first
year will have to pay for it, will they not, Mr. Smith?
Mr. Smith. Senator, the best thing a consumer could do is
get the lifetime lock.
Senator Warren. I am asking you the question. You are
offering free credit monitoring, which you say is worth
something, and you are offering it for only 1 year. If
consumers want it for more than 1 year, they have to pay for
it; is that right?
Mr. Smith. Yes, Senator, but the most--the best thing a
consumer can do is the lock product. That is better than
monitoring.
Senator Warren. OK. But they are going to have to pay after
1 year if they want your credit monitoring, and that could be a
lot of money. So far, 7.5 million people have signed up for
free credit monitoring through Equifax since the breach. If
just 1 million of them buy just one more year of monitoring
through Equifax at the standard rate of $17 a month, that is
more than $200 million in revenue for Equifax because of this
breach.
But there is more. LifeLock, another company that sells
credit monitoring, has now seen a tenfold increase in
enrollment since Equifax announced the breach. According to
filings with the SEC, LifeLock purchases credit monitoring
services from Equifax, and that means someone buys credit
monitoring through LifeLock. LifeLock turns around and passes
some of that revenue directly along to Equifax. Is that right,
Mr. Smith?
Mr. Smith. That is correct.
Senator Warren. That is correct.
OK. So from the second Equifax announced this massive data
breach, Equifax has been making money off consumers who
purchased their credit monitoring through LifeLock.
Now, Equifax also sells products to businesses and
Government agencies to help them stop fraud by potential
identity thieves. Is that right, Mr. Smith?
Mr. Smith. Yes, Senator. There is one clarification. You
had mentioned the LifeLock relationship----
Senator Warren. Uh-huh.
Mr. Smith. ----which was accurate. At the same time, the
majority of that revenue we normally generate is direct to
consumer. We have shut that down. We are no longer selling a
consumer product directly.
Senator Warren. I am sorry. My question is every time
somebody buys through LifeLock--and they have seen a tenfold
increase since the breach--you make a little more money. We
actually called the LifeLock people to find this out. So I
asked you the question, but I already know the answer. It is
true. You are making money off this.
So let me go to the third one. Equifax sells products to
businesses and Government agencies to help them stop fraud by
potential identity thieves, right?
Mr. Smith. To the Government, yes, not to the business.
Senator Warren. You do not sell the businesses, to small
businesses?
Mr. Smith. We sell to business, but it is not to prevent
fraud. That is not the primary focus or business----
Senator Warren. But to stop identity theft, you do not have
any products that you are touting for identity theft purposes?
Mr. Smith. Senator, all I am saying is the vast majority of
what we do for businesses is not fraud.
Senator Warren. Look, you have got three different ways
that Equifax is making money, millions of dollars, off its own
screw-up, and meanwhile, the potential costs to Equifax are
shockingly low. Consumers can sue, but it turns out that the
average recovery for data breaches is less than $2 per
consumer, and Equifax has insurance that could cover some big
chunk of any potential payment to consumers.
So I want to look at the big picture here. From 2013 until
today, Equifax has disclosed at least four separate hacks in
which it compromised sensitive personal data. In those 4 years,
has Equifax's profit gone up? Mr. Smith.
Mr. Smith. Yes, Senator.
Senator Warren. Yes, it has gone up, right? In fact, it has
gone up by more than 80 percent over that time.
You know, here is how I see this, Mr. Chairman. Equifax did
a terrible job of protecting our data because they did not have
a reason to care to protect our data. The incentives in this
industry are completely out of whack. Because of this breach,
consumers will spend the rest of their lives worrying about
identity theft. Small banks and credit unions will have to pay
to issue new credit cards. Businesses will lose money to
thieves, but Equifax will be just fine. Heck, it could actually
come out ahead.
Consumers are trapped. There is no competition, nowhere
else for them to go. If we think Equifax does a lousy job
protecting our data, we cannot take our data to someone else.
Equifax and this whole industry should be completely
transformed. Consumers--not you--consumers should decide who
gets access to their own data.
And when companies like Equifax mess up, senior executives
like you should be held personally accountable, and the company
should pay mandatory and severe financial penalties for every
consumer record that is stolen.
Mr. Chairman, we have got to change this industry before
more people are injured.
Thank you.
Chairman Crapo [presiding]. Senator Tillis.
Senator Tillis. Thank you, Mr. Chair.
Mr. Smith, thank you for being here.
I have one question that I want to get to. First, can you
explain to me why you believe as a strategy the lock versus the
delete option is in the best interest of the consumer?
Mr. Smith. Yes. Senator, we, I think, provide a very
valuable service to the consumer, allowing him or her to get
access to credit when they want access to credit. If they are
not in the system, they hinder their ability to get credit.
Senator Tillis. How do you think that would--let us say
that you had a delete option, so there was not a transactional
opportunity for a consumer to have that information available
to people who are maybe underwriting a loan. Let us say that if
you took that to the logical conclusion and had all three of
the information providers delete your financial record, how do
you think that would affect somebody who is trying to apply for
a mortgage or a loan or a credit card?
Mr. Smith. We know what would happen. If you are not in the
credit ecosystem, you do not get a loan.
Senator Tillis. Do you think that is maybe even
particularly more pronounced, given some of the changes that we
have with financial regulations and underwriting practices and
scrutiny from the Federal Government?
Mr. Smith. I do.
Senator Tillis. Look, the point that I am trying to make
here is you all have a problem. I associate myself with a lot
of the concerns.
One thing I would ask you to do, you said the three
individuals in question for a stock disposition are honorable
people, that you have known them for several years. They have
been employed by Equifax for several years. I think it would be
very helpful to see what their pattern of stock dispositions
has been over the years to see the process they have gone
through, because I think that that would be helpful for this
Committee. I think there is an appearance issue there that you
all should--or that Equifax and the individuals should step up
and address.
Look, here is the other thing that we could be missing
here. You all made a big mistake. You sound like you have got
some remediation practices in place. I think you do have to get
right on the long-term obligation you may have. There is a
difference between a breach and exploitation.
At least the other day, when I asked about any evidence of
exploitation of the data breach, we have not seen any yet, but
it seems to me, you have got to create some sort of a footprint
on the data that was exploited so that over time, you could
make a reasonable decision about whose problem it is to
remediate any exploitation beyond the year pathway.
Another thing--I mentioned it yesterday with Wells Fargo--
that I think is very important, the problem that resulted for
maybe controls and processes at Equifax should be your problem,
not the consumer's problem. In other words, you need to make it
very easy and no cost to the consumer to fix a problem that
they became a part of, and rather than you get into the details
in this Committee, it would be helpful for me to get some
assurances that that is the case.
I use an example of an inappropriate parking ticket that I
got using a park mobile app in Charlotte. When I called the
folks up and said, ``I got a receipt right here,'' they said,
``Well, you can go through 2 or 3 weeks. You can appeal. You
can file it, and we are sure that it was because maybe your
license tag got mixed up.'' I said, ``My license tag at the
time was a 3.'' So I think they should have been able to figure
it out, but they were trying to make their problem my problem.
And you need to be absolutely certain--or Equifax and the
people that are taking the helm need to be absolutely certain
that they can convince us that you are addressing this and not
making your problem the consumer's problem.
I do think it is very important for people to understand
the potential chilling effect that you could have if you erase
your financial history from the system. We expect you all to
protect it, and we expect you all to be good stewards of it. In
this case, a variety of factors led to that not being the case,
but we have to get there.
I had another--just a comment to make. You are an
aggregator of data. What this Committee and every committee
that is taking a look at for cybersecurity needs to understand,
the broad exposure that we have in this country. You are an
aggregator of data. Again, I would think that your systems
should be more impervious to attacks than mom-and-pop shops and
other people who are aggregators of data based on their
purchasing platforms and their supply chains.
Congress needs to start thinking big picture here and how
we can get the U.S. economy to a point to where when you become
difficult or more difficult to penetrate, then I just go to the
sources. And then I can pick it off and maybe actually do it in
organizations that are far less sophisticated than you.
If people think that the credit reporting agencies and the
big banks are the only ones that are vulnerable, I would
suggest that you go get a book that I have got on my desk right
now in my office. It is called ``Hacking for Dummies''. It is a
very important book for you all to understand, for the industry
to understand, and for Congress to understand.
You need to be held accountable. Equifax needs to be held
accountable. We need to be held accountable for actually
getting beyond the shiny objects of this breach, which are
really important, and you need to protect the consumers and
recognize we have a role to play to protect this economy,
otherwise this is not going to end. It will be the CEO of the
week and the breach of the week, and that is not the way that
we should be leading from Capitol Hill.
Thank you for being here, and we will potentially submit
some other questions for the record. But I think it is in your
best interest or those who are working with Equifax to give us
more information on the stock disposition patterns for the
executives in question.
Thank you very much.
Mr. Smith. Thank you. I understand, Senator.
Chairman Crapo. Senator Heitkamp.
Senator Heitkamp. Thank you, Mr. Chairman.
North Dakota is a State of about 740,000 people. Our
Attorney General estimates that 248,000 North Dakota families
have been affected by this, and let me tell you, I have heard
from a lot of them. And I want to just tell you that I am
deeply concerned about the remedial efforts and how all of that
rolled out to begin with.
First off, if you have this level of information on
consumers that they did not give you--that is all part of this
thing that Elizabeth was talking about--and you do not have a
system in place for a fire drill on what you do if you are
breached, after you told us that you get notifications all the
time of potential breaches--and then you say, ``Oh, we had to
create all of this system. We had to create this thing out of
whole cloth,'' right? That is what you have told us--why the
roll-out after the breach was notified, why it went so poorly,
and why people were not protected, and why in many cases, it
was like, ``OK. We are going to charge you a fee if you do
this. We are going to do this,'' my consumers are like, ``Why
do I have to now spend money to protect myself when it is their
fault?''
And so I think it is not enough for you to say, ``My
goodness, look at the magnitude of this,'' when you should have
anticipated it, the same way you should anticipate whether you
have a fire in a building. You should be ready when it happens,
and it goes to what Senator Tillis just said. We all know it is
going to happen again, and I am saying this because I want all
CEOs who have access to this kind of information to know I am
going to ask a question on what they are doing to prepare, to
prepare for a breach.
Now I want to get back to the FBI. You said, ``Look, we get
a lot of these breaches. You know, this happens all the time.
We did not realize it was as serious as what it was.'' What is
the date you notified the FBI, and who made that notification?
Mr. Smith. Senator, the date was August 2nd. The head of
security at that time would have notified the FBI, the
cybersecurity forensic team, and King & Spalding.
Senator Heitkamp. And when would the head of security have
notified your chief legal counsel or chief legal officer?
Mr. Smith. On and around that same time.
Senator Heitkamp. Yeah. And when did he approve the stock
trades?
Mr. Smith. Senator, he approved the stock trades on the 1st
and the 2nd for the three individuals. At that time, as I
alluded to earlier, it was a suspicious activity. There was no
indication of a breach at that time.
Senator Heitkamp. How many times do you notify the FBI? You
do that every day, every week?
Mr. Smith. I do not have that specific data, but it is not
unusual. I mentioned earlier that we have millions----
Senator Heitkamp. I get that. I want to know how many times
when you are notified, you actually turned around and notified
the FBI.
Mr. Smith. We can get that information. I do not have that.
Senator Heitkamp. Yeah. Well, that is a problem because it
looks pretty suspicious, and your chief legal officer has some
explaining to do because even after he knew that there was a
notification to the FBI about this level of breach, he did not
clawback or try to undo those transactions and reverse what
clearly appears to be a pretty beneficial situation for three
of your employees.
I want to talk about remedial measures and go back to
consumers. Obviously, we are in this very big discussion about
what we are going to do with mandatory forced arbitration.
You know, it is interesting because if I go out there and
sign a contract with somebody, maybe I can protect myself.
Maybe I cannot. I do not think that fine print in a contract is
exactly anything other than illusory, but we can argue that
point. But why should you ever make that choice and mandate
forced arbitration in your business?
Mr. Smith. Senator, a point of clarification--and this is
part of our--my apology earlier--the intent was never to have
arbitration clause in the product that--the services offered to
the consumer at that time. It was a part of a boilerplate. It
was a part of a product we were offering to consumers prior to
the breach. It was a mistake we made.
Senator Heitkamp. But let us just ignore for a minute the
breach. Why should the consumer not be able to make that
choice, especially in this situation when the consumer is not
your community?
Mr. Smith. Again, to be clear, that was not the intent for
the breach. Arbitration clause is a legally, viable path for us
to take at this time. That is why it was in the consumer
offering.
Senator Heitkamp. Yeah. Well, I think we have got some real
challenges in taking a look at how we provide a real remedy to
consumers in this situation, and this will not be the first
time that we have a hearing like this. We had one yesterday; we
are having one today.
But I guess my warning, Mr. Chairman, would be I am going
to ask every person out there who has responsibility as a CEO
for consumer data to do the right thing, and that is right now
start thinking about if this happens to me, how do I treat my
consumers and the people who have lost their personal data. And
maybe we ought to start thinking about opting in as opposed to
opting out.
And so I want my credit locked until I do not--until I
unlock it. Why cannot I have that option? Why do I have to pay
to have my credit locked?
Mr. Smith. Senator, you do not. It is free. It is part of
the offering we just made.
Senator Heitkamp. For the breach, yeah.
Mr. Smith. For lifetime.
Chairman Crapo. Senator Schatz.
Senator Schatz. Thank you, Mr. Chairman.
You are retired as of last week. You leave with your base
salary, unvested options, and a pension, roughly valued at $90
million. Help me to understand why that is fair.
Mr. Smith. Those numbers do not resonate with me, Senator.
Senator Schatz. Well, what is the number, then? You should
know.
Mr. Smith. Clarification. I stepped down last week. I told
the board at the time I stepped down, I will not take a bonus.
There is no severance. I will work for as long as the company
needs for free. I have asked for nothing. What I walk away with
is a pension that I have earned over my career and unvested
equity that was given to me and I earned in the past.
Senator Schatz. Is it fair to say that is in the tens of
millions of dollars?
Mr. Smith. It is in the proxy. The proxy discloses the
value of the----
Senator Schatz. Right. And that is how we got to $90
million, but if it is $45 million or it is $23 million or it is
$38 million, my question stands. How is that fair?
Mr. Smith. The pension, Senator, is something I have earned
for my career, and the other piece is the earned equity I have
already been given.
Senator Schatz. Do you think that is fair?
Mr. Smith. Senator, I grew up as a young guy in Midwest. I
never envisioned having a career like I have had for the last
36 years. I have been fortunate. I have worked hard, and I do
not set those compensation levels. The board does, and the
board is elected every year.
Senator Schatz. Your investor presentation from August
16th, 2017, mentions nothing about the data breach, even though
by July 29th, you knew that your system had been compromised.
By August 2nd, you had retained outside counsel and informed
the FBI. I understand that you periodically inform the FBI. I
assume you do not necessarily consistently retain outside
counsel. I assume at some point around August 2nd, you knew
that something more significant than usual was up; is that
true?
Mr. Smith. No, that is not true, Senator.
It was not until later in August that we had some
indication, the size, the scope, and the complexity of the
breach. It was not on August 2nd.
Senator Schatz. So August 16th, your message to investors
was, quote, ``Enduring business fundamentals support long-term
growth,'' and the first time data security is mentioned is at
the end of your materials where you tout your role as a trusted
steward of consumers' data. Do you think that Equifax should
have disclosed the possibility of a major data breach to its
investors?
Mr. Smith. Senator, we talk to investors routinely. We
disclose in our 10-K and Q's that one of the greatest risks we
pose each and every day and fight every day is cybersecurity.
Senator Schatz. Right. But you retained outside counsel.
You informed the FBI. People are liquidating their stock, and I
guess I am wondering whether that pattern seems to indicate
that somebody knew something pretty significant was up. But
somebody made a judgment to not disclose that, not just to 143
million Americans but also investors. It seems to me that that
is material. It seems to me that that is reportable, and
whether or not you follow the letter of the law, it seems to me
that investors ought to know if something is going to impact
the company. And you had to have some clue that this was
percolating in a negative way.
Mr. Smith. Senator, we are very transparent with our
investors that security is always a risk. They are very well
aware of that. They price that into their value of the company.
Obviously, on the 16th, I think, is what you refer to, the
investor relations team had a presentation, on or around the
16th. We had not gone public with anything. We did not know the
scope or the size of a breach, so obviously, we could not
disclose that at the investor meeting.
Senator Schatz. Right. So you did not know the total scope
and size of the breach. I get that. So you decided not to
disclose it at all?
Mr. Smith. To the investors?
Senator Schatz. Yes.
Mr. Smith. Yes. Because at that time, we were even
uncertain if there was a breach at that time, and you could not
go to an investor base and tell an investor base something
before we had gone public with something.
Senator Schatz. And why would not you inform the public
about it?
Mr. Smith. Sir, the timeline, as I walk through, from the
28th, 29th, and 30th of July through September 7th lays that
out, and it was not until late August we actually had an
indication of the breach.
Senator Schatz. So what happened on July 29th?
Mr. Smith. July 29th is when a security individual saw
suspicious activity, on the 30th saw it again, shut down the
portal to stop the incident.
Senator Schatz. And then it took you 6 weeks to figure it
all out?
Mr. Smith. Yes. Again, we bring in the cybersecurity
experts who do this for a living, and the complexity, the size,
the movement----
Senator Schatz. You do not do it very well for a living,
except to the extent that you make massive profits off of
making mistakes. I understand you do this for a living, but to
the extent that none of us have the volition to enter into a
contract with you, you are not doing it well for a living,
except that you are all making a very nice living at it.
Thank you, Mr. Chairman.
Senator Brown [presiding]. Thank you, Senator Schatz.
Before calling Senator Kennedy, I want to do a
clarification. Senator Sasse asked about if you had State-by-
State information. You seemed unsure. Your team informed you in
real time that, in fact, you did have that.
Chairman Crapo and I had sent a letter September 22nd
requesting that State-level data on victims, so it appears that
your team has this information. Why was it not provided to us
in response to our September 22nd letter to the Chairman and
me, the State-by-State data?
[Pause to confer.]
Mr. Smith. I was just informed by Senator Chambliss that it
was given to each of the State AGs earlier. There are, as you
saw, a release by the company--I believe it was Monday--of
another 2.5 million consumers impacted. That has not yet been
distributed to the AGs. I am told the AGs, State AGs have that
record.
Senator Brown. OK. We are not the State AGs, and the
Chairman of the Banking Committee and the Ranking Member
cosigned a letter. We do a lot of things bipartisanly in this
Committee, and that letter was sent--it looks like 2 full weeks
ago, and it was not provided, so I hope that you will get that
to us quickly. And that is not the way that you should operate.
Senator Kennedy.
Senator Kennedy. Thank you, Mr. Chairman.
Thank you for being here. I am over here, Mr. Smith.
I found out about Equifax's contract with the Internal
Revenue Service in an interview this morning with Stuart
Varney. How big is that contract?
Mr. Smith. Senator, I saw it this morning as well. Maybe it
was last night, and it referenced a $7.5 million contract. I am
not sure if that is multiyear.
Senator Kennedy. Do you have other contracts with the
Internal Revenue Service?
Mr. Smith. We may, sir, but I am not aware of it.
Senator Kennedy. Could you get me a list of all of
Equifax's contracts with various Governments?
Mr. Smith. Yes, Senator, we can do that.
Senator Kennedy. The contract, the 7-million-and-change
contract, does that involve taxpayer information that you would
have access to?
Mr. Smith. Senator, it is my understanding--I am not
professed to be deep in this particular contract--it is to
prevent fraudulent access to the IRS, but beyond that, I--if
you want more information, we can get that for you.
Senator Kennedy. Well, you realize to many Americans right
now, that looks like we are giving Lindsay Lohan the keys to
the mini bar.
Mr. Smith. I understand your point.
Senator Kennedy. Let me ask you about a credit freeze. I
went through that. I have frozen my credit at all four of the
bureaus. I would like a commitment from you today that you are
going to ask your former company, though I think you still own
quite a few shares--I want you to make a commitment to putting
a free app available to anybody so that you can just go to your
app, toggle on and off, access to your credit files.
Mr. Smith. Senator, I agree with you. We like that idea.
That is going to go live for every American consumer the end of
January 2018. That will be free for life.
Senator Kennedy. So you are committing to do it?
Mr. Smith. Yes. Senator, we have been working on that for
months.
Senator Kennedy. OK. This whole unfortunate experience, Mr.
Smith, has raised larger issues, and one of the issues that it
has raised is to whom does your former company--I will call it
your current company because you are still working there. To
whom does your company have an obligation?
My understanding of your business model is that you collect
my information without my permission. You get the information.
You take it along with everyone else's information, and you
sell that information to businesses. Is that basically correct?
Mr. Smith. That is largely correct.
Senator Kennedy. And you also have a premium service to
monitor the information that you collect about me. So if there
is some bad information that you collect about me, you sell me
a service to monitor it and correct it; is that right?
Mr. Smith. Senator, just a clarification. Roughly 90
percent of everything we do is helping banks and others make
informed decisions about lending money to consumers. The
monitoring you are referring to, to consumers, is a very small
piece of what we do.
Senator Kennedy. But it just seems incongruent to me that
you have my information. You do not pay me for it. You do not
have my permission. You make money collecting that information,
selling it to businesses, and I think you do a service there.
Do not misunderstand me.
And you also come to me--you cannot run your business
without me. My data is the product that you sell, and you also
offer me a premium service to make sure that the data you are
collecting about me is accurate. I mean, I do not pay extra in
a restaurant to prevent the waiter from spitting in my food.
You understand my concern?
Mr. Smith. I understand your point, I believe, but another
way to think about that is the monitoring part that you are
referring to, Senator, in the future is far less required if
you as a consumer have the ability to freeze or lock, as we
call it, and unlock your file. And that is free for life.
Senator Kennedy. But it is not just the freeze part. What
if you have bad information about me? Have you ever--has an
agency ever had bad information about you, and you had to go
through the process of correcting it?
Mr. Smith. Yes, Senator. There is a process that if----
Senator Kennedy. It is a pain in the elbow, isn't it? I
mean, the burden is kind of on--you have my data, which you
have not paid me for. You are earning a good living, which I do
not deny you. I believe in free enterprise. I think this is a
very clever business model you have come up with, but you are
earning your money by selling my data, which you get from me
and do not pay me for, to other people. But if the data is
wrong that you have about me, I would think you would want to
make it as easy as possible to correct it, not as hard as
possible.
Mr. Smith. I understand your point, and it is an important
point for the entire industry to make the process as consumer-
friendly as possible. If there is an error on your utility
bill, if there is an error on your bank bill, your credit card
statement, to work with consumers and make that----
Senator Kennedy. Well, can you commit to me today that
Equifax is going to set up a system where a consumer who
believes that Equifax has bad information about him can pick up
the phone and call a live human being with a beating heart and
say, ``Here is this information you have about me that you are
selling to other people. You are ruining my credit, and it is
not true. And I want to get it corrected. How are you going to
correct it? What information do you need from me to prove that
it is incorrect, and when are you going to get back to me? And
give me your name and phone number so I can call you''?
Mr. Smith. Senator, I understand your point. There is a
process that exists today. I would be more than happy----
Senator Kennedy. Yeah. And it is difficult, Mr. Smith.
Mr. Smith. I would be more than happy to get the company to
reach out to your staff, explain what we do and what we are
doing to improve that process. I hear you.
Senator Brown. OK. I thank you, Senator Kennedy.
Senator Kennedy. I am sorry. I went way over. I apologize.
Senator Brown. That is all right.
Senator Donnelly. Thank you, Mr. Chairman.
Mr. Smith, on September 19th, myself, Senator Heller,
Senator Tester, Senator Menendez sent you a letter, and the
letter we sent expressed concerns about the impact on the
roughly 1.3 million active duty U.S. military personnel,
especially the nearly 200,000 currently stationed overseas who
may lack the access and resources required to place a credit
freeze on their files or take other necessary measures to
adequately protect their personal information.
We requested you immediately detail the specific actions
Equifax will take to ensure our servicemembers are not
victimized any further by thieves with access to personal
information, such as Social Security numbers, dates of birth,
and home addresses.
In response, I received a generic letter from Equifax that
never even mentioned servicemembers, that basically said thank
you for your interest.
In your written testimony today, you also make no mention
of our servicemembers or the military. So I will again ask a
question that should have been answered: What specific actions
will Equifax take to ensure our servicemembers are not
victimized any further?
Mr. Smith. Senator, let me apologize if we did not get back
to you. That was--someone dropped the ball, and I will look
into that quickly for you.
The servicemembers around the world have the same ability,
if they have access to the Internet, to freeze, lock, get
access to products. If not, they have the ability to have a
power of attorney in the U.S. to act on their behalf.
Senator Donnelly. Well, let me ask you about some of our
young men and women who are at forward operating bases in Iraq
or in Afghanistan, who may be somewhat other occupied----
Mr. Smith. Yeah.
Senator Donnelly. ----than having the chance to get on the
computer and get their lock going on. So let me ask again and
say for those members who are serving in remote or high-
conflict areas, what is it that you can do to make sure that
their identities and financial information are safe?
Mr. Smith. Again, they have the ability to have a power of
attorney, and that power of attorney can act on their behalf.
Senator Donnelly. You know, that is pretty weak tea for
someone who is in a location where they may be occupied keeping
our country safe and having their hands full with others.
Mr. Smith. Senator, let me take that on. I will get back
with the company and see if there is anything else we can do
specifically for those overseas.
Senator Donnelly. Let me ask you another question. Due to
the cyberattack, roughly 145 million Americans have had their
information compromised, and Equifax has said you now offer
free credit freeze. But there is also Experian and TransUnion,
and what I want to know is, Will Equifax also offer free credit
freezes at Experian and TransUnion to ensure consumers are
protected from theft and fraud?
Mr. Smith. Senator, the lock that we offer for free for
life is a product that I believe the entire industry should
rally around. It is my understanding that TransUnion, one of
the two other credit reporting agencies, also offers a lock
product for free. It is my understanding it is not for life at
this time, but they offer it for free.
Senator Donnelly. Well, this breach was caused by Equifax.
What will Equifax do to ensure that there are free credit
freezes for those 145 million Americans at Experian and
TransUnion as well? I do not want to see folks have to rally
around this or rally around that or try to figure out how to
navigate the Internet to get it done for themselves. What will
you do for those 145 million Americans, our friends and
neighbors, millions in my State, that will provide a free
credit freeze at Experian and TransUnion?
Mr. Smith. Again, Senator, the things we have done is the
five services we offered for 1 year combined with a lock for
life--and I would invite TransUnion and Experian to follow
suit----
Senator Donnelly. But those services you just described do
not include a free credit freeze at Experian and TransUnion.
Mr. Smith. That is correct.
Senator Donnelly. So, in other words, Equifax will not do
anything to provide that?
Mr. Smith. Again, we are offering our five services plus
lock for life.
Senator Donnelly. Well, I guess that answers the question
that I was asking, which then leads to my next question which
is, What is Equifax's obligation to consumers who fall victim
to identity theft or financial fraud in the future due to this
breach? The damage caused to their credit, the money they may
lose, how does Equifax plan to address the financial harm that
can come to our families?
Mr. Smith. Senator, the design, the thought was offer these
five services, allow someone to lock their file for life to
minimize the downstream harm.
Senator Donnelly. But what happens if someone is harmed?
Mr. Smith. Senator, that is the extent of our offering.
Senator Donnelly. So because of your failure to stop this
breach and a family is damaged financially, there will be no
compensation provided?
Mr. Smith. Again, Senator, the five services we are
offering are for free. The lifetime lock is for free.
Senator Donnelly. Which does not touch at all upon the
question I just asked.
Thank you, Mr. Chairman.
Chairman Crapo [presiding]. Senator Rounds.
Senator Rounds. Thank you, Mr. Chairman.
Mr. Smith, I would like to go back into a little bit
different question for a little while. I would suspect that
there are probably thousands of CEOs and board chairmen for
publicly traded companies as well as some large private
companies that when they heard about the theft of data that was
in your care, custody, and control, that they looked back at
their own operations and said, ``Can that happen to us?'' And I
would suspect that there were a number of chief information
officers out there who were being called into the front offices
to explain and to reassure that they did not have the same
vulnerabilities that were found within your operation.
I also suspect that since you have got experience in
working in multiple major organizations that you have seen how
boards work and that you have seen how the bosses do their own
type of a command and control and get feedback.
I would imagine that you have lost a lot of sleep wondering
what it was that you could have done differently and what
message you would send to other individuals if given the
opportunity.
We are going to have a lot of people that get hurt on this,
and they are people that you had data from. If you could go
back a year and look at your operation and tell us what you
would do differently to demand things be changed, if there was
any inkling at all, what would you do?
Mr. Smith. Senator, as you might guess, since early August,
myself and the entire team that has been focusing on addressing
this issue has been working around the clock trying to, first
and foremost, understand the forensic of what occurred and
maybe why it occurred and then communicating to consumers and
regulators and State AGs and the like. I have had no time to
reflect on, as a leader who has apologized and takes full
responsibility, what I would do differently. I am sure when I
have time to reflect, there will be things I look back on and
say, ``If I only had done this.'' That time will come, but,
Senator, to be honest, I have not had that time to reflect.
Senator Rounds. As many board members or chairmen would do,
they rely on a CIO to provide them with assurances. Did you as
a member or with the board doing their due diligence--do you
feel that the due diligence that was expected of you as a board
and as the chief operating--or the chief executive officer--do
you feel like you did the due diligence necessary to assure
yourselves and to get second opinions, that the CIO was
actually doing the job that they needed to do, and that they
were doing their own sense of due diligence in this process?
Mr. Smith. The CIO I had has been there for 8 years. He was
a very seasoned CIO. Ultimately, the responsibility stops with
me, not him. He is no longer with the company nor is the chief
security officer, but ultimately, that responsibility stops
with me, Senator.
Senator Rounds. I read your article. I read through your
statement, your written statement, and I caught time and
again--and we sometimes--we go for the fact that you were the
victim of theft as well. There were bad people that got into
your system. The obligation that you had to protect that
information that was in your care, custody, and control is
clear. And I think that sometimes organizations that have that
data, they assume that somebody else is doing their job. They
assume that there are reasonable expectations of due diligence
being completed.
I guess what I was hoping to hear is something along the
lines of ``Yeah. If I could send a message to other CEOs out
there, it is do not just listen. Do the double-checks. Find
out. Ask for the outside assistance,'' and I guess I am not
hearing that. And I know that this is early in your process,
but nonetheless, it seems like that would have been one of the
first things that most CEOs would have said is ``If I could do
this over again, I would have fixed this. I could have had an
opportunity. Why did not I think of it?'' I just--I am looking
for that.
And I know that you did make a point in there saying, ``We
are using Social Security numbers out there, and we have got to
go to a different system.'' If nothing else, you have thought
about that. What would you do or what would you recommend in
terms of a different system for identifying and maintaining
data that belongs to individuals safe in a case like this? What
can we do different?
Mr. Smith. Yeah. I do not have that answer. I have spent a
lot of time talking to people in the cyberworld, and they are
convinced--they have convinced me that there has to be a better
solution than an instrument that was introduced in 1936. It was
never intended as an identifier for an individual.
I am convinced that if you get the public, private, and
academic partnership, we can crack that.
Senator Rounds. But no real answer yet?
Mr. Smith. Not yet.
Senator Rounds. Thank you.
Thank you, Mr. Chairman.
Chairman Crapo. Senator Van Hollen.
Senator Van Hollen. Thank you, Mr. Chairman.
Mr. Smith, it is good to have you here. Consumers do not
authorize Equifax or any credit reporting agency to collect
their personal information, do they?
Mr. Smith. Not to collect it.
Senator Van Hollen. No. So you vacuum up lots of
information, and you provide it to people who say they are
interested in the credit of somebody who may be applying for a
car loan or a home loan or other loan, right?
Mr. Smith. Yes.
Senator Van Hollen. So you have an incredible amount of
power over people's lives, right? You collect all their
personal information, and yet their life decisions may, in many
cases, depend on what you say to a bank or another lender. Is
not that right? OK. Is not it a fact that when someone goes for
a loan, if you tell a lender that someone is a bad risk, they
are a lot less likely to lend?
Mr. Smith. Senator, I thought that is where you were going.
We do not make that delineation for the bank. We have that
data, may provide some analytics behind it, but ultimately, the
banks----
Senator Van Hollen. But you provide the credit scoring,
right?
Mr. Smith. There is an individual firm called FICO that
provides the score.
Senator Van Hollen. And they do that based on the
information you provide, right?
Mr. Smith. Correct.
Senator Van Hollen. OK. Now, are you aware of the fact that
when the Consumer Financial Protection Bureau did a survey,
they found that Equifax, Experian, and TransUnion are the three
most complained-about companies in America? Are you familiar
with that finding?
Mr. Smith. Yes. It is a little misleading.
Senator Van Hollen. Well----
Mr. Smith. That is the CFPB Complaint Portal. If I may,
Senator?
Senator Van Hollen. Well, no. Unfortunately, if the
Chairman wants to give me more time, I will, but I will--I will
just--you can submit something for the record, if you are
interested, but I think the point I wanted to make is this was
actually from September 8, 2016. I mean, this is even before we
had the incredible introductions into the data and the exposure
of data.
People pay many other companies billions of dollars in the
event that you make a mistake that needs to be corrected. Is
not that the case?
Mr. Smith. I am sorry. State that again?
Senator Van Hollen. People, consumers who have information
incorrectly included on one of your reports, they often have to
pay a lot of money to other firms to get it corrected. Is not
that the case?
Mr. Smith. No, that is not the case. If a consumer has a--
you referred to in the CFPB----
Senator Van Hollen. I am talking about the credit repair
services. What do they do?
Mr. Smith. Yeah, but the process the consumer could use, if
they think they----
Senator Van Hollen. No, but what about--what--the credit--I
am asking these credit repair service companies--they are
making money now to try to help consumers correct mistakes that
are often put in your reports or other credit rating agencies.
Is not that the case?
Mr. Smith. There is an industry that does that, Senator. A
consumer can come to us directly and dispute that issue.
Senator Van Hollen. So I guess those industries are making
billions of dollars, but they really do not need to exist, in
your testimony. All they have to do is come to you.
Are you aware of the fact that--I just--Mr. Chairman, I
would like to put in the record, a Washington Post story from
2008--16, how the careless errors of credit reporting agencies
are ruining people's lives.
Chairman Crapo. Without objection.
Senator Van Hollen. I would also like to include in the
record something from CNBC, a piece by Aaron Klein, a fellow at
the Brookings Institute, titled ``The Real Problem With Credit
Reports Is the Astounding Number of Errors''.
Chairman Crapo. Without objection.
Senator Van Hollen. And I would also, Mr. Chairman, like to
put in the report the FTC study from February 2013 that said 5
percent of consumers had errors on their credit reports that
could result in less favorable terms for loans.
Chairman Crapo. Without objection.
Senator Van Hollen. Because the whole model of this
industry is you collect information without permission from
consumers, and yet their lives depend, in many ways--their
economic lives depend on decisions you make.
So I want to go back to something Senator Heitkamp asked
you with respect to forced arbitration because, clearly, we
have a powerful company that is often up against one individual
who is trying to get something corrected on their credit rating
report or whatever it may be, and yet in the aftermath of this
incredible breach, you said that you would provide credit
protection but only if consumers gave up their right to get
their day in court. You want to have forced arbitration.
Now, your testimony today is that was a mistake, that you
did not mean to apply it in this case; is that right?
Mr. Smith. That is correct.
Senator Van Hollen. All right. But you do apply forced
arbitration in many other situations, don't you?
Mr. Smith. In the consumer products.
Senator Van Hollen. And so if you are looking out for the
rights of consumers, why do not you give them the choice of how
they seek their remedy?
Mr. Smith. Senator, I understand your issue today. That
arbitration clause is a legal provision, and we follow that.
Senator Van Hollen. And you have been--not just legal, but
you have paid lobbyists on Capitol Hill--I am asking you a
question, then. Have you paid lobbyists on Capitol Hill to
fight the rule that was put forward by the Consumer Financial
Protection Bureau?
Mr. Smith. If you are referring to the harmonization bill
that was proposed, which I think you are referring to--is that
the bill?
Senator Van Hollen. I am referring to the legislation----
Mr. Smith. Arbitration specifically?
Senator Van Hollen. ----that would overturn the Consumer
Financial Protection Bureau's rule that prohibits forced
arbitration clauses.
Mr. Smith. Senator, if we spent time on that, I am not
aware of that.
Senator Van Hollen. So are you in favor, then? You said it
is part of the law, and so you are just abiding by the law. But
as somebody who has experience in this area, would you agree
that consumers should have the right to decide how best to
protect themselves in legal matters?
Mr. Smith. Senator, if that becomes law, we will follow the
law.
Senator Van Hollen. No, that is not my question.
Mr. Smith. I understand.
Senator Van Hollen. My question is, Where do you stand on
the issue of allowing consumers to choose how they seek
recourses when they believe they have been wronged?
Mr. Smith. Senator, I understand the question, and today,
arbitration is a part of the law, and we are following the law.
Senator Van Hollen. Yeah. And so you are following it even
though it may be unfairly treating consumers; is that right?
Mr. Smith. I understand your question.
Senator Van Hollen. But, Mr. Chairman, if I just--but you
chose to suspend that law. You could have enforced that on
these individuals, right?
Mr. Smith. It was never the intent, as it related to the
breach----
Senator Van Hollen. But it was the law. The law would have
allowed you to do it, right?
Mr. Smith. But it was never the intent----
Senator Van Hollen. That is not what I am asking. The law
would have allowed you to do that, right?
Mr. Smith. Yes.
Senator Van Hollen. And you chose not to because you
thought in that circumstances, consumers would be better
protected by having choices, and my only question to you, if it
is good in that circumstances, why is not it good for consumers
all the time?
Thank you, Mr. Chairman.
Chairman Crapo. Thank you.
Now, that concludes the questioning; however, we have had a
couple of requests for a second round, and so I will go with a
brief 3-minute second round.
Senator.
Senator Brown. Thank you, Mr. Chairman.
Following up on, I thought, Senator Van Hollen's very good
line of questioning about your rather curious statement that
you are following the law, but you are not following the law on
the--in the one case, but you are in the other, I do not
entirely get that.
But let me take it a different way. In your written
testimony, you state that terms and conditions attached to the
free solutions that Equifax offered included an arbitration
clause. You said this provision of forced arbitration clause
was never, in this case, intended to apply, and you were
informed the clause was included. Apparently, it was sent out
to your customers, and you did not know it was in there, the
clause, as customers often do not know these forced arbitration
clauses are in there, the fine print. And I assume you are more
sophisticated in these financial instruments and transactions
than most of your customers, but leave that alone.
You were informed the clause--and clause was included
because it was, quote, your words, ``essentially 'cut and
pasted' from a different Equifax offering.'' But this
inadvertent error could have prevented, if not--if not
unearthed and then protested, then pushed back and you dropped
it, this inadvertent error could have prevented 145 million
victims from pursuing their legal rights in court.
So make that case again. Your company failed by allowing
this breach of 145 million victims. You sent out a piece. You
sent out a restitution to them with forced arbitration. You
backed off the forced arbitration.
So do not you think it is fundamentally unfair that the
ability of 145 million Americans to seek justice in court could
have been taken away simply by a cut-and-paste job? Does not
that show how unfair forced arbitration is to customers?
Mr. Smith. Senator, to be specific to this particular
issue, it was an error, as you noted. We were made aware of the
error, and I believe within 24 hours removed that clause. It
was never intended to be a clause applied to the breach.
Senator Brown. But that was not really the question.
So, first of all, you say it was an error. I guess I
believe that, that it was an error, although your company has
given us cause to not believe some other things. But does not
that show how unfair forced arbitration is? You did not ask--
you did not answer that question. If this inadvertent error,
this cut-and-paste error had taken away forced--forced
arbitration of 145 million Americans, does not that show how
unfair forced arbitration is?
Mr. Smith. I have no opinion on that.
Senator Brown. But you used forced arbitration in other
cases?
Mr. Smith. Correct.
Senator Brown. So you must not think it is--so it is unfair
to those 145 million in that circumstance, but it is not unfair
to customers in other circumstances on whom you oppose forced
arbitration, both?
Mr. Smith. Again, I go back, Senator. It was never the
intent for us to have that arbitration clause in the breach
service itself.
Senator Brown. And I will close, Mr. Chairman. I appreciate
your indulgence.
I just cannot understand why you think--for those 145
million in that case that forced arbitration is unfair, but in
other uses in your company, you seem to think it is fair. It
just puzzles me.
Senator Brown. Senator Heitkamp.
Senator Heitkamp. Thank you, Mr. Chairman.
And I just wanted to come back and offer a couple
suggestions because we are all struggling, and obviously, your
company has had a huge hit to its reputation.
We found out today that the IRS has been forced to continue
your contract by your protest. That is why that contract was
continued, and we, in spite of some very interesting timelines,
the belief that you have that there was no insider trading--
and so I am just going to offer a couple of suggestions for
you.
Number one, tell the IRS it is OK to migrate the contract
someplace else and say, ``We are fixing, getting our house in
order. We understand that we have a ways to walk back, our
reputation, and we are going to withdraw our protest on the
loss of that contract.''
And the other thing I would suggest to the three
individuals, who may be completely innocent--but the rest of
the shareholders who took the hit--they are more innocent than
employees of that company, of your company--they should give
the money back. They should give the money back.
And so I think there is other things. I think there is an
attitude that we come here, we do everything possible, we are
trying to do our level best, but many, many times, it is the
symbolic things. It is like forcing the IRS to take this
contract for another year, like a very suspicious timeline that
has led us all to believe that there should at least, at a
minimum, be an investigation. All of that could be undone with
a gesture of goodwill.
And so I understand you are not the CEO of the company. You
said you are still in an advisory role. My advice to you is do
some things that are very, very visible, and those are two
things that you could do that would give us some certainty that
this is being taken as seriously as it should be taken.
Thank you, Mr. Chairman.
Chairman Crapo. Thank you.
And I will conclude with 3 minutes of questions as well.
Mr. Smith, I wanted to get back to my original question. A
lot of the questions you have gotten today appropriately have
been very specific with regard to Equifax and the Equifax
breach.
I want to focus on the broader issue as we conclude. In my
initial questioning to you, I talked to you about whether there
were--whether any Experian data went to other entities, and I
was referring to governmental entities--the CFPB, the Federal
Reserve. We just had discussion about the IRS, and there are
contractual relationships, I understand, with the use of this
data.
Let me just talk about the CFPB as an example. In
September of 2014, the GAO did a report, which I requested, on
CFPB data collection. They found that CFPB at that time--
that is 3 years ago now--had access to account-level credit
card data on between 546 and 596 million consumer accounts on a
monthly basis, representing 87 percent of the credit card
market. GAO also found that at that time, there was not
adequate protection at the CFPB of this data that they were
collecting.
In this report, it indicated--again, this was in 2014--all
of the sources of data that the CFPB was collecting--and
Experian shows up in that report--700,000 vehicles per month,
information procured from Experian, vehicle purchases, and the
data on those purchases, 10.7 million consumers, cosigners, and
borrowers with consumer credit information from Experian, and
another 600,000 samples of consumer credit reports and consumer
credit scores on those reports from Experian.
Now, Experian is not the only entity that is providing data
to the CFPB. There are, in this same report, for example, nine
unidentified large financial institutions using a commercial
data aggregator who provided 25 to 75 million total account
sets of data involving individual consumers' credit card
account-level data with linkages to their credit reporting
data.
The reason, what I am getting into here, is this. Experian
is not the only company or entity in America collecting data.
There is massive data collection being undertaken in this
country, and it is not just the three credit bureaus that are
collecting this data.
I believe that Congress needs to address not only the issue
with Experian, but the broader issue of the collection and use
and protection of personally identifiable information that is
being collected by the Government, by the private sector, and
others with regard to this personally identifiable data.
And I guess this is really more of a statement than a
question, but I would like to know your opinion on that. Well,
actually, there is a question first, and that is, Does Experian
face requests from Federal regulators that are mandatory to
provide data to them?
Mr. Smith. Senator, Mr. Chairman, I assume you mean
Equifax?
Chairman Crapo. Yes. Excuse me.
Mr. Smith. Yes.
Chairman Crapo. Equifax.
Mr. Smith. A general observation, a reaction to your
thoughts there, if there was a better way to ensure that those
that aggregate and manage significant amounts of data like we
do, banks do, others in the industry, we would welcome that
dialogue if there is a better path forward.
But to answer your question specifically, do we aggregate
and provide data to different Government entities, the answer
is yes.
Chairman Crapo. All right. Thank you.
And I apologize. In fact, I gave the Experian examples, and
that was just a mistake.
But your answer is that, yes, Equifax also provides data to
those regulators, and it is not always voluntary, is it? In
other words, you must provide it on occasion when it is
required from agencies?
Mr. Smith. Yes.
Chairman Crapo. So let me ask you the general question,
then. As Congress looks at this issue, it seems to me that it
should be obvious that we should look much more broadly than
even just one private-sector company and even then just the
private sector, but to the data collection that is going on
across our society, including the data collection that the
Government itself is collecting. Would you agree?
Mr. Smith. The rate and pace of cyberattacks is increasing
at a rate that is unbelievable. If there is a way for public-
private partnership to intelligently sit around a table and
debate that and find better ways to manage and secure data, we
would welcome that dialogue.
Chairman Crapo. Thank you.
And I note that Senator Sasse came in, so he will get the
last word. We are doing a 3-minute round, Senator Sasse.
Senator Sasse. Thank you, Mr. Chairman, and I would like to
just associate myself with your comments right there about the
digital revolution moment we are at, and the speed and pace of
data aggregation and collection should push the Congress to
have some real hard discussions about data ownership and
transmission and implicit contracts where individuals are not
contracting with one of the three credit bureaus and their data
is still being managed and shipped in ways that they cannot
control. I agree with you that we should have hearings and a
lot of debate about this important topic in the digital
revolution.
Mr. Smith, I want to just see if I can be clear about where
I think we stand nearly 2 hours into this hearing. Your
company, which has only two competitors, right? Really you only
have two competitors--has lost the data of 145 million
Americans, and this is not a spreadsheet problem. This is a
real human problem where 2 and 3 and 4 years from now, you are
going to have real Americans whose identity is going to be
stolen, and their credit is going to be abused in the future.
And they are going to have difficulty qualifying for a home
loan or a car loan or they are going to pay a differential
interest rate than they should be paying because of the rotten
credit score that they are going to have.
And in response, your company could potentially make a
profit from selling LifeLock products. Again, I agreed with you
earlier that a lot of the forward-looking innovation that may
come from this could incrementally improve things, but I think
we are most interested right now in the retrospective moment
for these 145 million.
You are going to have a product that could potentially be
sold to the very victims. It feels like a broken-windows
business model where you did not actively chuck the bricks, but
your company allowed bricks to be tossed through windows, and
then you might potentially be able to sell new windows to some
of the same people whose windows were just broken.
And I think the way you explained your LifeLock product in
your testimony makes some sense for what you plan to roll out
in January of 2018, but it is still really hard to understand
it as a fraud protection product when you think about the
victims historically. So I want to go back for just a minute to
this contract with the IRS.
So we checked, and it appears to be a no-bid, even if it is
a revolving contract that is a no-bid, but the purpose of the
contract with the IRS looks like it is fraud prevention, right?
You are trying to prevent fraudulent access.
I will not ask for a show of hands in the room, but I do
not know who would want to say we should buy fraud protection
from the people who were just hacked and dumped 145 million
American records.
So just honestly as an American--and I appreciate the fact
that you have resigned from the company, but as an American,
why should anybody hire Equifax for fraud protection right now
after the exposure?
Mr. Smith. Senator, I understand your point. We are a
company that has been around for 118 years and for most of
those 118 years have done good things for many stakeholders,
including the Government, and one of those things we have done
very proudly is prevent fraud for many entities, including the
Government.
I come back. It was a horrific breach, and I apologize on
behalf of the company for that breach. We will make it right as
best we can, but it does not wipe out 118 years of good work we
have done.
Senator Sasse. Thank you.
I am going to be following up with the IRS and asking them
why this contract should go forward, but thank you for your
willingness to appear before the Committee today.
Mr. Smith. Thank you.
Chairman Crapo. Thank you, Senator.
And that concludes the questioning.
Mr. Smith, we do appreciate you coming before the Committee
and appearing today.
For all Senators, all follow-up questions need to be
submitted by next Wednesday, October 11th.
And, Mr. Smith, we ask that you please respond promptly to
those questions. We usually like to see the responses within a
week, if possible.
With that, this hearing is adjourned.
Mr. Smith. Thank you.
[Whereupon, at 12:01 p.m., the hearing was adjourned.]
[Prepared statements, responses to written questions, and
additional material supplied for the record follow:]
PREPARED STATEMENT OF RICHARD F. SMITH
Former Chairman and Chief Executive Officer, Equifax, Inc.
October 4, 2017
Preliminary Statement
Chairman Crapo, Ranking Member Brown, and Honorable Members of the
Committee, thank you for the opportunity to testify today.
I am here today to recount for this body and the American people,
as best I am able, what happened when Equifax was hacked by a yet
unknown entity and sensitive information of over 140 million Americans
was stolen from its servers, and to outline the remediation steps the
company took. We at Equifax clearly understood that the collection of
American consumer information and data carries with it enormous
responsibility to protect that data. We did not live up to that
responsibility, and I am here today to apologize to the American people
myself and on behalf of the Board, the management team, and the
company's employees.
Let me say clearly: As CEO I was ultimately responsible for what
happened on my watch. Equifax was entrusted with Americans' private
data and we let them down. To each and every person affected by this
breach, I am deeply sorry that this occurred. Whether your personal
identifying information was compromised, or you have had to deal with
the uncertainty of determining whether or not your personal data may
have been compromised, I sincerely apologize. The company failed to
prevent sensitive information from falling into the hands of
wrongdoers. The people affected by this are not numbers in a database.
They are my friends, my family, members of my church, the members of my
community, my neighbors. This breach has impacted all of them. It has
impacted all of us.
I was honored to serve as the Chairman and Chief Executive Officer
of Equifax for the last 12 years, until I stepped down on September 25.
I will always be grateful for the opportunity to have led the company
and its 10,000 employees. Equifax was founded 118 years ago and now
serves as one of the largest sources of consumer and commercial
information in the world. That information helps people make business
and personal financial decisions in a more timely and accurate way.
Behind the scenes, we help millions of Americans access credit, whether
to buy a house or a car, pay for college, or start a small business.
During my time at Equifax, working together with our employees,
customers, and others, we saw the company grow from approximately 4,000
employees to almost 10,000. Some of my proudest accomplishments are the
efforts we undertook to build credit models that allowed and continue
to allow many unbanked Americans outside the financial mainstream to
access credit in ways they previously could not have. Throughout my
tenure as CEO of Equifax, we took data security and privacy extremely
seriously, and we devoted substantial resources to it.
We now know that criminals executed a major cyberattack on Equifax,
hacked into our data, and were able to access information for over 140
million American consumers. The information accessed includes names,
Social Security numbers, birth dates, addresses, and in some instances,
driver's license numbers; credit card information for approximately
209,000 consumers was also stolen, as well as certain dispute documents
with personally identifying information for approximately 182,000
consumers.
Americans want to know how this happened and I am hopeful my
testimony will help in that regard. As I will explain in greater detail
below, the investigation continues, but it appears that the breach
occurred because of both human error and technology failures. These
mistakes--made in the same chain of security systems designed with
redundancies--allowed criminals to access over 140 million Americans'
data.
Upon learning of suspicious activity, I and many others at Equifax
worked with outside experts to understand what had occurred and do
everything possible to make this right. Ultimately we realized we had
been the victim of a massive theft, and we set out to notify American
consumers, protect against increased attacks, and remediate and protect
against harm to consumers. We developed a robust package of remedial
protections for each and every American consumer--not just those
affected by the breach--to protect their credit information. The relief
package includes: (1) monitoring of consumer credit files across all
three bureaus, (2) access to Equifax credit files, (3) the ability to
lock the Equifax credit file, (4) an insurance policy to cover out-of-
pocket costs associated with identity theft, and (5) dark web scans for
consumers' Social Security numbers. All five of these services are free
and without cost to all Americans. Equifax also recently announced an
important new tool that has been under development for months that will
allow consumers to lock and unlock their credit files repeatedly, for
life, at no cost. This puts the control of consumers' credit
information where it belongs--with the consumer. We have also taken
steps to better protect consumer data moving forward.
We were disappointed with the rollout of our website and call
centers, which in many cases added to the frustration of American
consumers. The scale of this hack was enormous and we struggled with
the initial effort to meet the challenges that effective remediation
posed. The company dramatically increased the number of customer
service representatives at the call centers and the website has been
improved to handle the large number of visitors. Still, the rollout of
these resources should have been far better, and I regret that the
response exacerbated rather than alleviated matters for so many.
How It Happened
First and foremost, I want to respond to the question that is on
everyone's mind, which is, ``How did this happen?'' In my testimony, I
will address both what I learned and did at key times in my role as
CEO, and what I have since learned was occurring during those times,
based on the company's ongoing investigation. Chronologically, the key
events are as follows:
On March 8, 2017, the U.S. Department of Homeland Security,
Computer Emergency Readiness Team (U.S.-CERT) sent Equifax and many
others a notice of the need to patch a particular vulnerability in
certain versions of software used by other businesses. Equifax used
that software, which is called ``Apache Struts'', in its online
disputes portal, a website where consumers can dispute items on their
credit report.
On March 9, Equifax disseminated the U.S.-CERT notification
internally by email requesting that applicable personnel responsible
for an Apache Struts installation upgrade their software. Consistent
with Equifax's patching policy, the Equifax security department
required that patching occur within a 48-hour time period. We now know
that the vulnerable version of Apache Struts within Equifax was not
identified or patched in response to the internal March 9 notification
to information technology personnel.
On March 15, Equifax's information security department also ran
scans that should have identified any systems that were vulnerable to
the Apache Struts issue identified by U.S.-CERT. Unfortunately,
however, the scans did not identify the Apache Struts vulnerability.
Equifax's efforts undertaken in March 2017 did not identify any
versions of Apache Struts that were subject to this vulnerability, and
the vulnerability remained in an Equifax web application much longer
than it should have. I understand that Equifax's investigation into
these issues is ongoing. The company knows, however, that it was this
unpatched vulnerability that allowed hackers to access personal
identifying information.
Based on the investigation to date, it appears that the first date
the attacker(s) accessed sensitive information may have been on May 13,
2017. The company was not aware of that access at the time. Between May
13 and July 30, there is evidence to suggest that the attacker(s)
continued to access sensitive information, exploiting the same Apache
Struts vulnerability. During that time, Equifax's security tools did
not detect this illegal access.
On July 29, however, Equifax's security department observed
suspicious network traffic associated with the consumer dispute website
(where consumers could investigate and contest issues with their credit
reports). In response, the security department investigated and
immediately blocked the suspicious traffic that was identified. The
department continued to monitor network traffic and observed additional
suspicious activity on July 30, 2017. In response, they took the web
application completely offline that day. The criminal hack was over,
but the hard work to figure out the nature, scope, and impact of it was
just beginning.
I was told about the suspicious activity the next day, on July 31,
in a conversation with the Chief Information Officer. At that time, I
was informed that there was evidence of suspicious activity on our
dispute portal and that the portal had been taken offline to address
the potential issues. I certainly did not know that personal
identifying information (PII) had been stolen, or have any indication
of the scope of this attack.
On August 2, consistent with its security incident response
procedures, the company: (1) retained the cybersecurity group at the
law firm of King & Spalding LLP to guide the investigation and provide
legal and regulatory advice; (2) reached out, through company counsel,
to engage the independent cybersecurity forensic consulting firm,
Mandiant, to investigate the suspicious activity; and (3) contacted the
Federal Bureau of Investigation (FBI).
Over the next several weeks, working literally around the clock,
Mandiant and Equifax's security department analyzed forensic data
seeking to identify and understand unauthorized activity on the
network. Their task was to figure out what happened, what parts of the
Equifax network were affected, how many consumers were affected, and
what types of information were accessed or potentially acquired by the
hackers. This effort included identifying and analyzing available
forensic data to assess the attacker activity, determining the scope of
the intrusion, and assessing whether the intrusion was ongoing (it was
not; it had stopped on July 30 when the portal was taken offline).
Mandiant also helped examine whether the data accessed contained
personal identifying information; discover what data was exfiltrated
from the company; and trace that data back to unique consumer
information.
By August 11, the forensic investigation had determined that, in
addition to dispute documents from the online web portal, the hackers
may have accessed a database table containing a large amount of
consumers' PII, and potentially other data tables.
On August 15, I was informed that it appeared likely that consumer
PII had been stolen. I requested a detailed briefing to determine how
the company should proceed.
On August 17, I held a senior leadership team meeting to receive
the detailed briefing on the investigation. At that point, the forensic
investigation had determined that there were large volumes of consumer
data that had been compromised. Learning this information was deeply
concerning to me, although the team needed to continue their analysis
to understand the scope and specific consumers potentially affected.
The company had expert forensic and legal advice, and was mindful of
the FBI's need to conduct its criminal investigation.
A substantial complication was that the information stolen from
Equifax had been stored in various data tables, so tracing the records
back to individual consumers, given the volume of records involved, was
extremely time consuming and difficult. To facilitate the forensic
effort, I approved the use by the investigative team of additional
computer resources that significantly reduced the time to analyze the
data.
On August 22, I notified Equifax's lead member of the Board of
Directors, Mark Feidler, of the data breach, as well as my direct
reports who headed up our various business units. In special telephonic
board meetings on August 24 and 25, the full Board of Directors was
informed. We also began developing the remediation we would need to
assist affected consumers, even as the investigation continued apace.
From this point forward, I was updated on a daily--and sometimes
hourly--basis on both the investigative progress and the notification
and remediation development.
On September 1, I convened a Board meeting where we discussed the
scale of the breach and what we had learned so far, noting that the
company was continuing to investigate. We also discussed our efforts to
develop a notification and remediation program that would help
consumers deal with the potential results of the incident. A mounting
concern also was that when any notification is made, the experts
informed us that we had to prepare our network for exponentially more
attacks after the notification, because a notification would provoke
``copycat'' attempts and other criminal activity.
By September 4, the investigative team had created a list of
approximately 143 million consumers whose personal information we
believed had been stolen, and we continued our planning for a public
announcement of a breach of that magnitude, which included a rollout of
a comprehensive support package for consumers. The team continued its
work on a dedicated website, www.equifaxsecurity2017.com, where
consumers could learn whether they were impacted and find out more
information, a dedicated call center to assist consumers with
questions, and a free credit file monitoring and identity theft
protection package for all U.S. consumers, regardless of whether they
were impacted.
I understand that Equifax kept the FBI informed of the progress and
significant developments in our investigation, and felt it was
important to notify the FBI before moving forward with any public
announcement. We notified the FBI in advance of the impending
notification.
On September 7, 2017, Equifax publicly announced the breach through
a nationwide press release. The release indicated that the breach
impacted personal information relating to 143 million U.S. consumers,
primarily including names, Social Security numbers, birth dates,
addresses and, in some instances, driver's license numbers.
These are the key facts as I understand them. I also understand
that the FBI's investigation and Equifax's own review and remediation
are ongoing, as are, of course, numerous other investigations.
Protecting U.S. Consumers Affected by the Breach
From the third week in August, when it became clear that our worst
fears had come true and Equifax had experienced a significant breach,
my direction was to continue investigating but first and foremost to
develop remediation to protect consumers from being harmed and comply
with all applicable notification requirements, based on advice of
outside cybersecurity counsel and Mandiant. Significantly, a major task
was the need to deploy additional security measures across the entire
network because we were advised that as soon as Equifax announced the
hack, there would be a dramatic increase in attempted hacking. There
were three main components to Equifax's plan: (1) a website where
consumers could look up if they were affected by the breach and then
register for a suite of protective tools; (2) a call center to answer
questions and assist with registration; (3) the package of tools
themselves that the company was offering to everyone in the country.
The task was massive--Equifax was preparing to explain and offer
services to every American consumer.
First, a new website was developed to provide consumers with
additional information--beyond the press release--about the nature,
extent, and causes of the breach. This was extremely challenging given
that the company needed to build a new capability to interface with
tens of millions of consumers, and to do so in less than 2 weeks. That
challenge proved overwhelming, and, regrettably, mistakes were made.
For example, terms and conditions attached to the free solutions that
Equifax offered included a mandatory arbitration clause. That
provision--which was never intended to apply in the first place--was
immediately removed as soon as it was discovered. (I was informed later
that it had simply been inadvertently included in terms and conditions
that were essentially ``cut and pasted'' from a different Equifax
offering.)
The initial rollout of Equifax's call centers had frustrating
shortcomings as well. Put simply, the call centers were confronted by
an overwhelming volume of callers. Before the breach, Equifax had
approximately 500 customer service representatives dedicated to
consumers, so the company needed to hire and train thousands more,
again in less than 2 weeks. To make matters worse, two of the larger
call centers in Florida were forced to close for a period of time in
the wake of Hurricane Irma. The closure of these call centers led to a
reduction in the number of available customer service representatives
and added to the already significant wait times that callers
experienced. Many needlessly waited on hold or were otherwise unable to
have their questions answered through the call centers, which I deeply
regret. My understanding is that the call centers are now fully
functional. The number of customer service representatives, which is
now over 2,500, continues to increase, and I am informed that wait
times have decreased substantially.
Beyond the website and the call centers, the company also developed
a comprehensive support package for all American consumers, regardless
of whether they were directly affected by the incident or not, that
includes free: (1) credit file monitoring by all three credit bureaus;
(2) Equifax credit lock; (3) Equifax credit reports; (4) identity theft
insurance; and (5) Social Security Number ``dark web'' scanning for one
year. Importantly, enrolling in the program is free, and will not
require consumers to waive any rights to take legal action for claims
related to the free services offered in response to the cybersecurity
incident or for claims related to the cybersecurity incident itself.
Despite these challenges, it appears that Equifax's efforts are
reaching many people. As of late September, the website had received
over 420 million hits. And similarly, as of late September, over 7.5
million activation emails have been sent to consumers who registered
for the program.
Equifax also recently announced a new service that I understand
will be available by January 31, 2018, that will allow consumers to
control their own credit data, by allowing them to lock and unlock
their credit files at will, repeatedly, for free, for life. I was
pleased to see the company move forward with this plan, which we had
put in motion months ago, and which I directed the company to
accelerate, as we were constructing the remedial package in response to
the breach.
The hard work of regaining the trust of the American people that
was developed over the course of the company's 118-year history is
ongoing and must be sustained. I believe the company, under the
leadership of Lead Director Mark Feidler, and interim CEO Paulino do
Rego Barros, Jr., will continue these efforts with vigor and
commitment.
How To Protect Consumer Data Going Forward
It is extremely important that notwithstanding the constant threat
of cybercriminals, the American people and the Members of this
Committee know that Equifax is doing everything in its power to prevent
a breach like this from ever happening again. Since the potential
breach was discovered, those inside and outside the company have worked
around the clock to enhance the Company's security measures. While I am
limited in what I can say publicly about these specific measures, and
going forward these questions are best directed to new management, I
want to highlight a few steps that Equifax has already taken to better
protect consumer data moving forward, including the website developed
to respond to the hack, and some changes still to come.
In recent weeks, vulnerability scanning and patch management
processes and procedures were enhanced. The scope of sensitive data
retained in back-end databases has been reduced so as to minimize the
risk of loss. Restrictions and controls for accessing data housed
within critical databases have been strengthened. Network segmentation
has been increased to restrict access from internet-facing systems to
back-end databases and data stores. Additional web application
firewalls have been deployed, and tuning signatures designed to block
attacks have been added. Deployment of file integrity monitoring
technologies on application and web servers has been accelerated. The
company is also implementing additional network, application, database,
and system-level logging. These are just a few of the steps Equifax has
taken in recent weeks to shore up its security protocols.
Importantly, Equifax's forensic consultants have recommended a
series of improvements that are being installed over the next 30-, 60-,
and 90-day periods, which the company was in the process of
implementing at the time of my retirement. In addition, at my direction
a well-known, independent expert consulting firm (in addition to and
different from Mandiant) has been retained to perform a top-to-bottom
assessment of the company's information security systems.
Beyond the recent technological enhancements, Equifax has also made
several strategic personnel changes at the highest levels of the
company. Accountability starts at the top and I, therefore, decided to
step down as CEO and retire early to allow the company to move forward.
Before I retired, our Chief Information Officer and Chief Security
Officer also left the company. Equifax's interim appointments for each
of these positions, including Paulino do Rego Barros, Jr., the interim
CEO, are ready, able and qualified to step into their new roles and to
help consumers, and the company, recover from this regrettable
incident.
It is my hope and expectation that, at the conclusion of the
investigation, we will have an even more complete account of what
happened, how future attacks by criminal hackers can be deterred and
suspicious activity curbed more quickly, and most importantly, how
consumers' concerns about the security of their personal data can be
alleviated.
Toward a New Paradigm in Data Security
Where do we go from here? Although I have had little time for
reflection regarding the awful events of the last few weeks, this
humbling experience has crystallized for me two observations: First, an
industry standard placing control of access to consumers' credit data
in the hands of the consumers should be adopted. Equifax's free
lifetime lock program will allow consumers, and consumers alone, to
decide when their credit information may be accessed. This should
become the industry standard. Second, we should consider the creation
of a public-private partnership to begin a dialogue on replacing the
Social Security Number as the touchstone for identity verification in
this country. It is time to have identity verification procedures that
match the technological age in which we live.
The list of companies and Government agencies that have suffered
major hacks at the hands of sophisticated cybercriminals is sadly very
long, and growing. To my profound disappointment, Equifax now finds
itself on that list. I have stepped away from a company I have led and
loved and helped build for more than a decade. But I am not stepping away
from this problem and I am strongly committed to helping address the
important questions this episode has raised. Part of that starts today,
as I appear at this hearing and others voluntarily to share what I
know. Going forward, however, Government and the private sector need to
grapple with an environment where data breaches will occur. Giving
consumers more control of their data is a start, but is not a full
solution in a world where the threats are always evolving. I am hopeful
there will be careful consideration of this changing landscape by both
policymakers and the credit reporting industry.
Conclusion
Chairman Crapo, Ranking Member Brown, and Honorable Members of the
Committee, thank you again for inviting me to speak with you today. I
will close by saying again how sorry I am that this data breach
occurred. On a personal note, I want to thank the many hard-working and
dedicated people who worked with me for the last 12 years, and
especially over the last 8 weeks, as we struggled to understand what
had gone wrong and to make it right. This has been a devastating
experience for the men and women of Equifax. But I know that under the
leadership of Paulino and Mark they will work tirelessly, as we have in
the past 2 months, to make things right.
I realize that what I can report today will not answer all of your
questions and concerns, but I can assure you and the American public
that I will do my level best to assist you in getting the information
you need to understand this incident and to protect American consumers.
RESPONSES TO WRITTEN QUESTIONS OF
THE SENATE BANKING COMMITTEE FROM RICHARD F. SMITH
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Additional Material Supplied for the Record
LETTER SUBMITTED BY THE CREDIT UNION NATIONAL ASSOCIATION
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
EQUIFAX, INC., ``INSIDER TRADING POLICY''
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
EQUIFAX, INC., ``CORPORATE CRISIS MANAGEMENT PLAN, PART I''
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
EQUIFAX, INC., ``CORPORATE CRISIS MANAGEMENT PLAN, PART II''
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
EQUIFAX, INC., ``CORPORATE CRISIS MANAGEMENT PROGRAM, APPENDIX H''
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
EQUIFAX, INC., ``REGIONAL CRISIS MANAGEMENT PLAN''
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
EQUIFAX, INC., ``SECURITY INCIDENT HANDLING POLICY AND PROCEDURES''
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]