Why do these hacks seem never ending? Why don’t more firms require two-factor authentication? What is the latest on the Equifax hack? While I was in Washington D.C. for the hearings on Equifax, Adam Levin and I appeared in-studio at WTOP to talk with host Dimitri Sotis.
Meanwhile, here’s more of my impressions from the hearing.
Former Equifax CEO Richard Smith answered questions for three hours before Congress on Tuesday, but offered little new information for consumers concerned about perhaps the most important hack of personal information in America’s history.
Smith took questions about the failure to install a security update that would have stopped the hack, the firm’s offer of a new credit “lock” product, and suspicious stock sales by executives. He refused to address who might be behind the hack, or even offer an opinion if a nation-state might be involved.
Smith largely blamed “human error” for the incident, saying there was a single person responsible for flagging security patches who failed to communicate the need to install a critical update back in March.
Rep. Greg Walden (R-Oregon) expressed astonishment at that explanation, which suggests a single point of failure.
“Do you not have a double check?” he said. “You can’t pass a law that fixes stupid.”
That employee is no longer with the company, Smith said.
Smith said the backup plan put in place was technological — a software scan for vulnerabilities — and that failed, too.
“That is still under investigation,” Smith said.
The hearing was a bit odd, as many members asked probing questions about what Equifax will do going forward to make consumers whole, but Smith is no longer employed by the firm.
Smith also made at least one obvious error, first confirmed by Ron Lieber at the New York Times — that security freezes require bureaus to mail a PIN code to consumers, which can create days- or weeks-long delays. Smith said it by way of promoting the benefits of Equifax’s new “lock” product. PINs can be mailed, but that is not a requirement.
It’s possible Smith made other mistakes, too. At one point, he asserted that only consumers who had occasion to use Equifax’s dispute resolution portal were impacted by the data heist — Equifax has said hackers used that site to gain access. He said this to assure Congress members that core credit report files were not compromised or altered. But it’s unclear how 145 million consumers would have encountered the dispute portal or process.
“I worry that your job today is damage control. Put a happy face (on this) and then leave with a golden parachute,” said Rep. Ben Ray Lujan (D-New Mexico). “It’s unconscionable Equifax failed so spectacularly. It’s reprehensible that the same company (could profit) from the pain they have caused.”
Smith said that consumers who were initially given a vague response by Equifax’s website about the potential hack of their data should have received clarity now.
“That backlog is completely drained,” he said. But it’s still easy to find consumers online complaining about having trouble with Equifax’s website.
Smith was asked twice who was responsible for the hack and demurred. When he was specifically asked if a nation-state could be behind it, he said only, “We engaged the FBI. That’s all I’ll say.”
The testiest exchange occurred when Lujan tried to pin Smith down on the difference between the new credit lock product and traditional freezes. When Lujan asked if Equifax would pay for freezes at the other two credit bureaus, TransUnion and Experian, Smith obfuscated.
“I’ll take that as a no,” Lujan said.
To read a stream of Tweets from me at the hearing, click here.
Smith blames human error for failure to apply patch. Can one person ever really make such a mistake? It takes a broken system.. #Equifax
— Bob Sullivan (@RedTapeChron) October 3, 2017