Former and current Equifax and Yahoo executives appeared on Capitol Hill on Wednesday to testify about the major consumer data breaches that occurred under their watch. An executive at Verizon, which acquired Yahoo this summer, was also called as a witness.
The hearing took place this morning before the Senate Commerce, Science and Transportation Committee. Former Yahoo CEO Marissa Mayer, Interim CEO of Equifax Paulino do Rego Barros, and former Equifax CEO Richard Smith testified, as well as Verizon Chief Privacy Officer Karen Zacharia and Entrust Datacard CEO Todd Wilkinson.
Certain themes popped up throughout the hearing. One is that the companies confessed to being essentially helpless in the face of state-sponsored cyberattacks, such as those routinely attributed by the US government to China, Russia, and North Korea. There appeared to be a consensus among the witnesses that without a direct partnership with the government—the National Security Agency (NSA) was mentioned several times—there would be little use in trying to combat persistent foreign threats.
There’s been no evidence presented so far that the Equifax breach was a state-sponsored event.
Two of the CEOs conceded that Social Security numbers should no longer be used as the primary means of identifying consumers. Overall, the use of Social Security numbers was portrayed as an antiquated security measure that could only lead to future harm.
Announced in September, the Equifax breach is considered one of the most potentially damaging in US history, particularly due to the huge amount of Social Security numbers compromised. It is estimated that the personal information of up to 145 million Americans may have been stolen. Moreover, the breach appears to have been easily avoidable—the credit-reporting agency admittedly failed, repeatedly, to properly patch its systems or take other measures to avert the disaster.
The company’s CEO Richard Smith, who retired in the wake of the incident, previously admitted to Congress that the company failed to address a critical Apache Struts vulnerability. More recently, an as-of-yet unidentified security researcher claimed that he warned the company about a critical gap in its security six months before the breach occurred. Last month, the company attempted to pin the blame on a single employee.
In contrast, the Yahoo breach, which occurred in August 2013 and was reportedly initiated by a state-sponsored actor, is considered the biggest in history. The names, email addresses, and passwords, of roughly three billion accounts—including Tumblr and Flickr—were compromised. Essentially, all of its users were in some way impacted, though no Social Security numbers or financial information was involved. The company was also struck by hackers the following year.
At the start of the hearing, Equifax interim CEO Barros stated that in the wake of the breach, Equifax has focused heavily on improving its customer relations, adding that he himself has visited call centers and taken calls from consumers. The company, he said, has expanded its use of customer interaction over social media, improved its website, added staff to call centers and “made the overall experience more consumer friendly.”
Equifax’s chief security officer, he added, now reports directly to Barros. Traditionally, the person in that role reports to the chief technology or chief information officer, something a majority of security experts advise against. Equifax is currently focused, he continued, on “rapidly” improving its security infrastructure and hardening its networks by changing up its vulnerability detection procedures.
Mayer, Yahoo’s CEO from 2012 until this summer when the company was sold to Verizon, had to be compelled to appear by subpoena. She said in her opening statement that Yahoo promptly reported the breach to law enforcement—including the Federal Bureau of Investigation—after discovering it had been targeted by a state-sponsored actor. Initially, Yahoo was not aware that all of its users had been impacted, she said, but notified those understood to be compromised at the time.
“We now know that Russian intelligence officers and state-sponsored actors were responsible for highly complex and sophisticated attacks on Yahoo’s systems,” Mayer said. The threat from state-sponsored attacks, she added, “has changed the playing field so dramatically that today all companies, even the most well defended ones, could fall victim to these crimes.”
Mayer later said that, to this day, Yahoo has not been able to identify the intrusion that led to the theft of its users’ data.
With an admission from Mayer that Yahoo was seemingly defenseless against state-sponsored attacks, Sen. Bill Nelson, the committee’s ranking Democrat, turned to Verizon’s representative, Zacharia, to ask what the company would do to solve that problem. Working with the government, she said, was key, adding: “Verizon has long believed there should be national data security and data breach legislation.”
Seemingly unsatisfied by most of the solutions offered by the company—beefing up their security and improving customer relations—Sen. Nelson insisted more work was required. “It’s going to take an attitude change among companies such as yours, that we’ve got to go to extreme limits to protect our customers’ privacy.”
Turning to Equifax, Nelson said the company holds a “financial guillotine” over its customers: “If your data is not protected, a poor little fella that goes to buy a house, and he’s got it ready and he’s got the down payment, and he can’t get a mortgage because now he’s got something, a black mark, on his credit rating that’s not real, but has been placed there because of a data breach and the poor little fella can’t close on his house. This has huge consequences.”
“Mr. Senator, there’s no doubt that securing data is the core value of our company,” replied Smith, apologizing “deeply” for letting the public down. Cooperation between the government and the private sector is sorely needed, he insisted, to address the threat.
Sen. Roger Wicker, Republican of Mississippi, was first to raise the issue of whether “dynamic identities” were needed to replace the practice of using Social Security numbers—which never change throughout a citizen’s lifetime—as the primary means of identifying consumers. Several of the witnesses had pointed, as a solution, to the Brazilian government, which issues three-year digital identities to its citizens.
Wicker asked the witnesses whether Brazil’s system truly benefited the country’s consumers. Both Wilkinson, Datacard’s CEO, and Smith, the former Equifax CEO, said digital identity systems were worth consideration, and that aspects of those systems would be a vast improvement on the more than 80-year-old Social Security system used by the United States. “Some combination of digital, multi-factor authentication I think is the right path,” Smith said.
Sen. Richard Blumenthal, Democrat of Connecticut, also pressed Equifax on the issue of arbitration clauses, which are widely used by financial companies and require consumers to address grievances behind closed doors—as opposed to civil action. In response, Equifax interim CEO Barros repeatedly refused to guarantee that his company would never limit the ability of data breach victims to avail themselves of courts.
“I believe consumers have a choice to choose their products,” Barros said.