Skip to main content

tv   Former Equifax CEO Testifies Before House Panel  CSPAN  October 3, 2017 10:03am-1:05pm EDT

10:03 am
10:04 am
b . good morning. the subcommittee on digital commerce and consumer protection will come to order. the chair now recognizes himself for five minutes for an opening statement. good morning. today we are here to get the facts to learn what happened at equifax that led to the personal information of over 143. americans information being stolen. we must find out what happened. the public deserves to know what happened and what steps are being taken to protect their sensitive data going forward. today's hearing needs to shed some much needed information and light on this breach. we have received ashursurances m equifax that mr. smith can speak on concrete remediation steps that the company took in the
10:05 am
aftermath to secure its computer systems and protect the affected u.s. customers as well as what happened when he was chief executive. as chairman of the digital commerce and consumer protection subcommittee i often speak about the fact that we live in a digitally connected world. that fact of life can have implications far and wide ranging for commercial, communications and entertainment. the breach is a massive reminder of the bad actors out there and the security challenges confronting our data powered economy. in this case. sensitive personal information that is used to build credit history and allow individuals to engage in commerce, open credit cards, buy cellphones and appliances and secure mortgages has been compromised. reasonable security measures must be implemented, practiced and continually improved by companies that collect and store data in order to guard against unauthorized access to sensitive personal information. otherwise, consumers are face
10:06 am
substantial financial harm. this risk is deeply concerning to me, and i know that the other members of the subcommittee share this view. priority number one. we must protect americans and work to safeguard their personal information online. the recent equifax data breach is unprecedented and is also unique because of the sensitivity of the information stolen, including full nine-digit social security numbers, over 143 million americans are potentially impacted. this represents approximately 44% of the total u.s. population. in my home state of ohio, approximately 5.2 million customers are likely affected. based on the information released by equifax we are informed that the massive amounts of personal and financial information was assessed from mid-may through july 2017, including names, birth dates, addresses and in some cases driver's license information. in addition, over 200,000 people
10:07 am
had their credit card information stolen and over 180,000 people had credit dispute documentation stolen. this is a staggering amount of sensitive personal information and impacts an extraordinary number of credit-viable americans that is in the hands of criminals that could result in fraud or identity theft. we need these numbers confirmed. today we must understand the following. first, how did the hackers get into equifax's system for so many weeks and pull so much information out of the system without being detected? second. what proses and procedures were in place in the event of a breach and were those processes followed? there are many questions as to who knew what and when this information was known. this will have implications and other ongoing investigations. further, the chief information officer and chief security officer made retirement announcements shortly after the public announcements of the breach and have not been
10:08 am
available for questions about their role. again, despite months of delay, why was equifax's notification and consumer production processes still met with misinformation, glitches and overall confusion. for example, there are numerous reports of difficulties assessing equifax's dedicated website or call centers. and there were dismaying reports that the official equifax twitter account directed consumers to a fake website. i believe the american public deserves to know the facts about when and how mr. smith, company management, the board of directors, were made aware its systems were vulnerable to hackers and how over 143 million sensitive personal data records were stolen. to that end, what were the steps taken and in what time frame to notify and help individuals who were impacted. i look forward to getting these answers today and many more questions for the american people answered this morning. and at this time i will ask the
10:09 am
gend gentle lady from illinois, the ranking member or five minutes for her opening statement. >> thank you, mr. chairman, for holding this hearing. the equifax data breach was massive in scale. 145.5 million american victims as of yesterday. i would call it shocking, but is it really? we have these unregulated private, for-profit credit reporting agencies collecting detailed personal and financial information about american consumers. it's a treasure trove for hackers. consumers don't have a choice over what information equifax or, for example, transunion or experian have collected, stored and sold. if you want to participate in today's modern economy, if you want to get a credit card, rent
10:10 am
an apartment, or even get a job often, than a credit reporting agency may hold the key because consumers don't have a choice, we can't trust credit reporting agencies to self-regulate. it's not like when you get sick at a restaurant and decide not to go there anymore. equifax collects your data whether you want to have it collected or not. if it has incorrect information about you, it's really an arduous process. i have tried it, to get it corrected. when it comes to information security, you are at the mercy of whatever equifax decides is right and once your information is compromised the damage is ongoing. given vast quantities of information and lack of accountability, a major breach at equifax, i would say, would be predictable, if not inevitable. i should really say breaches. this is the third major breach equifax has had in the past two
10:11 am
years. from media reports and the subcommittee's meeting with equifax after the breach it's clear that the company lact appropriate policies around data security. this particular breach occurred when hackers exploited a known vulnerability that was not yet patched. it was months later before equifax first discovered the bleach and another several weeks before equifax shared news with the consumers, this committee, the federal trade commission and the consumer financial protection bureau. senior officials at the company are saying they weren't immediately aware that the breach occurred and, yet, by the way, there were executives who sold over a million dollars in stock just days after the breach was discovered, but yet not reported. and for a lot of americans, that just doesn't pass the smell test.
10:12 am
the response to the breach was its own debacle. equifax offered consumers credit monitoring services that initially came with a mandatory arbitration clause, which fortunately has been corrected. equifax tweeted links to the wrong url directing victims to a fake website. the call center was understaffed. in the end. equifax has had to apologize for its post-breach response almost as much as it has apologized for the breach itself. equifax deserves to be shamed in this hearing, but we should also ask what congress has done or failed to do to stop data breaches from occurring and what equifax plans to do the same day that equifax breach went public, the house financial services committee held a hearing on ficra liability harmony act, a bill to protect credit reporting agencies like equifax from
10:13 am
class-action suits. imagine. in fact, equifax was lobbying for this bill after the breach was discovered in july, still not reported, and the 14 republican sponsoring this bill should ask themselves were this is really the industry they want to be in bed with. companies like equifax need more accountability, not less. i agree with the cfbd director richard cordray, that the credit reporting agencies need embedded regulators to protect consumers' sensitive information. then we need to go further. last night i reintroduced the secure and protect americans' data act, along with ranking member pallone and seven other members of the energy and commerce committee. and our bill would establish one strong data security standards, two, require prompt breach notification which we didn't get and, three, provide appropriate relief for breached victims.
10:14 am
chairman latta, american consumers don't just need answers, they need action. i hope that our bill can be a starting point for discussion on strengthening protections for americans' data. consumers deserve a whole lot better than they got from equifax. and i yield back. >> thank you. the gentle lady yields back. chair recognizes the gentleman from oregon, the chairman of the full committee for five minutes. >> i thank the chairman. we're here to do today what it appears equifax failed to do over the last several months and that's put consumers first. our job is to get answers for the more than 145 million americans who have had their personal information compromised and now fear they could be victims of fraud at any time. how could a major u.s. company like equifax, which holds the most sensitive and personal data on americans, so let them down. it's like the guards at fort
10:15 am
knox forgot to lock the doors and failed to notice the thieves were emptying the vaults. the american people deserve to know what went wrong. we want a clear time line of events and to understand what to expect moving forward. as chairman i have always tried to put consumers first on everything we do on public policy. today we'll begin to get the answers for the public, hold equifax accountable and make clear that businesses hold the america's most sensitive data have a responsibility under existing laws to protect those data. today gives whole new meaning to mr. smith goes to washington. it's not a run on the bank that's at issue, it's a run on financial records of 145 million americans. and the consequences and the inconveniences for fellow citizens is every bit as important to discuss today as the reasons behind why this breach occurred in the first place. mr. smith, as former chairman and ceo of equifax at the helm during and immediately after the breach, we appreciate your being here, and we expect your candor and full cooperation as we march
10:16 am
toward getting the facts in this case. while there is no such thing as perfect security, companies do have a legal obligation to protect sensitive consumer data. this diligence is necessary to both comply with existing laws and maybe more importantly earn and keep the public's trust in a data-driven economy. given the size of the breach and the sensitivity of the data we expect to learn more about how equifax failed to secure its systems and what contingency plans were in place. further, we need to understand how information flowed through the organization and when you and other senior executives were notified about the breach. in other words how important was cyber security to you as the ceo and the rest of the executive team. d while there are still many questions that need answers, a few details have emerged. first, the vublnerability that the hackers used to get into the
10:17 am
equifax system was discovered in early march. from the beginning the vulnerability was described as critical and easily exploitable. the information was pushed out through multiple security information sharing channels including by the u.s. computer emergency readiness team to equifax's chief security officer. for some period of time between march and august of 2017, the hackers were able to sit on equifax's system and siphon out 145 million records without being detected. how did this go unnoticed? further, is there a process in place to raise flags or alarms when massive amounts of data are pulled out of the equifax system? then there are questions about equifax's response for consumers that we need answers to. why was the consumer facing website created on a separate domain from the main equifax website? did anyone raise concerns about creating more consumer confusion with a separate website? are consumers able to sign up for the products offered by
10:18 am
equifax today? how many consumers have placed a fraud alert on their account or frozen their credit? on top of all the other issues, multiple times equifax tweeted the wrong url, directing consumers to the wrong website to check if they were part of a breach. talk about ham-hadded -- handed responses this is unacceptable. i have to agree with the interim ceo when he said there is insufficient support for consumers. it's important that, as congress does its work on public policy issues, that the federal trade commission and other agencies, including law enforcement agencies, continue their work, especially in light of recent reports that indicated there are markers of nation-state activity involved with this hack. but today, mr. smith, i and the rest of the committee and congress and the country expect the answers. after all, the buck does stop with you as ceo.
10:19 am
and i thank you for being here. and i return the balance of my time. >> thank you very much. the gentleman yields back. the chair now recognizes the gentleman from new jersey, the chairman -- or the ranking member of the full committee. >> thank you, mr. chairman. while i understand that law enforcement and internal investigations into this incident are still ongoing, i expect to get more information today on what happened and why it took so long to inform the public. most importantly, we want answers for consumers because equifax's response to this breach has been unacceptable. so too has been equifax's ongoing lax attitude when it comes to protecting consumer data. it's been four weeks since the breach was made public and at least ten weeks since it was discovered by equifax's employees, yet equifax's customer service has been confusing and unhelpful.
10:20 am
equifax even tweeted a link to a fake website. many of the remedies now offered to consumers were not offered up front or in good faith. they were forced out of the company only after public outcry and are still inadequate. it's hard to imagine that anyone at equifax thought it was a good idea to offer only one year of credit monitoring with an arbitration clause at first to boot. free and comprehensive monitoring and identity theft protection should be offered for far longer than a year. most recently equifax added lifetime credit locks to its offering, which consumer advocates suggest are weaker than credit freezes. regardless, a lock or a freeze at only one credit bureau is almost useless. equifax should work with the other credit bureaus to immediately create a free, quick and easy-to-use freeze and unfreeze, one-stop shop. because credit freezes or locks may not work for everyone, going forward equifax should do more than credit locks. it should give consumers more control over how their data is used and stored.
10:21 am
in addition. if equifax wants to stay in business, its entire corporate culture needs to change to one that values security and transparency. after all, this is not equifax's first data breach in the past year. consumers do not have any say in whether or not the equifax collects and shares their data. and that's what makes this breach so concerning. this is unlike other breaches at stores such as target and michael's where consumers could make a choice and change their shopping habits if they were upset with how the companies protected data. that's simply not the case with equifax. while data breaches have unfortunately become commonplace it's long past time for congress, beginning with this committee, to act. since at least 2005 this subcommittee has been considering data breach legislation but it's never become law. and it's time we change that. yesterday ranking member schakowsky and i reintroduced the secure and protect america's data act. the bill would require enforceable. robust data security practices and meaningful notice to
10:22 am
consumers. it would give additional protections to consumers after a breach. of course, breaches will continue to occur. but they occur more often when there is no accountability and no preventive meshurasures are place. we need to start somewhere. mr. smith, i read your op-ed in "usa today" last month and the sue ceo's op-ed in the "wall street journal" last week. i appreciate that you're sorry but my question is what now. i yield back. >> i thank the committee's leadership for organizing this important hearing. 145, 500,000, a million americans. 145.5 million people at risk because of equifax's failure. now, mr. smith, the american people deserve answers, and i hope you are prepared to provide
10:23 am
them. not just about what caused the breach, but what equifax is doing to prevent this from happening again. and to ensure that those who were harmed are made whole. i worry that your job today is about damage control. to put a happy face on your firm's disgraceful actions and then depart with a golden parachute. unfortunately, if fraudsters destroy my constituents' savings and financial futures there is no golden parachutes awaiting them. we have questions and it's our expectation that you have concrete answers. we need to work together to hammer out real solutions. i recently took a step in that direction by introducing the freeze credit freeze -- the free credit freeze act to allow consumers to protect themselves by freezing and unfreezing their credit at no charge. it is unconscionable that
10:24 am
equifax failed so spectacularly to protect people's most sensitive personal data. it's even more reprehensible that the same company profits from the pain that they have caused. and i certainly hope that we can get some assurances from the committee's leadership that we will have a markup and a hearing on legislation to address this mess. and i hope that that assurance can be given before the holidays of 2017. i yield back the balance of my time. >> thank you very much. the gentleman yields back. and this concludes the -- our member opening statements. the chair would remind members that pursuant to committee rules all members' opening statements will be made part of the record. today we have mr. richard smith, the former chairman and ceo of equifax, inc., who is here to testify before the subcommittee. he'll have an opportunity to give an opening statement followed by a round of questions from the members.
10:25 am
mr. smith, you are recognized for five minutes. thank you. thank you. the honorable members of the sxhit it's an honor to be here before you today. my name is rick smith. for the last 12 years i have had the honor of being the ceo and the chairman of equifax. earlier this week i submitted a written testimony which at this time i don't plan on going through any detail on that, but rather i am here today to explain to you, the american -- you and the american people how criminal hackers were able to steal personal information on over 145 million americans from our servers and, as importantly, to discuss with you today what the company's response was to that criminal hack. the criminal hack happened on my watch. and as ceo, i am ultimately responsible and i take full
10:26 am
responsibility. i am here today to say to each and every person affected by this breach, i am truly and deeply sorry for what happened. i have talked to many consumers. i have read your letters. and equifax is committed to make it whole for you. americans have a right to know how this happened. i have prepared to testify today about what i have learned and what i did about this incident. in my role as ceo and as chairman of the board. and also, what i know about the incident as a result of being briefed by the company's investigation which is ongoing. we know now that this criminal attack was made possible because of a combination of human error and technological error. the human error involved the failure to apply a software patch to our dispute portal in march of 2017.
10:27 am
technological error involved the scanner which failed to detect that vulnerability on that particular portal. both errors have since been addressed. on july 29th, and july 30th, suspicious activity was detected and the team followed our security incident protocol. the team immediately shut down the portal and began our internal security investigation. on august 2nd, we hired top cyber security forensic and legal experts and at a time we notified the fbi. at that time, to be clear, we did not know the nature or the scope of the incident. it was not until late august that we concluded that we had experienced a major breach. over the weeks leading up to september 7th, our team
10:28 am
continued working around the clock to prepare. we took four steps to protect consumers. step number one. determining when and how to notify the public, relying on the advice of our experts that we needed to have a plan in place as soon as we announced. step two, helping consumers by developing a website, staffing up massive call centers, and offering services free to every american. three, preparing for increased cyb cyber attacks which we were advised by the cyber security experts that we should expect. and finally, continuing to coordinate with the fbi and their criminal investigation of the hackers. and also to notify other federal and state agencies. in the rollout of our remediation program, mistakes were made for which, again, i
10:29 am
deeply apologize. i regret the frustration that many americans felt when our websites and call centers were overwhelmed in the early days. it's no excuse. but it certainly did not help that hurricane irma took down two of our larger call centers in the first few days after the breach. since then, however, the company has dramatically increased its capacity, and i can report to you today that we have handled over 420 million consumer visits to our website in just over three weeks. and the weight times ait times centers have been substantially reduced. at my direction the company offered a broad package of services to all americans. in addition, we developed a new service, available on january
10:30 am
31st, 2018, that will give all consumers the power to control access to their credit data by allowing them to lock and unlock their credit files when they want. and they can do that for free, for life. putting the power to control access to credit data in the hands of the american consumer is a step forward. i look forward to discussing this new tool with you during my testimony. as we have all painfully learned, data security is a national security problem. putting the consumer in control of their credit data is a first step towards a long-term solution to the industry or the problem of identity theft, but no single company can solve a larger problem on its own. i believe we need a partnership to evaluate how to protect data going forward. i look forward to being a part
10:31 am
of that dialogue. chairman latta. ranking member sta cowski. thank you for inviting me to speak to you. i will close again by saying, again, how sorry i am for this breach. on a personal note. i want to thank the many hard-working and dedicated employees who have worked with me so tirelessly over the past 12 years at equifax. equifax is a very good company with thousands of great people waking up every day trying to do what is right. i know they'll continue to work tirelessly as we have over the past two months to right the wrong. i am looking forward to answering your questions. thank you. >> thank you very much. this concludes our witness testimony. we'll move into the question and answer portion of our hearing. i will begin with recognizing
10:32 am
myself for five minutes. i remind the members to try to keep the five-minute rule on questions in place. you'll hear the tapping. i will begin with the questioning. mr. smith, the time line of events is raising some red flags i would like to ask you about. according to your statement, the first time you heard about the breach in security was on july the 31st of 2017. is that correct? >> yes, congressman, that is correct. >> you first asked for a briefing about the breach on august the 15th. is that correct? >> yes. that is correct. >> the first time the board of directors was notified about the breach was august 24th. is that correct? full board? >> congressman, on the 22nd of august i notified our presiding director at that time. the full board was briefed on the 24th, again on the 25th and subsequent meetings after that. >> you notified the public about the breach on september 7th,
10:33 am
correct? >> that is correct. >> you state in your testimony that you began developing the remediation for consumers on august the 24th or the 25th. why was there a ten-day delay between you fiennding out that personal stolen had been likely stolen and beginning to develop the remediation plan. and do you think the ten-day window was responsible to start talking about how to talk to the consumers. >> i understand the question. if i may go back to the time frame of the 31st. the 29th and 30th someone in security had detected what they deemed as suspicious activity. that is something that happens routinely around our business. on the 30th, bring down this particular portal. and they start their own internal investigation. as i had mentioned in my opening comments and my written testimony, on the 2nd of august they had engaged leading
10:34 am
forensic experts, cyber experts and leading king & spallingding security team. when you talk to forensics experts, they will tell you the complications of trying to understand where these criminals were, the footprints they had left, the inquiries they had made, it's a cumbersome process. that's why it took weeks before we had an indication for the breadth and the depth of the issue which brought us to the august 24th date you had mentioned. >> let's back up to july 31st when you learned -- you were talking with the experts. and you testified you did not know that personal information had been stolen at that point. did you ask anyone if personal information had been stolen when you found out about that breach? >> congressman.
10:35 am
on the 31st all i was told at a time was that security had noticed a suspicious movement of data out of an environment we call a dispute portal. it wasn't until later that they understood that was an actual dispute document. we have no indication on the 31st of july that there was any p.i.i. information that was vulnerable. >> again, not knowing if that information -- the personal information had been stolen at that time -- your company is built on data. at any point did you think it was important or somebody in the company start looking at if personal data had been stolen at that point? >> i can tell you we were working with the best forensic auditors in the business. they do this for a living. we had a great cyber team from king & spalding with us. it took them tame. at that time they didn't know if
10:36 am
data had been compromised, ex fi filtrated or what the situation was. >> how did mr. webb exactly tell you there had been a breach? phone call, e-mail, in pern? how did he notify you of the breach? >> surfait was a face-to-face b meag meeting on the 31st. he had just learned as well. the data was very fresh to him. the incident was described as an incident, not as a breach. >> is that the normal way for this information, if there had been a breach at the company, to notify someone, for the cio to come and give a face-to-face? >> at that time we had no indication it was a breach. it was a suspicious activity. >> did you tell anyone else in senior management or other members of the board of directors about the breach at
10:37 am
that time? or was it just not until you told the -- on august the 22nd when you had the one call and the 24th before the rest of the board of directors? did anyone else know about the breach. >> on july 31st we did not know it was a breach at that time. suspicious activity only. the first notification to the board was the lead director on the 22nd of august, which followed in the chronology of events a meeting i had with our cyber security experts and our outside counsel, occurred on the 17th of august. that's when the pirkcture was starting to develop. >> thank you. pli time has expired. i recognize the gentle lady from illinois, the ranking member, for five minutes. >> thank you, mr. chairman. i'm going to get right to it. i wanted to ask some questions about john kelly, the chief leal
10:38 am
officer who i understand is responsible for security at equifax or was at least at the time of the breach and its discovery. is that correct? >> that's correct. >> mr. kelly reports directly to you, the ceo, correct? >> correct. >> so we were told that mr. kelly was informed by the chief security officer the week of july 30th. we've just been talking about that. this a cyber security incident. you mentioned that, had occurred. is that correct. >> he was notified of suspicious s.w.i.f. activity in a web portal. >> our staff was told about mr. kelly was informed at the same time that the incident might have compromised personally identifiable information. is that correct? >> the only knowledge i have is he was notified on the 31st that there was suspicious activity in a consumer dispute portal.
10:39 am
>> we were told that mr. kelly then wrote a short memo to you regarding the incident. is that correct? >> correct, congress woman. in his e-mail it said, some suspicious activity. >> okay. around that same time, three equifax executives sold over $1 million of equifax stock. that's on august 1st and august 2nd. and it's reported that mr. kelly was ultimately responsible for approving those sales. is it true that mr. kelly, or one of his direct reports, would have been required to sign off on the stock sales? >> yes. mr. kelly, who is our general counsel, owns the clearance process -- >> i have a lot of questions. so the answer is yes. he had to -- he was supposed to sign off. >> yes.
10:40 am
>> did anyone of these three stu executives have knowledge the cyber security incident had occurred. >> to the best of my knowledge, no. >> when were they informed that the incident had occurred? >> i don't know exactly the date that they were informed, but they were not -- best of my knowledge they had no knowledge at the time they cleared their trades with general counsel. >> do you know for sure that they didn't know? >> to the best of my knowledge they did not know. >> and mr. kelly, who we were told knew of the breach and that it contained personal information and yet still approved the stock sale, is he still chief legal officer for equifax? >> congresswoman, i come back to it again, he did not know it was a breach -- >> that it could have been a breach. >> all he knew at the time, is my understanding, is suspicious activity when he approved the sales. >> what the heck does suspicious mean.
10:41 am
it could be a breach, right? >> it was deemed suspicious activity. we had no indication that p.i.i. was in fact compromised at that time. we had no idea if data was ex filtrated at that time. >> i understand you agreed to forego your 2017 bonus which has been about $3 million for the past two years, correct? >> that is correct. >> it's been reported that you'll still remain $18 million from pension benefits from equifax. is that accurate? >> that is correct. >> retiring, which is the category right now although the company maintains the right to change that designation, also means you'll be free to sell your equifax stock, which is worth about $24 million? is that correct? >> congresswoman that calculation -- it's hard to say. it's a complicated calculation. it depends on the total shareholder return at the time of the stock's vest.
10:42 am
i have seen different estimates. it's hard to say what the number is. we won't know until the end of the year. >> that's in addition to equifax stock you sold earlier this year for $19 million. is that correct? >> that sounds correct. >> and according to one report you could be eligible for $22 million in performance-based compensation depending how equifax stock performs in the next three years. is that right? >> let me be very clear if i may, congresswoman. when i announced my retirement and thought it was best for the company to move forward with a new leader, i agreed to step down at that time with no further compensation. i agreed i should not get a bonus. i agreed it would be no severance. i asked for nothing beyond what i had already earned. >> i was just informed by staff that the chief security officer told the chief legal officer verbally that there was pii that, according to a call with
10:43 am
staff yesterday, that actually there was a mention of the breach of personally identifiable information. the cso told -- yeah, told us in a call yesterday is what i just heard from staff. >> congresswoman, i have no documentation, no insight, no knowledge that anyone in the company informed me or in that case the chief security officer -- or the chief general counsel that there was a breach on july 31st? is that what you said? >> yes. oh, we didn't say a date, i am told. our staff didn't say a date. okay. let me just say i am glad the fbi is looking into it. many state attorneys general, the city of chicago has sued. so we'll probably get more information that way as well. thank you. >> thank you very much. the gentle lady's time expired. the chair now recognizes the chairman of the full committee, the gentleman from oregon, for five minutes.
10:44 am
>> thank you, mr. chairman. mr. smith, thanks again for being here today. as you know this is a sample of a copy of an equifax credit report in my hand. it lists social security numbers, address, credit history. debts, all the sort of personal financial information. it's the life-blood of equifax, right? i mean these data points are really, really important to what you do. as a company. >> congressman, that's correct. >> it's a $3 billion company. data on 820 million customers worldwide. yet, it appears this breach happened because the company didn't know it was running certain software on its system, right, the apache struts software that had the patch requirement? >> congressman, as i alluded to in my opening comments and written testimony, it was a human error and technology error that did not allow us to identify -- >> i think that's what we're trying to get to here. if i understand it right your
10:45 am
own information technology system did not tell the equifax security division that the apache struts software which contained the vulnerability that led to this breach was running on the equifax system. how did that happen? >> congressman, the day after the notification came out, from c.e.r.t.s, the security team notified a wide range of people in the technology team who were responsible for then finding the patch -- finding the vulnerability, applying the patch, and then days later, as is typical protocol, to deploy a technology scanner to then go look for the vulnerability, find the vulnerability, if it found a vulnerability, knew it was not patched. both the human deployment, the patch, and the scanning deployment, did not work. the protocol was followed. >> okay. so then people ask us how does that happen.
10:46 am
if, as a sophisticated a company as you headed is, with so much at risk, how does this happen? and, you know, we have colleagues that say we're going to, you know, double the fines, triple the fines, put fines in, do all these things, but how does this happen when so much is at stake? i don't think we can pass a law that, excuse me for saying this, but fixes stupid. i can't fix stupid as a colleague of mine used to say. with so much at risk -- i have talked to other software companies and people in the space who say some companies have an automated system that when a patch comes out it automatically gets installed. that's not what you had, necessarily, right? >> i am unaware of an automatic patch. system we have in place is security gets notification, and it's not uncommon to get notifications from software providers routinely, about vulnerabilities that are discovered. they follow the protocol which
10:47 am
is to notify the appropriate people, within the time frame that the protocol called for. unfortunately the human error was they did not find of the the of of of -- the patch. >> the human error piece you researchesed is that they didn't know the apache struts was running? because that's what needed patching, right? >> congressman, great question. if i may clarify. >> please. >> human error was the individual who was responsible for communicating in the organization to apply the patch did not. >> so does that mean that that individual knew that the software was there and it needed to be patched and did not communicate that to the team that does the patching? is that the heart of the issue here? >> that is my understanding, sir. >> and there is no -- i was on a bank board for a while. we always had sort of double-checks on everybody, right?
10:48 am
do you not have a double-check of some sort, an audit of some sort? is there -- it seems like that was a single point. >> the double-check was the scanning device that was deployed a few days later. >> but did the scanning device -- was -- i don't know how that process works. does it know you have that software, or do you have to tell it that's what you're scanning for? >> it's the latter. you have to tell it what it's looking for. it scans the environment. >> the individual who didn't tell the i.t. team, whatever, the security team, that's where the individual failed, was that the same person telling them wlo to look for? >> no. the scanner is deployed by the security team. i should clarify the rationale, the reason why the scanner, the technology piece, did not locate the vulnerability is still under investigation by outside counsel. >> all right. one final question. you have referenced this suspicious data, you referenced incident, american people think all of that is breach.
10:49 am
how regularly did you have incidents or suspicious movement of data? is this a routine thing that people, hey, we had another incident, another suspicious movement of data, or was this sort of outside normal operations? >> as you alluded to in your comments, we do have a lot of data. and our primary goal is to protect that data. and we have experienced millions of suspicious activity against our database any given year. >> but to the point that the head of your security team comes to you and says, hey, we've got another one? >> oh, that is not uncommon. >> how often would that happen in the course of a week? that they would come to the ceo and say, heads up? >> i don't have a number for you congressman but it's not uncommon. it's not uncommon for us to engage forensic audit firms. it's not uncommon for us to engage outside counsel to help
10:50 am
us think things through when there is a suspicious activity. it's part of doing business in the business you alluded to. >> thank you. i yield the balance of my time. >> the chair recognizes the ranking member of yields bank ad chair recognizes the gentleman from new jersey for five minutes. >> thank you. mr. smith you testified on august 11th, you were informed hackers had stolen, quote, a large amount of consumers personal information in this incident. on august 17th, i guess a week later, you said in the speech, and i quote, a huge fuopportuni for equifax, a massive opportunity for us, unquote. i'm looking for a number. at the time you gave that speech, roughly how many consumers did you believe had been compromised by the breach, if you could. >> congressman, if i may clarify. i think you alluded to august 11th date. >> then august 17th. >> august 11th i had no
10:51 am
indication. i was not informed at that time. my notification was before the august 17th meeting. you alluded to a speech from the in the 17th you said fraud is a huge opportunity for equifax. it's a massive growing business for us. i'm looking for a number. at the time roughly how many consumers did you believe had been compromised by the bleach. >> august 16th, on or about the date you talked about i gave a speech we did not how much data was compromised, what data was compromised. that story was still developing. that speech you're alluding to is a very common speech we have in communities. this happened to be at a university. we talked to them. at that time when i gave that speech, i did not know the size, the scope of the breach. >> all right. during your tenure at ex fax you expanded the business expanding and packaging data. in the speech, free data with
10:52 am
gross margin of profit of about 90% is, and i quote, a pretty unique model. i get this unique model is a good deal for equifax but can you explain how it's a good deal for consumers? >> thank you, congressman. i think i understand the question. our industry has been around for a number of years, as you know. in fact, equifax is a 118-year-old company. we're part of federally regulated ecosystem that enables consumers to get access to credit when they want access to credit and hopefully the best rates available to them at the time. we're very vital to the flow of the economy, not just the u.s. but around the world. >> i want to turn to what equifax is turning to consumers in the wake of the speech. free credit lock introduced next year. we're told free credit lock service could require consumers sharing, selling information it
10:53 am
collects to third parties with whom the individual already has a business relationship for marketing or other purse. that is true? >> this product will be a web enabled, mobile enabled application that will allow a consumer at the time he or she if they decide they want access to credit, toggle on and toggle off that application to give the bank, credit card issue we are, auto lender access to their credit file to approve their loan. >> well, by agreeing to use the equifax's lock service, will consumers also be opting into additional marketing arrangements either via equifax or partners? >> congressman, we're trying to change the paradigm. what i mean is this will be an environment viewed as a service, a utility, not a product. no cross-selling, upselling or any products available to the consumer. when they go to get and sign up for locked product, it's a service to them. that's the only product, service
10:54 am
they will be able to get. >> will equifax give consumers an easy and free method to choose not to share their data this way, even if the consumer already has a relationship with the party. >> common, i envision as this evolves over time, the consumer will have an opportunity to invite into their world who they want to have access and who they do not. it will be their choice, their power, not ours, to mat decision. >> the interim ceo announced january 31st of 2018 equifax would make locking and unlocking of a person's credit report free forever. a credit report lock is already included in trusted id, premier and other services like credit monitoring and identity theft insurance. will that still end after one year? >> congressman, a couple of differences. number one, the product we offer today for consumers protects the consumer at the same level of
10:55 am
protection they would get january 31st. the difference is today's browser enabled product or service, 391st of january will be an application much simpler and easier for the consumer to use. the protection is largely the same. so they get this free service. they sign up for one year. at the end of one year effective january 31st, 2018, goes into the locked product. >> the difference between not expiring between the credit lock part of trusted id premier and credit locking tools that will be available in january, why not just extend the freeze program? >> there's a difference between the freeze, which came to pass back in 2003, passed the law in 2004. that is now governed by state laws in all states, and it's a cumbersome process for a
10:56 am
consumer. in many cases some states require to you mail in your request for a freeze, and we must mail you a pin. so your ability to get access to credit hen you want credit is encumbered. a consumer could go to a car dealer or bank to get a credit card, forget the pin, go back home, ge the pin, mail the pin in. it's a cumbersome product. the lock product we're offering today is a step forward. lock product for the 31st of january is an even further step forward. >> my time has run out, mr. chairman. >> thank you very much. the time has expired. the chair recognizes chair emeritus of the full committee, the gentleman from texas for five minutes. >> thank you, mr. chairman. since i'm not a member of the subcommittee, thank you for your courtesy allowing me to ask questions. mr. smith, what's the market value of equifax? what's your company worth?
10:57 am
>> congressman, last time i checked, it's somewhere close to $13 billion. >> $13 billion. i'm told by my staff that this current -- this latest data breach was about 143 million people. is that right? >> we were informed yesterday from the company that is typical forensic audit there was some slight movement. the numbers adjusted, press release came out 145.5. >> i appreciate your accuracy the there. but under current law you're basically required to alert each of those that their account has been hacked, but there's really no penalty unless there is some sort of a lawsuit filed and federal trade commission or state attorney general files a class action lawsuit against
10:58 am
your company. so you're really only -- you're just required to for the ninoti everybody and say so sorry, so sad. i understand that your company has to stay in business harks to make money, but it would seem to me you might pay more attention to security if you had to pay everybody whose account got hacked a couple thousand bucks or something. what would the industry reaction be to that if we passed a law that did that? >> congressman, i understand your question. i think the path we were on when i was there and the company continued is the right path. that's the path of allowing the consumers to control the power of who and when accesses their credit file going forward. >> the consumer can't control security of your system. >> that is true, sir. >> your security people knew there was a problem.
10:59 am
according to staff briefings that i've been a part of, they didn't act in a very expeditious fashion until the system had already been hacked. i mean, you're to be commended for being here. i don't think we subpoenaed you. i think you appeared voluntarily, which shows a commendable amount of integrity on your part. but i'm tired of almost every month there's another security breach, and we have to alert you. i checked my file to see if i was one of the ones that got breached, and i apparently i wasn't. i don't know how i escaped, i didn't get breached, but my staff person did. we looked at her reports last night. the amount of information that's collected is way beyond what you need to determine if she's creditworthy for a consumer
11:00 am
loan. basically her entire adult history going back 10 years. everywhere she lived, name, date of birth, social security number, addresses, credit card, student loans, security clearance applications for federal employment, car insurance, even employment history of jobs that she worked when she was in high school. that's not needed to determine whether she's worthy of getting a $5,000 credit card loan or something. now it's all netherworld of who hacked it. i can't speak for anybody myself but i think it's time at the federal level to put some teeth into this and some sort of a per account payment. again, i don't want to drive
11:01 am
credit buyers out of business and all of that, but we could have this hearing every year from now on if we don't do something to change the current system. so i would you'd go back to your peers and work with the security chairman member and figure out something to do that gives incentive to the industry to protect ourselves. the om way i know to do it is it some find their account hacked, a company that's large number, worth $113 billion would probably rather collect data and not collect as much data than have to come up here and appear and say we're sorry. with that, mr. chairman, thank you for your courtesy and i yield back. >> the gentleman yields back. the chair recognizes the gentleman from new mexico for
11:02 am
five minutes. >> thank you, mr. chairman. mr. smith, there is a difference between a locked product and a freeze, correct? those are two different things? >> congressman, there's a process that's a little different. as far as the consumer and the protection that he or she would get from doing one versus the other is virtually, if not exactly the same. >> virtually almost exactly is not the same. are they different? >> it's the same. >> so your locked product is the same as a freeze? >> as far as the protection. >> we'll get into that later. i appreciate that clarification. will equifax be willing to pay for this freeze at ex perrian and transunion where the information was stolen. >> the freeze or the lock. >> you say they are the same. >> right now we offer a free lock product, as, you know, for one year. a free lifetime product for life
11:03 am
start january 1st, 2018. >> that extends to experian and transunion? >> no, sir. it does not. >> let me repeat the question. will equifax be willing to pay for that freeze for that lock at experian and transunion for consumers whose information was stolen by equifax. >> congressman, the company comes out with what they feel is comprehensive five different service das with life lock. i would encourage, to be clear, i would encourage transunion and experian to do the same. it's time we change the paradigm, give the power back to the consumer to control who accesses his or her credit data. >> i'm down to limited time. i apologize. i'll take that for a no, equifax will not pay for experian and transunion. do you think pay for identity theft, false accounts, medical identity theft or do you commit
11:04 am
to compensating any consumers who surf harm as a result of your breach. >> we take this seriously. i apologize again to the american consumer. we've offered a con comprehensive set of products for free. >> mr. smith, will those products make consumers whole. >> it will protect them going forward. >> will it make them whole, yes or not? >> it's hard for me to tell if someone has been harmed so i can't answer the question. >> if someone's credit has baseball stolen and someone opened a bunch of accounts, bought cell phones, credit cards, and they can't fix their history, they have been harmed. in that case will ex fax make that person whole? >> congressman, as i said, i apologize. we've offered them a comprehensive -- >> i want to go back to the line of question earlier, in august 11 in your prepared testimony you were aware of a large amount of consumer pii. august 15th, in your prepared testimony pii had been stolen.
11:05 am
it appeared likely, requested a detailed briefing to make sure how much the company should proceed. you held meeting for the detailed investigation. you gave a speech also on the 17th about profiting off of fraud with these new markets. you shared with mr. pollone you were not aware of pii being stolen. what is it? >> congressman, on the 17th i had the full debrief of forensic auditors, outside counsel and my team. i was aware on the 15th there's been pii compromised. how much, the scope -- >> i appreciate that clarification. you were aware it was stolen, just not how much. >> i was not aware it was stolen. >> it says in your prepared testimony you were aware you asked for a detailed briefing to determine how the company should proceed. you weren't aware pii was stolen on the 15th. is that true or not true? >> 17th was the detailed review
11:06 am
of when i learned about pii. even at that time, which pii was stolen, was it not stolen? those details came to life, congressman, for the first of august. >> mr. smith on august 15th, were you aware that there was pii that was stolen or not? >> august 15th. >> regardless of the amount. were you away of that? >> august 15th i was made aware hackers, crennel hackers got into the system and had pii information. >> we can revert to your prepared testimony. the other question i have that was working on, is chief john kelly still employed by you or equifax? >> yes, he is. >> you were the ceo at the time that approved terms of retirement for david webb and susan maldean. is it permanent or changed to
11:07 am
fired for cause like yours. >> an investigation going on by the board at this time. >> mr. chairman, i know that my time has collapsed here, if you will. but there's an article in wgn tv that talks about equifax doing their own investigation spot three executives that sold their stock and profited. i just -- i guess they must have a pretty good investigative team there because between the press release that happened friday and whenever it came out and the story on sunday and today we have a revolution that those folks didn't know that this breach took place. i just hope we get to the bottom of this. again, mr. chairman, i hope we can be given assurance to the committee and american people this committee will have a markup and hearing with bills before the holidays to give american people consumers confidence again because this is a mess. thank you, mr. chairman. >> thank you. the gentleman's time has
11:08 am
expired. the chair now recognizes the gentleman from mississippi. the vice chairman of the subcommittee for five minutes. >> thank you, mr. chairman, mr. smith. thank you for being here to testify today. in your written testimony and in response to some of the chairman's questions, you stated that you were informed of suspicious activity on july the 31st by your chief information officer and went on to discuss that you said i certainly did not know that personal identifying information, pii, had been stolen or had any information on the scope of the attack. did you ask him had there been any personal identifying information that had been obtained? >> congressman, at that time i was informed it was a dispute portal document. dispute portal document is something that typically houses if a consumer is disputing with us they paid off a utility bill. he or she may take a picture of the utility bill.
11:09 am
at that time that was the conversation. >> not to interrupt. but my question was did you ask if any pii had been accessed? >> no, i did not. >> were you made aware at that point of the patch. >> no, sir, i was not. >> hu had any meetings with your chief information officer or security department about any of this issue prior to july 31st? >> no, congressman, i did not. >> hu had any meetings with him about any other security information during that time from march until july 31st? >> yes. we would have routine meetings. security reviews, i.t. reviews. >> how obvious do you have those. >> congressman practice would be at least quarterly. >> why did you not have this discussion come up. obviously that's more than a quarter. so how many meetings did you have between that time of march 8th until july 31st with your security team. >> understand your question why didn't --
11:10 am
>> no, how many meetings did you have during that time mar 8th to july 31st. >> i don't have that information with me. if that's important we can get that. >> how many do you remember? >> normally we would have i.t. reviews at least quarterly and security revows at least quarterly. then augment that on an as needed basis. >> with those meetings and time lines of march 8th to july 31st we're covering into three-quarters. not a total of nine months but touch into three-quarters of that year. at any point at any of that did you have any information about this going on? >> no, sir, i did not. >> in your testimony you indicate security department ran scans in march for vulnerability but failed to identify it. can you explain how this is possible and why was there never any dation of anybody coming back and checking to see, okay, we have this identified information. there was a failure of someone
11:11 am
on the team to identify this, that it was being used, the software was being used. was there no one coming in to verify that? do you have an outside person prior to the one you hired to look at this? >> congressman, we get notifications routinely. the i.t. and security team do to apply applications. this individual, as i mentioned earlier, did not communicate to the right level to apply the patch. the follow-up was, as you mentioned -- >> you said this individual. >> uh-huh. >> so you had one person responsible for this. >> the owner of the patch process. there's information comes out broad-paced communication. once they receive notification of a software company or in this case dhs they notify appropriate people. the individual that owns the patch process cascades that information. >> for everyone that's on your equifax team, is there anything more important than protecting
11:12 am
pii of the consumers? >> no, sir. >> would we identify that as number one responsibility of the company and everybody in your company? >> we have for years, sir, yes. >> so it just appears, obvious ly, the job wasn't done. we know that. we're trying to look at this. i know, too, it was equifax spokeswoman who said short-term remediation steps and continued to implement and accelerate long-term security improvements as part of ongoing action toss help prevent this type of incident from happening again. we have 145.5 million people whose pii has been compromised. how many files do you have in the system? >> worldwide? >> yes, sir. >> i think some i mentioned earlier, public number out there over 800 some-odd million consumers and 100 million companies roughly. >> you know this breach includes some from canada, some from the uk. would that be fair to say even
11:13 am
at this point? >> congressman, point of clarification there. there was some data we had on 7,000 canadians in the u.s. so data was in the u.s., same environment. we had some data on uk citizens also in the u.s. that piece is still you said investigation. >> my home state of mississippi has 3 million people. 3 million people. almost 1.4 million files have been breached in my state. if you take away people that are minors, who don't have a file yet, almost my entire state is going to be impacted. so this is a travesty, something that was preventible, we know. saying we want to protect what goes forward doesn't bring us a lot of comfort today. thank you and i yield back. >> the gentleman yields back. the chair now recognizes the gentleman from california for five minutes.
11:14 am
>> thank you very much. i thought i prepared for this committee but i have no chicken scratch notes. i don't know where to start. mr. smith, welcome to washington. are you currently employed by equifax? >> no, sir. >> you are not. >> when you decided to come back this committee, were you specifically requested by name to come to this committee, by this committee or offered up by equifax as the representative of equifax to come and represent equifax before this committee. >> i believe i was asked specifically to come before the committee. >> by equifax or the committee. >> my understanding is by the committee. >> okay. apparently the committee asked for the ceo at the time. at that time you were still the ceo, but you're no longer the ceo. did you inquire as to why the
11:15 am
current ceo or interim ceo didn't come before this committee? >> i did not. but i felt personally as my obligation the bleach occurred under my watch. as i said in my written testimony, my oral testimony, i ultimately take that responsibility so i thought it was important i be here. >> thank you. i get the picture. on august 31st -- july 31st, you were notified of the suspicious activity that eventually, as we now know, is 145 million person breach. was it july 31st, was it? >> a breach interaction. >> verbal interaction. >> you referenced as an answer to another one of my colleague's questions on august 31st you received some kind of e-mail referring to the possible breach? >> point of clarification. i was notified on the 31st of july by the chief information
11:16 am
officer, dave webb, in a very brief interaction that this portal seemed to have a suspicious incident. there was a communication trail internally between others also referenced i was aware of this incident through a minor -- >> that written trail was not mentioned to you. you were just mentioned in that trail you had been verbally notified. >> that's my recollection. >> mr. chairman, is it appropriate for this committee to ask for that trail of documents? >> ask the counsel. >> if it's appropriate. ask this committee to receive that trail that's been referenced on this committee, this congressional committee. it's come to my attention that
11:17 am
several people are no longer with the corporation. you're not officially with the corporation anymore. cio at that time is no longer the cio of the corporation, of equifax. >> that's correct. >> there's another higher up that is no longer. >> the chief security officer. >> chief security officer. however, the then conkelly chief legal officer was the chief local officer at that time but still is colonel the chief legal officer, correct nf that is correct. >> apparently the chief legal officer on or about between july 29th and august 1st went to outside counsel and hired outside counsel, correct. >> no. it occurred august 7th, the chief security officer reached out to cyber expert and outside
11:18 am
counsel, spaulding, and she engaged them at that time. >> thank you. when executives at equifax want to sell stock, they need to get chief legal officer to sign off? >> yes, correct, congressman. as a protocol, that requires the general counsel of equifax to approve that sale. >> and john gamble, joseph lundgren, potter, they are all high ups with equifax, they apparently sold stock on or about august 1st or 2nd in the amount of approximately $1.8 million, give or take. so they had to get an okay from john kelly before they did that, correct? >> that's correct, sir. >> apparently they did get the okay? >> yes, that's my understanding. >> you were the ceo at the time they sold the stock. >> i have no -- >> i get it.
11:19 am
i'm referring to -- but you were the ceo at the time. thank you, mr. chairman, just a little latitude on my time, what i would like to request from you and the ranking member that we can for some of hearing of this committee where we get john kelly chief legal officer, then chief legal officer of equifax and currently still chief legal officer hopefully when and if we get him here sehe'll still have the title. i'm concerned congress having a hearing and equifax has before us someone who no longer works for them. i hope we can ask for that hearing where we have john kelly chief legal officer before us. >> thank you. the chair recognizes former chair of the full committee the gentleman from michigan for five minutes. >> thank you, mr. chairman. mr. smith, every family watches
11:20 am
over their financial data with grave concern. it impacts their daily life. whether a mortgage, a loan, a c car, they have to have that credit score that gets often a job. they view that data as it relates to them as very, very private. and they want it to be secure. here is an equifax credit report for somebody i know. it's 131 long. unbelievable the data collected on this particular individual. i would guess most individuals have no clue there's that much data assembled on their own personal family account. you said earlier that the data was compromised. the question i have to ask is
11:21 am
does that word "compromise" include the word or term manipulated? are those folks who broke into that account, are they able to actually change the accurate data that might be reflective of their own personal story? could that be changed? >> congressman, i understand your question. the database was attacked by criminals. that we know. forensic experts we engaged has led taos believe there's no indication the data left behind has been manipulated. >> now, one of the things in this report, any credit report, "you verify the income of that individual to make sure it's accurate. as i understand it, and i good again personal experience, when
11:22 am
one goes to get a loan, whether it's a mortgage or a car, often one of those little boxes that you check, you are allowing permission to look at that tax return of the individual. is that not correct? regardless of self-employed income, underwriting findings when used for documentation required, most recent two years of their individual federal tax reform, returns with all schedules in k-2s and 1s, most two years business returns irs forms 1120, 1120s, 1065 which ownership interest of 25% or more and a complete and signed irs form 4506t is required for every borrower on their loan application, validated by irs required for each year
11:23 am
documented in the loan file. so the question is if that is collected, is someone -- a bad actor actually able to use the personal information stolen from this report to then perhaps file a false tax return come the first of the year. >> congressman, i think i understand your question, couple of points of clarification. credit report does this contain employment and income information. there are many lenders who will ask you as a consumer going to get a loan validate your income, alluded to in readings how you might do that. the credit report does not contain employment income data. number two, the unfortunate criminal hack that we refer to this morning, written testimony and press release for the past month or so was clear to say it
11:24 am
did not include credit report information you just picked up there. it was limited to nonetheless a large number, but limited to an environment we call a consumer dispute portal, not the credit file itself. >> last question i have is how did you know? how -- we've had a lot of hearings, a number of them classified. breaches made spot department of energy, utility, a whole different major players where hackers are coming in trying to break and penetrate daily. what tripped these guys up? what was the -- how did you identify that, in fact, a breach had been made? what was their mistake? >> congressman, there's a piece of technology called a
11:25 am
decrypter, and there was a did he crypter that allowed us to see some of the data. once we saw the data, that's what the start of the conversation earlier in the testimony here, that's when we saw the suspicious data and were able to shut off the portal at the end of july. >> yield back. my time has expired. >> thank you very much. the gentleman yields back and the chair recognizes the gentlelady from michigan for five minutes. >> thank you, mr. chairman. mr. smith, i first want to say we appreciate your coming in to testify today. we spent a lot of time talking today about the what, the when, the where, and the whys of this breach. i agree with all of my colleagues that we need to be expressing extreme displeasure, but i want to ask a few questions about where we go from here because i hockey this has
11:26 am
awoken american consciousness about privacy and credit they need to be paying far more attention to. this breach is different than most. not only the scale of those affected by the type of information taken. in the past folks usually just changed your passwords, maybe you get a new credit card and that was it. it was an annoyance but had no real impact on your life. that's not so simple when it's your social security number or other personal information. you can't change your social security number and i can't change my mother's maiden name. this data is out there forever. clearly something needs to be done. we can all sit here and talk about what went wrong but we are doing the public a disservice to not at least begin the discussion on how to improve data security. that's why i am a proud co-sponsor of the bill, it's a good first step that needs to be given serious consideration.
11:27 am
i'm also introducing data production of 2017. whatever path going forth, it's important we tea action on the topic and all american consumers pay attention. i'd like to ask a few questions. nobody has asked this question yet. just a quick yes or no. have you or anyone on your team seen signs that the attackers were backed by a nation state? >> congresswoman, we've engaged the fbi. at this point that's all i'll say. >> i don't think it's all the same but thank you. after your security department blocked suspicious traffic you mentioned in your testimony, did anyone from your team or outside companies venture beyond the perimeter of your network to attempt to locate where they came from?
11:28 am
>> yes we had the ability to track the ip address of the criminals. as, you know, finding the ip address doesn't necessarily tell you where they are from. it's easy to set up ip addresses all around the world. >> i want to move to this other topic. i share your belief accessing credit data should be placed in the hands of the consumer but most people have no idea equifax was holding their data. i unfortunately learned a long time ago. this wasn't the first data theft and doris and i were part of something elsewhere they got our social security numbers and mother's maiden names. it's one thing to take steps to mitigate damage after a breach has occurred. going forward we must give consumers a chance to protect themselves before a breach happens. do you believe consumers can take reasonable steps to secure their identity and information if they don't even know who has
11:29 am
it? >> congresswoman, i think we can help. i think we can help by the announcement offering to all americans the ability to lock and unlock your credit file for life for free. there needs to be greater awareness. i understand your point clearly. i think by making this available to all americans, it's one step in doing that. >> so i was just actually even educating my colleagues up here about credit karma, and they were stunned by how easy it was with two little factoids to suddenly unleash the money they had on every one of their credit card companies, what any data inquiries have been in all of the different factors. i think most people don't understand that it's not just you but experian and transunion who are also collecting this data. why do consumers have to pay you to access their credit report?
11:30 am
why should that data not be free? >> congresswoman, the consumer has the ability to access the credit report for free, from each of the free credit reporting agencies each year. you combine that with the ability to lock your credit file for life for free. again as a step forward. >> well, i'm running out of time. but like my colleague over here, when you find mistakes, which a number of us have, and we're luckier than 99.9, it's very difficult to fix. when you do fix it, you still have to pay. i think we need a longer debate about who owns this data and how we educate the american people. thank you, mr. chairman. >> the gentlelady's time is expired. the chair recognizes the gentleman from new jersey for five minutes. >> thank you, mr. chairman. good morning to you, mr. smith. criminals perpetrated this fraud. is it possible these criminals are from another country?
11:31 am
>> congressman, it's possible. but at this time -- >> it's possible. number two, is it possible it's the government of another country? >> as i mentioned to the congresswoman a few minutes ago, we've engaged the fbi, they will make that conclusion. >> do you have any suspicions in that regard, either persons electric other countries or the government of another country? >> congressman, at this time i'll defer that. we have the fbi involved? >> yes, noi we have the fbi involved. do you have the opinion to the two questions i just asked? >> i have no opinion. >> you have no opinion. the stock that was sold by your colleagues, mr. gamble, mr. lockrin, mr. plodder, as i understand that stock was sold august 2nd. is it usual executives of a mature company, not a company that's just come onto an exchange, is it usual that the significant amounts of stock are sold. >> congressman, a few points of
11:32 am
clarification, stocks sold first and second. >> i said the second. >> the first was the first day it was sold. >> yes. >> not unusual for stock to be sold at the end of a quarter, a window opens up and we encourage those who are going to sell to sell as early in the window. the windows is open 30 days. the sell is early, it's possible, and that's what occurred here. >> you believe this stock was sold merely as a matter of course as would be true in any other quarter? >> yes. >> you do not believe it was based upon knowledge known by these gentlemen related to the breach. >> congressman, i've known these individuals some up to 12 years they are honorable, men of integri integrity, followed due process, went through the processs counsel, i had no indication they had any knowledge of the breach at the time of the sale. >> did you have knowledge of the breach at that time? >> i did not, sir.
11:33 am
>> weren't you warned in advance of this that there was suspicious activity? >> i was notified july 31st and conversation with chief information officer that there was suspicious activity detected in an environment called the web portal consumer dispute. no indication of a breach. >> that was prior to the sale of the stock. is that accurate? >> 31st of july. there's no indication of a breach at that time. >> from my perspective as a layman, the difference between a breach and suspicious activity is not one that i believe is particularly relevant. a breach might have technical connotations to it, but certainly you were aware of untoward activity prior to that date. is that accurate? >> no, congressman, it is not. on the 31st we had no indication the documents were taken out of the system, what information was included. it was very early days. it took the forensic experts, as
11:34 am
i mentioned earlier, from then to the 24th to develop a clear picture. that picture has still changed, the 24th, as we heard just last night, the additional announcement. >> many calls have been received by equifax at your call center since september 7th. do you know how many calls have been dropped or missed due to staffing extortages or other issues. >> congressman, i don't have the exact number. as i said in my opening testimony i apologize for that startup. it was overwhelming in volume, overwhelming. i think i mentioned over 400 million u.s. consumers coming to a website in three weeks. we went live in a very short period of time with call centers. our two larger call centers were taken down in the first two days by hurricane maria. the team is committed, was committed to make the experience better for the consumer. i'm told each and every day that the process is getting better. >> august 22nd, you notified a
11:35 am
lead director, mr. fiedler, i hope i'm pronouncing that right, of the data breach. the full board was informed later, two days later. why was there nearly a week between august 17th and august 22nd before members of the board were alerted. >> congressman, the picture was very fluid. >> fluid. fluid. what does that mean? >> we're learning new pieces of information each and every day. as soon as we thought we had information that was of value to the board, i reached out to the director, as you said, art fiedler on the 22nd, board meeting on the 25th, had subsequent board meetings routinely, if not daily, in some cases as close as last week. >> thank you. my time has expired. >> thank you. the gentleman's time has
11:36 am
expired. recognize the gentlelady from california for five minutes. >> thank you for appearing here today. as many of my colleagues highlighted events that led to the data breach and actions equifax management took after the fact are very upsetting. it seems many americans are in a place of breach fatigue. this latest event that nearly impacts half of all americans should light a fire under every single member here. i think you noticed it has lit a fire. we cannot follow the same script after the next inevitable data breach. that's why i'm supporting swom schakowsky secure americans data act. it's not like this type of legislation is unprecedented. 48 states implemented laws that require consumers to be notified of security breaches. i'm pleased that my home state of california was the first state to pass this kind of notification law in 2002. today if california resident's
11:37 am
personal data is hacked state law requires they are notified in the most expedient time possible and without unreasonable delay. we nus ensure all americans are subject to protections like this at the federal level. mr. smith, because equifax without doubt has information that many california residents, the company is subject to california data breach law. can you please describe to me how equifax complied with the state law. were california residents notified of the breach as required. >> congresswoman, i don't have specific knowledge of the california law. i can tell you, though, that we worked as a team, including with our counsel, to help us ensure what we're doing is right for the consumer in the most expedient possible. we're aware of the requirements for the different state laws. i just don't have specific knowledge as it relates to the state of california. so you also don't know because
11:38 am
the laws require equifax to submit a copy of the breach notification to the california attorney general, you don't know where this was done? >> congresswoman, i do not, but we can have our team follow up with your staff, if that would be helpful. >> okay. in the context of this breach, if data that you hold is about me, do i own it? do i own my data? >> could you please repeat the question? >> in the context of this breach, if the data that you hold is about me, do i own it? >> congresswoman, we are part of federally regulated ecosystem that's been around for a long time, and it's there to help consumers get access with their consent to credit when they want access to credit. >> well, can you explain what makes data about me mine compared to what makes it
11:39 am
someone els? >> the intent, if you will, of the solution we've recommended we implement and going live with in january of 2018 is, in fact, to give you, as the consumer, this lock product for life for free, the ability to control who accesses your personal information and who does not. >> so at that point in time you believe that i own -- i can say i own my data. is that right? >> you'll have the ability to control who accesses and when they access your data. >> okay. could i ask you some further questions following along to what others have asked about credit locks and credit freezes? now, limiting access to credit even for a short amount of time can have real financial consequences especially for low income populations. how quickly will a file be able to be locked and unlocked and how will you ensure that speed?
11:40 am
>> congresswoman, thank you for that question. that is a great advantage of the product we're offing for free versus the freeze, which was, again, came about in 2004, a regulation. there are states dictate how quickly you get access to freezing and unfreezing your file. oftentimes that can take days if not weeks because we're mailing data back and forth to the consumer. in this case the intent is in january 2018, on your iphone, you can freeze and unfreeze your file instantly at the point you want it locked and unlocked. >> so i recall that one of my colleagues asked whether a credit lock was the same thing as a credit freeze and you said it was. is that correct? >> as far as protection to the consumer, congresswoman, it is. as far as the ability to lock or unlock or freeze and unfreeze, a lock is far more user friendly. >> okay.
11:41 am
so you currently offer a credit lock product now. and you plan to offer this other one for free starting the end of january. and can you describe for me why you consider that. would a lock be more economical for you, or would a freeze be? i'm trying to get the sense of the difference. i think there is a difference here. >> if i may, one more time to try to clarify, as far as protection are the same. the lock you're getting that we offer to consumers on september 7th gives you the same level of security you would get from a freeze or from the product that's going out in july -- january. the difference is today's lock is browser enabled. january's lock will be an app on iphone.
11:42 am
secondly, instant on, instant off versus freeze or today's lock. >> i've got more question but i've run out of time. thank you. >> thank you very much. the gentleman from illinois is recognized for five minutes. >> thank you, mr. chairman. and thank you for being here today. this is 145 1/2 million people affected by this data breach, nearly half of americans. it's a failure on all levels a failure to keep consumer information secure. a failure to respond to the preach and a failure to respond to the public and much more. my constituents and american people want answers. they what want assurances they are not going to be financially ruined by this. i want to make a point, you were asked if people harmed by this would be made whole. you made a statement and i understand there's probably legal and technical reasons and you said, i don't know if consumers were harmed. i just want to make it a point that i think that idea that
11:43 am
people are not harmed in this is ludicro ludicrous, of course they are harmed, even if there's no financial harm, just having information exposed is a huge deal. i fear we're going to see bigger repercussions than that. i was surprised equifax had a requirement consumers submit to mandatory arbitration clause. why did that happen? why was at the beginning part of the rollout? >> congressman, thank you for that question. i want to clarify. the product offer that went live on the 7th, it was never intended to have that arbitration clause apply to the breach. it was a standard boilerplate clause as a part of the product. as soon as we learned the boilerplate term was applied to this free service, i think it was within 24 hours. we removed that and tried to clarify it. that was a miss attachment one of the mistakes i alluded to
11:44 am
more oral testimony, remediation on the 7th. >> does equifax require consumers to commit to arbitration with respect to other products? if not, is that information prominently disclosed to the consumer. >> not as it relates to the breach, congressman. >> the question is what other products do you require arbitration. >> some of the consumer products we have there's an arbitration clause in there, standard claw. >> what's the reason for that? >> i don't have that answer other than it's a standard clause. >> if you could get that to me, that would be good. your press release shows your company found no unauthorized activity on equifax core consumer data, reporting databases. what are they and how are they distinct from the databases containing information subject to the unauthorized theft? >> congressman, the area that was impacted here was a consumer
11:45 am
dispute portal for consumers who come in and dispute activity with us. it's separate, a congressman talked about credit file on their hand. separate from the core credit data consumers have in our database. >> so in essence were there 145.5 million people at one point had disputed credit issues then, if that was the -- >> it's the portal they used. they could have been in that portal for multiple reasons. we also by regulation have to keep data for extended periods of time. in some cases seven plus years. so it's a lot of data for a lot of years. outside of the core credit file itself. >> which company databases were accessed? why wouldn't you consider that? maybe this is a change. why wouldn't you consider that to be part of the core consumer databases. >> the way we define it.
11:46 am
the credit file itself is housed in a completely separate environment from a database consumers come into directly. the core credit file itself is largely actioned by companies we deal with versus consumers. >> so i just want to make sure. you have to forgive me i'm not an i.t. expert. to get 145 million people's records in only the dispute database, i guess i'm trying to figure out if you didn't really answer the question in terms of were there 145 million people disputed, half of americans, or another entry that went into that that went into other information. maybe i don't understand the i.t. part of this. >> the only entry was the consumer dispute portal. that is a completely separate environment from the credit file itself. we also, as you might recall, has a lot of data for small businesses in america. that environment part of the
11:47 am
definition you're alluding to was not compromised either. >> lastly, are your core consumer or commercial credit reporting databases encrypted? >> we use many techniques to protect data. encryption, tokenization, masking, encryption in motion, encrypting at rust. to be specific this wasn't encrypted at rust. >> this wasn't but your core is? >> some, not all. some data is encrypted, some tokenized, varg levels of security techniques the team deploys different environments around the business. >> thank you. i yield back. >> thank you. yields back. the chair recognizes the gentleman from california for five minutes. >> i thank the chair for holding this hearing. mr. smith, my understanding compromise information due to
11:48 am
unpatched vulnerability and framework apache struts. so as the company's online consumer dispute resolution portal, does equifax have any other portals that use apache struts? >> no, sir. this was the environment that deployed struts. >> all right. that was a simple answer. we might to restart my time. in addition to equifax's credit monitoring and reporting services the company has equifax for business offerings. in this capacity operates as data broker. as part of these services, the company collects large amounts of data about consumers without consumers having any knowledge of this happening. was this information compromised in the breach? >> i think i understand the question. could you repeat that one more time, please, to get it right? >> you're familiar with the equifax for business offerings. >> yes. we do have product offerings and
11:49 am
solutions for small businesses, medium sized businesses and large businesses across the country, correct? >> equifax for business also compromised in the breach? >> no, congressman, it was not. goes back to the question what we call core credit data. it was not compromised. >> in your testimony throughout my tenure as ceo of equifax, we took data security and privacy extremely seriously and devoted substantial resources to it. would you tell about what investments equifax made in cyber security during your tenure. >> yes, congressman. when i came to the company 12 years ago, i had virtually no focus on cyber security. at that time cyber security was not as sophisticated as it is today. we've gone from that environment to a team now of over 225 professionals focusing each and every day on security around the world. >> so what timeframe is that?
11:50 am
>> that was from the time i started 12 years ago. >> so you said you hired up to 250 personal -- >> i didn't hire them, sir.225 y experts around the world. we have made substantial investments over that timeframe. in the last three years ago, we have invested approaching a quarter billion dollars in security. there's an ibm benchmark that says financial services companies tend to be best in class, spend somewhere between 10% and 14% of their i.t. budget on security. >> the company was notified of the vulnerability in the apache struts system days before the attack occurred. >> yes, we were notified boo the department of homeland security in march of 2017. >> and the attack occurred after the notification.
11:51 am
>> yes. >> so was there a human failure? how could 250 professionals that are designed, hired for that purpose let a breach like that happen after they were notified? >> yes, congressman, what happened, it was in my oral testimony, was the notification comes out. we had a communication process in place. i described it as a human error. where an individual did not insure communication got to the right person to manually patch the application. that was subsequently followed by a technological error where a piece of equipment we use, which scans the environment looking for that vulnerability, did not find it. >> in your opening testimony. that seems like -- a lack of competence or professional error of some kind. would you call it --
11:52 am
>> i described it as a human error and a technology error, and i apologize for that, but that is what happened. >> okay, moving on. do you believe that the ftc has an important role in protecting consumers from future data breaches? how much of the role should the ftc be playing at this point given what's happened? >> i think there's a role for the business to do more, the industry to do more. we talked about it earlier this concept of offering the consumer the ability to control their data. and lock and unlock when he or she so chooses. if there's particular legislation that arises out of this horrific breach, i'm sure you would find the manager of equifax and the industry willing to work and cooperate with the regulators. >> the reason i'm asking is the federal trade commission is an enforcement body but it doesn't have any rule making authority. do you think the ftc should have rule making authority, do you think it would make a difference in the poirn, or do you have an
11:53 am
opinion? >> i have no opinion. >> my final question is how long will individuals be vulnerable to identity theft problems due to this breach? >> we, congressman, offered five different individual services, as you may or may not be aware in september. one is the ability to monitor your credit files from all three of us for free. another is to lock your file. another is a dark -- >> that doesn't answer my question. how long are we going to be vulnerable? our social security numbers are out there. this is forever, right? >> unfortunately, the number of breaches of our social security number has been on the rise, as you know, and many even this year. so there's another thought, do we think about how secure really is an ssn and is that the best identifier for consumers going forward. >> thank you, mr. chairman.
11:54 am
>> thank you very much. the gentleman's time has expired and the chair now recognizes the gentleman from kentucky for five minutes. >> thank you, mr. chairman. thank you for being here, mr. smith. we appreciate you being here to testify. there's a medical hearing going on upstairs so i have been back and forth, so i'm trying not to double a question, and when i was here earlier, a lot of us wondered, july 31st was the suspicious activity and then it seemed the activity and the notice to the board was three weeks later, august 24th to 25th. not to repeat before, i know i heard you say it was suspicious activity and therefore you didn't realize it was a breach and the action took place three weeks later when you did. looking back now on how colossal it is and how big it is, would you have done different? from july 31st to august 24th, what would you have done different than equifax didn't do? >> that's an appropriate question. to be honest, time for reflection will come.
11:55 am
there's been no time for reflection. this has been a team of people, including myself, working around the clock for the last six to eight weeks trying to understand the forensics, trying as best we could to stand up an environment to offer consumers services to protect themselves. there will be an opportunity where i'll have the time to catch my breath and reflect, but i have not had a chance to do so. >>ia appreciate that. 1.9 million kentuckians were exposed by this hack, and one of the questions we have about the process of equifax underwent to determine to help people determine that, and one was setting up a new website, not just a portal within your website, for consumers to visit. was that an appropriate response? i know there were issues with getting onto the website, and the question is, were you part of the deliberation? why did you choose to set up a new website that seemed to cause issues as opposed to doing a
11:56 am
portal on your current website? >> good question. it was strictly due to the sheer volume of incoming visitors that we had expected. the traditional website that we have use to interact with consumers services a total of maybe 700,000, 800,000 consumers at any one given point and time over a period of time. i mentioned in my opening comments earlier, this new microside as we call it, that we set up, had a capacity to surge to much higher levels. we had some 400 and i think 20 million consumers come to visit us in the first three weeks on that website. our traditional equifax website could not have handled that volume day one. >> okay. according to reports, many consumers were unable to determine with certainty if their information was breached, so why was equifax unable to provide clarity or certainty on if their information was breached? >> when you went to the website,
11:57 am
you typed in six of your nine digits of your social security number. if it was likely that you were breached, it would say something along the lines of, it looks like you may have been compromised or breached as opposed to definitely you have been breached. that's because it's six versus nine. the point is we offer this service, it's five different services, to every american. didn't matter if you were compromised or not. every american was offered the same services. >> so and just going forward, because we have to also do an analysis, and so what we're going to do as a legislative body going forward to protect the american people. and what your business does and what the people in your business do are important. it's when you can sit down at a car dealer, i think you mentioned earlier, walk away a that afternoon because someone can check that you're credit worthy. having those types of services available. so what steps is equifax doing
11:58 am
to rebuild the confidence? people aren't confident that their information is floating out there, but the ability to be able to access credit almost immediately if you have the proper credit, is something that your services provide, but the risk is having all that information in one place plus the convenience of what your type business sold, so how can people be confident this can go forward? >> that's a really good question. we're a 118-year-old company. we have done a lot of great things for consumers over this 118 years. we take being a trusted steward seriously. step one is to make sure we think more holistically, broadly about steps we can and have taken to make sure we're more secure today than at the time of the breach. the second thing is offer the services to consumers. we offered on september 7th to make sure they're protected. and third is to launch this
11:59 am
whole paradigm shift effective january ofthex year which is put the power and the control of the consumer credit in the consumer's hands, not our hands. >> thank you. and that would be helpful. i appreciate that. my time has expired. i yield back. >> thank you very much. the gentleman's time has expired. pursuant to committee rules, we'll go with the members on the subcommittee by order of appearance and then after that, the non-subcommittee members. the chair will recognize the gentleman from florida for five minutes. >> thank you, mr. chairman. i appreciate it. mr. smith, one of my constituents accessed equifax's website, to determine if they were effected. they inform me that whether you submit your own identifying information or whether you submit a random name and social security number, you get the same message that you may be
12:00 pm
affected. what course of action should consumers who haven't received correspondence yet as to whether they're effected or not, what is the course of action, and if they were affected, what are the next steps? >> congressman, it's my understanding that those have gone online to register and that were not notified immediately, that that backlog is completely now drained, if you will. so if you are trying to sign up for the service, i understand your question correctly, you have now been notified. >> okay. i understand that equifax currently is waiving fees to freeze and unfreeze your credit. how long is that exemption going to stay in place because it's so very important? >> it is important, congressman. we have announced september 7th the ability to lock and unlock your file at equifax for free. for one year from the time you sign up. we have also announced on a
12:01 pm
product we have been working on for quite some time effective in january of 2018, the ability to lock and unlock your file with equifax for life for free. that will be the next generation of the lock that we offered in september. >> okay. as ceo, what level of involvement did you have with regard to the data security and data protection? >> yes -- >> obviously, the buck stops with you. i understand that, but what level of involvement did you have? >> so data security reported to a direct report of mine, my general counsel. and i would have active involvement with my general counsel, with the head of security, routinely throughout the year. >> okay. what responsibilities did ms. mullven, again, the chief security officer at equifax at the time of the breach, have with respect to data security,
12:02 pm
data protection, and data breach notification? what were her responsibilities? >> those were a quarter of her responsibilities. she was the head of cybersecurity and physical security in all 24 countries that we operate. >> how many briefings did you have with ms. mullven between march 8th and july 29th of 2017? how many briefings? >> i don't recall. the congressman asked earlier, routine meetings which we go through security strategy, security quarterly reviews, investment decisions required for security. the actual number of times in that timeframe, i don't recall. >> okay, so say half a dozen? a dozen? >> that would be a guess. >> it would be a guess. more than three? >> if it's important to you, congressman, we can find that information. >> give me that information.
12:03 pm
i appreciate that. what responsibilities did mr. webb, the chief information officer at equifax at the time of the breach, have with respect to data security, data protection, and data breach notification? >> directly none, sir. he was expected obviously as the head of technology to work closely with the head of security, but the security function is a separate function. you can't do security without i.t. you can't do i.t. without security. >> how many briefings did you have with mr. webb, again, between march 8th and july 27th of 2016? >> if i may just clarify again, on march 8th is when the sert came out saying there was a vulnerability in apache struts. i was not even notified. to put in perspective there was an incident. didn't know what the incident was until july 31st. so a number of meetings i would have with dave webb would not
12:04 pm
have been related to this incident. >> all right, mr. chairman. i yield back. >> thank you very much. the gentleman yields back. and the chair recognizes the gentleman from indiana for five minutes. >> thank you, mr. chairman. thank you for being here. and again, i was at the health subcommittee hearing too so i'm back and forth. sorry about that. but is it possible people who never signed up or used equifax directly could have been impacted by the breach? >> yes, congressman. >> okay. so how does equifax get the information on people who have never directly associated with equifax? i'm not familiar with that. >> we get it from banks, telecommunications companies, credit card issuers. so on and so forth. >> just like, you know, we go to apply for a loan. they send you the information because they want to get the data. they want to get the information on my credit rating, for example? >> correct. as i define it, we're part of
12:05 pm
the federally regulated eco system that allows banks -- >> it's up to banks to notify the individual which credit agencies they're utilizing to assess their credit risk? or is it up to the credit -- >> traditionally, the contributors to the data, in that case, congressman, the banks would give their data all three of us the benefit of the system as you get a holistic view of an individual's credit risk. >> my point is, i guess, because a lot of people i talk to back in indiana, southern indiana, have no idea who equifax is, right? and many of those people have applied for home loans and other things and, as a matter of fact, probably at some point, you have their information, but they just may or may not have been notified who sent the information to them, probably the bank or other agency. and that's just, you know, that's something i think that is also maybe an issue. you know, that people don't understand, don't understand or have not been told who is being
12:06 pm
used to assess their credit risk and hence something like this happens, they have no idea whether or not their information has been compromised. >> i understand your point. >> yeah. i also have a lot of constituents in rural and lower-income areas that may or may not have access to internet and wi-fi. the penetrance of that, it's interesting depending on where you are, people who have wi-fi and the internet, it's not as high as you might think in rural america. but some of those people still have probably applied for loans and other things where their information could have been acquired by your company. how are you notifying all of those people other than, you know, saying that you have a website. you may have already answered that, and i apologize if you have. but that's important because, again, the penetrance of people having access to internet may be not as high as you think when you come out to rural indiana and other areas. >> coming from indiana, i understand rural indiana. >> there you go. >> congressman, we have set up the website that you mentioned.
12:07 pm
we did a press release across the country. we have also set up, for those who don't have access to the web, the internet, call centers. we staffed up. we went from some 500 call center agents to over 2,700. so i guess -- >> i guess that's, again, i understand the call centers and all that. i knew you had done that, but i guess that's, again, making the assumption people have watched the news and know there has been a breach and that they take the -- they're proactive in trying to find out whether or not they have been involved or not. is there any, other than passive way for them to find out, is there anything proactive from equifax's point of view that might notify them that they have been -- their data may have been compromised? >> in many states, there's local state requirements, they have advertisements in newspapers and so on and so forth. we follow these. one indication i did mention earlier, may or may not help those in rural indiana, but the visibility of this has gotten is
12:08 pm
extremely high. i mentioned 400 some odd million consumers had come to our website. so it's -- it's gotten the press. >> and probably after today, it will be more people will know. so thank you for answering those questions. like i said, my main concern is that my constituents understand whether or not their data has been compromised, and then what are their options going forward. you have outlined most of those things today. i'm not going to ask you that again. but i do think it's important to recognize that, you know, although they are important passive ways to help people become aware of their data may be compromised is one approach, but also an actively informing people proactively might very well be important in certain areas of the country. thank you. i yield back. >> the chair now recognizes the gentleman from texas for five
12:09 pm
minutes. >> thank you, mr. chairman. i apologize. we have a health subcommittee upstairs and i appreciate it. that's not to take away the importance of this hearing. i want to thank you and our ranking member for setting it. we're here to discuss one of the worst and most impactful hacks that we have seen. it's a breach that entirely preventable due to a level of negligence that's in some industries could be considered criminal. the credit reporting industry is famously unforgiving. if it's an industry that helps perpetuate the cycle of property, agencies like equifax force those with lower credit scores to pay more for loans and mortgages, less than perfect credit scores can result in higher rates for products that don't require credit, like our auto insurance premiums. these people have a higher time paying back higher interest rates make it more likely they won't be able to pay their debt back on time and will hurt their
12:10 pm
credit further. yet equifax and the rest of the credit reporting industry expect forgiveness for breach after breach, lobbying congress for even less liability. when restaurants fail regular health inspections, they're routinely shut down for violations. they're shut down even if problems aren't even yet occurred as a consequence of their violations. is it clear why equifax is beyond that point should be allowed to continue operating when they have failed spectacularly at their core business and endangered the public? in the next couple months, senate republicans may repeal the consumer financial protection bureau's arbitration rule, thus allowing companies like equifax to put clauses in their fine print forcing individuals into arbitrary -- arbitration agreements instead of class action agreements where they stand a chance at being able to recover some of their office, but it should be clear to us by all that is now not the time to roll back consumer safeguards in the financial industry.
12:11 pm
and i support my colleague and ranking member, congress woman schakowsky's secure and protect america's data act. look forward to hearing what our witness has to say. mr. smith, i.d. theft protection companies have seen a big jump in business in share price since the breach of your company. including lifelock, who has reported a ten-fold increase in enrollment for their credit monitoring in other services. lifetrack has a contract to purchase monitoring services from equifax, meaning that every time someone signs up for lifelock protection through the impact of equifax, they were breached, they're again volunteering sign-up for equifax to provide those services and equifax makes money on that breach. what's the value of that contract that lifelock has with equifax? >> congressman, i don't recall what that is, but at the same time, the same consumers have the ability to come to us
12:12 pm
directly and get free product. >> okay. if it's available, i hope you would share it with the committee. mr. smith, equifax report marketed to its business customers says that leading lifestyle databases available commercially offer hundreds of response segments covering almost every conceivable aspect of how consumers live and what they spend their money on and what interests they have. can you tell me, tell us as granular level as possible what the sources are for the data for every conceivable aspect of a consumer's life? >> congressman, i am not quite sure what you're referring to. we're not a data provider in the area of behavioral analytics. behavioral data, social media data. i'm not quite sure what you're referring to. >> i have a lot of constituents concerned about, for example, they say i don't need to worry
12:13 pm
about this breach. i haven't applied for credit for ten years. but that's not always the case because these hundreds of millions who were released, maybe they bought a, you know, a car 20 years ago, and that data still goes forward, i assume. mr. smith, equifax customers are businesses who purchase data and credit reports on consumers. the american public is essentially equifax's product. how many times per year on average does equifax sell access to a given individual's credit file and to a potential creditor and how much do they make every time they sell it? >> if i understand the question, congressman, we take the data that is given to us by the credit ecosystem of the u.s., add analytics to it. then when a consumer wants credit, again, through a credit card, a home loan, a car, the bank then comes to us for that
12:14 pm
data and analytics and we charge them for that. >> the question was how many times does equifax receive payment for that individual credit file? every time? if my local car dealer contacts equifax, so they pay a fee to equifax for that information? >> yes, congressman. if you as an individual want to go to that car dealership and get a loan for a car, they come to us or our two competitors, and when they take your data, access your data, we do get paid for it, correct. >> the clock wasn't started. you have about 15 seconds. >> i'm sorry? >> you have about 15 seconds. the clock didn't start up on you. >> okay. i thought i just had a perpetual -- >> no. >> mr. chairman, i just have one more question. the products at equifax are so far providing victims of the breach to not include anything they won't need if it wasn't for
12:15 pm
equifax's lapses on their data. you and i have made more than $69 million in 2016, so that's the concern that the committee has, and i know we have for all of our constituents, and i thank you for your time. >> thank you very much. i appreciate the gentleman's questions, and the chair now recognizes the gentleman from oklahoma for five minutes. >> thank you, mr. chairman. mr. smith, what is your current job? >> i'm retired. >> you're retiring? are you still getting paid by the company? >> no, sir. >> you're fully retired, so you have no affiliation at all with the company? as a contractor, as -- >> no, congressman. i agreed to do because i love this company, it's been 12 years with 10,000 people trying to do the right thing. is i told the board it was right for me to step down. had new leadership take this company in a new direction. so when i retired, i agreed to
12:16 pm
work for as long as the board required for free. to help make it right for the consumers. so the affiliation is to do free work with the board of directors and the interim ceo. >> so you're not getting paid in any manner, not to any type of shares, stocks, anything? >> nothing. the day i announced my retirement -- >> do you still own stock in the company? >> i'm sorry. >> do you still have stock in the company? >> oh, yes. >> had you sold any of it? >> i have been there for 12 years. yes, sir. >> recent, since this has become aware to the public. >> during this breach? >> yes. >> northwest. >> are you aware of the individuals who have? >> yes, there are three individuals who are reported directly to me while i was their ceo. >> that sold stock? >> yes. and all three of them are men i have known, i mentioned earlier, for a number of years. two for almost 12 years and one
12:17 pm
for three or four years and they're men of high integrity. >> did they sell it before this went public? >> yes. as i said before, the knowledge, we went public with this on september 7th. >> when did they sell their stock? >> august 1st and 2nd. >> so after the breach? >> no. the timeline of the end of july, 29th and 30th, the notification on the 31st of suspicious activity, at that time, one and two days prior to their selling, there was no indication -- >> what would cause them to sell it? >> there is a what we call section 16 officer. >> mm-hmm. >> there's a limited window in which they can sell. >> okay. >> tends to be right after the earnings call for no more than 30 days. this is a natural process. the window opened after the second quarter window.
12:18 pm
>> in your opening statement, you made mention there's an error in the portal. and it was three weeks before you were notified of a breach. >> if i can clarify. >> yes. >> there was a software called an open source software that was deployed in this environment, this consumer portal. >> right. >> we never found a vulnerability to patch that vulnerability. that was the issue. >> who was in charge of overseeing that? who was supposed to watch the portals for you? >> ultimately me. >> i get that. but who did you have hired that was supposed to watch that? >> it was -- the vulnerability side, there was -- >> you have department that's dedicated to this? >> a chief information officer was ultimately responsibility. >> is that person still over that department? >> no, sir. he's gone. >> he's gone. you said you put in, once you
12:19 pm
were made aware of the breach, you put in four plans of action, right? the first one was, do you remember? >> notification. >> notification. the second one was a call center. the third one was increase cyberattacks, preparing for that. fourth was coordinating with law enforcement. i'm also or was ceo, not on the company side that you have, but from the companies that my wife and i have had. and we have protocols put in place of what could happen. we know cyberattacks happen. you hear it every day on the news. these four things that you named were common sense. things that should have been put in place to begin with. it should have been the fire alarm. you're in that world. this should be on the side of the wall where you pull the handle and immediately goes into
12:20 pm
place. how was it that it was just now thought of that you need to have four co commonsense principles put in place on how to react to something in a world where we kn knew you were vulnerable to be hacked? >> we have protocol, the team followed protocol. this is well known what to do from hiring a cyberforensic expert, we knew what to do. we had done it before, engaging a world leading cyberarm of a law firm. we knew what to do. these are all protocols where they knew what to do. the one thing, congressman, that's not a switch on the wall. the ability to stand up, the environment we had to stand up -- >> it took a long time to stand up. that's the issue that we have here. is you are on the leading front of this. and the four things you identify to me, i don't mean to simplify it by saying a switch on a wall. but these protocols should have already been put in place and you should have been able to
12:21 pm
react much, much sooner than what took place. with that, i'm sorry, i don't mean to cut you off, but the chairman has indulged me longer than he should have. >> the gentleman's time has expired. the chair now recognizes the gentle lady from california, ms. waters, for five minutes. >> thank you, mr. chairman. mr. smith, before i get to my question, i just want to say that on behalf of the 15 million californians whose information was exposed, we expect better. your business model was based on collecting and maintaining the most sensitive information on folks, and you let us all down. and that happened on your watch. and from my briefings, it appears this could have been and frankly should have been prevented. as equifax's business model depends on gathering consumer information, repackaging it, and selling it. equifax has set up a website in which consumers can enter information to determine if they are at risk and sign up for
12:22 pm
credit monitoring and credit lock. to participate, a person has to give equifax the same type of personal information, including social security number, which equifax put at risk in this breach. i want to know what equifax is planning to do with this information besides offering credit monitoring and credit locks. can you insure me that equifax will not plug this information back into its core business operation and sell it to its lenders? equifax should not benefit from this situation and i want to know that equifax is going to wall off this information and guarantee that the company will not profit from this situation. >> congresswoman, thank you for your comments. and as i mentioned in my written testimony, my oral testimony, i said throughout the morning and i'll say again today. as a ceo, it was under my watch. i'm responsible. i'm accountable. and i apologize. to all of your consumers in california. the intent of this offering
12:23 pm
we're giving to your constituents in california and across the country is an environment where we're not going to sell other products. it's being serviced with protection of the five offerings you had mentioned, not to sell and take your data and monetize that. it's to take and protect you with these five services. >> okay. equifax's breach notification website uses a stock installation of word press. this causes me a lot of concern because it seems to have insufficient security for a site asking people to provide part of their social security number. can you assure me that this website is secure and will not further endanger the personal information of my constituents? >> congresswoman, we took we believe is the right amount of time looking hastily from late august, going live on the 7th, one of the four work streams the congressman mentioned is prep e
12:24 pm
insuring we were prepared for what were increased cyberattacks as told to us by our forensic examiners. one of the first things we did is insure the website we're bringing consumers to to get these free services was as secure as possible. that was one of our top priorities. >> okay, and finally, my last question is, how many u.s. consumers have enrolled in the credit monitoring service trusted i.d.? i'll just finish here, because i know multiple people who have enrolled, including my immediate family. and they were told that they would receive an e-mail to complete the process. after days of waiting, they have not received an e-mail. and wanted to know what the delay and cost to add this protection and when will they be able to complete the process to help protect their information? >> i understand the question. i mentioned earlier over 400 million consumers have come to the website. obviously, we don't have 400 million consumers in the country, so a number of them came back multiple times, but it's a lot of volume. number two, i was told in the
12:25 pm
last few days, that the backlog waiting for those e-mails has now been fulfilled, drained as you come into the system, a more immediate response. so the teams have made great progress in the last couple weeks. >> thank you. i yield back the balance of my time. >> thank you very much. the gentle lady yields back. the chair now recognizes the gentleman from pennsylvania for five minutes. >> thank you, mr. chairman. i have heard from hundreds of constituents in my congressional district. there are approximately 5.5 million in pennsylvania. i have reviewed each and every one of the constituents stories i have received, and amongst my growing concerns, your baseline security practices leading up to the breach, the company ps awareness of the breach developments and relevant timing, how consumers can get assistance in securing their accounts. how reliable the recovery efforts are in the wake of the breach, and the path forward, long-term, for consumers' personal information and making sure they're safe despite the breach. it's this last one that is so
12:26 pm
particularly angering because it is going to potentially be so destructive to hundreds of millions of americans what might happen to them in the years to come. and as the head of the company, and throughout the company, the culture of that company has to know how predictable the damage can potentially be. and so i ask you, is it not predictable how bad it might get for the individuals who have been compromised? in terms of how much damage could be wrought upon them individually in the years to come? >> congressman, let me start by saying that like you, i have talked to constituents, consumers, across this country. who have been impacted. i personally read letters from consumers complaining, voicing their anger and frustration.
12:27 pm
so i know what you're seeing back home in pennsylvania. >> see, i think the anger is going to be multiplied thousands of times when something actually happens. and so when you talk about how predictable some of this is, the rollout of the call centers and the second rollout and the third rollout, it has to be predictable how massive this is and what would need to be put in place from a protocol perspective in order to address what's coming. and the slow rollout and how poor it was done, to me, is just inexcusable. you have to have departments dedicated to dealing with this potential, and it doesn't appear to me as though that was planned. or if it was planned, it was planned extremely poorly. >> i understand your point. but it requires a little more color. we went from 500 call center agents to a need of almost
12:28 pm
3,000. properly handled call center agents to handle consumer calls. we did the best we could in a short period of time to ramp those up. i mentioned in my opening comments, two of our larger call centers -- >> in the hurricane. >> taken out by hurricane irma. we were not prepared for that kind of call volume. >> how couldn't you be? how couldn't you be? >> it's not our traditional business model. our traditional business model is dealing with companies, not 400 million consumers. >> but your business model has a couple hundred million customers, so on a breach of this scale, obviously, you're going to have at least that number and probably twice that amount of people calling and inquires as to whether or not they're subject to the breach, and that wasn't done. >> congressman, the difference is the primary business model we have is dealing with companies, not with hundreds of millions of consumers. we did the best we could to react as quickly as we can.
12:29 pm
i mention the service is getting better. each and every day. we have listened to consumers' feedback, tried to make changes to the website, to the call center. >> you're familiar with the safeguards rule? it's essentially what you operate under. >> yes. >> how often does a forensic consultant issue a letter or a certification or a law firm issue a certification that they feel your protocol is in compliance with the safeguards rule? >> we are in compliance, i'm not sure how often it's communicated. >> how would you know you're in compliance then? because if you say you follow protocol, and protocol led to this, it's difficult -- that calls into question whether the safeguards rule is sufficient enough. if you're saying you're in compliance with it and you file a protocol and this still happened, that unearths a whole other set of question. >> the speed of reaction and the scale of the reaction was unprecedented. i'm not making excuses. >> yes. but there's a corporate governance issue here as i see
12:30 pm
it. that is your board of directors gets together, you're ceo yorxia have a chief information officer, a security officer, and at least once a year and probably quarterly, you have, i presume, outside forensic consultants doing this stuff every day for you on retainer. the speed at which you have to do this just to run your company operationally, you don't ever stop. it's obviously ongoing. and persistent. and it just seems to me that through insurance policies, through reporting to your board, through your board wanting to make sure they're doing their job, that you're looking for certifications from your forensic consultants saying you're doing good, you're doing good. here are the new threats. here's how we're updating. i just don't see, that's the kind of information i think would be extremely helpful that we have not received any information from today. but i would ask you, since i'm well over my time, that i would like to know how often your board asks you to certify
12:31 pm
whether or not you're in compliance, and what is that protocol, and when was the last time you updated the protocol? you said you complied with protocol. when was the last time that was updated? >> i understand your question. we'll get you that information. >> do you yield back after you're already well over? i yield back. >> the time has expired. how's that? the chair now recognizes the gentleman from georgia -- i'm sorry. i'm sorry. gentleman from new york. five minutes. >> thank you, mr. chair. americans should know their sensitive personal information is safe. their security is exposed when private companies, including equifax, can collect their private information without their direct knowledge or consent, and it's why i'm co-sponsoring representative schakowsky's measure, hr-3896, the secure and protect americans' data act. mr. smith, we are here today because months after the breach
12:32 pm
actually took place, your company, equifax, revealed that's its for-profit business practices have exposed the highly sensitive personal information of some 145.5 million americans and counting. your data breach exposed a critical vulnerability in the american economy and the information security of the american people. the victims of this breach span every age group, every race, class, and other demographic. they now face a lifetime at risk of fraud, identity theft, and other crimes as a result of the private data that you exposed. i have many, many questions. allow me to be the conduit through which my constituents ask you, mr. smith, their questions. i'll go first to a constituents pointed out to me, it would be wrong to call the victims of this breach equifax customers. most of them never asked to be tracked and judged by a private company with little public oversight or accountability.
12:33 pm
this is unacceptable. and he asks why he's been impacted in this manner. any comments to the question? >> again, congressman, i have read many similar letters and talked to people back home in atlanta who voiced that same concern. i can tell you this. we're a company that's been around for 118 years. 10,000 employees trying to do what's right each and every day. i apologize to the individual who wrote you that letter. i apologize to america for what happened, and we're going to try to make it right. >> my constituent jason from albany asked, mr. smith, to the best of your knowledge employ the best and most effective defense available to you to prevent this breach? >> a kricrisis never occurs if everything has gone right. in this case, we had a human error and a technology error. it wasn't because we were unwilling or unable to make the
12:34 pm
financial investments in people, process, or technology, though. >> my constituent tanya asks, how do i get equifax to fix this without signing over my rights? and what related costs will i, tanya, be expected to pay over my lifetime? >> the five products we launched, services we offered in september are all free. they're all spelled out in the press release. they give that individual significant protection. the most comprehensive change is coming in january of next year when is the ability for consumers to lock and unlock their data when they want and only when they want. >> and any relates costed she should expect to pay? >> services are all free. >> number of my constituents would like to know given that the sole purchase of credit agencies secure handling of consumers' confidential information, which they spectacularly failed to do, why is this company allowed to continue to exist? >> we have a rich history of
12:35 pm
helping those who want to get access to credit, to get access to credit. the company has done many great things to help those in the unbanked world who would never otherwise have access to credit, because what we do, bring them into the credit world. >> constituent lee from albany asks why are you using this gross misconduct to turn your victims into customers for a paid monsterring service that you will profit from. >> this is not our intent. our intent is to offer the five services for free, followed by a sixth lifetime lock for free. >> my constituent karen says why haven't you notified each person whose data was compromised, folks who never asked to you to score their information. so where are the representatives and why should they be responsible for your malpractice? >> following the recommendation of those who advised us, we did
12:36 pm
notify through the press release, notifying the entire population not just those who were the victim of the criminal hack, but all americans to get access to these products and services for free. >> and my constituent james from new york asked why did it take so long to announce the data breach and why shouldn't you be held responsible for every day of failing to report? >> i think hopefully my written testimony, my oral testimony, and the dialogue we have had today has talked about the timeline in enough granularity to help that person understand what occurred from march through september 7th. >> and a constituent stephanie asked, do they know if the people were targeted or randomly picked? why some but not others? >> at this point, all indications are it was at random. it was targeting of individuals specifically. >> i have exhausted my time, but
12:37 pm
let me assure you, mr. smith, i have many, many, many constituents questions that continue to pour forth and we're going to provide those after the hearing here. and would expect that they would all be answered, and again, thank you for your response. i yield back. >> thank you very much. the gentleman yields back. the chair now recognizes the gentleman from pennsylvania for five minutes. >> thank you. thank you, mr. chairman, for allowing me to sit on this hearing. my fellow members have already asked a lot of questions, very important high-level questions, but i want to take a memant to dig more deeply into a few specific issues. we now know that equifax information security department ran scans that should have detected systems that were exploitable, but that the scans didn't detect any. i foresee at least one system was vulnerable. if the scan was improperly configured to catch this vulnerability, in other words,
12:38 pm
you missed a major breach, is it possible that it has also been improperly configured to detect similar vulnerabilities? >> i no knowledge of that. i have no knowledge of that being the case. >> you have to feed the information in these scans and it has to be complete and accurate information. and this information apparently wasn't fed in -- was fed in an incomplete way, is that true? >> can you repeat the question please? >> in order to scan something, a human has to feed it information, right? >> i am not a scanning expert, congressman. my understanding is that you have to configure the scanner in certain ways to look for certain vulnerabilities. >> a lot of what is going on is you're saying no humans are involved, but configuring is done from a human being, right? and inaccurate information got in there, too. if it was improperly configured to catch the vulnerability, is it possible it is improperly
12:39 pm
configured to detect similar vulnerabilities? >> i have no information that is the case. >> scammers were using it for sfishing. someone switched two words and made it into a phishing website that looked identical. luckily, this person was just trying to make a point, but the point is well taken. you said today you set up this external website because equifax wouldn't be able to handle the sheer amount of traffic. it doesn't make sense. a company of your size and knowledge doesn't understand how to handle traffic for over 100 million people. don't you use an elastic cloud computing service that would have accounted for that. >> a point of clarification, the phishing site you refer to was mentioned a few times today, was an error by a individual in the call center. >> let me ask the question, we have that established, but i want to ask this question,
12:40 pm
though. you wouldn't be able to handle the sheer amount of traffic. don't use use something like a sheer elastic cloud. >> the environment microcyte is in a cloud environment. it's very, very scalable. the traditional environment we operate in could not handle 400 million consumer visits in three weeks. >> i want to come back to some of this stuff, too. i want to come back to the issue of patching the vulnerability. i know this has come up a few times but i want to make sure to highlight this point. our understanding is that the vulnerability required more effort than simply installing a patch. we also understand when equifax patched the vulnerability, it took less than three days to do so. the patch only took a few days to apply, why did equifax fail to install it immediately after it was announced as critical? >> patching takes a variety of time. i'm not sure where you got the note that it's three days. patching can take days to up to a week or more.
12:41 pm
>> did you notify everybody it was going to take some time. >> i'm sorry? >> did you notify your customers it was going to take some sometime? did you notify people there was a risk that you were trying to apply the patch. >> no standard protocol? >> i didn't ask about standard protocol. i asked if you notified people. >> no knowledge that we notified consumers of a patching process. >> you didn't notify people a patch was going to take place and the risk existed. did other executives of your company, were you aware of it? >> as i said before, i was not. >> you were not aware that there was a problem with vulnerability? you just told me it takes a few days to a few weeks. you weren't aware it existed? >> that's correct. >> let me wrap with one final thought. you state the breach occurred because of human error and technology failures. looking at the three issues i highlighted, these are not failures of technology. human misconfigured the scan, a human selected the website name,
12:42 pm
a human failed to apply the patch. while i understand cybersecurity is a mentally complicated field, we have dealt with this many times on the committee, and i also think it's important to be up front about the cause of breaches like this. if we continue to blame human technology, i think we'll have a very difficult time improving our capabilities and preventing future cyber threats. mr. chairman, i recognize i'm out of time. we'll see you again in my subcommittee. >> thank you very much. the gentleman's time has expired. and the chair now recognizes the gentleman from maryland for five minutes. >> thank you, mr. chairman. mr. smith, thank you for being here. you have been the president of the company for, ceo for 12 years, is that right? >> that is correct. >> there's three things i think that the public is angry about, certainly as my colleague was indicating, we're getting a lot of messages and contacts,
12:43 pm
inquiries from our constituents across the country. first of all, they want to understand, and you have tried to explain it today, but i'm not sure it's going to be satisfactory why there wasn't sufficient protections in place on the front end so that this kind of breach wouldn't happen in the first place, given the sensitivity of the information that you're keeping in the company. the second thing is how quickly once a breach was discovered you came clean to the public and provided information on what was happening. there seems to have been a delay there that concerns people. the third is whether the services that you're now providing to people you have enumerated five or six free services that you're providing to people. whether that's going to be a sufficient assurance to folks going forward that their identity can be protected, that
12:44 pm
their information is safe and so forth. so you're trying to fish thix t now, but there's going to continue to be, i think, serious questions about all three of those things that i just mentioned. i wanted to ask you about the kind of remedies you have out there because there's some confusion. i got a question from a constituent who had purchased a monitoring service that would cover his family, including a child under the age of 18. so first of all, can you tell me, it is possible for someone under the age of 18 to have their identity stolen, is that correct? as far as you understand? >> is it possible? >> yes? >> as it relates to this breach? >> just generally. identity, if certain information
12:45 pm
about a minor is divulged to some unscrupulous actor, that can be used to steal the identity of the person. >> if someone has a social security number at any age, can that be compromised, yes. it cannot be compromised in this case because this database they got into, from my understanding, was only for people who have credit active or inactive. they have been in the credit environment. >> but my understanding is when you provide a family service, you're collecting information and holding information that includes the social security number of people who may be under the age of 18. >> i have no knowledge that under 18, not credit active, was compromised here. i can look into that. i have no knowledge. >> if that is the case, is the free service that you are
12:46 pm
providing going to cover any exposure or information that's related to a minor as opposed to somebody who's over the age of 18, if you had information on that minor? >> i can look into that, congressman. the intent of the coverage was to cover anyone in america who is in the credit system. so if you're under 18 and not in the credit system, i'll check your one point which is on this concept called family plan that you're alluding do where you lockdown consumers. i don't believe their security numbers were in the system but we can verify that. >> if i can interrupt. we had a clock issue. you have about 30 seconds left. >> thank you. i think it's important because it may be that with respect to credit reporting, implications of this breach are only attached to people who are 18 or older. but if you're holding
12:47 pm
information about minors like a social security number, that's part of the portfolio of information you're getting from a family, for example, particularly when the family has paid for this service. you're holding their social security number. so any breach that makes that information available outside of the arena in which it's supposed to be kept close, creates vulnerability for that person. it's not like we get a new social security number when we turn 18. so that's going to follow them all the way through and create some real risk for them. so i think that's a piece of this that we need to understand much better. and i want to thank my constituents for sort of bringing that to our attention. >> i understand your point. to the best of my knowledge, that data is not included in the breach. i'll look into it. >> thank you. i yield back. >> thank you very much. the chair now recognizes the gentleman from georgia. for five minutes. >> thank you. i want to thank you for allowing me to sit in on this today.
12:48 pm
mr. smith, thank you for being here. i know it's been a tough day. it's been a tough past couple weeks. i appreciate you being here. that's important. i'm not going to apologize for my colleagues and their questions and their aggressiveness, if you will, because as you know, people are upset. they're mad. you get it and i get it. we all understand it, but nor am i going to pile on. i want to kind of go a different route, if you will. one of the things that i have learned in two and a half years i have been up here is to be very careful about my southern phrases, but one of my southern phrases has always been that, you know, fool me once, shame on you. fool me twice, shame on me. i want to go what we can learn from this. this is not the first time a data breach has happened. perhaps it's the biggest it's ever happened, but it's happened to other companies before. to the extent you weren't prepared for this or it happened to you, and i hope that was not due to complacency, i hope it was not due to you not doing everything you could to have
12:49 pm
prevented it. but my question is this. can you share with us any information about the attackers? now, what do you know and what do you not know about them at this point? >> congressman, thank you for that. as i mentioned in my opening comments and my written testimony earlier this week, we engaged the fbi, and they currently have the investigation in their hands. so this juncture, we're not disclosing what we know about the hackers. >> how is your cooperation with the fbi been? is your experience with them thus far been good? this is important. it's important for everyone. yeah, everyone is upset, and rightfully so. they should be upset. when your personal data is out there, obviously, it's very upsetting. but i'm trying to go to a different direction. i'm trying to figure out how we can prevent this from happening. >> the cooperation with the fbi, as best i know has been good. it's on going. we have lines of communication
12:50 pm
into the fbi, not just after the breach but routinely throughout the year. so i would say it's been a very good cooperation, congressman. >> let me ask you this. through this scenario,this, thr this scenario, through this experience, rather, if you had to do anything different, what would you have done? >> congressman, i was asked that question earlier, and my answer will be the same now as it was earlier. there will be time for reflection personally and as an organization. that coupled with the investigation that we continue to undertake to look at processes in-house. but at this juncture, since i was notified in mid august through this morning it's all been about the forensics. it's been about trying to protect and do what's right for the consumer and there has been no time to reflect on what i would do differently into when that time comes, we need to know. we don't need to let this happen
12:51 pm
again. and other companies need to learn from it. this is obviously as i said earlier -- you are not the first company to suffer from there, you are not the first georgia company to suffer from this. we understand that. doesn't make it any lessee griedgeous to what has happened. but where i'm trying to go is what can we do better to prevent this from happening again. these guys are good. we know that. listen, cyber security is hard. it's way above my pay grade, i can tell you that. >> congressman, thank you for that. as i mentioned in my comments, i take full responsibility as ceo. >> i understand in a, and i appreciate that. >> if there is one thing i would love to see this country think about, it's the concept of a social security number in this environment being private and secure, i think it's time as a country to think beyond that. what is a better way to identify consumers in our country in a
12:52 pm
very secure way? i think that way is something different than an ssn, a date of birth, and a name. >> well, you are exactly right. i rr my time in the georgia state legislature when we changed -- you know, you used to have your social security number on your driver's license. it used to be your driver's license number. we i think changed. that was not that long ago. that's what tells me, this is something that is changing dramatically and quickly. and we need to be prepared for it. so i know that you are putting out fires right now. but at some point, we need to learn from this. we need to know, look, we shouldn't have done this, we should have done that. what could we have done differently? what will benefit another company to allow that this doesn't happen? and i hope, thus far you appear to have been honest about all of this. i hope that if part of what the problem was was complacency that you would admit that and say
12:53 pm
don't, don't ever let your guard down. >> thank you, congressman. i would love to be part of that dialogue about what lies ahead to protect individuals' identities. >> again, want to thank you for being here. it satisfies a lot about you and about your company. >> thank you. >> thank you mr. chairman. >> the gentleman yields lack. the chair now recognizes the gentle lady from california for five minutes. >> thank you mr. chairman. first i would like to recognize recognize saxby chand list who served in the house and the senate. it's good to see you. very nice to see you. mr. smith, it seems to me that you have accomplished something that no one else has been able to accomplish, and that is that you have brought republicans and democrats together in outrage
12:54 pm
and distress and frustration over what's happened. because this is huge. this is almost half of the country and their information. you know, the american people are -- i think they have privacy in their dna. way don't like big brother. we don't like people having information on us. we know in an information and in a digital age that that's impossible, but boy, when that's breached, when the privacy goes out the window, it really puts a department in people's lives. i equate it with -- because, they don't feel they can do anything about it. they feel helpless. i come from earthquake country, and when that rattle first starts, you really do feel helpless. you feel absolutely helpless.
12:55 pm
now, it's been -- the question is kind of been posed retorically by some members because i have been sitting in for a while at this hearing, what can be done? i have the privilege of representing most of silicon valley. i have asked this question about the protection in terms of privacy, breaches in our country, to just about every ceo i've met. and they have responded like a chorus and said that there are two main reasons for breaches in our country. number one, a lack of hygiene in systems, and very poor security management. that's why we have legislation. senator hatch is the lead sponsor in the senate. i have the bill in the house. so it's distressing to me
12:56 pm
knowing this information that homeland security notified equifax -- this is almost seven months ago. this has to do with a patch. so i know there are a lot of questions that have probed this, but you as ceo at the time, when homeland security informed your company that there was a breach, what did your -- what did you say to your cio officer? did you understand what the breach was? did you understand what the patch meant? did you understand the timeliness, the need for timeliness to have this fixed? and did anything change in that department? was there a new policy put in place by you? >> congress woman, to clarify,
12:57 pm
when the search came out in march, there was no notification of a breach. there was notification -- >> what did it mean? >> what it meant was -- >> if i got a notice from homeland security that's like the fbi knocking on the door. that's the federal government. that in and of itself is a bit menacing, isn't it? >> what it meant was an open source software called apache struts had a vulnerability. and the notification was the vulnerability should be patched. >> all right. did you ask if it was patched? >> we get notifications -- >> no. you got the notification from homeland security. all right? what did you do about it the day you found out? the company was notified on i believe the 9th of march. when did you know? >> the team, security team, followed protocol and instptly,
12:58 pm
within a day sent notification out the many people in the organization that a patch needed to be applied to apache struts. >> did you ask your team when it was applied? >> the security team did, and i spoke with the i.t. team as well. >> when did they take care of it? >> throughout the testimony we talked about what occurred was. >> tell me when it happened. when was it actually -- >> the following day, communication was sent out to those who needed to be notified. >> you already said that. i want to know when they did it. when they took care of it. >> they took care of it in july because we never found it. it wasn't until your call -- we had the human error, we did the scan, the technology never found it. in july, we saw suspicious activity, took the portal down, found the vulnerability, applied the patch. >> well, i thank the chairman.
12:59 pm
we have in the rules of the full committee which are approved at the beginning of every congress that members of the full committee can participate in subcommittees where they are not members. and i appreciate the legislative courtesy. and i think that there is a lot more to be done on this issue, mr. chairman, if i might make the recommendation, i think we should have the cio, the chief information officer, come in because i don't think that this is resolved. so thank you. >> thank you very much. >> nice to see you saxby. >> the gentle lady's time has expired. we are going to ask one quick follow up question. i yield to the ranking member first. >> first of all, mr. chairman, i would like to insert for the record letter from consumers group to letter from credit union national association, and article from wgn tv. >> without objection, so
1:00 pm
ordered. >> oh, sorry. so, in closing, mr. smith, i want to quote again from you -- from your testimony. you mentioned the five fixes, so-called, and you put -- this puts the control of consumers' credit information where it belongs, with the consumer. so i want to ask you a question. what if i want to opt out of equifax? i don't want you to have my information anymore. i want to be in control of my information. i never opted in. i never said it was okay to have all my information. and now i want out. i want to lock out equifax. can i do that? >> congresswoman, that requires a much broader discussion of the rule of the credit reporting agencies. the data as you know today doesn't come from the consumer.
1:01 pm
it comes were the furnishers. and if furnishers provide that data to the entire industry. >> no. i understand that. and that's exactly where we need to go, to a much larger discussion. because most americans really don't know how much information, what it is, that you have it, and they never said okay. so i'm hoping that will lead to wider discussion. thank you. >> thank you very much. the gentle lady yields back. and if i may just go back to what we had a little discussion earlier' he the beginning. going back to your testimony from auction 15th when you reported likely that consumer information likely had been stolen. again, why was there again a ten-day delay between finding out about that personal information that could have likely been stolen to developing that remediation plan? that ten-day window.
1:02 pm
why did it take ten days to start that remediation? >> well, congressman, there was continuous work going on around the clock from that time through yesterday trying to develop the product, develop the communication plan, stand up website, inform those that needed to be informed. it wasn't like on a certain date something occurred. it was continueual motion by many people prosecutor many, many weeks. >> let me ask a follow up on that then. because again with that ten-day period of time, when was the appropriate time really to start talking to the consumers at that point in time or again waiting until you did in september? again, there was that lag time where information could have been stolen on individuals. >> yeah, the whole goal was to make sure that the data we had was as accurate as clear for the u.s. consumer as possible. number two it was to make sure for the forensic cyber security
1:03 pm
specialists that our environment was as secure as possible. remember they said expect increased attacks. number three was the stand up the call centers and the website for hundreds of millions of consumers. and that just took time as i alluded to earlier. >> thank you very much. and seeing that there are no other members present to ask questions we want to thank you very much for testifying before the subcommittee today. pursuant to committee rules i remind members they have ten additional days to submit questions for the record. i ask that the witness submit his response within ten business days of any request submitted. without objection, the subcommittee is adjourned.
1:04 pm
there will be more testimony from former equifax ceo richard smith as he appears tomorrow before the senate banking committee. that will be at 10:00. then on thursday he appears at 9:30 eastern testifying before the house financial services committee. both of those hearings by the way on c-span2, or linen the free c-span radio app. go live now to capitol hill as defense secretary james mattis and general


info Stream Only

Uploaded by TV Archive on