Former Equifax CEO Apologizes for Data Breach, Details Remediation Efforts

Former Equifax CEO Richard F. Smith said that he is "deeply sorry" for the Equifax data breach and detailed the company's remediation efforts.

In testimony before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, Mr. Smith, who resigned from his position on September 25, 2017, acknowledged that the data of more than 140 million U.S. consumers had been stolen from Equifax servers. The compromised data included names, Social Security numbers, birthdates, addresses and, for a subset of consumers, credit card numbers. Mr. Smith conceded that the Department of Homeland Security's US-CERT had notified Equifax on March 8, 2017 of a vulnerability in web application software the company used, but that the patch was never applied to the affected system and a subsequent vulnerability scan failed to flag it. As a result, attackers had access to consumers' personally identifiable information from May 15 until July 30, when Equifax detected and blocked the suspicious traffic.

Equifax publicly announced the breach on September 7. Mr. Smith stated that the company instituted remedial measures, including (i) a website through which consumers could check whether they were affected, (ii) a call center to answer consumers' questions, and (iii) free identity protection and credit monitoring services. Mr. Smith acknowledged that the rollout of these measures included various missteps, such as the inadvertent inclusion of a mandatory arbitration clause in the terms of service for the monitoring product and understaffed call centers.

Mr. Smith noted that cybersecurity incidents have also afflicted many other companies and government agencies, and encouraged policymakers and corporations to remain vigilant about emerging cybersecurity threats.

Commentary

Equifax will face scrutiny from shareholders, Congress, and the SEC not only over why the breach happened, but over why nearly six weeks passed between discovery of the intrusion and its disclosure to consumers and the investing public. Several lessons follow. First, companies must take cyber hygiene seriously and ensure that software patches are applied quickly and system-wide, and then verify that they were applied: a patch directive that reaches only some of the affected systems, or a vulnerability scan that misses the one that was not patched, leaves the exposure in place. Fewer than ten percent of attacks are so-called "zero day" attacks (attacks exploiting a vulnerability for which no fix is yet available). The vast majority exploit known vulnerabilities for which a patch exists but has not been applied. Second, firms must have an incident response plan that enables a rapid, coordinated response to a breach, including the customer-facing steps, because a cyber-intrusion is only compounded by delay and by a fumbled notification. Finally, companies across industries must recognize that attackers no longer target only banks and retailers: anyone holding sensitive customer, financial, or intellectual property data is a potential target.
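The first lesson above is only actionable if someone can answer, for a given advisory, "which of our systems still run the affected version, and for how long have they been exposed?" The script below is an added illustration of that check; it is not code from the article, from Equifax, or from the hearing. It takes a vendor advisory (an affected version range and a publication date) and a software inventory, and reports the hosts still inside the affected range, the hosts whose inventory record is too old to prove they were fixed, and whether a patching SLA has been blown. The advisory identifier, the product name "example-webfw", the host names, the versions and the dates are all constructed for the example.

```python
"""Patch-gap check over a software inventory.

Added illustration, not code from the article or from Equifax: given a
vendor advisory and a record of what is actually deployed, list every host
that still runs an affected version, flag inventory entries too old to prove
anything, and report how far past a patching SLA the organisation is.
The advisory identifier, product name, hosts and versions are all constructed.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(text: str) -> tuple:
    """'2.3.31' -> (2, 3, 31): compare numerically, since as strings
    '2.3.9' would sort *after* '2.3.31'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str           # constructed identifier, deliberately not a real CVE
    product: str
    first_affected: str  # inclusive lower bound
    fixed_in: str        # exclusive: this version and later carry the fix
    published: date

    def affects(self, product: str, version: str) -> bool:
        if product != self.product:
            return False
        v = parse_version(version)
        return parse_version(self.first_affected) <= v < parse_version(self.fixed_in)


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    internet_facing: bool
    verified: date       # when a scan last confirmed the recorded version


def patch_gap(advisory: Advisory, inventory: list, today: date, sla_days: int = 30) -> dict:
    """Classify every host running the advisory's product.

    vulnerable: recorded version is inside the affected range.
    stale:      recorded version looks fixed, but the record predates the
                advisory, so it proves nothing; re-scan before closing it.
    Internet-facing hosts are listed first: they are the ones reachable by
    the attackers the advisory is warning about.
    """
    days = (today - advisory.published).days
    facing = {}
    vulnerable, stale = [], []
    for host in inventory:
        if host.product != advisory.product:
            continue
        facing[host.name] = host.internet_facing
        if advisory.affects(host.product, host.version):
            vulnerable.append(host.name)
        elif host.verified < advisory.published:
            stale.append(host.name)

    def order(name: str) -> tuple:
        return (not facing[name], name)

    return {
        "vulnerable": sorted(vulnerable, key=order),
        "stale": sorted(stale, key=order),
        "days_exposed": days,
        "sla_breached": days > sla_days,
    }


# Constructed sample data: a fictional web framework and a six-host estate.
ADVISORY = Advisory("ADV-2017-0001", "example-webfw", "2.3.5", "2.3.32", date(2017, 3, 8))
INVENTORY = [
    Host("web-01", "example-webfw", "2.3.31", True, date(2017, 3, 20)),
    Host("web-02", "example-webfw", "2.3.32", True, date(2017, 3, 20)),
    Host("dispute-portal", "example-webfw", "2.3.9", True, date(2017, 3, 15)),
    Host("batch-07", "example-webfw", "2.3.30", False, date(2017, 3, 20)),
    Host("legacy-03", "example-webfw", "2.5.0", False, date(2017, 2, 1)),
    Host("db-01", "example-db", "9.6", False, date(2017, 3, 20)),
]


def run_example() -> dict:
    """Run the check as of a constructed date six weeks after the advisory."""
    return patch_gap(ADVISORY, INVENTORY, date(2017, 4, 20))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two design points matter more than the version arithmetic. Versions are compared as integer tuples, because a string comparison would call 2.3.9 newer than 2.3.31 and quietly mark a vulnerable host as fixed. And an inventory record taken before the advisory was published is treated as unproven rather than as clean: the fact that a patch was ordered, or that a scan once ran, is not evidence that this particular host received it.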
