Lawmakers got their first crack at former Equifax CEO Richard Smith on Tuesday, bombarding him with criticism for the massive data breach that occurred on his watch.
The lawmakers could barely mask their anger as they pressed Smith on why the company’s data security practices were inadequate, given the mass amounts of personal data the company handles.
Smith opened his testimony with a public apology.
“The criminal hack happened on my watch and as CEO I’m ultimately responsible,” said Smith, who retired from the company last week.
In one exchange with Rep. Ben Ray Luján (D-N.M.), Smith repeatedly dodged questions about whether Equifax’s response will make consumers whole.
“Do you think consumers should have to pay a penalty for your mistake, including potential identity theft, false credit accounts, fraudulent tax returns or medical identity theft?” Luján asked. “Or do you commit to compensating any consumers who suffer harm as a consequence of your breach?”
“We take this seriously,” Smith responded. “I’ve apologized, apologized again to the American consumer. We’ve offered a comprehensive set of products for free.”
“Mr. Smith, will those comprehensive sets of products make consumers whole?” Luján shot back.
“It will protect them going forward,” Smith said. When Luján repeated the question, Smith responded, “It is hard for me to tell if someone’s been harmed, so I can’t answer the question.”
Equifax revealed the breach last month, saying that hackers had stolen personal information for 143 million people. This week, the company said that 2.5 million more people were affected by the breach than had been initially estimated.
The stolen data included Social Security numbers, names, birth dates and addresses.
Smith said the breach could be attributed to a “combination of human error and technological error.” The company neglected to patch key software, leaving consumer data vulnerable, and Equifax’s security scanners did not detect the vulnerability, Smith said.
The company has since offered free credit locking services for those affected by the breach, but lawmakers have questioned whether Equifax was equipped to handle the influx of consumer queries about their data.
Rep. Joe Barton (R-Texas) suggested that organizations like Equifax should pay a fine for every customer that’s affected by data breaches.
“We could have this hearing every year from now on if we don’t do something to change the current system,” said Barton, a founding member of the bipartisan Congressional Privacy Caucus.
“So I would hope that you’d go back to your peers and work with the committee chairman and the subcommittee chairman, ranking member, and let’s figure out something to do that actually gives an incentive to the industry to protect ourselves,” he added.
Equifax has also faced questions about why two of its executives sold large amounts of stock before the breach became public. Smith said the extent of the breach was not known when they made the sales.
Smith’s testimony Tuesday before a House subcommittee is just the start of his time on Capitol Hill this week; he’ll be testifying before three more committees.
“Mr. Smith, it seems to me that you’ve accomplished something that no one else has been able to accomplish,” said Rep. Anna Eshoo (D-Calif.). “And that is that you have brought Republicans and Democrats together in outrage and distress and frustration over what’s happened because this is huge. This is almost half of the country and their information.”