Lawmakers railed against former CEOs of Yahoo and Equifax over massive cybersecurity breaches that occurred on their watch and floated potential policy solutions to crack down on the hacks impacting hundreds of millions of Americans.
Frustrated members of the Senate Commerce Committee pressed former Yahoo CEO Marissa Mayer, former Equifax CEO Richard Smith and its current CEO Paulino do Rego Barros Jr. on how their companies allowed such enormous breaches and pushed for answers as to how they would handle the fallout.
Committee Chairman Sen. John Thune (R-S.D.) opened the hearing by asking Mayer to explain how, despite the increased investments she touted during her opening, 3 billion of its accounts were hacked into in 2013.
“Despite these investments, Yahoo failed to detect the 2013 breach,” Thune said, noting it also took years for Yahoo to understand the full scale of the problem.
“With such a strong security team in place, how did Yahoo fail to recognize all 3 billion of its user accounts had been compromised?” he asked.
Mayer replied that such breaches are complex and required time to understand. Indeed, she said, the company is still trying to determine who was responsible.
“We still have not been able to identify the intrusion that led to that breach,” the former Yahoo CEO explained.
The firm did not initially understand the scope of the breach and only notified users that it had been hacked in 2017. It revealed just last month that the 3 billion accounts were compromised.
In July, credit bureau Equifax also was the subject of a large cybersecurity breach in which sensitive information, including Social Security numbers, of 145.5 million people was stolen by hackers.
Sen. Brian Schatz (D-Hawaii) critically highlighted that after stepping down following the enormous intrusions, Mayer and Smith still walked away with tens of millions of dollars.
Mayer stepped down after Verizon’s acquisition of Yahoo was complete in June.
“People where I live, people where we all live, cannot understand how the CEO of Yahoo walked away with [millions of dollars] worth of stocks,” Schatz said.
“Regular people don’t understand that, and they shouldn’t understand how you walk away with money that a small city … would have as their budget,” he added. “It’s not fair.”
Lawmakers also voiced potential legislative and policy solutions to prevent future cyber breaches that could compromise the public’s data and questioned the executives’ commitment to fixing cybersecurity vulnerabilities.
“Of course it does,” Schatz responded when asked by reporters if Mayer’s refusal to testify until she was subpoenaed by the Senate Commerce Committee raised accountability concerns.
“This is why Congress needs to legislate in this area,” Schatz told reporters later. “I have no belief that they’re going to fix this on their own.”
The committee’s top Democrat, Sen. Bill Nelson (Fla.), told witnesses that “there’s going to have to be a cooperation between the most sophisticated player in the U.S., which is the NSA, and all of you.”
Nelson’s comment was aimed at addressing the threat of state-sponsored attacks, which Mayer said that firms like Yahoo would not be able to handle alone.
A 2014 attack in which 500 million Yahoo accounts were stolen was perpetrated by Russian spies and hackers.
“Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised,” Nelson said.
Lawmakers during the hearing pointed out that consumers could be affected by the breaches and have their identities stolen at any point during the rest of their lives.
Senators were skeptical that Equifax’s solutions would sufficiently protect the public.
Sen. Gary Peters (D-Mich.) ripped Barros for making Equifax’s credit monitoring free for only a year, after the executive conceded that consumers could be affected at any point.
Sen. Richard Blumenthal (D-Conn.) hammered Equifax further about its arbitration clauses that consumers agree to when using the company’s products to monitor their credit and see if they were affected in the breach.
The firm took criticism in the wake of the breach for including a clause that forced consumers to waive their right to sue the company in court. Instead, they would have to resolve legal disputes with Equifax in private arbitration, which critics say unfairly benefits corporations over consumers.
Equifax ultimately said that the tools it set up to help consumers affected by the breach, Equifaxsecurity2017.com, would be exempt from the arbitration clause.
But Barros did not commit to removing this clause from Equifax’s other products and services on Wednesday.
“I believe consumers have a choice to choose their products,” Barros said to Blumenthal.