Arizona expert tells panel Equifax breach could be worse than thought

WASHINGTON – A Senate committee Wednesday chastised the former head of Equifax for a data breach that exposed financial data of as many as 143 million Americans to hackers – a number that one Arizona expert said could be even higher.

Jamie Winterton, director of strategy at the Global Security Initiative at Arizona State University, told a Senate Judiciary subcommittee that Equifax estimates of the size of the breach have changed.

“Do they even know?” she asked. “When I wrote my initial testimony, it was 143 million and then they revised that to 145.5 million. They certainly know who has been breached but they may not know the full extent of that breach.”

The Senate hearing came on the first of two days of congressional hearings where former Equifax CEO Richard Smith has been called to answer for what one senator called a showing of “gross negligence and total disregard for its customers.”

The firm was hit earlier this year when it failed to patch a vulnerability in its system, exposing financial data, personal records, Social Security numbers and more to hackers. Smith, who resigned Sept. 26, apologized in his testimony, both for the breach and the response that followed.

“To each and every person affected by this breach, I am deeply sorry that this occurred,” he said. “Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize.”

Smith conceded that the company was not prepared for a response of the size that was required, mainly due to the fact that Equifax does not normally deal directly with customers. He also noted that “two of the larger call centers in Florida were forced to close for a period of time in the wake of Hurricane Irma,” hampering the response.

Sen. Al Franken, D-Minnesota, said the issue is a recurring theme for the committee, which met two years ago to discuss a data breach at Experian, another credit rating company.

“We were here just two years ago … talking about such companies as being the perfect target for cyber criminals,” Franken said.

Winterton and other witnesses said there are steps that can be taken, both large and small. One option, she said, would be for industries to pool their resources for research to better understand the issue.

“To craft a research agenda that can solve the real challenges facing our nation, we must first understand the impacts of large-scale data breaches,” she said.

Another option would be legislation to let customers choose to keep their information from being shared with certain companies or people. In such a plan, Winterton said, people could opt in to sharing their information when buying a car or getting a loan, for example, but otherwise keep their information locked and secure.

Tyler Moore, an assistant professor of cybersecurity at the University of Tulsa’ Tandy School of Computer Science, agreed that individuals need to better control access to credit reports.

“We need a comprehensive approach that changes from today’s practice of allowing access by default to the more secure approach of denying access by default,” he said in his written testimony.

“In a world where bad actors already know most everyone’s name, Social Security number and address, we cannot continue with a system where authentication is based solely on information that has been compromised.”

Sen. Patrick Leahy, D-Vermont, noted that he had sponsored legislation known as the Consumer Privacy Protection Act that would have required that consumers be notified when a breach occurred.

But Equifax “had more of a regard for protecting its own people and its profits, even having a couple of your executives cash in stock … before the breach was disclosed to the public,” said Leahy, noting that the firm spent a quarter-million to defeat his bill.

Winterton said legislation doesn’t always work well when dealing with technology, and that the problem needed to be fully understood before it could be solved.

“The problem with legislation is that it tends to lag technology,” she said. “Technology moves very fast and legislation tends to catch up … what we need to look at are what are the systems of the future? And how can we legislate around those?”