Breach Notification , Breach Response , Data Breach

Ousted Equifax CEO Faces 3 Congressional Hearings

Board of Directors Investigation Reportedly Now Focusing on Chief Legal Officer
Ousted Equifax CEO Faces 3 Congressional Hearings
Richard Smith, former CEO and chairman of the board at Equifax

Mr. Smith is going to Washington.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

This week, Richard Smith, the former CEO and chairman of the board at embattled credit-reporting bureau Equifax, is set to testify before three Congressional committees over the company's massive data breach. In written testimony submitted before Tuesday's hearing, Smith says "human error and technology failures" led to the breach.

The breach at Equifax, which the company first disclosed on Sept. 7, exposed 143 million U.S. consumers' personal details, including Social Security numbers.

The hearings will likely focus on Equifax's information security practices, breach response, data obtained by hackers, as well as the suspicious timing of stock sales by three top executives.

Smith, who "retired" last week, is due to appear before the House Energy and Commerce Committee on Tuesday, followed by the Senate Banking Committee on Wednesday and the House Financial Services Committee on Thursday. At all three hearings, Smith - now listed as being "adviser to the interim CEO and former chairman and CEO of Equifax" - is the sole witness being called.

When Smith retired, he handed the reins to Paulino do Rego Barros, who will serve as interim CEO until the board finds a permanent replacement. Smith, meanwhile, has agreed to advise Equifax for 90 days.

Prior to his resignation, Smith had written that the breach was the "most humbling moment" in the history of 118-year-old Equifax.

Questions Dog Stock Sale Timing

A Sunday report in the Wall Street Journal says that Equifax's board of directors is focusing on the role played by Equifax Chief Legal Officer John J. Kelley, who oversaw information security at the company - the company's CSO reports to him - and who had ultimate authority for approving stock sales.

After Equifax warned that it had been breached, a review of the company's filings with the U.S. Securities and Exchange Commission revealed that three executives, including the CFO, collectively sold Equifax stock worth almost $1.8 million on Aug. 1 and Aug. 2 - just days after the breach was discovered, and well before the company issued its public breach notification.

The company notified the SEC about the stock sales on Aug. 3 in documents signed by Lisa Stockard, assistant general counsel at Equifax.

The stock sales generated $946,374 for CFO John Gamble, $584,099 for U.S. Information Solutions President Joseph Loughran - who also exercised an option to purchase 3,000 shares at a price of $33.60 - and $250,458 for Consumer Information Solutions President Rodolfo Ploder (see Equifax Breach: 8 Takeaways).

Letter to House Energy & Commerce Committee Democrats from Equifax, dated Sept. 28.

Equifax has claimed the executives did not know about the breach at the time of their stock sales. But some outside executives have noted that it would have been highly unusual for the publicly traded company's CFO to not have been part of an emergency meeting of the executive management committee to plan its breach response.

Meanwhile, a letter from Equifax lawyer Theodore Hester to members of Congress, dated Thursday, said that the board has formed a special committee to investigate the stock sales and that it "takes these matters seriously."

Hester adds: "The committee has retained counsel and is conducting a thorough review of the trading at issue."

Smith's Delayed Compensation

Smith's departure followed the company's CIO and CSO similarly "retiring," as Equifax likewise described their departures. Equifax says Smith will forego his severance package, but noted that he might still be due compensation, contingent upon the results of the board's cybersecurity investigation, worth up to $90 million.

In an SEC filing, the company says that "any obligations or benefits owed" to Smith will be evaluated following that investigation, suggesting that the board could attempt to "claw back" some of Smith's compensation if it finds fault with his leadership.

In 2016, Smith received a pay package of nearly $15 million, and he holds stock in the company currently valued at $29 million, although not all of it has vested.

Equifax, Under Pressure

The Equifax breach is now the focus of a criminal investigation by the FBI. Equifax also faces investigations by at least 40 state attorneys general, probes by the Federal Trade Commission and the SEC, as well as consumer lawsuits and legal actions by financial services firms whose customers' payment card details were exposed.

The Justice Department last month announced that it has opened an investigation into the timing of stock sales by three senior Equifax executives, and both the SEC and the U.S. Attorney in Atlanta are reportedly participating in the probe (see More Questions Raised After Equifax CIO, CSO 'Retire').

SEC Chairman Jay Clayton appeared to confirm the probe last week when testifying before the Senate Banking Committee. "I'm glad to hear that you're investigating," Sen. John Kennedy, R-La., told Clayton, who replied: "Thank you."

Equifax is also facing probes by U.K. and Canadian regulators, owing to the breach exposing personal data for 400,000 British consumers and 100,000 Canadian consumers.

Probing Breach Details

This week's hearings on Capitol Hill will likely see lawmakers demanding more extensive details about what data, exactly, attackers obtained, and how it was being secured. Equifax has yet to describe precisely what was stolen in the breach, except to say that Social Security numbers, names, birthdates and addresses were exposed, as were drivers' license numbers, in some cases.

The hearings could presage further calls for greater privacy rights for consumers and oversight of the "big three" data brokers - Equifax, Experian and TransUnion. But Republicans, who control a majority in Congress, have signaled that they do not expect to pass any new legislation as a result of the Equifax breach (see Cynic's Guide to the Equifax Breach: Nothing Will Change).

Equifax has already stated that attackers exploited a flaw in its open source Apache Struts application framework that it failed to patch after Apache issued an emergency security update on March 6. On March 10, hackers reportedly used the flaw to exploit Equifax (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).

Equifax says it discovered the breach on July 29.

Timeline

Equifax breach timeline. (Source: House Committee on Energy and Commerce)

'Top-Secret Project'

Since at least February, Equifax was aware that online attackers had been abusing its payroll service by entering stolen information - including Social Security numbers - and downloading W-2 and other tax forms for employees from multiple firms. These forms were allegedly then used to file fraudulent tax returns in employees' names (see Equifax Disputes Report of Undisclosed Breach From March).

Equifax hired FireEye's Mandiant incident response group in March to investigate the attacks as part of what Smith designated as "a top-secret project," one unidentified source told Bloomberg. But Equifax's relationship with Mandiant allegedly soured, with Equifax suggesting that the team deployed by Mandiant was undertrained.

Equifax could not be immediately reached for comment on that report, which suggests that the breakdown between the company and Mandiant may have allowed the Apache Struts attackers to roam unchecked for a longer period of time.

But Mandiant was brought in again after Equifax discovered signs that it had been hacked in March, in what may or may not have been a separate attack. In a report issued last month to Equifax's customers - including banks - Mandiant reportedly said that attackers had installed 30 web shells across various Equifax systems, giving them persistent access. Investigators reportedly said they were able to identify who hacked Equifax.

FireEye declined to comment.

Poor Victim Support

As part of its breach notification, Equifax created a website - www.equifaxsecurity2017.com - designed to give consumers breach-related information. But it has been dogged by technical problems.

The company's own customer support team has also been inadvertently directing potential breach victims to a lookalike site, securityequifax2017.com, created by a security researcher to highlight the risks faced by consumers when attempting to differentiate Equifax's official breach notification site from potentially bogus ones.

Following the breach, Equifax faced widespread criticism for apparently requiring anyone who signed up for the identity theft monitoring service it was monitoring - prepaid for the first year - to waive their right to participate in any lawsuits against Equifax.

Equifax quickly adjusted those terms of service. But it - and other credit-reporting agencies - have faced criticism from consumer-rights groups, and Democratic legislators, for charging breach victims a fee to freeze their credit files. Identity theft experts say that credit freezes remain the best way for breach victims to protect themselves.

Equifax says that by Jan. 31, 2018, it plans to offer consumers the ability to permanently restrict access to their personal credit data. "The service the company is developing will let consumers lock and unlock access to their Equifax credit files, at will, without charge and for life," the company said in a Thursday 8-K filing to the SEC.

Late last month, student loan refinancing website LendEDU says it surveyed 1,000 American consumers over the age of 17 about the Equifax breach and found that while 84 percent of respondents had heard of it, only 45 percent had visited Equifax's breach-notification site to see if they were a victim. That's despite the breach having resulted in the exposure of data relating to a majority of American adults.

Survey: "Have you checked to see if you've been affected by the Equifax cyber-security incident?"

Source: Survey of 1,000 U.S. consumers aged 18 and over, conducted in late September by LendEDU.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network