Ex-CEO of Equifax proposes consumers control their credit files
In congressional testimony, Richard Smith answers questions about massive breach
Expert on consumer credit laws and regulations
Under a grilling from Congress on Tuesday for one of the largest data breaches on record, Equifax ex-CEO Richard Smith proposed to make a fundamental change in the U.S. credit reporting system: Give you, the consumer, control of your credit file.
Smith resigned following the revelation that sensitive data about 143 million consumers – now up to 145.5 million – was exposed to hackers. In his first testimony Tuesday, he apologized and pledged to give all consumers the right to lock and unlock their Equifax credit file at will – for free, for life. He also called on the other two large credit bureaus, Experian and TransUnion, to follow suit.
More on the Equifax data breach:
"It's time we change the paradigm," he said in testimony before a subcommittee of the House Energy and Commerce Committee. "It's time we give control to consumers."
Locking the file would block loan applications filed by identity thieves, greatly reducing the threat posed by the exposure of Social Security numbers, birthdates and other personal information used to verify your identity. Unlocking the file would let the legitimate consumer grant access when they needed to apply for a loan or other purposes.
TransUnion is currently offering a free service with credit report locking and unlocking, TrueIdentity. Experian charges monthly fees starting at $9.99 for its IdentityWorks service, which includes credit locking, according to its website.
Calls for higher
But some angry members of Congress from both parties were not appeased by Smith's plan, calling for higher security standards and greater penalties for failing to protect individuals' data.
"It would seem to me you might pay a little more attention to security if you had to pay everyone who was hacked a couple thousand bucks," Rep. Joe Barton, R-Texas, said. Existing data security requirements call for notification of affected people, but lack penalties, he said. "I think it’s time we at the federal level put some teeth into this, some sort of per-account payment."
Bills introduced in the wake of the hack would tighten security standards, give consumers free credit freezes, or broadly reform the credit reporting system.
"American consumers don't just need answers, they need action," said Rep. Janice Schakowsky, D-Ill., sponsor of H.R. 3896 requiring bureaus to secure their data and notify individuals if there is a breach.
Equifax standing questioned
Rep. Paul Tonko, D-N.Y., asked questions he said came from his constituents. Given that handling data securely is the company's core business, and it "failed spectacularly," he asked, "why should the company be allowed to continue to exist?"
Smith responded that the company’s function is to help people into the "credit world." Credit reports are an integral part of the system that gets consumers access to credit, he said, making it vital to the economy as well as borrowers.
Among the measures prompted by the breach, Sen. Elizabeth Warren, D-Mass., introduced S.1816, the Freedom from Equifax Exploitation Act, to enhance fraud alerts and provide free credit freezes. Also, Rep. Maxine Waters, D-Calif., who has long called for broad changes in the credit reporting system, introduced the Comprehensive Consumer Credit Reporting Reform Act, H.R. 3755.
But Rep. Greg Walden, R-Ore., expressed doubt that legislation could prevent another hack. "I don't think we can pass a law that, excuse me for saying this, fixes stupid," he said. "It's like the guards at Fort Knox failed to lock the doors and didn’t notice thieves were robbing the vault."
More questions on
credit freezes, security and Equifax’s response to breach
Here is a summary of Smith's testimony before the Subcommittee on Digital Commerce and Consumer Protection in question-and-answer form:
Q. You promised to let consumers lock and unlock their credit file. How is this different from the credit freezes and un-freezes available to consumers under state law?
A. From a security standpoint, the lock is the same as a freeze, according to Smith, but the usability of a lock will be more convenient. A consumer using the app that Equifax plans to release in January 2018 can control who gets access to their credit file, and when, by toggling the control within the software, he said. Credit freezes, by contrast, are mandated by state laws, some of which require notification in writing, by mail, meaning days or weeks before the action can take effect, he said.
Q. Equifax was notified in March that a flaw in software called Apache Struts needed to be patched. This was the flaw that hackers used to get entry into the dispute system that was compromised. What happened?
A. Smith said a combination of errors was to blame. The individual cybersecurity official who received the notice of the vulnerability failed to tell the security team to make the fix. A subsequent computer scan of vulnerabilities failed to flag the unpatched software, which is still being looked at by cybersecurity consultants.
Q. When did you first learn of the breach?
A. Smith said he first heard of the incident on July 31 in a face-to-face conversation with Chief Information Officer David Webb, who has also resigned.
Q. Why did it take you so long to warn the public, waiting until Sept. 7?
A. The initial indication of a problem was only that there was suspicious activity in a web portal that consumers use to dispute information in their credit files, he said. Such incidents are not uncommon as hackers target the company frequently. It took cybersecurity experts time to determine there was a data breach, and to find the extent of it. Following that, the company built a website and response plan to get information to individuals.
Q. In speeches given Aug. 11 and Aug. 17, Smith was reported saying that data security was a "huge opportunity," making it sound like Equifax was poised to profit from exposing consumer’s identifying details.
A. The speech was a routine one that Smith said he gave often. At that point, the company did not yet know what data was compromised.
Q. Why was the consumer help website set up with a separate, non-company address (https:www.equifaxsecurity2017.com) instead of on the company's system, using its easily recognizable internet address?
A. Smith said the volume for the breach website was beyond what the company's main site was designed to handle. The main site is mainly built to handle requests from companies. The breach website received 400 million consumer visits in three weeks, he said.
First hearing of
Smith's testimony continued Wednesday and is to wrap up today before banking committees in the Senate and House. Members of the Energy and Commerce subcommittee on Tuesday indicated that lawmakers still have concerns about the security breach, the company's response, and the issues the incident raises.
"Most Americans don’t know how much information you have on them, and they never said OK," Rep. Schakowsky said. "I’m hoping this yields a wider discussion."
- Citi to refund $330 million in interest charges to cardholders – Citi discovered errors in re-evaluating APRs for millions of cardholders who resumed on-time payments after slipping up ...
- 5 months after Equifax breach, no new data security rules – Five months after Equifax data breach, debate over tighter security rules continues – but new tools let individuals lock their credit files ...
- Wells Fargo: Fed's crackdown shouldn't hit cardholders – Wells Fargo cardholders won't be affected by the Federal Reserve's cap on bank's growth following the fake account scandal in 2016, banks says ...