Former Equifax CEO Richard Smith faces House subcommittee via @YouTube

Interesting importance of lack of quick communication all the way to the CEO/Board.

The House: "How does this happen?" Interesting that they would ask this question. I feel their techsperts tell them "this is easy to do".

Mr. Pallone is doing a good job of hitting on what Equifax plans to do with people's data separate from credit control.

Mr. Barton (TX) What would the industry do if we passed a law making you pay everyone that got breached?

Mr. Barton: We looked at the data you collected on one of my staffers who was breached. It was more data than you needed.

Man. That was an open threat.

Mr. Lujan: Will you make people whole?
Mr. Smith: uhhh....

Mr. Harper: Is protecting PII the #1 job of everyone in your company?
Mr. Smith: Yep. And has been for years.
gabe: uh....

Mr. Cardenas: Mr. Smith, welcome to Washington.

Mr. Cardenas: Sooo, why isn't the actual Equifax CEO here?
Mr. Smith: I don't know but I was responsible during the breach so I'm here.

Mr. Upton: Could the data have been changed?
Mr. Smith: No indication it's been changed.

Mr Smith: Credit file itself was not accessed.

Mr. Upton: How'd the actors get caught?
Mr. Smith: <something about a 'decrypter'>. Sounds like DLP?

(Gabe: Uh, if you caught this by the data leaving, how did you _not_ know it was a breach immediately?)

Mrs. <someone's name plate blocked by bald headed guy>: <Reading some statement.>

Mrs ...gell: Was it a nation-state? Do you know who attacked?
Mr. Smith: Attribution is hard.

Mr. Lance: Is it possible people from another country?
Mr. Smith: yes but..
Mr Lance: Is it possible another country?
Mr. Smith: Ask the FBI

Mr. Smith (to Mr. Lance) We staffed up call centers to handle response but we lost 2 call centers to a hurricane.

Mrs. Matsui: How did you comply with California's breach law?
Mr. Smith: I don't know.
(Gabe: this is an interesting one...)

Mrs. Matsui: Do I own my data?
Mr. Smith: 'we are part of a federally regulated ecosystem...'

Mrs. Matsui: What makes data about me mine vs someone elses?
Mr. Smith: We're giving away a product next year.

Mrs Matsui: So in 2018 I'll own my data?
Mr. Smith: You'll be able to control who accesses it...

(Sounds like some in congress are starting to understand the importance of data)

Mr. Kinzinger: "You said 'I don't know if consumers are harmed.' I think that's ludicrous. Even w/o financial harm & just data exposed."

Mr. Kinzinger: About mandatory arbitration clause.
Mr. Smith: oops. boilerplate.

Mr. Kinzinger: Do you require it elsewhere?
Mr. Smith: Not related to breach.
K: where else?
S: it's standard.

Mr. Kinzinger: What different DBs do you have?
Mr. Smith: Dispute portal is separate from 'core' data.
K: so 145M disputed?
S: it's a portal

Mr. Kinzinger: Why wouldn't you consider it to be part of the core?
Mr. Smith: Simple. We have more security on the core database.

(uh....)

Mr. Kinzinger: was this data encrypted?
Smith: we use many techniques. This wasn't encrypted at rest.
K: & the core?
S: We use techniques

Mr. McNerney: Use struts elsewhere?
Mr. Smith: nope.

Mr. McNerney: was Equifax for business offerings breached?
Mr. Smith: no. that's part of the core.

Mr. McNerney: What have you invested in in security?
Mr. Smith: 225 people. $250M in sec over last 3 yrs.

Mr. McNerney: So how'd you still miss the patch & get breached?
Mr. Smith: Communication error to person in charge of patching.

Mr. McNerney: Blaming the scanner sounds like a cop-out. (cop-out = gabe's word)

Mr. McNerney: How long will people be vuln to identity theft due to this breach?
Mr. Smith: We're offering services
...

Mr. McNerney: that's not an answer. This is forever right?
Mr. Smith: Lots of SSN breaches. SSNs may not be good identifiers.

Mr. Guthrie: What would you have done different since breach?
Mr. Smith: I haven't had time to reflect.

Mr. Guthrie: Why set up a new website that ended up being an issue?
Mr. Smith: Volume.

Mr. Smith: New microsite could surge.

Mr. Guthrie: Why was breach site inaccurate at first?
Mr. Smith: It wasn't matching on full SSN so was inaccurate.

Mr. Guthrie: What is Equifax doing to rebuild confidence that credit works going forward...

Mr. Smith: think holistically. we're more secure. offer security services. Let people control access to their credit next year.

Mr. Bilirakis: online submission is wonky. & what's next steps?
Mr. Smith: You have now been notified & can access our services.

Mr. Bilirakis: how long will free credit last?
Mr. Smith: 1yr from sign-up. Product in 2018.

Mr. Bilirakis: as CEO, what involvement did you have in infused?
Mr. Smith: Infosec reported to GC. I met routinely with CISO/GC through yr

Mr. Bilirakis: what responsibilities did CISO have with infosec, protection, & notification
Mr. Smith: core. she headed infosec and physical

Mr. Bilirakis: How many infosec meetings did you have?
Mr. Smith: I don't know.

Mr. Bilirakis: What infosec responsibilities did Head of tech have?
Mr. Smith: None

Mr. Bucshon: Could people who never signed up or used Equifax directly be impacted?
Mr. Smith: Yes

Mr. Bucshon: how?
Mr. Smith: we get data from other companies

Mr. Bucshon: My constituents have no clue who Equifax is. That you have their data & using it for credit may be an issue.

Mr. Bucshon: Constituents w/o internet. How are you notifying them?
Mr. Smith: Call centers
B: So they need to be proactive?
S: ...

S: State laws require newspaper, etc notification. (Now he apparently knows about state laws. He didn't when CA was asking.)

Mr. Green: So ppl buying Equifax through lifelock. What is value of contract?
Mr. Smith: I don't know. They could have come to us directly..

Mr. Green: You sell data on people according to <reads b2b ad>
Mr. Smith: we don't do behavioral analytics

Mr. Green: How often do you sell someone's data & how much do you make each time?
Mr. Smith: We take credit data, add analytics, and sell it

G: That wasn't the Q.
S: yeah, we sell data.

(Gabe: still didn't answer)

Mr. Mullin: What's your current job? Any affiliation?
Mr. Smith: retired but I work for free as long as board needs.

Mr. Mullin: Have stock in the company? Sold any of it?
Mr. Smith: yes. Yes. Not since breach.

Mr Mullin: <rehashing people's sale of stock before the breach went public>

Mr. Mullin: Why would they sell it?
Mr. Smith: They only have a small windows after 2nd quarter window.

Mr. Mullin: Error in portal? 3 wks till you notified?
Mr. Smith: open source software
M: who's responsible to watch portal?
S: me.
...

M: who was responsible for you? still there?
S: CISO. no.

Mr. Mullin: <some 'hind sight is 20-20' complaints about infosec>

Mrs. Walters: What's Equifax doing with the data given in response to breach? sell it?
Mr. Smith: <I missed answer but I think it was 'no'>

Mrs. Walters: You're using stock Wordpress for SSNs. Is that secure?
Mr. Smith: We prioritized securing it.

Mrs. Walters: Delay in protecting info. When'll it be done?
Mr. Smith: Backlog is now fulfilled.

(He mentioned multiple times they were told to prepare for increased attacks by their IR firm)

Mr. Costello: Is it not predictable how bad it might get for those breached?
Mr. Smith: yeah, people are angry ... (interrupted)

Mr Costello: The response seems bad.
Mr Smith: We tried. We weren't prepared.
C: How couldn't you be
S: not our traditional business model

Smith: our business model is to sell to companies, not people.
(Gabe: let that sink in)

Mr. Tonko: It would be wrong to call the victims of this breach customers. Why have they been impacted?

<Mr. Tonko is reading constituent questions>

Mr. Smith: I'm sorry.

Mr Tonko: did you apply the most effective defense?
Mr Smith: we were willing and able to invest. we just had errors.

Mr Tonko: <from consituent> how do I protect myself & cost?
Mr Smith: our services. Free.

Mr Tonko: if your job is to securely enable data sharing, why should you still exist?
Mr Smith: we still help people.

Mr Tonko: why are you turning the victims into customers?
Mr smith: not our intent. services will be free.

Mr Tonko: why haven't you notified the people you compromised?
Mr Smith: Following recommendation, we used a press release

Mr Tonko: why did it take so long to announce & why shouldn't you be held responsible for the time?
Mr Smith: I've already answered that.

Mr Tonko: people targeted or randomly picked? why some & not others?
Mr Smith: random.

Mr Tonko: I have more constituent questions I'll send you to answer.

Mr Murphy: If scan not configured, could it have missed other things
Mr Smith: "I have no knowledge of that"

Mr Murphy: <same Q, different way>
Mr Smith: I have no information that that is the case.

*duck*

Mr Murphy: Why wouldn't your website handle the breach website traffic? don't you use elastic cloud?
Mr Smith: the microsite is...

Mr Murphy: Fixing this was harder than just patching but took 3 days. Why wasn't installed immediately?
Mr Smith: patching takes time.

Mr Murphy: Did you notify people about the time to patch?
<back and forth w/o smith really getting the question>

<Murphy was implying victim's should have been told their info was at risk while not patching I think.

<have to sign off for a meeting>