93 tweets, 7 min read
Former Equifax CEO Richard Smith faces House subcommittee via @YouTube
Interesting importance of lack of quick communication all the way to the CEO/Board.
The House: "How does this happen?" Interesting that they would ask this question. I feel their techsperts tell them "this is easy to do".
Mr. Pallone is doing a good job of hitting on what Equifax plans to do with people's data separate from credit control.
Mr. Barton (TX): What would the industry do if we passed a law making you pay everyone that got breached?
Mr. Barton: We looked at the data you collected on one of my staffers who was breached. It was more data than you needed.
Man. That was an open threat.
Mr. Lujan: Will you make people whole?
Mr. Smith: uhhh....
Mr. Harper: Is protecting PII the #1 job of everyone in your company?
Mr. Smith: Yep. And has been for years.
gabe: uh....
Mr. Cardenas: Mr. Smith, welcome to Washington.
Mr. Cardenas: Sooo, why isn't the actual Equifax CEO here?
Mr. Smith: I don't know but I was responsible during the breach so I'm here.
Mr. Upton: Could the data have been changed?
Mr. Smith: No indication it's been changed.
Mr. Smith: Credit file itself was not accessed.
Mr. Upton: How'd the actors get caught?
Mr. Smith: <something about a 'decrypter'>. Sounds like DLP?
(Gabe: Uh, if you caught this by the data leaving, how did you _not_ know it was a breach immediately?)
Mrs. <someone's name plate blocked by bald headed guy>: <Reading some statement.>
Mrs. ...gell: Was it a nation-state? Do you know who attacked?
Mr. Smith: Attribution is hard.
Mr. Lance: Is it possible people from another country?
Mr. Smith: yes but...
Mr. Lance: Is it possible another country?
Mr. Smith: Ask the FBI
Mr. Smith (to Mr. Lance): We staffed up call centers to handle response but we lost 2 call centers to a hurricane.
Mrs. Matsui: How did you comply with California's breach law?
Mr. Smith: I don't know.
(Gabe: this is an interesting one...)
Mrs. Matsui: Do I own my data?
Mr. Smith: 'we are part of a federally regulated ecosystem...'
Mrs. Matsui: What makes data about me mine vs someone else's?
Mr. Smith: We're giving away a product next year.
Mrs. Matsui: So in 2018 I'll own my data?
Mr. Smith: You'll be able to control who accesses it...
(Sounds like some in congress are starting to understand the importance of data)
Mr. Kinzinger: "You said 'I don't know if consumers are harmed.' I think that's ludicrous. Even w/o financial harm & just data exposed."
Mr. Kinzinger: About mandatory arbitration clause.
Mr. Smith: oops. boilerplate.
Mr. Kinzinger: Do you require it elsewhere?
Mr. Smith: Not related to breach.
K: where else?
S: it's standard.
Mr. Kinzinger: What different DBs do you have?
Mr. Smith: Dispute portal is separate from 'core' data.
K: so 145M disputed?
S: it's a portal
Mr. Kinzinger: Why wouldn't you consider it to be part of the core?
Mr. Smith: Simple. We have more security on the core database.
(uh....)
Mr. Kinzinger: was this data encrypted?
Smith: we use many techniques. This wasn't encrypted at rest.
K: & the core?
S: We use techniques
Mr. McNerney: Use struts elsewhere?
Mr. Smith: nope.
Mr. McNerney: was Equifax for business offerings breached?
Mr. Smith: no. that's part of the core.
Mr. McNerney: What have you invested in in security?
Mr. Smith: 225 people. $250M in sec over last 3 yrs.
Mr. McNerney: So how'd you still miss the patch & get breached?
Mr. Smith: Communication error to person in charge of patching.
Mr. McNerney: Blaming the scanner sounds like a cop-out. (cop-out = gabe's word)
Mr. McNerney: How long will people be vuln to identity theft due to this breach?
Mr. Smith: We're offering services
...
Mr. McNerney: that's not an answer. This is forever right?
Mr. Smith: Lots of SSN breaches. SSNs may not be good identifiers.
Mr. Guthrie: What would you have done differently since the breach?
Mr. Smith: I haven't had time to reflect.
Mr. Guthrie: Why set up a new website that ended up being an issue?
Mr. Smith: Volume.
Mr. Smith: New microsite could surge.
Mr. Guthrie: Why was breach site inaccurate at first?
Mr. Smith: It wasn't matching on full SSN so was inaccurate.
Mr. Guthrie: What is Equifax doing to rebuild confidence that credit works going forward...
Mr. Smith: think holistically. we're more secure. offer security services. Let people control access to their credit next year.
Mr. Bilirakis: online submission is wonky. & what's next steps?
Mr. Smith: You have now been notified & can access our services.
Mr. Bilirakis: how long will free credit last?
Mr. Smith: 1yr from sign-up. Product in 2018.
Mr. Bilirakis: as CEO, what involvement did you have in infosec?
Mr. Smith: Infosec reported to GC. I met routinely with CISO/GC through yr.
Mr. Bilirakis: what responsibilities did CISO have with infosec, protection, & notification?
Mr. Smith: Core. She headed infosec and physical.
Mr. Bilirakis: How many infosec meetings did you have?
Mr. Smith: I don't know.
Mr. Bilirakis: What infosec responsibilities did Head of tech have?
Mr. Smith: None
Mr. Bucshon: Could people who never signed up or used Equifax directly be impacted?
Mr. Smith: Yes
Mr. Bucshon: how?
Mr. Smith: we get data from other companies
Mr. Bucshon: My constituents have no clue who Equifax is. That you have their data & are using it for credit may be an issue.
Mr. Bucshon: Constituents w/o internet. How are you notifying them?
Mr. Smith: Call centers
B: So they need to be proactive?
S: ...
S: State laws require newspaper, etc notification. (Now he apparently knows about state laws. He didn't when CA was asking.)
Mr. Green: So ppl buying Equifax through lifelock. What is value of contract?
Mr. Smith: I don't know. They could have come to us directly...
Mr. Green: You sell data on people according to <reads b2b ad>
Mr. Smith: we don't do behavioral analytics
Mr. Green: How often do you sell someone's data & how much do you make each time?
Mr. Smith: We take credit data, add analytics, and sell it
G: That wasn't the Q.
S: yeah, we sell data.
(Gabe: still didn't answer)
Mr. Mullin: What's your current job? Any affiliation?
Mr. Smith: retired but I work for free as long as board needs.
Mr. Mullin: Have stock in the company? Sold any of it?
Mr. Smith: yes. Yes. Not since breach.
Mr. Mullin: <rehashing people's sale of stock before the breach went public>
Mr. Mullin: Why would they sell it?
Mr. Smith: They only have a small window after the 2nd quarter.
Mr. Mullin: Error in portal? 3 wks till you notified?
Mr. Smith: open source software
M: who's responsible to watch portal?
S: me.
...
M: who was responsible for you? still there?
S: CISO. no.
Mr. Mullin: <some 'hind sight is 20-20' complaints about infosec>
Mrs. Walters: What's Equifax doing with the data given in response to breach? sell it?
Mr. Smith: <I missed answer but I think it was 'no'>
Mrs. Walters: You're using stock Wordpress for SSNs. Is that secure?
Mr. Smith: We prioritized securing it.
Mrs. Walters: Delay in protecting info. When'll it be done?
Mr. Smith: Backlog is now fulfilled.
(He mentioned multiple times they were told to prepare for increased attacks by their IR firm)
Mr. Costello: Is it not predictable how bad it might get for those breached?
Mr. Smith: yeah, people are angry ... (interrupted)
Mr. Costello: The response seems bad.
Mr. Smith: We tried. We weren't prepared.
C: How couldn't you be?
S: not our traditional business model
Smith: our business model is to sell to companies, not people.
(Gabe: let that sink in)
Mr. Tonko: It would be wrong to call the victims of this breach customers. Why have they been impacted?
<Mr. Tonko is reading constituent questions>
Mr. Smith: I'm sorry.
Mr. Tonko: did you apply the most effective defense?
Mr. Smith: we were willing and able to invest. we just had errors.
Mr. Tonko: <from constituent> how do I protect myself & cost?
Mr. Smith: our services. Free.
Mr. Tonko: if your job is to securely enable data sharing, why should you still exist?
Mr. Smith: we still help people.
Mr. Tonko: why are you turning the victims into customers?
Mr. Smith: not our intent. services will be free.
Mr. Tonko: why haven't you notified the people you compromised?
Mr. Smith: Following recommendation, we used a press release.
Mr. Tonko: why did it take so long to announce & why shouldn't you be held responsible for the time?
Mr. Smith: I've already answered that.
Mr. Tonko: people targeted or randomly picked? why some & not others?
Mr. Smith: random.
Mr. Tonko: I have more constituent questions I'll send you to answer.
Mr. Murphy: If scan not configured, could it have missed other things?
Mr. Smith: "I have no knowledge of that"
Mr. Murphy: <same Q, different way>
Mr. Smith: I have no information that that is the case.
*duck*
Mr. Murphy: Why wouldn't your website handle the breach website traffic? don't you use elastic cloud?
Mr. Smith: the microsite is...
Mr. Murphy: Fixing this was harder than just patching but took 3 days. Why wasn't it installed immediately?
Mr. Smith: patching takes time.
Mr. Murphy: Did you notify people about the time to patch?
<back and forth w/o Smith really getting the question>
<Murphy was implying victims should have been told their info was at risk while not patching, I think.>
<have to sign off for a meeting>