The Independent UK
Business
Anders Keitz

3 Key Things to Watch for During Former Equifax Chief's Congressional Testimony

Former Equifax Inc. (EFX) Chairman and Chief Executive Officer Richard Smith will apologize to the American people during Congressional testimony this week for a data breach that exposed the personal data of nearly half the U.S. population.

But he's done that before. The more relevant points he's expected to be grilled on include what security measures the credit-scoring firm has in place, why it waited so long to tell people about the hack and why some executives were allowed to sell shares before the news became public.

Smith is scheduled to appear before the House Energy and Commerce Committee on Tuesday and the Senate Committee on Banking, Housing and Urban Affairs on Wednesday.

"Equifax was entrusted with Americans' private data and we let them down," Smith said in eight pages of prepared testimony for the House committee. "To each and every person affected by this breach, I am deeply sorry that this occurred." The 57-year-old, who retired last week from the Atlanta-based company, blames the breach on both human error and technological failures, and says that as the company's CEO, he was ultimately responsible.

Here are the important points to watch for during his two days of hearings.

WHAT SECURITY MEASURES ARE IN PLACE

Equifax should have had an intrusion-detection system or an incident-response plan or, at the very least, a data leak-prevention plan, Warren Zafrin, a management and technology consultant at UHY Advisors, said in a recent interview with TheStreet.

Smith acknowledged in his prepared remarks that a vulnerable version of Apache Struts, an open-source web application used by Equifax, was not identified or patched and "allowed hackers to access personal identifying information."

Equifax's security department didn't observe suspicious network traffic until July 29, more than two months after the attackers accessed the sensitive information. 

"Where was everything that would have set off the alarms?" Zafrin asked. "It was a complete breakdown" of the company's cyber-security program or miscommunication, he said. "It can't be both."

EXPLAINING THE DELAYED DISCLOSURE

Equifax disclosed on Sept. 7 that the names, addresses, birthdays and Social Security numbers of 143 million Americans were compromised in the cyberattack, which was discovered on July 29.

Equifax said hackers accessed the information starting on May 13, but the Wall Street Journal reported that the first "interaction" with hackers happened on March 10. The company registered the domain name equifaxsecurity2017.com, the website to which it directed concerned consumers, on Aug. 22, more than two weeks before the hack was publicly disclosed, according to the Journal.

"Once Equifax discovered [the cyberattack], why did it take so long to become public?" asked Zafrin. He said the delayed disclosure of the incident just "doesn't make sense" and demonstrates a level of incompetence.

To explain the delay, Smith said in his prepared testimony that there was fear about "copycat" attacks.

"A mounting concern also was that when any notification is made, the experts informed us that we had to prepare our network for exponentially more attacks after the notification, because a notification would provoke 'copycat' attempts and other criminal activity," Smith said.

He waited until Aug. 22 to notify Equifax's lead independent director, Mark Feidler, of the data breach. The entire board learned of the situation in special telephonic board meetings on Aug. 24 and 25, almost a month after the hack was discovered.

WHY EXECUTIVES WERE ALLOWED TO SELL SHARES

Congress will also be keen to hear more about the three executives who sold shares worth almost $1.8 million in the days after the company found the security breach. Equifax said the three people, including Chief Financial Officer John Gamble, had not been informed of the incident when they sold their shares.

The company is reportedly reviewing the actions of its Chief Legal Officer John Kelley in connection with the share sales, according to The Wall Street Journal. Kelley was responsible for approving the transactions.

Equifax "absolutely" should have shut down any trades by company personnel as soon as the breach was discovered, Zafrin said.
