‘You Can’t Fix Stupid,’ Lawmaker Tells Equifax’s Former CEO

  • Former chief Richard Smith apologizes for massive data breach
  • Republican proposes fines based on number of people affected

The Takeaways From the Equifax Data Breach Hearing

Legislation to avert future data breaches like the one at Equifax Inc. will fall short because none can fully prevent human error, a U.S. congressman told the company’s former top executive.

“You can’t fix stupid,” Representative Greg Walden, an Oregon Republican, said Tuesday at congressional hearings in Washington featuring former CEO Richard Smith, who stepped down from the credit-monitoring company last month.

Smith, who apologized for the breach, testified before the House Energy and Commerce Committee, the first of four hearings this week on Capitol Hill. Lawmakers from both parties expressed outrage over the size of the breach as well as the company’s response, and grilled Smith on the timeline of the incident, including when top executives learned about it.

Smith said the employee responsible for communicating that vulnerable software needed to be patched didn’t do so. That failure was compounded when a scan of the company’s systems didn’t find that the vulnerability still existed, the former CEO said.

“Equifax’s response to this breach has been unacceptable,” Representative Frank Pallone of New Jersey, the top Democrat on the House panel, said in his prepared remarks. “I appreciate that you’re both sorry. My question is: What now?”

Smith said Equifax didn’t meet its responsibility to protect sensitive consumer information, which led to the theft of personal data for almost half of all Americans. The company said Monday that an outside cybersecurity firm has completed its review of the breach and boosted its estimate of affected U.S. consumers to 145.5 million, an increase of 2.5 million.

Apache Patch

The company has said hackers exploited a vulnerability in open source Apache software it was using. A patch for the flaw was available in March, about two months before hackers began accessing sensitive information on Equifax’s servers.

Democrats on the panel have reintroduced legislation imposing requirements for when companies have to report data breaches, and they said at the hearing that additional federal oversight might be needed for companies like Equifax. One Republican, Joe Barton of Texas, suggested huge fines might be needed as well.

“The only way I know how to do it is some kind of fine-per-account-hacked that’s large enough that even a company that’s worth $13 billion would rather protect their data and probably not collect as much data than just come up here and appear and say we’re sorry,” Barton said.

— With assistance by Jennifer Surane