Failure Has a Name at Equifax. Al Franken Says It’s ‘Gus’

  • Senator shocked much of hack’s blame falls on one employee
  • Ex-CEO Smith indicates employee is no longer with Equifax

Sen. Warren: Equifax Might Benefit From Data Breach

Gee thanks, Gus.

Gus isn’t a real person, but it’s the pseudonym Senator Al Franken assigned to the Equifax Inc. employee who holds a lot of the blame for the theft of 145.5 million Americans’ personal data.

Former Chief Executive Officer Richard Smith told Franken and other senators Wednesday that Equifax was breached largely because of a breakdown in communication within the company. Gus and his team were responsible for telling the techies that a software vulnerability needed to be fixed. It never happened.

Al Franken

Photographer: Andrew Harrer/Bloomberg

“Why is the security of 145 million people all in the hands of one guy?" Franken, a Minnesota Democrat, asked Smith at a Senate Judiciary Subcommittee hearing. “Why is it all up to Gus?"

Former Employee

If Smith knows Gus’s real name, he kept it to himself. The ex-CEO did share a key tidbit about the employee, though: he indicated the person is no longer at the Atlanta-based company.

Smith has now endured three separate congressional grillings over two days. The lawmaker scrutiny and Smith’s responses haven’t worried shareholders. Equifax’s stock has risen 3.8 percent to $111.93 since Oct. 2 in New York trading. He testifies again Thursday.

At Wednesday’s hearing, Smith reiterated the chain of events that led up to the intrusion.

The Department of Homeland Security alerted Equifax in March that a vulnerability in certain software needed to be patched. "Gus," or the employee overseeing Equifax’s patching process, was supposed to issue an internal notification requesting that the software be upgraded, with the company’s security department mandating that any weakness be fixed within 48 hours. We now know the software was never repaired.

Many Missteps

But Gus may not be entirely at fault. Smith said it’s possible “this one guy” didn’t know all of Equifax’s various business portals were using the faulty software. Later security scans didn’t detect the vulnerability either.

“I am not certain that the person who is responsible for communicating that the patch needed to be applied” knew “the software was applied,” the former CEO said.

Equifax made more missteps after it publicly disclosed the hack Sept. 7.

A customer service representative tasked with responding to customers’ Tweets sent out incorrect links to the website the company created to help consumers sign up for credit monitoring. Instead, that person was tweeting out links to a phishing website with a similar name. The customer service representative is no longer with the company, Smith said Wednesday. 

    Before it's here, it's on the Bloomberg Terminal.