Business

'We want answers,' lawmakers demand of Equifax ex-CEO Richard Smith

The former chairman and CEO of Equifax says the challenge of responding to the concerns of tens of millions of consumers in the wake of a massive data breach proved overwhelming, and regrettably, his company made mistakes.

'Time to have identity verification procedures that match the technological age in which we live,' ex-CEO says

Richard F. Smith resigned from the company last month after overseeing the company for a dozen years. (Noah Berger/Bloomberg)

House Republicans and Democrats on Tuesday lashed out at the former head of Equifax, demanding answers for the massive data breach that compromised the sensitive personal information of an estimated 145 million Americans.

Democrat Frank Pallone of New Jersey said that if Equifax wants to stay in business, its entire corporate culture needs to change to one that values security and transparency.

"We want answers for consumers because Equifax's response to this breach has been unacceptable," said Pallone, the top Democrat of the House Energy and Commerce Committee.

Republican Greg Walden of Oregon, the committee's chairman, said the hearing was necessary to do something that Equifax has failed to do in recent months: "Put Americans first."

Last month, the company revealed that more than 145 million Americans had their data stolen over the summer, along with 100,000 Canadians. On Tuesday the company said it thinks the number of Canadian victims may be lower, at 8,000 people.

While the response is ongoing, former Equifax chairman and CEO Richard F. Smith testified before a House panel, the first of four hearings on Capitol Hill this week as Congress examines what went wrong. The sessions typically turn into a public shaming, and this year the Republican-led Congress has worked to ease government regulations on businesses.

The revelation last month of the disastrous hack to Equifax's computer system rocked the company which faces several state and federal inquiries and several class-action lawsuits. Smith said the company was cooperating with the FBI and state agencies.

Smith attributed the breach to human error and technological error, and said both errors have been addressed.

He also told lawmakers that when the breach was first discovered on July 31, company officials did not realize that personal information about consumers had been stolen. He described suspicious activity against the company's database as routine.

"As we all painfully learned, data security is a national security problem," Smith told lawmakers.

He said no single company can solve the problem on its own and said a system was needed that would let consumers control access to their personal data.

"Let me close by saying how sorry I am for the breach," Smith said.

Smith, who resigned after overseeing the company for a dozen years, says Equifax was hacked by a yet-unknown entity. He said the information stolen included names, Social Security numbers, birth dates and addresses. In addition, the credit card information for about 209,000 consumers was also stolen as well as certain documents with personally identifying information for approximately 182,000 consumers.

Smith said the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software used by Equifax and other businesses. The company disseminated that warning by email the next day and requested that applicable personnel install the upgrade. The company's policy requires the upgrade to occur within 48 hours, but Smith said that did not occur. The company's information security department also ran scans on March 15 that did not pick up the vulnerability.

Smith also said he was disappointed in the rollout of call centers and a website designed to help the people affected by the breach. He said the company has increased its number of customer service representatives and the website has been improved.

"Still, the rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many," Smith said in his written remarks.

Equifax said Monday that 2.5 million more Americans may have been affected by the breach of its systems, bringing the total to 145.5 million people.

WIth files from CBC News