Equifax CEO Gets Slap on Wrist Over Data Breach


Equifax CEO Mark Begor was eating crow on the Hill recently as he accounted for Equifax’s epic data breach.

Begor testified along with Marriott CEO Arne Sorenson before the Senate Permanent Subcommittee on Investigations, which has been looking into their respective data breaches. The biggest focus was on Equifax, which was the subject of a damning report by the same Subcommittee.

Released last week, the report accused the credit agency of neglecting cybersecurity for years and leaving millions of Americans open to attack. “The damage done by the hackers could have been minimized if Equifax had prioritized widely agreed-upon cybersecurity protocols,” it warned, arguing that this failure led directly to a four-month gap between the hack and the data breach notification.

Senators at the hearing echoed complaints in the report that Equifax failed to retain key records dating from the time of the breach, which was announced in September 2017, meaning that the American public doesn't have the full record of what happened.

The company didn't have a full inventory of its IT assets, the report explained, meaning that scans missed the vulnerable Apache Struts instance that led to the breach.

There were many other failures. “Equifax allowed a key tool used to monitor IT assets for malicious web traffic to expire in November 2016,” the Committee added in a statement. “As a result the hackers' presence in the company's network went entirely undetected for 78 days.”

Begor listed measures that Equifax has taken to improve security since the breach, but also added that there were controls in place early on. “They clearly weren't strong enough,” he admitted during the hearing.

Begor only joined Equifax after the breach occurred. The CEO in charge at the time, Richard Smith, retired in September 2017 without his annual bonus. However, he still kept his base annual salary of $1.45m, along with $18.3m in pension benefits.

There has been one post-breach conviction for insider trading, after the SEC identified illicit trades by former Equifax CIO Jun Ying. Aside from such financial crimes, there has been precious little punishment for a company that let hackers steal over 145 million Americans' private information.

Meanwhile, calls are strengthening for a federal privacy law, with some even proposing jail time for executives whose companies violate the rules. As the data breaches mount, we clearly need a better solution than a slap on the wrist on the Hill.

The topic of Governance, Risk and Compliance will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. Infosecurity Europe is the leading European event for information and cyber security.
