Former Yahoo!, Equifax CEOs Face Congressional Grilling Over Data Breaches

Two execs who exited their Fortune 500 companies in the wake of massive security breaches (and who walked away with millions of dollars in exit package perks) are testifying on Capitol Hill in Washington.

The US Senate Commerce Committee will hear testimony on Wednesday from former Yahoo! chief Marissa Mayer, Equifax’s former CEO Richard Smith and Equifax interim CEO Paulino do Rego Barros, regarding the enormous cybersecurity breaches that hit their companies under their watches.

“Companies that collect and store personal data on American citizens must step up to provide adequate cybersecurity,” said Senator John Thune, chairman of the Commerce Committee, in remarks ahead of the hearing. “And there should be consequences if they fail to do so.”

In 2013 and 2014, when Mayer was at the helm, Yahoo! suffered two massive data breaches in which billions of users' accounts were compromised. The incidents did not come to light until 2016, while Verizon was negotiating the purchase of major assets from the internet pioneer. At the time, it was revealed that 1 billion users—essentially, all of its users—had their names, email addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers stolen; but just last month, Verizon issued an update via its Oath division saying the number of accounts affected was actually closer to 3 billion.

The committee reportedly resorted to subpoenaing Mayer to testify in the hearing, after she refused multiple requests to appear of her own free will.

In prepared remarks, she reiterated that Yahoo! “promptly” disclosed the breach and worked closely with law enforcement afterward; she also talked up how the company devoted “substantial resources” to security and outlined its bug bounty program.

“With an increasingly connected world also comes a new host of challenges, including a dramatic rise in the frequency, severity, and sophistication of hacking, especially by state-sponsored actors,” she said. “Throughout my tenure as CEO, we took our obligations to our users and their security extremely seriously. We worked hard from the top down and bottom up to protect our systems and our users…After I joined Yahoo, we roughly doubled our internal security staff and made significant investments in its leadership and the team. We hired strategically, filling our ranks with security specialists who focused on threat investigations, e-crimes, product security, risk management and offensive engineering.”

The rosy assessment stands in contrast to reports that the executive suite ignored repeated warnings from security staff about impending attacks and employee targeting.

Equifax meanwhile was the subject of the now-infamous data breach in July that compromised the sensitive financial and personal information of 145.5 million Americans (the majority of the country’s adult population) and 700,000 Britons—however, the company didn’t reveal the breach for more than a month. Four Equifax executives, including the firm’s CFO, were investigated and cleared of insider trading, after it was uncovered that they sold shares just before the breach was announced and the company’s stock price dropped.

Equifax is responsible for determining credit scores based on people’s debt loads, credit repayment histories, credit availability and so on—and is one of three main companies that US financial institutions rely on to determine qualifications for mortgages and other loan approvals. The incident saw criminals make off with names, Social Security numbers, dates of birth and physical addresses, and potentially information on credit accounts, including the type of account, when it was opened, the limit, and the balance and payment history, and information on consumers' address history and debt.

In a summary given to lawmakers in the hearing, Mandiant, the company hired to carry out a forensic investigation of the Equifax incident, said that the hacking tactics don’t offer up any obvious fingerprints.

“Mandiant has not been able to attribute the identified attacker activity within the Equifax environment to any targeted threat actor group that Mandiant currently tracks,” the firm said in the report, obtained by Bloomberg. “The tools, tactics and procedures the attackers used did not overlap with attacker activity identified in previous Mandiant incident response investigations.”

Smith advocated in his prepared remarks for an industry standard placing control of access to consumers’ credit data in the hands of the consumers themselves—a scheme that would somewhat alleviate the burden on financial companies for data protection. He also argued against using the Social Security number as the default financial tracking mechanism in the US.

“Equifax’s free lifetime lock program will allow consumers, and consumers alone, to decide when their credit information may be accessed,” he said. “This should become the industry standard. Second, we should consider the creation of a public-private partnership to begin a dialogue on replacing the Social Security Number as the touchstone for identity verification in this country. It is time to have identity verification procedures that match the technological age in which we live.”

Despite the canned comments, it is likely that both execs will be grilled by the committee on their respective roles within the corporate culture surrounding security and consumer data protection—and what oversights were made that, if addressed, could have prevented the breach.

Smith for his part has been cooperative on this front with Congress so far—he has already appeared before four other congressional panels in recent weeks to discuss the anatomy of the incident.

While consumers fend off phishing attempts and worse stemming from the breaches, it should be noted that Mayer walked away from Yahoo! after the Verizon sale with an exit package of $260 million in stock options and other perks, including $23 million in severance payments.

Smith, at age 57, meanwhile exited his company, albeit under a cloud, with $90 million in retirement—or roughly 63 cents for every customer affected by the data breach. While he forfeited his 2017 bonus (estimated to have been around $3 million), he’ll collect $72 million this year alone and another $17.9 million from stock that vests in the coming years, according to Fortune estimates.

Karen Zacharia, deputy general counsel and chief privacy officer at Yahoo! parent Verizon, and Todd Wilkinson, president and CEO of Entrust Datacard, are also set to give sworn testimony.