House Republicans and Democrats on Tuesday grilled Equifax's former chief executive over the massive data hack of the personal information of 145 million Americans, calling the company's response inadequate as consumers struggle to deal with the breach.
This week, the company said that 2.5 million more people were affected by the breach than had been initially estimated.
In March, the U.S. Department of Homeland Security alerted Equifax to an online gap in security but the company did nothing, said Smith.
"The only way I know how to do it is some kind of fine-per-account-hacked that's large enough that even a company that's worth $13 billion would rather protect their data and probably not collect as much data than just come up here and appear and say we're sorry", Barton said. But the "vulnerable versions" of the software were not identified or patched, Smith said.
"I have no indications that they had any knowledge of the breach at the time they made the sale", he said.
Democrats on the panel have reintroduced legislation imposing requirements for when companies have to report data breaches, and they said at the hearing that additional federal oversight might be needed for companies like Equifax.
While most states require companies to inform consumers affected by cyberattacks, there's no federal notification law.
The information stolen included names, Social Security numbers, birth dates and addresses. Security experts have warned that the long-term consequences of the hack will be hard to fully discern.
Rep. Bob Latta, R-Ohio, says he wants to let congressional hearings into the Equifax breach run their course before making any decisions about where Congress should act to prevent future disclosures of Americans' personal information. The first hearing began Tuesday at 10 a.m. ET.
By August, Equifax was aware of the scale of the breach, Smith said. On Aug. 1 and 2, Equifax Chief Financial Officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran, sold a combined $1.8 million in stock. Then Smith, the former chief executive, said that he, too, would step down. US companies and government agencies have disclosed 1,022 breaches this year, according to the Identity Theft Resource Center.
- Separately, the administration of President Donald Trump is considering replacing the use of Social Security numbers as personal identifiers in the wake of the Equifax hack, White House cyber-security coordinator Rob Joyce said at a conference on October 3, Bloomberg reported.
"It's time we change the paradigm of who controls and who accesses credit data", he said.