Richard Smith — who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers — is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I’d ask when Mr. Smith goes to Washington.
Before we delve into the questions, a bit of background is probably in order. The new interim CEO of Equifax — Paulino do Rego Barros Jr. — took to The Wall Street Journal and other media outlets this week to publish a mea culpa on all the ways Equifax failed in responding to this breach (the title of the op-ed in The Journal was literally “I’m sorry”).
“We were hacked,” Barros wrote. “That’s the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn’t manage the volume of calls we received. Answers to key consumer questions were too often delayed, incomplete or both.”
Barros stated that Equifax was working to roll out a new system by Jan. 31, 2018 that would let consumers “easily lock and unlock access to their Equifax credit files.”
“You will be able to do this at will,” he continued. “It will be reliable, safe, and simple. Most significantly, the service will be offered free, for life.”
I have argued for years that all of the data points needed for identity thieves to open new lines of credit in your name and otherwise ruin your credit score are available for sale in the cybercrime underground. To be certain, the Equifax breach holds the prospect that ID thieves could update all that stolen data with newer records. I’ve argued that the only sane response to this sorry state of affairs is for consumers to freeze their files at the bureaus, which blocks potential creditors — and ID thieves — from trashing your credit file and credit score.
Equifax is not the only bureau promoting one of these lock services. Since Equifax announced its breach on Sept. 7, big-three credit bureaus Trans Union and Experian have worked feverishly to steer consumers seeking freezes toward these locks instead, arguing that they are easier to use and allow consumers to lock and unlock their credit files with little more than the press of a button on a mobile phone app. Oh, and the locks are free, whereas the bureaus can (and do) charge consumers for placing and/or thawing a freeze (freeze fee laws differ from state to state).
CREDIT FREEZE VS. CREDIT LOCK
My first group of questions would center around security freezes or credit freezes, and the difference between those and these credit lock services being pushed hard by the bureaus.
Currently, even consumer watchdog groups say they are uncertain about the difference between a freeze and a lock. See this press release from Thursday by U.S. PIRG, the federation of state Public Interest Research Groups, for one such example.
Also, I’m curious to know what percentage of Americans had a freeze prior to the breach, and how many froze their credit files (or attempted to do so) after Equifax announced the breach. The answers to these questions may help explain why the bureaus are now massively pushing their new credit lock offerings (i.e., perhaps they’re worried about the revenue hit they’ll take should a significant percentage of Americans decide to freeze their credit files).
I suspect the pre-breach number is less than one percent. I base this guess loosely on some data I received from the head of security at Dropbox, who told KrebsOnSecurity last year that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. This extra security step can block thieves from accessing your account even if they steal your password, but many consumers simply don’t take advantage of such offerings because either they don’t know about them or they find them inconvenient.
Bear in mind that while most two-factor offerings are free, most freezes involve fees, so I’d expect the number of pre-breach freezers to be a fraction of one percent. However, if only one half of one percent of Americans chose to freeze their credit files before Equifax announced its breach — and if the total number of Americans requesting a freeze post-breach rose to, say, one percent — that would still be a huge jump (and potentially a painful financial hit to Equifax and the other bureaus).
So without further ado, here are some questions I’d ask on the topic of credit locks and freezes:
-Approximately how many credit files on Americans does Equifax currently maintain?
-Prior to the Equifax breach, approximately how many Americans had chosen to freeze their credit files at Equifax?
-Approximately how many total Americans today have requested a freeze from Equifax? This should include the company’s best estimate on the number of people who have requested a freeze but — because of the many failings of Equifax’s public response cited by Barros — were unable to do so via phone or the Internet.
-Approximately how much does Equifax charge each time the company sells a credit check (i.e., a bank or other potential creditor performs a “pull” on a consumer credit file)?
-On average, how many times per year does Equifax sell access to a consumer’s credit file to a potential creditor?
-Mr. Barros said Equifax will extend its offer of free credit freezes until the end of January 2018. Why not make them free indefinitely, just as the company says it plans to do with its credit lock service?
-In what way does a consumer placing a freeze on their credit file limit Equifax’s ability to do business?
-In what way does a consumer placing a lock on their credit file limit Equifax’s ability to do business?
-If a lock accomplishes the same as a freeze, why create more terminology that only confuses consumers?
-By agreeing to use Equifax’s lock service, will consumers also be opting in to any additional marketing arrangements, either via Equifax or any of its partners?
BREACH RESPONSE
Equifax could hardly have bungled their breach response more if they tried. It is said that one should never attribute to malice what can more easily be explained by incompetence, but Equifax surely should have known that how they handled their public response would be paramount to their ability to quickly put this incident behind them and get back to business as usual.
Equifax has come under heavy criticism for waiting too long to disclose this breach. It has said that the company became aware of the intrusion on July 29, and yet it did not publicly disclose the breach until Sept. 7. However, when Equifax did disclose, it seemed like everything about the response was rushed and ill-conceived.
One theory that I simply cannot get out of my head is that perhaps Equifax rushed preparations for its breach disclosure and response because it was given a deadline by extortionists who were threatening to disclose the breach on their own if the company did not comply with some kind of demand.
-I’d ask a question of mine that Equifax refused to answer shortly after the breach: Whether the company was the target of extortionists over this data breach *before* the breach was officially announced on Sept. 7.
-Equifax said the attackers abused a vulnerability in Apache Struts to break into the company’s Web applications. That Struts flaw was patched by the Apache Foundation on March 8, 2017, but Equifax waited until after July 30, 2017 — after it learned of the breach — to patch the vulnerability. Why did Equifax decide to wait four and a half months to apply this critical update?
-How did Equifax become aware of this breach? Was it from an external source, such as law enforcement?
-Assuming Equifax learned about this breach from law enforcement agencies, what did those agencies say regarding how they learned about the breach?
FRAUD AND ABUSE
Multiple news organizations have reported that companies which track crimes related to identity theft — such as account takeovers, new account fraud, and e-commerce fraud — saw huge upticks in all of these areas corresponding to two periods that are central to Equifax’s breach timeline: the first in mid-May, when Equifax said the intruders began abusing their access to the company, and the second in late July/early August, when Equifax said it learned about the breach.
-Has Equifax performed any analysis on consumer credit reports to determine if there has been any pattern of consumer harm as a result of this breach?
-Assuming the answer to the previous question is yes, did the company see any spikes in applications for new lines of consumer credit corresponding to these two time periods in 2017?
Many fraud experts report that a fast-growing area of identity theft involves so-called “synthetic ID theft,” in which fraudsters take data points from multiple established consumer identities and merge them together to form a new identity. This type of fraud often takes years to result in negative consequences for consumers, and very often the debt collection agencies will go after whoever legitimately owns the Social Security number used by that identity, regardless of who owns the other data points.
-Is Equifax aware of a noticeable increase in synthetic identity theft in recent months or years?
-What steps, if any, does Equifax take to ensure that multiple credit files are not using the same Social Security number?
-Prior to its breach disclosure, Equifax spent more than a half million dollars in the first half of 2017 lobbying Congress to pass legislation that would limit the legal liability of credit bureaus in connection with data security lapses. Do you still believe such legislation is necessary? Why or why not?
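As an added illustration (this is not code from Krebs's post or from Equifax) of the kind of check the synthetic-ID questions above are asking about, here is a small Python routine that scans credit-file records for a single Social Security number attached to conflicting identities. The record format and the sample records are constructed for the example; the plausibility rule relies on the Social Security Administration's published numbering scheme (area 000, 666 and 900-999, group 00 and serial 0000 are never issued).

```python
"""Flag credit-file records that share one SSN but disagree on who the person is.

This is a defender-side heuristic for the synthetic-identity pattern:
fraudsters stitch a real SSN to a different name and date of birth.
Record layout and sample data below are constructed for this example.
"""
import re
from collections import defaultdict


def normalize_ssn(raw):
    """Strip dashes/spaces; return the 9-digit string or None if malformed."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) == 9 else None


def ssn_is_plausible(ssn):
    """True if the SSN could have been issued by the SSA.

    SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
    """
    area, group, serial = int(ssn[:3]), int(ssn[3:5]), int(ssn[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return True


def normalize_name(name):
    """Case- and whitespace-insensitive name key, so 'JANE  DOE' == 'Jane Doe'."""
    return " ".join(name.lower().split())


def find_ssn_collisions(records):
    """Return a list of findings for malformed SSNs and SSNs tied to >1 identity.

    Each record is a dict with keys: file_id, name, dob (ISO date string), ssn.
    Files that share an SSN *and* the same name/DOB are treated as probable
    duplicates of one person and are not reported here.
    """
    by_ssn = defaultdict(list)
    findings = []
    for rec in records:
        ssn = normalize_ssn(rec["ssn"])
        if ssn is None or not ssn_is_plausible(ssn):
            findings.append({"ssn": rec["ssn"],
                             "file_ids": [rec["file_id"]],
                             "reason": "malformed_or_unissued_ssn"})
            continue
        by_ssn[ssn].append(rec)

    for ssn, recs in by_ssn.items():
        if len(recs) < 2:
            continue
        identities = {(normalize_name(r["name"]), r["dob"]) for r in recs}
        if len(identities) > 1:
            findings.append({"ssn": ssn,
                             "file_ids": sorted(r["file_id"] for r in recs),
                             "reason": "conflicting_identities"})
    return findings


# Constructed sample credit files (not real people or real SSNs).
SAMPLE_RECORDS = [
    {"file_id": "F1", "name": "Jane Doe", "dob": "1980-04-02", "ssn": "123-45-6789"},
    {"file_id": "F2", "name": "JANE  DOE", "dob": "1980-04-02", "ssn": "123456789"},
    {"file_id": "F3", "name": "John Q Public", "dob": "1995-09-15", "ssn": "123-45-6789"},
    {"file_id": "F4", "name": "Alice Smith", "dob": "1972-01-30", "ssn": "234-56-7890"},
    {"file_id": "F5", "name": "Bob Jones", "dob": "1988-12-12", "ssn": "900-11-2222"},
]

if __name__ == "__main__":
    for finding in find_ssn_collisions(SAMPLE_RECORDS):
        print(finding)
```

On the sample data the routine reports F5 (an SSN in the never-issued 900 area) and the F1/F2/F3 cluster, where one SSN carries two different name/DOB pairs; F1 and F2 alone would be treated as the same person written two ways. In practice a bureau would extend the identity key (addresses, phone numbers, file age) and weight the alerts, but the grouping step is the same.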
What questions did I leave out, Dear Readers? Or is there a way to make a question above more succinct? Sound off in the comments below, and I may just add yours to the list!
In the meantime, here are the committees at which former Equifax CEO Richard Smith will be testifying next week on Capitol Hill. Some of these committees will no doubt be live-streaming the hearings. Check back at the links below on the morning of each hearing for more information on that. Also, C-SPAN almost certainly will be streaming some of these as well:
-Tuesday, Oct. 3, 10:00 a.m., House Energy and Commerce Committee. Rayburn House Office Bldg. Room 2123.
-Wednesday, Oct. 4, 10:00 a.m., Senate Committee on Banking, Housing, & Urban Affairs. Dirksen Senate Office Bldg., Room 538.
-Wednesday, Oct. 4, 2:30 p.m., Senate Judiciary Subcommittee on Privacy, Technology and the Law. Dirksen Senate Office Bldg., Room 226.
-Thursday, Oct. 5, 9:15 a.m., House Financial Services Committee. Rayburn House Office Bldg., Room 2128.
Garbage!
There was a time I had some respect for Krebs articles, now they all fall into the same puke pail as the MSM hyperbole.
I actually don’t see any hyperbole in the article. It is well written and points out the inconsistencies in Equifax’s public positions and what the data shows.
Equifax has breached the trust of millions of Americans and put their good names at risk.
The questions are fair, and many of them should also be asked by Equifax’s board and shareholders.
Care to cite any supporting reasons?
More proof that I don’t censor comments, regardless of how far up on the page they are or how groundless they may be.
Au contraire, Brian. One of my comments on a prior topic was “Awaiting Remediation” and then disappeared.
Really? What was the gist of the comment? I see one other comment from you on this story, and nothing in Akismet spam folder or awaiting moderation. I was searching on the email address you used on this comment and the previous one. If you used a different email, I can’t help you with this request without more information.
Here is your other comment: https://krebsonsecurity.com/2017/09/heres-what-to-ask-the-former-equifax-ceo/comment-page-2/#comment-442293
I’m sure he’s coming back… any second now…
You are right, I apologize. The comment was posted.
Maybe he has a significant position in Equifax stock? Only thing that seems to support his position.
For dumb people like me, what exactly about the article is garbage Ben?
Gee Ben care to back up your flip remark? And pls let us know when you are as fully open about what your credentials are on a public blog as Brian is.
Obvious troll, or credit bureau insider, is obvious.
Looks like astroturfing. Smells like astroturfing. Tastes like astroturfing. Sure glad I didn’t step on the astroturf!
Astroturfing is the practice of masking the sponsors of a message or organization (e.g., political, advertising, religious or public relations) to make it appear as though it originates from and is supported by a grassroots participant(s). (Wikipedia)
I’d want to ask Richard Smith the following questions.
Why did Equifax prioritize CYA moves over ALL other actions that might have helped their millions of customers? Example — disappearing their music major CSO Susan Mauldin (and applying a scorched earth policy to her Internet presence, most notably LinkedIn, where her lack of qualifications would be most apparent)?
Why did they try to sneak a clause into their initial sign-up for credit protection that removed consumers’ ability to join a class-action lawsuit? Who made the final call on that decision?
What internal evidence has been destroyed so far, and who ordered and/or approved its destruction? This includes backups, emails, documents (printed and digital), SIEM data, contracts and communications with security and law enforcement, workstations/tablets/phones (including Susan Mauldin’s), etc. What steps are being taken right now to preserve evidence?
Why were they not working on their public response to include beefing up their web site and staff to handle the inevitable flood of requests (or contracting for support), unless it was because they hoped to bury this breach entirely in defiance of Federal and State breach laws?
Given Equifax’s clear incompetence in cyber security and incident response, what possessed upper management to hawk their own credit monitoring service which would likely only increase risk for consumers who would be forced to provide even more data to Equifax? Has there ever been a clearer business example of the fox guarding the hen house?
What specific punishments would Mr. Smith consider to be truly fair for (at the very least) criminally negligent top management in a case like this when lives will be disrupted or destroyed and billions of dollars lost?
I suspect the difference between a freeze and a “lock” is that the “lock” still allows them to sell and allow certain access ($$$) that a freeze does not. It’s probably down in the fine print of the service agreement. Revenue preservation is the only reason to suppress the freeze service over anything else.
I agree.
Here’s the fine print on the Equifax Credit Report Control Lock:
“Locking your credit file with Equifax Credit Report Control will prevent access to your Equifax credit file by certain third parties, such as credit grantors or other companies and agencies. Credit Report Control will not prevent access to your credit file at any other credit reporting agency, and will not prevent access to your Equifax credit file by companies like Equifax Global Consumer Solutions which provide you with access to your credit report or credit score or monitor your credit file; Federal, state and local government agencies; companies reviewing your application for employment; companies that have a current account or relationship with you, and collection agencies acting on behalf of those whom you owe; for fraud detection and prevention purposes; and companies that wish to make pre-approved offers of credit or insurance to you.”
Exceptions to a credit freeze vary from state to state.
Generally, the exceptions to a freeze include:
Your current creditors
Collection agencies acting on behalf of your current creditors
Credit monitoring companies
Government agencies as permitted under the FCRA.
The difference between the two lists of exceptions is probably one of the main differences between a lock and a freeze.
“…and companies that wish to make pre-approved offers of credit or insurance to you.”
Bingo. There’s your (literal) money quote.
I’m thankful that Brian talked me into freezing my account over a year ago, but now I don’t know what my risk is from the stolen accounts. Seems those people now have my personal info and SS number.
Someone explain to me how the credit agencies got permission to sell my personal info.
I would ask this:
“With something as important as a person’s credit score — which lasts a person’s lifetime — and with private companies having now proven little to no regard for security — but instead, even now, eagerly willing to profit off of their own mistakes, why shouldn’t the government handle people’s credit scores instead, as is done in European countries such as Belgium?”
I’d ask Mr. Smith why a person with an education in music was put in charge of cybersecurity? And Why they made such an effort to scrub her online presence. They made more of an effort to erase her than securing our data.
What does the education of the person in charge have to do with their ability to manage an unrelated field? One of the best sysadmins I know has a degree in Interior Decorating. I have a degree in Radiology. Are you saying a person cannot be qualified unless they received a degree in that particular field? Your comment is better suited to the off-topic, ill-thought newsfeed of Facebook.
Some people are “hung up” on degrees; I’ve met those whose identities and ego are based on that.
Like the Sysadmin you reference, my degree has nothing to do with what I do now. And I’ve met many people in the same situation.
Even if one has a degree, it’s the arc of experience and continuing learning that is meaningful; a degree just represents a starting point.
However, my real point here is the “scrubbing” of the online presence: “If they’re not guilty, why did they hide?”. And I think this is likely the main point of most of the other commenters as well.
The three most talented people I’ve ever worked with in mainframe tech support did not have degrees in any computer field. One had a degree in theoretical physics, another in chemistry and the other had no degree at all. The most incompetent person I worked with had a masters degree in computer science.
1. Does he feel a sense of responsibility for the breach and for the exposure of millions of Americans’ personal information?
2. Why did his company wait so long to publicly announce the breach?
3. Has he personally been affected?
4. What is he doing now to protect his, and his family’s, identity?
I think we should roll out the Arthur Andersen welcome wagon for Equifax. We have so many people in this country that have a hard time with a smart phone let alone navigating terms and conditions from companies like Equifax to understand how badly they can be hurt if they look away and ignore this.
Put some laws in place in Congress and send some people to jail and then we will be talking.
I’ll address the credit freeze/lock.
There is no standard definition of either and thus the requirements for each are different in each state.
There is also no standard mechanism to each.
Therefore, Equifax will need to explain in layman’s terms what a credit freeze/lock is and how it will work. Namely, how it will block all new credit accounts from being opened.
As for questions, my simple question is why does Equifax not limit the data it collects or purge said data after a period of time? The data collected is not needed to conduct the stated function of the company.
If they are collecting it, it is because they have found a way to sell it. They do not waste their time on unsellable information.
As an IT professional that works for a national bank, I find it extremely unfair that banks and credit unions are required by law to comply with regulations and be examined by federal agencies (OCC, Federal Reserve, FDIC). We have the same type of data as these bureaus! Account numbers, relationships, addresses, and SSNs.
My question would be more along the looking forward – yes, there should be penalties/repercussions that Equifax should have to answer to now – but what about the future? We have these big three (and then 1 other) credit bureaus, but who is watching them? Who should watch them? Who should examine them to make sure they’re doing what they are supposed to be doing? Clearly someone needs to since they weren’t patching as they should and they delayed so much in coming out with the breach.
The difference is that banks and credit unions hold monetary assets, and in order for them to receive federal insurance protection of those assets, they have to comply with the rules and regulations set forth by the FDIC and other federal agencies. Credit bureaus however hold no monetary assets and therefore don’t follow the same rules but only the rules for credit reporting agencies.
Does he think that credit reporting agencies should have more governmental oversight, given the current situation?
What specific laws would he implement to protect every individual’s personally identifiable information from being used in a fraudulent manner?
I read that only 4% of identity theft fraud involved new lines of credit, which could be prevented by freezing credit files. The most likely fraud mechanism from the Equifax breach would be fraud against existing accounts, such as checking. I don’t know what else we could do about existing accounts other than to monitor them.
“By agreeing to use Equifax’s lock service, will consumers also be opting in to any additional marketing arrangements, either via Equifax or any of its partners?”
By agreeing to use Equifax’s lock service, will consumers also be opting in to any additional arrangements with Equifax or any of its partners?
What will the terms of service and privacy policy be for the free offering?
I would ask:
Where is the DECEPTIVE fine print that granted “permission” for them to sell MY info and on top of that, why the heck don’t I get a cut?!
An additional question might be asking what Congress proposes to do to remove barriers to unfreezing credit files.
Just this week, I needed to temporarily lift the freeze on my files. With TransUnion, it took three minutes online with my PIN and password. With Equifax, I spent about two hours over three evenings on the phone before they successfully lifted the freeze. (They had an incorrect birthdate in my file.) Experian repeatedly took my PIN and other information — and held funds on my credit card, to boot — before kicking me to a “mail us a sheaf of documents and we’ll get back to you” screen. In the end, I accomplished what I needed to without Experian.
Companies that hold troves of personal data bear a special responsibility to protect that data; numerous breaches led many of us to freeze our files even before the Equifax breach, but we still need to lift those freezes occasionally. With my PIN and knowledge of every detail of my financial life, I should be able to lift my freeze quickly, and Experian should have phone representatives to assist. One would be forgiven for suspecting they try to make these freezes as painful as possible to drive consumers to avoid freezes altogether.
Any links to PCI-DSS ?
They are a merchant (they sell these reports online and you can most probably pay with a credit card).
So PCI applies, and it is obvious they did not adhere to most of the 12 requirements.
What was the result of the last PCI DSS audit?
“Uh, everything’s under control. Situation normal.”
Then called before Congress…
“We had a reactor leak here now. Give us a minute to lock it down. Large leak, very dangerous.”
Thanks, Brian.
For too long, tech folks have looked for tech solutions, as in “If my only tool is a hammer, all the problems look like nails.” What good is 2FA in the face of such widespread incompetence at the executive level? Until the political hammer comes down, nothing will change.
Great initial work, Brian, and great followup in your reporting afterwards.
I would ask: did Equifax executives cashing in their stock after the breach but prior to its announcement, as reported by the press, have anything to do with the breach?
If it did, can the profits be clawed back to somehow help those consumers who were affected by the breach?
I would also ask why the seeming confusion/inconsistency in public announcements after the breach–does it have something to do with a loose organizational chart?
Regards,
IF the insiders sold their stock knowing of the breach, then they are guilty of what is known as “illegal insider trading,” which as the name suggests, is a major crime!
Additional question: why has the credit industry not developed a fool-proof mechanism for identifying an individual? A system which relies on readily discerned/manufactured information such as SSN and date of birth is a joke.
Question #1 to Mr Smith: Your company does business internationally, so why are you not allowing the consumers in countries outside the USA, to invoke a credit freeze?
Question #2 to Mr Smith: Why are consumers outside the USA being offered 1 yr of free credit monitoring, whereas USA consumers are getting a lifetime offer?
Question #3 to Mr Smith: Why is there no website setup by Equifax for consumers outside the USA to check if their credit has been compromised?
Question #4 to Mr Smith: Sir, have you violated your Corporate Charter?
I’ve frozen my credit w/ 5 bureaus now:
Equifax, Experian, TransUnion, Innovis, and ChexSystems.
I’m pretty sure I froze all 5 by phone. I used a US based phone number in all instances (I generally use either Skype or Google Voice — both are free), but I don’t think I need to be in the US for any of them. The only requirement they’ve had is that I provide a US mailing address (which generally provides the thaw code).
It’s been fairly painless.
I would ask instead of those holding the Inquiry: “Why does no one go to jail? Or why are not those responsible in some way held liable for the distress and expense they’ve caused the victims?”
If those who caused the problem suffer no consequence, what’s the point of the inquiry? Otherwise it’s just smoke and mirrors.
“Also, I’m curious to know what percentage of Americans had a freeze prior to the breach, and how many froze their credit files (or attempted to do so) after Equifax announced the breach.”
An article I glanced at online published perhaps 2 weeks after the breach, indicated that only 20% of the people who were well aware of the breach had taken any action (freeze or monitoring).
Sorta like the phrase “Watching Katrina”. Everyone had ample notice of the impending storm. So you wander down to the beach and watch as the waves start kicking up. Then the sea starts getting more violent. The winds really kick in and almost knock you down. The sea now laps at your feet. Now it’s up to your waist. Now it’s over your head but you’re still just “watching”, maybe it’ll all turn out just fine.
After “all” the breaches/hacks in just recent years alone, one would think almost everyone would be taking some precautions. As for me. I got the news of the impending storm and have headed to what I hope is safer grounds. I feel sorry for all those who may get caught up in this mess because they didn’t do something proactive.
Did Equifax have cyber security insurance?
If no, then why not? Given their amount of PII and PCI on millions of people it would definitely be necessary.
If yes, then what is the name of the cyber security insurance provider? And how much of the breach response were they responsible for?
Good article Brian.
Question to Mr. Smith: What can Equifax do (or any other bureau for that matter) to ensure that those individuals caught up in the breach will not have negative future impacts to their credit reports as a result of the breach?
Quick reminder: For the most part, we are their Product and not their Consumer. Without regulatory protections we, as the Product, are limited in what influence we have to drive change. For example, we can’t “take our money elsewhere” like a typical consumer can. (Bruce Schneier has spoken about this in much more depth.)
How much is the Company providing in financial reserves to pay for the cost of free freezes / unfreezes for life for all consumers who set freezes at all credit bureaus? How much is the Company providing in financial reserves to pay for free credit monitoring (ID Theft protection) for life for all consumers who were impacted by the breach?
Agree with questions about: Encryption of consumer data; consumer permission (opt-in) before allowing data to be shared; and free freeze / unfreeze for life.
Brian, here is what I would ask him: does he think his company should have been regulated and supervised by a financial services regulator? if no, why not?
Great article!
Additional lines of questioning for Mr. Smith:
1) Describe the security protections in place as of March to protect consumers’ data (encryption, pen tests, patching policies, vm scans, etc)
2) What % of Equifax’s 2017 budget was allocated to security? What % was allocated to lobbying / “government affairs”?
1. Is there a reason why the C suite at Equifax should not go to jail for culpable, criminal negligence resulting in harm to consumers?
2. Why should the Congress not require Equifax and other data gatherers, that collect, maintain, and commercialize extremely sensitive consumer data, to establish a Billion (2-5) as an insurance pool to cover harm caused to consumers through security breaches?
I’m still wondering what percentage of records maintained by Equifax were breached. Any of the following questions:
“How many people’s information does Equifax maintain?”
“What percentage, of the records that Equifax maintains, were breached?”
I’ve been wondering if the total population that Equifax had responsibility for was 143 million, and they managed to breach every one of those records.