Former Equifax chief will face questions from U.S. Congress over hack

WASHINGTON (Reuters) – U.S. lawmakers are due to question the former head of Equifax Inc (EFX.N) at a Tuesday hearing that could shed light on how hackers accessed the personal data of more than 140 million consumers.

Richard Smith retired last week but the 57-year-old executive will answer for the breach that the credit bureau acknowledged in early September.

Late Monday, Equifax said an independent review had boosted the number of potentially affected U.S. consumers by 2.5 million to 145.5 million.

In March, the U.S. Homeland Security Department alerted Equifax to an online gap in security but the company did nothing, said Smith.

“The vulnerability remained in an Equifax web application much longer than it should have,” Smith said in remarks prepared for delivery on Tuesday. “I am here today to apologize to the American people myself.”

Smith will face the House Energy and Commerce Committee on Tuesday but there will be three more such hearings this week.

Equifax keeps a trove of consumer data for banks and other creditors who want to know whether a customer is likely to default.

The cyber-hack has been a calamity for Equifax which has lost roughly a quarter of its stock market value and seen several top executives step down alongside Smith.

Smith’s replacement, Paulino do Rego Barros Jr., has also apologized for the hack and said the company will help customers freeze their credit records and monitor any misuse.

There has been a public outcry about the breach but no more than 3.0 percent of consumers have frozen their credit reports, according to research firm Gartner, Inc.

Smith said hackers tapped sensitive information between mid-May and late-July.

Security personnel noticed suspicious activity on July 29 and disabled the web application a day later, ending the hacking, Smith said. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

Patrick Rucker contributed from Washington; editing by Clive McKeef.


The SEC Hack Shows That Not Even Top Government Data Is Safe

A major computer hack at America’s top stock market regulator is the latest sign that data stored in the highest reaches of the U.S. government remains vulnerable to cyber attacks, despite efforts across multiple presidencies to limit high-profile breaches that are so frequent many consider them routine.

In recent years, nation-state and criminal hackers, as well as rogue employees, have stolen data from the Internal Revenue Service, the State Department and intelligence agencies, including millions of government employee files allegedly exfiltrated by the Chinese military, U.S. officials say.

The Securities and Exchange Commission (SEC), America’s chief stock market regulator, said on Wednesday that cyber criminals may have used data stolen last year to make money in the stock market, making it the latest federal agency to grab headlines for losing control of its data.


At the same time, being only the latest major breach is not special, said Dan Guido, chief executive of Trail of Bits, which does cyber security consulting for the U.S. government.

“It simply reflects the status quo of our digital security,” said Guido, who is a former member of the cyber security team at the Federal Reserve, America’s central bank.

Central bank officials have detected dozens of cases of cyber breaches, including several in 2012 that were described internally as “espionage.”

The U.S. federal government has sharply increased funding dedicated to protecting its own digital systems over the last several years, attempting to counter what is widely viewed as a worsening national security liability.

But as one of the world’s largest collectors of sensitive information, America’s federal government is a major target for hackers from both the private sector and foreign governments.

“When you have one central repository for all this information – man, that’s a target,” said Republican Representative Bill Huizenga, chairman of the House subcommittee on Capital Markets, Securities, and Investment, which oversees the SEC.

Last year, U.S. federal, state and local government agencies ranked in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare, according to benchmarking firm SecurityScorecard.

An update of the rankings in August showed the U.S. government had improved to third worst, ahead of only telecommunications and education.

“We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery,” said SEC Chairman Jay Clayton.

The federal government audits cyber security measures every year at top agencies, producing reports that routinely expose shortfalls and sometimes major breaches. The Federal Bureau of Investigation also looks for hacking attempts and helped spot an alleged intrusion by Chinese military-backed hackers into a major banking regulator between 2010 and 2013.

Weekly scans of government systems by the Department of Homeland Security showed in January that the SEC had critical cyber security weaknesses but that vulnerabilities were worse at three agencies, including the Environmental Protection Agency, the Department of Health and Human Services and the General Services Administration.

Some agencies said they had improved their cyber security posture since that report.


A GSA spokeswoman said the agency has not had any critical vulnerabilities in the past six months, and that the ones identified in January were patched in under 10 days.

A Department of Labor spokesman said all identified vulnerabilities had been fixed and that its systems were not compromised by the identified flaws.

But, he added, “addressing vulnerabilities associated with legacy systems can be challenging.”
