Richard Smith, former Equifax CEO, testified before the House Energy & Commerce Committee on his first stop on his tour testifying before committees. He confirmed some of terrible stories floating out there and even introduced us to some new ones.

Referring to solid Krebs On Security article (since he’s reliable and gave three hours of his life to watch) titled Fear Not: You, Too, Are a Cybercrime Victim! some of the points discussed are as follows:

     + 145.5 million people were affected, 2.5 million more than initially reported

     + Smith clarified banks & other businesses are their customers, not consumers

     + The company waited 4.5 months to fix the security flaw in their dispute portal (the human element he made sure to point out). Krebs points out that Smith did not explain, nor did the committee ask, how or why 145.5 million users were tied up in this ‘dispute portal’.  Here are some questions Krebs thinks should be asked

     + Smith claimed they “use many techniques to protect data — encryption, tokenization, masking, encryption in motion, encrypting at rest” but the compromised data in the ‘dispute portal’ was stored in plaintext. He then went on to explain “There are varying levels of security techniques that the team deploys in different environments around the business”

     + Smith gave two public speeches in the second and third weeks of August where he was quoted saying fraud was a “a huge opportunity for Equifax,” and that it was a “massive, growing business” for the company, though he claims they did not know what kind or how much data was compromised at that time.. sketchy. Coincidentally, just after this testimony Politico released a story that even amid this scandal Equifax has been granted a 7 million dollar contract from the IRS for identity proofing & anti fraud services. They’ve also been a contractor in the past resulting in a huge tax fraud epidemic and poor security all around

     + Hurricane Irma was to blame for there phone systems being able to handle the volume of calls from concerned consumers.. and 420 million visits to the site created unreliable online as well

     + ‘Credit Locks’ (the fine text in your service agreement) are preferred over ‘Security Freezes’ (consumer protections under the law) because they are free and allegedly more consumer friendly. Krebs refers to Christina Tetreault, a staff attorney for the respected Consumer Reports, who says security freezes are stronger than credit locks because protections under the law are stronger than contractual agreements and prevent businesses from making money by selling your credit files to banks & others wanting to open your new line of credit

Check out Smith’s official written testimony here.

This is a brief recap of Krebs On Security article. You should definitely check out his more detailed story where he links to many stories and resources to back all this up.

Follow Brian Krebs on Twitter & Facebook

@highupwebdev