Senate panel holds hearing on Equifax, Yahoo security breaches
The Senate Commerce Committee is holding a hearing on consumer data security. Interim CEO of Equifax, Paulino do Rego Barros Jr. and former Equifax CEO Richard Smith are testifying as well as former Yahoo CEO Marissa Mayer. Other witnesses include Verizon Communications Chief Privacy Officer Karen Zacharia; Entrust Datacard Corporation President and CEO Todd Wilkinson.
Equifax revealed in early September that hackers had gained access to the personal information of 143 million U.S. consumers after exploiting a vulnerability on its website.
Verizon said in early October that the 2013 Yahoo hack affected all three billion user accounts.
Follow live updates from the hearing below:
Interim Equifax CEO says it's developing app to provide consumers more control
Barros confirmed that Equifax is working on an app that would allow consumers to lock and unlock personal credit data, providing consumers with more control. In an exchange with Sen. Amy Klobuchar, D-Minnesota, Barros said that the company is on time to deliver the product in January and it's being developed right now. He said that it has all of the security needs and requirements that are in compliance with security.
Mayer clarifies Yahoo hasn't concluded those responsible for the 2013 breach
In an exchange with Sen. Todd Young, R-Indiana, he said that Mayer testified that the 2014 breach was state-sponsored, but asked if the 2013 breach's origins have been determined.
"We have not been able to determine who perpetrated the 2013 breach," she said.
Mayer said that she learned of the breaches at the scale reported in 2016, but learned of a Russian intrusion into the network in Dec. 2014.
Sen. Tammy Baldwin asks Equifax chief to commit to notifying every consumer affected by breach
The Wisconsin Democrat asked Barros if he can commit to proactively notifying every person affected by the company's data breach.
"We have been notifying; we have been working with consumers," said Barros, who added that the company is also improving social media and engaging with consumers.
Baldwin asked him again to commit to notifying everyone affected and Barros only said that the company is actively engaged with consumers.
Verizon's chief privacy officer outlines what could be in data breach legislation
Zacharia said that the two key items that should appear in data breach legislation include a national framework so that companies have one standard to comply with when they're responding to a data breach. The other item is that companies get the standard right for when they notify customers about a breach. She said that there should be a balance between notify customers when important information is stolen and not notifying them too often.
Nelson says companies must go to "extreme limits" to protect customers' privacy
Nelson said that Mayer admitted in her testimony that Yahoo was not protected enough against a state actor. He then asked Zacharia what Verizon is doing to make sure that Yahoo is protected. Zacharia said that Verizon must work with both industry and government to tackle the problem of data security.
She said that Verizon has "long believed" that there should be national data security and data breach legislation and said her company is open to collaborating with senators on such measures. She also said that because security isn't static and attackers are always getting better at their techniques, she said that Verizon has to make sure that it's also constantly changing its security.
Nelson said that while she conveyed "good intention," he said said, "it's going to take more.
"It's going to take an attitude change among companies such as your's," Nelson said, adding that they must go to "extreme limits" to protect customers' privacy.
Sen. John Thune asks Marissa Mayer why it took Yahoo three years to disclose breach
The South Dakota Republican asked why it took Yahoo more than three years to discover and disclose the breach.
Mayer said that Yahoo "deeply valued our users' security" and that the company has still not been able to identify the intrusion that led to the theft. She said that Yahoo doesn't exactly understand "how the act was perpetrated." She said that this led to areas where Yahoo had gaps in its information.
Thune asked again why it was three years for Yahoo to disclose the breach and why it underestimated the number of people affected by billions.
Mayer said that Yahoo didn't know about the intrusion in 2013. She said that the company learned about the intrusion by files presented to Yahoo in November 2016 and verified that the data was taken in 2013.
Verizon's chief privacy officer says Yahoo took action in wake of 2013 theft
Zacharia said that the review of the data theft from 2013 confirmed that the stolen information didn't include Social Security numbers and sensitive financial data, among other information. At the time of the theft, she said that Yahoo required password changes for user accounts and invalidated unencrypted security questions. She said that this means "Yahoo took steps in 2016 to protect all users."
Ex-Yahoo chief Marissa Mayer says she "sincerely" apologizes to victims of breach
Mayer said that Yahoo worked hard over the year to earn the trust of users. She said that the data thefts occurred during her tenure and she said she "sincerely" apologizes to those affected. Mayer said once the theft was exposed, it was "promptly" reported to law enforcement. She said that Yahoo worked closely with law enforcement, including the FBI, to expose those responsible, which she noted were Russian intelligence officers and state-sponsored actors.
Interm Equifax CEO Barros apologizes to the American people
Barros said that Equifax is focused every day on strengthening security and providing better support to consumers. He said his company has taken certain steps in recent weeks since the breach to improve security.
Barros said that his highest priority is to improve services for consumers and as a result, he has visited call centers, spoken to consumers directly and has made improvements to social media and the consumer experience. Barros said that it has resulted in a "substantial reduction in delays and backlogs."
He also said that there was a corporate restructuring which involves the chief security officer reporting directly to him.
Sen. Ben Nelson says "rigorous" data security rules must be implemented
The Florida Democrat said that stiffer enforcement and stringent penalties are the only way to incentivize companies to properly protect consumers' information and to inform consumers when breaches take place.