Yahoo and Equifax are going to need a lot of sorry cards.
Executives from the two companies testified before Congress on Wednesday, apologizing for massive network breaches that affected billions of people around the world.
Yahoo last month revealed that in 2013 it suffered the largest hack in history, a breach that hit 3 billion customer accounts. Equifax, a credit-monitoring agency, in September said hackers stole information, including Social Security numbers, credit card numbers, names and addresses, on up to 143 million Americans.
Lawmakers on the Senate Commerce Committee demanded answers on how the two companies would protect people from future massive data breaches.
“It’s not a question of if we’ll have another one, but when,” Sen. Bill Nelson, a Democrat from Florida, said in his opening statement.
It was a packed house on Capitol Hill: Both the current and former Equifax CEOs, Paulino do Rego Barros, Jr. and Rick Smith, respectively, testified. Yahoo’s former CEO, Marissa Mayer, as well as parent company Verizon’s chief privacy officer, Karen Zacharia, also testified. Verizon bought Yahoo in June, with the data theft knocking $350 million off the purchase price.
Mayer opened her testimony with an apology, pointing out that Yahoo had been hit by a sophisticated attack from Russian hackers, one that even the best security couldn’t have stopped.
“These thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users,” Mayer said.
The Department of Justice indicted Russian hackers for attacking Yahoo during a 2014 breach, but not for the 2013 data leak, which affected the 3 billion users. Mayer said it’s still unclear who was behind the 2013 hack.
“I believe all companies, even the most well-defended ones, could fall victim to these crimes,” she said.
Equifax’s interim and former CEOs apologized for the company’s failures and touted the tools it has offered to victims of the breach. Those include a credit-monitoring app that will be available in January and free credit locks from the company.
“We did not meet the public’s expectations, and now it’s up to us to prove that we can regain their trust,” Barros said.
During the testimony, both companies talked up how they’ve changed since suffering their historic breaches — while senators called out their inaction. Both Mayer and Verizon’s Zacharia pointed to Yahoo’s responses to the breach, such as requiring password changes and improving its encryption.
Yahoo said it’s doubled its security team. Equifax said its budget for security has increased fourfold since the breach. But the new priority on security hasn’t changed the root problems for both companies.
Mayer said Yahoo still doesn’t know exactly how hackers breached all of its users and isn’t sure what flaws it needs to fix.
Smith said Equifax decided not to encrypt its massive database of sensitive data at rest because it judged its firewalls and other layers of security to be enough. The company’s new CEO said he’s unsure whether that data has been encrypted since the breach.
And while Barros discussed Equifax’s tools for breach victims, he noted that barely anyone is using them. Only about one-fifth of the 145 million people affected by the breach have actually turned to Equifax’s solutions, Barros said during the testimony. The company’s website received 420 million visits, but only 30 million people have actually used the tools.
Now that Verizon owns Yahoo, Zacharia promised better security in the future, though senators remained skeptical during the hearing. Richard Blumenthal, a Democratic senator from Connecticut, called for incentivizing security through laws that would penalize companies whose lax security leads to major breaches.
“Under current law, even some of the most egregious examples of lax security can be met only with apologies and promises to do better next time, not fines or other penalties or real deterrents,” Blumenthal said.