Skip to main content

tv   Data Breaches  CSPAN  November 10, 2017 8:12am-10:45am EST

8:12 am
2.5 hours.
8:13 am
chair: good morning, now that our executive session is complete we turn to the issue of data breaches. this is not a new issue. the committee has been focused on the consumer impact since before i was elected to the senate. the september 2004 choice point breach was considered to be the first high-profile data breach in the modern era prompted investigations from this committee and state authorities. choice point was a data aggregation company originally as fateby equifax who
8:14 am
would have it is represented here today. in terms of the inquiry the major data breaches, we have come full circle. congress and this committee paid close attention to data breaches big and small. the committee has entertained proposals to strengthen requirements for companies across the board and impose federal requirements for companies to notify consumers following discovery of the breach. we are in the air of major data breaches, including equifax and yahoo! that we are examining. the yahoo! breaches are larger, the fx -- equifax breach is more severe given the nature of the data compromised. i have heard many constituents who were concerned about the lasting effects of the equifax breach. i have heard complaints it is difficult to set up a credit freeze and questions about whether credit monitoring is an effective tool to prevent identity theft.
8:15 am
theequifax breach exposed sensitive personal data of 140 5.5 u.s. consumers including the names, social security's, birthdates, addresses cut -- and driver license numbers. were affected. will have an opportunity to provide an update regarding the breach as well as it's much criticized efforts to mitigate harm and prevent anything like this from happening. the yahoo! breach compromised over 3 billion user accounts and followed a prior breach in which hackers still information five -- from 500 million users. the data included names, dates of birth, partial passwords, unencrypted security questions and answers, and employment information. the figure constitutes the entirety of yahoo! mail and other yahoo! owned accounts at the time of the breach.
8:16 am
have! representatives will an opportunity to provide an update regarding the breaches as well as efforts to mitigate harm and ensure security and consumer data going forward. the data breaches illustrate dramatically that our nation continues to face constantly evolving cyber threats to her personal data. companies that collect and store personal data on american citizens must step up to provide adequate cyber security and there should be consequences if they fail to do so. the committee made cyber security a priority and i am hopeful today's hearing will help -- help the committee when there is a risk of real harm stemming from a breach we must make sure that consumers have the information protect themselves. that is why i support a uniform federal breach notification standard to replace the patchwork of laws and 48 states in addition to the district of columbia and three other territories. a single federal standard would
8:17 am
ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. such a standard would provide consistency and certainty regarding timely notification practices that a fitting consumers and businesses. securere that businesses information appropriately, i have advocated for uniform reasonable security requirements to protect consumer data. based on the size and scope of the company and the sensitivity of the information. however in this regard, the facts of the equifax reach are troubling. as a credit bureau equifax was subject to the safeguards rule under the act which is considered to be a stringent regulation. the equifax breach occurred and its implement could -- implications appear dire. enhancing security, protecting the personal data of consumers will be a priority for this committee. i want to thank our witnesses for appearing here today and i
8:18 am
look forward to hearing your testimony. i will turn to senator nelson for his opening remarks. senator nelson: thank you, mr. chairman. , this is the latest edition and a long history of hearings that we have held on this committee to discuss data security and breaches. several senators on this committee who have asked for this hearing. senator baldwin in particular, alator cortez, thank you for l the more ringing this to the forefront. if you start with the massive point reache choice in 2005, and then continuing with target, neiman marcus, shape hat, sony, citigroup, cvs,
8:19 am
south shore hospital, heartland payment systems, and many others, the parade of high-profile data breaches seems to have no end and billions of consumers have had their , personallyrsonal identifiable information socialised, including security numbers, driver's licenses, addresses, dates of birth. for years going forward, criminals can use this data to steal the identity of innocent consumers and create fake accounts in their names and commit other types of fraud and i might point out that right now, we estimate $5 billion a year is being stolen from the u.s. treasury just on fake federal income tax returns of
8:20 am
which they get a refund. and on top of that, we also recently found out the 2013 yahoo! breach compromised the personal data, it is hard to believe, 3 billion users. that is the biggest aider breach in history -- data breach in history. yet today here we are once again dealing of the aftermath of the -- breachifax reach involving the personal identification information of nearly 145 million americans. raisesst recent breach and even more troubling question. agencies reporting that offer identity theft protection and credit monitoring services cannot even safeguard their own data from hackers, then how can consumers trust any company to protect their
8:21 am
information? and let me say also, when you get up against the sophistication of state actors such as russia and china, it is going to be hard to protect against them. sadly, the question that millions of americans are now asking is, as they struggle to figure out how to protect themselves in the wake of these massive breaches, what in the world do we do? chairman, ise, mr. going to again consider what it would do to make sure that but ifrs are protected, we are going to do anything meaningful, we must have the clinical will -- political will to hold these companies accountable. over the years the federal trade commission has brought numerous enforcement actions against companies for lax data security practices.
8:22 am
but industry has recently challenged the ftc's well-established legal authority to bring such actions. this piecemeal, after-the-fact approach would be better served if the ftc were able to prescribe rules that require companies to a. reasonable security practices -- to adopt reasonable security practices in the first case. been pute already forward to agencies like equifax. the agency should have a similar authority for the rest of the commercial sector. and so, mr. chairman, i think at the end, it is only stiffer enforcement and stringent penalties are going to be able help incentivize companies to properly safeguard their consumer information, and to notify help their consumers whey
8:23 am
have been compromised. i strongly believe that without rigorous data security rules in place, it is not a question of anotherwe will have one, but when. we can either take -- i hope it can inform our future actions. it needs to be addressed. congress needs to be heard from. glad to have our panel with us this morning. on my left in your right is mr.b from equifax, and richard smith, the former ceo at equifax. ms. marissa mayer, former ceo of yahoo! incorporated. verizon, zachariah for
8:24 am
a parent company of yahoo! since 2017. wilkinson's, -- wilkinson, president and ceo of entrusted data card. i will start with you mr. barro s, and ask you to confine your oral remarks as close to five minutes as possible. anything extra can be on the record. barros: good morning. rankingman thune, member nelson, members of the committee. thank you for letting me be here today. six weeks ago i was named interim chief executive officer of equifax. i never expected to become ceo under the circumstances. but i am honored to be in this position.
8:25 am
speaking for everyone at equifax come i am determined to address all the issues from the breach so we can regain the confidence of the american people. equifax is based in atlanta, you can tell from my accent, i did not grow up in georgia. i am a native of brazil. i have had the privilege of working most of my adult life in the u.s. my children were born here. i'm an engineer by training and i have spent a lifetime confronting and fixing complex business problems. this is the mindset i bring to my new position. was the act as ceo consumer response and call centers and the website. we are working hard to fix the problem. i apologized to the american people and they do so again here today. you and thech of
8:26 am
american people, equifax will be focused every day on assessing security and providing better support for consumers. leader in an industry giving consumers more control over personal private data. in answer to your questions i would like to review briefly the actions we have taken in the past six weeks. first, my highest priority has been to improve service for consumers. i visit call centers, have spoken with call center havesentatives, personally taken calls from consumers and help to resolve their issues. expandeddia, we have communication. website,mproved the have staffed the call centers and made it more consumer friendly. the result is a substantial collection it -- reduction in backlogs and delays. we have revised our corporate structure.
8:27 am
the chief security officer now reports directly to me. officerlso appointed an to perceive the response to this incident. improvingare rapidly our security infrastructure. we're changing our networks, our vetting procedures, introducing new tools, and strengthening our accountability mechanisms. fourth, we have committed to working with the entire industry to develop solutions to the growing cyber security and data protection challenges we all face. we promise to launch a new, easy-to-use app in january that will give consumers access to data free for life. scheduled -- where confident consumers will find it extremely valuable.
8:28 am
we have done a lot in a short period of time. but this is just beginning. i remind my team every day that there are not shortcuts. -- it is asumers long-term commitment. equifax is made up of 10,000 talented and dedicated people. our business is not well understood. but it is essential for the economy and for helping consumers obtain credit they need. our top job must be to protect the data entrusted to us. did not meet the public's expectations and now it is up to us to prove we can regain the trust. we are committed to working with consumers, customers, congress, and regulators to restore public
8:29 am
trust. this is been my focus during my first six weeks as ceo. it will continue to be my focus every day at my new job. thank you for your attention and i welcome your questions. sen. thune: mr. smith. mr. smith: thank you. thank you for the opportunity to testify before you today. i submitted my written testimony to the committee and other committees in the senate and house. i testified over the last three or four weeks. the written testimony is a record of the events of the breach at equifax is that occurred. i am here today to answer any questions you may have. thank you. sen. thune: thank you, ms. the -- ms. mayer. mayer: thank you for the
8:30 am
opportunity to appear before you today. i have the honor and privilege of serving as the yahoos chief executive officer from july 2012 through the sale of the business in june of this year. as you know, yahoo! was a victim of criminal -- state-sponsored attacks on its systems, resulting in the theft of certain user information. we worked hard over the years to earn our users trust. i want to sincerely apologize to each and every one of our users. of this in learned late 2014, yahoo! promptly reported it to law enforcement and notified the users at that time who had been directly impacted. yahoo! worked closely with a law enforcement, including the fbi, and were able to identify and expose the hackers responsible. we now know that russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on
8:31 am
yahoo! systems. the department of justice and fbi had a 27 count indictment charging criminals with these fbi praiseddoj and yahoo! for our cooperation and early proactive engagement with law enforcement. 2016, -- yahoo! determined the user data was most likely stolen from the company in august of 2013. although yahoo! and its outside forensic experts were not able to identify it, the company disclosed to incident, notified the users believed to have been affected, and took steps to secure all user accounts. i want to stress how seriously i cyberhe threat of attacks. after growing up in wisconsin i remember buying my first computer in college, developing a passion for computer science
8:32 am
and writing code and seeing the potential to change the world. after college i was hired by a small start up named google as their 20th employee and first female engineer. i worked my way up from software engineer to part of the executive operating committee. in july 2012i became ceo of yahoo!. i will always be grateful for and humbled by the opportunity to have led yahoo! and its employees for the last five years. my friends from yahoo! and google have shown me the potential of the internet to change our world for the better. however, they have reinforced the dangers of sire -- cybercrime. our efforts to confront the challenges of cyber security, including security measures and defenses yahoo! has in place, in hopes of further advancing protection and security. -- we protected our systems and users.
8:33 am
we devoted substantial resources to security with a shared goal of heading -- staying ahead of the evolving threat. joined yahoo! we roughly doubled our internal security staff and made significant investment. in addition to improving our talent, we improved our security processes and system defenses. yahoo! had in place multiple layers of sophisticated protection. we were extremely committed to security. i want to thank all of our team members for their tireless efforts in addressing yahoos -- yahoo!'s security needs. russian agents intruded on our system. the threat from state-sponsored attacks has changed the playing field so dramatically that today, i believe all companies, vulnerable to
8:34 am
these crimes. cyber security is a global challenge. no company, individual or government agency is immune from these threat. the attacks on yahoo! demonstrate the strong collaboration between the public and private sectors is essential in the fight against cyber crime. aggressive pursuit of cyber criminals as the doj and fbi exhibited in the yahoo! case, could be a meaningful deterrent in preventing future crimes like these. of thee words investigator, a nation state attack is not a fair fight and not one you will win alone. we can work together to level the cyber playing field. ms. zacharia. ms. zacharia: thank you for the opportunity to testify here today. my name is karen zacharia and i am verizon's chief security
8:35 am
officer. verizon has a long-standing commitment to protecting and safeguarding consumer data and building trust online. increasingly connected world, verizon recognizes strong security and consumer trust are prerequisites to compete in the 21st century's digital economy. the nature of our business requires verizon made cyber security a top priority. in 2016 verizon announce it entered into an agreement to acquire yahoo!'s operating business. that closed in 2017. yahoo! is now part of a new company from verizon called oath. including yahoo! news, yahoos sports, tumbler and aol. in september and december of 2016, yahoo! announced its user data was stolen and two separate
8:36 am
incidents in 2013 and 2014. this happened well before the acquisition of yahoo!. at the time of the december 2016 announcement, yahoo! disclosed one billion of the 3 billion accounts existing at 2013 had likely been impacted. verizon acquired yahoo!, we obtain new information from a with party and reviewed it the same forensic experts yahoo! had used previously. notoncluded all accounts, just a subset, were impacted by the 2013 security incident. yahoo! provided further notices to the impacted users beginning october 3, 2017. when wen a week determined that the impacted user accounts. the review confirmed the stolen information did not include social security numbers or passwords and clear text, and
8:37 am
did not include sensitive financial information like payment card data or bank account information. although verizon do not own yahoo!'s operation -- operating business at the time of the 2013 data theft, we understood yahoo! took action around the time of this announcement to protect its users accounts. yahoo! required password changes for user accounts that had not been changed since 2014. yahoo! invalidated unencrypted security questions and answers so they could not be used to access an account. yet he took these actions on user accounts beyond those of the security incident. they took steps in 2016 to protect all users, including additional accounts individually notified in october of. 2017 -- individually, notifying them in october of 2017.
8:38 am
leverage intelligence, technology advances to make improvements to our system, and apply more advanced protection to our user accounts. we are combining two strong existing security teams. we are examining practices of each team and applying the best a crossed -- across oath. we are creating an advisory board with experts. security has always been in verizon's dna and we will make improvements to meet the security challenges of the future. we areizon and oath, laser focused on the needs of our customers. we know that they expected their information will be secure. we go to great lengths to implement security. substantialtting resources to defend our assets, networks and customers,
8:39 am
including those acquired with the closing of the yahoo! transaction. with the benefit of verizon's resources and accountability, verizon and oath will continue to strive to stay ahead of an ever evolving threat landscape. i look forward to answering your questions. sen. thune: mr. wilkinson. mr. wilkinson: chairman soon -- committee,ers of the thank you for allowing me to discuss about the urgent actions needed to protect personal information. for almost 50 years, entrust datacard has secured digital identities that are used around the world and banking, government and private applications. identity is the way americans build financial lives. it is the primary reason this information was targeted. -- and it ismour
8:40 am
why we see more sophisticated attacks. the challenge of protecting data is an evolving and sophisticated task that starts with a secure identity. it is more critical as we drive toward connectivity linking virtually every aspect of our lives. according to the 2017 verizon data breach, 43% of all data breaches can be traced to a phisihing tactic. once compromised, primary target is consumer identities. the information stolen in the most recent breach contained a significant amount of personally identify -- identifiable information. the focus of this hearing is to focus on the events, the steps that could of been taken, and determine if there are options to further safeguard consumer identities in the future.
8:41 am
regarding the issue of steps we have taken to ensure -- better ensure the safety, organizations are challenged by increasingly complex systems. arise -- and a rise in attacks from nationstates. is free from vulnerabilities and all have the potential to be breached. are documented best practices and tools available to mitigate common attacks. the vast majority are the result mistakes andurity poor cyber hygiene. ii is the basis of our identities for secure transactions, could potentially be used to defraud consumers. it is essential to find a balance in providing an answer to the underlying security of consumer identities. to recovercritical
8:42 am
quickly and ensure consumer data is no longer at risk. today, the federal government provided a nine digit number issued on a paper card, our social security card. this static number is issued at birth and difficult the change without significant inconvenience. while we have made substantial steps and technology, consumers are still vulnerable to compromise. our recommendation is that the time is upon us to create a new identity. it would have a modern secure identity with collaboration of government and industry. examples several delivering stronger identity frameworks as a foundation for commerce. will identity framework allow citizens to use a more secure method to transact in and reduce potential of breach or compromise. this new framework would minimize risk and be used in case of breach and allow the consumer to more easily recover their identity with minimal
8:43 am
impact. our identity system is broken, not secure. it is time to leverage technologies to provide americans with new technologies to protect their identities. the best path forward rests upon andpublic-private ecosystem constant self-assessment of vulnerabilities. whether it is through incentive or directive, we need to proceed now. we need to address information compromised while working toward longer-term solutions to greater more resilient identity for american consumers. thank you for your time today. sen. thune: thank you, mr. wilkinson. i will start with the questions, you describe the significant investments yahoo! made under your leadership with regards to security. nevertheless, the company failed
8:44 am
to -- detect the 2013 breach, the largest in the security of the internet, for more than three years. even after the 2013 breach became apparent, yahoo! significantly underestimated the number of accounts implicated, by billions. i will give you an opportunity to answer the obvious question. that is, with such a strong security team in place, how did yahoo! fail to recognize that all 3 billion of its user accounts had been compromised, and why did it take more than three years to discover and disclose the breach? at yahoo! we deeply valued our user security and invested heavily in that security. inis frequently the case these type of cyber attacks, they are complex, they are persistent, and in often cases, the understanding of the facts
8:45 am
evolve over time. to this day, as i understand it, we have not been able to identify the intrusion that led theft. safed. -- to that we verified the data came from yahoo!, but we do not understand how the act was perpetrated. that led to some of the areas where we had doubts about the information. sen. thune: why the delay in disclosing it? it took from 2013, three years. and how is it possible to underestimate by billions, literally, the number of consumers impacted by it? yahoo! did not know of the intrusion in 2013. we knew in november of 2016. we identified at the data was taken from yahoo!, likely from
8:46 am
august of 2016, notified law enforcement and users and took effective actions on accounts. we estimated it affected more than one billion users. there have been recent announcements from verizon that i am not privy to, as i am no longer with the company. sen. thune: the 500 million originally disclosed and it jumped up to 3 billion, there is no real explanation to your knowledge, for how you miscalculated the number of people? ms. mayer: the 500 million to the fallelated of 2014 breach by the russian hackers for the indictments were issued by the doj and fbi. sen. thune: in prior testimony you said the failure to patch a known vulnerability in your
8:47 am
system boil down to a single employee's failure to act, compounded by an i.t. scan that should have detected the failure, but did not. and then the vulnerability was allowed to persist for several months without corrective actions being taken. for a company that holds the most sensitive information on american consumers, i hope you can understand why this revelation is so hard to understand. can you explain why there were not more tripwires and redundancies to prevent things like this from happening? you testified these weaknesses have now been addressed. perhaps you could elaborate on how. >> yes, you're right. i referred to the fact we were notified march 8 of this year. i communicated protocol on the ninth, the vulnerability in the source software.
8:48 am
the emailed did go out for our protocol on the 15th of march, we did a scan and the scanned and not find the vulnerability. aman error, as well as technology error, both led to the ability for criminals to access what we call a web portal dispute environment. why wouldn't you have had more redundancies built into your system? why was it -- basically comes down to, one employee. it seems really hard to fathom. a company that specializes in what you do. mr. smith: the redundancy was a scanner ended -- and it did not work as well as it could. a standard process of identifying a patch, and going back a week later with a technology scanner. sen. thune: you said you fixed to that? can you elaborate on that? candelabra on further
8:49 am
steps equifax has taken since the breach. mr. smith: i will start and mr. barros can continue. we installed a new scanning technology to a new generation scanner. it seems to be a better scanner than the prior scanner. mr. barros: as you can imagine, it is my top priority. strengthening security systems in our company. we have done a comprehensive, top-down review on the process. we are strengthening all aspects of our operations. including our patching capabilities, enhancing and sureing our tools, to make we have an effective detected --
8:50 am
detection system in place. we have put stronger policies in place to make sure we have more redundants and closed loops. sen. thune: have you disposed of the data you no longer need? has equifax disposed of it? mr. barros: it is part of the process we're going through right now. how about in cryptic? mr. barros: whatever is necessary to do it. including encryption and all new technologies available to make sure we protect the data. sen. nelson: -- senator nelson. sen. nelson: we have had these hearings before. if we do not do something, we will be having a lot of these
8:51 am
hearings again. wonderingint, i am that there is no such thing as data security. when you think of a sophisticated state actor, such yourina or russia, companies cannot stand up against them. institutionson or that can stand up against them . . . . . . personally identifiable information, but the state secrets of our country . are critical infrastructure, as represented by companies such as ewers. there is -- such as yours.
8:52 am
there is going to be cooperation with a sophisticated player in the united states, which is the u.s. -- which is the nsa. otherwise, we, americans, will not have any more privacy. we do not do something and if you all do not do something to change this, we are going to be right back here on additional coming up on this same topic. ms. mayer, what do you think? you had a sophisticated state actor coming after you. you really think you could have protected yourself? robust defenses and processes are not sufficient protect against a
8:53 am
state-sponsored attack, especially one that is sophisticated and persistent. we at yahoo! cooperated with the law enforcement and brought these breaches and intrusions to the attention of law enforcement, each time they were detected. and the doj and fbi were of great assistance to the company in identifying the perpetrators and bringing them to justice. is anelson: but that admission you are not protected against a state actor.
8:54 am
>> we have to make sure we're changing our security systems to and keep up. >> that's a good intention. take it's going to take an attitude change among companies such as go tothat we've got to extreme limits to protect our privacy.s all -- you hold a
8:55 am
lot of financial guillotine over a lot of your customers by what their credit rating is. protected,a is not the poor little fella goes it and he's got it ready and he's got the down payment and then he can't get a because now, he's got something black mark on his credit rating that is not real theres been placed because of a data breach. can't close onla his house. consequences. what are you going to do about it? >> there's no dugout that -- securing databt is the core value of our company. apologize deeply to the
8:56 am
american public for the breach that we had. we let the public down. i'll tell you this, i do agree other panelist here and your point earlier, a combination cooperation between public private to address this issue is needing. any 12 years running company tracking the increase of cyberattacks. i talked about it. not unusual for any one given year to see suspicious activity unwanted attempted attacks of millions per year. mr. smith, didn't you describe equifax as the victim failed toompany secure the security theerability that led to breach? is equifax really the victim? i described victim of a're a
8:57 am
criminal attack. >> mr. wilkinson do you consider equifax to be a victim? >> senator i think a victim. there's been many victims in the case of these breaches. the criminal impact from hackers those enterprises creates them to be a victim in my opinion. >> well, do you believe that they had adequate security measures in place? >> based on my understanding of at breach that occurred equifax, we're talking about the fact patching security timely way,ies in a we've heard some discussion some in securityase stance they've had since the breach. these are the types of things suggest to you basically understand best practices. understand your
8:58 am
question. have hadnsider them to appropriate security protocols? >> having not patched i would suggesting that that was adequate security protocol. no.o the answer is equifax is not the victim. customers of equifax? is that correct? ifi believe both are victims my opinion. >> thank you. >> senator nelson. your writtenif testimony, one of your public private partnership on social securities. -- if your that also rethinkingapply to
8:59 am
use of passwords and user i.d. askers and i will mr. wilkinson to address this question also. mr. wilkinson,ny you talked about dynamic identities as a way to replace the social security number in modern age. a better to brazil as example where the government issuinge identity technology and issues some sort identity a fight last for three years. go to mr. wilkinson first and mr. smith. is that system working better for the consumer in brazil or is it just a helpful aspect but the job done get against this onslaught which
9:00 am
nelson described if his question. are two questions. youour first question, passports,ion use of identifiers as well as social security number. with static information like pass poured or social security number, you have frame work.ak which is why we talk about the for additional security. some of those tools need to be deployed as we talk about where we use social security numbers some of those tools need to be deployed as we talk about where we need social security numbers that forms the basis of our identity. in my written testimony i have additional of what we see other countries doing that i won't suggest to our best practices.
9:01 am
in some cases these countries have move todd to digital ident systems. we are moving to a system that worked probably 50 years but no longer is secure. the example you site from brazil is a form issued by the digital government that they could use for certain transactions, high security needs, digital signing requirements. it has limited life, in that case three to five years. the way they deployed that is more secure and provides the ability to be more resilient and what we are able to recover from in a breach like we talked about from eqifax. >> it is better protected under this system? >> they can be, yes. >> to a degree.
9:02 am
thinking it is secure we have outlived that concept. >> you suggestion legislation and it might be all five are legislation. we only have a minute and 23 left, but in general what would this legislation look like? >> i think the two key things that should be in data breach legislation are number one that it be a national framework so that we have one standard to comply with as we're responding to a data breach and number two it is really important that we get the right for when we notify customers. it is important to notify customers about information they really need but to make sure we are not notifying them so often and about so many things that
9:03 am
they stop paying attention. >> and would anyone like to take issue with senator nelson's overall conclusion that really against a state actor like we have seen, a mere company is just unable to with stand that without going to nsa. anybody want to disagree with that no takers? thank you mr. chairman. >> thank you mr. chairman. thank you for having this hearing. thank you to the witnesses for being here today. i think almost every american consumer at this point is aware of the unacceptable risks that right now are entailed in many of our business practices
9:04 am
concerning their privacy information that they expect and reasonably anticipate will be safeguarded by companies that do business with them and where they are customers. the equifax breach exposed the limits of the trade commissions ability to protect consumers and impose civil penalties on companies that treat our data with negligence and recklessness. even some of the most lax can be met only with apologies and promises to do better next time, not fines or other penalties or real deterrence that provide incentives to business executives to actually do better. the real deterrent will come when penalties are imposed on
9:05 am
executives like the ones before us today. and if the entities that hoeltd our data cannot be to protect it then the government needs to have the tools to not only go after hackers and fees but also hold companies accountable. common sense legislation i have introduced the data breach and enforcement act of 2017 would ensure that the ftc can investigate any data breach by any company or organization including nonprofits and can impose civil penalties that are actually sufficiently strong to implement strong security at the onset. in this area truly a pound of prevention is worth it. for many consumers there is no real cure.
9:06 am
when you were here last, i think it was the last time you were on the senate side at least you came before the judiciary committee and i asked you whether you could commit that none of your consumers would ever be required to go through arbitration you said understandably you were no lo longer with the company and you couldn't guarantee. i will ask mr. barros -- and i appreciate your being here tochltd can you guarantee no consumer will be required to go through arbitration if they decide to use one of your services or products? >> senator, i understand on the first product when it came out and was immediately removed.
9:07 am
arbitration is a tool used by the consumer industry. we have used that tool in the light of the law. we will continue to evolve in this process and examine the use of this process. >> and i apologize for interrupting you but my time is limited, as you understand. so this is one of those yes or no answers. can you guarantee you won't use arbitration. i understand all of the on the one hand, on the other hand comments that could be made but consumers expect they will have a right to go to court and have their rights vindicated there. can you guarantee you will not force them to use arbitration. >> i believe they have a choice. >> if they choose your products they not be forced into arbitration?
9:08 am
you're guaranteeing that? >> we use rules that have arbitration in place. >> do you know the difference between a credit freeze and credit lock? >> yes. i know. >> can you guarantee that the credit lock, if you use them will be subject to consumer protection under the state laws where consumers live? >> we understand that we use freeze and locks. at the end of the day for the consumer it provides the same result. the state law requires regulated process for you to obtain the freeze. >> the difference is freezes are regulated by states and locks are not. you're resorting to credit locks. is it to avoid state oversight? >> no. not at all. we did it because it's simple to
9:09 am
use. it's more accessible to use. it's easy to understand for the consumer. >> my time is expired. thank you mr. chairman. i hope we'll have a second rountd. >> thank you. >> thank you mr. chairman. thank you for being here. do you think consumers should be able to see the same information that their bank uses when the bank makes a credit decision? >> we have as an industry not done a good job how we play in this process. the information is provided by the don sconsumer when it's opea credit card. this is turning to -- most of the times a financial institution. >> i understand how it works. i'm just saying when the bank evaluates my credit worthiness they get a bunch of credit data.
9:10 am
do you think i should be able to see what they are looking at when evaluating my credit worthiness? this is probably also a yes or no answer. >> you have access to your credit report. you have access to your score. this is information they use -- most of the time they use to make a decision. >> it's the same information? >> a credit report is the same -- my score is the same as i have. they are allowed to see the information. >> you're telling me that the information that so called customer has is all that a bank is provided by equifax? >> i don't know. i know what i provide to the bank. >> you sounded like you want today credit. >> just if i may add something to it for clarification. if a consume ser going to a bank to apply far loan typically the
9:11 am
underwriter would pull a credit file. they also have access to the scores. i think what you're referring to is the banks don't just use a standard score. they may have their own score and that score is not discloseable to the individual consumer. >> okay. are we your customers? are the people that -- the people whose data was breached, are we your customers? how do you see that? >> well, we have -- we have customers that are small part of our business consumers.
9:12 am
you get provided the patch. your scanner doesn't work. executives cash out their stock. you start charging people to lock their credit or freeze their credit. you then start to promote through life lock -- you have commercials with life lock saying hey, there's been a breach. you might want to use this product. life lock subcontracts to eqifax. you guys continue to be profitable. for verizon and google and others if you screw up there is a customer relationship that is frayed. in the case of the credit reporting agencies there is no va ligs and that's the problem
9:13 am
here. your customers are not the people that with got harmed through the breach. do you want to respond through that? >> i think the biggest incentive is the obligation i have with the consumer to keep their data accurate and safe. >> right but that's not a fiduciary. i think you have an earnings call and you'll tloort things are starting to pick up or maybe even that you made more profit than usual in the wake of this problem. people back home -- and i don't mean back home where i live but back home where all of us live
9:14 am
cannot understand how the ceo of equifax and ceo of yahoo walked away with $27 million and possibly a quarter billion dollars in stocks. this is unfat thomable to the average person. i understand that you and i had an exchange where you said this was in the approximaproxy. i understand all of that. i'm saying regular people shouldn't understand that and they shouldn't understand how you harm consumers and walk away with the amount that a small city or county uses for their annual operating budget. it is why they have an obligation to not just drag you back and forth and wave our fingers at you. >> thank you. >> thank you mr. chairman. thank you ranking member. let me start by asking this question. let me set the premise.
9:15 am
my question is before the breaches occurred, what did you expect? what did you say to your executive committee or to your board of directors? what's the probability of a breach occurring at our company and second the follow-up question is what is that probability today? you calculated what the probabilities were. what that probability is it any different today than it was prior to the original breaches,
9:16 am
mr. smith. >> thank you. we have always ranked it as the most high probably. if we had a cyber security event it would be to the company. >> does that mean you would accept a breach in. >> the probability -- >> is high? >> yes. >> and is that any different based upon the changes you made at the company? is it still the same probability as it was prior to earlier breaches? >> well, we believe today we are
9:17 am
better than we were for one reason. we had to make significant investments and continue to do so. >> so how much more money are you spending today? >> significantly more. >> what percentage has occurred from the breaches that occurred in the past? >> well, we are expecting to have a specific spike on the cost. >> you spent 50% more today than you did before? >> easily. >> four times more. >> four times more. as a result would you say it's less likely that a wraech occurred than the probability of it occurring before? >> that's my understanding. >> what's the reduction of
9:18 am
probability? >> i don't have a specific number because we have a ser ri of actions taking place today. i can say today we believe it is better today than it was before. >> would it be better if you were spending instead of four times more six times more? >> we are acquiring new tools to make sure it happens. we have been advised to make sure we have a sequence. >> would yahoo! answer this? >> we have to become sophisticated! would you have predicted a breach before it occurred? would you expect a breach? i expect the answer to that is no or you would have been doing
9:19 am
more. >> i will say we took significant efforts and inestment to increase our security which included increasing the size of the team by two. we empowered our users into yahoo! account key. we increased our inkripgs we used. we introduced a bug bounty. so we took extensive actions. >> is the probability of a breach less today than it was prior to your acquisition of the company? >> we don't kul late the
9:20 am
probability of a breach. >> are customers more secure today than they were prior to the breach? can a customer expect that it will have less expectation that their data is at risk earlier than the breach? >> i can tell you verizon has aulsz taken security very seriously. we are bringing that same intensity that we have always brought to any new acquisition including yahoo!. >> what seems to be missing to me is the assurance that a customer should have a sense that they are safer today than they were before. i don't have any assurance to any of the response from my questions that that's the case that we ought to be just as concerned today as prior to. what i hear is that we are taking all of these steps.
9:21 am
every other company that's in the data business is just as vulnerable as you have been and are today? >> i would point out that the list of efforts are ongoing defenses in addition in response to the breach we took significant steps causing users to change the attack surface area of our systems. >> and i should feel how much better that my data is safe?
9:22 am
>> there is no question the users are better protected today because they were remediated for. >> are you spending all of the money necessary to increase that protection? could they be safer if you did more? >> i am no longer with the company but i would say during my tenure that was the case. >> and the security, exactly right, the security teams would tell you their job is to defend you against any and all attacker and that's what we are try to go do. >> and the company providing them to do that goal? >> yes.
9:23 am
>> thank you. >> certainly for the yahoo! incident. i'm not trying to -- on the telecome side but for the -- absolutely. >> thank you. in the absence of the chairman i recognize senator. >> thank you. i want to start with a question of the panel mr. barros and mr. smith in particular. i want to ask if you have any information today about who possesses the personal identifying information of about 145 million americans and what you believe they intend to do with it. can you identify to me if any of
9:24 am
you have that information today in. >> no. we have no evidence. >> the only thing i will add is we engaged on august 2nd. >> in our experience in the vast majority of these bleaches everyone owns this data because it is out in the public. >> thank you. >> so we all know that the equifax breach compromised the information of more than 145 million americans and we really can't even begin to know what ramifications this failure will have to the families and individuals that are impacted. and i think it's clear that equifax needs to do a lot more than it has to help victims respond to this breach. mr. barros, will you make a
9:25 am
commitment right here and now that equifax will notify every person who was impacted in this breach? yes or no? >> we have been notifying. we have been working with consumers. we have improved our web page to make sure social media is active in that moment. we have been working with consumers and i have a team working every day to make sure we engage consumers to do so. >> and state law demands you to do so. where it doesn't are you going to reach out to each and every individual that you believe was impacted to let them know? >> we will execute. >> we are actively to ensure
9:26 am
they -- [ inaudible ] >> people would have to go to the equifax web site to find out if they were impacted. how many people have gone through this process? >> as mr. smith mentioned we had -- for a period of time we had close to 400 million hits. >> do you know how many -- >> 30 million. >> out of 145 million. you mentioned call centers in your testimony. where are equifax's call centers located? >> nevada in las vegas. >> the two major operations in north florida and one in las
9:27 am
vegas as well. >> are there any outside of the united states? >> we use as a surge we use call centers in costa rica and all parts of the world. >> what other parts of the world? >> malaysia, india, it depends how the demand goes. recent have been here in the u.s. >> most of them? >> yes. >> out of the surge. i'm sorry, out of the surge. when we have a surge we use the capacities that we have. >> equifax is offering monitoring through january 31st, 2018 will you free monitoring for life?
9:28 am
>> the first service that was availab available, that was for a year. so if you enroll until january you have another 12 months to use that has been described. the new product that we put in place where consumers can lock would be available. >> and monitoring? >> we don't have a monitoring at this stage. >> victims of this breach will really need to be able to control access to the reports from all three credit agencies to fully protect themselves. the other agencies charge between 5 and $10 for each and every freeze. will you be offering rebates to
9:29 am
the victims to cover their freezing costs with the other reporting agencies? >> senator, i believe that the resolution has to be one that protects the consumer, has to be sustainable, industry driven and work with the government to make sure we reach the consumers to execute that. we take our first step forward which was to offer a service that consumers can check and lock and unlock their credit data for free and for life. we want to work with the industry to make sure that we have a similar capacity to do it. >> mr. barros, your firm completed an internal review by four enjor equifax prior to public disclosure of the breach and hack. the special committee report found that none of the four executives engaged in insider
9:30 am
trading. the report failed to mention that equifax's chief legal officer approved some of the stock sales on the same day that he called the fbi to alert it that the company had a problem. it took mr. kelly two more weeks to inform the executives that they were no longer allowed to sell stock. this is totally inappropriate and yet the report does not even mention mr. kelly and he still works fortune equifax. i would like to ask mr. barros and mr. smith, do you believe mr. kelly's failure to act was appropria appropriate? >> i think it's not my perspective to provide -- the board has actively inconclusi
9:31 am
inconclusively in a correct form. the board is still -- the committee continues to investigate, to review the process as it relates to the cyber security indent including policies and procedures. >> there is a full investigation by the independent directors of the board. you saw the report. it was published earlier this week or last week. the second thing i would say is it's not unusual for us to engage outside forensic experts or the fbi. i mentioned earlier to one of the senators we have 3 to 4 million suspicious activities around the world. it's not unusual. he didn't engage fbi. it was the security team. it is not an unusual step in itself.
9:32 am
>> thank you senator baldwin. >> thank you. and first of all let me say thank you chair and the ranking member for holding this hearing. i appreciate that. let me start with equifax. i'm from nevada and 1.3 million were impacted by this breach. we received over four dozen letters. let me give you an example. she said no citizen has a say. i did not choose equifax for did my husband or any of my children. equifax did not do enough to store my information. i want to drill down into the data that is collected. i think part of this is the data collection and we should be looking at that. equifax, my understanding of the
9:33 am
145 million consumers, the data that was collected was names of those consumers, social security numbers, addresses, birth dates, drivers license numbers and credit card information, is that true? yes or no? >> in some cases, yes, some cases no. >> what other data do you collect other than the data i just identified? >> there was a fact that included -- most of the data included social security numbers, names, date of births and that's it. zb what other data do you collect? i will ask for the record. if equifax could provide me with that. does yahoo! collect drivers license numbers? >> not that i know of. >> it happens all of the time. we are all getting pinged.
9:34 am
companies getting pinged. we have heard it -- from what i have heard cyber security is a global challenge. when you fail to do that the enforcement should be swift and consumers should be notified and there should be restitution. we haven't had the discussion ton data. to me that's what this is about. even those individuals you work with now and those consumers that had credit locks and credit freezes their data was still breached, correct? >> could be. >> right. that's what they will go after, that social security number. i see mr. wilkinson is nodding yes, is that right? >> yes. >> shouldn't consumers be able
9:35 am
to say i will opt in or opt out? don't you agree? >> this is the way the committee works. when the consumer works -- >> the consumer does not have a choice ton data you are collecting. quite frankly the credit reports i get do not tell me all of the data you're collecting, isn't that true? >> the credit reports we have -- >> that's true isn't it? >> i was attorney general for eight years. identity theft across this country is through the roof. every day we dealt with somebody whose identity is stolen. now for the rest of their lives the woman and all of the people i hear from nevada of the 1.3 million people, they are going have to clear their record for the rest of their lives.
9:36 am
people will commit crimes in their name. believe me, i have seen it. they are spending the rest of their lives clearing the record in their good name. that's why this is so outrageous. i think you have an obligation to look at the data you're collecting but make sure if there is a breach you're doing everything you can do bring restitution to those individuals whose information is stolen. let me talk to you, mr. wilkinson, you talked about social security numbers and the idea that now we have to look at a different way of identifying the peii. i'm very curious if you have anything specific on what we should be doing when we are looking at that security that is shared and collected. >> well, the first thing has been noted a few times. in the case of this most recent breach items of personal information was leaked. when you combine this we are
9:37 am
getting very close to all of the personality information that's been breached in some way. the question applies, what are we trying to protect at this point? in the case of some of the financial breaches three years ago we testified on behalf of, at that time i think that's good point to compare and contrast with what's happened and that's the financial payment system is reasonably resilient. despite the case that it with was a burden for consumers the ability for consumers to have a new card reissued and be back in business the ability to do commerce is relatively well known and relatively resilient. the issuers of those financial cards and so i think looking to
9:38 am
some examples like what we see in financial payments is an example of a more resilient testimony in this form of identity today. identities are out there. i continue to reenforce that our position is that we believe that a more resilient identity needs to be brought forward. there are several examples. >> and i know my time is up. let me say this, our identities are out there. some it is too late. to our kids it's not too late. we have to look to the future and protecting their information as well. so it is something to me that it's not static. we have to continue to figure out how to address this issue. if we will talk about the government coming up with something different. i do agree with you that there should be a public/private partnership. we have got to figure that out for the benefit of the people that we are taking their data and they have no choice that
9:39 am
companies are taking their personal information and then they get stuck for the rest of their lives dealing with the results of a breach. so thank you. >> thank you, mr. chairman. good morning to all of our panelists. this is a question to the panel. although the most relevant example that we can call on is response from equifax there are state by state laws to notify individuals when there are security breaches of their personally identifiable information. these laws represent the lowest amount of communication required. i'm interested in what companies are deciding to do to help notify and help the consumers effected by these breaches. so we could start perhaps with mr. smith and mr. barros. i know you both stated equifax
9:40 am
has taken big steps in their interaction with your company. many of those seem to have come only after public outcry to your initial response. can each of you elaborate what you and your companies take into account when determining steps to notify and remediate the damage done from data breaches? >> senator, if i may start and if you want to add on, the notification process we took very seriously the state require ms as far as time and notificati notification. >> and i'm asking beyond that because those are minimal. what are you deciding to do beyond that and how do you -- what considerations are you making? >> well, one of my top priorities has been consumer response. on the consumer side we definitely made our call centers
9:41 am
more scaleable. in other words you can have access within three minutes and have a response back. >> but i'm also talk ability your efforts to notify consumer beyond the requirements that state law for instance gives you. >> right. with the amount of hits that we have had we have been working with consumers to mike sure they use the services we provided for free and we continue to do it again we'll introduce our lock and unlock free for life. >> and mr. smith -- >> and the process we did use was one legal and acceptable. it seemed like it worked. -- >> again, we can -- that isn't my question. i want to get to the other panelists. i'm asking for now regardless of state laws you have to follow it. what are the factors that you are considering when you decide when to notify a consumer? if any of the other panelists
9:42 am
would like to answer it it would be helpful. >> yeah. at yahoo! we generally took a proactive stance which is to say yes, laws vary from state to state. if user notification was required any where we did it everywhere. >> yes, ma'am. >> yes, at verizon first we always look at what the law requires but then we look at what we think is the right thing to do for the customer. if in a particular situation we think it's the right thing to notify the customer that's what we do. >> thank you. >> our company doesn't hold consumer information so it's not applicable. >> i didn't think so, but just
9:43 am
checking. >> i want to follow up with mr. barros about credit lock and credit freeze services. places a freeze is one of the ways consumers can protect themselves. equifax said it will waive the fees in response to the major data breach earlier this year. i believe you stated in your testimony that it will offer consumers the ability to lock their credit for free. can you please share with the committee the legal differences between a credit lock and credit freeze in terms of consumers rights and protections and who has access to a consumer's credit report when it is frozen versus locked? >> fundamentally there's no difference between a lock and a freeze. when you freeze you use a regulatory process to do it.
9:44 am
you make a phone call, identify yourself, you get a pin and you're ready execute a freeze or not. when you do the lock is the simplicity of the process. in financial institutions they are trying to get to your file to to open an account. >> i think some would disagree that there's no difference in a freeze or a lock. one thing i would follow up with you is the degree of fees equifax gets for consumers unfreezing or unlocking their information. >> thank you. >> thank you mr. chairman. thank you to all of the pan panelists for being here today. i want to start with a question to mr. barros.
9:45 am
has any of the information that was breached, drivers license, social security, birth dates, credit card information, do you have any information that any of those customers or folks that you had whose data was breached has been misused or did you have any indication that somebody was using this data to make other purchases or other things of that nature? >> to the best of my knowledge it is premature to make an assessment that has been used already. >> what about in terms of yahoo!? did you have any indications at yahoo! that an individual's data had been misused? was that a retd flak that was brought to your country? it notified if we saw any
9:46 am
indication that it might be accessed? we rolled that out in 2015. so they are notified at any time. >> so in light of the fact that you said all of this information is out there in general probably we would have to assume that? does it surprise you that none of this information that's out there has been used in a way that anybody can detect at this point? >> yes. it would surprise me given the time frame that we are talking abili about. >> mr. barros, you mentioned in terms of how individuals were contacted, noting that obviously yahoo! has a direct communication with customers through their e-mail accounts. all of the data that's collected here does not seem to indicate any kind of e-mail address or
9:47 am
phone number that you can send out a mass warning signal. so your customers basically have to opt in to find out. you said you have been out telling him ways to do that. will that change your profile in terms of being able to have more efficient and wider spread way to desimilar nate information to those of the folks of information that you're collecting? some kind of a communication tool with all of these individuals? >> it frustrates us. as i said, we have improved significantly our web site. it is much more friendly. it is easier to access. we have phone numbers for those who ask questions. our web site has phone numbers as well. we are doing this through social media and inviting people to
9:48 am
talk to us and making sure we can direct them to the right solution. >> i can tell you one of the ways people want to talk to you is when they get their credit report and they see something they don't agree with. i think that your company through the years and the credit bureaus in general realized it is a problem if there's a false industry on their credit report especially if it is one that knocks down their credit rating. i'm sure -- i know that happens frequently and i know you try to reach the consumer. i would hope that having myself to do this and how frustrating it is to get through to whoever i was trying to get through to equifax or which of the other two to try to register a compla complaint and work through the process, very time consuming and difficult. so i will assume those processes
9:49 am
are tightening up particularly in light of this security breach we have seen at your company in terms of consumer friendliness. >> right. it's one of the top response to consumers. we are making sure we have a bet are way to communicate with consumers. >> and i'm also interested in your proposal to lock your information as an individual that you said you would have on stream in january at cost free where the customer could opt in and then opt out, unlock and lock their own personal data. how does that work in terms of your business frame work? if a consumer locks the data out are you then locked out to reporting to your customer how that customer's data would influence their credit rating in terms of purchasing a home or something like that? >> the objective that we have when we designed the service was
9:50 am
to make sure the consumer had the power in their hands to lock and unlock their file. >> so when they have a locked file it's locked from you, to anybody? >> yeah. nobody can have access your personal information. i have heard it said that this is consumer information. this is personal identification information. can you tell me who owns the information that you provide to your clients, customers? >> according to the existing regulatory framework we own the information. >> does the consumer have the ability to say i don't want you to have that information? >> they have the opportunity today to lock and unlock,
9:51 am
therefore not allowing anyone to have access to it. >> do i have the ability to say i don't want equifax to have information about me? >> i understand, from the regulatory framework we have today, the consumer cannot exit out. >> the answer is no. i, as a consumer, apply for a credit card or bank loan. that institution then provides it to you and i have no ability to stop that from happening. >> you can lock and unlock your file. >> the answer is no, i can't stop that and, no, i can't prevent you from getting it. whose information is it? is it my file or your file? whose file is it? >> according to the regulatory perspective, i have the information. >> so it's your file, not my file. so all the information about me, all the consumer information i produce, all the data, everything that i own that defines my life, i have no control over that. is that correct? other than you've got it and i can tell you whether i want you to give it or sell it to
9:52 am
somebody else. >> this is how the industry framework -- >> i get it. i get it. do you think it's right, though? >> i think it's not my perspective to say it's right or wrong. this is the regulatory perspective that we work under. >> who owns the credit card information that you have on me? that's you, then, at that point, correct? >> i have a trade line on the credit card information. >> do you think consumers should own their data? >> i think my perspective -- >> miss mayer, should consumers own their data, their own information? >> yes, i believe they should. >> should we be able to control our own information, mr. barros? >> this is the effort that we're making to the process, really they should control the information. >> you're saying by putting a lock or unlock that can be hacked by somebody is consumer control. >> when you lock and unlock your file, nobody can have access to
9:53 am
your file. >> would you support a mechanism that allowed consumers to say, i don't want that information to go to equifax, experian, transunion? >> this is a decision that's digger than our industry. we need to understand how the economy will behave on that perspective. >> it's my understanding the data access through the consumer dispute portal was not encrypted at rest. is that correct? >> correct. >> if that -- if the answer is yes as you said it was, was the fact that this data remained unencrypted at rest the result of an oversight or was it a decision that was made to manage that data unencrypted at rest? >> there are multiple tools we use. used to use. i was there to secure data, encryption at rest, encryption in motion, tokenization. masking, fire walls. multiple layers. security encryption is only one. >> a decision was made to leave it unencrypted at rest. >> correct. >> mr. barros, since you took
9:54 am
over as part of your internal response to the breach, have you directed the company to encrypt such data, or have you been recommended to encrypt such data so it is encrypted at rest? we have done a top-down review. comprehensive top-down review of the security situation. we use outside companies to help us with that. pwc. we are strengthening -- >> yes or no. does the data remain unencrypted at rest? >> it will be part of the process that's being reviewed. >> yes or no? does it remain unencrypted at rest. >> i don't know at this stage. >> this is the reason it was breached, correct? this data was unencrypted. >> encripplyption is one format defense. we have several formats in place now that can prevent this to happen. >> data remains unencrypted at
9:55 am
rest. >> we have deployed several different tools, and encryption is one tool. >> senator, if i may. it's my understanding entire environment in which this criminal attack occurred is now much different. it's a more modern environment with multiple layers of security that did not exist before. encryption is only one of those levels of security. >> there are other experts. privacy experts. is it reliable and safe to leave the data unencrypted at rest? >> certainly, as mr. smith noted, encryption is one of the tools, but certainly, from our company's perspective, a very important one to be used for data that is -- data of this type that is of high value. >> so your answer is it is -- >> yes. >> -- irresponsible to leave this unencrypted at rest? >> other segments of the industry, i mentioned examples of payments ecosystem, have
9:56 am
requirements around pci requirements that require this information, credit card data at retailers and things like that to be encrypted. in this case it was not. >> mr. smith, i know my time expired. if i could ask one more question. when specifically did you notify the other credit reporting agencies about the breach? >> senator, we notified them when we notified the public. >> so the public and the other -- that was around august. can you give me the date again. >> september 7th was when we -- >> the breach occurred august 2nd. september 7th? >> we saw suspicious activity on the 29th and 30th of july. notified the fbi the 2nd. >> i'm sorry. that was the 2nd. >> that's when we notified the fbi and went public on the 7th of september. >> that's when the other credit rating agencies also received that information. >> that's when we went public with the entire breach, yes. >> thank you. is equifax currently under investigation by the department of justice or sec? >> there are multiple investigations. >> thank you. >> thank you, senator gardner.
9:57 am
senator young. >> thank you, chairman. i thank the panelists for being here today. miss mayer you were ceo at yahoo in the 2013 and 2014 breaches. you testified today that the 2014 breach was state sponsored but you have not concluded that the 2013 breach was state sponsored. is that correct? >> we have not been able to determine who perpetrated the 2013 breach. >> thank you. you testified today you didn't learn of either data breach until 2016. is that correct? >> i learned of the breaches at the scale reported in 2016. >> what does that mean? >> in december of 2014 we saw a russian intrusion in our network, and we saw 26 individuals, all with russian connections, political interests in russia, with accounts
9:58 am
compromised. we notified the fbi, and we put in place a special notice for those users that had to be dismissed by user action to make sure they were aware that this had happened. >> thank you. is it correct that you didn't learn of the 2013 breach until 2016? >> that's right. >> okay. what sort of information can you provide this committee that supports your claims? that you didn't learn of the 2013 breach until 2016? >> our board formed an independent committee. they have reported on their findings. >> okay. that's all publicly available? >> yes. >> okay. thank you. mr. smith, mr. barros, former and current ceos of equifax, i am grateful for your presence today. i represent over 6.5 million hoosiers. 3.8 million hoosiers, 3.8 million hoosiers, 60% of indiana's population, was impacted by equifax's data
9:59 am
breach. can you see why they feel like companies like equifax don't have their back? yes? >> yes, senator. >> okay. one of the tragic things about this whole episode is that many of these hoosiers, many americans, won't discover until a number of years down the road that there was, in fact, a data breach. a single mother of a few children gets a new job in gary, indiana, goes to buy a car because this job requires her to drive, and she finds out her credit has been ruined. what is equifax going to do to remedy the situation for that single mother? >> let me jump in first. that was the idea behind the lifetime ability to lock and unlock your file. we talked about it in four prior hearings. if it's locked, senator, you don't have the ability to go rent a house falsely in your name. or rent an apartment. get access -- >> that's prospective.
10:00 am
and prophylactic, defensive. seems like a good thing to do. let me return to that momentarily. i will say, you know, we have had these massive data breaches, and it is an affrontry to the basic sense of fairness that most americans that the top executives leave with tense of millions of dollars. when i see the united states navy, just fired two top officers in the pacific on account of some sailors who died in the wake of the "uss john mccain" situation. and they were separated from the military service because of a loss of confidence. i think this is an issue that we collectively, in congress, need to start discussing more seriously, if -- if the titans of free enterprise here in the united states of america don't
10:01 am
take more seriously -- talking about boards as well as executives -- when things like this happen. it offends the sensibilities of most americans. can you understand that? why that would offend the sensibilities of americans for them to be on the receiving end of a data breach and within months somebody leaves with tens of millions, maybe hundreds of millions of dollars? >> i understand your point, senator. as i said in prior testimonies, i have left with nothing except the pension. i asked for nothing. i waived my bonus. there is no equity coming next year. i am working for three to six months as long as needed for he free in an advisory capacity. what i am walking away with, which was disclosed in the proxy, is my pension. >> miss mayer, you don't need to answer the question. i don't need to personalize it. i'm talking culturally in this country, big business. i would like to touch on something else.
10:02 am
the idea that credit reporting agencies moving forward will give consumers the right to request a locking of access to their credit files at no cost to them. can you pledge, mr. barros, that five years from now equifax won't be charging consumers to lock and unlock their credit files and would you be opposed to congress implementing a law today that states unequivocally that industry can't charge to lock or unlock an unlimited number of times each year? >> thank you, senator. i think the proposal that we have put forward which should definitely -- we expect to lean in that direction where consumers can lock and unlock their files, it's free for life. this is a commitment that equifax has made. and they're definitely welcome to a conversation with the rest of the industry and the government. >> thank you for that. thank you all. >> thank you senator young.
10:03 am
senator cantwell. >> thank you for holding this hearing. we have had several larger commerce committee hearings on cybersecurity. certainly had some in the energy committee, and i think homeland security has had some and the armed services committee has had some. now is the time for us to be very serious about passing legislation as we did out of the senate that would help us fight the issue of cyber crime and particularly help strengthen our critical infrastructure against state actored attacks. as miss mayer mentioned. these are not the only things being attacked. networks at nuclear power plants, pipelines, a whole variety of things. as we continue to grow the economy of the internet of things, the hearing we just had i guess that was yesterday, we also heard about how more devices and more connectivity means more data entry portals for people to attack. so i hope our committee will
10:04 am
join the efforts to get cyber security legislation over the goal line this year. i think it's not too soon to act. i too want to bring up that there are 3 million washingtonians who were impacted by the equifax, according to my information. it's my understanding, mr. barros, that a patch was available that was not implemented, like a basic hygiene issue wasn't followed. is that correct? >> that is correct. >> why can't mr. barros answer that question? because he doesn't know? or because -- >> he was not in the position at the time. >> okay. >> yeah. i came to the position six weeks ago. this is my understanding. my understanding is the same as being deposed here by mr. smith. what happened was a combination of human error and technology. he defer to him because he actually lived through the process. >> what was the technology error
10:05 am
if a patch was available and was not implemented by an employee? we have to do both. the issue of cybersecurity is here. it's a national security issue, it's a consumer issue. it's a future issue on identity theft and the ability for individuals to protect the things that they hold dear. so we have to do both. we have, at the federal level, up our game and make sure that we're making investments to help on critical infrastructure and what do we need to put together on an international basis to get people on the same page in fighting cyber crime. at the same time we need to make sure everybody gets hygiene and that the hygiene of your day-to-day business and even your home computer and everything else is going to be a critical aspect of the world that we now live in. so, i want you to know and be
10:06 am
able to speak to the fact that, you know, one individual failing to put a patch in place caused this much damage. >> we have done a -- since i got to this job, my first priority has been to harden our security systems. we have done a comprehensive review of the process. including our patching capabilities, improving our tools, updating our tools, making sure that they are detecting processes much more up to speed at this stage. we have changed the policies. we have changed the policies to making sure that we have redundancies and close looks in place to improve the accuracy and precision of our execution. >> is it good enough to have voluntary safeguards for the industry, or is it time to have something more stringent? >> i understand the safeguards that we have.
10:07 am
i think they provide the scope and we complied with the scope before. the industry is ahead of that in many perspectives, deploying new tools, using new tools. definitely welcome the conversation. >> i would say that we need something more at this point in time, that if on the hygiene issue one employee was able to miss something as critical as this and put so much data at risk, that we need something to make sure that this is implemented. anybody else on the panel want to answer that question? mr. wilkinson? >> the vulnerability that we are speaking about, not that you want the specifics, was called the apache struts. we were aware of it in march. we became aware of it in march publicly. this is a zero day vulnerability. these types of vulnerabilities
10:08 am
are serious and they have been more often than we would like to speak about. when we become aware of zero day threats our needs to react to the threats is quick and has to be conclusive. this is something that we're going to continue to see. it's not new. it's not -- it's going to continue to happen. this concept that you continue to speak about, senator, of cybersecurity hygiene is a very important one because i liken it a little bit to locks on doors. we can speak for a bit about the fact that, no matter what we do, there is still vulnerability in our ecosystem and still the possibility that we'll be breached but some of the processes are frankly like locks on your door. that's not going to protect you against all crime. you can still put a lock on your front door. it's good cyber hygiene which includes things like reacting quickly to zero day threats. >> exactly. that's my point impactlexactly. you just explained that you have to have -- we have our national labs working day and night
10:09 am
against the unbelievable amount of at a it be -- of attacks happening every single day. we have the effort to try to get a skilled work force that this committee had a hearing on. we need companies to follow hygiene with great religious fervor. if state-owned actors are going to continue to hack, we need to do something. we need the companies to follow a hygiene and be very religious about it. thank you, mr. chairman. >> next up, senator peters. >> thank you, mr. chairman. thank you for putting together this hearing. this is an incredibly important topic, and i think it angers most folks as they hear about this incident and the impact that it's going to have on over 140 million americans, in the case of the equifax breach, over 4 million in my state. i just want to pick up, expand a little bit before i ask some questions, on senator cantwell's
10:10 am
questions to mr. wilkinson. my understanding, i just want to be clear of this -- this was a vulnerability that was discovered. a patch was created, the information went out. and that means, what my understanding is, when these go out, bad guys find out about them as well. you are basically broadcasting that there is a vulnerability that people can figure out pretty easily. at least some of the experts i've talked to have said, this was not a sophisticated hack, it was a pretty him am hasimple hae road map was pretty much put out for folks to take. we have had discussions had national or state actors, highly sophisticated networks. this was basically a road map was put out for the bad guys and they jumped in and got in. is that correct? >> it is. i think it goes back to the discussion of when -- when zero date threats are publicized they create a bit of a road map for
10:11 am
the bad guys, as you said, which is one of the reasons why the need to respond quickly to close down those types of threats in your ecosystem is very, very important. >> right. >> it's best practices. it's good hygiene. >> i just want to paint the picture for the american public to know. basically a road map was put out for all the bad guys who want to do us harm. that there is a vulnerability. we have a company with some of the most sensitive personal information about each and every one of us and, as we heard from testimony earlier, we don't have any choice in the matter, companies can collect all this information, and they don't even take the time to look at a road map that has just been put out that there is a breach. i can't think of a clear definition of gross negligence anywhere. a company that has been entrusted with this most sensitive data and customers didn't have a choice for you to
10:12 am
hold it, you are holding it. i didn't ask equifax to have that information. you're holding that, and you don't take the precautions when a road map has been put out. the other question to you, mr. wilkinson, after a breach has occurred, oftentimes a criminal may wait some time before using the data? >> absolutely. >> so this may be a while before we actually see it being used. >> yes. >> in your professional opinion is there ever a point after a breach, especially one of this magnitude, where a consumer could no longer fear the formation of fraudulent accounts that could be used against them? >> no. this goes back to my original comment. this type of data being out in the wild, if you will, is forever now exposed and will never be credibly used for secure identity again. >> so we have to worry about this the rest of our lives. >> yes. >> we have to worry about this the rest of our lives. mr. barros, you mentioned that
10:13 am
there is free credit monitoring for one year. is that correct? for folks who may have been victims of this? >> sorry. it started in -- since we announced the breach on september 7th, we extend this until the end of january. and after that point you still have 12 months. >> why only 12 months when we have heard that we have to worry about this the rest of our lives? >> i strongly believe that this -- the action that will come out of this has to be to protect the consumers. >> for one year. why not for the rest of their lives? >> the product that we have offered today is a step forward in that direction where the consumer can lock and unlock their file. it's free for life. >> that's only with your company. this information, as we heard, can now be used with any of the other -- access to any of the other credit reporting agencies. there are all sorts of avenues now that you can basically use this information to create a false identity. you are saying that your response as a company, you can
10:14 am
lock your credit with us going forward, but you still have vulnerabilities with all of the other agencies. they'll just go to -- this is pretty simple if you are a bad go. just don't go to equifax. go to one of the others. i have the keys to the kingdom. i'm going to go other places. we have to create incentives to stop this type of behavior and to make sure people put the highest standards in place. and certainly, gross negligence should never be acceptable. to me, what we need to do is from an incentive standpoint, if you are giving information of mine and i did not ask to have the information given -- i understand you make money when you provide information to financial institutions. you make money on my information which i have never asked you to use. at a minimum you should let me know. you are making money off of that information, and i should actually give you permission to give my information out. if you're going to make money, i don't understand why i don't have the ability and the tools for any kind of agency right now
10:15 am
to be able to make sure that i have control, as we've talked about. it should be my information that we control. so, you know, i am out of time right now, but i think, you know, this raises a host of major issues related to privacy and control of data. and right now we don't have the kinds of incentives to get companies to really protect that information. you profit from that information. you don't protect that information. you allowed a simple, unsophisticated hack to have access to 140 million people's most private information. there needs to be some strong liability. companies that do not protect information and jeopardize americans for the rest of their lives need to be subjected to strict liability and need to be stepping up and making sure that those consumers are protected for the rest of their lives. hopefully that's something we can consider as we move forward in this committee. thank you so much. >> thank you, senator peters. senator markey has returned.
10:16 am
>> mr. chairman, the public wants us to do more to protect their privacy and security. yet, earlier this year congress formally rescinded the federal communication commission's broad band privacy and security rule which insured that broad band companies like verizon adopt reasonable data security protections. these protections ensured the providers implement up to date, best data security practices, provide appropriate overnight of security practices. properly dispose of sensitive information and notify consumers within 30 days of a breach. verizon opposed these probes protections and played an instrumental role in ensuring that they were, in fact, repealed. providers like verizon argued we need a light touch regulatory framework like those governing
10:17 am
websites like equifax and yahoo. well, three billion yahoo account users and 140 million americans have now learned that light touch means hands off. light touch means no protections. light touch means free rein. now, because of congressional action, free rein for broad band providers like verizon to collect, use, share and sell consumers' most sensitive information without their consent is the law. free rein to allow reasonable data security protections and avoid promptly notifying consumers when their sensitive information has been compromised. ms. zakaria. your testimony says security has always been in verizon's dna. during the hearing today you stated that verizon would support national data security
10:18 am
legislation. but verizon vigorously lobbied to eliminate these breach notification protections. how are the two positions consistent? >> senator, verizon believes that there should be a single national framework when it comes to data security and privacy. we do support legislation in both of those areas, and we would be very happy, as i said earlier, to work with your office or other members of this committee on what that legislation should look like. but we do think that there should be one overarching framework and the cra was not that. >> well, here is where we are. now we have nothing. you know. now we have nothing. so you repealed the law that actually required that there be protections. now we have nothing. and from my perspective, you didn't have to repeal one of the most comprehensive data security and privacy frameworks to
10:19 am
develop a national data security framework. you could have advocated for congress to give the federal trade commission the authority to prescribe data security protections to websites as well. instead, verizon opted to eliminate the rules altogether. so that's the problem that we have right now. that we had very strong, you know, data security and privacy protections that were on the books. and they were removed, as part of a cra. vote on the floor of the senate and the house. earlier this year. so, as we sit here, we hear concerns about the needs to have legislation. we had it. we had it. and it was going to actually work. in terms of ensuring that we would have those regulations that would be put on the books. but instead, we don't have
10:20 am
anything. so i guess, in retrospect, do you think it was in the public interest to eliminate these data security and breach notification protections? ms. zacharia. if you could go back in time would you still remove those protections from the books? >> yes, i would. >> we had it. you advocated strongly to remove the protections. okay. that's what you did. even today you are not -- you are not regretful at all. okay. but that's kind of the environment within which we're working right now. that's where yahoo was and the other companies over in ftc land. we had a strong regime that was in place and going to be made even stronger. that's what the american people want. they want real teeth to be put into these laws. they want accountability from the private sector in terms of the guarantee that there is real security around this data that
10:21 am
goes to the very identity of who people are, as citizens of our country. instead of toughening those laws this year there was a weakening, a serious weakening. and i think ultimately we're going to pay a big price as year after year goes by, because ultimately it's not talk, it's going to be action that makes the difference. and those actions had been taken. they were on the books. they were starting to put a little teeth into the protections and now that is gone. thank you, mr. chairman. >> thank you, senator markey. obviously some of us have a difference of opinion on that subject. i think there are ways that we can address data breach that don't specifically have as their principle objective enriching class-action lawyers. i do think, rather than rehashing that debate, we ought to be looking at what we can do to prevent breaches, ensure that government enforcement agencies like the ftc which can help make
10:22 am
consumers whole have the tools to hold bad actors accountable. next up, senator duckworth. >> thank you, mr. chairman. thanking the ranking member for convening this important meeting. as today's proceedings made clear shall the harm caused by the massive data breaches is incredibly far-reaching. i just wanted to take a moment to highlight how both states and federal government entities rely on these agencies such as equifax for services, for credit monitoring -- for credit services. for example, equifax's loss of millions of social security numbers endangers the well-being of our nation's veterans who receive v.a. disability benefits. now, at the current time, the v.a. allows veterans to use a wide variety of methods to interact with the department, if a veteran is not comfortable going online, he or she can actually manage their disability benefit account by fax. so, for example, a veteran can fix -- can fax a request to
10:23 am
change the bank account into which their v.a. disability benefits are deposited, and those changes will be made if the form includes a social security number that matches the name of the requester. this policy and process was likely created in an era when your valid social security number could serve as an effective authentication tool. obviously that is no longer the case. so my initial questions to you, mr. barros and mr. smith, is simple. following equifax's loss of millions of social security numbers, what concrete steps did the company take to notify government agencies and specifically the united states department of veterans affairs, of the urgent need to strengthen authentication policies to prevent service disabled veterans from having their benefits stolen? >> we have -- my team is actively working with the department of defense. veterans association, veterans administration. cfbp, the senate to make sure that we enhance the
10:24 am
communication process and have solutions that we allow the focus to be informed about how to protect themselves using our services. >> when you went public with the information on the breach, when did you contact the d.o.d. or department of veterans affairs to inform them of the significance of the breach and what they would have to do to strengthen their processes? >> this happened when -- i can say what i did. since i got here, i asked my people to make sure that they contacted d.o.d. and veterans associations and they have done recently, a few weeks ago. >> just a few weeks ago. >> yeah. >> so, was anything done, mr. smith, do you know? was anything done when the breach was known and when it became public? >> specific to the veterans? >> specific to government agencies in particular but --
10:25 am
specifically to the u.s. department of veterans affairs and to the department of defense. >> not that i am aware of. >> so you just left our veterans exposed. >> i am saying not that i am aware of. >> i would like to know. so please find out and provide me with that information. >> we'll do that. >> so i want to be clear. the theft of v.a. disability benefits is an urgent problem that can be financially devastating for veterans who need the funds to pay their rent, to afford their groceries and to keep the lights on. even when a veteran notices that their disability benefit was not received and contacts the v.a., this merely represents a first step in what is an unacceptably complex and onerous bureaucratic maze that a veteran must navigate to get their disability benefits restored. as i understand it, this is what has to happen when a veteran discovers that, say, their disability check did not go into the bank account that it normally goes into. thinking back to when this breach occurred, you will see
10:26 am
that veterans could still be suffering because you did not tell the v.a. -- hopefully you told them, but i -- you have no evidence that you have. first, the v.a. must confirm that the -- with the financial institution where the money was sent erroneously that it received information. then the v.a. has to work out an agreement with that financial entity to return those funds back to the u.s. treasury department's general fund. then the v.a. must get a confirmation from the treasury that the fraudulent payment was actually recouped. and then wait until the treasury actually returns the funds to the v.a. before the v.a. will then send that money back to the veteran. in the best-case scenario, this process can take weeks, but i wouldn't be surprised if it would take many months. now, my office has warned various veterans services organizations of the need to notify their members of this danger. i am working with the v.a. to strengthen v.a. policies and procedures. however, mr. barros, given your company's role in failing to
10:27 am
safeguard this critical data i would like equifax's commitment to work with the v.a., veterans service organizations and with individual veterans to provide valuable support and services such as unlimited, free credit freezes and monitoring for life. will you make that commitment on behalf of the men and women who are willing to lay down their lives to protect you and your family and your business here in this country? >> we have, again, actually engaged with the department of defense and the veterans association, veterans administration, cfpb and the senate. they will be offered the product that we have in -- they can use -- >> so you're not going to offer credit monitoring to our veterans who have been affected by your data breach for life? >> we're going to offer for them the lock and unlock product which is -- will provide the same barrier of defense -- >> as my colleague mr. peters just mentioned, that does not apply. that doesn't help because the bad guys will go somewhere else. you are basically saying you
10:28 am
will not make this commitment to our nation's veterans. the people who protect your ability to make money and protect your freedoms. you will not support our veterans? our disabled veterans who were wounded in their service of this country? you will not provide credit monitoring to them for life? >> we believe the lock and unlock product is safer product than the monitoring that we have. >> so the answer is no. i am over time. i yield back. >> thank you, senator duckworth. senator udall. >> thank you chairman thune and thank you for holding this important hearing. i must say some of the testimony is pretty discouraging here. there were 846,188 new mexicans whose identity and possibly their credit worthiness was endangered by the blatant carelessness of equifax employees. when you previously testified, mr. smith, you specifically said
10:29 am
that the data was stolen was stored in plain text and had not been encrypted. this is an unacceptable practice for an organization with such power over consumers' lives and it's painfully clear that americans cannot rely on large companies that store their data to protect it. as one possible solution, congress should consider banning the use of unverified social security numbers in commerce. there is the potential for strong bipartisan support for this. social security numbers were never intended to be used as universal online i.d.s. i am glad to hear that the white house is looking at this idea and congress should also evaluate this possibility as well. in that regard, this committee should take a closer look at the work that the national institute of standards and technology has initiated with the trusted identities group to develop secure online i.d.s and to ban
10:30 am
the use of unverified social security numbers. i look forward to working with others and building on the work this group has already undertaken. the following are yes or no questions for all the panelists. i am interested in banning the use of unverified social security numbers. is it necessary for online commerce to rely on a social security number. mr. barros? please give me a yes or no. it's a simple question. >> social security number is -- is -- it's a process that was developed in 1936. i think we need to have a better digital imprint perspective when dealing with e-commerce. >> so your answer is yes, it's necessary to rely on it? >> today. some -- some sites do rely on it. it's -- >> mr. smith? >> i would love to see it
10:31 am
replaced. until its replacement, it's the standard. >> miss mayer. >> yahoo does not collect or store social security numbers so we did not need it for the conduct of our business. >> verizon is happy to work with this committee and others to come up with an alternative for social security numbers. >> thank you. mr. wilkinson. >> social security numbers, a static identity, is a basis for our online identities, will not be secure, is not secure and will never be secure in the future. >> do your businesses -- another yes or no question. do your businesses require a consumer's social security number before you will do business with them? >> most of our business is done business to business, so we deal mostly with entities. such a small portion of our business that requires information that varies -- >> mr. smith? >> i concur. >> miss mayer.
10:32 am
>> no. >> zacharia? >> the answer is no, but it's part of -- it's not a requirement but it is part of the typical way that we'll go through a credit check for a new customer. >> mr. wilkinson. >> we are focused in the b to b area. i don't collect consumer information or social security numbers. >> thank you. another question. do you think the development of a security digital i.d. could break the cycle of data breaches and identity theft? >> yes. >> yes. >> i think it's necessary but not necessarily sufficient. >> yes. >> yes. >> and the final one. do you think it's worth while for congress to consider legislation to restrict the use of unverified social security numbers and other personal information while promoting the use of secure digital identification? >> i need to understand the
10:33 am
proposition that it's going to be. essentially anything that can move us forward from a static number, we'll be in support of. >> i agree. >> miss mayer. just for the record, yes or no? >> i don't know that my opinion matters, but yes. >> yeah. >> i agree. >> yeah. >> yes. >> mr. will conditikinson, yes. >> the trusted identities group is comprised of the public private partnership to promote the adoption of an easy to use digital identity. i will ask the final question here. i was wondering if you had worked with this group, since i am running out of time here, will you commit to working with my office on ways to improve the current working group and expand its efforts? >> definitely. >> mr. smith. >> mayer. >> yes. >> zacharia.
10:34 am
>> yes. >> thank you very much, mr. chairman. appreciate you holding this hearing. i know there was great interest on both sides of the aisle. i think, what i have seen here today -- i have been here for a long time listening today to the testimony. there are a lot of good ideas, and hopefully we can find a bipartisan way to really deal with a very tough situation. thank you very much. >> agreed. thank you senator udall. my neighbor from minnesota. senator klobuchar. >> thank you, mr. chairman. given that i am the last one here to have questions i use the opportunity to welcome mr. wilkinson. i hope things have been going well. from my home state, here before us again. entrust da thank you for being here. i will start with you. i know much of this ground has been covered but not this exact question. in your testimony you mentioned brazil's model of issuing dynamic identities to citizens.
10:35 am
and in this model the government partners with industry to provide consumers options to access digital certificates for identification. how do they ensure it's private -- that the government's private partners can keep citizens' information safe? >> so, some of the models that -- brazil is a great example, but there are certain mod lg models being used around the world that i wouldn't necessarily promote in the u.s. in terms of where the center of trusted identity lies. certainly the framework they've built for secure identity is one that's very close to what we are proposing in terms of looking forward to the framework for secure identity going forward. senator -- the comment senator udall made a few moments ago talking about nst and the work they're doing with the trusted identities group is one we'll follow closely and they're doing really good work that we'd love to spend more time with the
10:36 am
committee speaking about and helping to describe what secure identity could look like in the future. >> thank you very much. mr. smith appeared before us in judiciary, and i think i expressed my -- the shares frustration i have with others in the senate about what went on. but i thought i would focus with you, mr. barros, on what's happening now. equifax has announced that it would be launching this app, right, in january that will allow consumers to lock and unlock personal credit data while providing consumers with more control over their credit information as a positive step. we don't want to have new avenues for hackers. are there additional cybersecurity challenges that come with this mobile technology, and how is the product going to be tested? >> the product being developed as we speak. we're on time to deliver this in january. one of the advantages of the system is the simplicity of how consumers can actually understand and use the
10:37 am
application through that. we just started our development tests now. and this is a strict connection to our main files. so it has all the security needs and requirements that will be -- make the product in compliance with security. >> okay. i have been working a lot, of course, on the election issue sink i am the ranking on rules. we have been really concerned, senator graham and i have been, about upgrading our election equipment when we have attempts to hack 21 state elections equipment manufacturers or software companies. and so i see this as kind of going hand in hand with the attacks i have seen on some of my companies like target and other places. miss mayer, we have individual hackers and we also have state sponsored attacks like what we believe occurred in the 2016 election. so, in your experience at yahoo,
10:38 am
how do state-sponsored attacks differ from those committed by individual hackers? >> on many cases the motivation is different. and i would also say that they tend to be much more sophisticated, much more -- >> the state sponsored. >> the state sponsored tend to be more sophisticated, persistent, lasting for longer periods of time. they attack more targets. they span often over several companies trying to stitch together a picture of what they are actually seeking. and they are very good at hiding their tracks. the four people indicted in the case with yahoo, one of them is considered to be perhaps most sophisticated and dangerous hacker in the world today. he is a center figure in many of these ongoing investigations. but when you are that empowered, well funded, motivated, and sophisticated to work such a complex campaign, especially
10:39 am
across multiple targets and sources, it's an issue. >> so what do you think we could be doing differently for those kinds of state-sponsored attacks? what should we be doing out of congress when you look at the whole scope of things? the business, the government, the election equipment? >> i think that really aggressive pursuit of the hacking is important. and i was really pleased with the fbi and department of justice's work with yahoo to bring the people who perpetrated the crimes against us to justice. and i think that we should be empowering them legislatively and financially to pursue hacking, because right now there is just not enough of a disincentive to hack either on a commercial or criminal level. >> it needs to be international cases, and then they could involve sanctions or other things if we find that. that's what you're talking about. much more aggressive about going after these, in addition to doing everything we can to
10:40 am
protect the software. >> yes. one of the individuals in the yahoo case was apprehended in canada and has been extradited to the u.s. >> good example. on the election side it's different. we have to get backup paper ballots. it's a one-time occurrence but it is a lot of the same issues that business is facing as well. thank you very much. thank you. >> thank you, senator klobuchar. i think we -- you guys made it through. we will keep the record open. and we'll allow members to submit questions for the record for a couple of weeks. but we will want to close it out. so if you could, respond as quickly as you can in writing to the questions that the members of the committee submit. we'll get them included in the record. and, again, appreciate all of you being here today. i think this has shed a lot of light on this subject. as was mentioned earlier by a number of members on both sides of the committee, we have an
10:41 am
interest in moving forward on the legislative front in a way, hopefully, that will be effective in helping to prevent these types of cyberattacks in the future. thank you again. with that, this hearing is adjourned. [ gavel ] >> well done. thanks. >> all right. this from information magazine. the shortage of trained professionals with cybersecurity skills is acute. worsening and exacerbating the number of data breaches that are taking place. a report last month by a pair of
10:42 am
security management firms shed light on the scope of the problem and offered guidelines to businesses for easing the skill crunch. the results depict a widespread business problem that is becoming more severe. nearly 3/4 of respondents indicate that the shortage of people with cybersecurity skills has had an impact on their organization. read more at later today, the national archives hosts three events on the vietnam war to commemorate the opening of their remembering vietnam exhibit. live coverage begins at 12:00 p.m. eastern on c-span. you can also watch online at or listen on the free c-span radio app. 50 years ago the united states was at war in vietnam. this veterans day weekend, american history tv on c-span3 looks back with 48 hours of
10:43 am
coverage. starting saturday at 8:00 a.m. eastern. we're live from the national archives. aening mo the backdrop of three vietnam era helicopters to talk with veterans who flew them. then we'll take your phone calls and tweets live with historians mark atwood lawrence about the war in 1967. at 1:00 p.m. from the vietnam veterans memorial a ceremony with remarks from former defense secretary chuck hagel. on sunday at 4:00 p.m. eastern on real america, a 1967 cbs news vietnam war special report. >> whether it's due to the enemy's clever tactics or the bad fighting conditions, the weather or terrain it seems clear that the american military offensive along the dmz has dogged down. like the marines in the mud. >> then at 6:00 on american artifacts. we'll tour the national archives exhibit "remembering vietnam."
10:44 am
at 8:00 on the presidency, the 1967 president lyndon johnson vietnam war press conference. >> made our statement to the world of what we would do if we had communist aggression in that part of the world in 1954. we said we would stand with those people in the face of common danger, and the time came when we had to put up or shut up. and we put up. and we're there. >> watch the vietnam war, 50 years later. this weekend on american history tv. on c-span. tomorrow on the 64th year of national observance of veterans day vice president mike pence will take part in the wreath laying ceremony at the tomb of the unknown soldier and speak afterwards. live coverage from arlington national cemetery begins at 11:00 a.m. eastern on c-span and it's also on the website and the di


info Stream Only

Uploaded by TV Archive on