Ex-Yahoo, Equifax execs hammered over massive hacks


Lawmakers railed against former CEOs of Yahoo and Equifax over massive cybersecurity breaches that occurred on their watch and floated potential policy solutions to crack down on the hacks impacting hundreds of millions of Americans.

Frustrated members of the Senate Commerce Committee pressed former Yahoo CEO Marissa Mayer, former Equifax CEO Richard Smith and its current CEO Paulino do Rego Barros Jr. on how their companies allowed such enormous breaches and pushed for answers as to how they would handle the fallout.


Committee Chairman Sen. John Thune (R-S.D.) opened the hearing by asking Mayer to explain how, despite the increased investments she touted during her opening, 3 billion of its accounts were hacked into in 2013.

“Despite these investments, Yahoo failed to detect the 2013 breach,” Thune said, noting it also took years for Yahoo to understand the full scale of the problem.

“With such a strong security team in place, how did Yahoo fail to recognize all 3 billion of its user accounts had been compromised?” he asked.

Mayer replied that such breaches are complex and required time to understand. Indeed, she said, the company is still trying to determine who was responsible.

“We still have not been able to identify the intrusion that led to that breach,” the former Yahoo CEO explained.

The firm did not initially understand the scope of the breach and only notified users that it had been hacked in 2017. It revealed just last month that the 3 billion accounts were compromised.

In July, credit bureau Equifax also was the subject of a large cybersecurity breach in which sensitive information, including Social Security numbers, of 145.5 million people was stolen by hackers.

Sen. Brian Schatz (D-Hawaii) critically highlighted that after stepping down following the enormous intrusions, Mayer and Smith still walked away with tens of millions of dollars.

Mayer stepped down after Verizon’s acquisition of Yahoo was complete in June.

“People where I live, people where we all live, cannot understand how the CEO of Yahoo walked away with [millions of dollars] worth of stocks,” Schatz said.

“Regular people don’t understand that, and they shouldn’t understand how you walk away with money that a small city … would have as their budget,” he added. “It’s not fair.”

Lawmakers also voiced potential legislative and policy solutions to prevent future cyber breaches that could compromise the public’s data and questioned the executives' commitment to fixing cybersecurity vulnerabilities.

“Of course it does,” Schatz responded when asked by reporters if Mayer’s refusal to testify until she was subpoenaed by the Senate Commerce Committee raised accountability concerns.

“This is why Congress needs to legislate in this area,” Schatz told reporters later. “I have no belief that they’re going to fix this on their own.”

The committee’s top Democrat, Sen. Bill Nelson (Fla.), told witnesses that “there’s going to have to be cooperation between the most sophisticated player in the U.S., which is the NSA, and all of you.”

Nelson’s comment was aimed at addressing the threat of state-sponsored attacks, which Mayer said that firms like Yahoo would not be able to handle alone.

A 2014 attack in which 500 million Yahoo accounts were stolen was perpetrated by Russian spies and hackers.

“Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised,” Nelson said.

Lawmakers during the hearing pointed out that consumers could be affected by the breaches and have their identities stolen at any point during the rest of their lives.

Senators were skeptical that Equifax’s solutions would sufficiently protect the public.

Sen. Gary Peters (D-Mich.) ripped Barros for making Equifax’s credit monitoring free for only a year, after the executive conceded that consumers could be affected at any point.

Sen. Richard Blumenthal (D-Conn.) hammered Equifax further about its arbitration clauses that consumers agree to when using the company’s products to monitor their credit and see if they were affected in the breach. 

The firm took criticism in the wake of the breach for including a clause that forced consumers to waive their right to sue the company in court. Instead, they would have to resolve legal disputes with Equifax in private arbitration, which critics say unfairly benefits corporations over consumers.

Equifax ultimately said that the tools it set up to help consumers affected by the breach, Equifaxsecurity2017.com, would be exempt from the arbitration clause.  

But Barros did not commit to removing this clause from Equifax’s other products and services on Wednesday.

“I believe consumers have a choice to choose their products,” Barros said to Blumenthal.