Equifax ex-CEO: Hacked data wasn't encrypted

Customer data that was compromised during a massive breach of Equifax's (EFX) systems was not encrypted, the company's ex-CEO told a congressional committee Tuesday.

During a three-hour hearing before the House Energy and Commerce Committee, Richard Smith blamed the massive hack on a combination of failed technology and human error. 

On March 8, he said, the Department of Homeland Security warned the company it needed to patch a particular vulnerability in software that Equifax and other businesses use. Equifax emailed out that warning the following day and asked that applicable personnel install the upgrade. But even though Equifax's policy required the upgrade to occur within 48 hours, Smith said that didn't happen.

The hack itself took place as early as May 13, Smith said in his prepared testimony. But it wasn't until July 29 that the company's security noticed what he called "suspicious activity" in a part of the website used for customer complaints, separate from financial information used for credit reports and credit scores. "That is a completely separate environment from the credit file itself," Smith said.

Then, responding to a question from Rep. Adam Kinzinger, R-Illinois, Smith said the data was "not encrypted."

"We use many techniques to protect data: encryption, tokenization, masking, encryption in motion, encrypting at rest. To be very specific, this data was not encrypted at rest," Smith said. 

"So this wasn't, but your core [data] is?" Kinzinger asked. 

"Eeeh -- it's, some, not all," replied Smith. "Some data is encrypted, some is tokenized, some is in motion, some is masked. There's varying levels of security techniques that the team deploys in different environments," he said. 

That situation is common among large companies, which mostly don't encrypt their databases, said Jeff Williams, co-founder of Contrast Security. "That probably is a best practice, but I'd say most organizations don't really do that." 

Even if the data were encrypted, however, the application that the hackers exploited would still have had access to it, said Williams. So encryption wouldn't have stopped the hack.

Even though the data on the dispute resolution site was separate from "core credit reporting data," the compromised information still included names, addresses, phone numbers and Social Security numbers -- plenty of fodder for a would-be criminal to impersonate someone. 

The broader problem lies in Smith's description of different data techniques in different environments, said Dmitri Sirota, CEO of the data protection company BigID.

"They do some things and don't do other things because there's no standard. Everyone can kind of do whatever they want," he said. "There's not even really a federal standard about what's personal data -- is it your Social Security number, is it your name?" The Equifax debacle, he noted, could increase the public appetite for federal standards concerning personal data protection.

While that would be a boon consumers, it would be a hit to the bottom lines of many financial companies and banks, Wall Street analysts say. 

"Cybersecurity could be the new hot regulatory topic that trips up banks in M&A applications and leads to more enforcement actions," KBW analysts wrote in a note.