Yahoo, Equifax apologize for hacks. Congress doesn't buy it

Last Updated Nov 8, 2017 3:00 PM EST

Yahoo and Equifax are going to need a lot of sorry cards.

Executives from Yahoo and Equifax testified to Congress on Wednesday, apologizing for massive breaches affecting billions of people around the world.

Yahoo last month revealed that in 2013 it suffered the largest hack in history, hitting 3 billion accounts on the website. Equifax, a credit-monitoring agency, in September said hackers stole information — including Social Security numbers, credit card numbers, names and addresses — on up to 143 million Americans.

Lawmakers on the Senate Commerce Committee demanded answers on how the two companies would protect people from future massive data breaches.

"It's not a question of if we'll have another one, but when," Senator Bill Nelson, a Democrat from Florida, said in his opening statement.

It was a packed house on Capitol Hill: Both the current and former Equifax CEOs, Paulino do Rego Barros, Jr. and Rick Smith, respectively, testified. Yahoo's former CEO Marissa Mayer, as well as parent company Verizon's Chief Privacy Officer Karen Zacharia, also testified. Verizon bought Yahoo in June, with the data theft shedding $350 million off the deal.  

Mayer opened her testimony with an apology, pointing out that Yahoo had been hit by a sophisticated attack from Russian hackers, one that even the best security could not have stopped.

"These thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users," Mayer said.

The Department of Justice indicted Russian hackers for attacking Yahoo during a 2014 breach, but not for the 2013 data leak that affected 3 billion users. Mayer said it's still unclear who is behind the 2013 hack.

"I believe all companies, even the most well-defended ones, could fall victim to these crimes," she said.

Equifax's interim and former CEOs also both apologized for their company's failures and touted all the tools that they've offered for victims affected by the breach. That includes a credit-monitoring app that will be available in January and free credit locks from the company.

"We did not meet the public's expectations, and now it's up to us to prove that we can regain their trust," Barros said.

During the testimony, both companies talked up how they've changed since suffering their historic breaches — while senators called out their inaction. Both Mayer and Verizon's Zacharia pointed to Yahoo's responses to the breach, such as requiring password changes and improving its encryption.

Yahoo said it's doubled its security team. Equifax said its budget for security increased four-fold since the breach. But the new priority on security hasn't changed the root problems for both companies.

Mayer said Yahoo still doesn't know exactly how hackers breached all of its users and isn't sure what flaws it needs to fix. 

Smith said Equifax decided not to encrypt its massive database of sensitive data because it felt its firewalls and layers of security were enough. The company's new CEO said he's unsure if its data has been encrypted since the breach.

And while Barros discussed Equifax's tools for breach victims, he noted that barely anyone is using them. Fewer than one-fifth of the 145 million people affected by the breach are actually turning to Equifax's solutions, Barros said during the testimony. The company's website received 420 million visits, but only 30 million people have actually used it.

As Verizon takes over Yahoo, Zacharia promised better security for the future, though senators remained skeptical during the hearing. Sen. Richard Blumenthal, a Democrat from Connecticut, called for laws to punish companies that suffer major breaches in order to incentivize security.

"Under current law, even some of the most egregious examples of lax security can be met only with apologies and promises to do better next time, not fines or other penalties or real deterrents," Blumenthal said. 

This article originally appeared on CNET.