Equifax and Marriott executives are slated to appear before the Senate on Thursday (March 7) to discuss what lessons the two companies have learned from some of the largest data breaches to hit corporate America.
According to CNBC, the Senate Homeland Security and Governmental Affairs Subcommittee on Investigations is holding the hearing, and has also released a report on how Equifax handled its data security leading up to the data breach that resulted in 143 million people’s credit card data being exposed. Equifax disclosed the hack in September of 2017. Marriott’s data breach, which occurred in late November, impacted the records of 383 million guests, but didn’t include as much sensitive data as the Equifax incident.
CNBC said the report is critical of Equifax’s tech and cybersecurity operations, as well as the company’s handling of employees’ warnings to a top executive about security flaws. One portion of the report depicts executives as shrugging off security meetings in March of 2017, at a time when a flaw in the open-source software Apache Struts was hurting financial companies. The flaw went unpatched at Equifax and created the entry point for hackers.
“The Subcommittee interviewed the leadership of the Equifax IT and security staffs and learned that none of them regularly attended these monthly meetings or specifically recalled attending the March 2017 meeting,” the report said. “In addition, the chief information officer, who oversaw the IT department during 2017, referred to patching as a ‘lower-level responsibility that was six levels down’ from him.”
In a statement to CNBC, Equifax spokesman Jacob Hawkins said the company has cooperated with the Subcommittee, and while it doesn’t agree with a number of the report’s findings, it is committed to being transparent. Since the breach, Equifax has hired a new chief technology officer and chief information security officer, and has also increased technology and security spending. The spokesman added that Equifax has hired close to 1,000 new technology and security employees.