- Yahoo, now owned by Verizon, and Equifax, are two companies which were hit with some of the biggest data breaches of all time.
- Equifax said it spends about four times more on cybersecurity today than it did before the attack.
- All the companies agreed that personal identifiers, like Social Security Numbers, were a dated form of ID that should be replaced with something more complex and safe.
U.S. Senators grilled current and former executives at Yahoo and Equifax on Wednesday, trying to ascertain what — if anything — companies can do to prevent future data breaches of massive proportion.
Yahoo, now owned by Verizon, and Equifax, are two companies which were hit with some of the biggest data breaches of all time. The former CEOs of the two companies apologized for their roles in the hacks in testimony to the Committee on Commerce, Science and Transportation on Wednesday.
But at least one senator found the testimony "discouraging," as companies also sustained that they had fallen victim to bad actors, and that even high amounts of security spending would be limited by current privacy standards and law enforcement collaborations.
"I can't think of a clearer definition of gross negligence anywhere," Sen. Gary Peters, a Michigan Democrat, said of the Equifax attack. "A company that has been entrusted with the most sensitive data and customers didn't have a choice for you to hold it ... you're holding that and you don't take precautions."
Yahoo revealed last month that every account — 3 billion in all — was affected by a 2013 data breach. The revelation built on previous disclosures that more than 1 billion accounts were hacked. Hackers stole email addresses, passwords, birth dates, telephone numbers and more in the attack, but did not access passwords in clear text, payment card data or information about bank accounts.
"Yahoo was the victim of criminal state-sponsored attacks on its systems, resulting in the theft of certain user information," Yahoo CEO Marissa Mayer said. "We worked hard over the years to earn our users' trust. As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users."
Two Russian intelligence agents and two other people have been indicted in connection with the "highly complex" attack on at least 500 million Yahoo accounts. Mayer said on Wednesday that one of these actors is considered one of the most dangerous hackers in the world, and that to this day, Yahoo has not been able to find the intrusion that led to some of the thefts.
"The Department of Justice and FBI announced a 47-count indictment charging four individuals with these crimes against Yahoo and its users. The DOJ and FBI praised Yahoo for our extensive cooperation and early, proactive engagement with law enforcement," Mayer said.
At least 145.5 million U.S. consumers were affected by a separate attack on credit reporting company Equifax, an attack that has already been scrutinized heavily by regulators. In that attack, more sensitive information, like Social Security numbers, was stolen.
On Wednesday, several senators said there should be more financial incentive for companies to prevent hacks, as well as laws that have "teeth" when it comes to notifying consumers of breaches. In particular, the senators questioned why consumers don't own their own data and don't have the ability to opt out of credit-checking services like Equifax.
"Under current law, even some of the most egregious examples of lax security can be met only with apologies and promises to do better next time. Not fines, or other penalties — or real deterrents," said Connecticut Sen. Richard Blumenthal, a Democrat. "The real deterrent will come when those penalties are imposed on executives like the ones before us today."
Equifax said it spends about four times more on cybersecurity today than it did before the attack. But, despite prodding from senators, Equifax CEO Paulino do Rego Barros Jr. did not agree to stop the use of controversial arbitration agreements, nor did he commit Equifax to doing personalized outreach, free credit monitoring, or extended benefits to veterans.
"We work according to the law and use the tools that the industry uses to have arbitration in place," Barros said, referring to consumers' ability to sue Equifax.
All the companies agreed that personal identifiers, like Social Security Numbers, were a dated form of ID that should be replaced with something more complex and safe. The companies also said they would work with Congress on more comprehensive data security reforms.
But some of the senators pushed the companies to provide more protection.
Senator Bill Nelson (D-Fla.) said that going forward, companies would need an "attitude change," while Brian Schatz (D-Hawaii) said that regular people don't understand how Mayer and former Equifax CEO Richard Smith could walk away from their companies with millions. Sen. Ed Markey (D-Mass.) pointed out that Verizon was a supporter of the repeal of Obama-era broadband privacy rules earlier this year.
"You're not regretful at all," Markey said.