Equifax and Yahoo leaders apologise for hacks

Interim CEO of Equifax Paulino Barros, former CEO of Equifax Richard Smith, former CEO of Yahoo Marissa Mayer, and Deputy General Counsel and Chief Privacy Officer for Verizon Communications Karen Zacharia testify during a hearing before the Senate Commerce, Science and Transportation Committee on November 8, 2017, on Capitol Hill in Washington, DC.

Former top executives at Yahoo and Equifax have apologised again for breaches that exposed billions of customer accounts.

But US lawmakers were impatient with after-the-fact contrition and said they want proof that the firms are taking cyber security more seriously.

Politicians are threatening greater intervention in tech firms' business.

They say new laws may be necessary amid rising cyber attacks that threaten the privacy of personal data.

"This dais has an obligation to make a law and not just wag our fingers," said Senator Brian Schatz, a Democrat from Hawaii, at the meeting of the Senate Commerce, Science and Transportation Committee.

The hearing comes after Equifax said failure to install a security update may have led to exposure of information of more than 145 million people in the US and almost 700,000 people in the UK.

Verizon, which now owns Yahoo, last month also said two breaches in 2013 and 2014 exposed 3 billion customer accounts - far more than the initial estimate.

The US has accused state-sponsored Russian hackers of being behind one of the Yahoo attacks, involvement the Kremlin denies.

Senators said they were concerned that companies took too long to realise the scope of the attacks and tell those affected.

They criticised the payouts to top executives after the breaches and asked about more secure ways to identify people than relying on their Social Security number.

In the case of Equifax, they also questioned the firm's collection of financial data without permission of the individual involved.

"All the data... everything that defines my life, I have no control over it," said Senator Cory Gardner, a Republican from Colorado.

"Do you think it's right?"

'We have to figure this out'

Concerns over the privacy of personal data also emerged last week as attorneys for Facebook, Twitter and Google testified in Washington.

But there is little agreement among lawmakers over what kind of legislative response is appropriate.

"We have to figure this out," said Senator Catherine Cortez-Masto, a Democrat from Nevada. "We are taking their data and they have no choice."

The US is typically considered to have less stringent personal data privacy laws than Europe.

In response to questioning, former Yahoo chief executive Marissa Mayer said customers should own their data.

But that would be a stark change from the current system, said Paulino de Rego Barros, acting boss of Equifax.

Some lawmakers said they want companies to face more serious liabilities in the event of attacks.

Ms Mayer said increasing the potential consequences of hacks for the perpetrators would help deter attacks, on both the state-sponsored and commercial side.

"I think really aggressive pursuit of the hacking is important," she said. "Right now, there's just not enough of a disincentive to hack."
