The Washington PostDemocracy Dies in Darkness

Senators slam Equifax, Marriott executives for massive data breaches

Mark Begor,(L), CEO of Equifax, and Arne Sorenson, CEO of Marriott International, at the start a Senate hearing on private sector data breaches. (Mark Wilson/Getty Images)

Members of Congress sharply rebuked Equifax and Marriott on Thursday for failing to protect people’s personal data and prevent two of the largest security breaches in U.S. history, putting hundreds of millions at risk.

At a Senate hearing featuring both organizations’ top executives, Democrats and Republicans alike said Equifax, a credit-reporting bureau, and Marriott, a hotel chain, each had failed to implement basic defenses against sophisticated hackers -- and that Equifax repeatedly did not patch known security holes or store key data in a way that was hidden from digital malefactors.

The two attacks, which were unrelated, exposed consumers nationwide to possible identity theft and banking fraud, lawmakers stressed during the hearing by the Senate Permanent Subcommittee on Investigations, which has been probing the breaches. Lawmakers expressed interest in reviving long-stalled data-security legislation that’d require companies to better secure consumers’ data and more swiftly communicate with consumers about major cyber attacks.

"When hackers are able to obtain someone's personal information, the consequences are real," said Sen. Tom Carper (Del.), the top Democrat on the panel. "The constant stream of data-breach notifications we see year in, and year out, is a sign we could be doing better."

For committee members, their primary focus Thursday was Equifax, where hackers gained access to the highly sensitive personal data of about 143 million people -- including names, Social Security numbers, birth dates, addresses, and in some cases, even driver’s license and credit card numbers. The incident triggered state and federal investigations and prompted widespread outrage, as many consumers -- perhaps unaware that data brokers had compiled intricate digital dossiers about them -- initially struggled to freeze their credit reports. Authorities later brought insider-trading charges against two Equifax executives that sold stock before informing the public about the breach.

Senators initiated their own probe, and in a new report, said they found Equifax had exhibited a longstanding “neglect of cybersecurity,” implemented poor, inconsistent procedures to update critical computer systems against known security flaws, and failed to adhere to the most basic best practices, such as encrypting user names and passwords. The report noted that one of Equifax’s own audits, conducted in 2015, specifically identified “a backlog of over 8,500 known vulnerabilities that had not been patched.”

The senators also slammed Equifax for failing to retain key internal communications, which they said might have helped them fully understand who was to blame for the massive security incident.

“The subcommittee is left with an incomplete record,” said Sen. Rob Portman (Ohio), the Republican chairman of the subcommittee. “So are the American people.”

Mark Begor, the chief executive of Equifax, who arrived at Equifax after the breach, stressed the credit-reporting firm had invested more heavily in security since the 2017 attack. But he also defended his company’s early security practices. “There were controls in place,” he told lawmakers. “They clearly weren’t strong enough.”

The answers left lawmakers unsatisfied -- and convinced that only through tough, new federal rules would Equifax and other companies truly improve their digital defenses.

“I understand you’re doing things, but you’re doing things after a major breach,” said Democratic Sen. Maggie Hassan (N.H.). “And what I want to make sure that Americans -- whose information is in the custody of an entity they may not even know anything about -- don’t have to wait for there to be a breach before companies start doing what they should responsibly do.”

“This is an ongoing threat,” she continued. “It’s been an ongoing threat for a while. And we need to make sure there are standards in place, just the way we have safety standards for other industries.”

Lawmakers also took aim at Marriott, where a breach made public in November compromised data from as many as 383 million guest records. Hackers stole names, addresses, credit card numbers and phone numbers, along with some passport numbers and travel itineraries.

The breach targeted the company’s Starwood subsidiary, which includes hotel chains such as Westin and Sheraton, in the years before it was acquired by Marriott.

Yet lawmakers still faulted Marriott for moving too slowly to phase out Starwood’s software, which had fallen victim to well-known security incidents long before the merger had been consummated. Democratic Sen. Jacky Rosen (Nev.), who said she previously worked in information technology, expressed surprise that Marriott had taken “no method of auditing the data coming across” in the early days.

Secretary of State Mike Pompeo has blamed China for the attack, though Marriott CEO Arne Sorenson declined Thursday to place blame. Instead, Sorenson said they “deeply regret this incident,” adding that critical data stolen by hackers has not been found on the internet or dark web.