A Senate Commerce Committee interrogation of current and former executives at Equifax and Yahoo! revealed few answers about the data breaches that occurred at both companies. Both data breaches have been called the largest in history, with billions of consumers affected.
On Wednesday, the committee grilled executives, including former head of Yahoo! Marissa Mayer, about how the data breaches happened and who was responsible. Neither Mayer, nor Richard Smith of Equifax, were able to provide much information about the breaches.
The Yahoo! breach occurred in 2013, when hackers stole account information from three billion users. Mayer says that company was not aware of the breach until the U.S. government brought it to their attention in 2016. Yahoo! disclosed the breach in December of last year, but at the time, they said that only one billion accounts had been hacked.
Yahoo! suffered another cyberattack in 2014, when information was stolen from 500 million accounts.
Mayer, who resigned after Verizon bought Yahoo! in June, received a severance package worth $260 million. At the Senate hearing, she blamed Russian hackers for the 2014 breach, but said she did not know who was responsible for the 2013 breach. She was also unable to provide any details as to why it took the company three years to discover the 2013 breach, and why the company had grossly underestimated the number of stolen accounts.
While Mayer couldn’t provide many answers, she did express remorse. “As CEO, these thefts occurred during my tenure. I want to sincerely apologize to each and every one of our users,” she said during her testimony.
Some Senators, however, were unimpressed by the apology. Senator Brian Schatz (D-HI), said that it was “unfathomable” that Mayer could “harm consumers” then “walk away with the amount of money that a small city or county uses for their annual operating budget.”
Like Mayer, Equifax’s Richard Smith was also short on answers. Earlier this year, Equifax revealed that highly sensitive information from over 145.5 million users had been stolen. Because Equifax often gets data from third party users, many “customers” whose information was hacked were not even aware that Equifax had their information.
The company has been harshly criticized for waiting six weeks after finding out about the hack to disclose to customers, as well as for failing to install a much-needed security update that would have patched the vulnerability that hackers used to steal the data.
The executives, however, insisted that the breaches were the result not of negligence, but of increasingly “sophisticated” hacks. Mayer said that tech companies were engaged in an “arms race” against hackers, include state-sponsored agents, arguing that these hackers have “changed the playing field so dramatically” that “all companies, even the most well defended ones, could fall victim to these crimes.”
When asked if Yahoo! customers could expect their data to be safer in the future, chief privacy officer Karen Zacharia couldn’t say.