WASHINGTON — Members of Congress tore into Equifax on Tuesday, berating the company’s former chief executive for a breach of its computer systems that potentially exposed the sensitive personal information of more than 145 million Americans.
Richard F. Smith, who stepped down last week as Equifax’s chief executive, appeared Tuesday before a House subcommittee that is investigating the breach. No current Equifax executives appeared at the hearing.
“I’m truly and deeply sorry for what happened,” Smith said at the start of his testimony to a House Energy and Commerce subcommittee.
But under questioning from lawmakers, he refused to commit Equifax to making whole any people who were financially harmed as a result of the breach.
Lawmakers were unsatisfied by the company’s apologies. Representative Joe L. Barton, Republican of Texas, called for new federal laws to “put some teeth” behind penalties for data breaches.
“We could have this hearing every year from now on if we don’t do something to change the current system,” Barton said.
He said he would like to see companies fined for every account that gets breached — with penalties large enough “that even a company that’s worth $13 billion would rather protect the data, and probably not collect as much data, than have to come up here and appear and say ‘we’re sorry.’ ”
The Equifax hacking sparked widespread outrage, as well as bipartisan demands for more information from the company on how the security debacle happened and what steps the company is taking to handle the fallout. The outcry has increased the odds of new rules or laws governing the credit-reporting industry.
Representative Frank Pallone Jr., Democrat of New Jersey, called for Congress to pass legislation that would do more to protect consumers whose personal data is stolen in such breaches.
“Of course, breaches will continue to occur, but they occur more often when there is no accountability and when no preventative measures are in place,” Pallone said.
After Tuesday’s grilling, Smith is scheduled to testify at three additional congressional hearings this week.
On Monday, Equifax said the personal information of nearly 146 million Americans may have been stolen, an increase of more than 2 million from the company’s previous estimate.
Smith provided some new details about the breach.
In early March, the Department of Homeland Security sent Equifax and others an alert about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes. The company sent out an internal e-mail requesting that its technical staff fix the software, but that was not done, Smith said.
By mid-May, attackers had found the unpatched software and used the flaw to gain access to sensitive information. Their actions went undetected until late July, when Equifax finally registered suspicious traffic on its network.
Equifax cut off the attackers at that point and began an investigation, but not until mid-August did it grasp the scale of the theft, including the fact that consumers’ personal information had been breached.
The company’s full board was not notified until the end of the month, nearly four weeks after Equifax discovered the breach.
“Mistakes were made,” Smith said, referring to extensive problems with Equifax’s call centers and with the website that it set up to provide information to those whose data may have been exposed.
Some lawmakers have called for new consumer protections such as stricter monitoring of the credit bureaus and a federal rule standardizing requirements to notify victims of data breaches.
Smith said he would be amenable to rethinking the role that Social Security numbers play in identity verification. Critics have long condemned the widespread reliance on and use of the numbers as insecure.
Smith said he would like companies and government agencies to “begin a dialogue” about replacing Social Security numbers as a key verifier.
“It is time to have identity verification procedures that match the technological age in which we live,” he said.