Former Yahoo! Inc. Chief Executive Officer Marissa Mayer warned hackers are becoming more potent as she joined Equifax Inc.’s interim CEO in trying to reassure a Senate panel the companies are bolstering their defenses.
Yahoo, which announced last month that a 2013 breach affected far more customers than previously thought, has doubled its security staff, helping to deflect “a barrage of attacks,” Mayer said in remarks to be delivered Wednesday before the Senate Committee on Commerce, Science and Transportation. But the suspected involvement of Russian agents in its breach shows companies still face a formidable challenge, she said.
“The threat from state-sponsored attacks has changed the playing field so dramatically that today I believe that all companies, even the most-well-defended ones, could fall victim to these crimes,” she said.
U.S. lawmakers have been grilling corporate leaders in recent months over failures to protect sensitive information on hundreds of millions of Americans. Wednesday’s session marks a Washington debut for Paulino do Rego Barros, who took Equifax’s helm in September. In prepared testimony, he said he hoped to focus on the firm’s efforts to address the mess, “not on the forensic details of the breach.”
The credit reporting company has reshaped management since hackers obtained personal data on more than 145 million people, he said. Its chief security officer now reports directly to the CEO, and a new chief transformation officer is overseeing the firm’s broader response.
When Barros agreed to accept the job, “some of my family and friends thought I was crazy for accepting the challenge,” he said. “Some of you may think the same. I understand.”
Richard Smith, who was Equifax’s CEO when the attack occurred earlier this year, also is set to testify. He already appeared before four other congressional panels in recent weeks, reiterating the chain of events that led up to the intrusion, which included a breakdown in communication within the company.
Consultants hired by Equifax to investigate haven’t been able to identify the attackers, according to a summary of their report provided to Senate staff before Wednesday’s hearing and obtained by Bloomberg. The consulting firm, Mandiant, said the tactics aren’t familiar.
“Mandiant has not been able to attribute the identified attacker activity within the Equifax environment to any targeted threat actor group that Mandiant currently tracks,” the firm said in the summary of their report. “The tools, tactics and procedures the attackers used did not overlap with attacker activity identified in previous Mandiant incident response investigations.”
Yahoo initially revealed its breach last year, later lowering the price for its main web properties for a sale to Verizon Communications Inc. Last month, Yahoo said the breach apparently exposed all its users at the time it occurred.
Lawmakers on both sides of the aisle have pummeled Equifax and Yahoo. The government is weighing whether to impose tougher standards on companies, such as requirements for notifying consumers after a breach.
“Companies that collect and store personal data on American citizens must step up to provide adequate cybersecurity,” Senator John Thune, chairman of the Commerce Committee, said in remarks for the hearing. “And there should be consequences if they fail to do so.”