U.S. Sen. Tim Scott doubted Wednesday that Equifax executives had no knowledge of a massive data breach that affected more than 145 million people when they chose 48 hours later to sell their shares in the company for nearly $2 million.
"All the folks in the executive suite had no clue, but they were the luckiest investors on Aug. 1 to sell the stock at the best price to net $655,000 — this was pure luck and nothing else?" a baffled Scott asked former Equifax CEO and Chairman Richard Smith. "Question: Is it? Was it?"
Smith was testifying before the Senate Committee on Banking, Housing and Urban Affairs. It was the second congressional hearing in as many days where Smith has attempted to explain the scandal that occurred at one of the three main credit reporting companies.
The company discovered the hack on July 29 and publicly announced it more than a month later, on Sept. 7.
Members of Congress also expressed bewilderment that Equifax has received a $7.25 million contract with the IRS to provide taxpayer and personal identity verification services.
"You realize, to many Americans right now, that looks like we're giving Lindsay Lohan the keys to the mini-bar," Sen. John Kennedy, R-La., told Smith.
Smith said he didn't know many details about the contract, but that it was for work Equifax has done in the past for the IRS, and he thought the contract was being renewed.
During his five minutes of allotted questioning, Scott, R-S.C., laid out the timeline Smith had given the committee thus far during his testimony, picking at the discrepancy of when company executives sold stock and when the public was informed of the breach.
Smith, who stepped down from the company last week, told Scott that the executives followed protocol.
"We experience millions of suspicious potential attacks each year," Smith said. "Suspicious attacks occur all the time."
Scott interrupted him.
"Was there ever a suspicious activity that led to, within a 48-hour period, a sale of stock?" Scott questioned.
Smith said this particular sale opened after the second quarter earnings call and was in line with normal behavior.
"These are honorable men who followed the protocol that was outlined by the organization," Smith said.
Scott pushed back.
"What y'all want us to believe is that the three luckiest investors, who sold their stock, did so without any knowledge that that suspicious activity may be bigger and more powerful than any other suspicious activity perhaps in the history of the company," he said. "I find that hard to believe."
In September, the Department of Justice opened a criminal investigation into whether the three Equifax executives violated insider trading laws when they sold company sock before the data breach was made public.
Smith testified at the second of four congressional hearings this week in which lawmakers are demanding to know how the breach happened and what the company was doing to make things right for consumers. Hackers stole Social Security numbers, birth dates and addresses, and in some instances driver's license numbers.
Sen. Elizabeth Warren, D-Mass., said Equifax didn't have enough incentive to ensure consumer data was secure. She said the breach means consumers will spend the rest of their lives worrying about identity theft and businesses will lose money to thieves, but the company itself will come out of the crisis just fine.
"When companies like Equifax mess up, senior executives like you should be held personally accountable and the company should pay mandatory and severe financial penalties for every consumer record that's stolen," Warren said.
"We've got to change this industry before more consumers get hurt," she said.