Credit-reporting firm Equifax Inc.'s (EFX) - Get Reportfailure to realize that hackers had obtained access to sensitive consumer data for as long as four months is like guards at Fort Knox forgetting to lock the doors and not noticing that thieves are looting the vaults, a Congressional committee chairman said.
"How could a major U.S. company like Equifax, which holds the most personal and sensitive data on Americans so let them down?" Rep. Greg Walden, the Oregon Republican who chairs the energy and commerce committee, asked in a hearing with former Equifax CEO Richard Smith on Tuesday, Oct. 3.
"Our job is to get answers," he continued at the start of a brutal session with the subcommittee on digital commerce and consumer protection, whose members lambasted Smith and Equifax for their handling of data from Social Security numbers to birth dates that lenders commonly use to verify the identities of loan applicants. It's a trove as attractive to hackers as the U.S. bullion depository in Kentucky might be to gold thieves, Walden suggested.
Equifax shares have tumbled 22% to $110.35 since its Sept. 7 disclosure of the hack, which exposed the data of more than 145 million U.S. residents -- nearly half the country.
The firm's initial response, rather than alerting affected consumers individually, was to request that people log onto its website, where many were told only that their data might have been involved and offered a free year of the company's credit-monitoring service.
Opting for the service, initially, required giving up the right to sue the company and agreeing to an automatic renewal of the service at its regular price.
Although Equifax later removed those conditions, the fallout led to Smith's departure and his agreement to give up an annual bonus payment this year that had totaled more than $3 million each of the past two years.
"I'm truly and deeply sorry for what happened," Smith said on Tuesday. "I've talked to many consumers, I've read your letters and Equifax is committed to making it whole for you."
He blamed the hack on a combination of technological and human error. Equifax typically relied on members of its security team to notify their technology counterparts of patches and updates recommended by the company's software providers, then followed up with digital scanning software designed to detect vulnerabilities, Smith said.
The breach scrutinized in Tuesday's hearing occurred after an employee responsible for notifying the company that a patch had been issued for a vulnerability in open-source Apache Struts software failed to do so, despite a warning from the U.S. Department of Homeland Security, Smith said.
A subsequent digital scan failed to detect the problem, and an outside firm is investigating why it didn't, he added.
Because of those failures, the company is now grappling with both lawsuits and a U.S. Department of Justice investigation while lawmakers have proposed a variety of bills that would tighten regulations on Equifax as well as its rivals.
"Consumers don't have a choice over what information Equifax, or for that matter, TransUnion (TRU) - Get Report or Experian (EXPGF) , have collected, stored and sold," said Rep. Jan Schakowsky of Illinois, the ranking Democrat on the subcommittee.
The day before the hearing, Schakowsky reintroduced the Secure and Protect Americans' Data Act, which she said would enhance information security and require prompt notification of, and assistance to, consumers.
In the Senate, meanwhile, Elizabeth Warren, a Massachusetts Democrat, joined Brian Schatz of Hawaii earlier in introducing a bill that would require Equifax and its two biggest rivals to freeze credit files whenever consumers make a request -- for free.
But legislative proposals, even those to institute or increase fines on companies that fail to protect the consumer data they have stored, may not address a chain of events like those that led to the Equifax hack, Walden noted.
"I don't think we can pass a law that, excuse me for saying this, fixes stupid," he said.
Watch the full testimony below.
Updated from 10:39 a.m. on Tuesday, Oct. 3, 2016.
More of What's Trending on TheStreet: