In March, federal prosecutors charged two Russian intelligence agents and two hackers with masterminding the 2014 theft of 500 million Yahoo accounts, the first time the U.S. government has criminally charged Russian spies for cyber crimes.
"We describe this as arms race, hackers become ever more sophisticated and we have to become sophisticated in turn", Mayer said. Mayer says Yahoo, which originally said only 1 billion accounts were affected, didn't find out about the hack until it got data from the government in 2016 and still hasn't figured out how it happened, though she says Russian intelligence officers have launched attacks on Yahoo systems.
Senator Bill Nelson said "only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information". Thune also pressed Equifax's former CEO Richard Smith and interim CEO Paulino Barros on Equifax's known security vulnerabilities that led to its recent data breach and how the company is now addressing these issues. Mayer said it's still unclear who is behind the 2013 hack.
"The threat from state-sponsored attacks has changed the playing field so dramatically that today I believe that all companies, even the most-well-defended ones, could fall victim to these crimes", she said.
Richard Smith, who was Equifax's CEO when the attack occurred earlier this year, also is set to testify. He said that app is in development and may release in January.
"We did not meet the public's expectations, and now it's up to us to prove that we can regain their trust", Barros said.
They answered questions about the Equifax breach in September and Yahoo's in March. "The DOJ and Federal Bureau of Investigation praised Yahoo for our extensive cooperation and early, proactive engagement with law enforcement", Mayer said. Smith said Equifax decided not to encrypt its massive database of sensitive data because it felt its firewalls and layers of security were enough.
"We work according to the law and use the tools that the industry uses to have arbitration in place", Barros said, referring to consumers' ability to sue Equifax. The company's website received 420 million visits, but only 30 million people have actually used it. Richard Blumenthal, a Democrat from CT, called for laws to punish companies who suffer major breaches, to incentivize security.
"Under current law, even some of the most egregious examples of lax security can be met only with apologies and promises to do better next time".