Equifax's interim CEO said during a congressional hearing that he doesn't know whether or not the company now encrypts customer data.

Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches."

During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional.

"Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith.

Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest.

"So, a decision was made to leave it unencrypted at rest?" Gardner pushed.

"Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26.

Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process, and Gardner pushed again.

"Yes or no, does the data remain unencrypted at rest?"

"I don't know at this stage," Barros responded.

Gardner appeared stunned by Barros' answer and pointed out that a lack of encryption was essentially what caused this massive Equifax breach. Smith attempted to make the situation better.

"Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

Also testifying at the hearing was a panel of experts in security and privacy, as well as the former CEO of Yahoo Inc., which revealed in September 2017 that its data breach in 2013 affected 3 billion user accounts.

Gardner deferred to Todd Wilkinson, the president and CEO of Entrust Datacard, who was a member of the panel, and asked Wilkinson whether it is irresponsible not to encrypt customer data at rest. Wilkinson pointed out that industry standards such as PCI DSS require retailers and others to encrypt precisely the kind of information that Equifax did not encrypt.

Equifax still faces over 240 class action suits following the data breach, including lawsuits from multiple classes of consumers, as well as shareholders and financial institutions that claim to be affected by the breach.