Equifax Inc.’s former chief executive officer said the credit-reporting company didn’t meet its responsibility to protect sensitive consumer information, confirming that the failure to fix a software vulnerability months ago led to the theft of more than 140 million Americans’ personal data.
Richard Smith apologized for the breach and outlined a chronology of key events in testimony prepared for House Energy and Commerce Committee hearing set for Tuesday, according to a copy obtained by Bloomberg. He blamed human errors, particularly the failure to repair the problematic software despite warnings from the federal government and the company’s own security team.
“To each and every person affected by this breach, I am deeply sorry that this occurred," Smith said. “The company failed to prevent sensitive information from falling into the hands of wrongdoers."
Equifax has said hackers exploited a vulnerability in open source Apache software the company was using in one of its systems. The Apache Software Foundation had issued a patch for the flaw in March, two months before hackers began accessing sensitive information on Equifax’s servers on May 13.
Smith said officials at the Department of Homeland Security notified Equifax of a vulnerability in certain software on March 8 that needed to be patched. The next day, the company issued a notification internally requesting that the software be upgraded. Consistent with Equifax internal policies, the company’s security department required that the weakness be patched within 48 hours. But that never happened, Smith said.
“We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification,” he said. The vulnerability remained in Equifax’s systems "much longer than it should have," Smith added, and its failure to be patched allowed hackers to access consumers’ most sensitive data.
Smith said he was first informed there was suspicious activity on July 31 in a conversation with his chief information officer, two days after Equifax’s security department saw it. He said he didn’t know that personal identifying information, like Social Security numbers, had been taken until Aug. 15.
The company contacted the FBI and hired outside counsel and security experts on Aug. 2, Smith said. He began notifying Equifax’s board of directors on Aug. 22, and convened a board meeting to discuss the scale of the breach on Sept. 1.
Smith also said the company was “disappointed” with how its website and call centers were managed in the wake of the breach. In the days after the breach, consumers weren’t able to access the website the company set up to help identify who was hacked and the firm had trouble handling the massive influx of calls.
“The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed,” Smith said in the remarks. “The rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many.”