Equifax Inc.’s former chief executive officer said the credit-reporting company didn’t meet its responsibility to protect sensitive consumer information, confirming that the failure to fix a software vulnerability months ago led to the theft of more than 140 million Americans’ personal data.

Richard Smith apologized for the breach and outlined a chronology of key events in testimony prepared for a House Energy and Commerce Committee hearing set for Tuesday, according to a copy obtained by Bloomberg. He blamed human errors, particularly the failure to repair the problematic software despite warnings from the federal government and the company’s own security team.

“To each and every person affected by this breach, I am deeply sorry that this occurred,” Smith said. “The company failed to prevent sensitive information from falling into the hands of wrongdoers.”

Equifax has said hackers exploited a vulnerability in open source Apache software the company was using in one of its systems. The Apache Software Foundation had issued a patch for the flaw in March, two months before hackers began accessing sensitive information on Equifax’s servers on May 13.

Government Warning

Smith said officials at the Department of Homeland Security notified Equifax of a vulnerability in certain software on March 8 that needed to be patched. The next day, the company issued a notification internally requesting that the software be upgraded. Consistent with Equifax internal policies, the company’s security department required that the weakness be patched within 48 hours. But that never happened, Smith said.

“We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification,” he said. The vulnerability remained in Equifax’s systems “much longer than it should have,” Smith added, and its failure to be patched allowed hackers to access consumers’ most sensitive data.

Smith said he was first informed there was suspicious activity on July 31 in a conversation with his chief information officer, two days after Equifax’s security department saw it. He said he didn’t know that personal identifying information, like Social Security numbers, had been taken until Aug. 15.

The company contacted the FBI and hired outside counsel and security experts on Aug. 2, Smith said. He began notifying Equifax’s board of directors on Aug. 22, and convened a board meeting to discuss the scale of the breach on Sept. 1.

‘Enormous Hack’

Smith also said the company was “disappointed” with how its website and call centers were managed in the wake of the breach. In the days after the breach, consumers weren’t able to access the website the company set up to help identify who was hacked and the firm had trouble handling the massive influx of calls.

“The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed,” Smith said in the remarks. “The rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many.”

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.