Former Equifax chairman apologizes for data breach

Equifax Inc was alerted in March to the software security vulnerability that led to hackers obtaining personal information of more than 140 million Americans but took months to patch it, according to its former chairman.

In prepared testimony to be delivered to Congress on Tuesday, Richard F. Smith said Equifax was told of the breach in March by the U.S. Homeland Security Department.

‘It appears that the breach occurred because of both human error and technology failures,’ Smith said in written testimony released on Monday by the Energy and Commerce Committee. 

Smith, 57, said he was retiring from the company last week and would forgo this year’s bonus as criticism mounted over the attack, which was not made public until September 7.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Justice Department.

Smith is still eligible for $18.4 million in retirement benefits, regardless of the results of the internal probe.

On March 15, Equifax's information security department ran scans that should have identified any systems that were vulnerable to the software issue, but the scans did not, his testimony said.

‘The vulnerability remained in an Equifax web application much longer than it should have,’ Smith said. ‘It was this unpatched vulnerability that allowed hackers to access personal identifying information.’

In his testimony, Smith said it appears the first date hackers accessed sensitive information may have been on May 13. He said ‘between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information.’

Smith said security personnel noticed suspicious activity on July 29 and disabled the web application on July 30, ending the hacking. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On August 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on August 22.

Smith apologized for the company’s response after the data breach was made public.  

He said the company was entrusted with the personal information of 140 million Americans and ‘we let them down’ as human error and technology failures allowed a massive data breach. He said the millions are not just numbers in a database, but friends, family, neighbors and members of his church.

‘To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize,’ Smith said. 

‘The company failed to prevent sensitive information from falling into the hands of wrongdoers.’

Smith, who resigned after overseeing the company for a dozen years, says Equifax was hacked by a yet-unknown entity. 

He said the information hacked by criminals in a major cyber-attack included names, Social Security numbers, birth dates and addresses. 

In addition, credit card information for about 209,000 consumers was stolen, as well as certain documents with personally identifying information for approximately 182,000 consumers.

Smith also said he was disappointed in the rollout of call centers and a website designed to help the people affected by the breach. He said the company has increased its number of customer service representatives and the website has been improved.

‘Still, the rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many,’ Smith said in the prepared testimony.

Smith will be testifying Tuesday in the first of several congressional hearings this week into the Equifax breach as both House and Senate panels examine what occurred.
