WASHINGTON -- The former chairman and CEO of Equifax says the company was entrusted with personal information of 140 million Americans and "we let them down" as human error and technology failures allowed a massive data breach.
In prepared congressional testimony, Richard F. Smith said the millions are not just numbers in a database, but friends, family, neighbours and members of his church. The revelation last month of the disastrous hack to Equifax's computer system rocked the company which faces several state and federal inquiries and a myriad of class-action lawsuits.
"To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize," Smith said. "The company failed to prevent sensitive information from falling into the hands of wrongdoers."
Smith, who resigned after overseeing the company for a dozen years, says Equifax was hacked by a yet-unknown entity. He said the information stolen included names, Social Security numbers, birth dates and addresses. In addition, the credit card information for about 209,000 consumers was also stolen as well as certain documents with personally identifying information for approximately 182,000 consumers.
Lawmakers are expected to question Smith on how the company allowed the breach to occur, why it took as long as it did to notify consumers and what's it's doing to help consumers protect themselves going forward. The House subcommittee holding the hearing has jurisdiction over e-commerce and consumer protection issues.
Smith said the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software used by Equifax and other business. The company disseminated that warning by email the next day and requested that applicable personnel install the upgrade. The company's policy requires the upgrade to occur within 48 hours, but Smith said that did not occur. The company's information security department also ran scans on March 15 that did not pick up the vulnerability.
"I understand that Equifax's investigation into these issues is ongoing," Smith said in the prepared remarks. "The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information."
Smith said it appears the first date the hackers accessed sensitive information was May 13. Between May 13 and July 30, there is evidence to suggest the attackers continued to access sensitive information, but it wasn't until July 29 that Equifax's security department observed suspicious network traffic. Smith said the hack was over the next day, but the hard work of figure out the impact was just beginning.
Smith said he was told of the suspicious activity on July 31 in a conversation with the company's chief information officer. He then provided a timeline of events that included a senior leadership team meeting on Aug.17 where he learned the forensic investigation has determined large volumes of consumer data had been compromised. He said the lead member of the company's board of directors was notified on Aug. 22 and the full board two days later. He convened a board meeting to discuss the scale of the breach on Sept. 1.
Meanwhile, the company worked on a support package for consumers and then notified the public on Sept. 7.
Smith also said he was disappointed in the rollout of call centres and a website designed to help the people affected by the breach. He said the company has increased its number of customer service representatives and the website has been improved.
"Still, the rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many," Smith said in the prepared testimony.