Former Equifax CEO opens up over patch delays amid breach fallout

Former Equifax CEO claims it took months to patch the vulnerability that compromised the personal details of over 145M individuals

US-based credit reporting firm, Equifax, was alerted in March to the software security vulnerability that led to hackers obtaining personal information of more than 140 million individuals, but took months to patch it, its former CEO has said in a testimony to be delivered to Congress this week.

"It appears that the breach occurred because of both human error and technology failures," former CEO, Richard Smith, said in written testimony released on Monday by the Energy and Commerce Committee.

Separately, Equifax has said that an outside review determined about 2.5 million additional US consumers were potentially impacted, for a revised total of 145.5 million.

The company said the review also found that just 8,000 Canadian citizens were impacted, rather than up to 100,000 Canadians, as previously announced.

Equifax was alerted to the breach by the US Homeland Security Department on March 9, Smith said in the testimony, but it was not patched.

On March 15, Equifax’s information security department ran scans that should have identified any systems that were vulnerable to the software issue but did not, the testimony said.

As a result, "the vulnerability remained in an Equifax web application much longer than it should have," Smith said. "It was this unpatched vulnerability that allowed hackers to access personal identifying information."

In his testimony, Smith said it appears the first date hackers accessed sensitive information may have been on 13 May. He said "between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information."

Smith said security personnel noticed suspicious activity on July 29 and disabled the web application on July 30, ending the hacking. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On 2 August, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board's lead director on 22 August.

Smith, 57, said he was retiring last week and would forgo this year’s bonus as criticism mounts over the attack, which was not made public until 7 September and has prompted investigations by multiple federal and state agencies, including a criminal probe by the US Justice Department.

"I am here today to apologise to the American people myself," he said.

Smith also apologised for the company's response after the data breach was made public, including the "rollout of our website and call centers, which in many cases added to the frustration of American consumers."

He also said another well-known, independent expert consulting firm "has been retained to perform a top-to-bottom assessment of the company’s information security systems."

Smith will testify at three separate congressional hearings this week.

(Reporting by David Shepardson; Editing by Chizu Nomiyama and Dan Grebler)

