Tech and human errors combined to yield Equifax hack, says former CEO

(Bloomberg) -- Equifax Inc.’s former chief executive officer said the credit-reporting company failed to meet its responsibility to protect sensitive consumer information and struggled in responding to an “enormous” data hack reported last month.

Richard Smith apologized for the breach and outlined a chronology of key events in testimony prepared for a House Energy and Commerce Committee hearing set for Tuesday, according to a copy obtained by Bloomberg. He said both human efforts and technology failures were to blame for the attack that allowed criminals to access personal data on nearly half the U.S. population.

Richard F. Smith, chief executive officer of Equifax Inc. speaks with Bloomberg News reporters on Thursday, March 15, 2007, in San Francisco, California. Photographer: Noah Berger/Bloomberg News.

“To each and every person affected by this breach, I am deeply sorry that this occurred,” Smith said. “The company failed to prevent sensitive information from falling into the hands of wrongdoers.”

The company confirmed that its security experts identified a vulnerability in certain software in March that needed to be patched. But, as outlined in Smith’s testimony, the company’s security department did not respond accordingly. It’s that failure to patch the system that allowed hackers to steal some of the most sensitive data, the company said.

Smith said he was first informed there was suspicious activity on July 31 in a conversation with his chief information officer, two days after Equifax’s security department saw it. He said he didn’t know that personal identifying information, like Social Security numbers, had been taken until Aug. 15.

The company contacted the FBI and hired outside counsel and security experts on Aug. 2, Smith said. He began notifying Equifax’s board of directors on Aug. 22, and convened a board meeting to discuss the scale of the breach on Sept. 1.

Smith also said the company was “disappointed” with how its website and call centers were managed in the wake of the breach. In the days after the breach, consumers weren’t able to access the website the company set up to help identify who was hacked and the firm had trouble handling the massive influx of calls.

“The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed,” Smith said in the remarks. “The rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many.”

Bloomberg News