Ex-Equifax CEO to apologize in congressional testimony for data breach

Andrew Cummings
October 3, 2017

"On March 15, Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT".

Richard Smith resigned from Equifax following a breach that gave intruders access to personal information on as many as 143 million Americans. A cybersecurity firm retained by the company reported Monday that the number might actually be closer to 145.5 million - 2.5 million more than initially reported. But among the swirl of state and federal investigations that have opened since the breach was disclosed to the public on September 7 are stock sales by three company insiders - the chief financial officer and two business heads - in early August.

All of these probably pale in comparison when one takes into account the May 2017 hack of Equifax, a consumer credit reporting agency - something that has since been dubbed one of the worst security breaches ever.

While company protocol requires that Equifax patch up the software glitch within 48 hours, Smith said he now knows that the software vulnerability was "not identified or patched".

The House Energy and Commerce subcommittee holding the hearing posted Smith's advance written testimony Monday. He also apologized for the way the company handled the announcement of what happened. Investigators say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem and the U.S. Office of Personnel Management, all ultimately attributed to hackers working for Chinese intelligence.

Smith's prepared remarks to a congressional subcommittee, published online Monday, are the most substantive yet by an Equifax official since the cyber-theft was made public September 7.

In his remarks, Smith will call for an industry standard to allow consumers to lock and unlock their credit at will for free, a program Equifax said last week it will offer by next year. Smith said at an event at the University of Georgia in August. It was "overwhelming", Smith says in the testimony, "and, regrettably, mistakes were made".

Investors are more bearish on Equifax, Inc. of late as shown by the change in short interest. But by mid-August, outside security firm Mandiant had determined that massive amounts of personal information could have been stolen from a "database table containing a large amount of consumers' PII, and potentially other data tables". The company adds an unspecified number of U.K. and Canadian consumers also may have been impacted.

Smith said tentative results of the investigation so far show attackers first accessed sensitive information on May 13 and continued to have access over the next two months.

Consumer watchdogs and lawmakers have savaged Equifax not only for the breach, but for the company's ham-handed response. The company is providing free identity theft protection and credit file monitoring.

Smith also said he was disappointed in the rollout of call centers and a website created to help the people affected by the breach.

Lawmakers are expected to grill Smith about why it took the company so long to notify the public after he was informed of "suspicious activity" on July 31.
