On March 8, Atlanta-based Equifax received an urgent notice from the U.S. Department of Homeland Security. A vital security update needed to be installed in Apache Struts, an open-source web application framework used on its websites and those of many other major companies.
The alert was sent the next day via email to the Equifax personnel who oversee security of the Struts application. It's Equifax's policy that such security updates be made within 48 hours.
But in this case, it wasn’t.
That lingering security vulnerability appears to be at the center of a hack that compromised the personal information of more than 140 million Americans, former Equifax CEO Rick Smith will say in testimony to members of Congress on Tuesday.
Smith stepped down from Equifax last week amid a crisis that roiled millions of Americans, led to dozens of class-action lawsuits against Equifax and triggered multiple investigations by federal and state authorities.
Political observers and consumer advocates expect Smith to receive a grilling this week on Capitol Hill as he is expected to testify over the course of three days before two House panels and before two Senate committees.
On Monday, Equifax increased the number of affected consumers to more than 145 million.
His prepared testimony describes both the failure of Equifax officials to patch the vulnerability and how the company then missed, for months, the hole hackers exploited. Smith also takes responsibility and apologizes for the incident.
“The company failed to prevent sensitive information from falling into the hands of wrongdoers,” the statement says. “The people affected by this are not numbers in a database. They are my friends, my family, members of my church, the members of my community, my neighbors. This breach has impacted all of them. It has impacted all of us.”
In his remarks, Smith will call for an industry standard to allow consumers to lock and unlock their credit at will for free, a program Equifax said last week it will offer by next year.
The industry along with government should consider replacing Social Security numbers “as the touchstone for identity verification in this country,” Smith’s remarks say.
“It is time to have identity verification procedures that match the technological age in which we live,” the prepared remarks say.
Equifax has said hackers gained access to the company’s systems from May 13 to July 30.
Last month, days after the breach became public, Equifax blamed the Apache Software Foundation, which fired back that the patch was announced well before the breach happened.
On March 15, a week after Equifax first received the Apache Struts alert from DHS, a scan that “should have identified any systems that were vulnerable” didn’t, leaving the vulnerability in place, Smith’s remarks say.
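The article does not say what the March 15 scan looked for or why it missed the vulnerable systems. As an added illustration (not code from the article, Equifax or Apache), the script below shows the kind of inventory check a practitioner would run alongside a network scanner: walk a list of deployed jar paths, pick out the Struts core library, and compare each version against the minimum fixed version for its release branch. The sample paths are constructed for this example, and the fixed-version table is supplied as an input; the values shown (2.3.32 for the 2.3 line, 2.5.10.1 for the 2.5 line) are the ones Apache published for the March 2017 Struts fix, which the article refers to but does not name.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample inventory (not from the article): jar paths as a
# file-system or artifact scan of several web applications would report them.
SAMPLE_INVENTORY = [
    "/opt/apps/dispute-portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/apps/dispute-portal/WEB-INF/lib/commons-io-2.5.jar",
    "/opt/apps/billing/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/apps/reports/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/apps/legacy/WEB-INF/lib/struts2-core-2.3.32.jar",
]

# Minimum fixed version per Struts release branch. This is an input to the
# check, not something the article states; the values are the fixed releases
# Apache published for the March 2017 Struts advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Matches the Struts core jar and captures its dotted version string.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly, so (2,5,10) < (2,5,10,1)."""
    return tuple(int(part) for part in text.split("."))


def audit_inventory(paths: Iterable[str],
                    fixed: Dict[Tuple[int, int], Tuple[int, ...]] = FIXED_VERSIONS) -> List[dict]:
    """Classify every struts2-core jar as 'vulnerable', 'patched' or 'unknown-branch'.

    A branch with no entry in `fixed` is deliberately reported rather than
    silently treated as clean: a scan that only flags what it knows about
    is how a vulnerable system gets missed.
    """
    findings = []
    for path in paths:
        match = JAR_RE.search(path)
        if not match:
            continue  # not the Struts core library; other jars are out of scope here
        version_text = match.group(1)
        version = parse_version(version_text)
        floor = fixed.get(version[:2])
        if floor is None:
            status = "unknown-branch"
        elif version < floor:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"path": path, "version": version_text, "status": status})
    return findings


def needs_action(findings: List[dict]) -> List[dict]:
    """Everything that is not positively known to be patched needs follow-up."""
    return [f for f in findings if f["status"] != "patched"]


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding['status']:15} {finding['version']:10} {finding['path']}")
    print(f"{len(needs_action(audit_inventory(SAMPLE_INVENTORY)))} jar(s) need action")
```

Two caveats a practitioner would add. First, a check like this only sees jars that sit unpacked on disk; a Struts library bundled inside a WAR or EAR that was never expanded is invisible to it unless the archives are opened, which is one plausible way a scan that "should have identified" vulnerable systems reports nothing. Second, the version floor has to be kept current per branch: a 2.5.x host that is newer than every 2.3.x fix is still vulnerable if it sits below its own branch's fix.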
As previously reported, Equifax said it noticed suspicious activity on July 29 in a part of its network where consumers can contest issues in their credit files, and it ultimately took the application offline the next day.
Smith learned of the breach July 31 from the company’s then-chief information officer, David Webb. At the time, according to Smith’s testimony, Smith was informed of evidence of the suspicious activity on the dispute portal, but Smith said he was not aware that personal information had been taken, nor did he “have any indication of the scope of this attack.”
Smith said the company retained the cyber practice at Atlanta law firm King & Spalding on Aug. 2 to guide its response and engaged the cybersecurity consulting firm Mandiant. That day, Equifax also alerted the FBI.
Over the following weeks, Smith said Equifax and its advisers analyzed data to determine the scope of the breach. By Aug. 15, Smith said he was informed that consumer information had been stolen, and he updated senior leadership two days later.
Smith said the internal probe was complicated by the volume of data and the location of information across “various data tables.”
Smith said he informed the company’s then-lead board member, Mark Feidler, who ultimately succeeded Smith as chairman, on Aug. 22. The full board was notified via conference calls on Aug. 24-25.
By Sept. 4, Smith said the company and its outside advisers had determined the theft involved more than 140 million consumers, and the company prepared to roll out its “support package” for consumers, a dedicated website, call center and a suite of services including credit monitoring.
Consumer watchdogs and lawmakers have savaged Equifax not only for the breach, but for the company's ham-handed response. These public-facing failures included a balky consumer website and what appeared to be an attempt to make victims of the breach subject to binding arbitration for signing up for the free credit monitoring tools the company offered in the wake of the breach.
Equifax later removed the binding arbitration clause from the service, and Smith said its inclusion was a mistake.
Smith said call centers were understaffed for the heavy volume of calls from consumers, and two of its call centers were forced to close when Hurricane Irma hit.