Ex-Equifax CEO blames human and technical errors for massive breach

Former Equifax Chairman and CEO Rick Smith will tell members of Congress on Tuesday that a mixture of "human error and technology failures" led to a breach of the credit bureau's security in a hack that compromised the personal information of more than 140 million people.

In prepared remarks, Smith is expected to address what is known about the breach so far and explain a number of communications failures that have dogged the Atlanta-based company since the cybertheft was made public Sept. 7. Smith is scheduled to testify before a subcommittee of the U.S. House Committee on Energy and Commerce.

His prepared remarks were posted online Monday ahead of his expected testimony tomorrow on Capitol Hill.

Last month, Equifax announced the mammoth breach, saying criminals had access to Equifax's systems from mid-May to July and that the intrusion was discovered by the company on July 29. Smith announced his retirement from the company last week.

“Let me say clearly: As CEO, I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans’ private data and we let them down,” Smith’s prepared remarks say. “To each and every person affected by this breach, I am deeply sorry that this occurred.”

His testimony includes a timeline of events going back to March. On March 8, Smith’s testimony reads, the company got an alert from the U.S. Department of Homeland Security’s Computer Emergency Readiness Team about the need to patch a flaw in an application known as Apache Struts. That alert, Smith said, was shared with the company’s security team, and company policy called for such a security update to be completed within 48 hours.

“We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel,” Smith’s prepared remarks say.

Subsequent scans of Equifax’s system by its security department that should have found the Struts issue did not find the vulnerability.

A subsequent investigation found that hackers first accessed sensitive data on May 13 and that hackers accessed Equifax’s systems from that date through July 30.

As previously reported, Equifax noticed suspicious activity on July 29 and ultimately took the application offline the next day.

AJC Business reporter J. Scott Trubey keeps you updated on the latest news about economic development and commercial real estate in metro Atlanta and beyond.