Former Equifax CEO Apologizes for Massive Data Breach
By Jim Puzzanghera
The former chief executive of Equifax plans to apologize for the credit reporting company's massive data breach when he testifies Tuesday before a congressional committee, as well as detail the missteps in response to the hack that exposed the Social Security numbers and birthdates of as many as 143 million people.

"Equifax was entrusted with Americans' private data and we let them down," Richard Smith said in written testimony for the hearing that the House Energy and Commerce Committee released Monday. "To each and every person affected by this breach, I am deeply sorry that this occurred."

Smith stepped down last week in the wake of the breach, which has sparked numerous federal and state investigations as well as outrage from lawmakers. His appearance Tuesday before the House panel will be the first of three before congressional committees this week.

In his written testimony, Smith blamed the breach on "human error and technology failures" and said the company was a victim of "a massive theft."

"The company failed to prevent sensitive information from falling into the hands of wrongdoers," he said.

"The people affected by this are not numbers in a database. They are my friends, my family, members of my church, the members of my community, my neighbors," Smith said. "This breach has impacted all of them. It has impacted all of us."

Smith also said Equifax was "disappointed" with the rollout of a special website and call centers to deal with the fallout from the breach. The company "struggled with the initial effort" to help consumers, he said.

Equifax has been criticized for waiting nearly six weeks to notify the public after learning of the hack on July 29, and for initially making consumers give up their right to sue if they wanted free credit monitoring and identity theft protection. Equifax later backtracked on that.

Smith said the problems started on March 8 when the Department of Homeland Security's Computer Emergency Readiness Team sent a notice to Equifax and other companies about the need to patch a vulnerability in software known as "Apache Struts."

Equifax sent emails about the federal warning to workers responsible for the software, which is used in the company's consumer online disputes portal. But the "vulnerable versions" of the software were not identified or patched, Smith said.

"Equifax's efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have," Smith said. The company is investigating why.

Hackers appear to have first used the software vulnerability to access sensitive information on May 13 and continued to do so for weeks before Equifax's security team identified suspicious network traffic on July 29.

The next day, Equifax took the web portal offline.

Smith said he learned about the problem on July 31 from the company's chief information officer. A full response began on Aug. 2, including contacting the FBI, Smith said.

Equifax and an independent cybersecurity forensic consulting firm, Mandiant, worked "literally around the clock" to figure out what happened, Smith said. But despite numerous internal discussions, Equifax did not publicly announce the breach until Sept. 7.

Smith said one reason for the delay was that experts had told company executives that notifying the public "would provoke 'copycat attempts' and other criminal activity."

Equifax is trying to help consumers while also fixing its security systems, he said. The company's "vulnerability scanning and patch management processes and procedures" have been enhanced, Smith said.

Smith noted that in addition to his departure, the company's chief information officer and chief security officer also left the company following the breach.

© 2017 Los Angeles Times under contract with NewsEdge/Acquire Media. All rights reserved.
