‘Our worst fears…come true’ — Former Equifax CEO issues testimony on eve of grilling by Congress

You can click this link to watch the hearing at 10 a.m. Tuesday morning.

WASHINGTON, D.C. — Former Equifax CEO Richard Smith, in a witness statement released prior to scheduled Congressional testimony on Tuesday, apologized to consumers for the recent hack that exposed up to 143 million consumers to identity crimes, calling the incident “our worst fears…come true.”

“We at Equifax clearly understood that the collection of American consumer information and data carries with it enormous responsibility to protect that data,” Smith says in the statement, posted Monday on the  U.S. House Committee on Energy and Commerce website. He will testify before the committee on Tuesday morning.  (Programming note: I’ll be there.) “We did not live up to that responsibility, and I am here today to apologize to the American people myself and on behalf of the Board, the management team, and the company’s employees.”

The statement is heavy on apologies, but light on specifics that might help, such as who took the data and why.

“It appears that the breach occurred because of both human error and technology failures,” Smith writes.

Smith says the firm received notice of the now-infamous Apache Struts vulnerability in March, but internal scans failed to detect any vulnerable services on its servers, so patches were not applied.  That left those servers readily available for penetration by hackers. It took two months, but on May 13, hackers broke into Equifax computers.

Two months passed before Equifax security workers noticed suspicious activity on the firm’s computers. They detected unusual network traffic on the firm’s dispute website on July 29. By the next day, the “hack was over,” Smith said. But the investigation was just beginning.

Initially, the firm believed the hack was limited to computers involved in the dispute process. But by mid-August, outside security firms Mandiant had determined that massive amounts of personal information could have been stolen from a “database table containing a large amount of consumers’ PII, and potentially other data tables.”

By Sept. 4, the investigative team had created a list of 143 million consumers whose “personal information we believed had been stolen.”

I’ve asked earlier; why would any entity, human or computer, have access to all 143 millions SSNs?

Smith also apologized for the firm’s initial response to the attack, which had many consumers visiting websites that crashed or calling customer service agents who were poorly trained to deal with the fallout.

“We were disappointed with the rollout of our website and call centers, which in many cases added to the frustration of American consumers. The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed,” he says. “This was extremely
challenging given that the company needed to build a new capability to interface with tens of
millions of consumers, and to do so in less than two weeks. That challenge proved overwhelming, and, regrettably, mistakes were made.”

As of late September, only 7.5 million consumers had signed up for Equifax’s remediation program, Smith said.

“To each and every person affected by this breach, I am deeply sorry that this occurred. Whether
your personal identifying information was compromised, or you have had to deal with the
uncertainty of determining whether or not your personal data may have been compromised, I
sincerely apologize.”

AlertMe
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.


 

About Bob Sullivan 1115 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

2 Comments

  1. Hewlett Packard let Russia examine the source code of the intrusion detection software that is used buy our military and other government entities. The Equifax break in is due to the disruption of the intrusion detection system by the Russians.

    In 2002 I was enrolled in Medical Informatics at UC Davis. It was clear to us that the computer industry was so engrossed with selling hardware and software that they had no interest in data security. We protested but it all fell on deaf ears. This is just another example of how our captains of industry have betrayed us again and compromised our security in order to sell their products to our enemy. This is when we need to reintroduce burning at the stake.

    I

Leave a Reply

Your email address will not be published.


*