WASHINGTON, D.C. — Former Equifax CEO Richard Smith, in a witness statement released prior to scheduled Congressional testimony on Tuesday, apologized to consumers for the recent hack that exposed up to 143 million consumers to identity crimes, calling the incident “our worst fears…come true.”
“We at Equifax clearly understood that the collection of American consumer information and data carries with it enormous responsibility to protect that data,” Smith says in the statement, posted Monday on the U.S. House Committee on Energy and Commerce website. He will testify before the committee on Tuesday morning. (Programming note: I’ll be there.) “We did not live up to that responsibility, and I am here today to apologize to the American people myself and on behalf of the Board, the management team, and the company’s employees.”
The statement is heavy on apologies, but light on specifics that might help, such as who took the data and why.
“It appears that the breach occurred because of both human error and technology failures,” Smith writes.
Smith says the firm received notice of the now-infamous Apache Struts vulnerability in March, but internal scans failed to detect any vulnerable services on its servers, so patches were not applied. That left those servers readily available for penetration by hackers. It took two months, but on May 13, hackers broke into Equifax computers.
Two months passed before Equifax security workers noticed suspicious activity on the firm’s computers. They detected unusual network traffic on the firm’s dispute website on July 29. By the next day, the “hack was over,” Smith said. But the investigation was just beginning.
Initially, the firm believed the hack was limited to computers involved in the dispute process. But by mid-August, outside security firm Mandiant had determined that massive amounts of personal information could have been stolen from a “database table containing a large amount of consumers’ PII, and potentially other data tables.”
By Sept. 4, the investigative team had created a list of 143 million consumers whose “personal information we believed had been stolen.”
I’ve asked earlier: why would any entity, human or computer, have access to all 143 million SSNs?
Smith also apologized for the firm’s initial response to the attack, which had many consumers visiting websites that crashed or calling customer service agents who were poorly trained to deal with the fallout.
“We were disappointed with the rollout of our website and call centers, which in many cases added to the frustration of American consumers. The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed,” he says. “This was extremely challenging given that the company needed to build a new capability to interface with tens of millions of consumers, and to do so in less than two weeks. That challenge proved overwhelming, and, regrettably, mistakes were made.”
As of late September, only 7.5 million consumers had signed up for Equifax’s remediation program, Smith said.
“To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I