Ex-Equifax CEO apologizes for hack, blames human and technical errors

On March 8, Atlanta-based Equifax received an urgent notice from the U.S. Department of Homeland Security. A vital security update needed to be installed in a software application used on its websites and those of many major companies.

The alert was sent the next day via email to the Equifax personnel who oversee security of the application, known as Apache Struts. It’s Equifax’s policy that such security updates be made within 48 hours.

But in this case, it wasn’t.

That lingering security vulnerability appears to be at the center of a hack that compromised the personal information of more than 140 million Americans, former Equifax CEO Rick Smith will say in testimony to members of Congress on Tuesday.

Smith’s prepared remarks to a congressional subcommittee, published online Monday, are the most substantive yet by an Equifax official since the cyber-theft was made public Sept. 7.

Smith stepped down from Equifax last week amid a crisis that roiled millions of Americans, led to dozens of class-action lawsuits against Equifax and triggered multiple investigations by federal and state authorities.

Political observers and consumer advocates expect Smith to receive a grilling this week on Capitol Hill as he is expected to testify over the course of three days before two House panels and before two Senate committees.

On Monday, Equifax increased the number of affected consumers to more than 145 million.

Smith's prepared testimony describes both the failures of Equifax officials to patch the vulnerability and how the company later missed the hole hackers exploited for months. Smith also takes responsibility and apologizes for the incident.

“The company failed to prevent sensitive information from falling into the hands of wrongdoers,” the statement says. “The people affected by this are not numbers in a database. They are my friends, my family, members of my church, the members of my community, my neighbors. This breach has impacted all of them. It has impacted all of us.”

In his remarks, Smith will call for an industry standard to allow consumers to lock and unlock their credit at will for free, a program Equifax said last week it will offer by next year.

The industry along with government should consider replacing Social Security numbers “as the touchstone for identity verification in this country,” Smith’s remarks say.

“It is time to have identity verification procedures that match the technological age in which we live,” the prepared remarks say.

Equifax has said hackers gained access to the company’s systems from May 13 to July 30.

Last month, days after the breach became public, Equifax blamed the Apache Software Foundation, which fired back that the patch was announced well before the breach happened.

On March 15, a week after Equifax first received the Apache Struts alert from DHS, a scan that “should have identified any systems that were vulnerable” didn’t, leaving the vulnerability in place, Smith’s remarks say.

As previously reported, Equifax said it noticed suspicious activity on July 29 in a part of its network where consumers can contest issues in their credit files and ultimately took the application offline the next day.

Smith learned of the breach July 31 from the company’s then-chief information officer, David Webb. At the time, according to Smith’s testimony, Smith was informed of evidence of the suspicious activity on the dispute portal, but Smith said he was not aware that personal information had been taken, nor did he “have any indication of the scope of this attack.”

Smith said the company retained the cyber practice at Atlanta law firm King & Spalding on Aug. 2 to guide its response and engaged the cybersecurity consulting firm Mandiant. That day, Equifax also alerted the FBI.

Over the following weeks, Smith said Equifax and its advisers analyzed data to determine the scope of the breach. By Aug. 15, Smith said he was informed that consumer information had been stolen, and he updated senior leadership two days later.

Smith said the internal probe was complicated by the volume of data and the location of information across “various data tables.”

Smith said he informed the company’s then-lead board member, Mark Feidler, who ultimately succeeded Smith as chairman, on Aug. 22. The full board was notified via conference calls on Aug. 24-25.

By Sept. 4, Smith said the company and its outside advisers had determined the theft involved more than 140 million consumers, and the company prepared to roll out its “support package” for consumers, a dedicated website, call center and a suite of services including credit monitoring.

Consumer watchdogs and lawmakers have savaged Equifax not only for the breach, but for the company’s ham-handed response. These public-facing failures included a balky consumer website and what appeared to be an attempt to make victims of the breach subject to binding arbitration for signing up for free credit monitoring tools the company offered in the wake of the breach.

Equifax later removed the binding arbitration clause from the service, and Smith said its inclusion was a mistake.

Smith said call centers were understaffed for the heavy volume of calls from consumers, and two of its call centers were forced to close when Hurricane Irma hit.


AJC Business reporter J. Scott Trubey keeps you updated on the latest news about economic development and commercial real estate in metro Atlanta and beyond.