Ex-Equifax CEO: Tech staff were told to patch security flaw before breach
Equifax's former chief executive will tell lawmakers Tuesday that the credit bureau botched a critical opportunity to patch the security vulnerability hackers would eventually use to gain access to its files.
Richard Smith resigned from Equifax following the breach that gave intruders access to personal information on as many as 143 million Americans. The House Energy and Commerce subcommittee holding the hearing posted Smith's advance written testimony Monday.
Smith will testify that Equifax received a warning on March 8 about a vulnerability in Apache Struts software from U.S. CERT, a Department of Homeland Security body that notifies companies of widespread computer security problems. Equifax used Struts as part of its website.
On March 9, the company directed "applicable personnel" to patch that vulnerability. Company policy was to apply such patches within 48 hours.
"We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel," Smith wrote in his testimony.
"On March 15, Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT. Unfortunately, however, the scans did not identify the Apache Struts vulnerability," Smith continued.
Four months later, the company noticed unusual network traffic and deduced that it had been hacked.
Tuesday's hearing at the Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection will be one of four hearings on the breach slated to occur this week.
In his written testimony, Smith said when it came to assigning corporate responsibility for the breach, the buck stopped with him.
"Let me say clearly: As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans' private data and we let them down. To each and every person affected by this breach, I am deeply sorry that this occurred. ... The people affected by this are not numbers in a database. They are my friends, my family, members of my church, the members of my community, my neighbors. This breach has impacted all of them. It has impacted all of us," he wrote.