Equifax ex-chief admits responsibility 'starts at the top' for devastating data breach

Former Equifax CEO Richard Smith says the data breach shouldn't have happened on his watch.
Written by Charlie Osborne, Contributing Writer

Former Equifax chief executive Richard Smith has testified in front of US regulators, claiming that the massive data breach occurred due to both "human error and technology failures."

In front of the US House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, on Tuesday, Smith said the data breach, resulting in the theft of Social Security numbers, birth dates, addresses, driver's license numbers and credit card information, has been a "devastating experience" for those at Equifax, and the company failed to uphold its responsibility to keep this information safe from exposure.

Last month, credit rating and report company Equifax admitted to an enormous data breach which led to the theft and compromise of the personal and sensitive data of up to 143 million consumers across the US, in addition to some customers in Canada and the United Kingdom.

However, an analysis conducted by cybersecurity and forensics firm Mandiant later revealed this figure was wrong and an additional 2.5 million American consumers were affected, bringing the total to 145.5 million.

A breach on this scale, yielding a trove of data on millions of people that could be used for identity theft, to open credit lines in victims' names and to wreck their finances, was inevitably something regulators had to examine.

To make matters worse, Equifax's botched response to the breach and customer concerns ramped up criticism, and the firm's fraud alert checker website was discovered to be vulnerable to threat actors.

See also: Equifax blames open-source software for its record-breaking security breach

While Paulino do Rego Barros, Jr. has taken over as interim CEO following Smith stepping down, this does not mean the former executive is off the hook.

At the hearing, the former executive said in written testimony that Equifax "did not live up to the responsibility" that comes with collecting citizens' data, and that as CEO, "I was ultimately responsible for what happened on my watch."

"The people affected by this are not numbers in a database," Smith said. "They are my friends, my family, members of my church, the members of my community, my neighbors. This breach has impacted all of them. It has impacted all of us."

The former CEO offered regulators a timeline of the events leading to the breach, saying the chain started on March 8, when US-CERT notified the company of a vulnerability in Apache Struts, the web framework used by Equifax's online dispute portal, that needed to be patched.

While Equifax claims that such patches are usually applied within 48 hours, in this case, "the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel," according to Smith.

On March 15, the firm's security team ran scans "that should have identified any systems that were vulnerable to the Apache Struts issue." As a number of security researchers have noted, however, a vulnerability scanner detects this bug only by sending a test request to a URL that Struts actually handles; if the scan is pointed at hosts or front pages rather than the Struts endpoints themselves, the vulnerable code path is never exercised and the flaw remains hidden.
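To make the scanner-coverage point concrete, here is an added example in Python (not Equifax's, Mandiant's or any scanner vendor's code): given the URLs a crawl of a web application turned up and the URLs a vulnerability scan was actually pointed at, it picks out the requests a Struts application would handle and reports which of them the scan never touched. The rule for recognising Struts-handled URLs (the `.action` extension of Struts 2's default mapping and the `.do` extension of Struts 1) and every hostname, path and scan scope below are assumptions constructed for the example, not details from the article.

```python
"""Scan-coverage check for a Struts-based web application.

Added example, not Equifax's, Mandiant's or any scanner's code. Assumption
(not from the article): a request is handled by Struts when its path ends in
'.action' (Struts 2 default mapping) or '.do' (Struts 1). Hostnames, paths
and scan scopes below are constructed sample data.
"""
from urllib.parse import urlsplit

# Assumed action-mapping extensions; adjust to the deployment's struts.xml/web.xml.
STRUTS_SUFFIXES = (".action", ".do")


def is_struts_url(url):
    """True if the URL path would be dispatched to a Struts action."""
    return urlsplit(url).path.lower().endswith(STRUTS_SUFFIXES)


def normalize(url):
    """Collapse scheme/host case and drop query and fragment so scope entries compare equal."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/")


def coverage_report(crawled, scanned):
    """Which Struts-handled URLs were in scan scope, and which were missed.

    crawled: every URL seen while crawling the application.
    scanned: the URLs the vulnerability scanner was actually pointed at.
    The scanner only exercises the Struts code path on requests to URLs in
    'scanned'; a Struts URL absent from that list is never tested at all.
    """
    struts_targets = {normalize(u) for u in crawled if is_struts_url(u)}
    in_scope = {normalize(u) for u in scanned}
    return {
        "struts_endpoints": sorted(struts_targets),
        "covered": sorted(struts_targets & in_scope),
        "missed": sorted(struts_targets - in_scope),
    }


# Constructed sample: a hypothetical dispute portal plus a legacy host.
CRAWLED = [
    "https://disputes.example.com/",
    "https://disputes.example.com/login.action",
    "https://disputes.example.com/dispute/submit.action?step=1",
    "https://disputes.example.com/dispute/upload.action",
    "https://disputes.example.com/static/app.js",
    "https://disputes.example.com/help/faq.html",
    "https://legacy.example.com/",
    "https://legacy.example.com/search.do",
]

# Scope 1: the scanner was handed only the hosts' front pages.
ROOT_ONLY_SCOPE = ["https://disputes.example.com/", "https://LEGACY.example.com"]

# Scope 2: the scanner was handed everything the crawl found.
FULL_SCOPE = CRAWLED


if __name__ == "__main__":
    for name, scope in (("root-only scope", ROOT_ONLY_SCOPE), ("crawled scope", FULL_SCOPE)):
        report = coverage_report(CRAWLED, scope)
        print(f"{name}: {len(report['covered'])} Struts endpoint(s) tested, "
              f"{len(report['missed'])} never reached")
        for _, host, path in report["missed"]:
            print(f"  missed: {host}{path}")
```

Run stand-alone, the root-only scope reports four Struts endpoints that the scan never reached, while the same four are all covered once the crawl results are used as the scan scope. The list worth acting on is `missed`: every entry there is a code path about which the scan result says nothing, which is the gap the article describes.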

"Equifax's efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have," the former CEO admitted. "I understand that Equifax's investigation into these issues is ongoing."

"The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information," Smith added.

The vulnerability was first exploited on May 13, but Equifax remained in the dark. The threat actors behind the breach -- or perhaps even separate groups -- continued to root around in consumers' PII between May 13 and July 30.

It was not until July 29 that the Equifax security team noticed "suspicious network traffic" flowing in and out of the consumer dispute portal, by which time the damage was done.

Smith was made aware of the problem the next day after the portal was taken offline to address the bug. Equifax then reached out to cyberforensics firm Mandiant for help and notified the FBI.

Mandiant traced the issue during the following month, but finding out exactly how much PII had been compromised was difficult, according to the former chief.

"A substantial complication was that the information stolen from Equifax had been stored in various data tables, so tracing the records back to individual consumers, given the volume of records involved, was extremely time-consuming and difficult," Smith admitted. "To facilitate the forensic effort, I approved the use by the investigative team of additional computer resources that significantly reduced the time to analyze the data."

On August 22, the Equifax board was notified, and after the public was made aware of the breach, all hell broke loose.

Millions of customers called in, the company could not cope, and Smith admitted both the call center staff and the website were not up to scratch. One major issue, for example, was a clause in the website's terms under which anyone who used the service waived the right to join a class-action lawsuit.

"That provision -- which was never intended to apply in the first place -- was immediately removed as soon as it was discovered. (I was informed later that it had simply been inadvertently included in terms and conditions that were essentially "cut and pasted" from a different Equifax offering.)," according to Smith.

"Accountability starts at the top and I, therefore, decided to step down as CEO and retire early to allow the company to move forward," Smith said.

The damage is already done, but Equifax has scrambled to put together what it calls a "robust package of remedial protections" for Americans impacted by the breach.

While there is no word on damage-control efforts for victims outside the US, the company says it will offer free credit monitoring, access to Equifax credit files, an insurance policy covering "out of pocket expenses" for those affected, and dark web monitoring for signs that Social Security numbers are being offered for sale.

In addition, the credit reporting agency will offer a tool that allows consumers to lock and unlock their credit files "for life, and at no cost."

However, this tool will not be available until next year, and given the firm's recent performance, we will have to see how it performs -- and when it lands.

"This has been a devastating experience for the men and women of Equifax. But I know that under the leadership of Paulino and Mark they will work tirelessly, as we have in the past two months, to make things right," Smith says. "Giving consumers more control of their data is a start, but is not a full solution in a world where the threats are always evolving."

"I am hopeful there will be careful consideration of this changing landscape by both policymakers and the credit reporting industry," the former executive said.
