Equifax CEO: Execs failed to act on Homeland Security warning

The Department of Homeland Security alerted Equifax on March 8 to flaws in its software, but the credit-monitoring company twice failed to identify the vulnerability, its former chief executive revealed on Monday.

Equifax’s failure left the door open to a possible cyber-attack — and sure enough, two months later, the company’s database was hacked and the Social Security numbers and other sensitive information on 145.5 million Americans were swiped.

Richard Smith, who unexpectedly retired as chief executive on Sept. 25 in the aftermath of the hack, apologized to the country for failing to live up to the “enormous” responsibility of safeguarding the personal info.

“To each and every person affected by this breach, I am deeply sorry that this occurred,” Smith said in prepared remarks he is expected to give on Tuesday when testifying before a House subcommittee probing the hack.

The testimony depicts a “perfect storm” of errors, said Scott Vernick, partner and cybersecurity expert at Fox Rothschild.

“This is a company whose sole purpose is to safeguard data,” he said.

The DHS warned Equifax on March 8 that its software, Apache Struts, was vulnerable to hackers, Smith revealed in his first remarks on the hack since stepping down.

But after a March 9 review, “the vulnerable version of Apache Struts within Equifax was not identified or patched,” said Smith.

Six days later, another group of Equifax techies tried to tackle the software bug — but they failed as well, according to Smith.

“Equifax’s efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax Web application much longer than it should have,” the ex-CEO admitted.

At first, Equifax said 143 million IDs were stolen; that number on Monday was raised by 2.5 million.

Smith’s testimony offers some details on what executives knew and when — key information at the heart of state investigations into negligence. The FBI is also running a criminal investigation into whether three executives committed a crime when they sold nearly $2 million in stock in early August.

The hack began as early as May 13, Smith said — but was only discovered on July 29.

Smith was told of the breach on July 31 — the day before Chief Financial Officer John Gamble sold almost $1 million in shares, according to company filings.

Joseph Loughran and Rodolfo Ploder, company presidents in information and human resources, also sold about $800,000 worth of stock on Aug. 2.

The company said none of the stock-selling brass knew of the breach when they sold.

The Wall Street Journal reported Monday that the board was investigating the company’s top lawyer, John J. Kelly, for approving the stock sales.

Equifax has come under fire for waiting six weeks to alert the public to the hack — and for then offering help to the millions of affected Americans only if they first promised not to sue the company.

That quid pro quo was then lifted.