Former Equifax CEO Richard Smith has confirmed the company failed to patch a software vulnerability that hackers exploited to compromise the personal information of more than 140 million Americans.
In written testimony to be delivered to a congressional committee on Tuesday, Smith said the Department of Homeland Security alerted Equifax and other companies on March 8 to the need to fix the flaw in Apache Struts, a popular open source framework for creating Java apps that Equifax used in its consumer online disputes portal.
A patch for the flaw had been made available the previous day. But according to Smith, Equifax’s information security department was unable to identify any systems that were vulnerable to the software issue.
As a result, he said, “the vulnerability remained in an Equifax web application much longer than it should have. It was this unpatched vulnerability that allowed hackers to access personal identifying information.”
Before Smith’s testimony, Equifax had not accounted for its apparent failure to install the patch. The breach occurred in mid-May but Equifax security personnel did not notice any suspicious activity until July 29. They disabled the web application the following day, ending the hacking.
Security experts have warned that other organizations may be vulnerable to similar breaches because of the technical challenges involved in patching a flaw in applications software. Many users do not maintain a proper inventory of their apps, making it difficult even to identify exactly where the flaw that needs to be patched is.
Smith said he learned about the problem July 31 from the company’s chief information officer and a full response began Aug. 2, including contacting the FBI. Despite numerous internal discussions, Equifax did not publicly announce the breach until Sept. 7.
One reason for the delay, Smith said, was experts had told company executives that notifying the public “would provoke ‘copycat attempts’ and other criminal activity.”
Smith announced last week he was retiring amid amounting criticism of Equifax’s response to the breach. “I am here today to apologize to the American people myself,” he said in his testimony.