That’s the first of a trio of Capitol Hill hearings at which Smith, who “retired” last week, is scheduled to testify this week (see Ousted Equifax CEO Faces 3 Congressional Hearings).
“The company failed to prevent sensitive information from falling into the hands of wrongdoers,” he said.
The total number of people affected by the recent Equifax breach has risen after more details came to light.
“The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed,” Smith said in the remarks.
Regulators in Britain and Canada have said they are probing the breach. The company adds that it is working with United Kingdom regulators to agree on how affected consumers should be notified.
Smith faced questions from legislators about Equifax’s botched response to the breach, the months-long delay in announcing it and whether consumers will be compensated for damage caused by identity theft. He was also asked about a provision in the terms of service Equifax initially attached to its offering for breach victims; Equifax later backtracked on it.
Smith said that provision was “never meant to apply in the first place” and was the result of the terms of service being copied and pasted from another Equifax product into the offering to breach victims.
Equifax was alerted to the Apache Struts vulnerability by the U.S. Homeland Security Department on March 9, Smith said in the testimony, but the flaw was not patched.
The testimony also confirms that the firm failed to patch the Apache Struts vulnerability when it should have, allowing hackers to exploit the flaw to access its network. The Mandiant investigation revealed that the number of Canadians affected is significantly lower than first estimated, with only approximately 8,000 at risk.
Mandiant, the cybersecurity firm hired to conduct a forensic investigation, did not identify any proof of new activity, according to Equifax.
He says that US-CERT notified the company on March 8 of the Apache Struts vulnerability that ultimately gave the attackers their way in.
The company notified the Federal Bureau of Investigation and hired outside counsel and security experts on August 2.
The company previously estimated that some 100,000 Canadians could have had their personal information compromised before a forensic review by cybersecurity firm Mandiant found the actual number to be much lower. Despite numerous internal discussions, Equifax did not publicly announce the breach until September 7.
Customers of companies including BT and Capital One are believed to have been among those affected. Three executives who sold shares on August 1 and 2 didn’t know suspicious activity had been detected at the time of those sales, he said, “to the best of my knowledge”. The company’s policy requires such a patch to be applied within 48 hours, but that did not happen.
Lawmakers asked U.S. Securities and Exchange Commission Chair Jay Clayton last week to confirm whether Equifax executives who have left their posts would still be investigated for wrongdoing.