Former Equifax Chairman and CEO Richard Smith is headed to Washington D.C. this week for back-to-back hearings on the massive Equifax data breach, shedding light on exactly how a breach of this size happened.
Smith’s first prepared testimony for his hearing on Tuesday before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection entitled, “Oversight of the Equifax Data Breach: Answers for Consumers,” became public Monday.
Along with issuing a public apology to the nation, the testimony gave a chronological account of how the breach happened.
Smith began his testimony saying, “Let me say clearly: As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans’ private data and we let them down. To each and every person affected by this breach, I am deeply sorry that this occurred.”
But beyond his apology, Smith said he wants to respond to the question that is on everyone’s mind, which is, “How did this happen?”
Consumers, going into the hearings this week, mostly knew that the breach potentially impacts as many as 143 million U.S. consumers. And as of Monday, this number has actually gone up.
According to the beginning information from the company, “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
Those files includes the names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, of approximately 143 million consumers, Equifax stated.
Now, in Smith’s hearing, he explained that the breach “occurred because of both human error and technology failures. These mistakes – made in the same chain of security systems designed with redundancies – allowed criminals to access over 140 million Americans’ data.”
Below is Smith’s beginning account of the breach, revealing how the hackers managed to get in the company’s system. For details on how Smith and the company dealt with the information after they found out, read the full testimony here.
Timeline of events:
March 8, 2017: The U.S. Department of Homeland Security, Computer Emergency Readiness Team (“U.S. CERT”) sent Equifax and many others a notice of the need to patch a particular vulnerability in certain versions of software used by other businesses. Equifax used that software, which is called “Apache Struts,” in its online disputes portal, a website where consumers can dispute items on their credit report.
March 9: Equifax disseminated the U.S. CERT notification internally by email requesting that applicable personnel responsible for an Apache Struts installation upgrade their software. Consistent with Equifax’s patching policy, the Equifax security department required that patching occur within a 48 hour time period. We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel.
March 15: Equifax’s information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT. Unfortunately, however, the scans did not identify the Apache Struts vulnerability. Equifax’s efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have. I understand that Equifax’s investigation into these issues is ongoing. The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information.
May 13: Based on the investigation to date, it appears that the first date the attacker(s) accessed sensitive information may have been on May 13, 2017. The company was not aware of that access at the time. Between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information, exploiting the same Apache Struts vulnerability. During that time, Equifax’s security tools did not detect this illegal access.
July 29: Equifax’s security department observed suspicious network traffic associated with the consumer dispute website (where consumers could investigate and contest issues with their credit reports). In response, the security department investigated and immediately blocked the suspicious traffic that was identified. The department continued to monitor network traffic and observed additional suspicious activity on July 30, 2017. In response, they took the web application completely offline that day. The criminal hack was over, but the hard work to figure out the nature, scope, and impact of it was just beginning.
July 31: I was told about the suspicious activity.
After the beginning timeline of events on how the breach happened, Smith details how Equifax planned to announce the breach and their strategy on how to communicate with consumers, a topic the company received a lot of backlash for.
The investigation is still ongoing, and Smith said, “It is my hope and expectation that, at the conclusion of the investigation, we will have an even more complete account of what happened, how future attacks by criminal hackers can be deterred and suspicious activity curbed more quickly, and most importantly, how consumers’ concerns about the security of their personal data can be alleviated.”