Equifax’s former CEO Richard Smith—who “retired” after a massive data breach at his company resulted in the theft of personal information for more than 143 million people—is set to testify before a Congressional subcommittee on consumer protection tomorrow. Smith will be expected to explain exactly how Equifax bungled its response to the hack, and his prepared testimony sheds some light on exactly what went wrong.
The breach at Equifax was traced to a vulnerability in Apache Struts (CVE-2017-5638, disclosed in March) that lets an unauthenticated attacker execute arbitrary commands on the server by sending a malformed Content-Type header. On March 8, the Department of Homeland Security warned that the Struts vulnerability could give remote attackers full control of an affected system and urged enterprises to patch. Equifax had a procedure in place to push patches, but that procedure failed, Smith said.
Equifax's internal policy required the vulnerability to be patched within 48 hours, Smith explained, but the security team did not identify that a vulnerable version of Struts was running in the company's systems. On March 15, the team ran another scan that should have detected the vulnerable version of Struts, and it failed to do so as well.
“Equifax’s efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have,” Smith explained.
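A scan that misses a vulnerable Struts build usually fails for a mundane reason: the jar sits inside a WAR or EAR the scanner never opened, or it has been renamed or bundled under a different file name. The following scanner is an added example written for this page, not Equifax's tooling and not taken from the testimony. It walks a directory, opens every jar/war/ear/zip, recurses into nested archives, and identifies struts2-core by its Maven `pom.properties` (which survives renaming) with the file name as a fallback. The version ranges come from the Apache Struts S2-045 advisory for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10 affected; fixed in 2.3.32 and 2.5.10.1). The sample WAR named `dispute.war` is constructed in memory for illustration.

```python
"""Find Apache Struts 2 core jars, including ones nested inside WAR/EAR files,
and flag versions affected by CVE-2017-5638 (S2-045).

Added example for illustration; not Equifax's scanner."""
import io
import os
import re
import sys
import zipfile

# Maven metadata that struts2-core ships inside the jar; survives a file rename.
STRUTS_POM = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(s):
    return tuple(int(x) for x in s.split("."))


def is_vulnerable(version):
    """Affected per S2-045: 2.3.5 <= v < 2.3.32 and 2.5 <= v < 2.5.10.1."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < (2, 3, 32)
    if v[:2] == (2, 5):
        return v < (2, 5, 10, 1)
    return False


def struts_version_of(zf, archive_name):
    """Return the struts2-core version if this archive is struts2-core itself."""
    if STRUTS_POM in zf.namelist():
        for line in zf.read(STRUTS_POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = JAR_RE.search(archive_name.rsplit("/", 1)[-1])
    return m.group(1) if m else None


def scan_archive(data, path, depth=0, findings=None):
    """Recursively inspect an archive held in memory; depth cap limits zip bombs."""
    findings = [] if findings is None else findings
    if depth > 4:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        version = struts_version_of(zf, path)
        if version:
            findings.append((path, version, is_vulnerable(version)))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{path}!/{name}", depth + 1, findings)
    return findings


def scan_tree(root):
    """Scan every archive under a directory (e.g. a Tomcat webapps/ folder)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    scan_archive(fh.read(), p, 0, findings)
    return findings


def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR: one old struts2-core, one renamed vulnerable copy,
    one patched copy without Maven metadata, and an unrelated jar."""
    old = make_zip({STRUTS_POM: "version=2.3.31\n", "org/apache/struts2/X.class": b""})
    renamed = make_zip({STRUTS_POM: "version=2.5.10\n"})
    patched = make_zip({"org/apache/struts2/X.class": b""})
    return make_zip({
        "WEB-INF/lib/struts2-core-2.3.31.jar": old,
        "WEB-INF/lib/vendor-web.jar": renamed,
        "WEB-INF/lib/struts2-core-2.5.10.1.jar": patched,
        "WEB-INF/lib/commons-io-2.5.jar": make_zip({"readme.txt": "x"}),
    })


def demo():
    return scan_archive(build_sample_war(), "dispute.war")


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, version, vuln in results:
        print(f"{'VULNERABLE' if vuln else 'ok        '} {version:10} {path}")
```

On the constructed sample the renamed `vendor-web.jar` is still reported as Struts 2.5.10 because the Maven metadata is read, which is exactly the case a file-name-only scan misses. A shaded or repackaged build that strips `META-INF/maven` would still evade this check, so a runtime check (for example, the `Struts2` version in the application's startup log or the classpath of the running JVM) is a useful second signal.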
Attackers apparently found the vulnerability still unpatched in May on Equifax's consumer dispute website, the portal consumers use to dispute items on their credit reports. The company believes that sensitive information was first accessed by the attackers on May 13. Equifax's security team didn't notice anything suspicious until July 29, which triggered a long-overdue investigation.
Smith is taking responsibility for the mess. “As CEO I was ultimately responsible for what happened on my watch,” he wrote. “The company failed to prevent sensitive information from falling into the hands of wrongdoers.”
Smith says he was first told about the hack on July 31 during a conversation with Equifax's chief information officer. The timing of when executives learned about the breach is also under investigation, since several of them sold nearly a million dollars' worth of stock on August 1 and 2, just days later. (August 2 is also the day that Equifax hired the cybersecurity forensics firm Mandiant and contacted the Federal Bureau of Investigation to report the hack.)
Mandiant’s investigation revealed that a significant amount of personal information had been accessed, and the results of its investigation were shared internally on August 17. Equifax still didn’t understand the full scale of the breach, Smith said. “A substantial complication was that the information stolen from Equifax had been stored in various data tables, so tracing the records back to individual consumers, given the volume of records involved, was extremely time consuming and difficult,” he wrote.
Equifax finally announced the hack to the public on September 7—and its announcement has been as thoroughly criticized as its failure to patch the Struts vulnerability. An Equifax site designed to help consumers sign up for credit monitoring didn't work for days after the hack was announced, and it included a mandatory arbitration clause that was later removed. Call centers set up to help consumers suffered interminable wait times. At one point, Equifax's social media team directed affected consumers to a lookalike domain that a security researcher had set up to demonstrate how easy it would be to phish Equifax customers.
Smith defended Equifax’s remediation efforts. “The task was massive—Equifax was preparing to explain and offer services to every American consumer,” he wrote. He said that several Florida call centers were shuttered by Hurricane Irma, throwing an unexpected wrench in the response effort.
Ultimately, Smith said only 7.5 million activation emails for credit monitoring had been sent as of late September—that’s only about 5 percent of affected consumers.
So what’s next? Smith, like prominent cybersecurity experts before him, says it’s time for Americans to stop using Social Security numbers as a method of authentication and identity—particularly now that Equifax has allowed so many Social Security numbers to be stolen. “We should consider the creation of a public-private partnership to begin a dialogue on replacing the Social Security Number as the touchstone for identity verification in this country. It is time to have identity verification procedures that match the technological age in which we live,” Smith said.