Rueters reported that former Equifax CEO Richard Smith (who retired suddenly last week) provided written testimony that “Equifax was alerted to the breach by the U.S. Homeland Security Department on March 9,…, but it was not patched.” The October 2, 2017 report entitled “Equifax failed to patch security vulnerability in March: former CEO” included these comments about the testimony provided to the Energy and Commerce Committee:
On March 15, Equifax’s information security department ran scans that should have identified any systems that were vulnerable to the software issue but did not, the testimony said.
As a result, “the vulnerability remained in an Equifax web application much longer than it should have,” Smith said. “It was this unpatched vulnerability that allowed hackers to access personal identifying information.”
In his testimony, Smith said it appears the first date hackers accessed sensitive information may have been on May 13. He said “between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information.”
Smith said security personnel noticed suspicious activity on July 29 and disabled the web application on July 30, ending the hacking. He said he was alerted the following day, but was not aware of the scope of the stolen data.
On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.
We will likely continue to see bad news in the aftermath of Equifax’s confession of exposing more than 143 million individuals personal data.