Equifax warned about vulnerability, didn't patch it: ex-CEO

The first congressional hearing on the massive hack at credit agency Equifax is set for this week
The first congressional hearing on the massive hack at credit agency Equifax is set for this week

The security team at Equifax failed to patch a vulnerability in March after getting a warning about the flaw, opening up the credit agency to a breach affecting 143 million people, the former chief executive said Monday.

Former CEO Richard Smith, in a statement to a congressional committee released Monday, offered a timeline of the which is believed to be the worst in terms of damaging information leaked—including and other .

Smith said in prepared remarks to a House panel that the company on March 9 disseminated an internal memo warning about a software flaw identified by the government's Computer Emergency Response Team (CERT).

He added that Equifax policy would have required a patch to be applied within 48 hours and that this was not done—but he could not explain why.

Equifax's information security department ran scans that should have identified any systems that were vulnerable but failed to identify any flaws in the software known as Apache Struts.

"I understand that Equifax's investigation into these issues is ongoing," he said in the statement.

"The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information."

Smith said he was notified of the breach on July 31, but was not aware "of the scope of this attack." He informed the company's lead director three weeks later, on August 22, and board meetings were held on the matter August 24 and 25.

Equifax, one of three major agencies which gathers data used in credit ratings for banks, has come under fire for waiting until September 7 to publicly disclose the breach, and investigators are looking into stock sales by two senior executives in August.

Smith stepped down last week amid the investigation, while indicating he would remain in a consulting capacity during the investigation, which includes a congressional hearing Tuesday.

Smith offered a fresh apology for the attack, saying in his statement: "As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans' private data and we let them down.


Explore further

Former Equifax chairman apologizes for data breach

© 2017 AFP

Citation: Equifax warned about vulnerability, didn't patch it: ex-CEO (2017, October 2) retrieved 20 June 2019 from https://phys.org/news/2017-10-equifax-vulnerability-didnt-patch-ex-ceo.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.
10 shares

Feedback to editors

User comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more