
Equifax ex-CEO: Here's what went wrong

"Both human error and technology failures" to blame for massive data breach, Richard Smith will tell Congress Tuesday.

Laura Hautala Former Senior Writer
[Image: James Martin/CNET]

So, how did hackers get their hands on the personal information of more than 143 million people?

That's what Richard Smith, the former CEO of Equifax, is set to explain before the House Energy and Commerce Committee Tuesday. In prepared remarks released Monday, he gave his take on what happened.

The investigation is ongoing, Smith's prepared remarks say, "but it appears that the breach occurred because of both human error and technology failures."

The remarks will launch the first of four hearings this week in the US Capitol investigating what happened in the massive breach of consumer information at one of the country's three major credit reporting agencies. Smith, who resigned last week, will have a lot to answer for, and consumer advocates will be seeking answers to what went wrong both before and after the breach. 

The company's Sept. 7 announcement of the breach sparked outrage at the theft of information that criminals could use to commit massive identity theft. Anger continued as consumers found the company's call centers bogged down with long wait times and an Equifax website dedicated to sharing information about the breach that asked consumers to waive their right to join a class action against the company.

What's more, the tool for checking whether you were affected by the breach proved unreliable.

Failed processes

As Smith described it, the company had processes in place to patch software bugs and catch hackers, but those processes failed in the run-up to the data breach. On March 9, the company's IT team was informed of a vulnerability affecting the Apache Struts software it used on its dispute resolution portal, with instructions to patch it within 48 hours. That didn't happen. Hackers breached Equifax's systems through that vulnerability on May 13, but the company didn't detect them on the system until July 29.

Smith's remarks will begin with an apology. Equifax didn't live up to its responsibility to protect personal information on millions of people, Smith's statement reads. 

"As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans' private data and we let them down. To each and every person affected by this breach, I am deeply sorry that this occurred."

Later in the statement, Smith noted that Equifax's rollout of extra customer service when it went public with the data breach wasn't adequate. "That challenge proved overwhelming, and, regrettably, mistakes were made." 

In particular, the customer service call centers were understaffed, leading to long wait times. What's more, the terms of service for the online tool meant to let consumers find out whether they were affected contained a mandatory arbitration clause that could have blocked them from joining class actions against Equifax, which Smith said was unintentional.

Smith's testimony begins Tuesday at 10 a.m. Eastern.
