Equifax ex-CEO blames breach on one person and a bad scanner

Richard Smith, who stepped down last week, draws fierce criticism from Congress after Equifax's massive breach.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
Former Equifax CEO Richard Smith testifies before Congress on October 3, 2017.

Equifax was responsible for losing data from 145.5 million Americans through a massive data breach. Former CEO Richard Smith testified to Congress on Tuesday.

Chip Somodevilla / Getty Images
Watch this: Former Equifax CEO apologizes to Congress, blames hack on human error

Equifax's former CEO is blaming many of the company's mistakes on a single person, and it's not himself.

Richard Smith, who was Equifax's CEO for 12 years before stepping down on Sept. 26, on Tuesday faced questions from the House Committee on Energy and Commerce, and it wasn't pretty. Congress members slammed the former leader for the company's high-profile failure. 

"Equifax deserves to be shamed in this hearing," Rep. Jan Schakowsky, a Democrat from Illinois, said in her opening statement. 

On Sept. 7, Equifax announced had it suffered a massive breach in which cybercriminals got access to the Social Security numbers, names, birthdates and addresses of 145.5 million Americans, or nearly half the US population. The company has since been in the glare of public scrutiny not only for the hack itself, but also for the glitches and multiple mistakes that came in the revelation's wake. 

It was one of the largest hacks in US history, though still dwarfed by Yahoo's loss of data from 1 billion accounts, revealed last year. The incidents are yet more red flags signaling how much of our personal information is in the hands of big businesses, and how vulnerable it is.

During the hearing, Smith gave an inside perspective on how Equifax lost all that data. He opened with an apology, taking responsibility for the breach and the botched response. 

The door was opened for the breach earlier this year. Equifax had learned in March about a weak spot in the Apache Struts software in a key computer system, but never patched it. Smith said Equifax did everything it was supposed to, but still failed to protect its data.

In his testimony, Smith laid the blame on a faulty scanner for not flagging the vulnerability on March 15 and on a single Equifax staffer responsible for mishandling patches on March 9. He did not name the person.

"Both human deployment and the scanning did not work. But the protocol was followed," Smith said. 

Equifax did not respond to a request for comment on whether the person still works at the company. 

The company, which has 9,900 employees, only had one person in charge of its patching process, Smith said.

"The reason why the technology did not locate the vulnerability is still under investigation by outside counsel," he said. 

But breaches are almost never a single person's fault, said Nate Fick, CEO at security firm Endgame. Often times, it's a lack of accountability and poor security culture building up to the attack, not one person's mistake. 

"CEOs are accountable for the actions of the whole company -- and it's not OK to place the blame on any one employee," Fick said.

The former Equifax CEO revealed that the company's security protocols experienced several miscommunications tied to the incident. After Smith first learned about the hack in July, he never asked if any personal data had been stolen. He was also not aware of the vulnerability until after the hack happened. 

Smith told Congress he couldn't remember how many times he had spoken with Equifax's security team between the patch notification and the day the company learned it was hacked.

The House committee members also criticized Equifax for its actions after the hack was made public.

"Talk about ham-handed responses," said Rep. Greg Walden, a Republican from Oregon.  "This is simply unacceptable."

Equifax will be offering a free mobile app as of Jan. 31, 2018, that will let people manage their credit data, but Congress members said it's not enough. 

Rep. Ben Lujan, a Democrat from New Mexico, asked if Equifax would be compensating the victims hurt by the breach. Smith said the company was already offering free tools, but declined to comment further. 

"It is hard for me to tell if someone has been harmed, so I can't answer the question," Smith said. 

Rep. Jerry McNerney, a Democrat from California, asked how long Americans will be affected by the breach, since a Social Security number usually sticks with a person for life. Smith did not answer the question and instead talked about how there's been a rise in stolen Social Security numbers.

The breach will likely have a long-lasting impact, according to Michael Marriott, a research analyst at Digital Shadows, a cybercrime monitoring company. Thieves can use Social Security numbers in several ways, including tax return fraud and credit card fraud.

"The data may remain in the hands of one actor, but it is still a possibility that the data will be resold and commoditized," Marriott said.

Smith spent a large portion of his testimony talking up the free tools Equifax is now offering and encouraging the affected people to use them. Rep. Paul Tonko, a Democrat from New York, relayed a question from one of the people affected by the breach.

"Why are you using this gross misconduct to turn your victims into customers for a paid monitoring service that you will profit from?" Tonko asked. 

Several House committee members suggested federal laws to regulate credit monitoring companies like Equifax. Walden bluntly noted that it would be difficult to stop cyberattacks from human errors like the one Equifax suffered.

"I don't think we can pass a law that fixes stupid," Walden said.

Originally published Oct. 3 at 9:32 a.m. PT.
Update, 1:00 p.m. PT: Added analysis from experts on Smith's testimony.
Update,  10:07 a.m. PT: Added details after the hearing ended.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

iHate: CNET looks at how intolerance is taking over the internet.