In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax’s recently departed CEO is blaming it all on a single person who failed to deploy a patch.
Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.
Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.
Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.
However, Smith had an interesting explainer for how this easy fix slipped by 225 people’s notice — one person didn’t do their job.
“The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” Smith, who did not name this individual, told the committee.
The notion that just one person didn’t do their job and led to the biggest breach in history is quite an amazing claim and shows a fundamental lack of good security practices. But that’s what Smith says led to this disaster.
According to Smith’s written testimony, Equifax sent out an internal email on March 9th to deploy the Apache Struts update within 48 hours. However, Smith said, the system failed to identify any vulnerabilities. A few days later, the IT department also ran scans but failed to recognize the vulnerability. Then it was apparently all up to one person to communicate that there was a patch available for a discovered vulnerability.
Hackers quickly recognized the vulnerability, even though a team of 225 cybersecurity experts at one of the largest credit reporting agencies failed to do so. They started accessing the sensitive information on March 13th and continued to do so over a period of months.
Equifax is still investigating the details of what happened and Smith said providing consumers with adequate information in the aftermath was “challenging.”
Equifax has been raked over the coals for offering up a separate website to tell consumers, seemingly at random, whether they'd been affected by the hack. The site not only proved unhelpful and confusing, it then directed many to sign up for Equifax's credit monitoring product TrustID. Language in the Terms of Service attached to TrustID prevented those who signed up from suing the company. Equifax has since sent out a statement retracting that language and saying consumers could sue, which they have started to do.
Smith stepped down as CEO last week, shortly after the company's chief security officer and chief information officer also exited the company. New York has also issued a subpoena regarding the massive breach, and the city of San Francisco has filed a lawsuit against Equifax on behalf of the 15 million Californians affected by the hack.
Something else proved problematic for Smith before the committee: the sale of $1.8 million in stock by three top individuals within the company on August 1 and 2, within the period in which they would have known about the hack.
“I’ve known these individuals for up to 12 years. They’re men of integrity. I have no indication that they had any knowledge of the breach when they made this sale,” Smith said, pointing out it wasn’t unusual for individuals to sell within the quarterly earnings window.
There are still more hearings to come — tomorrow company execs will speak with the Senate Banking committee, and on Thursday they’ll meet with the House Financial Services committee. But if today is any indication, there are still more chances for blame to go around.