Equifax warned about vulnerability, didn't patch it: ex-CEO

  
The first congressional hearing on the massive hack at credit agency Equifax is set for this week
The first congressional hearing on the massive hack at credit agency Equifax is set for this week

The security team at Equifax failed to patch a vulnerability in March after getting a warning about the flaw, opening up the credit agency to a breach affecting 143 million people, the former chief executive said Monday.

Former CEO Richard Smith, in a statement to a congressional committee released Monday, offered a timeline of the cyber attack which is believed to be the worst in terms of damaging information leaked—including social security numbers and other sensitive data.

Smith said in prepared remarks to a House panel that the company on March 9 disseminated an internal memo warning about a software flaw identified by the government's Computer Emergency Response Team (CERT).

He added that Equifax policy would have required a patch to be applied within 48 hours and that this was not done—but he could not explain why.

Equifax's information security department ran scans that should have identified any systems that were vulnerable but failed to identify any flaws in the software known as Apache Struts.

"I understand that Equifax's investigation into these issues is ongoing," he said in the statement.

"The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information."

Smith said he was notified of the breach on July 31, but was not aware "of the scope of this attack." He informed the company's lead director three weeks later, on August 22, and board meetings were held on the matter August 24 and 25.

Equifax, one of three major agencies which gathers data used in credit ratings for banks, has come under fire for waiting until September 7 to publicly disclose the breach, and investigators are looking into stock sales by two senior executives in August.

Smith stepped down last week amid the investigation, while indicating he would remain in a consulting capacity during the investigation, which includes a congressional hearing Tuesday.

Smith offered a fresh apology for the attack, saying in his statement: "As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans' private data and we let them down.

Explore further: Former Equifax chairman apologizes for data breach