Equifax Data Breach Blamed on One Employee
During his testimony before the House Energy and Commerce Committee, former Equifax CEO Richard Smith said the recent breach was caused by the error of a single employee who failed to install a security patch.
Hackers were able to access Equifax’s system through a vulnerability in the company’s Apache Struts software, but a patch for that particular weakness had been available for months before the breach.
In a written statement, Smith said an email was sent on March 9 that asked employees to deploy the Apache Struts patch within 48 hours, but the system did not recognize this had not happened. The IT department ran scans during that time period as well, but did not see that the patch had not been installed. Cybercriminals took advantage of the vulnerability and began hacking the system on March 13.
Smith, who apologized to the committee and the American people, said he had tried to improve Equifax’s security during his 12 years with the company. He said that when he took over, there was no one in cybersecurity, and that since then the company has spent $1 billion on cybersecurity and now has a 225-person team. However, he said money and staff could not prevent one person from making a mistake.
“The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” Smith told the committee. He did not name the responsible party.
The committee seemed angered by Smith’s responses, and members said they could not understand how such a massive company could make such a simple error when sensitive information, including names, Social Security numbers, addresses and more, was at risk.
“How does this happen when so much is at stake?” asked Representative Greg Walden, Republican of Oregon. “I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid.”
Since the incident, Smith has stepped down as CEO.
Recently, several media outlets have reported that the breach affected 2.5 million more people than originally reported. Initially, Equifax said 143 million Americans had been affected, but that number is now closer to 146 million.