CEO resigned over identity theft scandal, then threw a worker under the bus
The former CEO of Equifax, a credit-scoring company that recently suffered a breach exposing the personal information of as many as 145 million Americans, said a single IT technician was at fault for the data breach.
Speaking before the House Energy and Commerce Committee, former chief executive Richard Smith said: "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not."
The breach exploited a vulnerability in the Apache Struts web framework, Smith said, which the software's maintainers had already addressed by releasing a patch. The IT technician, whom he identified in the hearing, failed to install that patch, Engadget reported.
Smith, who resigned last week, said the normal procedure for a new patch was for a technician to install it and then scan the system for remaining vulnerabilities. Neither step was done.
As a result, hackers got their hands on names, Social Security numbers, birth dates, addresses, some driver's license numbers, and about 209,000 credit card numbers, Wired reported.
Moreover, 182,000 “dispute documents” – complaint submissions that include personal identifying data – were also compromised.
According to Engadget, the Department of Homeland Security's Computer Emergency Readiness Team (CERT) sent Equifax a notice on 8 March about the vulnerability in certain versions of Apache Struts.
Equifax sent out an internal mass-email, which should have required its internal IT team to fix the vulnerability within 48 hours.
The fix was never applied, and an automated scan a week later failed to flag that the Struts version Equifax was running was still vulnerable.
According to Equifax, the hacker who exploited the weakness likely carried out the attack between May 13 and July 30. What tipped the company off to the breach was suspicious traffic in and out of its system on July 29.
Lawmakers at the hearing were not appeased by Smith’s explanations.
"You can't change your Social Security number and I can't change my mother's maiden name," Rep. Debbie Dingell (D-Mich.) said in the hearing, according to The Los Angeles Times. "This data is out there forever."
"How does this happen when so much is at stake?" Rep. Greg Walden (R-Ore.) asked Smith. "I don't think we can pass a law that fixes stupid."