WASHINGTON — The former chairman and CEO of Equifax says the company was entrusted with the personal information of millions of Americans and ‘‘we let them down’’ as human error and technology failures allowed a massive data breach.
The company said Monday that 2.5 million more Americans may have been affected by the breach, bringing the total to 145.5 million.
In prepared congressional testimony, Richard F. Smith said the millions are not just numbers in a database, but friends, relatives, neighbors, and members of his church. The revelation last month of the disastrous hack to Equifax’s computer system rocked the company, which now faces several state and federal inquiries and several class-action lawsuits.
‘‘To each and every person affected by this breach, I am deeply sorry that this occurred,’’ Smith said. ‘‘Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize. The company failed to prevent sensitive information from falling into the hands of wrongdoers.’’
Smith, who resigned after overseeing the company for a dozen years, said Equifax was hacked by a yet-unknown entity. He said the information stolen included names, Social Security numbers, birth dates, and addresses. In addition, the credit card information for about 209,000 consumers was stolen as well as certain documents with personally identifying information for approximately 182,000 consumers.
Lawmakers are expected to question Smith on how the company allowed the breach to occur, why it took as long as it did to notify consumers, and what it’s doing to help consumers protect themselves going forward.
Smith said the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software used by Equifax and other businesses. The company disseminated that warning by e-mail the next day and requested that applicable personnel install the upgrade. Company policy requires the upgrade to occur within 48 hours, but Smith said that did not occur. Equifax’s information security department also ran scans on March 15 that did not pick up the vulnerability.
‘‘I understand that Equifax’s investigation into these issues is ongoing,’’ Smith said in the prepared remarks. ‘‘The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information.’’
Smith said it appears the hackers first accessed sensitive information on May 13. Between May 13 and July 30, there is evidence to suggest the attackers continued to access sensitive information, but it wasn’t until July 29 that Equifax’s security department observed suspicious network traffic. Smith said the hack was over the next day, but the hard work of figuring out the impact was just beginning.
Smith said he was told of suspicious activity on July 31. He provided a timeline of events that included a senior leadership meeting on Aug. 17 at which he learned the forensic investigation had determined that large volumes of consumer data had been compromised. He said the lead member of the company’s board of directors was notified on Aug. 22, and the full board two days later. He convened a board meeting to discuss the breach on Sept. 1.
Meanwhile, the company worked on a support package for consumers and then notified the public on Sept. 7.
Smith said he was disappointed in the rollout of call centers and a website designed to help people affected by the breach. He said the company has increased its number of customer service representatives and the website has been improved.
‘‘Still, the rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many,’’ Smith said in the prepared testimony.