Equifax Reveals 2.5 Million More Affected by Breach, Totaling 145.5M

Posted October 06, 2017

Smith expressed disappointment that Equifax was now part of a long list of companies and government agencies that have suffered major hacks by cybercriminals. The House Energy and Commerce subcommittee holding the hearing posted Smith's advance written testimony Monday.

Former chief executive Richard Smith is slated to testify in front of four congressional committees this week, and frustrated lawmakers are expected to grill him on the company's cybersecurity practices, its immediate response to the hack and reports of insider trading.

Smith said the breach was the result of both "human error and technology failures", and confirmed the hackers gained unauthorized access to the company's servers by exploiting a vulnerability in the popular web application framework Apache Struts.

"Consistent with Equifax's patching policy, the Equifax security department required that patching occur within a 48-hour time period", Smith stated.

For some reason, Equifax's security team failed to find the version of Struts that attackers exploited. It was "overwhelming", Smith says in the testimony, "and, regrettably, mistakes were made".
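The failure described above is a software-inventory problem: a patching policy is only as good as the organisation's ability to find every deployed copy of the vulnerable component. The following is an added illustration, not Equifax's tooling or anything from the article, of how a defender can inventory Struts jars across a deployment tree by reading each jar's manifest rather than trusting file names, and flag any copy older than a patched baseline. The sample deployment tree, the jar names and the baseline version are constructed placeholders; the real fixed version must be taken from the vendor advisory.

```python
import os
import re
import tempfile
import zipfile

# Placeholder baseline for illustration only; take the real fixed version from the vendor advisory.
MIN_PATCHED_VERSION = "2.3.32"

# Matches conventionally named core jars such as struts2-core-2.3.31.jar
FILENAME_RE = re.compile(r"^struts2?-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def read_manifest(jar_path):
    """Return the main-section headers of META-INF/MANIFEST.MF as a dict (empty if absent)."""
    headers = {}
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return headers
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in text.splitlines():
        # Continuation lines start with a space; only top-level headers are of interest here.
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    return headers


def identify_struts(jar_path):
    """Return the Struts version carried by a jar, or None if it is not a Struts core jar.
    The manifest is checked first because a renamed or repackaged jar defeats filename matching."""
    headers = read_manifest(jar_path)
    title = headers.get("Implementation-Title", "") + " " + headers.get("Bundle-SymbolicName", "")
    if "struts" in title.lower() and "Implementation-Version" in headers:
        return headers["Implementation-Version"]
    match = FILENAME_RE.match(os.path.basename(jar_path))
    return match.group(1) if match else None


def inventory_struts(root):
    """Walk a deployment tree and list every Struts core jar with its version."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if name.endswith(".jar") and zipfile.is_zipfile(path):
                version = identify_struts(path)
                if version:
                    found.append((os.path.relpath(path, root), version))
    return found


def below_baseline(inventory, min_patched=MIN_PATCHED_VERSION):
    """Filter the inventory down to jars older than the patched baseline."""
    floor = parse_version(min_patched)
    return [(path, v) for path, v in inventory if parse_version(v) < floor]


def make_sample_tree():
    """Constructed sample deployment: two conventionally named jars, one renamed copy, one unrelated jar."""
    root = tempfile.mkdtemp(prefix="struts-inventory-")
    specs = [
        ("app1/WEB-INF/lib/struts2-core-2.3.31.jar", "Struts 2 Core", "2.3.31"),
        ("app2/WEB-INF/lib/struts2-core-2.3.32.jar", "Struts 2 Core", "2.3.32"),
        ("legacy/lib/framework-bundle.jar", "Struts 2 Core", "2.3.31"),  # renamed copy
        ("legacy/lib/commons-lang3-3.5.jar", "Commons Lang", "3.5"),     # unrelated jar
    ]
    for rel, title, version in specs:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        manifest = (f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
                    f"Implementation-Version: {version}\r\n")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for path, version in below_baseline(inventory_struts(root)):
        print(f"UNPATCHED {version:>8}  {path}")
```

The renamed `framework-bundle.jar` in the constructed tree is the case that matters: a scan keyed on file names alone reports two Struts jars and misses the third, while the manifest-based check catches all three and flags the two below the baseline.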

The estimate of the breach's impact was revised upward based on investigations by cyber security firm Mandiant, but Equifax said forensic investigators have not found any evidence of new or additional hacking activity or unauthorised access to new databases or tables. The feature on the website that USA consumers may use to determine whether they may have been impacted will be updated to reflect the additional potentially impacted US consumers discussed in this release by no later than October 8.

The company has also said that 182,000 USA individuals' personal details were exposed via breached credit dispute documents. Smith began notifying Equifax's board of directors on August 22, and convened a board meeting to discuss the scale of the breach on September 1.

Virginia Attorney General Mark Herring is among attorneys general from around the nation, including D.C. and Maryland, who have told Equifax in a letter that it should reimburse fees charged to consumers freezing their credit elsewhere.

The company's investigation into its United Kingdom customers is also complete, but Equifax is still in the process of analyzing how many Britons were affected. He said the company's lifetime lock program should become the industry standard.

Smith goes on to run down a series of events that eventually led to the breach, telling the panel what the "key facts" were as he understood them.

Democrats favour legislation that they say would establish strong data security standards and prompt notification and relief for consumers when their information is hacked. That action included retaining a third-party cybersecurity group to investigate the breach and contacting the Federal Bureau of Investigation.

"I want to apologise again to all impacted consumers", Barros said.

The company will collaborate with its internal team and outside experts to implement long-term security improvements.

Smith also published remarks for Congress in which he called on the USA to adopt new standards for customer credit data, saying consumers should have sole control over access to their credit data. The link-spam schemes appeared to be created to elevate scammers' content in search results, and raise further questions about Equifax's information security acumen (see Scammers Hosted Files on Equifax's Australian Website).