Equifax's former CEO blamed human error, a security scan glitch and failure to encrypt sensitive data for the breach, but U.S. representatives were not appeased. Credit: REUTERS/Kevin Lamarque On Monday, Equifax admitted that an additional 2.5 million Americans may have been affected by the breach reported in September. On Tuesday, Equifax’s former CEO Richard Smith testified about that breach that resulted in 145.5 million Americans having their personal information accessed or stolen.Smith may be “sorry,” but that simply doesn’t cut it — especially in light of some of the tidbits that came from Smith’s testimony at Tuesday’s Congressional hearing.For starters, the timeline for when Smith knew about the hack is bizarre. At that time, he was CEO of Equifax, but he claimed he wasn’t told about the “suspicious activity” — which was first discovered on July 29 — until July 31. On Aug. 2, he hired cybersecurity experts to investigate. Smith couldn’t be bothered to even check in on the investigation for nearly two weeks. He finally asked for a briefing about the suspicious activity on Aug. 15, but he didn’t receive it until Aug. 17. Smith claimed it didn’t cross his mind to ask if personally identifiable information (PII) was affected.That is beyond belief, considering Equifax stored Americans’ sensitive information in plaintext. In fact, the company holding all our information — even though we never asked it to — can only be bothered to encrypt “some” data. The timeline of discovery means the sale of $1.8 million in stock by three people in the company on Aug. 1 and 2 was within the time period that they would have known about the hack. Yet Smith claimed they are “men of integrity” that he has known for a dozen years.“I have no indication that they had any knowledge of the breach when they made this sale,” he said. The big fat finger of blame for the hack was eventually pointed at human error, all boiling down to one person who didn’t do their job. Apache went public about the vulnerability in the Apache Struts platform and made the patch available on March 6. According to Smith’s written testimony (pdf), US-CERT notified Equifax about patching Apache Struts in its online dispute portal on March 8. Equifax security policy meant the vulnerability was to be patched within 48 hours.Despite 225 people working in the security department, the flaw did not get patched. Smith blamed it on “human error” — the person responsible for communicating that the hole needed patched did not do so.Out of 225 security professionals, someone surely reads the news and knew about Apache Struts issue! Maybe someone did because on March 15, Equifax’s security department ran scans that should have identified the bug but did not. It is unknown why technology glitched and failed to do its job — maybe it was channeling the lax security mindset of its masters?“It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,” U.S. Rep. Greg Walden (R-Ore.), the committee’s chairman, told Smith. “How does this happen when so much is at stake?” Walden asked before adding:“I don’t think we can pass a law that fixes stupid.”IRS awarded $7.25 million fraud prevention contract to Equifax!Speaking of stupid, the IRS handed over $7.25 million in taxpayer money to Equifax for the purpose of verifying taxpayers’ identities. The money was awarded for a fraud prevention contract posted to the Federal Business Opportunities database on Sept. 30. The IRS did not bother to take bids from multiple companies because the contract was a “sole source order,” meaning the IRS regarded Equifax as the only company capable of doing the job. Equifax is “to verify taxpayer identity and to assist in ongoing identity verification” for the IRS.The IRS defended its decision, saying IRS data was not involved in the Equifax breach even though the agency already provides similar services for the IRS under a previous contract. It is a “critical service that cannot lapse,” the IRS said.Senate Finance Chairman Orrin Hatch told Politico, “In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed.”Read also: Equifax says website vulnerability exposed 143 million US consumersHow to protect your email account from Equifax hackers in 5 minutesWhat business can learn from the Equifax data breachEquifax: A teaching opportunity Related content news Dow Jones watchlist of high-risk businesses, people found on unsecured database A Dow Jones watchlist of 2.4 million at-risk businesses, politicians, and individuals was left unprotected on public cloud server. By Ms. Smith Feb 28, 2019 4 mins Data Breach Hacking Security news Ransomware attacks hit Florida ISP, Australian cardiology group Ransomware attacks might be on the decline, but that doesn't mean we don't have new victims. A Florida ISP and an Australian cardiology group were hit recently. By Ms. Smith Feb 27, 2019 4 mins Ransomware Security news Bare-metal cloud servers vulnerable to Cloudborne flaw Researchers warn that firmware backdoors planted on bare-metal cloud servers could later be exploited to brick a different customer’s server, to steal their data, or for ransomware attacks. By Ms. Smith Feb 26, 2019 3 mins Cloud Computing Security news Meet the man-in-the-room attack: Hackers can invisibly eavesdrop on Bigscreen VR users Flaws in Bigscreen could allow 'invisible Peeping Tom' hackers to eavesdrop on Bigscreen VR users, to discreetly deliver malware payloads, to completely control victims' computers and even to start a worm infection spreading through VR By Ms. Smith Feb 21, 2019 4 mins Hacking Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe