As Former CEO Testifies, Equifax Reveals More Breach Victims

Equifax yesterday disclosed that data of an additional 2.5 million Americans was implicated in its recent data breach, bringing the total number of U.S. consumers affected to 145.5 million. The disclosure came as former Equifax Chairman and CEO Rick Smith prepared to testify before the House Energy and Commerce Committee today — the first of three appearances before congressional committees this week.

Smith, who is serving as an unpaid adviser to Equifax during the post-breach process, outlined the circumstances around the breach. “This attack was made possible by a combination of human error and technological error,” he said. In March, Equifax’s IT department failed to patch a software vulnerability in its online disputes portal identified by the Department of Homeland Security. This vulnerability was the portal through which hackers accessed Equifax’s data starting in May, Smith said.

Apologizing for the breach, Smith told the committee that Equifax personnel noticed suspicious network traffic on July 29 and took down the vulnerable application the next day, after which Equifax began assessing the extent of data compromised before the breach was publicly announced on Sept. 7.

Smith also discussed the new “credit lock” product his successor announced last week in a Wall Street Journal op-ed. Starting in January 2018, Equifax will offer a free app that allows consumers to “lock” or “unlock” their credit files at the bureau at will for life. The service is distinct from a security freeze, but “as far as protection to the consumer, it is” the same, Smith said. He added that the locking and unlocking process would take place “instantly.”