×

Equifax's then-CEO waited three weeks to inform board of massive data breach, testimony says

  • Equifax said Sept. 7 that a major data breach affected the personal information of as many as 143 million people.
  • After learning about the incident, company security experts and outside advisors worked "around the clock" to identify the scale of what happened.

Equifax's former chief executive waited nearly three weeks to tell the company's board of directors about the now infamous data breach, as a group of company and outside security experts scrambled to figure out what had happened, according to written testimony prepared for his visit to Capitol Hill on Tuesday.

Richard Smith, Equifax's former CEO who abruptly retired last week, learned about the hack on July 31 and hired outside legal and investigative experts and contacted federal law enforcement the same week. But he didn't inform the company's board for another 20 days.

In the meantime, King & Spalding, a law firm, and Mandiant, a cybersecurity forensic consulting firm, investigated what happened. Mandiant and Equifax worked "literally around the clock" to identify and understand unauthorized activity on its network and the scale of the hack, including whether personal information was taken.

The company also contacted the FBI on Aug. 2, he says, and the agency has an ongoing investigation.

Smith's prepared remarks were released Monday in advance of his appearance before the House Energy and Commerce Committee on Tuesday. He's also scheduled to testify before the Senate Banking and the Senate Judiciary committees on Wednesday and the House Financial Services Committee on Thursday.

But the former executive has also met with the House Oversight Committee. In a letter Monday, the committee's ranking Democrat, Elijah Cummings from Maryland, urged Chairman Trey Gowdy of South Carolina to investigate Equifax's handing of the incident, especially why it waited so long to tell the public.

"Equifax conceded that the FBI never instructed or directed the company to withhold from the public information about the breach," the letter said. Rep. Cummings is also seeking all communication between Equifax and a government agency that warned companies in March about a glitch in software that needed to be fixed.

According to the testimony, on Aug. 15, Smith learned that consumer personal information had been taken in the hack, and he requested a detailed briefing. Two days later, Smith had a "senior leadership team meeting to receive the detailed briefing on the investigation." The testimony doesn't say who attended that meeting.

Smith says he notified the board's lead independent director, Mark Feidler, and executives who run Equifax's business units about the breach on Aug. 22.

The full board was told of the breach and the investigation of it on Aug. 24 and 25, according to the testimony. They began developing a plan to help affected consumers.

Smith convened a Sept. 1 board meeting to discuss the size of the breach, the ongoing investigation, and the company's public disclosure and response.

Smith's prepared remarks were released Monday in advance of his appearance before the House Energy and Commerce Committee on Tuesday. He's also scheduled to testify before the Senate Banking and the Senate Judiciary committees on Wednesday and the House Financial Services Committee on Thursday.

The timeline in Tuesday's testimony doesn't specifically say who inside the company other than Smith and the security team knew about the breach before he says he told management and the board. But among the swirl of state and federal investigations that have opened since the breach was disclosed to the public on Sept. 7 are stock sales by three company insiders — the chief financial officer and two business heads — in early August.

Unusual trading activity in Equifax options on Aug. 21, now known to be one day before Smith says he told the lead director, also has drawn scrutiny.

An Equifax spokeswoman has said the three executives weren't aware of the breach when they sold $1.8 million of stock on Aug. 1 and 2. The spokeswoman wasn't immediately available on Monday.

Equifax has been largely criticized for its handling of the response. Concerned people initially encountered a flawed website, jammed customer service phone lines and confusing information about what remedies were available. It was "overwhelming," Smith says in the testimony, "and, regrettably, mistakes were made."

Brian Krebs, who writes about cybersecurity, says Equifax's response given its one month to prepare for a public onslaught, makes the incident even worse. "It boggles my mind how they have mishandled this," he said.

It has been known that Equifax didn't fix a flaw in its software that was known to the public for months. That flaw was announced in March, when the U.S. Department of Homeland Security told Equifax and many other companies that use the software about it, but Equifax didn't utilize the fix offered by the software developer right away.

"It was this unpatched vulnerability that allowed hackers to access personal identifying information," Smith says in the written remarks.

WATCH: 2.5 million more customers may be victims of Equifax breach