It took weeks for Equifax insiders to understand the breadth and depth of the giant data breach they disclosed last month, former CEO Richard Smith told Congress on Tuesday, describing the around-the-clock investigation the company began in late July, when it first detected suspicious activity.
It wasn't immediately clear there was a breach, Smith told Congress. But eventually the company would disclose that criminals had accessed its systems and compromised the personal information of more than 145 million people.
A combination of human and technological error led to the hack, Smith said, adding he takes "full responsibility."
Smith made the remarks at a hearing of the House Energy and Commerce Committee. It is his first of four Capitol Hill stops this week as lawmakers investigate what happened and how it might have been prevented.
"The criminal hack happened on my watch," Smith said. "I am truly and deeply sorry for what happened."
Many of the questions during Tuesday's hearing concerned the timeline from the discovery of the breach July 29 to the public notification on Sept. 7. Smith said he found out about suspicious activity in a July 31 message from the company's security group. Three executives who sold shares on Aug. 1 and 2 didn't know suspicious activity had been detected at the time of those sales, he said, "to the best of my knowledge."
Even in mid-August, around the time Smith says he was briefed on an investigation into the breach by an outside security firm, they still weren't fully aware of the size and scope of the breach or what data was involved. "The picture was very fluid. We were learning new pieces of information every day," he said.
Smith abruptly retired last week, taking no severance or bonus for this year, but he remains eligible for $18.4 million in pension benefits.
Equifax is still getting information, Smith said. On Monday it increased the number of people affected to 145.5 million, which is 2.5 million more than originally estimated.
In his prepared remarks, Smith admitted the company didn't act quickly to fix a software glitch that had been widely known since the government warned companies about it in March. That problem would not be fixed until July, when Equifax first became aware of suspicious activity on its system.