Ex-Equifax CEO Richard Smith told lawmakers Monday that “both human error and technology failures” opened the way for a massive hacking incident in which thieves got away with sensitive information on more than 145 million Americans. Here’s a chronology of what happened, based on his prepared testimony before a hearing Tuesday by the House Energy and Commerce Committee. Smith stepped down and retired from Equifax on Sept. 26.
March 8: The U.S. Department of Homeland Security warns Equifax and many other users that a patch is needed on software called Apache Struts to fix security weaknesses.
March 9: Equifax forwards the U.S. warning internally to its information security team and requests a fix within 48 hours, but the patch isn’t installed.
March 15: Equifax’s security team runs software scans that should have caught the weak spot in Apache Struts. But it doesn’t spot any vulnerable versions of the software. “It was this unpatched vulnerability that allowed hackers to access personal identifying information,” Smith said.
May 13: Hackers apparently get their first batch of sensitive data. “The company was not aware of that access at the time,” Smith said. Equifax doesn’t detect the ongoing attack for another two months plus.
July 29: Equifax’s security team sees “suspicious network traffic” tied to its website where consumers dispute alleged errors in their credit profiles or other problems. The team investigates and “immediately” blocks the traffic, Smith said. The website is shut down the next day when more questionable activity appears.
July 31: Equifax’s chief information officer tells Smith about the attack, and that the website was shut down. “I certainly did not know that personal identifying information … had been stolen, or have any indication of the scope of the attack,” Smith said. (Equifax’s CIO at the time of the hack, David Webb, retired in the wake of the scandal on Sept. 15.)
Aug. 2: Equifax hires King & Spalding to “guide the investigation” into the data breach, and calls the FBI. The Atlanta law firm hires cybersecurity consultant Mandiant to investigate the hacking incident.
Aug. 11: Mandiant and Equifax determine that hackers may have gotten “a large amount of consumers” sentive data, Smith said, from a separate database in addition to the attack on the complaint portal.
Aug. 15: Smith said he is told that “it appeared likely that consumer (data) had been stolen. He said he requested “a detailed briefing to determine how the company should proceed.”
Aug. 17: Smith meets with “a senior leadership team” on the hacking investigation. By this time, the company knows “large volumes of consumer data … had been compromised,” he said. “This information was deeply concerning to me, although the team needed to continue their analysis to understand the scope and specific consumers potentially affected.” (Equifax eventually concluded the total was 145.5 million people — most adult Americans.)
Aug. 22: Smith tells Mark Feidler on the company’s board of directors of the breach, as well as the heads of Equifax’s business units. The rest of the board is told of the situation on August 24-25 in conference call meetings. The company starts drawing up “remediation” plans for consumers. (Feidler was named Equifax’s interim chairman when Smith stepped down.)
Sept. 1: The Equifax board meets to discuss the scale of the attack, remediation plans, and the risk of “exponentially more attacks” by copycat hackers, Smith said.
Sept. 4: Equifax draws up a list of 143 million potentially affected consumers — later bumped up to 145.5 million — and sets up a call center and a website for consumers to check if their data is compromised, and to sign up for help. The FBI is told about Equifax’s plans to go public with the breach.
Sept. 7: Equifax discloses the massive breach after the stock market closes.