FORMER EQUIFAX CEO Richard Smith has blamed a lone IT staffer for the data breach that exposed the social security numbers of 145.5 million Americans.
Smith, who suddenly decided to 'retire' last week, told the House Energy and Commerce Committee this week that a single IT technician was at fault for the mega-breach after they failed to patch a vulnerability in the Apache Struts Web Framework.
According to Smith's testimony, the Department of Homeland Security's Computer Emergency Readiness Team (CERT) sent Equifax a notice on 8 March about the flaw in certain versions of Apache Struts.
Equifax sent out an internal email the following day which should have required its internal IT team to fix the vulnerability within 48 hours, but that didn't happen.
Smith noted that an automatic scan for vulnerabilities, carried out on 15 March, also failed to indicate that Equifax was using a Struts version that had the vulnerability.
"We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification," Smith wrote.
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not."
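The testimony above describes two controls that both missed the vulnerable library: the internal notice that was supposed to drive a patch within 48 hours, and the automated scan that failed to recognise the vulnerable Struts version in use. The following Python script is an added example, not Equifax's tooling or anything from the committee record: it inventories Apache Struts core jar files by filename, parses their version numbers, and flags any that fall inside a version range. The range used here (`PLACEHOLDER_VULNERABLE_RANGES`) and the file paths are constructed placeholders, not the real affected versions from the advisory; a practitioner would substitute the ranges from the vendor advisory and point `walk_jars` at the real deployment root.

```python
"""Inventory Apache Struts 2 core jars and flag versions inside a given range.

Added example. The version ranges and sample paths below are constructed
placeholders, not the actual affected versions from any advisory.
"""
import os
import re
from typing import Dict, Iterable, List, Sequence, Tuple

# Matches the Struts 2 core library filename, e.g. struts2-core-2.3.20.jar
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

# PLACEHOLDER ranges (inclusive low, inclusive high). Replace with the
# ranges from the actual advisory before using this in anger.
PLACEHOLDER_VULNERABLE_RANGES: Sequence[Tuple[str, str]] = [
    ("2.3.0", "2.3.99"),
    ("2.5.0", "2.5.9"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.20' into (2, 3, 20) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def walk_jars(root: str) -> Iterable[str]:
    """Yield every .jar path under root (used for a real filesystem scan)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def find_struts_jars(paths: Iterable[str]) -> Dict[str, Tuple[int, ...]]:
    """Map each Struts core jar path to its parsed version tuple."""
    found: Dict[str, Tuple[int, ...]] = {}
    for path in paths:
        match = STRUTS_JAR.search(path)
        if match:
            found[path] = parse_version(match.group(1))
    return found


def is_vulnerable(version: Tuple[int, ...],
                  ranges: Sequence[Tuple[str, str]]) -> bool:
    """True if version lies inside any inclusive (low, high) range."""
    return any(parse_version(low) <= version <= parse_version(high)
               for low, high in ranges)


def flag_vulnerable(paths: Iterable[str],
                    ranges: Sequence[Tuple[str, str]]) -> List[str]:
    """Return the sorted list of jar paths whose version is in a flagged range."""
    jars = find_struts_jars(paths)
    return sorted(p for p, v in jars.items() if is_vulnerable(v, ranges))


# Constructed sample inventory standing in for a filesystem walk.
SAMPLE_PATHS = [
    "/opt/app/WEB-INF/lib/struts2-core-2.3.20.jar",
    "/opt/other/WEB-INF/lib/struts2-core-2.5.12.jar",
    "/opt/other/WEB-INF/lib/commons-lang-2.6.jar",
    "/opt/legacy/lib/struts2-core-2.5.3.jar",
]

if __name__ == "__main__":
    for path in flag_vulnerable(SAMPLE_PATHS, PLACEHOLDER_VULNERABLE_RANGES):
        print("FLAGGED:", path)
```

A filename-based inventory is only as good as the naming convention: a jar that has been repackaged or shaded under a different name will not match `STRUTS_JAR`, which is one way an automated scan can report a clean result on a host that is still running the vulnerable code. Cross-checking against build manifests (pom.xml, MANIFEST.MF) or the classes actually loaded by the running JVM closes that gap.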
Smith pointing the finger of blame squarely at one IT staffer didn't stop him from receiving a tongue-lashing from the committee, which was quick to slam Equifax over its security failings.
"How does this happen when so much is at stake?" Rep. Greg Walden said to Smith. "I don't think we can pass a law that fixes stupid."
Rep. Debbie Dingell added: "You can't change your Social Security number and I can't change my mother's maiden name. This data is out there forever."
Earlier this week, Equifax admitted that an additional 2.5 million Americans may have been affected by the massive data breach it disclosed last month, bringing the total up from 143 million to 145.5 million.
The company previously said that around 400,000 UK consumers may have been caught up in the breach. On Tuesday it noted that results of its forensic investigation are still being analyzed and that it's still engaged in "discussions with regulators in the United Kingdom regarding the scope of the company's consumer notifications."