Former Equifax CEO Richard Smith says he is "deeply sorry" for the security breach in which sensitive personal information of as many as 143 million Americans was compromised.
Smith, who is set to testify before a House Energy and Commerce Committee Tuesday, apologized for the cyber attack disclosed by the credit reporting company on September 8. He confirmed that the hack occurred due to "human error and technology failures," according to prepared remarks posted on the committee's website Monday.
"To each and every person affected by this breach, I am deeply sorry this occurred," said Smith, who will make his first of four appearances on Capitol Hill this week on the breach. "The company failed to prevent sensitive information from falling into the hands of wrongdoers."
The former CEO announced his retirement last week from the credit reporting company.
Related: Why the Equifax hack has small business owners worried
Equifax has come under fire for its handling of the huge cybersecurity breach. The company is one of three nationwide credit-reporting companies that track and rate the financial history of U.S. consumers, gathering data from credit card companies, banks, retailers and lenders.
In his eight-page testimony, Smith outlined the chronology of events that lead to the breach, which allowed criminals to access personal information including names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers and credit card information.
The former CEO said hackers were able to infiltrate a software weakness in an online portal that allows consumers to dispute items on their credit report. The company said Equifax and other businesses that use the software had been warned by the Department of Homeland Security on March 8 of the vulnerability.
While company protocol requires that Equifax patch up the software glitch within 48 hours, Smith said he now knows that software vulnerability was "not identified or patched."
Related: Equifax will offer free credit locks. Here's what that means for you
Even when Equifax ran its own scans to identify any weaknesses less than a week later, it too failed to identify any vulnerabilities.
"It was this unpatched vulnerability that allowed hackers to access personal identifying information," said Smith.
The first time hackers accessed sensitive information may have been on May 13, he said. Adding that the "company was not aware of the access at the time." He said the company now knows that hackers continued to access information until July 30.
Smith said he didn't learn of the suspicious activity until July 31, and was only told that personal identifying information of customers had been stolen several weeks later on August 15.
Related: Equifax data breach: What you need to know
The company notified the FBI and hired outside council and security experts on August 2. It notified Equifax board members on August 22, and had its first board meeting on the matter on September 1.
Smith also apologized for the company's botched response, which has added to the frustration of American consumers.
Rather than notifying affected customers, it set up a web site which wasn't functioning properly and angered many consumers.
The company's customer service hotline was also inadequately staffed with poorly trained representatives.
Plus, the free credit monitoring service the company was offering initially required consumers to give up their right to sue, inciting public outrage. The company later removed that clause. In his testimony, Smith claimed the clause was inadvertently "cut and pasted" into the service terms and conditions.
"The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed," said Smith. "The rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many."
Smith expressed disappointment that Equifax was now part of a long list of companies and government agencies that have suffered major hacks by cybercriminals. But he took the opportunity to call for improved standards and a dialogue to replace Social Security numbers.
"Giving consumers more control of their data is a start, but is not a full solution in a world where the threats are always evolving," said Smith.
