SARASOTA, FL (WWSB) - The personal information of more than 145 million people may have been compromised when hackers broke through Equifax's computer system. The credit reporting agency is now scrambling to break down what happened and how this could affect customers.
Former CEO Richard Smith testified before Congress last week with his version of the story.
"The criminal hack happened on my watch, and as CEO I am ultimately responsible, and I take full responsibility." Smith said.
Smith said on March 8, a cybersecurity arm of the U.S. Department of Homeland Security informed the company of a flaw in a web tool called Apache Struts. The company uses it to support its online dispute portal, where consumers go to contest information about their credit reports.
The very next day, Equifax said it sent an internal memo that a patch was available, and Smith said one specific employee failed to communicate to the IT department that the patch needed to be deployed.
"We know now this criminal attack was made possible because of a combination of human error and technological error," Smith said.
That technological error happened on March 15 when Equifax's scanning system did not pick up the vulnerability in the struts software; why that happened is still being investigated.
Those two things combined allowed hackers to gain access to the personal information of millions of customers between May 13 and July 30, including names, Social Security numbers, birth dates, addresses and some driver's license numbers.
"I'm here today to say to each and every person affected by this breach, I'm truly and deeply sorry for what happened," Smith told members of a House committee.
Smith testified that Equifax has spent $250 million over the past three years on beefing up its data security, going from no cybersecurity staff when he became CEO to a 225-member team.
But Equifax continues to face criticism for its handling of the breach and its aftermath, sending customers to a website that many said did not accurately tell them if their information was compromised.
"In the rollout of our remediation program, mistakes were made, which again, I deeply apologize," Smith said. "I regret the frustration that many Americans felt when our websites and call centers were overwhelmed in the early days."
"Every day we wake up and there's another data breach, and I don't know about you, but I'm fed up with this," said Jerry Zivic, ABC 7 Consumer Watchdog.
Zivic said he's skeptical about the free service Equifax is offering to customers starting in January of 2018.
"They're coming out with this new product where you're going to be able to unlock and lock your account at will," Zivic said. "Now who in their right mind would think that you can trust Equifax to do this? They have not demonstrated the technical savvy to do this."
So what can consumers do to protect themselves? There's one simple thing you can do today.
"On our own personal level, there's there's very little we can do," Zivic said. "But what we can do, and what we don't do, is we need to change our passwords."
Zivic also said you should file your tax return as soon as possible so that someone who may have stolen your information doesn't beat you to it. Also, do what you can to protect your credit.
"You have to do a credit freeze," Zivic said. "A lot of companies will (make you) pay every time you freeze and unfreeze your account, but if you want to protect yourself, that to me, is the only way to do that"
The Federal Trade Commission is investigating the Equifax breach as a violation of fair business practices. The Department of Justice has opened a probe into whether Equifax executives committed insider trading by selling company stock before the breach was made public.