Equifax, the credit agency behind this summer’s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.
Paulino do Rego Barros, Jr., the company’s interim CEO, announced Monday that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.
Equifax initially called its investigation around the breach “substantially complete,” but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn’t find any additional vulnerabilities. The extra 2.5 million Americans figure came “during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.”
The company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. Several weeks ago the company said that up to 100,000 Canadians may have been affected; upon closer inspection, only 8,000 Canadian consumers were affected by the breach.
Equifax says it's still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle of discussions with regulators to determine how to notify them.
Details about the breach came out the day before Richard Smith, Equifax's former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, retired last Tuesday in the wake of the breach.
In a written testimony (.PDF) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of “human error and technology failures.”
“These mistakes – made in the same chain of security systems designed with redundancies – allowed criminals to access over 140 million Americans’ data,” Smith wrote.
In the testimony Smith claimed that the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (U.S. CERT) notified Equifax on March 8 that it needed to patch CVE-2017-5638, the Apache Struts vulnerability that eventually led to the hack.
Equifax requested by email on March 9 that the "applicable personnel responsible" update Apache Struts, something that should have been done within a 48-hour period, Smith said.
That was never done, and according to Smith, the vulnerability wasn't picked up by internal scans designed to identify vulnerable systems, which were carried out on March 15. The issue lingered for roughly two months until attackers accessed Equifax's systems on May 13, and persisted until the company became aware of the attackers on July 30.
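The testimony above describes a patch notice, a 48-hour window that was missed, and a scan that did not flag the affected build. As an added example (not from the article or from Equifax's tooling), this checks a constructed inventory of Struts versions against the affected ranges for CVE-2017-5638 and reports whether the patch window from the testimony has elapsed; the host names, versions and scan logic are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Affected ranges per the Apache S2-045 advisory for CVE-2017-5638; the fix
# shipped in 2.3.32 and 2.5.10.1. Stored as padded 4-part tuples.
AFFECTED_RANGES = [
    ((2, 3, 5, 0), (2, 3, 31, 0)),
    ((2, 5, 0, 0), (2, 5, 10, 0)),
]

# Constructed inventory for the example: hostname -> struts2-core version found.
INVENTORY = {
    "web-01": "2.3.31",
    "web-02": "2.5.10.1",
    "portal-03": "2.5.10",
    "legacy-04": "2.3.4",
}

def parse_version(text):
    """Turn '2.5.10.1' into a 4-tuple of ints so that 2.5.10 < 2.5.10.1.
    A plain string comparison gets this wrong ('2.5.10' sorts before '2.5.9'),
    which is one way a version-based check can silently miss an affected build."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def is_vulnerable(version):
    """True if the Struts version lies inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def patch_overdue(notified, checked, window_hours=48):
    """True if more than the patch window has passed since the patch notice."""
    return checked - notified > timedelta(hours=window_hours)

def audit(inventory, notified, checked):
    """Hosts still on an affected version, mapped to whether the fix is overdue."""
    overdue = patch_overdue(notified, checked)
    return {h: overdue for h, v in sorted(inventory.items()) if is_vulnerable(v)}

def example_audit():
    """Dates from the testimony: patch request sent March 9, scan run March 15."""
    return audit(INVENTORY, datetime(2017, 3, 9), datetime(2017, 3, 15))

if __name__ == "__main__":
    for host, late in example_audit().items():
        print(f"{host}: affected by CVE-2017-5638, patch overdue={late}")
```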
Greg Walden (R-Ore.) pointed out some of Equifax's many missteps on Tuesday morning, including how Equifax's consumer-facing website for the breach was hosted on a separate domain from the main Equifax website, the confusion that spawned, and how on multiple occasions Equifax directed users to the wrong website.
"On top of all the other issues, multiple times Equifax tweeted the wrong URL, directing consumers to the wrong website to check if they were part of a breach," Walden said. "Talk about ham-handed responses; this is simply unacceptable, and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan."
During another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania's 18th Congressional district, came back to that question. When told the company's original site couldn't handle the traffic it received, Murphy was befuddled.
"Why wouldn't your website be able to handle this kind of traffic?" Murphy asked. "It just doesn't make sense. A company your size and with your knowledge doesn't understand how to handle traffic for over 100 million people? Don't you use an Elastic cloud computing service that would've accounted for this?"
Smith said the sheer amount of traffic Equifax's site received in the wake of the breach made hosting a site on its domain impossible.
“The environment the micro site is in is a cloud environment that’s very, very scalable,” Smith said. “Our traditional environment could not handle 400 million consumer visits for three weeks.”
Murphy also grilled Smith on why it took Equifax so long to patch the March vulnerability and whether Equifax's internal scanning system could potentially miss another vulnerability.
“If the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?” Murphy asked.
Smith skirted the question and instead discussed the difficulties associated with patching.
“Patching can take a variety of time… it can take days or up to a week or more,” Smith said, adding that he wasn’t aware of the particular Struts vulnerability at the time.
At the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California’s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.
“I want to know when they did it, when they took care of [the patch]” Eshoo said.
“They took care of it in July because we never found it,” Smith said. “We had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.”