Richard Smith, Equifax’s former CEO who abruptly resigned last week, learned about the hack on July 31 and hired outside judicial and investigative experts and reached federal law enforcement the same week. But he didn’t inform the company’s board for another 20 days.
In the meantime, King & Spalding, a law firm, and Mandiant, a cybersecurity forensic consulting firm, studied what happened. Mandiant and Equifax went “literally around the clock” to identify and recognize unauthorized activity on its network and the order of the hack, including whether private information was taken.
The company also talked to the FBI on Aug. 2, he says, and the bureau has an ongoing investigation.
Smith’s prepared comments were released Monday in progress of his appearance before the House Energy and Commerce Committee on Tuesday. He’s also registered to testify before the Senate Banking and the Senate Judiciary committees on Wednesday and the House Financial Services Committee on Thursday.
But the former executive has also met with the House Oversight Committee. In a letter, Monday, the panel ranking Democrat, Elijah Cummings of Maryland, urged Chairman Trey Gowdy of South Carolina to investigate Equifax’s handling of the incident, particularly why it waited so long to tell the public.
“Equifax conceded that the FBI never instructed or directed the business to withhold from the public information about the breach,” the letter said. Rep. Cummings is also trying to get all communication between Equifax and a government agency that warned businesses in March about a glitch in the software that required to be fixed.
According to the affidavit, on Aug. 15, Smith learned that customer personal information had been taken in the hack, and he requested a detailed briefing. Two days later, Smith had a “senior leadership team meeting to receive the detailed briefing on the investigation.” The declaration doesn’t say who attended that meeting.
Smith says he notified the board’s lead sovereign director, Mark Fiedler, and officials who run Equifax’s business units about the breach on Aug. 22.
The full board was told of the violation and the investigation of it on Aug. 24 and 25, according to the facts. They began developing a plan to help feigned consumers.
Take your time to comment on this article.