Equifax chief ‘misled Congress over mass data breach’

Former Equifax chief executive Richard Smith has been accused of misleading lawmakers and the American public by attempting to place the blame for the company’s mass data breach on one person, amid claims that Equifax simply did not have the right expertise in place.
According to Dr Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers, Equifax failed as a company when it neglected to put standard information technology asset management systems and controls in place that would have prevented the breach.
During his testimony before the Congressional House Energy & Commerce Committee, Smith – who was “retired” last week but continues to work unpaid at the firm – disclosed that the cause was a failure to apply a security patch to the Apache Struts systems that Equifax was using.
However, the Department of Homeland Security’s Computer Emergency Readiness Team had sent emails to several companies, including Equifax, notifying them of the vulnerabilities in the Apache Struts systems as far back as March 8.
While internal policy was to ensure that all systems were updated within 48 hours, Dr Rembiesa claims this clearly did not happen. She added: “Everyone, from House Committees to innocent people who had their identities stolen, are left wondering why.”
During the testimony, Smith stated that the employee responsible had been identified and that it was ‘human error’ that caused 145 million identities to be stolen. However, Dr Rembiesa argues that if Equifax had employed an IT asset manager, the breach would never have occurred in the first place.
She added: “It is due diligence on the part of an IT asset manager and their ability to use discovery tools that ensures proper versions of software are installed on organisational assets. Simply stated, it is people who run organisations through tools, not tools that run organisations through people.”
Dr Rembiesa concluded: “The excuse Smith has posed about the breach being a ‘human error’ is another way of saying that the proper people were not in place to ensure the safety and security of the data, or the people now exposed. The human error was not having an IT asset manager.”
