Equifax Inc.’s former chief executive officer said the credit-reporting company didn’t meet its responsibility to protect sensitive consumer information, confirming that the failure to fix a software vulnerability months ago led to the theft of more than 140 million Americans’ personal data.

Richard Smith apologized for the breach and outlined a chronology of key events in testimony prepared for a House Energy and Commerce Committee hearing set for Tuesday, according to a copy obtained by Bloomberg. He blamed human errors, particularly the failure to repair the problematic software despite warnings from the federal government and the company’s own security team.

“To each and every person affected by this breach, I am deeply sorry that this occurred,” Smith said. “The company failed to prevent sensitive information from falling into the hands of wrongdoers.”

Equifax has said hackers exploited a vulnerability in open source Apache software the company was using in one of its systems. The Apache Software Foundation had issued a patch for the flaw in March, two months before hackers began accessing sensitive information on Equifax’s servers on May 13.

Government Warning

Smith said officials at the Department of Homeland Security notified Equifax of a vulnerability in certain software on March 8 that needed to be patched. The next day, the company issued a notification internally requesting that the software be upgraded. Consistent with Equifax internal policies, the company’s security department required that the weakness be patched within 48 hours. But that never happened, Smith said.

“We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification,” he said. The vulnerability remained in Equifax’s systems “much longer than it should have,” Smith added, and its failure to be patched allowed hackers to access consumers’ most sensitive data.

Smith said he was first informed there was suspicious activity on July 31 in a conversation with his chief information officer, two days after Equifax’s security department saw it. He said he didn’t know that personal identifying information, like Social Security numbers, had been taken until Aug. 15.

The company contacted the FBI and hired outside counsel and security experts on Aug. 2, Smith said. He began notifying Equifax’s board of directors on Aug. 22, and convened a board meeting to discuss the scale of the breach on Sept. 1.

‘Enormous Hack’

Smith also said the company was “disappointed” with how its website and call centers were managed in the wake of the breach. In the days after the breach, consumers weren’t able to access the website the company set up to help identify who was hacked and the firm had trouble handling the massive influx of calls.

“The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed,” Smith said in the remarks. “The rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many.”
