Richard Smith, the former CEO of credit reporting firm Equifax, will testify in front of Congress Tuesday about the massive data breach that resulted in the exposure of personal information of more than 143 million Americans.

In advance of his testimony, Smith—who resigned from his position as CEO of the company last week— released a transcript of his prepared remarks, which include his account of how the breach occurred.

The ousted CEO begins his statement prepared for House Energy and Commerce Committee hearing by taking full responsibility for the breach and apologizing to the hundreds of millions of consumers affected by the incident.

“Let me say clearly: As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans’ private data and we let them down,” Smith wrote.

“To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize. The company failed to prevent sensitive information from falling into the hands of wrongdoers.”

Smith said the breach was the result of both “human error and technology failures,” and confirmed the hackers gained unauthorized access to the company’s servers by exploiting a vulnerability in the popular web application framework Apache Struts.

According to a timeline laid out by Smith, Equifax learned of the vulnerability after the U.S. Department of Homeland Security Computer Emergency Readiness Team (CERT) issued a notice about an available patch for the framework. That notification was received on March 8 and circulated inside the company on March 9.

While the company requires patches to be applied within 48 hours of availability, Equifax failed to apply the fix to Apache Struts. A scan completed by the company on March 15 did not identify any systems vulnerable to the security flaw, Smith said.

The former CEO said the hackers first gained access to Equifax’s servers on May 13 and continued to have unfettered access through the Apache Struts vulnerability until July 30, when the company’s security team noticed suspicious network traffic associated with the Equifax dispute website that consumers could use to contest issues with their credit report.

Smith said he was informed of the breach the next day, and Equifax started taking action in response to the breach on Aug. 2. That action included retaining a third-party cybersecurity group to investigate the breach and contacting the FBI.

Between the revelation that the breach occurred and the decision to inform the public on Sept. 7, Smith noted the rapid development of events related to the breach as investigators learned how much public information was exposed.

The former CEO said the company attempted to prepare best it could to accommodate users following the public acknowledgement of the breach, but noted those efforts fell well short of expectations.

“We were disappointed with the rollout of our website and call centers, which in many cases added to the frustration of American consumers,” Smith wrote.

He said the company had to build a new website from scratch to help consumers learn if they were affected and shortcuts in that process led to additional issues, including the accidental inclusion of a mandatory arbitration clause that said no consumer who took advantage of Equifax’s free credit monitoring service offered in the wake of the breach could take part in legal action against the company.

Smith said that provision was “never intended to apply in the first place” and was the result of copying and pasting the terms of services from another Equifax product and included in the offering to breach victims.

The company also set up a number of call centers to handle customer service requests but was forced to shut down its largest centers as they were located in Florida and were in the path of Hurricane Irma.

Despite the failures in the rollout after the breach, Smith said the customer support website received more than 420 million hits since its launch and more than 7.5 million activation emails were sent to consumers who registered for the free credit monitoring service provided by Equifax.

RELATED STORIES
Security Security Security Congress