Richard Smith, the former Equifax CEO who suddenly retired last week, has decided that the buck for one of the most catastrophic data breaches in history must stop with a lone IT staffer - rather than the company's freshly departed, well-remunerated former CEO.
The data breach saw the social security numbers and other personal information of 145.5 million Americans compromised, leaving most adults in the US open to identity theft.
Smith suddenly decided to 'retire' last week. He told the House Energy and Commerce Committee this week that a single IT technician was at fault for the mega-breach after they failed to patch a vulnerability in the Apache Struts Web Framework.
According to Smith's testimony, the Department of Homeland Security's Computer Emergency Readiness Team (CERT) sent Equifax a notice on 8 March about the flaw in certain versions of Apache Struts.
Equifax sent out an internal email the following day which should have required its internal IT team to fix the vulnerability within 48 hours, but that didn't happen.
Smith noted that an automatic scan for vulnerabilities, carried out on 15 March, also failed to indicate that Equifax was using a Struts version that had the vulnerability.
"We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification," Smith wrote.
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not."
Smith pointing the finger of blame squarely at one IT staffer didn't stop him from receiving a tongue-lashing from the committee, which was quick to slam Equifax over its security failings.
"How does this happen when so much is at stake?" Representative Greg Walden said to Smith. "I don't think we can pass a law that fixes stupid."
Representative Debbie Dingell added: "You can't change your Social Security number and I can't change my mother's maiden name. This data is out there forever."
Earlier this week, Equifax admitted that an additional 2.5 million Americans may have been affected by the massive data breach it disclosed last month, bringing the total up from 143 million to 145.5 million.
The company previously said that around 400,000 UK consumers may have been caught up in the breach. On Tuesday it noted that results of its forensic investigation are still being analyzed and that it's still engaged in "discussions with regulators in the United Kingdom regarding the scope of the company's consumer notifications."