PHILADELPHIA (CBS/AP) — The Equifax data breach affected more Pennsylvania residents than originally thought.
Pennsylvania Attorney General Josh Shapiro tweeted Friday that Equifax informed his office that an additional 107,108 residents were affected by the data breach, bringing the total number in the state to 5,548,576.
On Tuesday, House Republicans and Democrats grilled Equifax’s former chief executive over the massive data hack of the personal information of 145 million Americans, calling the company’s response inadequate as consumers struggle to deal with the breach.
Former Equifax CEO Richard Smith apologized for the compromise of such information as names, addresses, birth dates and Social Security numbers. Smith was the lone witness at the first of several Capitol Hill hearings this week. No current Equifax official testified.
“The criminal hack happened on my watch, and as CEO, I am ultimately responsible, and I take full responsibility,” Smith said. “I am here today to say to each and every person affected by this breach, I am truly and deeply sorry for what happened.”
Democrats favor legislation that they say would establish strong data security standards and prompt notification and relief for consumers when their information is hacked. But Republicans tamped down expectations for any congressional action, as the GOP-led Congress has this year rolled back several Obama-era rules affecting businesses and the financial sector.
“Equifax deserves to be shamed in this hearing, but we should also ask what Congress has done, or failed to do, to stop data breaches from occurring,” said Rep. Jan Schakowsky, D-Ill.
Rep. Bob Latta, R-Ohio, the chairman of the subcommittee examining the breach, said there are already laws on the books that require companies to secure sensitive consumer data. He said hearings before four House and Senate panels this week should run their course before lawmakers make a decision about what to do next.
“The big thing we heard today is it was a very human error on their part,” Latta said.
Separately, Equifax signed a $7.25 million contract last month with the Internal Revenue Service to verify taxpayer identities. The no-bid contract, first reported by Politico, is for Equifax to provide the IRS with taxpayer and personal identity verification services.
The contract stated that Equifax was the only company capable of providing these services to the IRS, and it was deemed a “critical” service that couldn’t lapse.
Smith offered a timeline of what went wrong, saying the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software used by Equifax and other businesses. The company disseminated that warning by email the next day and requested that applicable personnel install the upgrade. The company’s policy requires the upgrade to occur within 48 hours, but that did not occur. The company’s information security department also ran scans on March 15 that did not pick up the vulnerability.
In late July, data security officials noticed suspicious activity on a website, which Smith said “happens routinely around our business.” He said an internal investigation ensued and he was alerted the next day, but he had no knowledge at that time that consumers’ personal information had been accessed.
(TM and © Copyright 2017 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2017 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)