By David Shepardson


WASHINGTON (Reuters) - Equifax Inc was alerted in March to the software security vulnerability that led to hackers obtaining personal information of more than 140 million Americans but took months to patch it, its former CEO said in testimony to be delivered to Congress on Tuesday.


"It appears that the breach occurred because of both human error and technology failures," former CEO Richard Smith said in written testimony released on Monday by the Energy and Commerce Committee.


Equifax was alerted to the breach in March by the U.S. Homeland Security Department, he said in the testimony, in which he said the company is taking a number of steps to protect personal data.


Smith, 57, said he was retiring from the company last week and would forgo this year’s bonus as criticism mounts over the attack, which was not made public until September 7 and has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Justice Department.


"I am here today to apologize to the American people myself," he said.

On March 15, Equifax’s information security department ran scans that should have identified any systems that were vulnerable to the software issue but it did not, the testimony said.

"The vulnerability remained in an Equifax web application much longer than it should have," Smith said. "It was this unpatched vulnerability that allowed hackers to access personal identifying information."

In his testimony, Smith said it appears the first date hackers accessed sensitive information may have been on May 13. He said "between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information."

Smith said security personnel noticed suspicious activity on July 29 and disabled the web application on July 30, ending the hacking. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board's lead director on Aug. 22.

Smith also apologized for the company's response after the data breach was made public, including the "rollout of our website and call centers, which in many cases added to the frustration of American consumers."

He also said another well-known, independent expert consulting firm "has been retained to perform a top-to-bottom assessment of the company’s information security systems."

Smith will testify at three separate congressional hearings this week.

(Reporting by David Shepardson; Editing by Chizu Nomiyama and Dan Grebler)