Equifax's outgoing CEO Richard Smith has blamed one employee for the massive data breach which exposed the personal information of close to 146 million Americans.

Smith said a single human error and oversight resulted in failure to deploy a security patch that could have prevented the hack.

In a testimony before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee on Tuesday (3 October), he noted that the security vulnerability Apache's Struts software had a patch that was made available to them long before the breach took place.

Smith said the vulnerability was discussed by the company's computer emergency response team (CERT) on 8 March this year. He added that over the last three years, the company had invested over $250m (£188.45m) in cybersecurity.

Of the 225 people employed by the company, Smith said one person made a mistake. Without naming the employee, Smith said: "The human error was that the individual who's responsible for communicating in the organisation to apply the patch, did not."

In a written testimony, Smith said on 9 March an internal email was sent out to the security team to apply the patch within 48 hours, following a communication from the Department of Homeland Security. Since the message did not go through as intended, the breach happened.

Hackers apparently discovered the weak link and started to steal data starting 13 March and continued to do so for months.

"At best you are incompetent; at worst you were complicit," said Elizabeth Warren, Democratic senator from Massachusetts, at the hearing.

Apart from Smith, who stepped down as CEO last week, the chief security officer and chief information officer of Equifax have also retired from their posts. The state of New York has reportedly issued a subpoena against Smith and San Francisco has filed a lawsuit on behalf of its citizens, over 15 million of whom were affected by the breach.

Smith will have to attend a few more hearings this week, including the financial services and banking committees.

equifax
The massive Equifax breach also saw the theft of data from hundreds of thousands of credit cards Reuters/Dado Ruvic