Equifax was alerted to the breach by the U.S. Homeland Security Department on March 9, Smith said in the testimony, but it was not patched.
On March 15, Equifax’s information security department ran scans that should have identified any systems that were vulnerable to the software issue but did not, the testimony said.
As a result, “the vulnerability remained in an Equifax web application much longer than it should have,” Smith said. “It was this unpatched vulnerability that allowed hackers to access personal identifying information.”
It’s one thing to get hacked. It’s quite another to know about it and refuse to take basic countermeasures for weeks on end.