WASHINGTON — The Equifax data breach, which exposed the sensitive personal information of nearly 146 million Americans, happened because of a mistake by a single employee, the credit reporting company’s former chief executive told members of Congress on Tuesday.
Richard F. Smith, who stepped down last week, repeatedly apologized to the members of the House Energy and Commerce Committee — and the American people — for the security lapse.
But he also sought to play down the severity of the problems that had led to the breach, defended the company’s response to the crisis and deflected questions about how far Equifax would go to compensate consumers who were financially harmed.
On multiple occasions, Mr. Smith referred to an “individual” in Equifax’s technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach. A company spokesman did not respond to questions about that employee’s status with the company.
Angry members of the committee tore into Mr. Smith and pressed him on how a credit bureau of Equifax’s size, responsible for safeguarding billions of sensitive records on Americans’ financial lives, could have allowed so much data to escape, unnoticed.
“How does this happen when so much is at stake?” asked Representative Greg Walden, Republican of Oregon. “I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid.”
The congressional hearing — the first of four this week at which Mr. Smith was scheduled to testify — presented lawmakers with an opportunity to showcase their populist ire, albeit aimed at the former executive of a previously obscure company.
On the opposite side of Capitol Hill, senators were ripping into the current chief executive of a better-known — but similarly beleaguered — financial institution, Wells Fargo. The giant bank’s chief, Timothy J. Sloan, was testifying about the company’s responses to a series of scandals that have rocked Wells Fargo over the past year.
“At best you are incompetent; at worst you were complicit,” said Elizabeth Warren, Democrat of Massachusetts. “Either way, you should be fired.”
Equifax already got rid of Mr. Smith, who announced his retirement last week. Even though he no longer works at Equifax, he was the only representative of the company to testify at the hearing. An Equifax spokesman, Wyatt Jefferies, declined to say whether any current executives had been invited to appear on Capitol Hill.
The company previously said that an unpatched software flaw had been to blame for the massive security breach, but on Tuesday, Mr. Smith went a step further, describing the “human error and technology failures” that turned a single oversight into a data breach that allowed attackers to obtain personal details on nearly half of America’s population.
In early March, the Department of Homeland Security sent Equifax and other companies an alert about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes.
The company sent out an internal email requesting that its technical staff fix the software, but “an individual did not ensure communication got to the right person to manually patch the application,” Mr. Smith told the subcommittee. That was compounded by a technical error: The scanning software that Equifax used to detect vulnerabilities failed to find the unpatched hole, he said.
Lawmakers from both parties — many of them citing anecdotes from family members, staffers or constituents who have been caught up in the breach — called for greater government oversight of the largely unregulated credit reporting industry.
“We could have this hearing every year from now on if we don’t do something to change the current system,” said Representative Joe L. Barton, Republican of Texas. He called for new federal laws to “put some teeth” into penalties for data breaches.
Mr. Smith maintained an even-keeled appearance and spoke in a muted tone throughout his testimony. “I’m truly and deeply sorry for what happened,” he said in his opening remarks.
But Mr. Smith refused to commit Equifax to making whole any people who had been financially harmed as a result of the breach. He evaded the question when asked if Equifax would allow consumers to remove themselves from its files.
“I never opted in,” said Representative Jan Schakowsky, Democrat of Illinois. “I never said it was O.K. to have all my information, and now I want out. I want to lock out Equifax. Can I do that?”
Mr. Smith responded, “That requires a much broader discussion around the role of the credit reporting agencies.”
Mr. Smith got tangled up several times trying to explain the difference between credit freezes, which allow people to block access to their credit reports, and locks, an industry-backed alternative that the bureaus say are easier for consumers to use. Freezes are regulated by the states; credit locks are not.
Equifax has said that on Jan. 31 it will introduce a free lock that customers can turn on and off through a mobile phone app. But some lawmakers are pushing for credit reporting companies to offer complimentary credit freezes.
“Getting a free freeze, I think, is possible even in a divided Congress,” said Ed Mierzwinski, a consumer program director at the advocacy group U.S. PIRG who attended the hearing. “Everybody understands it.”
On Monday, Ms. Schakowsky and Representative Frank Pallone Jr., Democrat of New Jersey, introduced the Secure and Protect Americans’ Data Act, an updated version of an unpassed bill that has been around for at least a decade. The latest iteration would require tougher security standards and faster notification of breaches.
If the bill had been law during the Equifax breach, it would have required that affected individuals were notified of the breach in writing, and they would have been entitled to 10 years of free credit monitoring and credit freezes, according to a Democratic congressional aide.
Lawmakers also grilled Mr. Smith about the stock sales by three senior Equifax executives, who sold shares worth almost $ 1.8 million in the days after the breach was discovered, but before it was disclosed. The sales were approved by John J. Kelley III, Equifax’s chief legal officer, who knew at the time that the company’s technical department had detected suspicious activity on Equifax’s network.
The three executives who sold stock are “honorable men of integrity” who were unaware of the technical investigation, Mr. Smith said.
Equifax’s public response to the breach — “ham-handed” and “unacceptable,” in Mr. Walden’s words — drew heavy condemnation. The company had extensive problems with its call centers and the website that it had set up to provide information to those whose information may have been exposed.
One by one, Democrats and Republicans took turns blasting the company. It was a rare moment of bipartisanship, Representative Anna G. Eshoo, Democrat of California, observed.
“You have brought Republicans and Democrats together in outrage and distress and frustration over what’s happened,” she said.