Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.
"To each and every person affected by this breach, I am deeply sorry that this occurred".
Apart from those in the United States and Canada, Equifax had initially said that 400,000 UK consumers may have been hit by this breach.
The breach, Smith says, "occurred because of both human error and technology failures".
"Equifax was entrusted with Americans' private data and we let them down", Smith said. On Wednesday, Smith will appear before the Senate Banking panel, and he will then field questions from the House Financial Services Committee on Thursday.
He confirmed that the first attack happened in May and took advantage of a software vulnerability that Equifax had been warned about in March, but failed to address effectively. The company disseminated that warning by email the next day and requested that applicable personnel install the upgrade.
On 15 March, the firm's security team ran scans "that should have identified any systems that were vulnerable to the Apache Struts issue". However, as a number of security researchers have noted, vulnerability scanners will only pick up this bug if they are pointed directly at a Struts URL. Unfortunately, it's not clear when those findings will be shared, because the company is "continuing discussions with regulators in the United Kingdom regarding the scope of the company's consumer notifications".
Lawmakers pressed Smith about company executives selling stock in the company after the suspicious activity had been detected.
Three high-ranking executives, including the chief financial officer, for example, sold almost $1.8 million worth of stock just days after the company detected the large-scale data breach, according to Bloomberg.
Smith described the executives as "honourable men, men of integrity".
Equifax is trying to help consumers while also fixing its security systems, he said.
Schakowsky said "for a lot of Americans, that just doesn't pass the smell test".
The D.C. Council will consider the measure Tuesday to waive credit freeze fees as emergency, temporary legislation that would take effect immediately and last 225 days to give staff time to write something more permanent, Allen said.
The company's response was rife with missteps, first establishing a data breach checker that was essentially useless.
"It is time to have identity verification procedures that match the technological age in which we live", he said. "The people affected by this are not numbers in a database". The company said it would notify them through the mail.
Smith, 57, said he was retiring last week and would forgo this year's bonus as criticism mounts over the attack, which was not made public until September 7 and has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Justice Department. An emailed statement from the credit-monitoring agency said the executives "had no knowledge" of the breach beforehand.