According to Smith's testimony, the Department of Homeland Security's Computer Emergency Readiness Team (CERT) sent Equifax a notice on 8 March about the flaw in certain versions of Apache Struts.
"The breach of your system has actually created more opportunities for you", Warren said to Smith, noting that, for instance, Equifax is offering one year of free credit monitoring to consumers, but after that, people will have to pay to keep the service.
Smith appeared before the House energy and commerce ommittee on Tuesday, where he expressed his remorse and desire to made things right, but had frequent testy exchanges with lawmakers.
The Atlanta-based company believes that the hackers gained access to Equifax Canada's database via a consumer website application designed for the use of U.S. consumers.
"Yeah, we ought to be more concerned about it", Grassley said, noting the cybersecurity breach and the potential for a similar hack of IRS data are both concerns.More news: ' We're on the Right Path': Trump Responds to Senator Corker's WWIII Accusations
"You're really just required to notify everybody and say, so sorry, so sad", Barton said to Smith.
The review "also has concluded that there is no evidence the attackers accessed databases located outside of the United States", the Equifax statement said.
At the hearing in Washington on Tuesday Mr Smith said it took the firm weeks to establish the extent of the attack after it identified suspicious activity in July. Equifax was entrusted with Americans' private data and we let them down. Representative Greg Walden said to Smith.
He also said he did not believe minors, whose information could be listed under their parents, were breached.
Walden and other members of the committee pressed Smith on how Equifax checked its security measures between when the hack happened in May and when the public became aware in August.
In regards to the three company executives that sold almost $2 million worth of stock on Aug.1 and August 2, just days after the company discovered there had been some sort of "suspicious activity", Smith said, to the best of his knowledge, these executives were unaware of the cyber intrusion.