The initial drama over Equifax's September data breach has mostly subsided, but the actual damage will play out for years. And indeed, there turns out to be plenty of spectacle and public controversy left. It was all on display at a Tuesday Congressional hearing, in which lawmakers questioned Equifax's former CEO Richard Smith in an attempt to make sense of how things went so wrong.

Before delving into the hearing itself—which went poorly enough—it's worth mentioning that it was bracketed by further unfortunate Equifax revelations. The company announced Monday that the total number of people impacted by its breach is not 143 million—the amount it first disclosed—but in fact 145.5 million. Its ability to casually misplace 2.5 million lives upended by the breach is alarming, as is Tuesday afternoon's revelation that the IRS awarded Equifax a no-bid, multimillion-dollar fraud-prevention contract last week.

And there's a lot more where that came from. Here are six important (and astonishing, disappointing, you name it) tidbits that came out of Tuesday's hearing.

1. The timeline of when executives knew what about the breach is both disheartening and suspect. Equifax has previously said that it was breached on May 13 and that it first discovered the problem on July 29. The company notified the public on September 7. But during Tuesday's hearing, former CEO Smith added that he first heard about "suspicious activity" in a customer-dispute portal, where Equifax tracks customer complaints and efforts to correct mistakes in their credit reports, on July 31. He moved to hire cybersecurity experts from the law firm King & Spalding to start investigating the issue on August 2. Smith claimed that, at that time, there was no indication that any customer's personally identifying information had been compromised. As it turns out, after repeated questions from lawmakers, Smith admitted he never asked at the time whether PII being affected was even a possibility.

LEARN MORE The WIRED Guide to Data Breaches

Smith further testified that he didn't ask for a briefing about the "suspicious activity" until August 15, almost two weeks after the special investigation began and 18 days after the initial red flag. He received the briefing from King & Spalding and other forensic investigators on August 17. At that point, he said, those monitoring the situation had a better sense of the situation's severity. But Smith still staunchly maintains that he didn't have full information on August 17. "I did not know the size, the scope of the breach," he told the committee. He finally notified the presiding director of Equifax's board on August 22, while the entire board of directors was briefed on August 24 and 25. “The picture was very fluid," Smith said. "We were learning new pieces of information each and every day. As soon as we thought we had information that was of value to the board I reached out."

Pretty leisurely timeline, no? There are still numerous outstanding questions, particularly about what Equifax general counsel John Kelly knew about the breach when he approved nearly $2 million in company stock sales for three executives at the beginning of August. But just these additional time stamps alone paint a picture of a severe lack of emergency protocol and general urgency.

2. Equifax's patching process was wholly inadequate. Attackers initially got into the affected customer-dispute portal through a vulnerability in the Apache Struts platform, an open-source web application service popular with corporate clients. Apache disclosed and patched the relevant vulnerability on March 6. In response to questions from representative Greg Walden of Oregon, Smith said there are two reasons the customer-dispute portal didn't receive that patch, known to be critical, in time to prevent the breach.

The first excuse Smith gave was "human error." He says there was a particular (unnamed) individual who knew that the portal needed to be patched but failed to notify the appropriate IT team. Second, Smith blamed a scanning system used to spot this sort of oversight that did not identify the customer-dispute portal as vulnerable. Smith said forensic investigators are still looking into why the scanner failed.