This summer, a breach at the credit bureau Equifax compromised Social Security numbers and other sensitive data on more than 145 million people. Since then, experts have been puzzling over how the company allowed it to happen. The attackers seem to have broken into the system by exploiting a public vulnerability in Apache’s Struts software, but by the time the compromise occurred, a patch for that vulnerability had been available for months. So why didn’t Equifax deploy the patch?

Speaking to the House Energy and Commerce Committee, former Equifax CEO Richard Smith gave the most detailed answer to that question we’ve heard so far. According to him, the team internally discussed the Struts vulnerability when it was first announced by CERT on March 8th.

The protocol is to deploy a patch internally and then scan the systems for any copy of the vulnerable software that the rollout missed. In theory, the two steps back each other up: the scan exists precisely to catch what the human deployment overlooked, so a disclosed vulnerability should only persist if both fail independently. According to Smith, that is exactly what happened; neither half of the process worked.
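What such a post-patch scan can look like, and one way it can quietly miss a copy of the library, as an added example: this is not Equifax's process or code, and it makes no claim about why Equifax's own scan failed (the article says that is still under investigation). It assumes that Struts artifacts follow the `struts2-core-<version>.jar` naming convention, that the first fixed release is supplied by the caller from the vendor advisory, and it uses placeholder version numbers rather than the actual affected or fixed releases. The contrast it shows is between a scanner that only matches file names on disk and one that also opens WAR/EAR archives, where web applications commonly bundle their own copy of a library.

```python
"""Added example: a post-patch inventory scan for Apache Struts 2 core jars.
Assumptions (not from the article): jars follow the struts2-core-<version>.jar
naming convention, the first fixed release is supplied by the caller, and the
sample deployment tree below uses placeholder version numbers."""
import io
import os
import re
import tempfile
import zipfile

# Matches struts2-core-2.0.0.jar as a bare file name or at the end of a path inside an archive.
STRUTS_CORE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")
# Zip-based containers a Java web application may bundle libraries in.
ARCHIVES = (".war", ".ear", ".jar", ".zip")


def parse_version(text):
    """'1.2.3.1' -> (1, 2, 3, 1); tuples of ints compare element-wise."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed):
    """A copy is vulnerable if it predates the first fixed release."""
    return version < fixed


def scan_zip(zf, location, depth=0, max_depth=3):
    """Yield (location, version) for every struts2-core jar inside an open
    ZipFile, descending into nested archives (a WAR inside an EAR, a jar under
    WEB-INF/lib) in memory, without extracting anything to disk."""
    for name in zf.namelist():
        match = STRUTS_CORE.search(name)
        if match:
            yield f"{location}!{name}", parse_version(match.group(1))
        elif name.lower().endswith(ARCHIVES) and depth < max_depth:
            data = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(data):
                data.seek(0)
                with zipfile.ZipFile(data) as inner:
                    yield from scan_zip(inner, f"{location}!{name}", depth + 1)


def scan_tree(root, fixed, deep=True):
    """Walk a deployment directory and report every struts2-core jar found.
    deep=False only matches file names on disk (how a naive scanner behaves);
    deep=True also opens archives and looks inside them."""
    findings = []

    def record(location, version):
        findings.append({"location": location, "version": version,
                         "vulnerable": is_vulnerable(version, fixed)})

    for dirpath, _, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            match = STRUTS_CORE.search(filename)
            if match:
                record(path, parse_version(match.group(1)))
            elif deep and filename.lower().endswith(ARCHIVES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for location, version in scan_zip(zf, path):
                        record(location, version)
    return findings


def build_sample_tree(root):
    """Constructed sample deployment (not real data): a patched jar in plain
    sight under lib/, and an older copy bundled inside a WAR under webapps/.
    The version numbers 3.0.0 and 2.0.0 are placeholders."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    with zipfile.ZipFile(os.path.join(root, "lib", "struts2-core-3.0.0.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.0.0.jar", nested.getvalue())


def demo(fixed=(3, 0, 0)):
    """Run a file-name-only scan and an archive-aware scan over the sample tree
    with an assumed first fixed release; returns both result lists."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        shallow = scan_tree(root, fixed, deep=False)
        deep = scan_tree(root, fixed, deep=True)
    return shallow, deep


if __name__ == "__main__":
    shallow, deep = demo()
    print("file-name scan:", [(f["location"], f["vulnerable"]) for f in shallow])
    print("archive-aware scan:", [(f["location"], f["vulnerable"]) for f in deep])
```

The file-name scan reports a single, patched jar and would sign the system off as clean; the archive-aware scan finds the second, older copy inside the WAR. The general point is that a scan is only as good as its inventory: a check that cannot see inside application archives, vendored copies or container images will confirm a patch that never reached the copy actually serving requests.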

“Both the human deployment of the patch and the scanning deployment did not work,” Smith told Congress. “The protocol was followed.”

He went into more detail in his written testimony, saying that the CERT notification was distributed internally the day after it was published, but no one in the IT department seems to have recognized its significance. “We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification,” Smith wrote.

Smith blamed the initial failure to patch on a specific individual, whom he declined to name. “The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” Smith said in the hearing.

“So does that mean that that individual knew the software was there,” Rep. Greg Walden replied, “and it needed to be patched, and did not communicate that to the team that did the patching?”

“That is my understanding, sir,” Smith said.

The company is still investigating why the subsequent scan did not detect the vulnerability, but written testimony indicates it took place the following week, on March 15th.

Smith stepped down as CEO of Equifax last week, and the company’s chief information officer and chief security officer have also stepped down. The Federal Trade Commission is currently investigating the breach as a violation of fair business practices, and the Department of Justice has opened a probe into whether Equifax executives committed insider trading by selling company stock before the breach became public.

Still, the hearing revealed significant frustration from members of Congress at the lack of financial consequences for the company. “Under current law, you’re required to alert those whose account has been hacked, but there’s basically no penalty,” Rep. Joe Barton (R-TX) told Smith. “We’re going to have this hearing every year from now on if we don’t do something to change this system.”