(Rewrites with start of hearing, changes bylines)
By John McCrank and Diane Bartz
WASHINGTON, Oct 3 (Reuters) - The former head of Equifax Inc apologized repeatedly on Tuesday at a congressional hearing for the theft of millions of people's personal data in a hacking breach, saying it took weeks for the credit bureau to understand the extent of the intrusion.
Richard Smith retired last week but the 57-year-old executive led the company over the time of the hack, which Equifax acknowledged in early September.
Late on Monday, Equifax said an independent review had increased the estimate of potentially affected U.S. consumers by 2.5 million to 145.5 million.
In March, the U.S. Department of Homeland Security alerted Equifax to an online gap in security but the company did nothing, said Smith.
"The vulnerability remained in an Equifax web application much longer than it should have," Smith said. "I am here today to apologize to the American people myself."
Equifax keeps a trove of consumer data for banks and other creditors who want to know whether a customer is likely to default.
Smith said both technology and human error opened the company's system to the cyber hack, which has been a calamity for Equifax, costing it about a quarter of its stock market value and leading several top executives to depart.
A company employee failed to tell the information team a software vulnerability that hackers could exploit should be fixed, Smith said. Then, a later system scan did not uncover the weak point.
Smith said he was notified on July 31 that "suspicious activity had occurred," after security personnel had already disabled the web application and shut down the hacking. He said he only learned in the middle of August the scope of the stolen data.
On Aug. 2, the company alerted the Federal Bureau of Investigation and retained a law firm and consulting firm to provide advice. Smith notified the board's lead director on Aug. 22.
That timing could help lift suspicions that three executives who sold stock on the first two days of August illegally used insider knowledge of the hack. Smith said the three "honorable men" did not know about the breach at that time.
Smith deferred to the FBI on questions of whether the hack had been sponsored by a nation-state.
"It's possible," he said when asked if the hackers were from another country. (Writing by Lisa Lambert and Patrick Rucker; Editing by Clive McKeef and Bill Rigby)