In-brief: Equifax said on Friday that its Chief Information Officer and Chief Security Officer had “retired” in the wake of a massive data breach that leaked sensitive information on some 143 million people.
Equifax said on Friday that two of its senior executives had “retired” in the wake of a massive data breach that leaked sensitive information on some 143 million people.
The company announced that Chief Information Officer David Webb and Chief Security Officer Susan Mauldin were retiring, with interim replacements taking their roles: Mark Rohrwasser, the current head of Equifax’s International IT, as Chief Information Officer, and Russ Ayres, who had previously served as a Vice President in the IT organization at Equifax, as CSO.
The moves come at the end of a stormy week for the company. Consumers are having difficulty reaching the company via its support lines, and competing firms like Experian and TransUnion are being flooded with calls and requests from consumers afraid that cyber criminals will use the stolen information to carry out identity theft scams. The announced departures came after the FTC said it had opened an investigation into the firm and took the unusual step of publicly announcing the existence of that investigation. As we noted, Congress and state attorneys general are also investigating the security incident at the company.
Equifax also provided information about the source of the leak: an attack on a known security hole in commonly used open source software, Apache Struts 2. In an update on that point, the company said in a statement that it first learned of the breach on July 29, 2017, after the company’s security team “observed suspicious network traffic” emanating from its U.S. online dispute portal web application.
By early August, the company had contracted with Mandiant, a cyber forensics firm, to investigate the incident. Subsequent investigation by Mandiant and Equifax determined that the breach began May 13, after cyber criminals exploited a known vulnerability in Struts, CVE-2017-5638. That flaw had been patched in March 2017, and Equifax said that it was aware of the vulnerability, but it did not explain the four-month delay in applying the patch. In all, the incident “potentially impacts personal information relating to 143 million U.S. consumers,” including their Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers. For around 209,000 individuals, credit card numbers were also part of the mix.
The departure of Webb and Mauldin follows controversy over the breach and the company’s response to it. Among the missteps: Equifax’s use of a confusing (and fraudulent-seeming) web address, equifaxsecurity2017.com, to manage its response to the incident. The company also came under fire from consumers for legalese in a Terms of Service agreement for an online “Breach Look Up Tool” that asked users to waive their right to be part of a class action lawsuit against the company.
In its statement Friday, Equifax said that it had provided a clearer link between its main website, equifax.com, and the breach website, and had updated the Terms of Service agreement to make clear that those clauses do not apply to this cybersecurity incident or to the complimentary TrustedID Premier offering. Equifax also said that the clauses will not apply to consumers who signed up before the language was removed.