Key Equifax execs departing after huge data breach

Imperial Valley Press - BUSINESS

NEW YORK (AP) — Equifax announced late Friday that its chief information officer and chief security officer would leave the company immediately, following the enormous breach of 143 million Americans’ personal information.

The credit data company — under intense pressure since it disclosed last week that hackers accessed the Social Security numbers, birthdates and other information — also released a detailed, if still muddled, timeline of how it discovered and handled the breach.

Equifax said that Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring. Mauldin, a college music major, had come under media scrutiny for her qualifications in security. Equifax did not say in its statement what retirement packages the executives would receive.

Mauldin is being replaced by Russ Ayers, an information technology executive inside Equifax. Webb is being replaced by Mark Rohrwasser, who most recently was in charge of Equifax’s international technology operations.

Equifax also provided its most detailed timeline of the breach yet, although it raised as many questions as it answered.

The tale began on July 29, when the company’s security team detected suspicious network traffic associated with the software that ran its U.S. online-dispute portal. After blocking that traffic, the company saw additional “suspicious activity” and took the portal’s software offline.

At this point, Equifax’s retelling grows cloudy. The company said an internal review then “discovered” a flaw in an open-source software package called Apache Struts used in the dispute portal, which it then fixed with a software patch. It subsequently brought the portal back online.

But that vulnerability had been known publicly since early March 2017, and a fix was available shortly thereafter — facts that Equifax acknowledged in its Friday statement. The company did not say why the software used in the online-dispute portal hadn’t been patched earlier, although it claimed that its security organization was “aware” of the software flaw in March, and that it “took efforts” to locate and fix “any vulnerable systems in the company’s IT infrastructure.”

It apparently missed at least one vulnerable system. The closest Equifax gets to explaining that? “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing,” according to its statement.
