Key Equifax execs departing after huge data breach

September 16, 2017 at 2:56AM

NEW YORK – Equifax announced late Friday that its chief information officer and chief security officer would leave the company immediately, following the enormous breach of 143 million Americans' personal information.

The credit data company — under intense pressure since it disclosed last week that hackers accessed the Social Security numbers, birth dates and other information — also released a detailed, if still muddled, timeline of how it discovered and handled the breach.

Equifax said that Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring. Mauldin, a college music major, had come under media scrutiny for her qualifications in security. Equifax did not say in its statement what retirement packages the executives would receive.

Mauldin is being replaced by Russ Ayers, an information technology executive inside Equifax. Webb is being replaced by Mark Rohrwasser, who most recently was in charge of Equifax's international technology operations.

Equifax also provided its most detailed timeline of the breach yet, although it raised as many questions as it answered.

The tale began on July 29, when the company's security team detected suspicious network traffic associated with the software that ran its U.S. online-dispute portal. After blocking that traffic, the company saw additional "suspicious activity" and took the portal's software offline.

At this point, Equifax's retelling grows cloudy. The company said an internal review then "discovered" a flaw in an open-source software package called Apache Struts used in the dispute portal, which it then fixed with a software patch. It subsequently brought the portal back online.

But that vulnerability had been known publicly since early March 2017, and a fix was available shortly thereafter — facts that Equifax acknowledged in its Friday statement.

The company did not say why the software used in the online-dispute portal hadn't been patched earlier, although it claimed that its security organization was "aware" of the software flaw in March, and that it "took efforts" to locate and fix "any vulnerable systems in the company's IT infrastructure."

"While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing," the statement said.

After patching the dispute portal's software, Equifax hired Mandiant, a computer-security firm, to do a forensic review. That effort determined that hackers had access to Equifax systems from May 13 through July 30.

KEN SWEET, Associated Press
