The full extent of Equifax’s recently revealed, massive data breach isn’t known yet — although 143 million US customers and tens of millions of others globally are thought to be affected — but top executives are already having to answer for the debacle, with two Equifax officers making a sudden exit.
Equifax announced late Friday that its top security and information officers would retire as the company continues to reveal small details of the nearly two-and-a-half-month-long hack attack.
Chief information officer David Webb will retire after seven years with the company. He was responsible for leading the CRA’s IT department and providing support to customers and businesses.
Webb will be replaced on an interim basis by Mark Rohrwasser, who joined the company just last year as the head of Equifax’s international IT operations.
Susan Mauldin, chief security officer, will also retire from the company. It’s unclear how long Mauldin has worked for Equifax.
The Associated Press reports that Mauldin’s qualifications came under scrutiny shortly after news of Equifax’s data breach broke, as she has a degree in music.
Mauldin will be replaced on an interim basis by Russ Ayres, who most recently served as a vice president in the IT organization at Equifax.
Equifax notes that the changes were immediate.
In other Equifax data breach news, the company released a slightly more detailed timeline for the hack attack.
July 29: Equifax’s security team detected suspicious network traffic associated with the software used to operate its online-dispute portal in the U.S.
The company’s security team investigated the issue and blocked the suspicious traffic.
July 30: The security team continued to monitor traffic and observed additional suspicious activity. As a result, the web application was taken offline for the day as the company began an internal review of the incident.
At this point, the company discovered a vulnerability in the Apache Struts web application framework, determining this was the initial attack vector. A patch was applied and the portal was brought back online.
According to Equifax, it became aware in March 2017 that there was a vulnerability in the Apache Struts framework. The company says it made efforts to identify and patch any vulnerabilities at that time.
Aug. 2: Equifax says it contacted cyber security firm Mandiant to assist in forensic review of the intrusion.
It’s unclear why Equifax did not disclose that it was the victim of a possible hack attack at this time. However, the company contends that over the next several weeks, Mandiant analyzed available forensic data to identify the extent of the unauthorized activity.
Equifax notes that its review of the breach is still ongoing, and that it will release additional information when it is available.