The Equifax breach of 143 million individuals’ personal information has drawn unprecedented levels of anger and scrutiny from federal and state officials, with numerous bills introduced, hearings called, and investigations opened.
The cyber event also resulted in the announcement that the credit reporting firm’s chief information officer David Webb and chief security officer Susan Mauldin would retire immediately. Equifax quickly drew criticism for having installed Mauldin, a person with multiple degrees in music composition but no formal security training, as its chief security officer.
Equifax on Sept. 15 offered some answers to questions surrounding its massive data breach revealed a week earlier. The firm explained that a vulnerability in Apache Struts, an open source web application framework, allowed the breach to occur from May 13 until July 30.
“Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online,” the credit reporting agency stated. However, Apache, the framework’s creator, announced this particular vulnerability in March 2017 and provided a patch.
“Equifax’s security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure,” said the firm, not commenting on the success of the patching initiative. “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing.”
The event, which exposed the names, Social Security numbers, birthdates, addresses, and driver’s license numbers of 143 million individuals, as well as 209,000 credit cards, has resulted in a Federal Trade Commission (FTC) investigation, class action lawsuits, inquiries from both Canadian and UK privacy officials, and investigations by state attorneys general. The FTC confirmed the investigation in a statement, citing the “intense public interest and the potential impact of this matter.”
It has also raised questions about the transparency of the credit reporting industry, inspiring numerous federal lawmakers to file a measure to transfer control of personal data back to consumers. One lawmaker went so far as to call for jail time for Equifax executives over the breach.