The two most senior security roles have since been filled by the credit rating firm, with the world still stunned by the scale of the breach that also affected around 400,000 people in the UK.
The way Equifax executives and its IT security team appear to have failed to adequately apply patches, the amount of time it took to discover the depth of the breach and the delay in ultimately reporting it certainly paint a picture of a colossal failure at all levels, including the curiously timed stock sales by top executives (who deny knowledge of the breach at the time of the sale) just days before the disclosure, reported by Bloomberg. The company said it is taking short-term remediation steps to improve security but also wants to make long-term improvements. One day later, on Jul. 30, Equifax’s security teams were still seeing suspicious traffic and made a decision to take the entire impacted application offline.
More than 50,000 organizations are using outdated and leaky versions of Apache, the software whose Struts app gave hackers a back door into Equifax – even though free fixes have been available for nine months, according to Sonatype, a firm that monitors downloads of open-source software like Apache. The specific vulnerability is CVE-2017-5638, which was patched by the Apache Struts project in March 2017.
“Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017”.
Some of this might have been because Equifax “Chief Security Officer” Susan Mauldin has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia.
And the company’s security department “was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems”. “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing”, said the company in a statement released Friday. What has not been known is exactly how many individuals in other countries are at risk. In Canada, the numbers are not nearly as certain, as Equifax has not publicly disclosed any estimate.
Having held steady at around $140 since April, Equifax’s share price then hit $123 the day after the news that the company had suffered a data breach was revealed, over a month after it happened.
The company is now under investigation by the Federal Trade Commission and the class-action lawsuits are starting to pile up.