Equifax Security Chief, CIO to ‘Retire’ Immediately

Following the massive data breach that was disclosed on September 7, Equifax announced on Friday that Chief Security Officer Susan Mauldin and Chief Information Officer David Webb are retiring from the company effective immediately. 

Russ Ayres, who previously served as a Vice President in the Equifax IT department, has been appointed interim Chief Security Officer. 

Mark Rohrwasser has been appointed interim Chief Information Officer. Rohrwasser joined Equifax in 2016 and has led Equifax’s International IT operations since that time, the company said.

Ayres will report directly to Rohrwasser.

Equifax informed customers last week that hackers had access to its systems between mid-May and late July. The breach, which affects roughly 143 million U.S. consumers, involved names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers.

The company has hired FireEye-owned breach investigations firm Mandiant to work on the investigations, and noted that “Equifax’s internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation.”

Equifax initially only revealed that the cybercriminals exploited a vulnerability in a “U.S. website application” to access files. However, financial services firm Baird later claimed to have learned that the application in question was Apache Struts, a framework used by many top organizations to create web apps.

While some believed that the Apache Struts vulnerability was the recently patched CVE-2017-9805, which has been increasingly exploited in the wild to deliver malware, a more likely candidate was CVE-2017-5638, a vulnerability disclosed and fixed in March, and leveraged by cybercriminals shortly after.

An update posted by Equifax on Wednesday to the website dedicated by the company to the cybersecurity incident confirms that CVE-2017-5638 was the Apache Struts 2 flaw exploited by attackers.

This shows that the breach was possible due to the company’s failure to patch a critical vulnerability in more than two months after its disclosure. Following the incident, others started highlighting holes in Equifax’s cyber security, including unpatched cross-site scripting (XSS) vulnerabilities reported to the company more than one year ago, and the lack of many basic protections.

Security blogger Brian Krebs reported on Tuesday that an Equifax Argentina employee portal exposed 14,000 records, including employee credentials and consumer complaints.

After New York Attorney General Eric T. Schneiderman announced the launch of a formal investigation into the Equifax breach, Illinois and nearly 40 other states joined the probe.

Equifax shares have fallen more than 30% since the disclosure of the breach, wiping more than $5 billion off the company’s market capitalization.

Equifax says that it maintains data on more than 820 million consumers and more than 91 million businesses worldwide.