Equifax Hacked Because of Incompetent Security Chief


They will be replaced, respectively, by Mark Rohrwasser, who joined Equifax a year ago as head of the company's International IT operations, and Russ Ayres, most recently vice president of IT.

Credit rating giant Equifax has swapped out its chief security and chief information officers following the growing data breach scandal that saw sensitive information on 143 million people being leaked.

The update reveals that the the attack hit the company's "U.S. online dispute portal web application" and that the source of its woes was CVE-2017-5638, which "which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header".

It also presented a litany of security efforts it made after noticing suspicious network traffic in July.

A new report says Equifax knew about the hack in March, nearly five months before the date it publicly disclosed the hack. "Companies - including every single member of the C-suite - must change to a Zero Trust security posture so that when updating their technology, it follows a new, innovative mindset, rather than continuing the insanity cycle with the next generation of flawed technology", said Panesar.

It was only then on the 30th that "Equifax patched the affected web application before bringing it back online". Both hacks appear to have exploited the same vulnerability in Apache software that Equifax didn't fully patch until it was too late. The closest Equifax gets to explaining that?

The company's interim chief information office will be Mark Rohrwasser, Equifax said. Equifax said it believes the access occurred from May 13 through July 30.

"The company's internal review of the incident continued".

Consumers calling the number Equifax set up initially complained of jammed phone lines and uninformed representatives, and initial responses from the website gave inconsistent responses. Equifax also said Friday it would continue to allow people to place credit freezes on their reports without a fee through November 21.

"Selling a fee-based product that competes with Equifax's own free offer of credit monitoring services to victims of Equifax's own data breach is unfair", Jepsen said.

Equifax faces at least 23 proposed class-action lawsuits over the breach and a federal probe from two agencies. The company's CEO Richard Smith is scheduled to testify in front of Congress in early October.

Three Equifax executives - not the ones who are departing - sold shares worth a combined $1.8 million just a few days after the company discovered the breach, according to documents filed with securities regulators.