Equifax's CIO and chief information security officer (CISO) are "retiring," effective immediately. The moves come after Equifax suffered a massive security breach that has shaken investor, regulator and public confidence in the credit checking service.
Mark Rohrwasser, an IT operations veteran with the company since 2016, shifts into the interim CIO role. And Equifax VP Russ Ayres is now interim Chief Security Officer. The personnel changes are effective immediately, Equifax stated this evening.
Equifax hired FireEye's Mandiant team in August to assist with a forensic review of the breach, which was discovered in late July. Long-term recommendations from that review are still coming together, the company indicated.
The big question on most people's minds: Why did Equifax fail to apply an Apache software patch to address a known vulnerability that dates back to March 2017? So far, the answer to that question has not been nailed down, according to a lengthy Equifax statement released today.
Equifax Breach: Forensic Review Findings So Far
Here are eight takeaways from the Equifax breach statement. Many of the items are word-for-word from Equifax:
1. When Did Equifax discover the breach?: On July 29, 2017, Equifax's security team observed suspicious network traffic. The team investigated and blocked the suspicious traffic that was identified. The team observed additional suspicious activity on July 30, 2017. In response, the company took offline the affected web application that day. The initial attack vector involved Apache Struts, which the company patched and then brought back online.
2. Was there a forensic review?: Yes. Equifax hired Mandiant on August 2, 2017 to assist in conducting a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Over several weeks, Mandiant analyzed available forensic data to identify unauthorized activity on the network.
3. What was the forensic review's findings?: The incident potentially impacts personal information from 143 million U.S. consumers – primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
4. Was the breach limited to U.S. identities? No. Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries.
5. What corrective action has occurred since the forensic review? Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements. The company didn't offer specific information.
6. How long were hackers in Equifax's systems as part of this breach?: Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
7. Why didn't Equifax patch the Apache system when U.S. CERT identified the vulnerability in early March 2017?: Equifax's Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure. While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing. The company will release additional information when available.
8. What steps is Equifax taking to protect customers?: Find the information here.
Washington (and MSSPs) Are Watching
The Equifax executive changes arrive amid intense pressure from Washington regulators, politicians and privacy advocates.
Senate Minority Leader Chuck Schumer said the breach was "one of the most egregious examples of corporate malfeasance since Enron," and the credit-reporting company’s chief executive officer and board should quit if they don’t act to address the situation within a week, according to Bloomberg.
Meanwhile, MSSPs are closely watching the situation. Some MSSPs are reviewing customer contracts and checking in with corporate counsel to see what types of legal exposure, if any, they may face for failing to patch systems that ultimately get breached.