Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes
PR Newswire 15-Sep-2017 5:40 PM
ATLANTA, Sept. 15, 2017 /PRNewswire/ -- As part of the company's ongoing review of the cybersecurity incident announced September 7, 2017, Equifax Inc. (NYSE:EFX) today made personnel changes and released additional information regarding its preliminary findings about the incident.
The company announced that the Chief Information Officer and Chief Security Officer are retiring. Mark Rohrwasser has been appointed interim Chief Information Officer. Mr. Rohrwasser joined Equifax in 2016 and has led Equifax's International IT operations since that time. Russ Ayres has been appointed interim Chief Security Officer. Mr. Ayres most recently served as a Vice President in the IT organization at Equifax. He will report directly to the Chief Information Officer. The personnel changes are effective immediately.
Equifax's internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation.
Specific Details of Incident:
On July 29, 2017, Equifax's Security team observed suspicious network traffic associated with its U.S. online dispute portal web application. In response, the Security team investigated and blocked the suspicious traffic that was identified.
The Security team continued to monitor network traffic and observed additional suspicious activity on July 30, 2017. In response, the company took offline the affected web application that day.
The company's internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
On August 2, 2017, Equifax contacted a leading, independent cybersecurity firm, Mandiant, to assist in conducting a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.
Over several weeks, Mandiant analyzed available forensic data to identify unauthorized activity on the network.
The incident potentially impacts personal information relating to 143 million U.S. consumers primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.
With respect to the company's security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements.
Questions Regarding Apache Struts:
The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.
Based on the company's investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
The particular vulnerability in Apache Struts was identified and disclosed by U.S. CERT in early March 2017.
Equifax's Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure.
While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing. The company will release additional information when available.
Overview of Consumer Support Response and Recent Developments
The company is fully committed to proactively supporting consumers who may have been impacted by the cybersecurity incident. A timeline of our response includes:
The company worked diligently with Mandiant to determine what information was accessed and identify the potentially impacted consumers in order to make an appropriate public disclosure of the incident.
As soon as the company understood the potentially impacted population, a comprehensive support package was rolled out to consumers on September 7, 2017.
Equifax took the following steps:
Equifax also provided written notification to all U.S. State Attorneys General and contacted other federal regulators.
Since the announcement, Equifax has taken additional actions including:
Equifax is a global information solutions company that uses trusted unique data, innovative analytics, technology and industry expertise to power organizations and individuals around the world by transforming knowledge into insights that help make more informed business and personal decisions. The company organizes, assimilates and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide, and its database includes employee data contributed from more than 7,100 employers.
Headquartered in Atlanta, Ga., Equifax operates or has investments in 24 countries in North America, Central and South America, Europe and the Asia Pacific region. It is a member of Standard & Poor's (S&P) 500 Index, and its common stock is traded on the New York Stock Exchange (NYSE) under the symbol EFX. Equifax employs approximately 9,900 employees worldwide.
FOR MORE INFORMATION 1550 Peachtree Street, NE Atlanta, Georgia 30309
View original content:http://www.prnewswire.com/news-releases/equifax-releases-details-on-cybersecurity-incident-announces-personnel-changes-300520691.html
SOURCE Equifax Inc.