Equifax Says CIO, Chief Security Officer to Exit After Hack
Equifax Inc. said two of its senior executives are leaving as the credit-reporting company faces mounting public anger for losing data on 143 million Americans in one of the biggest cyberattacks in history.
The firm’s chief information and chief security officers are retiring immediately, the Atlanta-based company said Friday in a statement that didn’t name the individuals. Mark Rohrwasser was named interim CIO and Russ Ayres was appointed interim CSO, reporting to Rohrwasser, according to the statement.
Equifax has faced withering criticism since disclosing Sept. 7 that hackers stole sensitive data — including Social Security numbers, birth dates and other identifying information — for much of the adult U.S. population. Lawmakers have since threatened to boost oversight of the industry, whose knowledge of consumers can, in the wrong hands, be used for identity theft and fraud. The Federal Trade Commission even took the rare step of announcing a probe, citing the “intense public interest and the potential impact.”
David C. Webb, who joined the company in January 2010, was previously the firm’s chief information officer, according to Equifax’s annual regulatory filing in February. Susan Mauldin previously served as chief security officer, according to her professional profile on LinkedIn and an Equifax press release from 2015.
Rohrwasser joined the company last year to lead its international information technology operations, while Ayres was a vice president in Equifax’s IT unit.
The company said in the statement that it hired cybersecurity firm Mandiant, owned by FireEye Inc., on Aug. 2 to review the incident and “continues to work closely with the FBI in its investigation.”
Equifax clarified on Friday that its security team first investigated and blocked suspicious traffic it identified in its online dispute portal on July 29. The firm discovered additional suspicious activity the next day, so it took down the web application and patched it before bringing it back online, according to the statement.
Equifax has said that hackers exploited a software vulnerability known as Apache Struts CVE-2017-5638. Computer-security specialists had publicly identified that weakness earlier this year, offering a patch to fix it in March.
“Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure,” the company said in Friday’s statement. “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available.”
Senate Minority Leader Chuck Schumer this week called for Chief Executive Officer Richard Smith and the company’s board to quit. The incident is “one of the most egregious examples of corporate malfeasance since Enron,” he said, referring to the Texas energy trader that collapsed in 2001 after lying about its finances.
A group of state attorneys general on Friday called on the company to stop selling credit-monitoring on its website. Senator Elizabeth Warren introduced legislation that would require Equifax and its competitors to freeze consumers’ credit reports free of charge, and restrict their ability to profit from data during the freeze.
“We apologize to everyone affected,” Smith wrote in an op-ed posted to USA Today’s website Sept. 12. “This is the most humbling moment in our 118-year history.”