Bloomberg reported that a major breach of Equifax’s computer systems occurred in March, but Equifax stated that this breach was not related to the hack that exposed the details of close to 150m customers in the United States that was disclosed in September.
The next point on the company’s list says “Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure”.
In a Friday statement, Equifax claimed it first noticed and started blocking “suspicious network traffic associated with its U.S. online dispute portal application” on July 29, before taking the app offline the following day. “The company will release additional information when available”.
On Friday, the company announced its chief information officer and chief security officer are “retiring”. The next day, suspicious activity was detected again and the company took the affected web application offline.
“The company’s internal review of the incident continued”.
According to Sonatype, in addition to the more than 3,000 organizations that downloaded the version of Apache Struts disclosed as vulnerable in March over the last 12 months, another 1,731 organizations downloaded versions of the framework that had been disclosed as vulnerable as early as July 2013.

The phrase “aware of this vulnerability at that time” could mean anything, perhaps even something as trivial as a single email reaching an inbox in Equifax’s security team.

Webb is being replaced by Mark Rohrwasser, who most recently was in charge of Equifax’s global technology operations.
The statement leaves many questions unanswered. The words “took efforts to identify and patch vulnerable systems” don’t definitively say whether Struts was identified as vulnerable or whether an attempt was made to patch it.
But elsewhere in the statement, Equifax all but confesses that those efforts either missed the Struts implementation or failed to patch it properly.
“Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017”.
Consumers calling the number Equifax set up initially complained of jammed phone lines and uninformed representatives, and the website initially gave inconsistent responses.
In the days after the breach was announced, Equifax waived fees for 30 days to allow customers to place freezes on their accounts.
Equifax faces at least 23 proposed class-action lawsuits over the breach and a federal probe from two agencies. The company’s CEO Richard Smith is scheduled to testify in front of Congress in early October.