A few days later, Equifax brought in security consulting firm Mandiant, now a unit of FireEye and associated with many high-profile forensics investigations including the Yahoo breach a year ago, when data on more than 1 billion accounts were exposed.
“Companies – including every single member of the C-suite – must change to a Zero Trust security posture so that when updating their technology, it follows a new, innovative mindset, rather than continuing the insanity cycle with the next generation of flawed technology”, said Panesar.
On Friday, it said it waited until it “observed additional suspicious activity” a day later to take the affected web application offline.
“The company’s internal review of the incident continued”.
Equifax also provided its most detailed timeline of the breach yet, although it raised as many questions as it answered.
The company named Mark Rohrwasser as interim chief information officer and Russ Ayres as interim chief security officer. Webb led global information technology, according to a cached version of his company bio, while Mauldin was in charge of the company’s cyber security operations.
Apache said Thursday it provided a patch for the software fault on March 7, well before Equifax said the security breach began in mid-May.
“Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017”.
Equifax’s chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The words “took efforts to identify and patch vulnerable systems” don’t definitively say whether Struts was identified as vulnerable or whether an attempt was made to patch it.
Consumers calling the number Equifax set up initially complained of jammed phone lines and uninformed representatives, and the website initially gave inconsistent responses.
The two most senior security roles have since been filled by the credit rating firm, with the world still stunned by the scale of the breach that also affected around 400,000 people in the UK.
The Federal Trade Commission and FBI are investigating Equifax and lawsuits are pending by state attorneys general. The company’s CEO Richard Smith is scheduled to testify in front of Congress in early October.