Equifax executives retire one week after massive security breach
Two Equifax executives are retiring from Equifax just one week after the credit reporting firm announced a security incident in which over 143 million records were compromised, according to an announcement made late Friday.
The chief information officer, David Webb, and chief security officer, Susan Mauldin, are no longer with the company effective immediately. Mark Rohrwasser, who has led Equifax’s international IT operations since 2016, is now interim CIO. Russ Ayres, previously the Vice President in the IT organization at Equifax, is interim CSO and reports directly to Rohrwasser.
The move comes as part of a thorough review and reaction to the breach announced on Sept. 7. The internal investigation into the incident, led by the cybersecurity firm Mandiant, is ongoing and the FBI is investigating as well.
Equifax also issued updates on its internal investigation noting that it saw “suspicious network traffic” on July 29 and, in the midst of looking into that traffic, found additional suspicious activity.
“The company’s internal review of the incident continued,” Equifax said. “Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.”
Equifax CEO Richard F. Smith has also been invited to testify before Congress. One day after that invitation, the Federal Trade Commission announced an investigation into the data breach. The firm faces dozens of lawsuits, demands for answers from Congress and a stock price that’s fallen from $142 per share to $92 per share in one week.
“Consumer confidence in a credit rating agency, like Equifax, is based on that company’s ability to do one job well: store data securely,” Rep. Will Hurd, R-Texas, chairman of the House Government Reform Subcommittee on IT, told CyberScoop earlier this week. “Data is not just a byproduct of doing business, it is their business. And when a breach occurs, it shouldn’t take six weeks to alert consumers. When it comes to consumer protection, companies must adopt a ‘need-to-share’ mentality.
