Equifax CEO Richard Smith steps down in aftermath of massive breach

Equifax Chairman and CEO Richard Smith stepped down Tuesday in the wake of a massive cybersecurity breach that exposed the birth dates, social security numbers, and other personal information of 143 million Equifax customers, The New York Times reports.

Paulino do Rego Barros Jr. will vacate his post as the company’s president of the Asia-Pacific region to assume the CEO duties in an interim capacity, the Times says. Equifax will consider candidates from both inside and outside the company as permanent replacements.

According to the Times, Mark Feidler will become chairman of the board.

“Speaking for everyone on the board, I sincerely apologize [for failing to protect the seized data],” Feidler said in a statement quoted by the Times. He added that the board has formed a special committee to handle the breach.

Lawmakers, as well as the general public, have taken issue with Equifax’s failure to secure the data, and some have cast aspersions upon the company’s handling of the fallout that followed the breach.

Equifax set up a special-purpose website to provide information about the attack, and to help customers contain the damage. Among the website’s primary offerings was a tool by which a customer could enter his information and find out whether the breach had affected him. But the tool ran into a number of problems. Moreover, the company struggled to field the myriad calls that flooded its customer support lines.

The Times reports that three Equifax executives sold a combined $1.8 million worth of stock in the company in the days after the breach had been discovered but before it had been disclosed. Equifax said, per the Times, that the executives mentioned were unaware of the breach when they offloaded the shares.

Smith is the third prominent Equifax executive to vacate his post in response to the breach. The company’s chief information officer and chief security officer both stepped down September 14.

“Mr. Smith has been very cooperative and supportive of this approach,” Equifax spokesman Wyatt Jefferies said, per the Times.

Smith had served as CEO since 2005. In his 12 years with the company, he more than doubled its annual revenue, the Times notes. He was renowned amongst Wall Street experts for his ability to develop innovative products, and for his sales acumen.

As of now, Equifax has not terminated Mr. Smith, but the terms reached prior to his departure allow the board to retroactively fire him for cause, the Times says. The company will provide neither severance nor accelerated vesting of stock options to Smith, and he will not receive a bonus for 2017 (Equifax awarded him $3-million bonuses in 2015 and 2016).

Smith will retain $18.4 million in pension benefits.

Smith is scheduled to appear at congressional hearings regarding the breach in the coming weeks: one held by the House Energy and Commerce Committee on October 3, the other by the Senate Banking, Housing and Urban Affairs Committee the following day.

Senator Brian Schatz of Hawaii, a leading member of the latter committee, issued a statement ordering Smith to appear for the appointment and admonishing the former executive for shirking his responsibility for the breach.

“A CEO walking out the door just days before he is to appear before Congress is an abdication of his responsibility,” Schatz said, according to the Times.

But Jefferies, the Equifax spokesman, has indicated that Smith intends to comply with Congress’ demands. “If Congress asks him, he will go,” Jefferies said of Smith.

Schatz is one of several senators who have, in the wake of the Equifax incident, advocated legislation that would give consumers more latitude to protect their credit information.

The FBI is currently leading a criminal investigation into the breach, the Times says, and attorneys general in 30 states have launched their own probes into the matter. On September 19, the Massachusetts Attorney General sued Equifax seeking civil damages and more compensation.


Equifax could have prevented breach with a simple patch, experts say

Last Thursday, credit-monitoring firm Equifax announced that hackers had breached its computer systems and compromised the data of as many as 143 million Americans. Thursday, the company confirmed that the perpetrators of the attack did, as rumored, exploit a weakness in Apache Struts.

Equifax identified the exploited vulnerability as Apache Struts CVE-2017-5638.

In March, industry experts pinpointed the CVE-2017-5638 vulnerability. That same month, Apache released a patch to correct it, the New York Times notes. Apache also published instructions describing how to implement the patch.

Three days after the Apache Struts weakness was discovered, reports surfaced indicating that hackers had begun taking advantage of it. At that point, it was clear that the Apache vulnerability presented a considerable security threat.

Therefore, many are scratching their heads as to why Equifax neglected to install the patch before hackers accessed the company’s systems in mid-May. Ars Technica notes that implementing the update would have been labor-intensive: after downloading the patch, one would need to rebuild every application that had been built with an older, vulnerable version of the software.
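A patch audit of the kind the paragraph above describes, added here as an example that is not from the article or from Apache: it checks an inventory of struts2-core jar file names against the affected and fixed versions published in the Apache S2-045 advisory for CVE-2017-5638 (2.3.32 and 2.5.10.1 are the fixed releases). The jar paths are constructed sample data.

```python
"""Inventory check for CVE-2017-5638 (Apache Struts advisory S2-045).

Added example, not code from the article or from Apache. Fixed releases
(2.3.32, 2.5.10.1) and affected ranges (2.3.5-2.3.31, 2.5-2.5.10) come from
the S2-045 advisory; the jar paths below are constructed samples.
"""
import re
from typing import List, Optional, Tuple

FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}  # first fixed release per branch
FIRST_AFFECTED = (2, 3, 5)  # earlier 2.x releases are not listed in S2-045
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")  # WEB-INF/lib name

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise."""
    return tuple(int(part) for part in text.split("."))

def struts_version(path: str) -> Optional[Tuple[int, ...]]:
    """Return the struts2-core version embedded in a jar path, or None."""
    match = JAR_RE.search(path.replace("\\", "/"))
    return parse_version(match.group(1)) if match else None

def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """In an S2-045 range? Tuple order makes (2, 5, 10) < (2, 5, 10, 1)."""
    fixed = FIXED.get(version[:2])
    if fixed is None:  # 2.4 never shipped; 2.6+ post-dates the fix
        return False
    return FIRST_AFFECTED <= version < fixed

def audit(jar_paths: List[str]) -> List[Tuple[str, str]]:
    """Classify every struts2-core jar in an inventory; other jars are skipped."""
    results = []
    for path in jar_paths:
        version = struts_version(path)
        if version is not None:
            results.append((path, "VULNERABLE" if is_vulnerable(version) else "ok"))
    return results

SAMPLE_JARS = [  # constructed inventory, e.g. from `find / -name 'struts2-core-*.jar'`
    "/srv/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/srv/app2/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/srv/app3/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/srv/app4/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/srv/app5/WEB-INF/lib/commons-lang3-3.5.jar",
]

if __name__ == "__main__":
    for path, status in audit(SAMPLE_JARS):
        print(f"{status:10} {path}")
```

Only the jar on the classpath is inspected; an application built from a vulnerable version must be rebuilt against the fixed release and redeployed before this check reports it clear, which is the rebuild cost Ars Technica describes.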

Still, Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm, points out that it is Equifax’s responsibility to take the measures necessary to protect its customers’ data.

“This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly,” he said, per WIRED. “The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred.”

But Avivah Litan, a security analyst with the research firm Gartner, told the Times that a high-profile company like Equifax needs a multi-faceted security system, so that if one aspect fails, others provide reinforcement.

“You have to have layered security controls,” she said. “You have to assume that your prevention methods are going to fail.”

Apache Struts is an open-source web development framework used to create Java applications that run on Web servers, Ars Technica explains. The software is free, and about 65 percent of Fortune 100 companies, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime, use it, per the New York Post. Banks and government agencies—including the IRS—also use the software.

Generally speaking, though, open-source software is particularly vulnerable to hacks.

Developers use Apache Struts to develop applications for front-end as well as back-end servers. Front-end servers contain code that translates the website’s content into something the user can see, while back-end ones contain the building blocks of a website and are only accessible to site administrators.

Equifax has not said whether the hackers exploited the company’s back-end or its front-end servers. Accessing the back-end would have required access to the company’s private network, the Times notes.

Several hacking experts have already noted the sophistication of the attack—the sheer amount of data stolen is sufficient to indicate the intricacy of the operation.

Investigators have yet to identify the perpetrators of the attack. A group calling itself the PastHole Hacking Team has claimed responsibility and threatened to release the seized data Friday unless a 600-bitcoin ($2.5-million) ransom is paid.

Several people have concluded that PastHole’s claiming responsibility was a hoax. The leading theory among investigators, the Times says, holds that a nation-state, or a group of hackers sponsored by a nation-state, carried out the attack. A government holding animosity toward the U.S. could cull the stolen data in search of information that could be used for espionage or blackmail.

Investigators note that the amount of data stolen casts further doubt on the notion that a small, financially motivated group of hackers perpetrated the attack.

Such a group would likely sell the information on the Dark Web. While there is a market amongst cyber-criminals for sensitive data, particularly permanent information such as birth dates and social security numbers, which can be used to access a victim’s bank accounts, medical records, and so on, the market likely would not support such a massive amount of data.

“Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That’s nearly half the population of the United States,” said Thomas Boyden, president of GRA Quantum, a company that specializes in cyberattack incident response, per the Times. “Are there standard cybercriminals out there with the purchasing power for that type of data?”

Equifax said in a statement Wednesday: “We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”


Equifax stares down almost two dozen class actions after cyberattack

Credit reporting and monitoring company Equifax is facing at least 23 proposed class action lawsuits in the wake of its announcement Thursday that a cyber attack compromised the personal information of up to 143 million Equifax customers, USA Today reports.

Various law firms have filed suits in 14 different states as well as D.C., according to USA Today. More suits will likely come. Victimized customers may receive a pretrial settlement from Equifax, or may be entitled to some portion of any adverse financial judgment levied against the firm.

“Equifax probably injured 143 million people, which is kind of a record…with 143 million people it doesn’t surprise me there are already 23 suits,” said John Coffee, who directs the Center on Corporate Governance at Columbia Law School.

USA Today notes that the number of people the breach potentially victimized represents 44 percent of the U.S. population.

“Assume that if you’re an American with a credit card or a mortgage, your data has been leaked,” Zack Whittaker, security editor for CBS’s ZDNet, tweeted.

Hackers carried out the attack from mid-May through July, seizing customers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers. Equifax says it became aware of the breach in late July. The company alerted the public of the incident on September 7. In the interim, Equifax hired third-party consultants to investigate the crime and provide suggestions as to how the company might bolster its cyber-defenses.

Many of the lawsuits take issue with the lag time between Equifax’s discovery of the attack and the firm’s notification of the public. USA Today says one suit calls the delayed disclosure “willful, or at least negligent.” Another argues that the delay “deprived [consumers] of their opportunity to meaningfully consider and address issues related to the potential fraud, as well as to avail themselves of the remedies available under the FCRA (U.S. Fair Credit Reporting Act) to prevent further dissemination of their private information.”

The company would presumably argue that it was justified in assessing the nature and extent of the attack before alarming the public.

A third suit notes that Equifax fell victim to similar attacks earlier this year, as well as in 2013 and 2016. Therefore, said suit argues, Equifax “knew and should have known of the inadequacy of its own data security.”

Other filings take aim at TrustedID, an Equifax service that provides identity theft protection and credit monitoring. One document says the company “failed to disclose to consumers that it owned TrustedID,” and baited customers into signing up for the service.

To help customers identify whether their information was compromised by the attack, Equifax is offering free TrustedID service to all U.S. customers.

New York Attorney General Eric Schneiderman, who is investigating the Equifax case, took issue with a clause in the agreement Equifax requires TrustedID members sign. The clause in question says that in signing up for TrustedID, a user waives his/her “right to bring or participate in any class action…or to share in any class action awards.”

“This language is unacceptable and unenforceable,” Schneiderman tweeted Friday. “My staff has already contacted @Equifax to demand that they remove it.”

Equifax subsequently explained that the waiver does not prohibit TrustedID members from participating in class actions regarding the cyber security incident.

In addition to Schneiderman, other government entities are pursuing the Equifax case. USA Today obtained a copy of a letter Senators Orrin Hatch and Ron Wyden, both of whom hold key positions on the Senate Committee on Finance, sent to Equifax requesting details about the attack and the manner in which the company is handling it.

The letter requests a timeline of the breach and asks how Equifax is identifying affected customers and what measures the company is taking to limit consumer harm. The document also asks Equifax to clarify the amount of information that was compromised.

Legal arguments must take place before the proposed suits achieve class action status. If the court grants class action status, USA Today says, a “federal panel on multi district litigation” will likely consolidate the suits into a single case, then assign that case to a judge, who would, in turn, appoint one law firm or a group of law firms as plaintiff counsel.

At the market’s close Tuesday, Equifax stock had dipped 18.7 percent since the original announcement. 4.7 percent of the drop had come since Monday morning, when news of the proposed class actions broke.
