Equifax two top technology executives leave company ‘effective immediately’

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

By Dustin Volz and Diane Bartz

WASHINGTON (Reuters) – Equifax said on Friday that it made changes in its top management as part of its review of a massive data breach, with two technology and security executives leaving the company “effective immediately.”

The credit-monitoring company announced the changes in a press release that gave its most detailed public response to date of the discovery of the data breach on July 29 and the actions it has since taken.

The statement came on a day when Equifax’s share price continued to slide following a week of relentless criticism over its response to the data breach,

Lawmakers, regulators and consumers have complained that Equifax’s response to the breach, which exposed sensitive data like Social Security numbers of up to 143 million people, had been slow, inadequate and confusing.

Equifax on Friday said that Susan Mauldin, chief security officer, and David Webb, chief information officer, were retiring.

The company named Mark Rohrwasser as interim chief information office and Russ Ayres as interim chief security officer, saying in its statement, “The personnel changes are effective immediately.”

Rohrwasser has led the company’s international IT operations, and Ayres was a vice president in the IT organization.

The company also confirmed that Mandiant, the threat intelligence arm of the cyber firm FireEye, has been brought on to help investigate the breach. It said Mandiant was brought in on Aug. 2 after Equifax’s security team initially observed “suspicious network traffic” on July 29.

The company has hired public relations companies DJE Holdings and McGinn and Company to manage its response to the hack, PR Week reported. Equifax and the two PR firms declined to comment on the report.

Equifax’s share prices has fallen by more than a third since the company disclosed the hack on Sept. 7. Shares shed 3.8 percent on Friday to close at $92.98.

U.S. Senator Elizabeth Warren, who has built a reputation as a fierce consumer champion, kicked off a new round of attacks on Equifax on Friday by introducing a bill along with 11 other senators to allow consumers to freeze their credit for free. A credit freeze prevents thieves from applying for a loan using another person’s information.

Warren also signaled in a letter to the Consumer Financial Protection Bureau, the agency she helped create in the wake of the 2007-2009 financial crisis, that it may require extra powers to ensure closer federal oversight of credit reporting agencies.

Warren also wrote letters to Equifax and rival credit monitoring agencies TransUnion and Experian, federal regulators and the Government Accountability Office to see if new federal legislation was needed to protect consumers.

Connecticut Attorney General George Jepsen and more than 30 others in a state group investigating the breach acknowledged that Equifax has agreed to give free credit monitoring to hack victims but pressed the company to stop collecting any money to monitor or freeze credit.

“Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair,” Jepsen said.

Also on Friday, the chairman and ranking member of the Senate subcommittee on Social Security urged Social Security Administration to consider nullifying its contract with Equifax and consider making the company ineligible for future government contracts.

The two senators, Republican Bill Cassidy and Democrat Sherrod Brown, said they were concerned that personal information maintained by the Social Security Administration may also be at risk because the agency worked with Equifax to build its E-Authentication security platform.

Equifax has reported that for 2016, state and federal governments accounted for 5 percent of its total revenue of $3.1 billion.

400,000 BRITONS AFFECTED

Equifax, which disclosed the breach more than a month after it learned of it on July 29, said at the time that thieves may have stolen the personal information of 143 million Americans in one of the largest hacks ever.

The problem is not restricted to the United States.

Equifax said on Friday that data on up to 400,000 Britons was stolen in the hack because it was stored in the United States. The data included names, email addresses and telephone numbers but not street addresses or financial data, Equifax said.

Canada’s privacy commissioner said on Friday that it has launched an investigation into the data breach. Equifax is still working to determine the number of Canadians affected, the Office of the Privacy Commissioner of Canada said in a statement.

(Reporting by Dustin Volz and Diane Bartz; Additional reporting by Chris Sanders, Michelle Price and Jim Finkle; Editing by Chris Reese and Leslie Adler)

Key U.S. senators demand answers on Equifax hacking

Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

By David Shepardson and Dustin Volz

WASHINGTON (Reuters) – Two key U.S. senators on Monday asked Equifax Inc <EFX.N> to answer detailed questions about a breach of information affecting up to 143 million Americans, including whether U.S. government agency records were compromised in the hack.

Senator Orrin Hatch, who chairs the Finance Committee, and ranking Democrat Ron Wyden, also demanded that Equifax Chief Executive Rick Smith provide a timeline of the breach and its discovery. They asked for information on when authorities and the company’s board were notified and when three executives who sold stock in the company in August were first told of the data breach.

Equifax did not immediately respond to a request for comment on the letter. It came amid mounting scrutiny of the company’s response to the breach from lawmakers, regulators and security experts, prompting the credit-monitoring services to issue an apology on Friday and pledge to dedicate more resources to helping affected consumers.

“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” the letter said.

Equifax announced last week that it learned on July 29 that hackers had infiltrated its systems in mid-May, pilfering names, birthdays, addresses and Social Security and driver’s license numbers. Cyber security experts said it was among the largest data hacks ever recorded and was particularly troubling due to the richness of the information exposed.

Three days after Equifax discovered the breach, three top Equifax executives, including Chief Financial Officer John Gamble and a president of a unit, sold Equifax shares or exercised options to dispose of stock worth about $1.8 million, regulatory filings show.

Equifax said in a statement last week that the executives were not aware that an intrusion had occurred when they sold their shares.

Hatch and Wyden asked Smith to respond by Sept. 28. Other congressional committees have announced plans to hold hearings investigating the Equifax breach and want answers.

The senators want to know if Equifax has a chief information security officer and over the past two years “how many times has Equifax employed third-party cyber security experts to conduct penetration tests of its internal and external systems?” The senators want copies of all Equifax penetration test and audit reports by outside cyber security firms.

Separately, a group of 20 Democratic senators asked Equifax to end its use of forced arbitration agreements, which limit the ability of consumers to pursue claims, and not to lobby to reverse a new rule from the Consumer Financial Protection Bureau to limit the use of forced arbitration in the financial services sector.

(Reporting by Dustin Volz and David Shepardson; Editing by Andrew Hay and Jonathan Oatis)

Equifax reveals hack that likely exposed data of 143 million customers

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski/File Photo

By Yashaswini Swamynathan

(Reuters) – Equifax Inc, a provider of consumer credit scores, said on Thursday that personal details of as many as 143 million U.S. consumers were accessed by hackers between mid-May and July, in what could be one of the largest data breaches in the United States.

The company’s shares fell nearly 19 percent in after-market trading as investors reacted to possible consequences of the exposure of sensitive data of nearly half of the U.S. population.

Atlanta-based Equifax said in a statement that it discovered the breach on July 29. It said criminals exploited a U.S. website application vulnerability to gain access to certain files that included names, Social Security numbers and driver’s license numbers.

In addition, credit card numbers of around 209,000 U.S. consumers and certain dispute documents with personal identifying information of around 182,000 U.S. consumers were accessed. Information of some UK and Canadian residents was also gained in the hack, Equifax said.

Equifax said in its statement that it was working with law enforcement agencies and has hired a cyber-security firm to investigate the breach. It said its investigation is “substantially complete,” and expects it will be completed in the coming weeks.

The company declined to comment beyond its statement.

The Federal Bureau of Investigation is tracking the situation, a spokeswoman for the agency said.

U.S. Senator Mark Warner, vice chairman of the Senate Select Committee on Intelligence, said in a statement that it would not be an “exaggeration to suggest that a breach such as this represents a real threat to the economic security of Americans.”

Equifax’s breach follows rival Experian Plc’s breach two years ago that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc (http://reut.rs/2f8ES9k)

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in a statement, adding that the company is conducting “a thorough review of our overall security operations.”

LIKELIHOOD FOR PHISHING SEEN HIGH

Cybersecurity experts said the breach was very serious.

“On a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data,” said Avivah Litan, a Gartner Inc analyst who tracks identity theft and fraud.

Equifax handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.

Ryan Kalember, senior vice president of cyber security firm Proofpoint, said the hack was “especially troubling” because companies typically offer free credit monitoring services from firms such as Equifax, which has now itself suffered a huge cyber attack.

“The information is very personal – the likelihood that it could be used for phishing is very high,” said Matt Tait, a former analyst at the British intelligence service GCHQ and a cyber security researcher.

Equifax said consumers could check if their information had been impacted at, www.equifaxsecurity2017.com.

Representative Maxine Waters, a member of the House of Representatives Financial Services Committee, said in a statement that she would reintroduce legislation to “enhance consumer protection tools available to minimize harm caused by identity theft.”

Three days after Equifax discovered the breach, three top Equifax executives, including Chief Financial Officer John Gamble and a president of a unit, sold Equifax shares or exercised options to dispose off stock worth about $17.8 million, regulatory filings show. It was not clear whether these transactions were part of a pre-arranged sales plan.

Equifax said in a statement that the executives were not aware that an intrusion had occurred when they sold their shares.

(Reporting by Yashaswini Swamynathan in Bengaluru; Additional reporting by Laharee Chatterjee in Bengaluru and Siddharth Cavale and Dustin Volz in Washington; Editing by Leslie Adler)