Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes
https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832
Specific Details of Incident:
On July 29, 2017, Equifax's Security team observed suspicious network traffic associated with its U.S. online dispute portal web application. In response, the Security team investigated and blocked the suspicious traffic that was identified.
The Security team continued to monitor network traffic and observed additional suspicious activity on July 30, 2017. In response, the company took offline the affected web application that day.
The company's internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
On August 2, 2017, Equifax contacted a leading, independent cybersecurity firm, Mandiant, to assist in conducting a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.
Over several weeks, Mandiant analyzed available forensic data to identify unauthorized activity on the network.
The incident potentially impacts personal information relating to 143 million U.S. consumers: primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.
In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries.
With respect to the company's security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements.
Questions Regarding Apache Struts:
The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.
Based on the company's investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
The particular vulnerability in Apache Struts was identified and disclosed by U.S. CERT in early March 2017.
Equifax's Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure.
While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing. The company will release additional information when available.
CountAllVotes
(20,878 posts)
Price = $1,000,000.00 each person in household that they got.
Take your stories Equifax and pay up!
HipChick
(25,485 posts)
all those overseas reps have access to your information too...
htuttle
(23,738 posts)
There it is.
hatrack
(59,592 posts)
The company announced that the Chief Information Officer and Chief Security Officer are retiring. Mark Rohrwasser has been appointed interim Chief Information Officer. Mr. Rohrwasser joined Equifax in 2016 and has led Equifax's International IT operations since that time. Russ Ayres has been appointed interim Chief Security Officer. Mr. Ayres most recently served as a Vice President in the IT organization at Equifax. He will report directly to the Chief Information Officer. The personnel changes are effective immediately.
http://www.prnewswire.com/news-releases/equifax-releases-details-on-cybersecurity-incident-announces-personnel-changes-300520691.html
But none of the "retiring" executives were listed among those who sold shares before the breach was announced:
As first reported by Bloomberg News, Chief Financial Officer John Gamble banked $946,374 on the sale, U.S. Information Solutions President Joseph Loughran made $584,099 and Consumer Information Solutions President Rodolfo Ploder earned $250,458. In the same filing, Loughran exercised an option to buy 3,000 shares at a price of $33.60.
While Equifax did not return a call from MarketWatch on Thursday, a company spokesperson told The Guardian and Gizmodo that the executives had no knowledge of the breach at the time they sold their shares.
Most executives set up what is referred to as a 10b5-1 plan to sell shares on regular schedules, in order to avoid accusations of insider trading. Sales that are part of those plans are typically noted on the SEC filings, but none of the Equifax executives said they were pre-scheduled.
EDIT
http://www.marketwatch.com/story/equifax-executives-sold-stock-after-data-breach-before-informing-public-2017-09-07
colsohlibgal
(5,275 posts)
It is already making my life a bit of Hell. Equifax said my info was taken, so I signed up for Lifelock. Created a password after I entered all my info, set up a PayPal monthly payment. Tonight I get an email from Lifelock saying they had canceled out. They did get my 29.99 but when I tried to log in it said I had the wrong password.
Yep, there needs to be a huge class action lawsuit to make up for the trouble they have caused for so many of us.
CountAllVotes
(20,878 posts)
They sent a message that said "we got your back" re: Equifax.
FREE btw!