Equifax CIO and CSO Retire Amid Confusion Over Patching

Under-fire credit reporting agency Equifax has confirmed that its CSO and CIO are retiring following a massive data breach at the company affecting 143 million US and 400,000 British customers.

Mark Rohrwasser, who joined the firm in 2016 to head its international IT operations, has been appointed interim Chief Information Officer. VP Russ Ayres will become interim CSO, reporting to Rohrwasser.

The timing of the personnel changes may lead many to assume that the retirements were forced as a result of the events leading up to the incident earlier this year.

In a Friday statement, Equifax claimed it first noticed and started blocking “suspicious network traffic associated with its US online dispute portal application” on July 29, before taking the app offline the following day.

“The company’s internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online”, it continued.

Mandiant was then brought in a couple of days later on August 2 to conduct a forensic investigation, the results of which forced the breach disclosure last week, around a month later.

However, the statement raises more questions than it answers.

It continues:

“Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017. The particular vulnerability in Apache Struts was identified and disclosed by US CERT in early March 2017.

“Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

It’s unclear why, if Equifax “took efforts to identify and patch” the Apache Struts bug disclosed by US CERT in March, the bug remained unpatched and was only ‘discovered’ months later, after the portal app had been taken offline.

“While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available,” it said.
