More Questions Raised After Equifax CIO, CSO ‘Retire’

In the wake of revealing a massive data breach, Equifax has announced that its CIO and CSO “are retiring” immediately.

On Friday, Equifax issued a statement saying that “effective immediately” it has appointed Mark Rohrwasser, who joined the company last year as its head of international IT operations, as interim CIO, and Russ Ayres, a vice president in its IT group, as interim CSO, reporting to Rohrwasser.

Equifax’s curious choice of language – spinning the removal of its key technology officials as a retirement, rather than saying they had been fired – has led some observers to question whether the credit reporting agency was taking its breach seriously enough.

The company has warned that 143 million U.S. consumers’ names, Social Security numbers, birthdates, addresses and in some instances driver’s license numbers were exposed, as well as 209,000 of their credit card numbers and additional personal information relating to 182,000 consumers. An estimated 400,000 British residents were also affected, as well as an unspecified number of Canadian consumers.

Equifax faces numerous class-action lawsuits in the United States and Canada, Congressional probes and a Federal Trade Commission investigation as a result of its breach (see Top Democrat Likens Equifax to Enron as FTC Launches Probe).

In response, Equifax CEO Richard Smith last week took to USA Today, where he wrote a column promising to do better (see Equifax CEO: ‘We Will Make Changes’).

On Monday, the Justice Department announced that it has opened an investigation into the timing of stock sales by senior Equifax executives, Bloomberg reports, adding that the U.S. Securities and Exchange Commission and the U.S. Attorney in Atlanta are also participating in the probe. The three executives, including the CFO, collectively sold Equifax stock worth almost $1.8 million in early August after the breach was discovered but before the company issued a public breach notification. Equifax has claimed the executives did not know about the breach at the time of their stock sale.

New Breach Details Disclosed

Equifax on Friday released more details about the breach, which it believes began May 13 and continued unchecked for 77 days.

On Saturday, July 29, according to the update, “Equifax’s security team observed suspicious network traffic associated with its U.S. online dispute portal web application,” prompting the team to block the suspicious traffic and investigate further. It says the security team found “additional suspicious activity” the next day, at which point it took the web application offline.

Continue reading…