03/10/2017: Equifax's systems were vulnerable since March
Equifax's systems have been vulnerable since March, though hackers didn't take advantage of the flaws until May.
Former Equifax CEO Richard Smith stated in a written testimony that the data breach occurred as a result of both human error and technology failures, according to a report from Reuters.
Additionally, Equifax announced that an extra 2.5 million US consumers may have been affected by the data breach, taking the total number up to 145.5 million.
The investigation into how UK consumers have been affected by the breach has been completed and the information is now being analysed by the firm.
Smith's testimony is scheduled to be shared with Congress today. It outlines how on 15 March the company's information security department carried out scans to identify any vulnerabilities in the system, but these failed to do so.
"The vulnerability remained in an Equifax web application much longer than it should have," Smith said. "It was this unpatched vulnerability that allowed hackers to access personal identifying information."
Smith added that the first date he believes hackers accessed private information may have been on May 13. He wrote: "between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information."
Security personnel noticed suspicious activity on 29 July and ended the hacking on 30 July by disabling the web application. Smith said he was alerted the day after but did not realise the extent of the stolen data.
Equifax told the FBI on 2 August and retained a law firm and consulting firm as advisors. Smith told the board's lead director on 22 August.
Smith will testify at three different congressional hearings this week.
Furthermore, an extra 2.5 million US consumers have been identified as potentially being affected by the hack following the completion of a forensic investigation carried out by cybersecurity firm Mandiant. The firm said it hadn't identified any additional or new attacker activity within Equifax's systems too.
Equifax highlighted that the review determined that there is no evidence the attackers accessed databases located outside of the US.
"I want to apologise again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements," said interim CEO Paulino do Rego Barros.
Equifax CEO Smith announced his retirement last week, following the data breach in which up to 400,000 UK citizens' personal details and millions of US customers' information was revealed.
Smith was the third executive to leave the company after the breach, as the CIO and CSO also retired after it emerged that the company had failed to protect its customers sufficiently.
27/09/2017: Equifax CEO 'retires' in data breach aftermath
Equifax CEO Richard Smith has announced his retirement, following a serious data breach that revealed up to 400,000 UK citizens' personal information and millions of US customers' details.
Smith is the third executive to leave the credit monitoring agency after the CIO and CSO also officially retired following the revelations the company failed to protect its customers sufficiently.
"Serving as CEO of Equifax has been an honour, and I'm indebted to the 10,000 Equifax employees who have dedicated their lives to making this a better company," Smith said in his departing statement.
"The cyber security incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."
Board member Mark Feidler will become non-executive chairman, while Paulino do Rego Barros Jr, who most recently served as president of the company's Asia Pacific region, has been appointed as interim chief executive officer, while the company fills the three roles for the long term.
"The board remains deeply concerned about and totally focused on the cybersecurity incident," Feidler said. "We are working intensely to support consumers and make the necessary changes to minimise the risk that something like this happens again.
"Speaking for everyone on the board, I sincerely apologise. We have formed a special committee of the board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken."
20/09/2017: Equifax admits it suffered an earlier leak in March
Credit agency Equifax, which lost 143 million customer data records through a data breach in May, has said it suffered a similar leak back in March, casting doubt over whether executives were entirely ignorant of the incidents when selling company shares.
The company were spurred to admit the earlier breach after sources familiar with the leaks had passed information over to Bloomberg, stating that the widely reported data leak in May was in fact a second breach.
Equifax reportedly hired a security team to investigate the leak and informed its customers, but chose not to inform the individuals it held data on because they were technically not customers of the company.
"Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service," the company said in a later statement to Gizmodo. "The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media,"
"The March event reported by Bloomberg is not related to the criminal hacking that was discovered on 29 July. The criminal hacking that was discovered on 29 July did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event."
Despite the claim the two leaks were unrelated, sources speaking to Bloomberg believe there is evidence to suggest the hacks were carried out by the same individual or group.
Equifax reportedly informed five organisations affected by the breach in March and admitted the incident in a letter to the New Hampshire attorney general. However, the company is facing mounting backlash for its handling of its second breach in May, as those affected were informed four months after its investigation concluded.
During that time, Equifax executives were able to sell off their stocks in the company, activity that is now being investigated by the US Justice Department as there is suspicion that insider trading was taking place. Although the company has maintained that its executives were unaware of May's data breach, the existence of an earlier incident casts doubt over how ignorant they were.
One report by ThinkAdvisor claims CFO John Gamble, president of US information solutions Joseph Loughran, and president of workforce solutions Rodolfo Ploder, are all currently under investigation. The three are thought to have sold off shares valued almost $1.8 million in early August, one month before the breach was made public.
Shares in the company plummeted by 17% following the news of the breach, wiping almost $3 billion off the value of the company. Equifax announced on Friday that both its CIO and CSO would be immediately leaving the company as a result of the breach.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.