Equifax has replaced two senior executives entrusted with watching over its computers, after the credit reporting agency revealed it suffered a major hack that led to one of the worst-ever breaches of personal data. The Equifax chief information officer and head of security will retire, effective immediately, the firm said Friday, as part of an "ongoing review of the cybersecurity incident" that resulted in the theft of personal data from 143 million US customers.
Hundreds of thousands of British customers and an unspecified number in Canada may have also been affected by the hack at Equifax, one of the three major credit bureaus that collect consumer financial data. The breach is considered particularly serious because the type of data collected - names, social security numbers, addresses, credit card numbers, and other financial details - can potentially be used by criminals to steal people's identities for financial gain.
An internal investigation into the hack continues and the company is working with FBI investigators, according to Equifax. Word that top Equifax executives were out came on the same day that Canada's privacy commissioner announced a high-priority investigation into the massive data theft. A lawsuit by Canadian consumers whose data was stolen was also launched this week, seeking class action status and damages of Can$550 billion ($450 billion US).
Equifax also confirmed on Friday that "limited" information from as many as 400,000 British customers may have been hacked - adding that the data was restricted to name, date of birth, email address and a telephone number. "Equifax believes identity takeover is unlikely for the UK consumers who had their data potentially accessed in this incident," the company's UK branch said in a statement, adding that it was reaching out to the customers concerned.
Equifax collects consumers' financial data in order to rate their credit-worthiness to banks, home sellers, auto sellers and others who depend on consumer credit in marketing. The hack took place from mid-May through July 2017 via a website application vulnerability that US cyber security companies say they had identified in March. US officials have not revealed if they know who was behind the breach, though foreign hackers are widely suspected.
In disclosing the breach on September 7, the Atlanta-based company did not explain why it waited more than a month to warn those affected about a risk of identity theft. A senior US senator has asked the Federal Trade Commission, one of the few bodies with oversight powers over loosely regulated credit raters, to examine Equifax's security practices and its "widely-panned response" to consumers potentially impacted. Senator Mark Warner, a member of the powerful Senate Banking Committee, accused the company of "exceptionally poor cybersecurity practices" that continued even after the hack became known.
He also said the company's woeful response to people whose data may have been lost - including trying to charge them for protection - was "alarming." "The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize."
US lawmakers have expressed particular outrage over allegations that three Equifax officials sold their company stock before the hack was made public. Filings with the US Securities and Exchange Commission showed that three high-ranking Equifax executives sold shares worth almost $1.8 million in the days after the hack was discovered.
An Equifax spokesperson told AFP the executives "had no knowledge that an intrusion had occurred at the time they sold their shares." Senator Elizabeth Warren on Friday fired off letters to credit reporting agencies Equifax, TransUnion and Experian as well as to several governmental agencies as part of "a new, broad investigation" into the breach and how it was handled, according to a release.
"Equifax's initial efforts to provide customers information did nothing to clarify the situation and actually appeared to be efforts to hoodwink them into waiving important legal rights," Warren said in a letter to the company. While not the largest-ever breach - Yahoo attacks leaked data on as many as one billion accounts - the Equifax incident could prove the most damaging because of the high value of the data stolen. The House Energy and Commerce Committee has scheduled an October 3 hearing with Equifax chief executive Richard Smith, who has openly apologized.