The latest news about Equifax puts the company in an even worse situation than last week. Bloomberg Technology reported September 18 that Equifax was hacked in March 2017, almost five months before the company reported a massive theft of over 150 million personal records in September.
NBC News and others reported that Susan Mauldin, Equifax’s former Chief Security Officer, and CIO David Webb, in charge of all information technology, retired effective September 15. Mauldin was widely mocked on social media for having a degree in music composition, not information security. She also attempted to conceal her professional LinkedIn profile by changing her name to “Susan M.” and eventually made the profile private.
Equifax insiders told Bloomberg reporters that the March 2017 information theft was perpetrated by the same hackers who broke into the company’s records between May and June.
Hackers used an Apache vulnerability that “had a patch available back in March,” Greg Sparrow, general manager for Compliance Point, told NBC News. Equifax was supposed to follow the Payment Card Industry Data Security Standard, which specifies that all critical patches must be applied within 30 days.
According to Wired, the security vulnerability was an “easy fix.” As more information emerges, the pattern of negligence is clear even to non-experts. Apache, the company which provided the underlying software, said that it issued clear instructions to plug the vulnerability that hackers used, and there was no reason for Equifax not to follow the instructions.
All of this adds up to good news for the more than 30 official lawsuits that have been filed against Equifax so far, including one for $70 billion.
A chatbot originally designed to help people contest parking tickets is now helping ordinary people file lawsuits against Equifax for $2,500 to $25,000 in their local small claims court.
Exciting news. You can sue Equifax for up to $25,000 by pressing a button! First case of fully automated lawsuit https://t.co/cDHUYaVXbu
— Joshua Browder (@jbrowder1) September 12, 2017
Attorneys all over the country are clamoring to file lawsuits for residents in their state, but a move is on to combine all of the lawsuits into one, which will be filed against the company in a Federal District Court in Georgia, where Equifax’s Atlanta headquarters is located.
Equifax is under increased pressure from federal and state lawmakers. The company’s executives have been testifying before Congress about changes to the Fair Credit Reporting Act (FCRA). The FCRA “Harmonization” Act relaxes standards on credit companies. The act is sponsored by 10 congressional representatives who received campaign donations linked to Equifax and the other two large credit reporting bureaus.
Massachusetts Senator Elizabeth Warren has introduced a bill to enable consumers to freeze their credit for free and potentially get a refund if they already paid.
Equifax is also the largest federal contractor of the three credit bureaus. The company has a thriving business providing identity and information security services to state and local governments. One of the company’s many federal contracts is for more than $10 million to provide information security services for the Social Security Administration’s website.
That’s right, the people who let ID thieves get your personal information and social security number then kept it a secret for months are designing the system for actual social security numbers.