The CEO of Equifax, Richard Smith, is set to testify before Congress following a massive data breach that left the personal data of 143 million people vulnerable.
Reuters reports that the CEO of consumer credit-reporting agency Equifax will testify to Congress about a massive data breach that the company recently fell victim to. Almost 40 U.S. states have joined a probe into the credit-reporting agency’s handling of the cyberattack. Richard Smith, the CEO of Equifax, will testify before the House of Representatives on October 3rd.
Eileen Boyce, a spokeswoman for Illinois State Attorney General Lisa Madigan, said that Illinois would be leading the state probe into Equifax. Connecticut, Pennsylvania, Iowa, and Rhode Island have all also stated that they are involved in the probe into the consumer credit-reporting agency. Equifax has been hit hard by the cyberattack, with shares falling another 14.6 percent on Wednesday, dropping below $100 for the first time since 2016.
A recent report also revealed that the vulnerability exploited by hackers to gain access to Equifax consumers' information had been patched two months previously, but Equifax reportedly failed to update its web applications with the fix, resulting in hackers gaining access to Equifax's system. In an updated post on its website, Equifax stated, “Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted.” The statement continued, “We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
The vulnerability was patched on March 6th; Equifax, however, stated that the breach on their site occurred in May, more than two months after the flaw in the Apache Struts framework was recognized and fixed.
It was also reported that Equifax's security on its Argentine website was not up to standards. According to cyber-crime blogger Brian Krebs, an online employee tool used on the Argentine Equifax website could be logged into and accessed simply using the username and password “admin.” Krebs reported that logging into this system gave him access to records that included thousands of customers' national identity numbers.
In response, an Equifax spokeswoman told the BBC, “We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cyber-security event that occurred in the United States last week. We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.”
The spokeswoman continued to say, “We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region.” Krebs replied, “It’s outrageous that any organisation that holds such sensitive personal data can build a portal with this kind of basic security vulnerability. It simply shouldn’t happen and responding that they have now fixed the issue is not the point: it puts a huge question mark over whether Equifax have been applying the appropriate resources to online security elsewhere.”