Mandiant has concluded the forensic part of its Equifax breach investigation, and the results are as follows:
- 2.5 million additional US consumers were potentially impacted, bringing the total to 145.5 million
- The initial estimate of some 100,000 Canadian citizens being impacted was incorrect: in the end, the information of some 8,000 Canadian consumers was compromised, as well as credit card information of some of them
- The number of affected UK consumers has still not been revealed, as UK regulators are still analyzing the results provided by Equifax.
The company announced that all these users will be notified of this via mail. They also noted that there is no evidence the attackers accessed databases located outside of the United States.
A recent report by Bloomberg points to state-sponsored actors as the most likely perpetrators of the hack.
Former Equifax CEO testifies
Former Equifax CEO Richard Smith, under whose watch the breach happened and who resigned last month, is set to share more details about the breach before the House Energy and Commerce subcommittee on Tuesday (today).
His prepared testimony has already been published, and in it he claims that the breach occurred because of both human error and technological failures.
He says that the US CERT notified them on March 8 of the Apache Struts vulnerability which ultimately provided the attackers with the way in. IT personnel who were responsible for patching Apache Struts installations were instructed to upgrade their software within 48 hours, but they failed to identify and patch the vulnerable installations.
Even later scans by the company’s infosec department failed to flag systems vulnerable to the issue, and Equifax is apparently still trying to discover how these failures happened.
So, the vulnerability remained in an Equifax web application, and the attackers used it to get in on May 13. The breach remained undetected until July 30. A first indication of a potential breach came on July 29, when the company’s security department observed suspicious network traffic associated with the consumer dispute website.
Smith says that they decided to delay the public revelation of the breach because they were concerned it would provoke copycat attacks and other criminal activity, and they had to make sure their network was prepared for that.
New security assessment
He acknowledged the many mistakes the company made in the wake of the revelation, and detailed some of the security measures Equifax has implemented or enhanced to prevent future attacks. He also said that another consulting firm (not Mandiant) was called in to independently assess the company’s information security systems.
He concluded the testimony by saying that he believes that consumers should be able to decide when their credit information may be accessed, and that the Social Security Number should be replaced as the touchstone for identity verification in the US.
Smith was replaced by interim CEO Paulino do Rego Barros, Jr.
Equifax CIO David Webb and CSO Susan Mauldin “retired” on September 15. Mark Rohrwasser, who has led Equifax’s international IT operations, is the company’s new interim CIO, and Russ Ayres, the company’s former VP for IT, is the new interim CSO.
Equifax’s chief legal officer John Kelley, who was put in charge of cybersecurity at the company and to whom Susan Mauldin was instructed to report, is still with the company. He is apparently the subject of an internal investigation, mounted to determine whether he knew about the breach when he approved the sale of Equifax shares held by several executives just a few days after the breach was uncovered.