Timeline of the hacking of Equifax


Ex-Equifax CEO Richard Smith told lawmakers Monday that “both human error and technology failures” opened the way for a massive hacking incident in which thieves got away with sensitive information on more than 145 million Americans. Here’s a chronology of what happened, based on his prepared testimony before a hearing Tuesday by the House Energy and Commerce Committee. Smith stepped down and retired from Equifax on Sept. 26.

Read additional coverage on myAJC.com.

March 8: The U.S. Department of Homeland Security warns Equifax and many other users that a patch is needed on software called Apache Struts to fix security weaknesses.

March 9: Equifax forwards the U.S. warning internally to its information security team and requests a fix within 48 hours, but the patch isn’t installed.

March 15: Equifax’s security team runs software scans that should have caught the weak spot in Apache Struts. But it doesn’t spot any vulnerable versions of the software. “It was this unpatched vulnerability that allowed hackers to access personal identifying information,” Smith said.

May 13: Hackers apparently get their first batch of sensitive data. “The company was not aware of that access at the time,” Smith said. Equifax doesn’t detect the ongoing attack for another two months plus.

July 29: Equifax’s security team sees “suspicious network traffic” tied to its website where consumers dispute alleged errors in their credit profiles or other problems. The team investigates and “immediately” blocks the traffic, Smith said. The website is shut down the next day when more questionable activity appears.

July 31: Equifax’s chief information officer tells Smith about the attack, and that the website was shut down. “I certainly did not know that personal identifying information … had been stolen, or have any indication of the scope of the attack,” Smith said. (Equifax’s CIO at the time of the hack, David Webb, retired in the wake of the scandal on Sept. 15.)

Aug. 2: Equifax hires King & Spalding to “guide the investigation” into the data breach, and calls the FBI. The Atlanta law firm hires cybersecurity consultant Mandiant to investigate the hacking incident.

Aug. 11: Mandiant and Equifax determine that hackers may have gotten “a large amount of consumers” sentive data, Smith said, from a separate database in addition to the attack on the complaint portal.

Aug. 15: Smith said he is told that “it appeared likely that consumer (data) had been stolen. He said he requested “a detailed briefing to determine how the company should proceed.”

Aug. 17: Smith meets with “a senior leadership team” on the hacking investigation. By this time, the company knows “large volumes of consumer data … had been compromised,” he said. “This information was deeply concerning to me, although the team needed to continue their analysis to understand the scope and specific consumers potentially affected.” (Equifax eventually concluded the total was 145.5 million people — most adult Americans.)

Aug. 22: Smith tells Mark Feidler on the company’s board of directors of the breach, as well as the heads of Equifax’s business units. The rest of the board is told of the situation on August 24-25 in conference call meetings. The company starts drawing up “remediation” plans for consumers. (Feidler was named Equifax’s interim chairman when Smith stepped down.)

Sept. 1: The Equifax board meets to discuss the scale of the attack, remediation plans, and the risk of “exponentially more attacks” by copycat hackers, Smith said.

Sept. 4: Equifax draws up a list of 143 million potentially affected consumers — later bumped up to 145.5 million — and sets up a call center and a website for consumers to check if their data is compromised, and to sign up for help. The FBI is told about Equifax’s plans to go public with the breach.

Sept. 7: Equifax discloses the massive breach after the stock market closes.

LEARN MORE

Kempner: Last assignment for Equifax’s ex? Survive Capitol Hill

http://www.myajc.com/business/kempner-last-assignment-for-equifax-survive-capitol-hill/fwVjMQ3O520bidJltGKnlM/ 

MYAJC.COM: REAL JOURNALISM. REAL LOCAL IMPACT.

AJC Business reporter Russell Grantham keeps you updated on the latest news about major companies, CEOs and public utilities in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:

Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.



Reader Comments ...


Next Up in Business

Kempner: Cobb-based convenience chain gets fancy with own wine, chefs
Kempner: Cobb-based convenience chain gets fancy with own wine, chefs

For $8.99, a metro Atlanta-based chain of convenience stores will sell you it’s own private-label bottle of wine, Sequins & Sawdust. What is happening in the land of beef jerky and air fresheners? Big changes: pushing to get healthier foods, experimenting with delivery to customer homes, stressing self-service, creating ways to look special,...
Experts (well, some) predict Amazon will pick Atlanta
Experts (well, some) predict Amazon will pick Atlanta

A company that specializes in comparing communities, making lists of best and worst, has surveyed the various bets on Amazon’s new headquarters and predicted a Georgia choice. Seattle-based Amazon recently narrowed its list of potential cities for its second headquarters from several hundred down to 20 – Atlanta and 19 other metro...
Facebook said to be interested in Atlanta area data center complex
Facebook said to be interested in Atlanta area data center complex

Social media giant Facebook is said to be pursuing a deal for a massive data center complex at a sprawling industrial park east of Atlanta. The California-based Fortune 500 company is said to be behind plans for the data center complex at Stanton Springs, near the Shire pharmaceutical plant along I-20 near Social Circle. A person familiar with...
Kroger looking to partner with Overstock.com: report
Kroger looking to partner with Overstock.com: report

Kroger is considering teaming up with Overstock.com Inc. in an effort to compete with online retailers. The New York Post reported the Cincinnati-based grocer may be eyeing a deal with Overstock.com, according to sources. Overstock CEO Patrick Byrne said last year that he plans to sell or reorganize the e-commerce business to focus on blockchain...
Georgia state senator prepares bill requiring internet ‘neutrality’
Georgia state senator prepares bill requiring internet ‘neutrality’

When the Federal Communications Commission voted to toss out “net neutrality,” consumer advocates howled that the change would limit consumer choices and hurt small businesses. Since then, scores of Congress members have said they support the idea of re-instating the rule but discussion of the idea has been largely sidetracked as lawmakers...
More Stories