Timeline of the hacking of Equifax


Ex-Equifax CEO Richard Smith told lawmakers Monday that “both human error and technology failures” opened the way for a massive hacking incident in which thieves got away with sensitive information on more than 145 million Americans. Here’s a chronology of what happened, based on his prepared testimony before a hearing Tuesday by the House Energy and Commerce Committee. Smith stepped down and retired from Equifax on Sept. 26.


March 8: The U.S. Department of Homeland Security warns Equifax and many other users that a patch is needed on software called Apache Struts to fix security weaknesses.

March 9: Equifax forwards the U.S. warning internally to its information security team and requests a fix within 48 hours, but the patch isn’t installed.

March 15: Equifax’s security team runs software scans that should have caught the weak spot in Apache Struts. But it doesn’t spot any vulnerable versions of the software. “It was this unpatched vulnerability that allowed hackers to access personal identifying information,” Smith said.

May 13: Hackers apparently get their first batch of sensitive data. “The company was not aware of that access at the time,” Smith said. Equifax doesn’t detect the ongoing attack for more than two more months.

July 29: Equifax’s security team sees “suspicious network traffic” tied to its website where consumers dispute alleged errors in their credit profiles or other problems. The team investigates and “immediately” blocks the traffic, Smith said. The website is shut down the next day when more questionable activity appears.

July 31: Equifax’s chief information officer tells Smith about the attack, and that the website was shut down. “I certainly did not know that personal identifying information … had been stolen, or have any indication of the scope of the attack,” Smith said. (Equifax’s CIO at the time of the hack, David Webb, retired in the wake of the scandal on Sept. 15.)

Aug. 2: Equifax hires King & Spalding to “guide the investigation” into the data breach, and calls the FBI. The Atlanta law firm hires cybersecurity consultant Mandiant to investigate the hacking incident.

Aug. 11: Mandiant and Equifax determine that hackers may have gotten “a large amount of consumers” sensitive data, Smith said, from a separate database in addition to the attack on the complaint portal.

Aug. 15: Smith said he is told that “it appeared likely that consumer (data) had been stolen.” He said he requested “a detailed briefing to determine how the company should proceed.”

Aug. 17: Smith meets with “a senior leadership team” on the hacking investigation. By this time, the company knows “large volumes of consumer data … had been compromised,” he said. “This information was deeply concerning to me, although the team needed to continue their analysis to understand the scope and specific consumers potentially affected.” (Equifax eventually concluded the total was 145.5 million people — most adult Americans.)

Aug. 22: Smith tells Mark Feidler on the company’s board of directors of the breach, as well as the heads of Equifax’s business units. The rest of the board is told of the situation on August 24-25 in conference call meetings. The company starts drawing up “remediation” plans for consumers. (Feidler was named Equifax’s interim chairman when Smith stepped down.)

Sept. 1: The Equifax board meets to discuss the scale of the attack, remediation plans, and the risk of “exponentially more attacks” by copycat hackers, Smith said.

Sept. 4: Equifax draws up a list of 143 million potentially affected consumers — later bumped up to 145.5 million — and sets up a call center and a website for consumers to check if their data is compromised, and to sign up for help. The FBI is told about Equifax’s plans to go public with the breach.

Sept. 7: Equifax discloses the massive breach after the stock market closes.
