Credit reporting agency Equifax discloses it has suffered a cyber breach affecting up to 143 million customers.
Between May and June, the breach affected the names, Social Security numbers, birth dates, addresses, and driver’s license numbers of consumers mainly in the U.S. U.K. and Canada residents may have also been put at risk.
The company creates a website to "help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."
Equifax launches TrustID Premier, a credit-file-monitoring and identify-theft-protection service free of charge to U.S. users for one year.
Bloomberg reports three Equifax executives sold shares worth a combined $1.8 million after the company found out it was compromised.
New York Attorney General Eric Schneiderman demands Equifax remove the language. Later, he launches an investigation into the breach.
Class-action lawsuits begin cropping up across the country, first in Portland, Oregon, and Atlanta.
Cybercrime and investigative journalist Brian Krebs reports that Edelman appears to have created Equifax’s "completely broken website."
More stories criticizing the website emerge, with experts saying it is vulnerable to hacking and phishing threats.
PRWeek confirms Equifax hired a DJE Holdings subsidiary for communications support.
In a statement, Equifax confirms it used Apache Struts, an open-source software with a flaw hackers exploited. When flagged by Cisco in March, the nonprofit that created the application issued a patch. A division of the Department of Homeland Security issued a notice about the vulnerability two days later.
In that same statement, the company claims it was aware of that risk at the time and took the proper precautionary measures.
Equifax releases a lengthy statement laying out the specific details of the incident. It also explains the steps it’s taken to protect consumer information and abide by regulatory standards.
Chief information officer Dave Webb and chief security officer Susan Mauldin retire, effective immediately. The statement announcing the personnel changes doesn’t name Webb or Mauldin, but the company discloses that information to CNNMoney upon inquiry.
Mark Rohrwasser, lead of Equifax’s international IT, replaces Webb, and Russ Ayres, a member of Equifax’s IT operation, steps in for Mauldin, the statement says.
The company’s stock has fallen almost 35% since news of the breach became public.
At least 30 class-action lawsuits have been filed in 19 federal judicial districts against Equifax.
Bloomberg reports Equifax learned of another major breach in March, "almost five months before the date it was publicly disclosed." Though the company maintains the March breach was unrelated to the current crisis, it involved the same hackers, a source told the business publication.
"There’s no evidence that the publicly disclosed chronology is inaccurate, but it leaves out a set of key events that began earlier this spring, the people familiar with the probe said," Bloomberg reports.
The company’s board announces the abrupt retirement of CEO and chairman Richard Smith.
Smith has served as CEO since 2012. He served in a variety of roles at GE, most recently as COO of GE Insurance Solutions. Board member Mark Feidler has been appointed chairman, while Paulino do Rego Barros Jr. will serve as interim CEO.
Feidler cofounded private equity firm MSouth, and has served as an independent director for Equifax since 2007. Prior to that, he served as president and COO of BellSouth Corporation until it merged with AT&T in 2006.
Barros previously led Equifax’s APAC business.
The company will search for an interim CEO. Equifax shares have plunged 26% since the company disclosed the breach.