Timeline of a crisis: How Equifax responded to one of the worst hacks in history

A play-by-play of Equifax's response to a massive hack that endangered the personal information of 143 million U.S. residents.

Photo credit: Getty Images
Photo credit: Getty Images

September 7
Credit reporting agency Equifax discloses it has suffered a cyber breach affecting up to 143 million customers.

Between May and June, the breach affected the names, Social Security numbers, birth dates, addresses, and driver’s license numbers of consumers mainly in the U.S. U.K. and Canada residents may have also been put at risk.

The company creates a website to "help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."

Equifax launches TrustID Premier, a credit-file-monitoring and identify-theft-protection service free of charge to U.S. users for one year.

Bloomberg reports three Equifax executives sold shares worth a combined $1.8 million after the company found out it was compromised.

September 8
TrustID’s terms of use are criticized for forcing users to waive their right to join a class-action lawsuit.

New York Attorney General Eric Schneiderman demands Equifax remove the language. Later, he launches an investigation into the breach.

Class-action lawsuits begin cropping up across the country, first in Portland, Oregon, and Atlanta.

September 11

Cybercrime and investigative journalist Brian Krebs reports that Edelman appears to have created Equifax’s "completely broken website."

September 12
More stories criticizing the website emerge, with experts saying it is vulnerable to hacking and phishing threats.

September 14
PRWeek confirms Equifax hired a DJE Holdings subsidiary for communications support.

In a statement, Equifax confirms it used Apache Struts, an open-source software with a flaw hackers exploited. When flagged by Cisco in March, the nonprofit that created the application issued a patch. A division of the Department of Homeland Security issued a notice about the vulnerability two days later.

In that same statement, the company claims it was aware of that risk at the time and took the proper precautionary measures.

September 15
Equifax releases a lengthy statement laying out the specific details of the incident. It also explains the steps it’s taken to protect consumer information and abide by regulatory standards.

Chief information officer Dave Webb and chief security officer Susan Mauldin retire, effective immediately. The statement announcing the personnel changes doesn’t name Webb or Mauldin, but the company discloses that information to CNNMoney upon inquiry.

Mark Rohrwasser, lead of Equifax’s international IT, replaces Webb, and Russ Ayres, a member of Equifax’s IT operation, steps in for Mauldin, the statement says.

The company’s stock has fallen almost 35% since news of the breach became public.

September 18
At least 30 class-action lawsuits have been filed in 19 federal judicial districts against Equifax.

Bloomberg reports Equifax learned of another major breach in March, "almost five months before the date it was publicly disclosed." Though the company maintains the March breach was unrelated to the current crisis, it involved the same hackers, a source told the business publication.

"There’s no evidence that the publicly disclosed chronology is inaccurate, but it leaves out a set of key events that began earlier this spring, the people familiar with the probe said," Bloomberg reports.

September 26
The company’s board announces the abrupt retirement of CEO and chairman Richard Smith.

Smith has served as CEO since 2012. He served in a variety of roles at GE, most recently as COO of GE Insurance Solutions. Board member Mark Feidler has been appointed chairman, while Paulino do Rego Barros Jr. will serve as interim CEO.

Feidler cofounded private equity firm MSouth, and has served as an independent director for Equifax since 2007. Prior to that, he served as president and COO of BellSouth Corporation until it merged with AT&T in 2006.

Barros previously led Equifax’s APAC business.

The company will search for an interim CEO. Equifax shares have plunged 26% since the company disclosed the breach.

Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Already registered?
Sign in