Equifax announced late Friday that its chief information officer and chief security officer would leave the company immediately, following the enormous breach of 143 million Americans’ personal information.
It also presented a litany of security efforts it made after noticing suspicious network traffic in July.
The credit data company said that Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring from Equifax. Mauldin, a college music major, had come under media scrutiny for her qualifications in security. Equifax did not say in its statement what retirement packages the executives would receive.
Mauldin is being replaced by Russ Ayers, an information technology executive inside Equifax. Webb is being replaced by Mark Rohrwasser, who most recently was in charge of Equifax’s international technology operations.
Equifax has been under intense public pressure since it disclosed last week that hackers accessed or stole the millions of Social Security numbers, birthdates and other information.
On Friday it gave its most detailed timeline of the breach yet, saying it noticed suspicious network traffic on July 29 associated with its U.S. online dispute portal web application. Equifax said it believes the access occurred from May 13 through July 30.
Equifax had said earlier that it identified a weakness in an open-source software package called Apache Struts as the technological crack that allowed hackers to heist the data from the massive database maintained primarily for lenders. That disclosure, made late Wednesday, cast the company’s damaging security lapse in an even harsher light. The software problem was detected in March and a recommended software patch was released shortly afterward.
Equifax said its security officials were “aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
The company said it hired Mandiant, a business often brought in to deal with major technology security problems at big companies, to do a forensic review.
Equifax has been castigated for how it has handled the breach, which it did not disclose publicly for weeks after discovering it.
Consumers calling the number Equifax set up initially complained of jammed phone lines and uninformed representatives, and initial responses from the website gave inconsistent responses. The company says it has addressed many of those problems. Equifax also said Friday it would continue to allow people to place credit freezes on their reports without a fee through November 21. Originally the company offered fee-free credit freezes for 30 days after the incident.
Equifax is facing a myriad of investigations and class-action lawsuits for this breach, including Congressional investigations, queries by the Federal Trade Commission and the Consumer Financial Protection Bureau, as well as several state attorneys general. The company’s CEO Richard Smith is scheduled to testify in front of Congress in early October.
Three Equifax executives — not the ones who are departing — sold shares worth a combined $1.8 million just a few days after the company discovered the breach, according to documents filed with securities regulators.
Equifax shares have lost a third of their value since it announced the breach.