Credit reporting firm Equifax is just starting to come to terms with the scale of the massive data breach that affected millions of Americans in recent months. Now that CEO and chairman of the board Richard Smith has stepped down, the new interim CEO is offering a mea culpa in The Wall Street Journal. CEO Paulino do Rego Barros, Jr. says Equifax screwed up, and to make up for it, the company is working on a free credit locking service.
The news has only been getting worse for Equifax following the announcement that some 143 million people were affected by the data breach. As a credit reporting firm, Equifax had all the goods on a substantial chunk of US consumers. The attackers reportedly gained access to names, birth dates, social security numbers, addresses, and even several hundred thousand active credit card numbers. With around 245 million adults in the US, that means roughly 58 percent of them had some of their data stolen in this attack.
Barros admits in his WSJ letter that the company is at fault here. Equifax didn’t intentionally hand customer data over to online criminals, but it might as well have. The flaw exploited in the Equifax system was a vulnerability in Apache Struts known as CVE-2017-5638. It was reported and patched in March of 2017, which is also when exploits began showing up in the wild. On unpatched systems, this vulnerability allows attackers to execute commands on a remote system using a #cmd= string in HTTP headers. This is a huge security hole, but Equifax wasn’t hacked until May, which indicates it never patched its systems. Equifax didn’t even notice the breach until late July, and it didn’t tell anyone until early this month.
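A defender-side check for the header abuse described above, as an added example that is not from the article, Equifax or the Struts project: it flags request headers carrying the #cmd= string or an OGNL expression opener, and rejects Content-Type values that do not parse as a media type. The function names, the sample requests and the focus on Content-Type (taken from the public advisory for this CVE, not from the article) are assumptions.

```python
import re

# "#cmd=" is the string the article names; "%{" or "${" opens an OGNL expression.
CMD_MARKER = re.compile(r"#\s*cmd\s*=", re.IGNORECASE)
OGNL_OPEN = re.compile(r"[%$]\s*\{")
# Strict media-type grammar: type/subtype plus optional ;key=value parameters.
TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
MEDIA_TYPE = re.compile(
    rf'^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=({TOKEN}|"[^"\\]*"))*\s*$'
)

def inspect_headers(headers):
    """Return a list of (header, reason) findings for one request's headers."""
    findings = []
    for name, value in headers.items():
        if CMD_MARKER.search(value):
            findings.append((name, "cmd-marker"))
        elif OGNL_OPEN.search(value):
            findings.append((name, "ognl-expression"))
        elif name.lower() == "content-type" and not MEDIA_TYPE.match(value):
            # Allow-list check: catches payloads the two markers above miss.
            findings.append((name, "malformed-content-type"))
    return findings

# Constructed sample requests (not captured traffic); payloads are inert placeholders.
SAMPLE_REQUESTS = [
    {"id": "r1", "headers": {"Content-Type": "multipart/form-data; boundary=----Form7MA4YWxk"}},
    {"id": "r2", "headers": {"Content-Type": "%{(#cmd='PLACEHOLDER')}"}},
    {"id": "r3", "headers": {"Content-Type": "text/plain;;x", "User-Agent": "curl/7.55"}},
    {"id": "r4", "headers": {"Content-Type": "application/json", "X-Note": "%{placeholder}"}},
]

def flag_requests(requests):
    """Map request id -> findings, keeping only requests with at least one finding."""
    return {r["id"]: f for r in requests if (f := inspect_headers(r["headers"]))}

if __name__ == "__main__":
    for req_id, findings in flag_requests(SAMPLE_REQUESTS).items():
        print(req_id, findings)
```

A filter like this is a stopgap for detection and blocking at the edge; the fix for the vulnerability itself is the Struts patch the article says was available in March 2017.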
Naturally, when it did announce that data on most US adults was stolen, everyone wanted to know whether they were affected and, if so, to freeze their credit. Equifax was unable to keep up with the customer service demands, and even directed people to a phishing site for a time. So, there’s a lot to fix for the new CEO, and he’s starting with a free credit freezing service. According to Barros, the company will have this service operational by January 31, 2018. That’s a long lead time, but it’s arguably better to take the time and do it right in this case.
When it’s operational, the service will allow customers to freeze and unfreeze their credit whenever they want. Barros says this isn’t just a free introductory offer, but it will be free forever. Until then, the free credit freeze offered via Equifax customer service will remain available. Good luck getting through to customer service.