Equifax executives step down after major hack

The Equifax chief information officer and head of security will retire, effective immediately, as "part of the company's ongoing review of the cybersecurity incident" that resulted in personal data of 143 million US customers being stolen by hackers.

The Equifax breach is considered one of the worst-ever because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.

Equifax said Friday that two executives entrusted with watching over its computers are retiring, their departures coming after its maligned handling of a major hack at the credit reporting agency.

An as yet unspecified number of Canadian and British customers may have also been affected by the hack at Equifax, one of the three major credit bureaus that collect consumer financial data.

The breach is considered one of the worst-ever because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.

An internal investigation into the hack continues and the company is working with the FBI, according to Equifax.

Word that top executives responsible for defending Equifax computer systems are out came on the same day that the Canadian privacy commissioner announced an investigation into the massive theft of personal data from the US credit agency.

"The investigation is a priority for our office given the sensitivity of the personal information that Equifax holds," the office of the privacy commission of Canada said in a release.

A lawsuit by Canadian consumers whose data was stolen in the Equifax hack was launched this week, seeking class action status and damages of Can $550 billion ($450 billion US).

Questions mount 

A senior US senator this week asked the Federal Trade Commission, one of the few bodies with oversight powers over loosely regulated credit raters, to examine Equifax's security practices and its "widely-panned response" to consumers potentially impacted by the breach.

Senator Mark Warner, a member of the powerful Senate Banking Committee, accused the company of "exceptionally poor cybersecurity practices" that continued even after the hack became known.

He also said the company's woeful response to people whose data may have been lost - including trying to charge them for protection - was "alarming".

"The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialise."

Equifax collects consumers' financial data in order to rate their credit-worthiness to banks, home sellers, auto sellers and others who depend on consumer credit in marketing.

The data the company admitted to losing on September 7 includes people's names, social security numbers, addresses, credit card numbers, and other financial details.

Such data is often used by criminals to steal people's identities for financial gain.

US officials are investigating the data hack but have not revealed if they know who was behind it, though foreign hackers are widely suspected.

The breach took place from mid-May through July 2017 via a website application vulnerability that US cyber security companies say they had identified in March.

Congress has expressed outrage at the hack and the company's management of it. Particular anger has been aimed at allegations that three Equifax officials sold their stock in the company before the hack was made public.

Shares sold 

US Senator Elizabeth Warren on Friday fired off letters to credit reporting agencies Equifax, TransUnion and Experian as well as to several governmental agencies as part of "a new, broad investigation" into the breach and how it was handled, according to a release.

"Equifax has failed to provide the necessary information describing exactly how this happened, and exactly how your security systems failed," Warren said in a letter to the company.

"Equifax's initial efforts to provide customers information did nothing to clarify the situation and actually appeared to be efforts to hoodwink them into waiving important legal rights."

While not the largest breach - Yahoo attacks leaked data on as many as one billion accounts - the Equifax incident could be the most damaging because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.

The House Energy and Commerce Committee has scheduled an October 3 hearing with Equifax chief executive Richard Smith, who has openly apologised for the breach.

The Atlanta-based company disclosed the breach in a release that did not explain why it waited more than a month to warn those affected about a risk of identity theft.

Filings with the US Securities and Exchange Commission showed that three high-ranking Equifax executives sold shares worth almost $1.8 million in the days after the hack was discovered.

An Equifax spokesperson said the executives "had no knowledge that an intrusion had occurred at the time they sold their shares."
