Equifax's chief security officer Susan Mauldin and chief information officer David Webb are retiring, effective immediately, in the wake of a historic hack that saw the theft of valuable financial data of 143 million Americans. The departures, announced on Friday, come as Equifax faces intense scrutiny and outrage over its handling of the historic breach.
Mauldin, who has a Bachelor of Arts and Master of Fine Arts in music from the University of Georgia, had served as the firm's chief security officer since 2013. She will be replaced by Equifax's vice president of IT, Russ Ayres.
Webb earned a bachelor's degree in Russian from the University of London before getting his MBA. Before joining Equifax in 2010, he served as COO at Silicon Valley Bank and as vice president at Goldman Sachs. Mark Rohrwasser, who has led Equifax's international IT operations since 2016, has been appointed interim CIO.
Equifax said the "personnel changes" come as "part of the company's ongoing review of the cybersecurity incident announced September 7."
The credit reporting agency said earlier this week that hackers exploited a months-old Apache Struts server vulnerability — a patch for which was made available in March, more than a month before the hack took place from 13 May through 30 July.
"Equifax's Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure," the company said in a statement. "While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing."
The breach has been dubbed one of the largest and worst ever due to the sensitive nature and value of the data compromised, which included names, Social Security numbers, addresses, dates of birth and driver's licenses. Credit card numbers of about 209,000 people and certain dispute documents with personal identifying information of around 182,000 people were also accessed in the attack.
The firm said it identified unauthorised access to "limited personal information" of certain UK and Canadian residents as well and is currently working with regulators in those countries.
Equifax said it is working with security firm Mandiant to conduct a "privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted".
"With respect to the company's security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements," the firm said. "Equifax's internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation."
The company has faced widespread criticism in the wake of the breach, triggering a slew of class action lawsuits and probes from numerous US states, Congress, the FBI and the Federal Trade Commission.
This week, Senator Elizabeth Warren introduced legislation that would require Equifax and competitors to freeze consumers' credit reports for free. Lawmakers have also demanded that the company provide more information on the circumstances surrounding the hack, explain its decision to delay the disclosure for over a month, and provide information about the three executives who sold stock just days after it found out about the breach.
Equifax CEO Richard Smith openly apologised for the breach and is expected to testify at a hearing before a special House committee on 3 October.