Hackers exposed the Social Security numbers, drivers licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith.
The company says its chief information officer and chief security officer are retiring.
The Office of the Privacy Commissioner of Canada launches investigation into the breach.
The root vulnerability that enabled attackers to breach Equifax was identified as a flaw in the open-source Apache Struts framework.
Smith said that the stock sales on August 1 and August 2 by the three executives occurred during the 30-day window when insiders can sell stock following the company's quarterly call with financial analysts.
Equifax and an independent cybersecurity forensic consulting firm, Mandiant, worked "literally around the clock" to figure out what happened, Smith said.
The cyber-hack has been a calamity for Equifax which has lost roughly a quarter of its stock market value and seen several top executives step down alongside Smith.
Smith is scheduled to make an additional appearance before the Senate Judiciary subcommittee on privacy Wednesday afternoon. Gamble's stock sale was worth almost $950,000, according to the SEC.
While there is no word on damage control efforts for victims outside of the United States, the company says that it will offer free credit monitoring, access to Equifax credit files, an insurance policy which will cover "out of pocket expenses" for those affected, and scans across the underbelly of the Internet to check for signs that Social Security numbers are being sold. ". The bottom line here is you had a hack that you found out about on [July] 29th, you told the Federal Bureau of Investigation about the breach and on that same day some high level executives sell $2 million worth of stock".
"Most major lenders have relationships with all three agencies so that they get the most accurate information about the consumer", Horn said. Only suspicious traffic in and out of its system on July 29th tipped the company off to the breach. "We had no idea data had been exfiltrated".
Smith said he would like companies and government agencies to "begin a dialogue" about replacing Social Security numbers as a key verifier. Exasperated lawmakers at the hearing asked "what the heck" it could've been if not a hack.