Two Equifax executives retire after cyber breach

Two senior Equifax executives are retiring from the company effective immediately, the company said Friday, as an explosive cyber security breach rocks the Atlanta-based credit bureau.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin are out, though the company did not name the executives in announcing the retirements. Webb led global information technology, according to a cached version of his company bio, while Mauldin was in charge of the company’s cyber security operations.

The company announced that on an interim basis, IT executives Mark Rohrwasser would replace Webb and Russ Ayers would replace Mauldin.

Last week, Equifax announced a breach of its systems that compromised personal information, including Social Security numbers, of 143 million Americans.

“Equifax’s internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation,” the company said in a statement.

Also Friday, Georgia Attorney General Chris Carr said his office has joined a coalition of 36 state attorneys general in a probe of the massive data breach.

In a statement Friday, Carr's office said the nature of the probe so far is civil, not criminal, and it will examine "all facts and circumstances surrounding the breach, and its impact on Georgia consumers."

“Our primary responsibility is to protect the consumers of Georgia, millions of whom, through no fault of their own, have had their personal information compromised,” he said.

In its statement, Equifax outlined new details from its internal probe. The company said that on July 29, its security team “observed suspicious network traffic associated with its U.S. online dispute portal web application,” and took action to block it. More suspicious traffic followed the next day, and Equifax said it took the affected web application offline.

The company said a security flaw in an application called Apache Struts, an open-source server software, was the initial “attack vector.” Equifax said it patched the application and returned it to service.

Equifax and Apache Software Foundation have blamed each other this week for the vulnerability.

Apache said Thursday it provided a patch for the software fault on March 7, well before Equifax said the security breach began in mid-May.

“Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure,” the company statement said. “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing.”

Before her retirement from the company was announced Friday, Equifax took heat from a number of publications for Mauldin's background. On her LinkedIn page, Maudlin listed a pair of music composition degrees from the University of Georgia, including a masters of fine arts.

The page does not list an IT or computer science degree.

The LinkedIn page, which is now private and removed her last name, also listed executive work at financial giants First Data and SunTrust Banks.