In case you're trying to keep score at home in the Equifax mega breach fallout event, here is your one-stop play-by-play.
Let's start with the Equifax breach announcement and end (for now) with the IRS decision to suspend its identity management contract with Equifax.
Equifax breach timeline
- September 7: Equifax announces mega breach relating to 143 million customers, ignites social media firestorm
- September 15: Equifax CIO and CSO choose sudden retirement
- September 26: Equifax CEO chooses sudden retirement 19 days after breach announcement
- September 30: IRS awards $7.25M no-bid contract to Equifax, claims it had to
- October 2: Equifax revises breach numbers to 145.5 million customers impacted
- October 3: Equifax announces U.K. records accessed are more than twice as many as previously announced
- October 3: Former Equifax CEO testifies before Congress on what happened behind the scenes and how the InfoSec team has stepped up security
- October 5: General Accounting Office says the IRS did not have to award contract to Equifax
- October 11: News breaks of malware re-direct on Equifax website, which took advantage of Adobe Flash Player
- October 12: IRS says it is suspending its identity management contract with Equifax
Do you see why we needed to use bullet points for the Equifax incident response and fallout timeline?
So here we are on October 13, knowing that the IRS has put a short-term stop to its work with the credit reporting agency. Its statement, in part:
Forbes has a nice write-up of this latest twist. And it looks like this may be the way the IRS tries to get itself off of the hot seat, as the malware re-direct (in this case) was more of an embarrassment for Equifax than anything else.
Does it make sense to award a no-bid contract for identity management after a company's mega-breach but then suspend it when an application on the company's website is serving up low-level adware? Now there is something to ponder over the weekend.
There are so many lessons to be learned and insights to discuss among cybersecurity and IT teams, including the 5 warnings that Equifax missed.
Winston Churchill summed it up quite nicely: “The farther backward you can look, the farther forward you are likely to see.”