Timeline: How the cyberattack on Equifax unfolded and the fall out that followed

By Aleksandra Sagan, The Canadian Press

VANCOUVER – Months after hackers gained access to the personal data of millions of American, Canadian and U.K consumers through Equifax’s website, the company disclosed the massive cyberattack to the public.

It now faces multiple investigations and lawsuits in Canada and south of the border, while its shares have fallen more than 30 per cent in less than two weeks.

Here is a look at how one of the largest cyber attacks in history unfolded and the fall out that followed:

— — — —

Early March: The United States Computer Emergency Readiness Team detects and discloses a vulnerability in Apache Struts, a widely-used web-application software product.

— — — —

May 13 to July 30: Hackers have unauthorized access to Equifax Inc.’s files.

The company later says the hackers gained access through the vulnerability in Apache Struts, which supports Equifax’s online dispute portal web application.

— — — —

July 29: Equifax’s security team observes suspicious network traffic on a U.S. online dispute portal web application. The company’s security team blocks the identified suspicious traffic.

The company says in later communication that it “acted immediately to stop the intrusion.”

— — — —

July 30: The same team observes more suspicious activity and the company takes the affected web application offline.

— — — —

Aug. 2: Equifax contacts cybersecurity firm Mandiant, which spends several weeks conducting a forensic review.

— — — —

Sept. 7: Equifax publicly discloses the cyberattack for the first time, saying it may have compromised the personal data of up to 143 million Americans. The company adds an unspecified number of U.K and Canadian consumers also may have been impacted.

On a website for affected U.S. consumers, Equifax explains that the complex and time-consuming investigation is behind the delay between its discovery of the breach and disclosing it.

“As soon as we had enough information to begin notification, we took appropriate steps to do so,” the company says.

— — — —

Sept. 12: An Ontario resident files a proposed class action in the province, seeking $550 million in damages from Equifax, according to Toronto-based law firm Sotos LLP. It is one of at least two proposed class action lawsuits filed in Canada against the credit monitoring company.

— — — —

Sept. 14: The Federal Trade Commission says it is opening an investigation into the hack.

The chairmen of two congressional committees say in a letter to Equifax CEO Richard Smith that they are investigating the breach and ask for a slew of documents and a company briefing by Sept. 28.

— — — —

Sept. 15: The Office of the Privacy Commissioner of Canada launches investigation into the breach.

Equifax says fewer than 400,000 U.K. consumers had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.

The company says its chief information officer and chief security officer are retiring. Both are replaced with internal employees on an interim basis effective immediately.

— — — —

Sept. 19: Equifax says about 100,000 Canadian consumers may have had their personal information and credit card details compromised in the cyber attack. The breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.

Later that day, Equifax revealed that it also had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.

The breach involved TALX, which is Equifax’s human resources and payroll service. The company said there’s no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.

Follow @AleksSagan on Twitter.

Top Stories

Top Stories

Most Watched Today