Submitted via IRC for SoyCow5743
On Friday, Equifax announced that two top executives would be retiring in the aftermath of the company's massive security breach that affected 143 million Americans.
According to a press release, the company said that its Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin, would be leaving the company immediately and were being replaced by internal staff. Mark Rohrwasser, who has lead Equifax's international IT operations, is the company's new interim CIO. Russ Ayres, who had been a vice president for IT at Equifax, has been named as the company's new interim CSO.
The notorious breach was accomplished by exploiting a Web application vulnerability that had been patched in early March 2017.
However, the company's Friday statement also noted for the first time that Equifax did not actually apply the patch to address the Apache Struts vulnerability (CVE-2017-5638) until after the breach was discovered on July 29, 2017.
Source: https://arstechnica.com/tech-policy/2017/09/equifax-cio-cso-retire-in-wake-of-huge-security-breach/
(Score: 3, Informative) by Anonymous Coward on Monday September 18 2017, @10:29AM (13 children)
Lovely, they're not even firing them. This ensures these execs will get their nice fat golden parachutes likely earning more money in "retirement" than they would have in years had things not gone tits up. Corporate America is amazing.
(Score: 0) by Anonymous Coward on Monday September 18 2017, @12:18PM (2 children)
And in addition to that, killing America.
(Score: 2) by Snow on Monday September 18 2017, @03:24PM (1 child)
Something something trickle down
(Score: 1) by a262 on Tuesday September 19 2017, @12:33AM
Something something something dark side...
(Score: 4, Insightful) by Anonymous Coward on Monday September 18 2017, @05:04PM (3 children)
What Equifax is doing is ensuring these execs' silence and/or amnesia in case of criminal investigations.
(Score: 2) by ilsa on Monday September 18 2017, @10:07PM
You've been upvoted funny, but I really wonder about the truth of it.
(Score: 2) by frojack on Wednesday September 20 2017, @07:45PM (1 child)
Not sure missing one machine in your company wide patch program rises to the level of a crime.
Who died here?
Who was actually hurt?
Who won't be protected against credit fraud?
You do know that Equifax has their own Credit Monitoring Service [equifax.com] right?
Oh, you don't trust Equifax any more? Fine. Equifax will hire Experian [experian.com] for your account. All free to you.
Oh, don't get me wrong, Equifax will pay. They will pay everybody. This will cost big time. But I wager, Ma and Pa Sixpack are never going to lose a dime because of this. Just like nobody lost any money on the Target breach, except Target [thesslstore.com].
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Thursday September 21 2017, @02:54PM
And because all of this, there was no display of severe incompetence, nor was it the case that it is just plain *wrong* for others to hold data about you that you have no insight into?
Gotcha!
(Score: 5, Insightful) by frojack on Monday September 18 2017, @10:41PM (5 children)
Read the chronology.
They were aware of the vulnerability, They took timely steps to patch, and somebody fucked up.
The Patch first became available on March 6. And was immediately applied.
All the servers (except this one) were patched some time soon after availability.
This one server got hacked on May 13 fully two months after the patch was available.
So clearly the CIO/CSO knew about the patch and ordered that steps be taken to block it.
One public facing server was missed.
Someone needed to be fired. But I'm not sure it was either of these two. They are responsible
simply because it was their job to see to it this didn't happen. But I assure you in an organization
of that size these two were NOT the people managing the servers, probably didn't have the
login to those servers, probably did not know where those servers were, and didn't have
the technical skills to apply the patch. Anyone who expects to see CIOs and CSOs at the
consoles of servers is delusional.
They did nothing wrong.
Their orders were not followed properly.
They had no way to detect that a machine was missed.
Some flunky admin missed a server.
Some section chief of said Admin didn't verify the work.
The people who did have that server inventory didn't check them off the list.
Probably not many even knew Struts was running on that machine. (Agile aficionados; I'm looking at you).
In short, having seen this kind of head-chop before I'd wager the firing was purely perfunctory.
These people did everything right that was in their power to do. Someone under them fucked up.
Those guys need to be fired. (And maybe they were).
These two not so much, and surely they didn't deserve to lose their pensions and stock options on top
of being let go mostly so the company could save face.
So yeah, unleash your nerd rage at the big money people. But bear in mind that it was a nerd
somewhere in the bowels of the organization the fucked up. And if THAT NERD was the only one fired
you'd be bitching about that too.
No, you are mistaken. I've always had this sig.
(Score: 4, Informative) by Whoever on Tuesday September 19 2017, @01:56AM (2 children)
That's a very interesting and probably correct analysis of events.
Except that it misses one important point: these CXX people sold shares before the breach was announced. They lied about not knowing about the breach (it's just come out that there was an earlier breach).
(Score: 2) by frojack on Wednesday September 20 2017, @06:26PM (1 child)
People with stock options sell shares on an automated basis. Precisely to avoid these situations.
Their portfolio managers have standing instructions to sell some of their option stocks to keep their portfolio diversified.
They ALL have portfolio managers that handle own-company stock PRECISELY to avoid insider trading. Its virtually a requirement to sit on any board, hold any officer position to put your own-company stock in a trust. The FTC is pretty strict on this.
Yet there's always some fool who knows nothing about the stockmarket who jumps up screaming INSIDER!!!
No, you are mistaken. I've always had this sig.
(Score: 2) by Whoever on Wednesday September 20 2017, @08:31PM
Except that there doesn't appear to have been a scheduled trade plan in place that would explain these trades.
What is your deal? You feel compelled to make stuff up so that you can brown-nose wealthy people? Why?
Go fuck youself, know-nothing asshole!
(Score: 2) by arslan on Tuesday September 19 2017, @04:38AM (1 child)
I disagree. Yes they are too way up in the hierarchy to be directly held responsible, but they are responsible for setting the risk culture of the organization. There's scarce details around what the root cause is that caused single server to be missed. If it is truly an exception then it is really a matter of bad luck. If it is due to poor risk culture set by the leaders, then they are to blame.
I've worked in organizations where good architecture and cyber security recommendations often time gets trumped by tech owners because it gets in the way of them delivering "value" to their business users. The IT leaders are responsible for these kind of culture or operating model.
Just because they issued the "order" doesn't mean they're not accountable if they've fostered a culture where folks can "dispensate" or get away with non-compliance.
Again not saying that's the case with equifax since there's scarce details on the internals and you don't normally get that level of disclosure in the public press. The only way to know is to talk to folks that have worked in the organization.
(Score: 1, Troll) by frojack on Wednesday September 20 2017, @06:52PM
You can't even define "risk culture" let alone make it an actionable item.
How many servers to you think this company had? I'm betting THOUSANDS.
Apparently they all got taken care of, or were at least not breached. Clearly everybody cared, or feared for their jobs enough to see that this patch got applied. One sysadmin, perhaps over worked, perhaps out sick, missed this machine. That's hardly a risk culture.
Being in business is a risk. Its the perfect definition of risk. Disasters befall every business now and then. Sometimes people get killed. Sometimes entire companies are wiped out. This situation does not rise to that. Those affected accounts get flagged for free credit monitoring for a few years. Equifax can afford it.
No, you are mistaken. I've always had this sig.