Submitted via IRC for Fnord666_
In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.
Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.
Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee, Smith testified that the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.
Smith said that when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team.
However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.
(Score: 2) by Thexalon on Monday October 09 2017, @07:18PM
That's just it: Criminal charges won't be coming, because they never do for C-level executives of major companies regardless of what they do. Including killing people.
I can tell you already exactly what the consequences of this will be when the dust settles:
1. Equifax will eventually weather the storm of bad public relations, will continue to function as a business, and ultimately their stock will come back. Why? Because they're still getting business. They're still getting everybody's personal data. And people's memory is far from perfect, so they will eventually not notice "Wait, these guys gave away my personal details to identity thieves." I guarantee you their board is seeing this whole situation as a public relations problem, not a technical problem.
2. The CEO, CIO, and peon who it's all been blamed on will be replaced with a new CEO, CIO, and peon.
3. Mr. Smith will be forced to take his millions and spend the rest of his life relaxing in his extremely comfortable retirement. He might be occasionally forced to spend some of his vast sums of money to bribe away attorneys general and/or judges to prevent anyone from looking into what he did.
4. The peon in question no longer has a career in IT. Guaranteed. Nobody with any kind of responsibility for securing anything would be willing to take on that kind of risk: to understand why that might be, imagine if you hired that guy and there was a data breach.
5. Some people in the company will use the shakeup to hire their friends to do nothing useful.
The end result will be that the only person who is punished for this entire debacle is one low-level IT guy.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.