Submitted via IRC for Fnord666_
In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.
Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.
Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce Committee, Smith testified that the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.
Smith said that when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team.
However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.
(Score: 1, Interesting) by Anonymous Coward on Monday October 09 2017, @07:29PM
"when he started with Equifax 12 years ago there was no one in cybersecurity."
That puts us at 2005. Think about that for a minute. 2005...
And no, they don't have a 225-man team doing infosec. They have maybe a twentieth of that, and a 200-man call center eating shit and trying to externalize liability for the fact that they, and most other big corporations, have ignored their infosec staff for over a decade, resulting in the current security climate.
But ultimately the problem was created by SCOTUS and Congress. It goes all the way back to the Dictionary Act of 1871. Individual security was subordinated by law to institutional security. The problem is that there is no such thing as institutional security, since institutions aren't persons. This results in security infrastructure being driven by a market impetus to violate civil rights, not preserve them.
Congress and SCOTUS were the ones that destroyed the 4th Amendment. This failure is the technical manifestation of that crime against civil rights. So they can fix it. But they won't. How could they possibly? Who's going to fund their next campaign, if it isn't Equifax?