
posted by Fnord666 on Monday September 18 2017, @09:41AM
from the retired-or-fired dept.

Submitted via IRC for SoyCow5743

On Friday, Equifax announced that two top executives would be retiring in the aftermath of the company's massive security breach that affected 143 million Americans.

According to a press release, the company said that its Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin, would be leaving the company immediately and were being replaced by internal staff. Mark Rohrwasser, who has led Equifax's international IT operations, is the company's new interim CIO. Russ Ayres, who had been a vice president for IT at Equifax, has been named as the company's new interim CSO.

The notorious breach was accomplished by exploiting a Web application vulnerability that had been patched in early March 2017.

However, the company's Friday statement also noted for the first time that Equifax did not actually apply the patch to address the Apache Struts vulnerability (CVE-2017-5638) until after the breach was discovered on July 29, 2017.

Source: https://arstechnica.com/tech-policy/2017/09/equifax-cio-cso-retire-in-wake-of-huge-security-breach/

Also at https://www.bleepingcomputer.com/news/security/equifax-releases-new-information-about-security-breach-as-top-execs-step-down/



Related Stories

Equifax Linked to a Fake Breach Info Site for Weeks

Equifax's Twitter account linked to a website created by a software engineer imitating the real breach info site:

People create fake versions of big companies' websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake.

Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax's page about the security breach that may have exposed 143 million Americans' personal information. Several posts from the company's Twitter account directed consumers to Mr. Sweeting's version, securityequifax2017.com. They were deleted after the mistake was publicized.

By Wednesday evening, the Chrome, Firefox and Safari browsers had blacklisted Mr. Sweeting's site, and he took it down. By that time, he said, it had received about 200,000 hits.

Fortunately for the people who clicked, Mr. Sweeting's website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: "To enroll in complimentary identity theft protection and credit file monitoring, click here." But a headline in large text differed: "Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?"

Also at The Verge.

Previously: Equifax Data Breach Could Affect 143 Million Americans [Updated]
Are You an Equifax Breach Victim? You Could Give Up Right to Sue to Find Out
Outrage Builds after Equifax Executives Banked $2 Million Following Data Breach
Equifax CIO, CSO "Retire" in Wake of Huge Security Breach



This discussion has been archived. No new comments can be posted.
  • (Score: 3, Informative) by Anonymous Coward on Monday September 18 2017, @10:29AM (13 children)

    by Anonymous Coward on Monday September 18 2017, @10:29AM (#569687)

    Lovely, they're not even firing them. This ensures these execs will get their nice fat golden parachutes likely earning more money in "retirement" than they would have in years had things not gone tits up. Corporate America is amazing.

    • (Score: 0) by Anonymous Coward on Monday September 18 2017, @12:18PM (2 children)

      by Anonymous Coward on Monday September 18 2017, @12:18PM (#569720)

      Corporate America is amazing.

      And in addition to that, killing America.

      • (Score: 2) by Snow on Monday September 18 2017, @03:24PM (1 child)

        by Snow (1601) on Monday September 18 2017, @03:24PM (#569770) Journal

        Something something trickle down

        • (Score: 1) by a262 on Tuesday September 19 2017, @12:33AM

          by a262 (6671) on Tuesday September 19 2017, @12:33AM (#569982)

          Something something something dark side...

    • (Score: 4, Insightful) by Anonymous Coward on Monday September 18 2017, @05:04PM (3 children)

      by Anonymous Coward on Monday September 18 2017, @05:04PM (#569810)

      Lovely, they're not even firing them. This ensures these execs will get their nice fat golden parachutes likely earning more money in "retirement" than they would have in years had things not gone tits up. Corporate America is amazing.

      What Equifax is doing is ensuring these execs' silence and/or amnesia in case of criminal investigations.

      • (Score: 2) by ilsa on Monday September 18 2017, @10:07PM

        by ilsa (6082) Subscriber Badge on Monday September 18 2017, @10:07PM (#569949)

        You've been upvoted funny, but I really wonder about the truth of it.

      • (Score: 2) by frojack on Wednesday September 20 2017, @07:45PM (1 child)

        by frojack (1554) on Wednesday September 20 2017, @07:45PM (#570825) Journal

        Not sure missing one machine in your company-wide patch program rises to the level of a crime.

        Who died here?
        Who was actually hurt?
        Who won't be protected against credit fraud?

        You do know that Equifax has their own Credit Monitoring Service [equifax.com] right?
        Oh, you don't trust Equifax any more? Fine. Equifax will hire Experian [experian.com] for your account. All free to you.

        Oh, don't get me wrong, Equifax will pay. They will pay everybody. This will cost big time. But I wager, Ma and Pa Sixpack are never going to lose a dime because of this. Just like nobody lost any money on the Target breach, except Target [thesslstore.com].

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 0) by Anonymous Coward on Thursday September 21 2017, @02:54PM

          by Anonymous Coward on Thursday September 21 2017, @02:54PM (#571172)

          And because of all of this, there was no display of severe incompetence, nor was it the case that it is just plain *wrong* for others to hold data about you that you have no insight into?
          Gotcha!

    • (Score: 5, Insightful) by frojack on Monday September 18 2017, @10:41PM (5 children)

      by frojack (1554) on Monday September 18 2017, @10:41PM (#569958) Journal

      This ensures these execs will get their nice fat golden parachutes

      Read the chronology.

      They were aware of the vulnerability. They took timely steps to patch, and somebody fucked up.

      The Patch first became available on March 6. And was immediately applied.
      All the servers (except this one) were patched some time soon after availability.

      This one server got hacked on May 13 fully two months after the patch was available.

      So clearly the CIO/CSO knew about the patch and ordered that steps be taken to block it.

      One public facing server was missed.

      Someone needed to be fired. But I'm not sure it was either of these two. They are responsible simply because it was their job to see to it this didn't happen. But I assure you in an organization of that size these two were NOT the people managing the servers, probably didn't have the login to those servers, probably did not know where those servers were, and didn't have the technical skills to apply the patch. Anyone who expects to see CIOs and CSOs at the consoles of servers is delusional.

      They did nothing wrong.
      Their orders were not followed properly.
      They had no way to detect that a machine was missed.
      Some flunky admin missed a server.
      Some section chief of said Admin didn't verify the work.
      The people who did have that server inventory didn't check them off the list.
      Probably not many even knew Struts was running on that machine. (Agile aficionados; I'm looking at you).

      In short, having seen this kind of head-chop before I'd wager the firing was purely perfunctory. These people did everything right that was in their power to do. Someone under them fucked up. Those guys need to be fired. (And maybe they were).

      These two not so much, and surely they didn't deserve to lose their pensions and stock options on top of being let go mostly so the company could save face.

      So yeah, unleash your nerd rage at the big money people. But bear in mind that it was a nerd somewhere in the bowels of the organization that fucked up. And if THAT NERD was the only one fired you'd be bitching about that too.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 4, Informative) by Whoever on Tuesday September 19 2017, @01:56AM (2 children)

        by Whoever (4524) on Tuesday September 19 2017, @01:56AM (#570010) Journal

        That's a very interesting and probably correct analysis of events.

        Except that it misses one important point: these CXX people sold shares before the breach was announced. They lied about not knowing about the breach (it's just come out that there was an earlier breach).

        • (Score: 2) by frojack on Wednesday September 20 2017, @06:26PM (1 child)

          by frojack (1554) on Wednesday September 20 2017, @06:26PM (#570761) Journal

          People with stock options sell shares on an automated basis. Precisely to avoid these situations.

          Their portfolio managers have standing instructions to sell some of their option stocks to keep their portfolio diversified.

          They ALL have portfolio managers that handle own-company stock PRECISELY to avoid insider trading. It's virtually a requirement to sit on any board, hold any officer position, to put your own-company stock in a trust. The FTC is pretty strict on this.

          Yet there's always some fool who knows nothing about the stockmarket who jumps up screaming INSIDER!!!

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2) by Whoever on Wednesday September 20 2017, @08:31PM

            by Whoever (4524) on Wednesday September 20 2017, @08:31PM (#570836) Journal

            Except that there doesn't appear to have been a scheduled trade plan in place that would explain these trades.

            What is your deal? You feel compelled to make stuff up so that you can brown-nose wealthy people? Why?

            Yet there's always some fool who knows nothing about the stockmarket who jumps up screaming INSIDER!!!

            Go fuck yourself, know-nothing asshole!

      • (Score: 2) by arslan on Tuesday September 19 2017, @04:38AM (1 child)

        by arslan (3462) on Tuesday September 19 2017, @04:38AM (#570065)

        They did nothing wrong.
        Their orders were not followed properly.
        They had no way to detect that a machine was missed.

        I disagree. Yes, they are too far up in the hierarchy to be directly held responsible, but they are responsible for setting the risk culture of the organization. There's scarce detail around what the root cause is that caused a single server to be missed. If it is truly an exception then it is really a matter of bad luck. If it is due to poor risk culture set by the leaders, then they are to blame.

        I've worked in organizations where good architecture and cyber security recommendations oftentimes get trumped by tech owners because it gets in the way of them delivering "value" to their business users. The IT leaders are responsible for this kind of culture or operating model.

        Just because they issued the "order" doesn't mean they're not accountable if they've fostered a culture where folks can "dispensate" or get away with non-compliance.

        Again not saying that's the case with equifax since there's scarce details on the internals and you don't normally get that level of disclosure in the public press. The only way to know is to talk to folks that have worked in the organization.

        • (Score: 1, Troll) by frojack on Wednesday September 20 2017, @06:52PM

          by frojack (1554) on Wednesday September 20 2017, @06:52PM (#570777) Journal

          If it is due to poor risk culture set by the leaders, then they are to blame.

          You can't even define "risk culture" let alone make it an actionable item.

          How many servers do you think this company had? I'm betting THOUSANDS.
          Apparently they all got taken care of, or were at least not breached. Clearly everybody cared, or feared for their jobs enough to see that this patch got applied. One sysadmin, perhaps overworked, perhaps out sick, missed this machine. That's hardly a risk culture.

          Being in business is a risk. It's the perfect definition of risk. Disasters befall every business now and then. Sometimes people get killed. Sometimes entire companies are wiped out. This situation does not rise to that. Those affected accounts get flagged for free credit monitoring for a few years. Equifax can afford it.

          --
          No, you are mistaken. I've always had this sig.
  • (Score: 4, Insightful) by bradley13 on Monday September 18 2017, @11:44AM (14 children)

    by bradley13 (3053) on Monday September 18 2017, @11:44AM (#569702) Homepage Journal

    ...not normally this badly.

    I think this is an excellent reason to discuss the concept of professional liability. Obviously, in the first instance, the company is liable for the damages done. However, at what point should individual people be on the hook? I'm not (necessarily) suggesting that individual coders should carry any liability (although professional engineers often do). However, certainly at the level of CxO, I do believe personal liability is appropriate.

    In a case as severe as this (and as a bare minimum), any bonuses earned for the past X years should be forfeit. Because they were clearly undeserved: creating an environment in which a severe security issue could go unpatched for so long is *precisely* the fault of the CIO and CSO. Being allowed to retire, while retaining full benefits and all past bonuses, is just wrong.

    If we were dreaming, how could this problem be solved? What about a practice of paying all bonuses into an escrow account, and only releasing each year's bonus if X years pass with no major problems in the person's area of responsibility? Other suggestions? How far down the food chain does personal responsibility go?

    --
    Everyone is somebody else's weirdo.
    • (Score: 1, Interesting) by Anonymous Coward on Monday September 18 2017, @11:53AM (3 children)

      by Anonymous Coward on Monday September 18 2017, @11:53AM (#569707)

      Shouldn't Equifax just go bankrupt from lawsuits and fines from mishandling PII? Then there would be no money/benefits to give the executives.

      • (Score: 5, Insightful) by bradley13 on Monday September 18 2017, @12:00PM (2 children)

        by bradley13 (3053) on Monday September 18 2017, @12:00PM (#569709) Homepage Journal

        "Shouldn't Equifax just go bankrupt from lawsuits and fines from mishandling PII? Then there would be no money/benefits to give the executives."

        CxO types take care of each other. Bet that they already have the bonuses, and I wouldn't be surprised if they have vested (i.e. fully-funded) pensions, probably unlike the rest of the Equifax employees.

        Ah, stocks, that may hang some of them. It appears that some of the top-level execs were trying to sell their stocks before the SHTF. Which is called insider trading, and jail terms would be well-deserved pour encourager les autres.

        --
        Everyone is somebody else's weirdo.
        • (Score: 0) by Anonymous Coward on Monday September 18 2017, @07:52PM

          by Anonymous Coward on Monday September 18 2017, @07:52PM (#569885)

          Bet that they already have the bonuses, and I wouldn't be surprised if they have vested (i.e. fully-funded) pensions

          Claw back. [zerohedge.com]

        • (Score: 1, Redundant) by frojack on Wednesday September 20 2017, @07:27PM

          by frojack (1554) on Wednesday September 20 2017, @07:27PM (#570818) Journal

          It appears that some of the top-level execs were trying to sell their stocks before the SHTF.

          ALL the top level execs and board members sell their bonus stock routinely.

          They have their portfolio manager sell on a schedule that doesn't change. The exec is hands off of his own-company stock.

          Every change requires another federal form be filled out.
          Every scheduled sale requires a federal form.

          http://www.investopedia.com/articles/stocks/05/042605.asp [investopedia.com]

          Finally, be careful about placing too much stake in insider trading since the documents reporting them can be hard to interpret. A lot of Form 4 trades do not represent buying and selling that relate to future stock performance. The exercise of stock options, for instance, shows up as both a buy and a sell on Form 4 documents, so it is a dubious signal to follow. Automatic trading is another activity that is hard to interpret - to protect themselves from lawsuits, insiders set up guidelines for buying and selling, and leave the execution to someone else. SEC Form 4 documents disclose these hands-off insider transactions, but they don't always state that the sales were scheduled far ahead of time.

          It goes without saying that the FTC looks into this every time there is an "event" at any company. It goes without saying that the press jumps on this without even bothering to check with the FTC, because they know it's automatic.
          99.99% of the time nothing is found that is not routine and pre-scheduled.
          99.999% of the time some fool screams INSIDER TRADING.

          --
          No, you are mistaken. I've always had this sig.
    • (Score: 4, Insightful) by Anonymous Coward on Monday September 18 2017, @12:07PM

      by Anonymous Coward on Monday September 18 2017, @12:07PM (#569716)

      How far down the food chain does personal responsibility go?

      All the way down, but it should always start from the very top. Most often, someone at the bottom just takes the blame.

      It should be, the CEO gets the blame, takes the responsibility, but if he can show his reports were doing an improper job then he can move part of the blame to them. Only part, because he is still responsible for hiring/promoting them, for checking and verifying they do a proper job, ...
      It doesn't work in the other direction: if an employee says "we should do X because of this thing Y", and his superior says no, the employee can't fire his boss.

    • (Score: 3, Insightful) by FakeBeldin on Monday September 18 2017, @12:40PM (1 child)

      by FakeBeldin (3360) on Monday September 18 2017, @12:40PM (#569727) Journal

      I think this is an excellent reason to discuss the concept of professional liability. ... However, certainly at the level of CxO, I do believe personal liability is appropriate.

      The argument that I've often heard touted justifying CxOs' enormous financial rewards is that their jobs come with "more risks".
      If they're not personally liable, what justification is there left?

      "Because otherwise we can't hire a good person for the job"?
      If you're not applying that argument to the actual workers, why should it apply to the jobs with golden parachutes?

      • (Score: 2, Interesting) by Anonymous Coward on Monday September 18 2017, @03:58PM

        by Anonymous Coward on Monday September 18 2017, @03:58PM (#569781)

        "Because otherwise we can't hire a good person for the job"?

        Ummm, yeah. About that. A recent study shows an inverse correlation between CEO pay and performance. [cooleypubco.com] Have board members at various companies seen this study? Probably. Will they act on it? [Snort] Hell no!!!

        If you're not applying that argument to the actual workers, why should it apply to the jobs with golden parachutes?

        The answer will be left as an exercise for the reader.

    • (Score: 1, Informative) by Anonymous Coward on Monday September 18 2017, @02:54PM (2 children)

      by Anonymous Coward on Monday September 18 2017, @02:54PM (#569760)

      The "LLC" means "Limited Liability Company", which means the suits can't be personally liable for ANY problems legal or otherwise with Equifax business practices.

      • (Score: 2, Insightful) by Anonymous Coward on Monday September 18 2017, @03:11PM

        by Anonymous Coward on Monday September 18 2017, @03:11PM (#569766)

        Which is why "we the people" should take justice into our own hands. These scumbags, should be doxxed, then gutted and left to bleed out slowly and painfully. This day is coming soon. Hopefully, I will live to see it.

      • (Score: 2) by Whoever on Tuesday September 19 2017, @02:06AM

        by Whoever (4524) on Tuesday September 19 2017, @02:06AM (#570015) Journal

        LLC status protects owners, not employees. They may still be liable in their position as employees.

    • (Score: 2) by frojack on Monday September 18 2017, @10:55PM (3 children)

      by frojack (1554) on Monday September 18 2017, @10:55PM (#569963) Journal

      creating an environment in which a severe security issue could go unpatched for so long is *precisely* the fault of the CIO and CSO.

      Maybe read the linked articles before rushing to judgement.

      They knew about the vulnerability and the patch.
      They ordered all the servers to be patched.
      All the other servers were patched
      This one got missed.
      This one server got hacked.
      Clearly someone fucked up.

      But it wasn't the fault of either of these two people.

      They got canned because someone had to get canned. They signed up knowing there was always a risk one low level minion could bring their world crashing down by ill intent, or by simply assuming some other team member took care of this server.

      There is no way you can spin that into personal liability for the CIO/CSO. There is no way they should lose their retirement because some snotnosed agile developer failed to add this server to the list running Struts.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by arslan on Tuesday September 19 2017, @04:48AM (2 children)

        by arslan (3462) on Tuesday September 19 2017, @04:48AM (#570069)

        That's one way to look at it. The other could be: why did that one server get missed? Are we sure it is just one, just because one was discovered and exploited? Maybe there are more unknown servers in their network. Maybe they've fostered a risk culture such that documentation of their assets in their asset register is not strict, because documentation is an overhead that gets in the way of delivering "value"?

        How do you say for certain that the above is not the case? Documentation is always an afterthought; I've seen it so many times. The CxOs are definitely on the hook for any corporate culture they set, including any culture/practice that indirectly affects their risk management, like ensuring discipline in maintaining their knowledge base, key person dependencies, workforce skillset, etc.

        Even small things like always "stretching" your employees so they can deliver more bang for the buck, but not looking at the implications from the risk aspect (i.e. they make mistakes, they bring work home and risk data leakage, etc.). Maybe this "minion", as you put it, was overworked because that is the corporate culture.

        • (Score: 2) by frojack on Wednesday September 20 2017, @06:58PM (1 child)

          by frojack (1554) on Wednesday September 20 2017, @06:58PM (#570783) Journal

          There you go with that "risk culture" nonsense again.

          You haven't got a point here. Sorry. All business is risk.

          All the paper pushing bean counters in the world can't avoid risk. It's part of business.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2) by arslan on Thursday September 21 2017, @12:15AM

            by arslan (3462) on Thursday September 21 2017, @12:15AM (#570920)

            Nobody's saying you can avoid risk, but how an organization overall deals with it is not a binary thing. The top leadership are accountable for how they want the rest of the leadership chain below them to react to risk (as in how it affects their decision making).

            If a mid level IT manager decides that patching is low priority because he wants his project to be deployed first so he can score brownie points with his business sponsor, because that is his main KPI set from the top, and decides to postpone the patching, then they are potentially taking a very bad position on managing risk. The risk doesn't go away, to your point, and this isn't about that. Why does the IT manager behave that way? Is this a lone-wolf cowboy thing, or is it a typical thing across the organization? Surely the top leaders are accountable to set the risk culture because they are the ones that decide on the KPI model.

            Another scenario, which is not so direct, is a culture where the top leaders foster an environment where minions are always stretched to work 10 hours a day continuously till they burn out, and fat fingering is par for the course. This isn't "directly" related to risk culture, but it does set up a culture where mid level IT managers get the mandate to whip their workforce and create an environment where there's a high degree of mistakes, and indirectly create a poor cyber risk environment.

            I've been in organizations where I've experienced both of the above. If shit were to happen I wouldn't be blaming the minion like you suggested.

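The thread argues the same point from both ends: frojack says the CIO/CSO "had no way to detect that a machine was missed", and arslan asks whether the asset register was kept strictly enough to know the server existed at all. What closes that gap is a reconciliation step, not a better memo: every host the register says exists must produce positive evidence of a fixed version, and every host that produces evidence must be in the register. The script below is an added example of that audit (my code, not Equifax's tooling and not anything from the linked articles). The only facts it leans on are from Apache's S2-045 advisory for CVE-2017-5638: affected versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1. The host names, jar paths, the struts2-core jar-name convention and the scan results are constructed sample data.

```python
"""Patch-coverage audit for CVE-2017-5638 (Apache Struts S2-045).

Added example: not Equifax's tooling and not code from the linked articles.
Reconciles an asset register (hosts that are supposed to exist) against scan
results (which struts2-core jar each host actually runs) and reports
  - hosts whose Struts version is still vulnerable to CVE-2017-5638,
  - registered hosts with no scan result (unverified, and treated as a failure),
  - scanned hosts missing from the register (the server nobody knew ran Struts).
Fixed versions are those named in Apache's S2-045 advisory: 2.3.32 and 2.5.10.1.
Host names, paths and the jar-name convention are constructed sample data.
"""
import re

# Affected ranges and fixed versions per the S2-045 advisory, keyed by branch.
AFFECTED = {
    (2, 3): ((2, 3, 5), (2, 3, 32)),   # 2.3.5 through 2.3.31 affected; fixed in 2.3.32
    (2, 5): ((2, 5), (2, 5, 10, 1)),   # 2.5 through 2.5.10 affected; fixed in 2.5.10.1
}

# Assumed jar naming convention for the scan output: struts2-core-<version>.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(jar_path):
    """Version tuple from a struts2-core jar path, e.g. (2, 5, 10, 1); None otherwise."""
    m = JAR_RE.search(jar_path)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True if this struts2-core version falls inside an S2-045 affected range.

    Tuple comparison handles the half-open ranges correctly:
    (2, 5, 10) < (2, 5, 10, 1) is True; (2, 5, 10, 1) < (2, 5, 10, 1) is False.
    """
    rng = AFFECTED.get(version[:2])
    if rng is None:
        return False            # branch not covered by the advisory
    low, fixed = rng
    return low <= version < fixed


def audit(register, scan_results):
    """Reconcile the register with scan results.

    register:     iterable of host names the asset register says exist.
    scan_results: dict host -> list of jar paths found on it ([] if no Struts jar).
    A host absent from scan_results is *unverified*: absence of evidence is not
    evidence of patching, so it is reported alongside the vulnerable hosts.
    """
    register = set(register)
    out = {"vulnerable": [], "patched": [], "unverified": [], "unregistered": []}
    for host in sorted(register | set(scan_results)):
        if host not in register:
            out["unregistered"].append(host)   # off the books; still assessed below
        if host not in scan_results:
            out["unverified"].append(host)
            continue
        versions = [v for v in map(parse_version, scan_results[host]) if v]
        bucket = "vulnerable" if any(map(is_vulnerable, versions)) else "patched"
        out[bucket].append(host)
    return out


def coverage_ok(result):
    """Sign-off criterion: nothing vulnerable, nothing unverified, nothing off the books."""
    return not (result["vulnerable"] or result["unverified"] or result["unregistered"])


# Constructed sample data: what the register claims versus what an agent found.
SAMPLE_REGISTER = ["web-01", "web-02", "web-03", "api-01"]
SAMPLE_SCAN = {
    "web-01": ["/opt/app/WEB-INF/lib/struts2-core-2.3.32.jar"],     # fixed version
    "web-02": ["/opt/app/WEB-INF/lib/struts2-core-2.5.10.1.jar"],   # fixed version
    "api-01": ["/opt/api/WEB-INF/lib/struts2-core-2.3.31.jar"],     # one release short of the fix
    "legacy-07": ["/srv/old/WEB-INF/lib/struts2-core-2.3.20.jar"],  # not in the register at all
    # web-03 is registered but returned nothing: unverified, not "probably fine".
}

if __name__ == "__main__":
    result = audit(SAMPLE_REGISTER, SAMPLE_SCAN)
    for bucket, hosts in result.items():
        print(f"{bucket:>12}: {', '.join(hosts) or '-'}")
    print("coverage ok:", coverage_ok(result))
```

The point of `coverage_ok` is that the audit only passes on positive evidence: a host that never reported is a failed check, not a gap to be explained later, and a host that reports but is not in the register is flagged even when it turns out to be patched, because the register being wrong is itself the finding.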
  • (Score: 1, Interesting) by Anonymous Coward on Monday September 18 2017, @11:53AM

    by Anonymous Coward on Monday September 18 2017, @11:53AM (#569706)

    So their IT and IT security screw up and are replaced with more people from the failing organisation.

    I can understand this if their replacements have previously reported about the problems, asked for budgets to fix things but were denied etc... Then it would make sense to promote them, but it would then also make sense to hang the CSO and CIO out to dry as they ignored internal information about security repeatedly.
    Since that didn't happen, I'm assuming their replacements didn't badger them endlessly about the security holes and carry a good part of the blame.

  • (Score: 1, Interesting) by Anonymous Coward on Monday September 18 2017, @12:16PM (7 children)

    by Anonymous Coward on Monday September 18 2017, @12:16PM (#569719)

    Can someone more familiar explain whether this company can survive somehow? Who are their actual customers? Do they still want to do business with Equifax?

    • (Score: 4, Interesting) by Thexalon on Monday September 18 2017, @12:32PM (2 children)

      by Thexalon (636) on Monday September 18 2017, @12:32PM (#569724)

      Their "actual customers" are businesses that want to run credit checks on ordinary people. Which, since many businesses use credit rating as a measure of overall responsibility, is more than you might think. For instance, it's pretty common for employers to run credit checks on people they're considering hiring (which makes it harder if you have bad credit to get a job, making it harder to fix your credit).

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 0) by Anonymous Coward on Monday September 18 2017, @05:43PM

        by Anonymous Coward on Monday September 18 2017, @05:43PM (#569822)

        So we need to cross our fingers that whoever is behind this breach sells it to their "actual customer" for less and undercuts Equifax's business.

      • (Score: 2) by frojack on Wednesday September 20 2017, @07:02PM

        by frojack (1554) on Wednesday September 20 2017, @07:02PM (#570786) Journal

        run credit checks on ordinary people.

        Gee, it's too bad Equifax is powerless to protect the credit rating of the ordinary people [equifax.com] whose data was breached.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 5, Interesting) by bradley13 on Monday September 18 2017, @12:37PM (2 children)

      by bradley13 (3053) on Monday September 18 2017, @12:37PM (#569725) Homepage Journal

      Their customers are companies considering giving credit cards or loans to individuals. They pay Equifax, and get information on the individual. Supposedly, this is the same information that you see when you ask for a copy of your credit report. However, numerous anecdotes would seem to indicate that there is additional information that they only show their real customers.

      Can they survive? That depends on the lawsuits. Given the size of this breach, it seems entirely likely that the judgements will drive Equifax bankrupt. That doesn't mean much - that's just a way of limiting the financial damage. The company will almost certainly rise again, under cover of the bankruptcy laws, and continue where it left off. If it gets really bad, maybe they will sell their business assets to a new entity (formed for the purpose), so that they can resume business under a new name.

      Most importantly, be assured that none of the executives will suffer. Remember the 2008 financial crisis? The one that nearly brought down the entire international banking system? A couple of years after the crisis, I checked on the executives of the companies most to blame for the mess. Without exception, they all found soft landings. Either they retired, or - if they were younger - they were in new CxO positions at other banks, private equity firms, or whatever. Aside from a bit of momentary embarrassment, the results of their malfeasance didn't personally inconvenience them at all.

      --
      Everyone is somebody else's weirdo.
      • (Score: 4, Insightful) by bob_super on Monday September 18 2017, @07:04PM

        by bob_super (1357) on Monday September 18 2017, @07:04PM (#569858)

        > it seems entirely likely that the judgements will drive Equifax bankrupt

        They'll settle out of court with the DOJ for a ridiculously small amount, and people will be rewarded for a job well done.

        Can we attack the real problem: Why the [bleep] is your SSN, DOB and address all anyone needs to completely impersonate you?
        I thought we celebrated that 21st century thingy, a long while back. Some systems didn't get the memo...

      • (Score: 2) by nobu_the_bard on Monday September 18 2017, @09:30PM

        by nobu_the_bard (6373) on Monday September 18 2017, @09:30PM (#569936)

        There is additional information they show their real customers, yes.

        Among them: you have a separate credit score for car buying, for example. In my experience it is typically lower than your main credit score. This is not included among the free ones you can request. There is also a separate one for something home related, I think getting home mortgages. There are probably another two or three besides.

    • (Score: 0) by Anonymous Coward on Monday September 18 2017, @03:59PM

      by Anonymous Coward on Monday September 18 2017, @03:59PM (#569782)

      Apparently it is a spying company, the most lucrative business today. (see e.g. goog) Such scum flourish mostly because stupid and naive people spill their guts on the internet (especially "social media" interactions and unprotected web browsing in general). I don't know whether they will survive this giant fuckup but if they do, you'll want to buy some shares. Looking at how past similar situations have evolved, they'll probably go unscathed or at worst get a slap on the wrist. Humanity is pretty well fucked.

      If you don't know what a hosts file is, do yourself and the rest of us a favor and do find out. Could you live your online life without JavaScript and cookies? Or at least radically reduce your exposure? (see NoScript, consider allowing only cookies that YOU need) Do you use a proprietary operating system that spies on you all the time? You know, there are alternatives that offer a much improved e-hygiene.

  • (Score: 0) by Anonymous Coward on Monday September 18 2017, @06:24PM (8 children)

    by Anonymous Coward on Monday September 18 2017, @06:24PM (#569835)
    • (Score: 2) by frojack on Monday September 18 2017, @11:01PM (7 children)

      by frojack (1554) on Monday September 18 2017, @11:01PM (#569965) Journal

      So what!?

      The Music major did everything right.

      It was the CS graduate admin tech with the degree and training that failed to follow the Music Major's orders and applied the patch to ALL the servers except THIS one. The guy with the appropriate training screwed the pooch.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by Whoever on Tuesday September 19 2017, @02:13AM (2 children)

        by Whoever (4524) on Tuesday September 19 2017, @02:13AM (#570018) Journal

        "The buck stops here"?

        Was the Chief Security Officer asking the right questions? Did she get the work audited? If your security relies upon individuals doing the right thing without appropriate auditing of their work, you will eventually fail.

        People make mistakes. As a manager, your job is to ensure that mistakes are corrected.

        Now, I am not saying that the music major makes her unqualified for that position, but the fact that Equifax was hacked suggests that she did not have the appropriate skills. Or it may be that she didn't have the appropriate budget.
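
The audit Whoever is asking about, written out as an added example (not code from the thread, from Equifax, or from the linked articles): a fleet-wide check that compares the Struts version actually observed on every host against the published fixed versions, rather than trusting that whoever ran the patch job covered every server. The inventory, hostnames and versions below are constructed for illustration; the only real data is the fixed-version table for CVE-2017-5638 (Struts 2.3.32 for the 2.3 line, 2.5.10.1 for the 2.5 line). Versions are compared numerically, because a naive string comparison happily calls "2.3.7" newer than "2.3.32".

```python
"""Fleet patch-compliance audit (added example, not from the thread).

SAMPLE_INVENTORY is constructed: each entry is a host and the struts2-core
version observed on it (for instance read from the deployed jar's manifest),
collected independently of whoever claims to have patched it.
"""
import re
from typing import Dict, List, Tuple

# Published fixed versions for CVE-2017-5638 (Apache Struts S2-045):
# release line -> first version that carries the fix.
FIXED_VERSIONS: Dict[str, str] = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

# Constructed sample inventory (hypothetical hostnames): host -> observed version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "2.3.32",
    "web-02": "2.3.32",
    "web-03": "2.3.31",      # the one server the patch run missed
    "api-01": "2.5.10.1",
    "api-02": "2.5.10",      # passes a "starts with 2.5.10" check, still vulnerable
    "legacy-01": "2.3.7",    # sorts after "2.3.32" as a string, is far older
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so comparison is numeric, not lexical.

    Non-numeric suffixes such as '2.3.32-SNAPSHOT' are truncated at the first
    component that carries no leading digits.
    """
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def release_line(version: str) -> str:
    """'2.5.10.1' -> '2.5': the major.minor line the fix table is keyed on."""
    numeric = parse_version(version)
    return f"{numeric[0]}.{numeric[1]}" if len(numeric) >= 2 else version


def is_patched(version: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> bool:
    """True only if the observed version is at or above its line's fixed version."""
    line = release_line(version)
    if line not in fixed:
        # Unknown or end-of-life line: fail closed and flag it for a human.
        return False
    return parse_version(version) >= parse_version(fixed[line])


def audit(inventory: Dict[str, str],
          fixed: Dict[str, str] = FIXED_VERSIONS) -> List[str]:
    """Return the sorted hostnames still running a vulnerable version."""
    return sorted(host for host, ver in inventory.items()
                  if not is_patched(ver, fixed))


if __name__ == "__main__":
    stragglers = audit(SAMPLE_INVENTORY)
    for host in stragglers:
        print(f"UNPATCHED {host}: struts2-core {SAMPLE_INVENTORY[host]}")
    print(f"{len(stragglers)} of {len(SAMPLE_INVENTORY)} hosts still vulnerable")
```

The point of the design is that the inventory is gathered from the hosts themselves, not from the ticket that says the patch was applied, and that an unknown release line is reported rather than silently passed; on the constructed data the audit flags web-03, api-02 and legacy-01.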

        • (Score: 2) by frojack on Wednesday September 20 2017, @07:09PM (1 child)

          by frojack (1554) on Wednesday September 20 2017, @07:09PM (#570793) Journal

          Or maybe she couldn't get clearance from HR to give every employee a lie detector test at the end of every work day.

          Somewhere out there across North America there is a railroad spike that has worked its way loose. Maybe I loosened it on my last vacation because I have a mean streak.

          It may cause a derailment.
          Somebody lock up Warren Buffet right now, till we know every single spike is inspected and fixed.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2) by Whoever on Wednesday September 20 2017, @10:04PM

            by Whoever (4524) on Wednesday September 20 2017, @10:04PM (#570870) Journal

            Somewhere out there across North America there is a railroad spike that has worked its way loose. Maybe I loosened it on my last vacation because I have a mean streak.

            It may cause a derailment.
            Somebody lock up Warren Buffet right now, till we know every single spike is inspected and fixed.

            If a single loose spike is likely to cause a major derailment with serious consequences for the railroad company, then, fuck yes, the railroad company should be inspecting them every night and someone high up (the most senior person in charge of safety) should take the blame in the event of a derailment caused by a loose spike.

            But that's not the case, is it? Your argument is based on a false premise. Try again.

            Your analogy is completely invalid. But I bet it made your tiny mind feel good because you think you made a point.

            You didn't. You just showed your stupidity again.

      • (Score: 2) by FatPhil on Tuesday September 19 2017, @04:13AM (3 children)

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday September 19 2017, @04:13AM (#570058) Homepage

        If she was unable to evaluate whether her underlings were capable of doing their job properly, then she's a chocolate teapot.
        Whoever hired her for her position is equally useless. Simply noticing that she has claimed "data center" as a skill is not diligent recruiting. (What does she do - act as a rack?)

        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 1, Flamebait) by frojack on Wednesday September 20 2017, @07:11PM (2 children)

          by frojack (1554) on Wednesday September 20 2017, @07:11PM (#570797) Journal

          So your problem here seems to be that she is a she. You never mentioned the He who was also fired.

          perfunctory face-saving firing is perfunctory.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2) by FatPhil on Wednesday September 20 2017, @09:22PM

            by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday September 20 2017, @09:22PM (#570853) Homepage

            Wow, now you're really clutching at straws. At no point was anything I said predicated upon anyone's gender.

            I dare you to prove me wrong, and by so doing prove once and for all the widely held belief that deep down you're a bullshit artist (albeit only a grade C one).

            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by FatPhil on Wednesday September 20 2017, @09:27PM

            by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday September 20 2017, @09:27PM (#570855) Homepage

            Oh, the he in the story is neither a superior nor a subordinate to the she in the story even if their responsibilities overlap, and therefore his case is independent of her case. He may well be just as unqualified for his role, that's independent of a discussion about her suitability.

            Do I bring up eth-fueled's traits when criticising your illogic? No, because you are different, and special, individuals.

            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves