Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down

Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The retirements and more details about the company's mega-breach are revealed in a new entry to …


  1. sanmigueelbeer
    FAIL

    There's something missing

    What about the bit where some of the Argentinian systems have admin/admin credentials?

    And what about the rules that each user's ID and password are the same?

    1. DNTP

      Re: admin/admin

      Never mistake incompetence for incompetence.

      1. TReko

        Re: admin/admin

        Seems like the incompetence was caused by ignorance.

        It was reported on Slashdot yesterday that Susan Mauldin, the woman in charge of the Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security.

        If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.

        So ignorance was followed by cover-up.

        1. a_yank_lurker

          Re: admin/admin

          First disqualification: (th)Uga grad, which is the byword for stupidity in the Southeast. Second, were they retirements or 'retire or be fired'?

        2. Anonymous Coward
          Anonymous Coward

          Re: admin/admin

          So ignorance was followed by cover-up.

          From what I have seen so far, that's generally SOP in companies that do not allocate enough resources for security. It tends to come accompanied by sacrificial heads of security who will be sacked for their inability to either extract sufficient budget to do the job (an unfair fight at best) or an inability to spot they're being set up as the patsy.

          Given the amount of money it was raking in (some of which is about to get nuked) it has no excuse on the budget side.

          (At the bottom of the linked article is a video about a reporter trying to get information about his personal exposure in a safe manner - which it seems only took 42 minutes. No surprise there, then. Muppets).

          1. Trigonoceps occipitalis

            Re: admin/admin

            "So ignorance was followed by cover-up.

            From what I have seen so far, that's generally SOP ... "

            No, ignorance is followed by denial in the standard model.

        3. Adam 52 Silver badge

          Re: admin/admin

          "lists no education related to technology or security"

          I don't think you can read too much into that. Plenty of useless comp sci graduates around. For someone who's in a position to retire now there's plenty of time to have gone on workplace training. Tim Berners-Lee has a BA (albeit in physics).

          And security is a large part human factors; if they'd had a techie in charge we might now be reading about the massive Equifax phishing scam.

          Besides which, have you ever known a CISO who was actually empowered to force developers to do anything. Somebody set up that admin/admin account and it won't have been anyone with "chief" in their job title.

          1. RobertLongshaft

            Re: admin/admin

            This has absolutely nothing to do with developers. They simply didn't have a patching program sufficient for an enterprise data gathering organisation.

            See TNT in Europe for a similar failing.

            1. Adam 52 Silver badge

              Re: admin/admin

              "This has absolutely nothing to do with developers. They simply didn't have a patching program sufficient for an enterprise data gathering organisation."

              These two sentences nicely illustrate what's wrong with a large number of developers today.

              Patching and security; all somebody else's problem.

              1. Anonymous Coward
                Anonymous Coward

                Re: admin/admin

                In the shops I've worked, security patching is a grind-it-out, never-ending process. It is not exciting, not inventive, does not bring attention to your coding or talent. It is the take-out-the-trash job of computer science. It is not career enhancing, and it's the first thing to get outsourced because no one wants to spend even one year doing something that does not help you move forward as a developer. 10 years fixing patches and your technical abilities will have atrophied and you will be unemployable at any real computer science job. That said, it is necessary work that must be done.

            2. Anonymous Coward
              Anonymous Coward

              Re: admin/admin

              At a very minimum, PCI requires the change from defaults, and an adequate patching process. I would LOVE to see their last audit report. The CIO/CISO "retirements" won't be the last.

          2. billat29

            Re: admin/admin

            "Tim Berners-Lee has a BA (albeit in physics)."

            Of course. At the time he studied Physics, Oxford University only awarded a Bachelor of Arts degree even for science.

            These days he would get an MPhys to recognise that science at Oxford is a four year journey.

          3. Aodhhan

            Re: admin/admin

            Sure you have a lot of educated idiots with tech degrees when it comes to InfoSec, but you have a lot more when they don't have this background.

            What we are beginning to see, is the lack of experience and practice in more disciplines than just InfoSec who are responsible for this breach.

            For example, where was auditing, compliance, risk management and operations? These aren't InfoSec disciplines, these are straight up management disciplines designed to ensure everyone is doing whatever their job is effectively.

            For this reason, it isn't just the tech bosses like the CIO who should step down. The top officers responsible for auditing, compliance, risk and operations should also step down.

            The CEO should also step down, as his/her primary role is to protect the stock holders. Obviously this wasn't done, and he continues to fail in this regard.

        4. Anonymous Coward
          Anonymous Coward

          Re: admin/admin / So ignorance was followed by cover-up.

          If (IF) this were true, one might want to ask how she got that role and who was the moving agent, and why. Personal connections? PR?

          That said, more important than that would be, how the message about the bug did NOT travel up the way it should have. Well, we know "how", but at which point it was patted down as "Thanks for your concerns so eloquently put in 3532215 e-mails. After thorough investigation we have decided no further action be taken".

        5. rmacd

          Re: admin/admin

          This irks me. "You haven't got the right letters after your name, so are not qualified to have an opinion".

          My first degree was in music. I now work as a software engineer. I've met people who tell me they've "done" CompSci. And they know fuck-all. The most solid programmers I had the fortune to work with to date studied biochemistry and medieval history respectively.

          Anyone who has studied at undergraduate level will attest that it does not matter what you study (bar vocational degrees such as law or medicine); it's your attitude to learning that matters. You get taught HOW to learn. I went to university thinking I'd learn everything about my subject. On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else.

          1. Prst. V.Jeltz Silver badge

            Re: admin/admin

            "Anyone who has studied at undergraduate level will attest that it does not matter what you study (bar vocational degrees such as law or medicine); it's your attitude to learning that matters. You get taught HOW to learn. I went to university thinking I'd learn everything about my subject. On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else."

            Why did nobody tell me this at the start? There's me learning differentiation, integration, fluid dynamics, Young's modulus, resonant circuits etc. ad infinitum, when I could have just chosen "Navel Gazing" and gone on a bender for 3 years.

            I find it a little sad that you apparently don't pick up any useful information or skills on a "doesn't matter what subject" degree. Doesn't that make it a waste of time?

            Didn't you learn how to learn in school?

            Does it really take 3 years to learn how to learn? (5 years if you count your A levels.)

          2. Anonymous Coward
            Anonymous Coward

            Re: admin/admin

            "On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else."

            Sadly too many squander that perfect chance. I know a lot of people who graduated with degrees and moved on to IT and know absolutely nothing; worse still, they have no common sense, no logical problem-solving abilities and basically just seem to have stopped learning about anything after college except when Big Brother is on next! I never had the opportunity to study beyond college but I've never stopped learning of my own volition. Playing with computers for almost 40 years since I was 7 years old, I make it a point to ensure I learn something new every day, anything I can, just something to make each day worthwhile; often I can't get to sleep at night unless I've gained some new piece of knowledge, large or small. I hate sitting in the office surrounded by people who've had the good fortune to study education to a higher level than I and yet they've simply stopped learning anything; they simply drift through life with hardly any passion for anything anymore, tragic. You try to fire them up discussing new facets of IT and nothing. Surely they were hungry for knowledge once, or was it that their parents forced them into IT because that's where the money was and now they're trapped, wasting opportunities some people would sell their right arm for?

            1. Prst. V.Jeltz Silver badge

              Re: admin/admin

              Heres your new fact for today:

              "Reno is farther west than Los Angeles."

              There. sleep easy.

              1. jimdandy
                Windows

                Re: admin/admin

                Yes, Reno NV is farther west than Los Angeles. You are correct in establishing that as a fact. So is San Francisco and numerous other Cities.

                So, WTF?

                1. Prst. V.Jeltz Silver badge

                  Re: admin/admin

                  Well, the poster a couple of posts above mentioned that he likes to make sure he learns something new every day or he can't sleep. So I offered that nugget in the hope he wasn't aware of it.

                  I wasn't. I guess you think of Nevada as inland and LA on the beach. Turns out CA is a bit bendy.

                  It's like a geographic optical illusion. I was in Canada once and worked out I was further south than at home in the UK. Also I bet it's further across the bottom of England than it is from top to bottom.

                  1. David Tallboys

                    Re: admin/admin

                    I'm supposed to go to Barcelona next week, or not, thanks to Ryanair.

                    I thought Barcelona was down and to the left from London so I am shocked to find out it is east of the meridian - but it might have moved as I just looked at a 1970 National Geographic map.

          3. Anonymous Coward
            Anonymous Coward

            Re: You haven't got the right letters after your name

            "degree was in music... work as a software engineer. "

            In that case go get an Engineering degree; after all, that will be a walk in the park for you, and you are already getting paid as an Engineer so it would be professional development. Then join the Professional Association that regulates the practice of Engineering and you will be an Engineer.

            There is a reason that profession is regulated in many areas. The consequences of not requiring minimum education were, and still are, repeated catastrophes. Equifax is just one recent example.

        6. Warm Braw

          Re: admin/admin

          degree in music composition

          She will now have the time, as well as the skill, to write an elegiac piece for a really tiny violin.

          1. Captain Badmouth
            Coat

            Re: admin/admin

            "degree in music composition

            She will now have the time, as well as the skill, to write an elegiac piece for a really tiny violin."

            Hopefully it won't be too maudlin.

            Mine's the one with the copy of "Music of the spheres" in the pocket, thanks...

        7. Anonymous Coward
          Anonymous Coward

          Re: admin/admin

          With that background she'd be a shoo-in for a senior management role in UK public sector "digital".

        8. Zakhar

          Re: admin/admin

          Since when does knowing anything about I.T. qualify you for a job in a big company's I.T.?

    2. Anonymous Coward
      Anonymous Coward

      Re: There's something missing

      The first rule of incompetence club is that we don't talk about incompetence club; just move the boss to another company to still earn lots of money whilst being incompetent.

      1. Fatman
        Joke

        Re: There's something missing

        <quote>...just move the boss to another company to still earn lots of money whilst being incompetent.</quote>

        At my former WROK PALCE (CW Shark Tank readers will 'get it'), the CIO had a katana mounted on a plaque on the wall behind her desk.

        It bore the inscription:

        The Reward for Incompetence

        It was used a few times, until the bills for 'carpet cleaning' got the CFO annoyed.

        1. DropBear
          Trollface

          Re: There's something missing

          "...katana mounted on a plaque on the wall..."

          "I have to say Boss that this kind of dedication to constantly reminding oneself that anyone in a position of power, even a king, is always a single hair's width away from their doom is truly worthy of admiration..."

      2. Missing Semicolon Silver badge
        Mushroom

        Re: There's something missing

        Something missing? What about the fact that these two clowns get to retire, with benefits and yuge pension, instead of being dismissed for gross stupidity, clear your desk now?

    3. FuzzyWuzzys
      Flame

      Re: There's something missing

      Personally I hope it all goes a bit "Ratners" for Equifax!

      1. Roj Blake Silver badge

        Re: I hope it all goes a bit "Ratners" for Equifax!

        You mean you hope they change their name and carry on exactly as before?

    4. ecofeco Silver badge

      Re: There's something missing

      This. There's a lot more going on here than Struts.

  2. Blotto Silver badge
    Unhappy

    Muppets

    I've been trying to get them to correct incorrect details on my profile since 2016. That stupid dispute site never worked properly. I'd create or reset an account and it wouldn't let me login so I could never see their responses.

    Funnily enough it works now, since they've patched it.

    They still won't correct the wrong info.

    I'll be lodging a complaint with ICO next, but I suspect they'll be equally useless.

    1. Anonymous Coward
      Anonymous Coward

      Re: Muppets

      All corporations are muppets, and becoming more muppety, year on year:

      http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

      Those people at "information is beautiful" are going to need to start using log scaling, the way things are progressing.

  3. Barry Rueger

    Meanwhile in Canada

    A class action suit is in the works, and the complete response for Canadian "customers" is:

    Are you concerned you are affected by the Canadian impact of the breach against Equifax?

    We are still investigating, but this is what we know now:

    Only a limited number of Canadians may have been affected.

    We are working on finding out how many.

    The breach is contained.

    At this point, it seems the personal information that may have been breached includes name and address and Social Insurance Number.

    We will update this information as we learn more.

    1. elDog

      Re: Meanwhile in Canada

      "We are still investigating, but this what we know now:" Or "no now" or "no know". Rumsfeld must be coaching this team.

      "Only a limited number of Canadians may have been affected." Well, there are a limited number of Canadians so they may all be infected. "We are working on finding out how many" but trust us, it is limited and "The breach is contained" - perhaps within some pastebin account or Yours for only 9.99 Loonies.

      Finally, "it seems the personal information that may have been breached includes name and address and Social Insurance Number". May have included those items and may have included a whole lot more.

      Rest assured Canadians, and carry on. Oh, and please reserve me a couple of bunks far away from the mobsters to the south.

      1. Adrian 4

        Re: Meanwhile in Canada

        That's OK. Nobody would be using social security numbers for ID, would they?

        Would they?

        No, You Can't Have My Social Security Number

        Didn't the government promise that SSNs wouldn't be used for ID?

        1. liac

          Re: Meanwhile in Canada

          The Canadian link for Social Insurance Number (SIN) responsibility/usage is at:

          https://www.canada.ca/en/employment-social-development/services/sin/reports/code-of-practice/section-2.html

          The algorithm for generating numbers is known, as it is used by companies (e.g. banks) to validate a given SIN. Having a secret algorithm to generate a SIN does not help the situation. No matter how the SIN is generated, at some point the number is given to a bank or employer or credit check bureau. Hence, if these companies' security is breached, we are in the same situation. The resolution to not perpetuating this problem is via better processes, not technology. If the numbers were not easily associated to names, this problem would not exist. For example, one could post a list of 50 SINs which are generated by the public algorithm. No one would be able to determine 1) who the SINs belong to and 2) if the SINs were in use. So a list containing only these 50 numbers means nothing.
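The public check the comment refers to is the Luhn mod-10 checksum over the nine digits; the following validator is an added example for this thread, not code from the commenter or any Canadian agency, and its sample values are constructed. It shows what a bank's structural check can and cannot tell you: a number can pass without having been issued to anyone.

```python
"""Luhn (mod-10) structural check for a Canadian Social Insurance Number.

Passing this check only means the nine digits are internally consistent.
It says nothing about whether the number has been issued, or to whom,
which is exactly why a leaked list of bare numbers carries no identity.
"""
import re


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum of a digit string (valid when the sum is 0 mod 10)."""
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit results back into a single digit (e.g. 16 -> 7).
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def normalize_sin(sin: str) -> str:
    """Strip the spaces or dashes people type between the three digit groups."""
    return re.sub(r"[\s-]", "", sin)


def sin_is_valid(sin: str) -> bool:
    """True when the value is exactly nine digits and passes the Luhn check."""
    digits = normalize_sin(sin)
    if not re.fullmatch(r"\d{9}", digits):
        return False
    return luhn_checksum(digits) % 10 == 0


if __name__ == "__main__":
    # Constructed sample values: the first is the commonly cited illustrative
    # SIN that satisfies Luhn; the other two are deliberately malformed.
    for sample in ("046 454 286", "046-454-287", "12345"):
        verdict = "passes" if sin_is_valid(sample) else "fails"
        print(f"{sample!r}: {verdict} the structural check")
```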

        2. Anonymous Coward
          Anonymous Coward

          Re: Meanwhile in Canada

          Sadly, my work told me I could no longer use my own password to protect my electronic payslips, we would all now have the password set to our NI number.... Clearly they don't have a clue about security, convenience is far more important....

          1. Anonymous Coward
            Anonymous Coward

            Re: Meanwhile in UK

            If you want to open someone's password protected payslip, find out their NI number, chances are this is all you need to do.

            If you work for a company where some pen pusher has gone this way to make their life easier, they perhaps need some lessons in security awareness, and companies' responsibility for protecting personal data in a secure and responsible manner...

            1. Anonymous Coward
              Anonymous Coward

              Re: Meanwhile in UK

              Some authorities in Wales send out the payslips via email with no encryption.

  4. Anonymous Coward
    Anonymous Coward

    'You don’t pay extra at restaurants to keep rat poison out of the food'

    "There’s a good chance you’ve spent time recently on a chore you didn’t sign up for: finding out if hackers possibly stole information about you from Equifax Inc. - What makes the situation especially awful is that you never had much choice about entering into a relationship with Equifax."...

    -

    https://www.bloomberg.com/news/features/2017-09-14/thank-you-for-calling-equifax-your-business-is-not-important-to-us

    1. Anonymous Coward
      Anonymous Coward

      Re: 'You don’t pay extra at restaurants to keep rat poison out of the food'

      That extra revenue stream may hopefully come to an end in the US - hope Europe will follow soon.

      1. pirxhh

        Re: 'You don’t pay extra at restaurants to keep rat poison out of the food'

        Europe is leading the US by a wide margin in this - the EU General Data Protection Regulation (EU GDPR) is already in force and becomes fully mandatory on May 25th, 2018. This unifies the much stronger stance on privacy prevalent in Europe - in part this is due to different perception; Europeans generally care more about e.g. your neighbor knowing how much you make but less about nudity than their US counterparts.

        The EU GDPR has significant fines attached, i.e. 4 percent of annual global turnover or 20 million Euros (about 22 million dollars), whichever is greater.

        1. Anonymous Coward
          Anonymous Coward

          Re: 'You don’t pay extra at restaurants to keep rat poison out of the food'

          The EU GDPR has significant fines

          Whilst agreeing that the US authorities are laggards on data protection (undoubtedly Google are trying to ensure this remains so), we've yet to see how European regulators interpret and enforce the GDPR rules.

          I suggest that the draconian sounding GDPR fines will not reflect in any way what organisations actually pay. Looking at other regulatory fines, anybody expecting big numbers could well be disappointed. Take UK energy supplier E.ON. They had an obligation to install "advanced meters" at all business premises by April 2014, and failing to do so would incur a penalty of "up to 10% of UK turnover", which was about £9bn. So in theory they could have been fined £900m. In practice, they missed the target by a significant measure, and the penalty imposed was £7m. Technically the actual fine element was only two quid, with £7m paid to an "industry related charity".

          So, if that's indicative of the thinking of regulators (and Ofgem are the most aggressive regulator when setting penalties), what do you think Talk Talk would have been fined if GDPR had been in force back in 2015? My guess is around £6m-10m. Better than the £400k they got fined by the ICO at the time, but still dwarfed by the £35m cost of sorting the mess out that they reported. And if they had been fined that £6m-10m, it would have been a measly 0.4% of TalkTalk's £1.8bn turnover that year. I think that's what people should expect when GDPR comes into force, I'm afraid.

          1. Potemkine! Silver badge
            Trollface

            Re: 'You don’t pay extra at restaurants to keep rat poison out of the food'

            we've yet to see how European regulators interpret and enforce the GDPR rules. [...] Take UK energy supplier E.ON

            Everybody knows that UK is not in Europe ^^

  5. Anonymous Coward
    Anonymous Coward

    This is what you get when you let corporations & lawyers run your country

    “It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,"

    .

    https://www.bloomberg.com/news/articles/2017-09-08/one-thing-all-of-government-agrees-on-equifax-deserves-grilling

    ======================

    "Equifax Hack Is ‘Exhibit A’ in Case for Regulation - ‘Pathetic’ Remedies .... The company’s remedies for the breach were "pathetic" and that offering one year of free credit monitoring to consumers provided "scant protection" to those who were harmed. Equifax should offer free credit monitoring indefinitely and should drop its charges of up to $10 to consumers who want to freeze their credit"

    .

    https://www.bloomberg.com/news/articles/2017-09-11/equifax-hack-is-exhibit-a-in-case-for-regulation-durbin-says

    ======================

    "We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims," the attorneys general said. "Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families.”

    .

    https://www.bloomberg.com/news/articles/2017-09-15/equifax-asked-by-ags-to-stop-selling-credit-monitoring-services

  6. Anonymous Coward
    Anonymous Coward

    The Elephant in the room

    "Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so."

    "That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete."

    https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html

    1. Phil Kingston

      Re: The Elephant in the room

      Question is, will the potential fraudsters just happily sit on the information for 366 days before trying to use the information they've obtained?
