back to article Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure. The 96-page report (PDF) from the Committee of Oversight and Government Reform found that the 2017 network breach could have easily been prevented had the …

  1. Pascal Monett Silver badge

    "Such a breach was entirely preventable"

    So, tell me that Richard Smith is going to be dragged before the judge and sentenced for gross negligence and endangering the private data of almost 150 million people ?

    Oh, of course not. He drove the system into overdrive, but retired when the shit hit the fan, so instead of going to jail, he's getting millions of dollars.

    Ah, isn't capitalism wonderful ?

    1. Version 1.0 Silver badge

      Re: "Such a breach was entirely preventable"

      Sounds like they might be looking for another PFY to fire - but the PHB's all get bonuses and golden handshakes.

    2. Anonymous Coward
      Anonymous Coward

      Re: "Such a breach was entirely preventable"

      But socialism would prevent such a thing???

      Perhaps “Ah isn’t democracy crazy” would at least make some sense.

      I can’t see how the economic model can be linked to someone getting away with murder. That literally has happened throughout history.

      1. FrozenShamrock

        Re: "Such a breach was entirely preventable"

        No, the original poster was correct, it is capitalism that is to blame. Pure, unfettered capitalism pursues maximum profits at the expense of everything else. It has no obligation to society or its own employees. that is why government regulation and oversight is necessary; to keep capitalism in check, from letting it go to its natural predatory conclusion. Equifax management increased profits, and their own wealth, and disregarded everything else. That is the essence of capitalism on full display. Western civilization keeps going through cycles where it allows wild west capitalism to rape, pillage, and plunder, followed by a period where it clamps down too tight and chokes off innovation. The middle, people, can't we get to the middle and stay there?

        1. Anonymous Coward
          Anonymous Coward

          Re: "Such a breach was entirely preventable"

          No go read the comment. And also read about capitalism. Regulation is a part of a capitalistic model, it is politics that interferes with it. If anything it is a weak democratic process in America with lobbyists that is the problem, not the economic model. You are ignoring the theme of the post that somehow it is capitalism that allowed him to retire with millions of dollars without consequence.

          Soviet Russia did just as badly.

      2. John Brown (no body) Silver badge

        Re: "Such a breach was entirely preventable"

        But socialism would prevent such a thing???

        ---------

        If you think socialism is the only alternatuve to the rampant and raw capitalism as practiced in the US, then you need to get out more and see, or at least read about, the rest of the world.

        1. LOL123

          Re: "Such a breach was entirely preventable"

          Again confusing economic models with corruption, politics and fair democracies.

          America is I think among the worst here, where you can legally bribe and influence an election under the term lobbying.

          A pile of turd by any other name still stinks.

    3. ryokeken

      Re: "Such a breach was entirely preventable"

      Dunno, chances are he did screw a few of his richer peers and in high flying money matters I think only bernie madoff went to jail.word on the streets is because he stole from the super rich =\

  2. Wellyboot Silver badge
    Holmes

    Simple Greed

    Senior management at its finest, ignoring anything that doesn't line their pockets.

  3. sanmigueelbeer Silver badge
    Happy

    Equifax blamed its woes on an IT staffer who hadn't installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax's failings than this one scapegoat.

    I can smell a wrongful dismissal lawsuit in the making. That IT staffer is going to have a very, very big paycheck soon.

    Fire the torpedoes!

    1. Throatwarbler Mangrove Silver badge

      You're so cute, I just want to pinch your adorable little cheeks!

    2. a_yank_lurker Silver badge

      @sanmigueelbeer - While the incompetent failures on the bench are probably too stupid to grasp that a massive screw up this big is partially caused by mid and senior mismanagement not making IT security a priority. Compound this with mistakes by the grunts and you can have a perfect storm brewing. While a wrongful dismissal should be slam-dunk I am not so confident that the shyster in robes cares about justice and is capable of understanding how this really occurred.

      1. sanmigueelbeer Silver badge

        I am not so confident that the shyster in robes cares about justice and is capable of understanding how this really occurred.

        We're talking about a justice system where the (unofficial) national pastime is to sue someone. There are more lawyers than accountants out there. Even a half-cooked, half-stoned/drunk ilk can make his/her mark by just suing something this big.

        `tis too easy to win. Imagine this: Staff wrongfully blamed for breaches. Independent report shows the breach was caused by a certificate issue which no one wants to take ownership to update. Blame-game is the topic of the day. Oh wait, I don't like your tie. You're "it"!

        Equitrax will do anything just to get this sorted quickly. Out-of-court-settlement is bound to happen.

    3. DropBear Silver badge

      There's rather significant difference between wrongfully blaming an innocent for something he's not guilty of and wrongfully blaming an admittedly guilty party as the sole reason for the consequences that were not caused by his actions alone. Neither is fair, but I don't think the "scapegoat" was fired for "single-handedly leaking the whole database" but rather for "not applying an important patch in due time", which apparently he did (fail to) do. Unless he can prove holding back the patch was an instruction from higher-up, I don't see how he can sue simply for nobody else being blamed at the time.

      1. SImon Hobson Silver badge

        Neither is fair, but I don't think the "scapegoat" was fired for ... but rather for "not applying an important patch in due time", which apparently he did (fail to) do.

        The question is, was he actually under instruction (whether from management or the systems) to do so ? Reading the article, it sounds like they knew there were instances to patch, but missed some of them because they did a scan wrong when looking for all of them - the latter raising other issues about knowing what's running !

        If the instructions were to "patch this list of servers" and the one he didn't do wasn't on the list then he's not to blame. But even he did miss one he was instructed to do, I'd think he's still got a good case for wrongful dismissal since it's clear that his error was only a tiny cog in the big system that allowed this breach.

    4. MJB7
      Pirate

      Re: Wrongful dismissal

      I don't know where the employee worked, but if it was in an "at will" state, then "wrongful dismissal" isn't a thing. (Unless they can show it was because of race/sex discrimination or similar.)

      If you turn up to work one day in a tie that your boss doesn't like they can fire you with absolutely no comeback.

  4. Destroy All Monsters Silver badge
    Pint

    After the pwning of its servers was revealed Equifax blamed its woes on an IT staffer who hadn't installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax's failings than this one scapegoat.

    Woah I didn't expect THAT! Surprising stuff for the 21st century.

    "And next week, Mueller will deliver more indictments" (Laugh track)

  5. DCFusor Silver badge

    Too much power

    It's worse than you think. I recently retired (USA) and am on social security. For other reasons I had to get a paper verification of my status to a medical establishment in a tight time frame. So I log on to the government site, and try to start a "MYSSA" account, but the procedure fails. I then call the number, and after the usual multi-hour wait when calling the government, I got to a human who said that if I'm NOT in the equifax or experian databases, they cannot prove I exist! (I am in the OPM as I had a security clearance, or I should be, anyway - but two government entities here can't talk to each other apparently unless there's a political motive to incriminate someone).

    Yep, the government can't keep track of my existence - even as an EMPLOYEE(!) if I'm not in a "private" database! One that has data that's all too powerful - identity theft is the least of it - can't get a loan?

    Can't even get phone service with some providers, and here in the US you probably don't have a choice of that or ISP. Guess you your government really is - bankers and their services. Notice how they got bailed out with our money, how they get everything they want, and look at the horrible punishment they're getting here for history-making breach. /sarcasm

    I'm sure you can connect those dots, they're real close together.

    Lucky I was grandfathered in long ago on those things. All you have to do to drop off the earth is not use credit in any form or fail to pay a bill in 7+ years, and bam, you're a ghost. Screw someone - don't pay a bill, have them "screw up your rating" and it turns out that a negative number is better than no number at all! Suddenly everyone wants to lend you money, the government can find you again (which may be good or not)....

    When I mentioned this to the government human and pointed out that they must know I exist and where I live as I get checks...they said "shhhhh, don't mess it up, if these dots get connected they'll stop".

    And you guys think your UK government is screwy. Hold our beer. No telling who wins that one.

    1. Amos1

      Re: Too much power

      "I got to a human who said that if I'm NOT in the equifax or experian databases, they cannot prove I exist! (I am in the OPM as I had a security clearance, or I should be, anyway -..."

      You could probably ask the Chinese government for an affidavit of your existence since they allegedly owned both Equifax and OPM.

    2. Stoneshop Silver badge

      Re: Too much power

      And you guys think your UK government is screwy. Hold our beer.

      a) uk.gov appears to be a bit busy at the moment, trying to fsck up the already fscked-up dreckshit.

      b) beer?

  6. Walter Bishop Silver badge
    Facepalm

    Retrospective ass-covering ©

    'The report noted some of the previously-disclosed details of the hack, including the expired SSL certificate that had disabled its intrusion detection system for 19 months” ..

    Retrospective ass-covering, seeing as there was no one actually tasked with monitoring potential security bugs.

    The report states that Equifax's IT team did scan for unpatched Apache Struts code on its network. But it only checked the root directory, not the subdirectory that was home to the unpatched software

    This is total pseudo technical sounding BS, what kind of a security scan only checks the root directory. The reality more likely that there was no such IT Team, and nobody was tasked with checking Apache Struts for bugs.

    It was only when the certificate was renewed that Equifax saw the massive amounts of data being copied from its servers and realized something was very wrong.”

    Enough already, it was only after Equifax customer records was spotted online that Equifax became aware of the hack. And Equifax was being monitored by a respectable security company that shall have to remain nameless.

    Equifax blamed its woes on an IT staffer who hadn't installed the Apache patch, and fired the person.”

    What was the name of this imaginary IT staffer person?

  7. M2

    Time machines obviously exist....

    "A 2015 audit found that ACIS, a Solaris environment that dated back to the 1970s,"

    Even some basic date checking on Wikipedia by an editor should have flagged up some changes were required in that 2015 review.... or maybe it was a sign of the review quality...

    And here's me thinking we were early adopters of Solaris 2.1 - seems someone was already using it 13 years before Sun even released SunOS.......

    1. Anonymous Coward
      Anonymous Coward

      Re: Time machines obviously exist....

      13 years before Sun even released SunOS

      Indeed, Sun wasn't even founded until the mid-80s.

    2. 's water music Silver badge

      Re: Time machines obviously exist....

      "...dated back to the 1970s..." ...13 years before Sun even released SunOS...

      I wondered if they might have found elements that dated back to 00:00:00 Jan 1st 1970 or that time +SystemUpTime

    3. Michael Wojcik Silver badge

      Re: Time machines obviously exist....

      Yeah, that phrase in the article is clearly wrong. What the report actually says is that the Equifax ACIS application (Automated Consumer Interview System) was originally developed in the 1970s. Obviously it has changed since then, since at the time of the breach it was using Apache Struts.

      The report cites an interview with Graeme Payne, Equifax manager of the ACIS system, stating that when he joined the firm in 2014 they were still running ACIS on the original platform (more or less), but then goes on to say that it was running on Sun servers, so obviously he wasn't too clear on the history either.

      My guess is that the Struts-using, post-2014 incarnation of ACIS was at least the third platform for it.

  8. ThatOne Silver badge
    Facepalm

    > Such a breach was entirely preventable.

    Except it would had cost money to do so. Money not spent = profit.

    > tell people what information is being gathered, how it is stored, and who it is shared with

    Everything is gathered, it's stored anywhere, and more often than not shared with world & dog.

    > The credit biz has yet to identify what in the report is inaccurate.

    Obvious: It is inaccurate because it makes them look bad.

  9. John Smith 19 Gold badge
    Unhappy

    "Except it would had cost money to do so. Money not spent = profit."

    The root cause?

    1. Fred Flintstone Gold badge

      Re: "Except it would had cost money to do so. Money not spent = profit."

      The root cause?

      Absolutely .

      IMHO it ought to be the basis of any fine: make the fine many, many times more than the expense of doing it properly, of course retrospectively applied and aggregated. It's the only way I can see this become a concern for those taking the decision as it hits them in their pocket.

      Further, make security audits mandatory as well as their publication for big organisations after, say, a 3 month period to fix the problems found, with an extra 3 month wait extension only available via a rigorous exception process to filter out the usual excuses.

  10. SimonC

    Can someone explain how an expired certificate causes problems? In our systems if a certificate expires the website goes down / APIs stop working / everything grinds to a halt.

    I see it like a combination lock that rusts up. Nobody is getting in, even the people that know the passcode.

    1. John Riddoch

      The cert was on the security monitoring software, so while service was running fine, it wasn't getting monitored. When they finally upgraded the cert, they had their "ohshit" moment.

      1. Anonymous Coward
        Anonymous Coward

        I need some help with Latin here

        I'm guessing we'll need "who monitors the monitors" in Latin now to make it sound impressive in reports, it's no longer about the watchers.

        Having a problem is one thing, that's life, but leaving it unaddressed for so long on such critical functionality ought to be tagged as criminal neglect.

        1. gerdesj Silver badge
          Windows

          Re: I need some help with Latin here

          "I'm guessing we'll need "who monitors the monitors" in Latin now to make it sound impressive in reports, it's no longer about the watchers."

          What you asked for is "quis custodiet ipsos custodes" what you will get in return from Equifax is "futue te ipsum et caballum tuum".

    2. ArrZarr Silver badge
      Windows

      If only one system relies upon the certificate, and that isn't something checked by another system to inform other systems (or even people) of the failure, then that system can grind to a halt without anything else caring.

      1. John Brown (no body) Silver badge

        then that system can grind to a halt without anything else caring.

        ---------------

        It does make one wonder who responsible for checking the security monitoring system and why they never wondered about either the complete lack of reports, logs etc. or even why, if reports were being generated, nothing ever happened for 19 months.

        An org the size of Equifax should expect to be under constant attack fron multiple sources.

        1. Anonymous Coward
          Anonymous Coward

          Surely an outfit that size must be audited regularly? How the heck did they miss this?

          Oh, no, they didn't. They had warnings for *years* but chose to ignore them instead.

          I think one could translate that as a criminal neglect of duty.

  11. Anonymous Coward
    Anonymous Coward

    a stunning catalog of failure

    We would like to reassure our stakeholders once again that we remain totally commited to maintaining the highest standards of data security. As per our stellar, world-renown, certification system.

  12. Anonymous Coward
    Anonymous Coward

    So, who scores Equifax now?

    As far as I can tel, Equifax's credit is now a negative value..

    1. Michael Wojcik Silver badge

      Re: So, who scores Equifax now?

      How so? Their stock price recovered quickly, and I don't see much reason to hope that either the corporation itself, or anyone else serving a major role in it, will see any serious consequences.

      The moral of Equihax is "it's cheaper to fail and be found out than to do it right in the first place". Perhaps GDPR and similar regulation will change that, but I'm not holding my breath.

  13. Oh Matron!

    "We are deeply disappointed that the Committee chose not to provide us with adequate time to...

    spin this into something positive..."

  14. Herring`

    The thing is

    it wasn't people who gave their personal data to Equifax - it was companies selling financial products. In a just world, there ought to be some liability on them too. They didn't take steps to ensure that they were handing over our data to someone who was taking the necessary steps to secure it.

    Yeah, I know there's no chance of this happening.

    1. Lyndon Hills 1

      Re: The thing is

      They didn't take steps to ensure that they were handing over our data to someone who was taking the necessary steps to secure it.

      I know this is an Amercian story, but this sounds like something covered by the GDPR?

      1. Richard 12 Silver badge

        Re: The thing is

        Yes, it would have been, had it occurred after GDPR came into effect.

        As it stands, Equifax have dodged that bullet.

        Next time, they die.

  15. SVV Silver badge

    If 148 million customer records can be nabbed

    and the blame shunted to some poor developer for not shoving a new version of a library onto a live production server or twenty, then things were clearly so wrong on so many levels that a lengthy essay could be written about all the failures at every level of the company.

    Categories including build and dependency management, release management, integration testing, certificate management, access control to live systems, and so much more would show neglect all over the shop. Neglecting all these things for a company with responsibility for so many people's crucial data is fundamentally negligent. Especially in the context of "aggressive expansion".

    And criticising obscene rewards for failure ain't socialism bud, capitalists are supposed to believe that failure comes at a price. For the company that failed, not some easy scapegoat. "The buck stops here" has been replaced with "The bucks stop here" for the bosses who rake in millions every year.

    1. Anonymous Coward
      Anonymous Coward

      Re: If 148 million customer records can be nabbed

      But the security team sent an e-mail to everyone! Two days too late to stop the breach... And apparently never followed up.

      And the person responsible didn't respond! Fire them!!!

      Meanwhile, the larger security screw up (i.e. no security monitoring for 19 months, no controls to ensure the monitoring was working as required and no testing to verify the monitoring plus the tesing they did do to verify server compliance was insufficient to detect non-compliance) appears to have resulted in no action. I'm assuming working in Equifax IT security primarily involves coating ones self in teflon.

  16. Cincinnataroo

    These guys should not even have much of the information. Effectively stopping that, deleting it thoroughly, preventing recurrence and prosecuting those involved in it's acquistion might fix the world a bit.

  17. astounded1

    So Shut Up And Pay Us For Premium Dark Web Insurance

    Look, if we didn't surf our greed and disregard for you digits out there into this magnificent fuck up, we wouldn't have jumpstarted our hot, new dark web scanning business so you can watch how your stolen info we let get stolen is put to work.

    All for just 75 quid a month.

    Once you see your privates on the scary side of the web, you won't be surprised anymore when your bank balance suddenly goes to zero. We will have warned you.

    That's all we do here. We lose your shit, then we charge you to warn you. So fuck off.

  18. fredj

    From my distant memories when I used to work: I saw a lot of new computer and science technology coming in and easily understood it. I saw old technology managers deliberately plan to stop young, pain in the rear, types like me. I would be discredited, behind my back, at every opportunity such that I would never be promoted and as such senior managers would never get to hear of what I was doing. This tactic prevented middle managers loosing their jobs or having to learn new things to keep up to date.Of course. It all collapsed soon enough but a fine company is now just a memory. Latterly I worked with a company who knew they had to have A1 security for many real, real security reasons. Their techies got on with it and did it well.

    (I have heard it said that I have a persecution complex!! It is difficult to disagree.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019