Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down

Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The retirements and more details about the company's mega-breach are revealed in a new entry to …

  1. sanmigueelbeer
    FAIL

    There's something missing

    What about the bit where some of the Argentinian systems have admin/admin credentials?

    And what about the rule that each user's ID and password is the same?

    1. DNTP

      Re: admin/admin

      Never mistake incompetence for incompetence.

      1. TReko

        Re: admin/admin

        Seems like the incompetence was caused by ignorance.

        It was reported on Slashdot yesterday that Susan Mauldin, the woman in charge of Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security.

        If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.

        So ignorance was followed by cover-up.

        1. a_yank_lurker

          Re: admin/admin

          First disqualification: (th)Uga grad, which is the byword for stupidity in the Southeast. Second, were they retirements or 'retire or be fired'?

        2. Anonymous Coward

          Re: admin/admin

          So ignorance was followed by cover-up.

          From what I have seen so far, that's generally SOP in companies that do not allocate enough resources for security. It tends to come accompanied by sacrificial heads of security who will be sacked for their inability to either extract sufficient budget to do the job (an unfair fight at best) or an inability to spot they're being set up as the patsy.

          Given the amount of money it was raking in (some of which is about to get nuked) it has no excuse on the budget side.

          (At the bottom of the linked article is a video about a reporter trying to get information about his personal exposure in a safe manner - which, it seems, only took 42 minutes. No surprise there, then. Muppets).

          1. Trigonoceps occipitalis

            Re: admin/admin

            "So ignorance was followed by cover-up.

            From what I have seen so far, that's generally SOP ... "

            No, ignorance is followed by denial in the standard model.

        3. Adam 52 Silver badge

          Re: admin/admin

          "lists no education related to technology or security"

          I don't think you can read too much into that. Plenty of useless comp sci graduates around. For someone who's in a position to retire now there's plenty of time to have gone on workplace training. Tim Berners-Lee has a BA (albeit in physics).

          And security is a large part human factors; if they'd had a techie in charge we might now be reading about the massive Equifax phishing scam.

          Besides which, have you ever known a CISO who was actually empowered to force developers to do anything. Somebody set up that admin/admin account and it won't have been anyone with "chief" in their job title.

          1. RobertLongshaft

            Re: admin/admin

            This has absolutely nothing to do with developers. They simply didn't have a patching program sufficient for an enterprise data gathering organisation.

            See TNT in Europe for a similar failing.

            1. Adam 52 Silver badge

              Re: admin/admin

              "This has absolutely nothing to do with developers. They simply didn't have a patching program sufficient for an enterprise data gathering organisation."

              These two sentences nicely illustrate what's wrong with a large number of developers today.

              Patching and security; all somebody else's problem.

              1. Anonymous Coward

                Re: admin/admin

                In the shops I've worked, security patching is a grind-it-out, never-ending process. It is not exciting, not inventive, does not bring attention to your coding or talent. It is the take-out-the-trash job of computer science. It is not career enhancing, and it's the first thing to get outsourced because no one wants to spend even one year doing something that does not help you move forward as a developer. 10 years fixing patches and your technical abilities will have atrophied and you will be unemployable at any real computer science job. That said, it is necessary work that must be done.

            2. Anonymous Coward

              Re: admin/admin

              At a very minimum, PCI requires the change from defaults, and an adequate patching process. I would LOVE to see their last audit report. The CIO/CISO "retirements" won't be the last.

          2. billat29

            Re: admin/admin

            "Tim Berners-Lee has a BA (albeit in physics)."

            Of course. At the time he studied Physics, Oxford University only awarded a Bachelor of Arts degree even for science.

            These days he would get an MPhys to recognise that science at Oxford is a four year journey.

          3. Aodhhan

            Re: admin/admin

            Sure you have a lot of educated idiots with tech degrees when it comes to InfoSec, but you have a lot more when they don't have this background.

            What we are beginning to see is the lack of experience and practice in more disciplines than just InfoSec who are responsible for this breach.

            For example, where was auditing, compliance, risk management and operations? These aren't InfoSec disciplines, these are straight up management disciplines designed to ensure everyone is doing whatever their job is effectively.

            For this reason, it isn't just the tech bosses like the CIO who should step down. The top officers responsible for auditing, compliance, risk and operations should also step down.

            The CEO should also step down, as his/her primary role is to protect the stock holders. Obviously this wasn't done, and he continues to fail in this regard.

        4. Anonymous Coward

          Re: admin/admin / So ignorance was followed by cover-up.

          If (IF) this were true, one might want to ask how she got that role and who was the moving agent, and why. Personal connections? PR?

          That said, more important than that would be how the message about the bug did NOT travel up the way it should have. Well, we know "how", but at which point was it patted down as "Thanks for your concerns so eloquently put in 3532215 e-mails. After thorough investigation we have decided no further action be taken".

        5. rmacd

          Re: admin/admin

          This irks me. "You haven't got the right letters after your name, so are not qualified to have an opinion".

          My first degree was in music. I now work as a software engineer. I've met people who tell me they've "done" CompSci. And they know fuck-all. The most solid programmers I had the fortune to work with to date studied biochemistry and medieval history respectively.

          Anyone who has studied at undergraduate level will attest that it does not matter what you study (bar vocational degrees such as law or medicine); it's your attitude to learning that matters. You get taught HOW to learn. I went to university thinking I'd learn everything about my subject. On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else.

          1. Prst. V.Jeltz Silver badge

            Re: admin/admin

            Anyone who has studied at undergraduate level will attest that it does not matter what you study (bar vocational degrees such as law or medicine); it's your attitude to learning that matters. You get taught HOW to learn. I went to university thinking I'd learn everything about my subject. On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else.

            Why did nobody tell me this at the start? There's me learning differentiation, integration, fluid dynamics, Young's modulus, resonant circuits etc. ad infinitum, when I could have just chosen "Navel Gazing" and gone on a bender for 3 years.

            I find it a little sad that you apparently don't pick up any useful information or skills on a "doesn't matter what subject" degree. Doesn't that make it a waste of time?

            Didn't you learn how to learn in school?

            Does it really take 3 years to learn how to learn? (5 years if you count your A levels.)

          2. Anonymous Coward

            Re: admin/admin

            "On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else."

            Sadly too many squander that perfect chance. I know a lot of people who graduated with degrees and moved on to IT and know absolutely nothing; worse still, they have no common sense, no logical problem-solving abilities and basically just seem to have stopped learning about anything after college except when Big Brother is on next! I never had the opportunity to study beyond college but I've never stopped learning of my own volition. Playing with computers for almost 40 years since I was 7 years old, I make it a point to ensure I learn something new every day, anything I can, just something to make each day worthwhile; often I can't get to sleep at night unless I've gained some new piece of knowledge, large or small. I hate sitting in the office surrounded by people who've had the good fortune to study education to a higher level than I and yet they've simply stopped learning anything; they simply drift through life with hardly any passion for anything anymore, tragic. You try to fire them up discussing new facets of IT and nothing. Surely they were hungry for knowledge once, or was it that their parents forced them into IT because that's where the money was and now they're trapped, wasting opportunities some people would sell their right arm for?

            1. Prst. V.Jeltz Silver badge

              Re: admin/admin

              Heres your new fact for today:

              "Reno is farther west than Los Angeles."

              There. sleep easy.

              1. jimdandy
                Windows

                Re: admin/admin

                Yes, Reno NV is farther west than Los Angeles. You are correct in establishing that as a fact. So are San Francisco and numerous other cities.

                So, WTF?

                1. Prst. V.Jeltz Silver badge

                  Re: admin/admin

                  Well, the poster a couple of posts above mentioned that he likes to make sure he learns something new every day or he can't sleep. So I offered that nugget in the hope he wasn't aware of that.

                  I wasn't. I guess you think of Nevada as inland and LA on the beach. Turns out CA is a bit bendy.

                  It's like a geographic optical illusion. I was in Canada once and worked out I was further south than at home in the UK. Also I bet it's further across the bottom of England than it is from top to bottom.

                  1. David Tallboys

                    Re: admin/admin

                    I'm supposed to go to Barcelona next week, or not, thanks to Ryanair.

                    I thought Barcelona was down and to the left from London so I am shocked to find out it is east of the meridian - but it might have moved as I just looked at a 1970 National Geographic map.

          3. Anonymous Coward

            Re: You haven't got the right letters after your name

            "degree was in music... work as a software engineer. "

            In that case go get an Engineering degree; after all, that will be a walk in the park for you, and you are already getting paid as an Engineer so it would be professional development. Then join the Professional Association that regulates the practice of Engineering and you will be an Engineer.

            There is a reason that profession is regulated in many areas. The consequences of not requiring minimum education were, and still are, repeated catastrophes. Equifax is just one recent example.

        6. Warm Braw

          Re: admin/admin

          degree in music composition

          She will now have the time, as well as the skill, to write an elegiac piece for a really tiny violin.

          1. Captain Badmouth
            Coat

            Re: admin/admin

            < degree in music composition

            She will now have the time, as well as the skill, to write an elegiac piece for a really tiny violin.>

            Hopefully it won't be too maudlin.

            Mine's the one with the copy of "Music of the spheres" in the pocket, thanks...

        7. Anonymous Coward

          Re: admin/admin

          With that background she'd be a shoo-in for a senior management role in UK public sector "digital".

        8. Zakhar

          Re: admin/admin

          Since when does knowing anything about I.T. qualify you for a job in a big company's I.T.?

    2. Anonymous Coward

      Re: There's something missing

      The first rule of incompetence club is that we don't talk about incompetence club; just move the boss to another company to still earn lots of money whilst being incompetent.

      1. Fatman
        Joke

        Re: There's something missing

        <quote>...just move the boss to another company to still earn lots of money whilst being incompetent.</quote>

        At my former WROK PALCE (CW Shark Tank readers will 'get it'), the CIO had a katana mounted on a plaque on the wall behind her desk.

        It bore the inscription:

        The Reward for Incompetence

        It was used a few times, until the bills for 'carpet cleaning' got the CFO annoyed.

        1. DropBear
          Trollface

          Re: There's something missing

          "...katana mounted on a plaque on the wall..."

          "I have to say Boss that this kind of dedication to constantly reminding oneself that anyone in a position of power, even a king, is always a single hair's width away from their doom is truly worthy of admiration..."

      2. Missing Semicolon Silver badge
        Mushroom

        Re: There's something missing

        Something missing? What about the fact that these two clowns get to retire, with benefits and yuge pension, instead of being dismissed for gross stupidity, clear your desk now?

    3. FuzzyWuzzys
      Flame

      Re: There's something missing

      Personally I hope it all goes a bit "Ratners" for Equifax!

      1. Roj Blake Silver badge

        Re: I hope it all goes a bit "Ratners" for Equifax!

        You mean you hope they change their name and carry on exactly as before?

    4. ecofeco Silver badge

      Re: There's something missing

      This. There's a lot more going on here than Struts.

  2. Blotto Silver badge
    Unhappy

    Muppets

    I've been trying to get them to correct incorrect details on my profile since 2016. That stupid dispute site never worked properly. I'd create or reset an account and it wouldn't let me login so I could never see their responses.

    Funnily enough it works now, since they've patched it.

    They still won't correct the wrong info.

    I'll be lodging a complaint with ICO next, but I suspect they'll be equally useless.

    1. Anonymous Coward

      Re: Muppets

      All corporations are muppets, and becoming more muppety, year on year:

      http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

      Those people at "information is beautiful" are going to need to start using log scaling, the way things are progressing.

  3. Barry Rueger

    Meanwhile in Canada

    A class action suit is in the works, and the complete response for Canadian "customers" is:

    Are you concerned you are affected by the Canadian impact of the breach against Equifax?

    We are still investigating, but this is what we know now:

    Only a limited number of Canadians may have been affected.

    We are working on finding out how many.

    The breach is contained.

    At this point, it seems the personal information that may have been breached includes name and address and Social Insurance Number.

    We will update this information as we learn more.

    1. elDog

      Re: Meanwhile in Canada

      "We are still investigating, but this is what we know now:" Or "no now" or "no know". Rumsfeld must be coaching this team.

      "Only a limited number of Canadians may have been affected." Well, there are a limited number of Canadians so they may all be infected. "We are working on finding out how many" but trust us, it is limited and "The breach is contained" - perhaps within some pastebin account or Yours for only 9.99 Loonies.

      Finally, "it seems the personal information that may have been breached includes name and address and Social Insurance Number". May have included those items and may have included a whole lot more.

      Rest assured Canadians, and carry on. Oh, and please reserve me a couple of bunks far away from the mobsters to the south.

      1. Adrian 4

        Re: Meanwhile in Canada

        That's OK. Nobody would be using social security numbers for ID, would they ?

        Would they ?

        No, You Can't Have My Social Security Number

        Didn't the government promise that SSNs wouldn't be used for ID?

        1. liac

          Re: Meanwhile in Canada

          The Canadian link for Social Insurance Number (SIN ) responsibility/usage is at:

          https://www.canada.ca/en/employment-social-development/services/sin/reports/code-of-practice/section-2.html

          The algorithm for generating numbers is known, as it is used by companies (e.g. banks) to validate a given SIN. Having a secret algorithm to generate a SIN does not help the situation. No matter how the SIN is generated, at some point the number is given to a bank or employer or credit check bureau. Hence, if these companies' security is breached, we are in the same situation. The resolution to not perpetuating this problem is via better processes, not technology. If the numbers were not easily associated to names, this problem would not exist. For example, one could post a list of 50 SINs which are generated by the public algorithm. No one would be able to determine 1) who the SINs belong to and 2) if the SINs were in use. So a list containing only these 50 numbers means nothing.
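The "public algorithm" in the comment above is the Luhn check digit that a Canadian SIN carries. The block below is an added example, not code from the thread or from any bank, and it makes the poster's point concrete: the check tells you whether a nine-digit string is well formed, and nothing about whether it has been issued or to whom. The generator produces random well-formed numbers (constructed, not real SINs) to show that a list of 50 such numbers is exactly as meaningless as the comment says.

```python
import random
import re

# Added example: a Canadian SIN is nine digits whose Luhn checksum is zero.
# Passing the check means "well formed", not "issued" and not "belongs to X".

_NINE_DIGITS = re.compile(r"\d{9}")


def luhn_sum(digits: str) -> int:
    """Luhn checksum of a digit string, taken right to left; 0 means valid."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9            # same as adding the two digits of the product
        total += d
    return total % 10


def normalise_sin(sin: str) -> str:
    """Strip the usual '123 456 789' or '123-456-789' grouping."""
    return sin.replace(" ", "").replace("-", "")


def sin_is_well_formed(sin: str) -> bool:
    """True if the value is nine digits whose Luhn checksum is zero."""
    s = normalise_sin(sin)
    return bool(_NINE_DIGITS.fullmatch(s)) and luhn_sum(s) == 0


def sample_well_formed_sins(n: int, seed: int = 0) -> list:
    """Generate n random numbers that pass the check (constructed, not issued SINs).

    The first eight digits are random; the ninth is chosen so the checksum is 0.
    """
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        body = "".join(str(rng.randrange(10)) for _ in range(8))
        # With a placeholder 0 in the check position, luhn_sum is the body's
        # contribution mod 10; the check digit just tops it up to a multiple of 10.
        check = (10 - luhn_sum(body + "0")) % 10
        out.append(body + str(check))
    return out


if __name__ == "__main__":
    print(sin_is_well_formed("046 454 286"))   # the commonly cited sample SIN
    for s in sample_well_formed_sins(5, seed=1):
        print(s, sin_is_well_formed(s))
```

Anything that accepts a SIN as proof of identity is therefore accepting a number with a checksum, not a secret; the check catches typos, and that is all it was ever for.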

        2. Anonymous Coward

          Re: Meanwhile in Canada

          Sadly, my work told me I could no longer use my own password to protect my electronic payslips, we would all now have the password set to our NI number.... Clearly they don't have a clue about security, convenience is far more important....

          1. Anonymous Coward

            Re: Meanwhile in UK

            If you want to open someone's password protected payslip, find out their NI number, chances are this is all you need to do.

            If you work for a company where some pen pusher has gone this way to make their life easier, they perhaps need some lessons in security awareness, and in companies' responsibility for protecting personal data in a secure and responsible manner...

            1. Anonymous Coward

              Re: Meanwhile in UK

              Some authorities in Wales send out the payslips via email with no encryption.

  4. Anonymous Coward

    'You don’t pay extra at restaurants to keep rat poison out of the food'

    "There’s a good chance you’ve spent time recently on a chore you didn’t sign up for: finding out if hackers possibly stole information about you from Equifax Inc. - What makes the situation especially awful is that you never had much choice about entering into a relationship with Equifax."...


    https://www.bloomberg.com/news/features/2017-09-14/thank-you-for-calling-equifax-your-business-is-not-important-to-us

    1. Anonymous Coward

      Re: 'You don’t pay extra at restaurants to keep rat poison out of the food'

      That extra revenue stream may hopefully come to an end in the US - hope Europe will follow soon.

      1. pirxhh

        Re: 'You don’t pay extra at restaurants to keep rat poison out of the food'

        Europe is leading the US by a wide margin in this - the EU General Data Protection Regulation (EU GDPR) is already in force and becomes fully mandatory on May 25th, 2018. This unifies the much stronger stance on privacy prevalent in Europe - in part this is due to different perception; Europeans generally care more about e.g. your neighbor knowing how much you make but less about nudity than their US counterparts.

        The EU GDPR has significant fines attached, i.e. 4 percent of annual global turnover or 20 million Euros (about 22 million dollars), whichever is greater.

        1. Anonymous Coward

          Re: 'You don’t pay extra at restaurants to keep rat poison out of the food'

          The EU GDPR has significant fines

          Whilst agreeing that the US authorities are laggards on data protection (undoubtedly Google are trying to ensure this remains so), we've yet to see how European regulators interpret and enforce the GDPR rules.

          I suggest that the draconian sounding GDPR fines will not reflect in any way what organisations actually pay. Looking at other regulatory fines, anybody expecting big numbers could well be disappointed. Take UK energy supplier E.ON. They had an obligation to install "advanced meters" at all business premises by April 2014, and failing to do so would incur a penalty of "up to 10% of UK turnover", which was about £9bn. So in theory they could have been fined £900m. In practice, they missed the target by a significant measure, and the penalty imposed was £7m. Technically the actual fine element was only two quid, with £7m paid to an "industry related charity".

          So, if that's indicative of the thinking of regulators (and Ofgem are the most aggressive regulator when setting penalties), what do you think Talk Talk would have been fined if GDPR had been in force back in 2015? My guess is around £6m-10m. Better than the £400k they got fined by the ICO at the time, but still dwarfed by the £35m cost of sorting the mess out that they reported. And if they had been fined that £6m-10m, it would have been a measly 0.4% of TalkTalk's £1.8bn turnover that year. I think that's what people should expect when GDPR comes into force, I'm afraid.

          1. Potemkine! Silver badge
            Trollface

            Re: 'You don’t pay extra at restaurants to keep rat poison out of the food'

            we've yet to see how European regulators interpret and enforce the GDPR rules. [...] Take UK energy supplier E.ON

            Everybody knows that UK is not in Europe ^^

  5. Anonymous Coward

    This is what you get when you let corporations & lawyers run your country

    “It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,"


    https://www.bloomberg.com/news/articles/2017-09-08/one-thing-all-of-government-agrees-on-equifax-deserves-grilling

    ======================

    "Equifax Hack Is ‘Exhibit A’ in Case for Regulation - ‘Pathetic’ Remedies .... The company’s remedies for the breach were "pathetic" and that offering one year of free credit monitoring to consumers provided "scant protection" to those who were harmed. Equifax should offer free credit monitoring indefinitely and should drop its charges of up to $10 to consumers who want to freeze their credit"


    https://www.bloomberg.com/news/articles/2017-09-11/equifax-hack-is-exhibit-a-in-case-for-regulation-durbin-says

    ======================

    "We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims," the attorneys general said. "Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families.”


    https://www.bloomberg.com/news/articles/2017-09-15/equifax-asked-by-ags-to-stop-selling-credit-monitoring-services

  6. Anonymous Coward

    The Elephant in the room

    "Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so."

    "That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete."

    https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html

    1. Phil Kingston

      Re: The Elephant in the room

      Question is, will the potential fraudsters just happily sit on the information for 366 days before trying to use the information they've obtained?

    2. JCitizen
      Black Helicopters

      Re: The Elephant in the room

      A permanent credit freeze is the only way to address this effectively for now. If this article is suggesting that it will be done - I don't believe it. I called my congressman and demanded that Equifax do this for free and give at least 3 free "unfreeze" actions for the future.

      I don't think all readers here know that all other reporting agencies synchronize to catch up to the same level of data accuracy within a maximum of 3 months, so it isn't always necessary to write a letter to all three of the big ones. They all get the same data eventually. I only had to put a free fraud alert on one of the big three, and it spread to the other two automatically. Unfortunately they only last 90 days. I'll be damned if I'm going to pay for Equifax's mistakes!!

  7. Anonymous Coward

    _ We pay taxes for this shit? _ - Government always the last to act...

    Equifax warehouses the most intimate details of Americans’ financial lives, from the credit cards in their wallets to the size of their medical bills. But the company doesn’t face the constant monitoring and auditing that help strengthen banks’ systems and data protections. Despite the wealth of sensitive information in its databases, Equifax, in essence, falls through the regulatory cracks.

    https://www.nytimes.com/2017/09/08/business/equifax.html

    ----------------------------

    So if a data-storage credit agency loses pretty much everyone’s data, why should it be allowed to store anyone’s data any longer? Here’s one troubling reason: Because even after one of the gravest breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the problem is bigger than Equifax: We really have no good way, in public policy, to exact some existential punishment on companies that fail to safeguard our data. There will be hacks — and afterward, there will be more.

    Consumers also have piddling rights over how Equifax may continue to use their credit data. “There’s nothing in any statute or anything else that allows you to ask Equifax to remove your data or have all your data disappear if you say you no longer trust it,”

    https://www.nytimes.com/2017/09/08/technology/seriously-equifax-why-the-credit-agencys-breach-means-regulation-is-needed.html

    1. jimdandy
      Windows

      Re: _ We pay taxes for this shit? _ - Government always the last to act...

      There is an answer to this: make every agency that uses personally identifiable data in its profit-making enterprise completely responsible for the safe and secure handling of that data. Make any profit-making user of that data responsible to at least one level higher than that of the individual who actually "owns" that data, since said agencies are making a profit from that data.

      Nobody I know willingly serves their personal data to the web "with intent" to have it used for other peoples/companies purposes. Granted, they should know better; but how does that make them "fair targets" for criminal enterprises? Oh, and by the way, just how does not knowing that the big Data Corporations refuse to take care of an individual's personal data make that individual responsible?

  8. Anonymous Coward

    Wow! The system is such a Clusterfuck!

    'Debt Collectors Have Figured Out A Way To Seize Your Wages & Savings'

    http://www.huffingtonpost.com/2014/06/02/debt-collectors-wages-savings_n_5364062.html

    ------------------------------------

    'It's Disturbingly Likely That Your Credit Report Is Wrong'

    http://www.huffingtonpost.com/2014/08/11/credit-report-bureau-mistakes-_n_5661956.html

  9. Potemkine! Silver badge

    Are personal data yours?

    It's shocking that some companies would own a lot of data related to your private life and you would have no rights over how these data are handled, used, or transmitted to somebody else.

    Each one should have the legal right to ask those companies to erase his/her personal data. Whatever social media gurus say, privacy does still exist.

    1. Zog_but_not_the_first
      Headmaster

      Re: Are personal data yours?

      Shocking but not surprising, sadly. If the corporations who run the world declare privacy to be dead, who are we to argue?

      Pedant's thumbs up for "these data".

  10. dvd

    I don't get why forcing you to pay to manage this data isn't extortion, and why mistakes in this information that is shared with third parties aren't libel.

    1. Prst. V.Jeltz Silver badge

      exactly .

      I don't get why collecting it in the first place isn't illegal.

      1. Anonymous Coward

        Sadly it's usually covered in small print on contracts many of us sign. The management of the information needs to be improved though, it's completely out of hand.

  11. matthew.wilson@pobox.com

    They should have been reading The Register! I read about this bug on this site, I sent up the balloon and we had it patched overnight. I found a ready-to-use curl command that I could use to show the devs just how serious the problem was, and there were no arguments.

    I'm actually a bit surprised by how few international-headlines breaches were caused by that bug.

  12. Anonymous Coward
    Unhappy

    Wow I CAN see the future...

    "The CIO will be fine.

    Few million golden parachute and a cushy number somewhere else.

    Feel sorry for the poor buggers at the bottom."

    Source: Me from last week.

    Well looks like I need to buy a Lotto ticket this week then.....

  13. Luke Worm
    Joke

    Struts

    Struts is Swedish and means ostrich. That's why everyone was hiding their head in the sand.

  14. Anonymous Coward
    Trollface

    But Struts is open source!

    Many eyes, but all looking at pr0n...

    1. c1ue

      Re: But Struts is open source!

      I was at a presentation 2 weeks ago by one of the 2 people who publicly pushed hard for open source code, 10 years ago. Internet Hall of Fame, ICANN security committee, etc.

      He's now switched gears completely.

      He said that 10 years ago, there were 50 million lines of open source code and that it would be reviewed by multiple sets of eyes.

      However, today there are 50 billion lines of code - most of which will never be reviewed by more than the author.

  15. Lee D Silver badge

    Does it also explain why a database with hundreds of millions of people's details did not have any intrusion detection, query limits, isolation from the front-end web-app, etc., etc., etc.?

    Even with complete root access to a web-app server, you shouldn't be able to just suck out the entire database without SOMETHING noticing.

    1. Anonymous Coward
      Anonymous Coward

      you shouldn't be able to just suck out the entire database without SOMETHING noticing.

      Well, everybody claims they have these controls in place. It's just that after a breach, it turns out they didn't, or the controls didn't work. I used to work on commercially sensitive data for a large, high public profile company. We certainly had internal access controls on folders, but it wasn't clear if there was any more than that. I asked our IT people and my line managers if we had the means to check when files were being accessed and what happened to them (e.g. out of hours snooping, mysterious volume transfers, or even atypical access by a permitted user). I was told "yes, yes, we've got all that". But when asked for examples of the monitoring, nothing was ever produced. And no alarm bells were set off when a colleague emailed his entire Outlook archive to his home email address on his last day in the office.

    2. timbo2001

      I know, right?
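The kind of control comments 15 and 15.1 ask for, as an added example that is not part of the thread: a volume-per-window and out-of-hours check over constructed database audit-log lines, with thresholds and the log format being assumptions.

```python
"""Added example: minimal 'SOMETHING noticing' for bulk data pulls.
Reads constructed audit lines of the form '<ISO time> user=<id> rows=<n>'
and raises alerts for (a) more than ROW_CAP rows returned to one principal
within WINDOW and (b) any access outside BUSINESS_HOURS. Thresholds and the
log format are assumptions for the example, not Equifax's real controls."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a web-app service account doing normal per-record
# lookups by day, then pulling tens of thousands of rows at 02:13.
SAMPLE_LOG = """\
2017-09-01T09:02:11 user=webapp rows=1
2017-09-01T09:02:12 user=webapp rows=1
2017-09-01T09:05:40 user=webapp rows=3
2017-09-01T14:10:02 user=analyst1 rows=250
2017-09-02T02:13:09 user=webapp rows=48000
2017-09-02T02:13:10 user=webapp rows=52000
2017-09-02T02:13:11 user=webapp rows=50000
"""

WINDOW = timedelta(minutes=5)   # sliding window for the volume rule
ROW_CAP = 10_000                # rows per principal per WINDOW (assumed)
BUSINESS_HOURS = (8, 19)        # [start, end) hour of day (assumed)


def parse_lines(text):
    """Yield (timestamp, user, rows) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, user, rows = line.split()
        yield (datetime.fromisoformat(ts),
               user.split("=", 1)[1], int(rows.split("=", 1)[1]))


def detect_anomalies(text, window=WINDOW, row_cap=ROW_CAP, hours=BUSINESS_HOURS):
    """Return a list of (user, kind, timestamp) alerts; kind is
    'out_of_hours' or 'volume'. One alert per offending event."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, rows)] inside the window
    for ts, user, rows in parse_lines(text):
        if not hours[0] <= ts.hour < hours[1]:
            alerts.append((user, "out_of_hours", ts))
        q = recent[user]
        q.append((ts, rows))
        while q and ts - q[0][0] > window:   # expire events older than window
            q.pop(0)
        if sum(r for _, r in q) > row_cap:
            alerts.append((user, "volume", ts))
    return alerts
```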

  16. Sykowasp

    I'm going to guess that patching Struts on hundreds of internal applications was decided to be too difficult in a short time.

    So they patched their external-facing routers/firewalls to remove #cmd=xyz strings from http headers.

    And it went wrong or wasn't applied everywhere; regardless, the attacker found a way past this to an affected server.

  17. cuddlyjumper
    Facepalm

    I wonder...

    ...if they'll be putting this stuff on their LinkedIn profiles

  18. Martin
    WTF?

    Incompetence is bad, but there is worse....

    Data breaches happen - but this is a company whose whole raison d'etre is looking after data - and they managed to lose the lot! If a bank had lost all its customers' money, they'd be shut down.

    Personally, this is what upsets me the most about this particular breach.

    1. timbo2001

      Re: Incompetence is bad, but there is worse....

      Agreed. When I first read that, I thought "insider trading, you nasty b*st*rds"; jail for you!

  19. RainForestGuppy

    Just appoint anybody to CSO

    Judging by the quality of sales calls I get, I think they are used to dealing with Senior Security officers not having a security background.

    Every day I get multiple "how product x can solve your GDPR issues" bullshit, or worse, the "Artificial Intelligence" secret sauce product that can detect and alert you to all your security issues, type calls.

  20. hitchslap

    Congratulations Equifax......You blame the very people who have, in all likelihood, been pressuring for more frequent security patching as well as other changes. This is why being a CISO is truly a terrible job. If you do it well nothing happens and it's BAU. But you are viewed as not making any money for the company, or bringing in more customers...in fact all you do is spend money and slow up project delivery. A CISO is always seen as a major thorn BUT the minute something goes bang all the eyes turn to the CISO....he or she is then screwed, and the most laughable part is that they are often not on the board (despite the C tag) and they are certainly earning far less than other C-Level execs.

    1. JCitizen
      Megaphone

      The US Congress has been threatening...

      to pile more regulation on the credit reporting industry for years, but the big 3 always manage to convince them that they've got it down pat. I hope this is the straw that broke the camel's back and they finally lower the BOOM on them!!

  21. Hans 1

    Where are the defenders of outdated software, the defenders of lethargy when it comes to software patching when you need them, hey?

    I keep saying you need to keep your software up-to-date, at all costs ... costs are within reason, if you plan appropriately ...

    I see everyone here is fine with dissing the manglement of Equifax, but, honest question, how's YOUR patching going?

    One wise saying, patch or feel sorry! If you cannot get a patch from your software purveyor in a timely manner, choose another who can ... you will notice the best are usually FFS purveyors.

  22. c1ue

    I would just point out that there are dark web databases with 170M+ SSNs, addresses and name groupings already.

    The interesting part will be to see just how much the coverage increases with Equifax.

  23. Floz

    I've got f-all in formal education for >INFORMATION< technology.

    My background is military electronics (RF systems) and automotive systems. Somehow (dumb luck and being a computer geek/hobbyist for decades) I landed a sysadmin position.

    I don't leave default passwords set on systems. My kids don't either, hell, my 8 y/o can tell you what a botnet is (albeit in rather broad strokes).

  24. Barry Rueger

    Takeover target?

    If you consider the depth and breadth of data held by Equifax, and the apparent complete lack of regulation, I can't help but think that one of either Facebook or Google is destined to buy them up.

  25. Anonymous Coward
    Anonymous Coward

    What you knew yesterday (or when you graduated) about cyber security is already outdated

    I wouldn't hire anyone with a master's degree in computer science much less give them Chief Security concerns, unless they spend time regularly (if not daily) familiarizing themselves with the absolutely latest discoveries and changes in Cyber Security. Including but not limited to attending hackers conventions, consulting with specialists, and reading, oh and did I mention reading. The degree (piece of paper) is useful to start a discussion, after that ongoing education is required regardless of your base education. I'd happily take a music major who is invited to present regularly at conventions over a CS major who graduated 5 years ago, and is still using the system he learned on in the computer labs in college. Security is a domain that changes daily. Your last year's implementation is already outdated, along with your degree. When you are a company responsible for storing the involuntarily provided significant personal information of every American who uses credit you WILL have the absolute latest technology in place - and a staff that evolves regularly.

    1. JCitizen
      Pint

      Re: What you knew yesterday (or when you graduated) about cyber security is already outdated

      You hit that right on the nail head - have a sip for me!

      1. John 104

        Re: What you knew yesterday (or when you graduated) about cyber security is already outdated

        @have a sip on me.

        You cheap bastard! It's a virtual beer! At least give him the whole pint!

    2. DropBear
      Devil

      Re: What you knew yesterday (or when you graduated) about cyber security is already outdated

      While that is all nice and well and having only a degree in music doesn't prevent you from being a kick-ass security pro, statistically speaking it makes it incredibly unlikely that you have any shred of a clue whatsoever in that field. It puts the onus of proving otherwise squarely on you or else it lets people entirely rightfully assume you're a clueless numpty who got the job on the merits of entirely different body parts than her brain.

  26. MarkSitkowski

    Yes...But Who Stole It?

    All that data is sitting on the hacker's computer, somewhere. Have they yet determined where the breach came from?

    1. jimdandy
      Windows

      Re: Yes...But Who Stole It?

      Doesn't really matter. If they are a bunch of script kiddies who lucked upon an open gap due to well-posted systemic failures, they are just pouncing and doing what feral children do. IF they are part of a well-funded criminal syndicate, we are all toast. These guys know what the game is and they will dredge up what they need and then send it on down the line for the bottom feeders to enjoy.

      If this is a true State-level breach, then much will be withheld until the best possible time for non-monetary purposes.

      The worst possible outcome is that this is one of many eruptions yet to come. And if it isn't, then what the fuck could it possibly be?

      Perhaps the end of this "distributed" electronic economy?

  27. a well wisher

    Probably just a coincidence then that the majority of C level execs all dumped large quantities of shares just days after this happens, despite allegedly having no knowledge of the actual hack having taken place.

  28. John 104

    Am I Insane or...

    I see a lot of folks sticking up for the two that got sacked. Excuse me, but they knew about it, failed in their implementation and then what? Did nothing? These two are not off the hook. Expect to see them in congressional hearings at the very least.

    As for Equifax, sure they are doing what they can to assuage consumers' fears, but not enough. Their "check your SSN" site is still a joke. A user should be able to just put the last 4 of the SSN in, along with a last name, and get results. WITHOUT signing up for anything.

    I expect a class action lawsuit will be forthcoming. It will present damages so high that Equifax will be no more. What monies they have after the pay out will go to government fines and an escrow account used to pay for identity protection for the entirety of the US for the next 80 years. They are finished as a company. Anyone besides damage control folks would be wise to start looking elsewhere for work.
