Tech security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal

Credit-rating monitor Equifax ignored years of warnings and red flags before it was thoroughly ransacked in 2017 by hackers, who made off with the personal information of roughly 150 million Americans, Brits, and Canadians, according to another congressional probe. An investigation [PDF] by the US Senate Committee on Homeland …

  1. ThatOne Silver badge
    Devil

    Why would they do anything?

    Equifax did what's best for their bottom line: Good security is expensive, and it's not like being hacked damaged them in any way: They are still in charge of peoples' fates, just like before. So? Why bother?

    1. TReko

      Re: Why would they do anything?

      Exactly, the guilty executives left with multi-million dollar bonuses.

It was reported at the time of the hack that Susan Mauldin, the woman in charge of Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security.

If that wasn't enough, news outlet MarketWatch reported that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.

      So ignorance was followed by cover-up, and payouts to the guilty. The 120 million affected people in the hacked files are the victims, but will get zero relief.

      1. John Brown (no body) Silver badge
        Facepalm

        Re: Why would they do anything?

        "The 120 million affected people in the hacked files are the victims, but will get zero relief."

        Wrong! They all get free identity theft monitoring free for a whole free year (before being auto-enrolled in the most expensive platinum grade programmes, unless they remember to opt-out with 6 months notice). All provided by, for FREEEE,......Equifax!!!!

      2. Anonymous Coward
        Anonymous Coward

        Re: Why would they do anything?

        Ms Mauldin had been in senior security roles with HP and First Data, and as she was at retirement age, there would not have been a cyber security degree available in the 1960s/70s when she gained her music degree.

        Male CISOs at breached organisations aren't subject to the same criticism based on their early education choices.

        1. LucreLout

          Re: Why would they do anything?

          there would not have been a cyber security degree available in the 1960s/70s when she gained her music degree.

If she wanted to be in charge of security at an important organisation then she should have done one in her spare time at the point they became available. Or completed sufficient professional training in regards to security rather than restringing guitars.

          Male CISOs at breached organisations aren't subject to the same criticism based on their early education choices.

Utter rot. I don't care about the diversity boxes the top snout ticks or not, I care that they have the professional competence to keep my data secure - especially where I have no choice but to provide it to them.

There's simply no excuse for not having a related technical degree in a field for which you hold a senior technical position. No excuse at all.

    2. Doctor Syntax Silver badge

      Re: Why would they do anything?

      "Why bother?"

      Because it's a regulatory requirement to operate. Or at least it should be. The article suggests that the message is finally getting through to legislators.

      1. ThatOne Silver badge

        Re: Why would they do anything?

        > Because it's a regulatory requirement to operate

        In theory yes, but in practice there is absolutely no drawback in ignoring those regulations.

        One could say the whole thing is only based on the offenders' sense of morality. A little like saying "Please don't steal/murder, because it's forbidden to do so". Some deterrent indeed...

        As for the legislators deciding on something more compelling (despite lobbying and general calls for "self-regulation"), I definitely wish that would result in something efficient, but I don't hold my breath. I don't know what's beyond that thin layer of "let's surf on the wave of popular outrage", and if it is strong enough to stir the molasses of habits, entitlements and old boy networks. Only time will tell.

      2. uccsoundman

        Re: Why would they do anything?

        Increased regulations will NEVER pass! Why? First, security is expensive. Second, lobbyists from the companies will spread $$$$$$ around Congress. Third, we are a country run by a businessman's party, for business, and the ONLY rule our government recognizes since the 1990's is "Enhancing Shareholder Returns".

      3. John Brown (no body) Silver badge

        Re: Why would they do anything?

        "Because it's a regulatory requirement to operate. Or at least it should be. The article suggests that the message is finally getting through to legislators."

Yes, despite the initial hand-wringing and cries of "socialism!!!", the US is slowly coming around to the GDPR way of thinking, one security breach at a time :-)

    3. Version 1.0 Silver badge

      Re: Why would they do anything?

      Just look at what's happened since the hack, big bonuses and retirement for the executives, they fired a few of the low paid techs and now it's business as usual - their share price is rising again.

      No need to worry, it wasn't their data that was lost was it? These companies make money by selling information about third-party entities so security was always relatively insignificant - what they really worked hard at was making people pay to access the credit profiles.

      1. MachDiamond Silver badge

        Re: Why would they do anything?

        The big problem is nobody in charge faces jail time. Handling PII is a huge responsibility since it can affect so many people's lives that there should be severe penalties including jail time for management if they are found to be negligent. It may convince some companies that collecting and storing PII is too much of a liability and doesn't contribute enough to their bottom line to do it. As it stands, there is so little downside to gathering, storing and selling the information that many companies see it as an asset.

        1. don't you hate it when you lose your account

          Re: Why would they do anything?

Most of them actually see it as their god-given right and it seems that it's getting worse. I recently had two shops try to get personal details from me, for a cheap pair of shoes and an over-the-counter medicine (anti-stink foot powder). Both times they were shocked at my refusal, both times I explained they had no legal right to take my details and were in fact breaking the law by doing so. While I got my cheapo shoes, at the pharmacy the manager was called and after I explained the situation to her she threatened to call security to arrest me. So this is what they want and most of the time get away with. Also the reason I have none of these points cards for the big chains.

      2. John Brown (no body) Silver badge

        Re: Why would they do anything?

        "what they really worked hard at was making people pay to access the credit profiles."

Not hard enough, obviously, since someone walked away with 160 million people's records, i.e. the company "product", and didn't pay a single dime for any of them.

    4. jelabarre59

      Re: Why would they do anything?

I've thought that if those same hackers started providing a service of *cleaning up* people's credit records, purging out bad reports and replacing them with good ones (thereby boosting the credit score of whomever employs that hacker for the clean-up job) you'd start seeing the security being shored up right quick. Once it got out that Equifax's (and the other reporting agencies') data had been invalidated by hackers, their bottom line would plummet.

      Now *there's* your incentive for you. Granted, I wouldn't be trusting the hackers to fix my credit *without* taking advantage of the information for themselves, but the possibility of bad-actors being able to manipulate the very data that is the lifeblood of a company *should* be enough to scare them into locking their systems down. But that would necessitate the MBAs running these companies to be able to see past the BMW sales catalogue their nose is jammed into.

  2. This post has been deleted by its author

  3. cozappz
    Mushroom

    GDPR down the throat

Because of these m'rons we got the GDPR down our throats. Now, we cannot read a quarter of global sites because of the gdpr-blaming-walls.

    1. Anonymous Coward
      Anonymous Coward

      Re: GDPR down the throat

      and that's a bad thing? You do realise the websites you can't read are the ones tracking and profiling you to sell you shit that can't be arsed paying for security or actually asking you if that's ok.

      1. Dacarlo

        Re: GDPR down the throat

Not with the correct plugins and VPN they don't.

        1. Anonymous Coward
          Anonymous Coward

          Re: GDPR down the throat

          For news websites there's also outline.com which can also get you past some paywalls.

      2. Anonymous Coward
        Anonymous Coward

        Re: GDPR down the throat

        More likely that they don't get enough revenue from EU people to make it worth the potential risk of a fine, even if they believe they are doing everything right. If I had a site that mostly US focused but happened to have 5-10% of traffic from the EU, I'd do the same.

        The GDPR fines are a giant hammer that may be needed with big sites like Google and Facebook but has the same potentially devastating impact on everyone. The big sites where it is really needed are the ones who can afford fancy lawyers that will no doubt get them off with a slap on the wrist, while being a death penalty for the rest.

        1. A.P. Veening Silver badge

          Re: GDPR down the throat

          "If I had a site that mostly US focused but happened to have 5-10% of traffic from the EU, I'd do the same."

Would you cut off traffic from California as well? California is copying the European GDPR. The major difference is that California doesn't levy such enormous fines yet.

          1. Anonymous Coward
            Anonymous Coward

            Re: GDPR down the throat

            If they copy the GDPR, but not the fines, then it isn't an existential business risk the way the EU's is.

        2. Doctor Syntax Silver badge

          Re: GDPR down the throat

          "More likely that they don't get enough revenue from EU people to make it worth the potential risk of a fine, even if they believe they are doing everything right."

          Well, as the article shows, the light's even starting to dawn on your Federal government and some states are ahead of the curve. Such sites need to start thinking about how much revenue they're prepared to cut off as more and more governments wake up to the fact that abusing privacy and lax security aren't desirable.

          There's also a network effect. It depends on the sort of site but even if it's not the sort that has user participation the site that allows traffic from the EU is likely to get talked about in other forums than one that doesn't. Positive feedback will then draw more and more traffic away from the refusenik until it gets regarded as a backwater.

          1. Anonymous Coward
            Anonymous Coward

            Re: GDPR down the throat

            Don't get me wrong, I want to see the US support better privacy and data handling. I'm just saying it totally makes sense for the way US sites are treating it now.

            Even if the US gets better protection, to the extent the GDPR differs it might STILL make sense for US sites to block EU users, because the risk of running afoul of the letter of their law is still very significant.

            If they were more reasonable about the fines, and fined based on a percentage of the EU derived revenue rather than overall revenue, it wouldn't be so scary. But if you make 5% of your revenue in the US and run the risk of being fined 5% of your revenue I hope you can see why many sites are taking the easy way out.

            If the US did the same stupid thing then pretty soon a company would run the risk of being fined over 100% of their revenue, if they had an Equifax like breach that hit in a bunch of states/countries, all taking their own 5% cut...

            If the goal is to make it painful, then fine them a higher percentage, but base it on their in region revenue only. It makes no sense that if you violate GDPR in both 2018 and 2019, and your EU revenue is flat but your US revenue doubles, that the EU should collect a bigger fine based on that increased US revenue.

            1. Mark 110

              Re: GDPR down the throat

              I am with the EU on this one. Take reasonable measures to secure your users data or go fuck!!

            2. MachDiamond Silver badge

              Re: GDPR down the throat

There has to be a real downside. Fines are usually very low in comparison to the offense and companies just figure them in as a cost of doing business. If the allegations that Equifax was running fast and loose with security, either to save money or just through gross incompetence, are true, they should be in danger of being fined out of existence. At that point, companies may take a more serious stance on how they manage security. Not only could a CEO not get their "bonuses", they would have a huge black mark on their resumé by being at the helm of a company that F'd up so bad that The Man fined them a whole year's gross income (with employees being guaranteed their final checks and unused holiday pay).

              1. Charles 9

                Re: GDPR down the throat

                But then there's a downside to the downside: it could make those big transnationals resort to the bag of tricks: bribery, legal chicanery, or as a last resort, political campaigning and threatening to take a much-demanded service (or worse, their tax payments) out of their reach.

    2. N2

      Re: GDPR down the throat

      Absolutely fine by me

  4. Anonymous Coward
    Anonymous Coward

    What a coincidence

    I just received a postcard informing me of possible unlawful use of my personal information due to a data breach from another company with little to no regard for privacy/security...

    Experian

  5. Mark 85
    Devil

    So Congress will fix it by passing a law that won't be specific or enforceable.... But dammit...Congresscritter will shout that "WE DID SOMETHING!!!!!" Er.. maybe. Depends if the two parties can agree on how to write it, shape of the table, the color of the room where they will meet and what snack items will be available.

    Icon: Closest I could find to a sarcasm icon.

  6. Alister

    We don't need more regulation

    What we need is for actual real consequences for companies who are shown to be negligent.

    Equifax has shown such an appalling lack of basic security that they should be closed down, and have their licence to act as a credit-reference agency revoked.

    They hold information which impacts on everybody's lives, and other companies make decisions based on the data Equifax hold which can literally have life-changing consequences.

    1. Teiwaz

      Re: We don't need more regulation

      Equifax has shown such an appalling lack of basic security that they should be closed down, and have their licence to act as a credit-reference agency revoked.

      I expect some real people work there.

Responsibility should fall on those responsible. Senior Management of companies like this should not be able to slither away to take up roles elsewhere.

      It's the only way (or at least should be) to ensure money gets spent on security.

      1. Charles 9

        Re: We don't need more regulation

        How when those senior execs possess the money and lawyers to shirk off the blame? Even campaign for a wholesale change of government in the extreme case?

    2. Doctor Syntax Silver badge

      Re: We don't need more regulation

      "What we need is for actual real consequences for companies who are shown to be negligent."

      Yes. It's called regulation.

      For a company so removed from any situation where they don't interact directly with the people whose data they are collecting there's no chance for market forces to operate on them. In that case the only consequences that can happen are legal sanctions. You don't have legal sanctions imposed out of thin air just because it becomes obvious that someone did something bad or was negligent in some way, at least not in a free society. It requires that they have breached some specific legal restriction.

      It makes no sense to call for "real consequences" and then say we don't need more regulation. If there are currently no real consequences for breaches like this it's a clear indication that more regulation is needed.

Sadly the continued existence of Facebook and the like shows that market forces don't seem to have much influence even when there is direct interaction.

      1. A.P. Veening Silver badge

        Re: We don't need more regulation

I agree with most of your post, but you are overlooking existing regulation which already applies and has teeth: GDPR. It is applicable as information about Brits is involved.

        1. PTW

          Re: We don't need more regulation - GDPR not applicable

          for the Brits as it happened before GDPR was in place.

        2. Doctor Syntax Silver badge

          Re: We don't need more regulation

          "It is applicable as information about Brits is involved."

          Article 32 says ‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.

          Rightly or wrongly the sort of management thinking illustrated here is likely to look at the mention of costs and decide they've got a let out.

          In any case, I'd have thought US citizens required something better than 2nd hand protection. A business that carries data of this sensitivity and volume should in any case be subject to more active regulation than GDPR which is passive and part self-regulatory. GDPR depends on either an aggrieved individual making a complaint or the organisation itself reporting issues to the regulator. An active regulation would be a requirement for a license and annual audits of which the security aspect would include ensuring systems were patched and maybe some penetration testing. Without that there's a likelihood that management will adopt a wait and see approach and try to trade the cost of being caught against the probability of being caught.

          With a license and audit approach things change from fines as a cost of doing business to doing the job right as a cost of staying in business. It's a difference that can focus the managerial mind amazingly well.

      2. MachDiamond Silver badge

        Re: We don't need more regulation

        There are some regulations but they are so vague and have such small teeth that it's less money to pay the fine than upgrade software across several server farms. If a multi-billion dollar company is fined one million which then gets reduced to five hundred thousand and a stern look, there is no motivation to overhaul anything (at a much higher cost).

        There does need to be more specific regulations with better defined fines that will impact any company that must pay them. Obviously, a small company being fined 1 mil would put them straight out of business and a larger company would just have somebody in accounting cut a check without a backward glance or diminution of executive bonuses. Pain is one of the best teachers. If you were lucky enough to get spanked as a child for misbehaving, you may appreciate that concept. If there were never any consequences for acting up, nobody would ever learn right from wrong. Look at Elon Musk. He keeps yanking the tail of the Securities Exchange Commission like a squeaky toy and has been getting away with it for a while with just one paltry set of fines. $20 million dollars isn't all that much for somebody that buys 5 mansions in California at a time for much more. Maybe he would have bought a sixth. Take away his ability to be CEO for 5 years and receive no salary or payouts of any kind other than what any other stockholder would get and maybe he'll feel some pain.

    3. phuzz Silver badge

      Re: We don't need more regulation

      have their licence to act as a credit-reference agency revoked

      As far as I can tell, they don't have any kind of a license, because there is no requirement for such a thing. They do have to comply with something called the "Fair Credit Reporting Act", none of which has anything to say about them allowing private information to be stolen (it's mainly concerned with making sure an individual can access their own credit report).

      Perhaps you do need more regulation? Like, I dunno, maybe licenses?

      1. MachDiamond Silver badge

        Re: We don't need more regulation

        "As far as I can tell, they don't have any kind of a license, because there is no requirement for such a thing."

        In the US, companies that report on the credit of customers have to operate under a specific set of laws regarding accuracy. Apparently, privacy and data security aren't covered.

        Companies that collect and sell a whole array of personal information but not credit information are totally unregulated. In another decade or so maybe there will be some weak effort to seal that up. I expect that if a database containing PII on the entire US Senate is pilfered and winds up as part of the offerings of one of these Big Data companies openly, things might move a bit faster.

  7. Picky
    Unhappy

    licence to act

and have their licence to act as a credit-reference agency revoked: do they need one?

    1. Alister

      Re: licence to act

      do they need one?

      Good point. Maybe some regulation to require licensing of credit reference agencies would be good... :)

      1. ciaran

        Re: licence to act

        Yes, with an obligatory insurance that pays out when anyone is subject of a data breach. That would mean the company is policed by the insurance company. The US is supposed to like a free market, I'm always amazed that they don't just inflate the insurance requirements of any strategic/sensitive industries...

        1. Charles 9

          Re: licence to act

          Simple. At that point it becomes cheaper to bribe.

          1. A.P. Veening Silver badge

            Re: licence to act

            "Simple. At that point it becomes cheaper to bribe."

            The solution to bribery is nine grams of lead, payable by the receiver before delivery into the brain (for both briber and bribee).

            1. Charles 9
              Devil

              Re: licence to act

              Shooters can be bribed, too. ANYONE can be bribed if the price is right and if the price is lower than the price of compliance...

              1. Mark 110

                Re: licence to act

                I've always wanted a gun!!!

                Probably a good thing I live in the UK and I couldn't justify one (I'm not a farmer).

                1. Charles 9
                  Devil

                  Re: licence to act

                  It may just simply be a matter of knowing who to contact and whose palm to grease.

  8. JLV

    Outrageous!

    >legislation that establishes a national uniform standard requiring private entities that collect and store PII [personally identifiable information] to take reasonable and appropriate steps to prevent cyber-attacks and data breaches

    This type of governmental overreach and overregulation is what’s KASA (Keeping America Small, Always). Credit scoring companies bring a much-appreciated vital service to the public and self-regulation is best at promoting the continuing innovation that is vital to developing cross-sector financial synergies. A vote for this is a vote for China and the hippy next door.

    Besides, what are you going to do? Jail us? For not looking after some pretty basic data on just a few people that fully consented to being in our systems. What’s going to happen to those poor little folk? They’re going to be ID thefted, you say? Hah! They’ve probably put the same data on Facebook anyway.

    If a fine must be levied, purely for appearance sake, it should be 100M $ One Million Dollars!!!

    Our campaign contributions IT security specialists will contact your congressional staffs to establish the best practices for security theatre safeguarding the public interest.

    Might we also suggest that credit reporting agencies be “regulated” by the FCC since the honorable Ajit Pai has, wisely, devolved telecom telecommunication information service oversight to the FTC? After all, we did our best to communicate private sensitive data to unknown external parties so that makes us telecommunication companies.

    1. John Brown (no body) Silver badge

      Re: Outrageous!

      "Credit scoring companies bring a much-appreciated vital service to the public"

Eh, what? They are just the recipients of outsourcing. I very much doubt any of the "public" even think about them, let alone "appreciate" them. They are middle-men who have insinuated themselves between borrowers and lenders.

  9. Anonymous Coward
    Anonymous Coward

    Surely we (UK/US) already have laws about criminal negligence ?

    Why not use those ?

How come we don't need to come up with new laws when someone is killed with a gun for the first time, rather than a knife, but introduce a computer and everyone's immune?

    1. Charles 9

      Re: Surely we (UK/US) already have laws about criminal negligence ?

      Degrees of separation. I suspect you'll have a similar problem trying to nail someone who engineered a plague.

  10. jchevali

    It looks like the managers (manipulators) + the stooges (failed hackers) underneath were too busy looking after themselves --their own careers and, while they were earning money, economy of time/effort-- to bother about protecting their customers. But why single out Equifax? Doesn't that happen in every company that reaches a certain size + a certain notoriety? I.e., institutionalized mediocrity and complacency?

  11. Anonymous Coward
    Anonymous Coward

    The Irony

Congress enacting laws making incompetence illegal

  12. Anonymous Coward
    Anonymous Coward

    I want to write a rant, but it just seems rather pointless.

  13. pyhoff@gmail.com

    Come on Europe

    Can you fine these bastards into oblivion.

    1. Charles 9

      Re: Come on Europe

      Anyone who tries would just find these firms move out of their sovereign reach, unless someone ups and becomes ruler of the entire world. And even then, they may take the Sprawl route and declare themselves sovereign.

  14. Cederic Silver badge

    being contrary

Of course Equifax had thousands of unpatched vulnerabilities. I defy any company that size to run a competent vulnerability scan and not get hundreds of thousands of the fuckers. Patching software takes time, costs money, incurs risks. Not patching software also incurs risks.

    Security isn't simple and securing data at that scale is bloody difficult. I mean, complaining that the struts admin wasn't on the security mail list? So fucking what? If they had been they'd have auto-deleted all of the emails anyway because they'd also need to be on 48 other mail lists and they can't reasonably read, absorb and respond to that volume of email.

    It's very easy to make accusatory statements following a breach like this but ignorant fools proposing legislation without understanding the domain (informed by idiots that only think they understand the domain) can only cause more issues than they resolve.

    Which on reflection is jolly nice for all of us outside of America. Nice boost to our IT industries, this.
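The two technical points raised in this thread, Doctor Syntax's "audits ... ensuring systems were patched" and Cederic's "hundreds of thousands" of scanner findings and unread security mailing lists, both come down to the same engineering problem: matching an advisory feed against an inventory of what is actually deployed, ranking what matches by exposure, and checking who is still running affected code after the patch window closes. The example below is added here as an illustration and is not code from the thread, from The Register or from Equifax. Every host name, component name, version range, advisory identifier (`ADV-0001`, `ADV-0002`), severity, publication date, the audit date `TODAY` and the 7/30-day patch windows are constructed for the example and do not describe any real advisory.

```python
"""Added example: match a constructed advisory feed against a constructed
deployment inventory, rank findings by exposure, and flag patch-SLA breaches.

All hosts, components, versions, advisory IDs and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


def parse_version(v: str) -> tuple:
    """'2.3.20' -> (2, 3, 20); a trailing non-numeric part ends the tuple."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class Deployment:
    host: str
    component: str
    version: str
    internet_facing: bool      # drives the exposure multiplier below


@dataclass(frozen=True)
class Advisory:
    advisory_id: str           # constructed identifier, not a real CVE/advisory
    component: str
    affected_min: str          # inclusive lower bound of affected versions
    fixed_in: str              # exclusive: versions >= fixed_in are patched
    severity: float            # CVSS-style base score, 0-10
    exploit_public: bool       # public exploit code exists
    published: date


def is_affected(dep: Deployment, adv: Advisory) -> bool:
    """True when the deployed version lies in [affected_min, fixed_in)."""
    if dep.component != adv.component:
        return False
    v = parse_version(dep.version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def risk_score(dep: Deployment, adv: Advisory) -> float:
    """Base severity, doubled for a public exploit, doubled again if reachable
    from the internet. Assumed weighting for the example, not a standard."""
    score = adv.severity
    if adv.exploit_public:
        score *= 2
    if dep.internet_facing:
        score *= 2
    return score


def worklist(deployments, advisories):
    """Every (score, deployment, advisory) match, highest risk first."""
    findings = [
        (risk_score(d, a), d, a)
        for d in deployments
        for a in advisories
        if is_affected(d, a)
    ]
    findings.sort(key=lambda f: f[0], reverse=True)
    return findings


def overdue(findings, today: date):
    """(host, advisory_id) pairs whose patch window has closed: 7 days for
    findings scoring >= 20, 30 days otherwise (constructed SLA)."""
    result = []
    for score, dep, adv in findings:
        window = timedelta(days=7 if score >= 20 else 30)
        if today > adv.published + window:
            result.append((dep.host, adv.advisory_id))
    return result


# Constructed inventory: two internet-facing web hosts and one batch host.
DEPLOYMENTS = [
    Deployment("web-01", "struts2-core", "2.3.20", True),
    Deployment("web-02", "struts2-core", "2.3.41", True),
    Deployment("batch-07", "struts2-core", "2.3.20", False),
    Deployment("web-01", "log-shipper", "3.1.0", True),
]

# Constructed advisory feed (version ranges and dates are illustrative only).
ADVISORIES = [
    Advisory("ADV-0001", "struts2-core", "2.3.0", "2.3.40", 10.0, True, date(2019, 1, 15)),
    Advisory("ADV-0002", "log-shipper", "3.0.0", "3.2.0", 6.5, False, date(2019, 3, 5)),
]

TODAY = date(2019, 3, 10)   # constructed audit date

if __name__ == "__main__":
    for score, dep, adv in worklist(DEPLOYMENTS, ADVISORIES):
        print(f"{score:5.1f}  {dep.host:9} {dep.component} {dep.version}  {adv.advisory_id}")
    print("overdue:", overdue(worklist(DEPLOYMENTS, ADVISORIES), TODAY))
```

Run as a script it prints three findings (web-01 first, because the same affected version on the batch host is not internet-facing) and two SLA breaches; `web-02` is absent because its version is at or past `fixed_in`. The inventory is the piece that makes the mailing-list firehose tractable: an advisory for a component you do not run never reaches a human, and one for a component you do run arrives already ranked. The same `overdue` query, run against a fresh inventory snapshot rather than a self-reported one, is what an auditor would ask for.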

  15. FozzyBear
    Devil

Until the executives are personally held liable for the actions or inactions of the company, this behaviour will continue. If I remember correctly it was a lone IT admin that was given the boot and served up as a scapegoat early in this whole fiasco.

    1. Charles 9

      Good luck trying that. Transnationals are already tough for governments to handle, seeing as how they're designed to play sovereignties against each other.

  16. shawnfromnh

This should have been a law a long time ago and all online businesses should have this in place for everything. Hell, mandatory pen testing with a minimum of tests to be done.
