Slashdot Mirror


Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com)

phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.

The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.

Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.

4 of 196 comments

  1. Incompetent idiots by Anonymous Coward · Score: 5, Insightful

    Blaming this on a single security flaw just shows how incompetent they are. It's your design and approach at security that's flawed to begin with.

    Allowing some shiny MVC framework directly accessing a database containing millions and millions of personal records is just plain dead retarded software design. This kind of incompetency should be fined, let's start with $100 for every record that got stolen in compensation. If such an incident can instantly bankrupt you, maybe then these companies start to take their software security seriously.

    1. Re: Incompetent idiots by that+this+is+not+und · Score: 5, Insightful

      A lot of 'sensitive information', namely things like SSN, are only sensitive because the credit application process has been so sensitized. Credit extending companies want it to be trivially easy to extend credit. They want the cashier at a clothing store to be able to issue a credit card to customers at the point of sale. So things that used to be ordinary accessible information like SSNs are made into secrets, for the convenience of credit issuing companies.

      When I attended college at a small liberal arts school in 1979 they didn't really have a student ID number. They just used students' SSNs as an id. So SSNs were scattered all over campus fairly freely. You used a card with your SSN on it at the library to check out books.

      There is really no reason for this not to be okay, except for businesses who want to be able to use your SSN as a sort of 'secret password' to allow you to go into debt to them.

  2. what a bs. by kiviQr · Score: 5, Insightful

    A company that holds that much information should have top notch security. That includes penetration testing, penetration detection and multiple layers. Public layer should never have access to database that has that much information. There should be an internal webservice that returns filtered information. This is 101 security!
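An added sketch of the layering this comment argues for (example code, not from the thread, Equifax or MarketWatch): the public tier never touches the record store; it goes through an internal service that allows exact-key lookups only, projects each caller down to an allowlisted field set, enforces a per-caller quota and keeps an audit trail. Records, caller names and the quota value are constructed for illustration.

```python
from collections import Counter

# Constructed sample records standing in for a consumer file (not real data).
RECORDS = {
    "C-1001": {"name": "A. Example", "ssn": "000-00-0001", "dob": "1970-01-01",
               "address": "1 Example St", "score": 712},
    "C-1002": {"name": "B. Example", "ssn": "000-00-0002", "dob": "1980-02-02",
               "address": "2 Example St", "score": 655},
}

# Hypothetical public-facing callers; each sees only the fields its use case needs.
FIELD_ALLOWLIST = {
    "score-widget": {"name", "score"},
    "address-check": {"name", "address"},
}
MAX_LOOKUPS_PER_CALLER = 100  # hypothetical quota; caps bulk enumeration


class AccessDenied(Exception):
    pass


class FilteredRecordService:
    """The only path from the public tier to RECORDS.

    A compromised front end can at most issue quota-limited single-record
    lookups and only ever receives the projected fields, never the raw row.
    """

    def __init__(self):
        self.lookups = Counter()   # per-caller request count
        self.audit = []            # (caller, record_id) trail for detection

    def lookup(self, caller, record_id):
        if caller not in FIELD_ALLOWLIST:
            raise AccessDenied(f"unknown caller {caller!r}")
        if self.lookups[caller] >= MAX_LOOKUPS_PER_CALLER:
            raise AccessDenied(f"quota exhausted for {caller!r}")
        self.lookups[caller] += 1
        self.audit.append((caller, record_id))
        rec = RECORDS.get(record_id)  # exact key only: no scans, no wildcards
        if rec is None:
            return {}
        return {k: v for k, v in rec.items() if k in FIELD_ALLOWLIST[caller]}


def bulk_enumeration(svc, caller, ids):
    """Simulates a compromised public tier walking a list of ids; returns how
    many records it obtained before the quota stopped it."""
    got = 0
    for rid in ids:
        try:
            got += 1 if svc.lookup(caller, rid) else 0
        except AccessDenied:
            break
    return got
```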

  3. Re: Not noticing?? That's bad by Anonymous Coward · Score: 5, Insightful

    They didn't officially notice the breach until after they sold off their stock shares... So they say.