Slashdot Mirror


Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com)

phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.

The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.

Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.

1 of 196 comments

  1. No circling of the wagons for Equifax by timholman · Score: 5, Interesting

    I wondered if Equifax intended to circle the wagons, hold on to upper management, and then try to buy, bribe, or schmooze their way out of this mess via political channels. For a lesser P.R. disaster than this recent exploit, such a strategy might have worked.

    But abruptly canning the CSO and CIO says three things to me:

    (1) Equifax's internal auditing shows that this mess is considerably worse than what has been publicly revealed so far.

    (2) The CEO has now shifted to "I have to save my own job" mode. The CSO and CIO have been thrown under the bus, and more will probably follow.

    (3) Equifax is going to take it on the chin, financially speaking. Canning the CSO and CIO is a clear admission that Equifax was negligent. The lawsuits are going to increase exponentially from this point. But worse than that is the overwhelming demand by millions of consumers to freeze their credit reports. Equifax (along with Experian and Transunion) makes a lot of money selling credit information to banks so that they can offer credit cards to you. Credit freezes prevent that. Every new credit freeze is another hit on the annual bottom line. Equifax is bleeding from millions of tiny cuts, and it will only get worse.

    Frankly, it couldn't happen to a more deserving bunch of guys.