Slashdot Mirror
Equifax CEO: All Companies Get Breached (fortune.com)
An anonymous reader quotes Fortune:There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. "There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it," he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it...
Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
My cousin runs a company and they build houses. He keeps all his business on ledgers and note books. Not a efficient way to run a business but it is his way. He has never been hacked.
I read at +2. If your post doesn't reach that level I will not see or respond to it.
There are many things to criticize about Equifax, and their handling of this breach. This is not one of them. People in the security industry (such as myself), talk about "breach mentality" vs "castle mentality". Castle mentality is the old style of thinking where companies think that if they just build a strong enough wall, they will never be breached and they can leave their internal network a mess. Breach mentality is to assume you are already breached or will be breached at sometime in the future. This is the sensible approach to security, and the most realistic/practical approach. The goal is to secure everything as best you can to help withstand and catch a hack. It remains to be seen if Equifax actually took reasonable steps to secure their network from breach, or not. I am betting they did not, given their crappy response times and apparent total compromise.
As he stated, all companies get breached. But we are not criticizing all other companies. We are criticizing his. He just appears to be deflecting blame, and pivoting things against his company, by stating "all companies get breached".
This was a big fuck up, no doubt about it. Mr Smith: what did your company do about it? You delayed reporting it for several weeks. You had executives who have been accused of insider trading as a result of this breach. And now you give me this pathetic excuse? Is that the best you've got?
Go get fucked.
It's holding data. If a company wants to risk my security by profiting from amassing data on me I should be able to have some finiacial recourse when they injur me with their breach. If they can't secure my data then they should not hold it. If one really feels that all companies will be breached then that person should actually know what they are doing is going to cause an injury and therefore should be liable for it.
liability is the key here. Until companies have a dear cost associated with lack of security there will be no security.
But that's not enough. we can't have companies who are good citizens, paying money to protect others, masking data so it is stored more anonymously, and so forth incurring higher costs that some jackass comapny willing to pay fast and lose. Those risk taking companies will have lower costs of operation and put the conscientious companies out of bussiness. When they fail sometimes we respond by crippling the whole industry rather than punishing the shareholders of the bad companies.
So we need not just damages but 10 fold punative damages that reach to the stock holders that invest. Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.
then we'd see some good data practices. We'd see companies clamoring to be regulated. we'd see a lot less naked storage of raw data behind single passwords.
it's not the breach. It's the gathering of data without direct consequences for it's loss.
Some drink at the fountain of knowledge. Others just gargle.
The level of incompetence in corporate IT at times is staggering!!! https://thedailywtf.com/articl...
Until there are -real consequences- to management (personally and individually) from getting hacked, CxOs of all stripes (CEO, CIO, CISO, etc) will continue to get away with this.
This is leftist propaganda, trying to give businesses a bad reputation for security. The real problem here is the use of a nine digit government issued ID that the government doesn't allow you to change and requirea you to share with financial institutions as proof of identification. The problem here is not the private sector but that the government has failed to use secure methods of authentication such as two factor authentication and public key encryption. Let the private sector create industry standard secure methods for identification and authentication, and get the government out of our lives. We don't need the left giving businesses a bad name when the government is the problem. However, the Democrats are too busy stopping business in the Senate like addressing the Obamacare implosion so they can move on to fixing the fact that we're stuck in the 1930s when it comes to proving the identity of citizens. Provide a secure methods of proving identity and all of the stolen social security numbers are pretty much worthless.
- snruter rotsac
If all companies get breached, then no company should be allowed to keep data on a scale like that that can be so damaging if it gets stolen.
"Remember, there never were pineapple-almond cookies here."
"It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq"
IOW, The same countries who the US has been meddling with, and whose networks the US has been hacking into for years.
[citation needed]
Just making excuses - "Us getting hacked doesn't matter because everybody gets hacked!"
But this is wrong. Everybody doesn't get hacked. Invest a bit more in network security, and hacking gets much harder. Avoid some common microsoft products (windows, word, outlook in particular) and most of the hacks around won't apply to you at all.
"Equifax CEO: All Companies Get Breached "
But only you had hired a musician as an Anti-Breach specialist.
Those that we know we should fire out of a cannon and those that we don't know we should yet.
There's the third kind: The kind that doesn't store personal information unnecessarily.
Hint: You're not the third kind.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
A single word makes all the difference.
He's correct when the company does not maintain their Internet facing platform. Which is exactly what Equifax did.
I guess they decided to save money in IT. And perhaps had poorly qualified personnel. Because management doesn't understand IT, so it must be "easy" and something that should be cheap.
Equifax says: "Breaches are a cost of business!" Sorry, non-customer that we lost all of your data and our incompetence will cost you for years to come!!!
Given the vast negative effects of this breach Equifax should be given the "Corporate Death Penalty" like Anderson Accounting. Their continued attempts at 'deflection" will hopefully fail.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
This is 100% an American problem. Notice that you don't hear about European companies having data breaches, because we're smart enough to secure our networks. Identity theft isn't a problem in Europe, either, and we're also smart enough to implement chip-and-pin credit cards. This is an American problem created by American stupidity. Let's have some real tech news that affects the rest of the world instead of your pathetic American failures. Oh, and us Europeans really wish you American untermenschen would get your military bases out of our country.
... the clue train is slow in coming to equifax ... companies who ignore basic security practices get breached, the rest don't
Immutable data should not have any value at all.
My name and SSN are assigned to me. I cannot choose or change them. Thus, they should have no business value, esp no value in the credit / financial context.
My address, my employment, my family are essentially fixed as well. Again - this data could be public. It should have no value.
"Identity theft" as perceived in the US must disappear.
Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it.
The value itself must change.
All Companies Get Breached
Well that means we can stop patching software we know has open security holes/backdoors. Nice, makes our jobs much easier. I guess that means it was not Equifax's fault /s
Authorization IS NOT EQUAL TO Identification. The fiction that these two concepts are interchangeable is the source of tremendous grief and financial hardship among ordinary citizens. Surely a first step in solving our problems with these breaches would be to change our laws to make and enforce the distinction between Authorization and Identification as it relates to all contract law.
>> All Companies Get Breached
This is not even slightly true. It is just a blatant attempt at blame avoidance through lying and misdirection.
...so maybe we should not allow companies to store vast repositories of personal data that is very bad if breached?
It's a whole paradigm shift that needs to happen. Similar to best-practices with passwords today: you should never be storing your clients' passwords. Hash them, salt them, (I don't have all best practices off the top of my head) - but the end result is if the password database is breached, it is not catastrophic. We need to make personal data the same.
One way I think is interesting is through homomorphic encryption- it is possible to do arbitrary operations on data without the server ever knowing the plaintext. This is the future.
No, he's so wrong.
What he's trying to do here is add "loss of privacy" to the once-exclusive fraternity of "death and taxes".
In medicine, if you come up with a dumb, risky implant don't do it in America. You will get sued. Leaky boob bags are not a good long-term business model.
But this guy thinks that the credit rating industry doesn't need to think long and hard about their business model, because "all implants fail".
Here's another point of view: if you know up front that you can't secure the information, perhaps your business model should not depend upon amassing all this information in the first place, get out of the way, and allow the vaunted creativity of American free enterprise find a different solution to the credit-worthiness problem.
Because your solution sucks in a way that can't ever be fixed, by your own admission.
"admin:admin", that's my admin username and pass. I am Equifax, with hundreds of millions of "customers", better known as victims. How long until I get breached?
Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
Wow, and did he brag about being an oligopoly who automatically receives everyone's data whether they want to allow that or not?
Getting to that position is a much neater trick than having a profit margin of 90%. The person who got them there deserves a big bonus indeed.
Let's get a little more granular... There are companies who get breached and don't know it There are companies who get breached and know it and tell those effected There are companies who get breaching, know it, and conceal it while execs cash out
"a stagnating credit reporting agency with a 'culture of tenure' and 'average talent'...earned a gross profit margin of 90%."
Wait, don't tell me, let me guess...you spend all your obscene profit on equally obscene executive bonuses and therefore you can't afford anything more than "average" talent?
Not that parachute-lined CxOs will start giving a shit anytime soon, but this is what happens when coddling top management becomes THE priority above all else.
Iraq? Jeez buddy, didn't you get the memo? We're friends with them now, they give us oil and stuff. North Korea and Venezuela are the evil hackers now. Try to keep up.
It's been said a million times but companies always want the magic bullet solutions.
He's right that you should expect being compromised, but no safeguards were in place for what he said was inevitable.
Looking at the timeline of events it's clear that getting past the endpoints meant free reign in their network.
https://medium.com/@thegrugq/e...
Over the years the focus of the security industry has changed and it is no longer considered sufficient to have a crunchy shell with a soft interior. From behavioral analysis, to canary systems and binary whitelisting/flagging. There are so many things they could have done differently it's astounding.
By publicly asserting the unavoidability of a breach, and then having no plan of action prepared for that, he's admitting that their security plan is negligent.
In other words ''Cars crash, people die... seatbelts are useless''
Cwm, fjord-bank glyphs vext quiz
Sure, but only some of them dump stocks illegally, hire arts majors to run tech security, attempt to take away the rights of victims, send their customers to illegal phishing sites, wait months to report to the public, get into a tiff with their hired outside security consultants, and otherwise completely mishandle the aftermath.
Oh right you can't, 'cos well 'murica. Only the rich get to sue and win!
Comment removed based on user account deletion
All companies do get breached, but not because of sheer incompetence due to not patching a widely publicized vulnerability. The day after publication we told our product teams to update and the teams that had it did so in weeks, not months - and that was in on-prem products. Yet, Equifax couldn't patch their website in three months? That's incompetence.
So in regard to exposing our personal information, they are basically saying "we knew it would happen and we did it anyway".
Their corporate charter needs to be revoked
They all need to be sentenced to hard labor for all eternity.
Sorry, but security is almost purely a reactive thing.
And worse, HUMANS are tossed into the mix.
As such, security is a delaying action, at best.
If someone really and TRULY wants in, they're getting in. And pretty much nothing short of destroying your computing assets wholesale will prevent it.
Security has become so full of snake-oil salesman they they've forgotten that their primary purpose is hardening to the point where your average 6 year old with an iPhone can't get root on your production servers. And their secondary purpose is monitoring the network, both proactively and in the event of a breach.
So, even if someone gets in, you SEE it and you have a log trail.
This idea that security will keep your assets totally and completely hack-proof is utter nonsense. DANGEROUS utter nonsense.
Chas - The one, the only.
THANK GOD!!!
Try that for the article.
It eas way worse than that, (altho that password shuld NEVER be used) IIRC that sdmin sccount eas used by no it staff as well on a daily basis, how hard csn in it dipstment fail? Sorry I donâ(TM)t have a linke my source is a recent eddition of the backetpushers cofie break podcast
Saying that all companies will eventually get breached is, in my opinion, correct. The unfortunate thing is that nothing will ever be done to even try to improve the situation, because it's too easy for companies to just buy "cyber-insurance" as opposed to playing cat and mouse with "security researchers." In this situation, they don't even have to have the insurance company pay for credit monitoring, because they can give it away for free by just providing the same service they used to sell.
Unless you put nothing on the Internet and have a strict, enforceable we-will-fire-you-immediately policy for people who inadvertently leave the doors open, there's very little chance companies can stay ahead of attacks forever. The bigger the company, the worse it is. Outsourced IT makes security response many times slower as well because the problem has to filter down two reporting chains before it gets fixed (assuming anyone notices.) Even the NSA wasn't able to keep a lid on their information and exploit vault...that should tell you something. All the security in the world is nothing when you have humans in the loop.
What will be interesting to see is what happens when more companies start looking to put core systems into the public cloud. Obviously cloud providers have a huge incentive to keep things safe, but nothing's perfect. And the more complex things get, the more surface area an attacker has to work on. I'm sure there are more than a few "don't be like Equifax" FUD-laden sales calls being made in CIO offices all over the world lately.
The truth is that security has zero ROI in an environment where you can just say "oops," write a small check and move on like nothing happened. So far, nothing bad has happened to any company that has lost customer data. People still shop at Target, Home Depot, etc. and still keep their money in banks that have experienced data loss incidents. People just assume that these things happen and nothing can be done about it, and I agree to some extent.
Even average attackers can get in. Also, when you make really stupid mistakes, in a working legal system that is called "gross negligence" and you become liable for the damage you did. Of course, Equifax being really large, they do not need to fear the law.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Well when you hire a Music major to run your security. Chances are that was not the best choice. Maybe it's better to say, bad CEO's have companies who get hacked.
Why bother with medicine.
This kind of stupid argument shows just what kind of scumbags these people are.
Banks learned long ago that security measures had to be escalated along with the pile of money being kept. If a small branch only had a few $100K in cash, it didn't need the same security as a big bank with several $Million in the vault. When you have so much gold that it requires dump trucks to carry it in and out, you need the security of Fort Knox. Any bank that had $Billions stored in a file cabinet with only a single 80 year old security guard watching it, should be held responsible when it gets robbed. It sounds like that was the case at Equifax.
Your signature translates from the original Cyrillic as "douche-bag".
Yet another CEO trying to set himself apart from the corporate culture he created, fostered, or promoted. To wit:
"An agency with a 'culture of tenure' and 'average talent".
Gee Rick Smith, that sounds like a spot-on description of you, right from the horse's mouth! I'm only basing this upon the recent Equifax hack and reactions to that hack, but evidence is evidence. Also, dissing your company, when they pay you far too richly, that's so not cool.
This was absolutely hilarious.I'm certainly no security expert... I'm just a humble programmer who understands how security holes are made (heavens know I make them often enough).
:
:
Let's be 100% true to ourselves... the security crowd is generally full of shit. When I read the headline of an article (a month ago on Slashdot sometime) making some dumb-ass remark like "There have been more hacks already in 2017 than in any previous year". They whole article rambles on non-stop for frigging ages about how bad the attacks are... and it doesn't make the point of the absolute obvious... we are detecting more attacks this year than we had in the past. That means that we are probably responding to more attacks than we had in the past.
There's the issue of
“This wasn't a credit card play," said one person familiar with the investigation. "This was a 'get as much data as you can on every American’ play.” But it probably won’t be known if state hackers—from China or another country—were involved until U.S. intelligence agencies and law enforcement complete their work.
If you read the full article, it goes on and on and on about two major things
1) It absolutely has to be a government... almost absolutely certainly China!
2) It was a long game with lots of people and tiers involved.
I'll add something that concerned me a great deal...
3) "The company's suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network's internal communications and data traffic. Using Moloch, investigators reconstructed every step."
Ok... let's address #1... if it's a government, then it's for warfare, military, etc... this was a huge investment for China to make to hack like this. In addition, this is 2017 and China has almost total free reign throughout America... and everywhere else. I was working in a highly secure environment the other day and befriended a lovely young Chinese girl who speaks English beautifully. She is a Chinese citizen... not dual anything, 100% Chinese and she loves China and wants to go back. While I'm 100% sure she's the real deal and there's nothing to worry about her... she is currently working in an environment where in less than 1 day of work, she could collapse the entire national economy of one of the world's richest countries. I'll leave the details at that... but this is absolutely not an exaggeration.
Economists will probably happily say that the value of an job this scale to attack and devastate Equifax would be extremely poorly thought out if they were to invest so heavily from operating from the outside. The inside would be far smarter and more effective. And given the resources of a government, Equifax would be a relatively easy target to place someone on the inside. I'm just speculating, but I'd imagine that they have more than their fair share of international workers like every other company over 5 employees.
Then we have #2... the long game. There is lot of noise about how this couldn't be about identity theft or credit card theft... but they also talk about how whoever is doing this seems to be well financed and well organized. Jesus you idiots... pick one or the other. You're suggesting that just because the data hasn't shown up en-mass on the black market (where... Craigslist?).... then it can't be credit card related.
Let's consider... why blow your entire was leaving enormous paper trails back to yourself by selling this stuff immediately? That would be just plain stupid. Instead 99% of the information Equifax has on people can be used to establish new lines of credit. For example, the quick loan websites for people with good or semi-good credit. It would be possible to slowly but surely use the information from Equifax to apply for loans from $1,000 to $50,000 using automated software. It would be possible to draw a few dollars here and there out and move it via PayPal, Western Unio
Do what now?
Not ALL, SOME companies get breached. Then they pay the piper. Time to pay up Rick, bitch!
So - brief summary of timeline:-
Feb 24, 2016 - Annual 10K report - indicates only generic, boilerplate risks that a financial services company like Equifax should include in their SEC filing.
Jly 27, 2017 - Quarterly 10-Q filing with the SEC, indicating "There have been no material changes with respect to the risk factors disclosed in our 2016 Form 10-K."
Aug 1, 2017 - Chief Financial Officer John Gamble sells $946,374 in shares
Aug 2, 2017 - Joseph Loughran, President of US Information Solutions sells $584,099 in shares... and Rodolfo Ploder, President of Workforce Solutions, sells $250,458 in shares
Aug 17, 2017 - Rick Smith gives a presentation to the University of Georgia, discussing cyber security threats - and makes a memorable quote...
Sep 7, 2017 - Equifax admit to a massive data breach, impacting at least 143 million Americans, see here:-
http://www.independent.co.uk/n...
Sep 7, 2017 - On the same day as admitting to the breach, Equifax also admit that 3 executive sold $1.8MM in shares between the breach being detected and the date it was made public. Crucially, despite Equifax claiming that the Executives had no knowledge of the breach, none of the three sales were part of planned, scheduled trading (i.e. were covered by 10b5-1 plans). In other words, these were spontaneous sales. See here:-
https://www.bloomberg.com/news...
The crucial thing is, however, that in the above Independent article, published September 7th, is the statement,
"The Atlanta-based company said that that “criminals” exploited a US website application to access files between mid-May and July of this year - with the weakness said to have been discovered at the end of that month. "
Now, among the pieces of information we don't know are: 1) when, exactly, did the three executives sell their shares?; and 2) what internal discussions - i.e. board meetings, emails - were used to disseminate the information internally.
Obviously we're not told this, but the company will by now have received a "Preservation Order" from the SEC, requiring them to ensure that data pertaining to this event is not destroyed. Backup tapes will be pulled from cycles; current email folders will be locked; individuals will be warned that their documents are subject to such an order. Given the close proximity of events - we're talking days, not weeks or months - it should not be difficult to forensically re-create a very precise time-line.
So whilst the speech that Smith gave a the University of Georgia is going to be hugely embarrassing for him personally - and whilst the acknowledgements he makes in it will be very uncomfortable for the company - the really crucial evidence here is all about the timing. Understanding the truth behind the question, "Who knew what, and when", is going to make the difference between negligence and a criminal act.
Here is the key thing to bear in mind. That statement as reported in the UK Independent newspaper article that the breach came to light "at the end of July" is absolutely crucial. If there is enough evidence to suggest that persons within the company knew of the data breach *before* that 10-Q was filed, then I don't see how Smith and his co-directors can avoid jail time. The deciding factor [for me] is that the actual timing could very easily show conspiracy.
If there was a suggestion that a concerted effort was made to hold back the breach information until after the second quarter 10-Q, then it will not look good for the board. They are on the horns of a dilemma here. Either there was widespread knowledge of the breach and the three executives attempted of
Yes, everybody gets breached. However, the response to a breach is important, and yours borders on criminal. By the way... Way to go with that diversity hire as the head of your Information Security department. Are you going to put a doctor of philosophy in charge of accounting next?
a significant portion of Equifax Management are utterly incompetent and basically allowed one of the worst data breaches in history to happen on their watch... in which case we can only hope that shareholder lawsuits will follow.
Did you miss this one? The blood is most definitely in the water already.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
The reason you signed this post is you need to provide proof to your employer that you're shilling or you don't get paid.
It's very obvious.
Maybe you don't like the USA or maybe you're just poor and need money. But the less stable the US becomes.... and your work does destabilize the USA, the more likely it is that we will find some poor countries to drop bombs on. Probably your country will have it's turn well before there are any revolutions or major shifts in global hegemony.
I want you to spend a few minutes looking at pictures of crying blown up kids in iraq and syria. Are you ready to sign your children up for this life? Because when the republicans take over, and americans get scared. We make jobs by building bombs.. and we sell bombs to drop them on poor people.
US Hacking of Iran in behalf of Israel is a proven fact.