Equifax CEO: All Companies Get Breached (fortune.com)
An anonymous reader quotes Fortune: There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. "There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it," he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it...
Smith's fastest-growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry," he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent'," reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
There are many things to criticize about Equifax, and their handling of this breach. This is not one of them. People in the security industry (such as myself) talk about "breach mentality" vs. "castle mentality". Castle mentality is the old style of thinking where companies think that if they just build a strong enough wall, they will never be breached and they can leave their internal network a mess. Breach mentality is to assume you are already breached or will be breached at some time in the future. This is the sensible approach to security, and the most realistic/practical approach. The goal is to secure everything as best you can to help withstand and catch a hack. It remains to be seen if Equifax actually took reasonable steps to secure their network from breach, or not. I am betting they did not, given their crappy response times and apparent total compromise.
Sure, but only some of them dump stocks illegally, hire arts majors to run tech security, attempt to take away the rights of victims, send their customers to illegal phishing sites, wait months to report to the public, get into a tiff with their hired outside security consultants, and otherwise completely mishandle the aftermath.
Also, European companies are not allowed to store much data about persons. For example, the credit rating agency in the Netherlands is not allowed to store much identifiable information in their database, pretty much only the name and birth date of the person they have credit information on.
They are not allowed to store the equivalent of the social security number, not even the address where the person lives.
So - brief summary of timeline:-
Feb 24, 2016 - Annual 10-K report - indicates only generic, boilerplate risks that a financial services company like Equifax should include in their SEC filing.
Jul 27, 2017 - Quarterly 10-Q filing with the SEC, indicating "There have been no material changes with respect to the risk factors disclosed in our 2016 Form 10-K."
Aug 1, 2017 - Chief Financial Officer John Gamble sells $946,374 in shares
Aug 2, 2017 - Joseph Loughran, President of US Information Solutions sells $584,099 in shares... and Rodolfo Ploder, President of Workforce Solutions, sells $250,458 in shares
Aug 17, 2017 - Rick Smith gives a presentation to the University of Georgia, discussing cyber security threats - and makes a memorable quote...
Sep 7, 2017 - Equifax admit to a massive data breach, impacting at least 143 million Americans, see here:-
http://www.independent.co.uk/n...
Sep 7, 2017 - On the same day as admitting to the breach, Equifax also admit that three executives sold $1.8MM in shares between the breach being detected and the date it was made public. Crucially, despite Equifax claiming that the executives had no knowledge of the breach, none of the three sales were part of planned, scheduled trading (i.e. were covered by 10b5-1 plans). In other words, these were spontaneous sales. See here:-
https://www.bloomberg.com/news...
The crucial thing is, however, that in the above Independent article, published September 7th, is the statement,
"The Atlanta-based company said that “criminals” exploited a US website application to access files between mid-May and July of this year - with the weakness said to have been discovered at the end of that month."
Now, among the pieces of information we don't know are: 1) when, exactly, did the three executives sell their shares?; and 2) what internal discussions - i.e. board meetings, emails - were used to disseminate the information internally.
Obviously we're not told this, but the company will by now have received a "Preservation Order" from the SEC, requiring them to ensure that data pertaining to this event is not destroyed. Backup tapes will be pulled from cycles; current email folders will be locked; individuals will be warned that their documents are subject to such an order. Given the close proximity of events - we're talking days, not weeks or months - it should not be difficult to forensically re-create a very precise time-line.
So whilst the speech that Smith gave at the University of Georgia is going to be hugely embarrassing for him personally - and whilst the acknowledgements he makes in it will be very uncomfortable for the company - the really crucial evidence here is all about the timing. Understanding the truth behind the question, "Who knew what, and when?", is going to make the difference between negligence and a criminal act.
Here is the key thing to bear in mind. That statement as reported in the UK Independent newspaper article that the breach came to light "at the end of July" is absolutely crucial. If there is enough evidence to suggest that persons within the company knew of the data breach *before* that 10-Q was filed, then I don't see how Smith and his co-directors can avoid jail time. The deciding factor [for me] is that the actual timing could very easily show conspiracy.
If there was a suggestion that a concerted effort was made to hold back the breach information until after the second quarter 10-Q, then it will not look good for the board. They are on the horns of a dilemma here. Either there was widespread knowledge of the breach and the three executives attempted of