Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax CEO: All Companies Get Breached (fortune.com)

Posted by EditorDavid on from the especially-if-they're-named-Equifax dept.

An anonymous reader quotes Fortune:There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. "There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it," he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it...

Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.

11 of 176 comments (clear)

  1. Incorrect by jwhyche · · Score: 5, Insightful

    My cousin runs a company and they build houses. He keeps all his business on ledgers and note books. Not a efficient way to run a business but it is his way. He has never been hacked.

    --
    I read at +2. If your post doesn't reach that level I will not see or respond to it.
  2. It's not the Breach, stupid by goombah99 · · Score: 5, Insightful

    It's holding data. If a company wants to risk my security by profiting from amassing data on me I should be able to have some finiacial recourse when they injur me with their breach. If they can't secure my data then they should not hold it. If one really feels that all companies will be breached then that person should actually know what they are doing is going to cause an injury and therefore should be liable for it.

    liability is the key here. Until companies have a dear cost associated with lack of security there will be no security.

    But that's not enough. we can't have companies who are good citizens, paying money to protect others, masking data so it is stored more anonymously, and so forth incurring higher costs that some jackass comapny willing to pay fast and lose. Those risk taking companies will have lower costs of operation and put the conscientious companies out of bussiness. When they fail sometimes we respond by crippling the whole industry rather than punishing the shareholders of the bad companies.

    So we need not just damages but 10 fold punative damages that reach to the stock holders that invest. Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.

    then we'd see some good data practices. We'd see companies clamoring to be regulated. we'd see a lot less naked storage of raw data behind single passwords.

    it's not the breach. It's the gathering of data without direct consequences for it's loss.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  3. More leftist propaganda by Anonymous Coward · · Score: 2, Insightful

    This is leftist propaganda, trying to give businesses a bad reputation for security. The real problem here is the use of a nine digit government issued ID that the government doesn't allow you to change and requirea you to share with financial institutions as proof of identification. The problem here is not the private sector but that the government has failed to use secure methods of authentication such as two factor authentication and public key encryption. Let the private sector create industry standard secure methods for identification and authentication, and get the government out of our lives. We don't need the left giving businesses a bad name when the government is the problem. However, the Democrats are too busy stopping business in the Senate like addressing the Obamacare implosion so they can move on to fixing the fact that we're stuck in the 1930s when it comes to proving the identity of citizens. Provide a secure methods of proving identity and all of the stolen social security numbers are pretty much worthless.

    - snruter rotsac

  4. Leads to just one conclusion... by jpatters · · Score: 5, Insightful

    If all companies get breached, then no company should be allowed to keep data on a scale like that that can be so damaging if it gets stolen.

    --
    "Remember, there never were pineapple-almond cookies here."
  5. All 'dumb' Companies Get Breached by atrimtab · · Score: 4, Insightful

    A single word makes all the difference.

    He's correct when the company does not maintain their Internet facing platform. Which is exactly what Equifax did.

    I guess they decided to save money in IT. And perhaps had poorly qualified personnel. Because management doesn't understand IT, so it must be "easy" and something that should be cheap.

    Equifax says: "Breaches are a cost of business!" Sorry, non-customer that we lost all of your data and our incompetence will cost you for years to come!!!

    Given the vast negative effects of this breach Equifax should be given the "Corporate Death Penalty" like Anderson Accounting. Their continued attempts at 'deflection" will hopefully fail.

    --
    Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
  6. Reduce the value of data by kaur · · Score: 5, Insightful

    Immutable data should not have any value at all.

    My name and SSN are assigned to me. I cannot choose or change them. Thus, they should have no business value, esp no value in the credit / financial context.
    My address, my employment, my family are essentially fixed as well. Again - this data could be public. It should have no value.

    "Identity theft" as perceived in the US must disappear.
    Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it.
    The value itself must change.

    1. Re:Reduce the value of data by k.a.f. · · Score: 5, Insightful
      Absolutely right!

      Remember, there is no such thing as "identity theft". There is only fraud, committed between two parties neither of which is you. The notion that someone can "steal your identity" is a red herring invented by big companies, in the hope that this will make it sound as if it was your responsibility and you should bear the costs. It isn't - it's their responsibility to guard against fraudulent transactions and not to withdraw money from you under fraudulent circumstances. But so far they've been pretty successful in establishing the narrative that it's your fault if someone abuses the ridiculously inadequate safeguards against fraud. This is a prime example of "Establish the terms of the debate, and you've determined its outcome".

  7. I call bullshit by JustNiz · · Score: 3, Insightful

    >> All Companies Get Breached

    This is not even slightly true. It is just a blatant attempt at blame avoidance through lying and misdirection.

  8. once-exclusive fraternity of "death and taxes" by epine · · Score: 5, Insightful

    There are many things to criticize about Equifax, and their handling of this breach. This is not one of them.

    No, he's so wrong.

    What he's trying to do here is add "loss of privacy" to the once-exclusive fraternity of "death and taxes".

    In medicine, if you come up with a dumb, risky implant don't do it in America. You will get sued. Leaky boob bags are not a good long-term business model.

    But this guy thinks that the credit rating industry doesn't need to think long and hard about their business model, because "all implants fail".

    Here's another point of view: if you know up front that you can't secure the information, perhaps your business model should not depend upon amassing all this information in the first place, get out of the way, and allow the vaunted creativity of American free enterprise find a different solution to the credit-worthiness problem.

    Because your solution sucks in a way that can't ever be fixed, by your own admission.

    1. Re: once-exclusive fraternity of "death and taxes" by Miamicanes · · Score: 5, Insightful

      The fundamental problem is that the hacking victims aren't Equifax's CUSTOMERS, they're Equifax's PRODUCT.

      If you, as a consumer, get harmed by Equifax's negligence, they aren't going to care until regulators MAKE them care.

  9. Re:You Americans are idiots by Chameleon+Man · · Score: 5, Insightful

    I'm not about to defend parent, because you're right, blaming another country for a terribly secured network is a terrible reason, but don't generalize and act like European companies are any more secure than American ones are. Two things you should consider before opening your mouth: (1) American companies are a bigger target, politically and economically. (2) It was primarily European and Asian countries that were the victim of the WannaCry ransomware. You can tout all you want about "Europe being more secure" (whatever that means), so don't act like your companies are more security-conscious. (3) Pointing to Americans being slow on adopting chip-and-pin credit cards shows how ignorant you are on the topic. Easily skimming credit cards has little to do (if at all) with what actual identity thieves do.