Slashdot Mirror
Equifax CEO: All Companies Get Breached (fortune.com)
An anonymous reader quotes Fortune:There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. "There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it," he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it...
Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
My cousin runs a company and they build houses. He keeps all his business on ledgers and note books. Not a efficient way to run a business but it is his way. He has never been hacked.
I read at +2. If your post doesn't reach that level I will not see or respond to it.
There are many things to criticize about Equifax, and their handling of this breach. This is not one of them. People in the security industry (such as myself), talk about "breach mentality" vs "castle mentality". Castle mentality is the old style of thinking where companies think that if they just build a strong enough wall, they will never be breached and they can leave their internal network a mess. Breach mentality is to assume you are already breached or will be breached at sometime in the future. This is the sensible approach to security, and the most realistic/practical approach. The goal is to secure everything as best you can to help withstand and catch a hack. It remains to be seen if Equifax actually took reasonable steps to secure their network from breach, or not. I am betting they did not, given their crappy response times and apparent total compromise.
It's holding data. If a company wants to risk my security by profiting from amassing data on me I should be able to have some finiacial recourse when they injur me with their breach. If they can't secure my data then they should not hold it. If one really feels that all companies will be breached then that person should actually know what they are doing is going to cause an injury and therefore should be liable for it.
liability is the key here. Until companies have a dear cost associated with lack of security there will be no security.
But that's not enough. we can't have companies who are good citizens, paying money to protect others, masking data so it is stored more anonymously, and so forth incurring higher costs that some jackass comapny willing to pay fast and lose. Those risk taking companies will have lower costs of operation and put the conscientious companies out of bussiness. When they fail sometimes we respond by crippling the whole industry rather than punishing the shareholders of the bad companies.
So we need not just damages but 10 fold punative damages that reach to the stock holders that invest. Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.
then we'd see some good data practices. We'd see companies clamoring to be regulated. we'd see a lot less naked storage of raw data behind single passwords.
it's not the breach. It's the gathering of data without direct consequences for it's loss.
Some drink at the fountain of knowledge. Others just gargle.
This is leftist propaganda, trying to give businesses a bad reputation for security. The real problem here is the use of a nine digit government issued ID that the government doesn't allow you to change and requirea you to share with financial institutions as proof of identification. The problem here is not the private sector but that the government has failed to use secure methods of authentication such as two factor authentication and public key encryption. Let the private sector create industry standard secure methods for identification and authentication, and get the government out of our lives. We don't need the left giving businesses a bad name when the government is the problem. However, the Democrats are too busy stopping business in the Senate like addressing the Obamacare implosion so they can move on to fixing the fact that we're stuck in the 1930s when it comes to proving the identity of citizens. Provide a secure methods of proving identity and all of the stolen social security numbers are pretty much worthless.
- snruter rotsac
If all companies get breached, then no company should be allowed to keep data on a scale like that that can be so damaging if it gets stolen.
"Remember, there never were pineapple-almond cookies here."
A single word makes all the difference.
He's correct when the company does not maintain their Internet facing platform. Which is exactly what Equifax did.
I guess they decided to save money in IT. And perhaps had poorly qualified personnel. Because management doesn't understand IT, so it must be "easy" and something that should be cheap.
Equifax says: "Breaches are a cost of business!" Sorry, non-customer that we lost all of your data and our incompetence will cost you for years to come!!!
Given the vast negative effects of this breach Equifax should be given the "Corporate Death Penalty" like Anderson Accounting. Their continued attempts at 'deflection" will hopefully fail.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
Immutable data should not have any value at all.
My name and SSN are assigned to me. I cannot choose or change them. Thus, they should have no business value, esp no value in the credit / financial context.
My address, my employment, my family are essentially fixed as well. Again - this data could be public. It should have no value.
"Identity theft" as perceived in the US must disappear.
Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it.
The value itself must change.
>> All Companies Get Breached
This is not even slightly true. It is just a blatant attempt at blame avoidance through lying and misdirection.
...so maybe we should not allow companies to store vast repositories of personal data that is very bad if breached?
It's a whole paradigm shift that needs to happen. Similar to best-practices with passwords today: you should never be storing your clients' passwords. Hash them, salt them, (I don't have all best practices off the top of my head) - but the end result is if the password database is breached, it is not catastrophic. We need to make personal data the same.
One way I think is interesting is through homomorphic encryption- it is possible to do arbitrary operations on data without the server ever knowing the plaintext. This is the future.
No, he's so wrong.
What he's trying to do here is add "loss of privacy" to the once-exclusive fraternity of "death and taxes".
In medicine, if you come up with a dumb, risky implant don't do it in America. You will get sued. Leaky boob bags are not a good long-term business model.
But this guy thinks that the credit rating industry doesn't need to think long and hard about their business model, because "all implants fail".
Here's another point of view: if you know up front that you can't secure the information, perhaps your business model should not depend upon amassing all this information in the first place, get out of the way, and allow the vaunted creativity of American free enterprise find a different solution to the credit-worthiness problem.
Because your solution sucks in a way that can't ever be fixed, by your own admission.
I'm not about to defend parent, because you're right, blaming another country for a terribly secured network is a terrible reason, but don't generalize and act like European companies are any more secure than American ones are. Two things you should consider before opening your mouth: (1) American companies are a bigger target, politically and economically. (2) It was primarily European and Asian countries that were the victim of the WannaCry ransomware. You can tout all you want about "Europe being more secure" (whatever that means), so don't act like your companies are more security-conscious. (3) Pointing to Americans being slow on adopting chip-and-pin credit cards shows how ignorant you are on the topic. Easily skimming credit cards has little to do (if at all) with what actual identity thieves do.
It's been said a million times but companies always want the magic bullet solutions.
He's right that you should expect being compromised, but no safeguards were in place for what he said was inevitable.
Looking at the timeline of events it's clear that getting past the endpoints meant free reign in their network.
https://medium.com/@thegrugq/e...
Over the years the focus of the security industry has changed and it is no longer considered sufficient to have a crunchy shell with a soft interior. From behavioral analysis, to canary systems and binary whitelisting/flagging. There are so many things they could have done differently it's astounding.
By publicly asserting the unavoidability of a breach, and then having no plan of action prepared for that, he's admitting that their security plan is negligent.
In other words ''Cars crash, people die... seatbelts are useless''
Cwm, fjord-bank glyphs vext quiz
Sure, but only some of them dump stocks illegally, hire arts majors to run tech security, attempt to take away the rights of victims, send their customers to illegal phishing sites, wait months to report to the public, get into a tiff with their hired outside security consultants, and otherwise completely mishandle the aftermath.
Sorry, but security is almost purely a reactive thing.
And worse, HUMANS are tossed into the mix.
As such, security is a delaying action, at best.
If someone really and TRULY wants in, they're getting in. And pretty much nothing short of destroying your computing assets wholesale will prevent it.
Security has become so full of snake-oil salesman they they've forgotten that their primary purpose is hardening to the point where your average 6 year old with an iPhone can't get root on your production servers. And their secondary purpose is monitoring the network, both proactively and in the event of a breach.
So, even if someone gets in, you SEE it and you have a log trail.
This idea that security will keep your assets totally and completely hack-proof is utter nonsense. DANGEROUS utter nonsense.
Chas - The one, the only.
THANK GOD!!!
Like salt and vinegar?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Also European companies are not allowed to store much data about persons. For example the credit rating agency in the netherlands is not allowed to store much identifiable in their database, pretty much only the name and birth date of the person and which they have credit information on.
They are not allowed to store the equivalent of the social security number, not even the address where the person lives.
Saying that all companies will eventually get breached is, in my opinion, correct. The unfortunate thing is that nothing will ever be done to even try to improve the situation, because it's too easy for companies to just buy "cyber-insurance" as opposed to playing cat and mouse with "security researchers." In this situation, they don't even have to have the insurance company pay for credit monitoring, because they can give it away for free by just providing the same service they used to sell.
Unless you put nothing on the Internet and have a strict, enforceable we-will-fire-you-immediately policy for people who inadvertently leave the doors open, there's very little chance companies can stay ahead of attacks forever. The bigger the company, the worse it is. Outsourced IT makes security response many times slower as well because the problem has to filter down two reporting chains before it gets fixed (assuming anyone notices.) Even the NSA wasn't able to keep a lid on their information and exploit vault...that should tell you something. All the security in the world is nothing when you have humans in the loop.
What will be interesting to see is what happens when more companies start looking to put core systems into the public cloud. Obviously cloud providers have a huge incentive to keep things safe, but nothing's perfect. And the more complex things get, the more surface area an attacker has to work on. I'm sure there are more than a few "don't be like Equifax" FUD-laden sales calls being made in CIO offices all over the world lately.
The truth is that security has zero ROI in an environment where you can just say "oops," write a small check and move on like nothing happened. So far, nothing bad has happened to any company that has lost customer data. People still shop at Target, Home Depot, etc. and still keep their money in banks that have experienced data loss incidents. People just assume that these things happen and nothing can be done about it, and I agree to some extent.
Always wear a condiment.
Banks learned long ago that security measures had to be escalated along with the pile of money being kept. If a small branch only had a few $100K in cash, it didn't need the same security as a big bank with several $Million in the vault. When you have so much gold that it requires dump trucks to carry it in and out, you need the security of Fort Knox. Any bank that had $Billions stored in a file cabinet with only a single 80 year old security guard watching it, should be held responsible when it gets robbed. It sounds like that was the case at Equifax.
So - brief summary of timeline:-
Feb 24, 2016 - Annual 10K report - indicates only generic, boilerplate risks that a financial services company like Equifax should include in their SEC filing.
Jly 27, 2017 - Quarterly 10-Q filing with the SEC, indicating "There have been no material changes with respect to the risk factors disclosed in our 2016 Form 10-K."
Aug 1, 2017 - Chief Financial Officer John Gamble sells $946,374 in shares
Aug 2, 2017 - Joseph Loughran, President of US Information Solutions sells $584,099 in shares... and Rodolfo Ploder, President of Workforce Solutions, sells $250,458 in shares
Aug 17, 2017 - Rick Smith gives a presentation to the University of Georgia, discussing cyber security threats - and makes a memorable quote...
Sep 7, 2017 - Equifax admit to a massive data breach, impacting at least 143 million Americans, see here:-
http://www.independent.co.uk/n...
Sep 7, 2017 - On the same day as admitting to the breach, Equifax also admit that 3 executive sold $1.8MM in shares between the breach being detected and the date it was made public. Crucially, despite Equifax claiming that the Executives had no knowledge of the breach, none of the three sales were part of planned, scheduled trading (i.e. were covered by 10b5-1 plans). In other words, these were spontaneous sales. See here:-
https://www.bloomberg.com/news...
The crucial thing is, however, that in the above Independent article, published September 7th, is the statement,
"The Atlanta-based company said that that “criminals” exploited a US website application to access files between mid-May and July of this year - with the weakness said to have been discovered at the end of that month. "
Now, among the pieces of information we don't know are: 1) when, exactly, did the three executives sell their shares?; and 2) what internal discussions - i.e. board meetings, emails - were used to disseminate the information internally.
Obviously we're not told this, but the company will by now have received a "Preservation Order" from the SEC, requiring them to ensure that data pertaining to this event is not destroyed. Backup tapes will be pulled from cycles; current email folders will be locked; individuals will be warned that their documents are subject to such an order. Given the close proximity of events - we're talking days, not weeks or months - it should not be difficult to forensically re-create a very precise time-line.
So whilst the speech that Smith gave a the University of Georgia is going to be hugely embarrassing for him personally - and whilst the acknowledgements he makes in it will be very uncomfortable for the company - the really crucial evidence here is all about the timing. Understanding the truth behind the question, "Who knew what, and when", is going to make the difference between negligence and a criminal act.
Here is the key thing to bear in mind. That statement as reported in the UK Independent newspaper article that the breach came to light "at the end of July" is absolutely crucial. If there is enough evidence to suggest that persons within the company knew of the data breach *before* that 10-Q was filed, then I don't see how Smith and his co-directors can avoid jail time. The deciding factor [for me] is that the actual timing could very easily show conspiracy.
If there was a suggestion that a concerted effort was made to hold back the breach information until after the second quarter 10-Q, then it will not look good for the board. They are on the horns of a dilemma here. Either there was widespread knowledge of the breach and the three executives attempted of