Squabble With Contractor Delayed Equifax's Response To Data Breach (bloomberg.com)
An anonymous reader quotes Bloomberg's report on the contractor Equifax first hired to investigate their breach:
Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network... Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...
That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer... By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems.
"They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group -- known as an entry crew -- handed off to a more sophisticated team of hackers," reports Bloomberg, suggesting that the attack may have been sponsored by a nation-state.
There is no excuse, especially how Equifax has also mishandled just about everything after the breach was made public. Make it a $1,000 fine per person per day for not notifying them within seven days of discovering the breach. The only exception is if law enforcement requests that the breach not be disclosed to protect the integrity of an investigation.
Squabble With Equifax Delayed Equifax's Response To Data Breach
The way the headline reads as published makes it sound as if the contractor is to blame -- which is obviously horseshit.
Beware of the Leopard.
Regardless of whatever they may have believed, they were warned and ignored the warnings. Sure seems like gross negligence or possibly even criminal negligence. If the system weren't corrupted, I would expect indictments. It's too bad our government doesn't function properly.
Anons need not reply. Questions end with a question mark.
Expect them to not grok security and put budget concerns above everything else. Our CTO has a degree in social justice, and he fired everyone that was educated in order to hide his incompetence. Plus, he fired all of the white people, and our company repeatedly lied to the state that they were fired with cause so they couldn't get unemployment.
Sounds like Equifax didn't like what it heard, so it disregarded its consultant's advice.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company.
So I guess they weren't as well-qualified as the music major you hired as your chief security officer?
SJW: Someone who has run out of real oppression, and has to fake it.
They probably did quantify the risk. In terms of its effect on their revenue, of course, since that's what's at risk for them. And that risk is close to zero, since consumers can't block reporting of their data to Equifax and there are only 2 competitors Equifax has to worry about, and the majority of them already use all 3 bureaus. So why expend money mitigating something that poses negligible risk to your business? It poses no risk to the executives either; their future income doesn't depend on Equifax continuing in business. At worst they'll collect a hefty severance package and spend a few weeks relaxing until they get picked up at another company. This is what I refer to as the difference between a businessman and an MBA: the businessman's livelihood is at stake, whereas the MBA is just a glorified W-2 employee.
Risk to consumers? Equifax doesn't do business with consumers, why would anything that happens to those consumers bother it? At most Equifax will spend a few years arguing with regulators and maybe some fines will be levied, but odds on the cost of the fines will be less than the cost of good security. More likely they'll be able to claim they were following all the recommended practices (shoddy as those are) and it's Apache's fault for having left the bug in the version of Struts in question, which (especially given the current administration) will be enough for them to skate even though everybody reasonable knows it's BS.
And when you give that info up to your bank, you give your consent to them sharing it with the equifaxes of the world.
This is a very weak argument. Consent without a viable alternative isn't really consent at all.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.