Slashdot Mirror


Squabble With Contractor Delayed Equifax's Response To Data Breach (bloomberg.com)

An anonymous reader quotes Bloomberg's report on the contractor Equifax first hired to investigate their breach: Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network... Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...

That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer... By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems.

"They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group -- known as an entry crew -- handed off to a more sophisticated team of hackers," reports Bloomberg, suggesting that the attack may have been sponsored by a nation-state.

14 of 127 comments

  1. In before a dumb turkeydance one line post by Anonymous Coward · · Score: 5, Insightful

    There is no excuse, especially how Equifax has also mishandled just about everything after the breach was made public. Make it a $1,000 fine per person per day for not notifying them within seven days of discovering the breach. The only exception is if law enforcement requests that the breach not be disclosed to protect the integrity of an investigation.

  2. Correct Headline: by Known+Nutter · · Score: 4, Insightful

    Squabble With Equifax Delayed Equifax's Response To Data Breach

    The way the headline reads as published makes it sound as if the contractor is to blame -- which is obviously horseshit.

    --
    Beware of the Leopard.
  3. "Mandiant warned Equifax" by Gravis+Zero · · Score: 3, Insightful

    Regardless of whatever they may have believed, they were warned and ignored the warnings. Sure seems like gross negligence or possibly even criminal negligence. If the system weren't corrupted, I would expect indictments. It's too bad our government doesn't function properly.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:"Mandiant warned Equifax" by oldgraybeard · · Score: 3, Funny

      So the Equifax CSO (the music composition major) didn't think the security contractor sent individuals that had the right background to do security work?
      "Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company."
      Odd. Maybe they could not hum the right tune ;)

      I have heard people say a specific degree does not matter. Just having a degree proves you have the ability to learn and do any job. Guess Not ;)

  4. Serves them Right for using Access by filesiteguy · · Score: 2

    Actually I have no idea what Equifax uses, but it seems every time I read of these breaches they are because of a lack of communication between various internal groups. Working for a company that is often hit with DDoS or other intrusion attempts by nation-states, I know that the overriding thing to keep them out is open, candid communication between staff, management, and vendors.

    Also, probably shouldn't put Access databases outside the DMZ.

  5. Doesn't sound like a Squabble to me by rsilvergun · · Score: 4, Insightful

    Sounds like Equifax didn't like what it heard, so it disregarded their consultant's advice.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  6. Government is at fault. by Anonymous Coward · · Score: 2, Funny

    The government regulations that stifle the industry and make it hard to do business are the real cause here. As usual, all government is bad government. We need to deregulate the industry so that the free market can fix this problem once and for all. Guaranteed.

  7. Re:Hire a music major as CIO... by jcr · · Score: 3, Insightful

    Some of the best engineers I've worked with have had music degrees.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  8. Leadership is top down and bottom up by bernywork · · Score: 4, Informative

    There are two issues here. The CEO didn't insist on security, so either he's naive or misinformed. Either is bad.

    The CTO didn't insist or wasn't given budget for appropriate security measures. Either is bad.

    The CEO wasn't managing the CTO in regards to requirements, and the CTO wasn't managing up the requirements.

    When you look at BoA, where security is king, they'd rather have a production outage, break something, and then scream at the vendor to fix it than lose customer data. A customer-facing production outage costs them a lot less than the loss of customer data, where they're concerned the whole company could go to the wall.

    This is a management fuck up, of the highest order. This was business risk 101 and they failed to identify it, quantify it and mitigate it.

    Mandiant may not have sent their A team, but from the sounds of things their C team would have been enough to start to deal with their issues. Unpatched systems? C'mon, are we still in high school?

    --
    Curiosity was framed; ignorance killed the cat. -- Author unknown
    1. Re:Leadership is top down and bottom up by Todd+Knarr · · Score: 5, Insightful

      They probably did quantify the risk. In terms of its effect on their revenue, of course, since that's what's at risk for them. And that risk is close to zero, since consumers can't block reporting of their data to Equifax and there are only 2 competitors Equifax has to worry about, and the majority of them already use all 3 bureaus. So why expend money mitigating something that poses negligible risk to your business? It poses no risk to the executives either; their future income doesn't depend on Equifax continuing in business. At worst they'll collect a hefty severance package and spend a few weeks relaxing until they get picked up at another company. This is what I refer to as the difference between a businessman and an MBA: the businessman's livelihood is at stake, whereas the MBA is just a glorified W-2 employee.

      Risk to consumers? Equifax doesn't do business with consumers, so why would anything that happens to those consumers bother it? At most Equifax will spend a few years arguing with regulators and maybe some fines will be levied, but odds on the cost of the fines will be less than the cost of good security. More likely they'll be able to claim they were following all the recommended practices (shoddy as those are) and that it's Apache's fault for having left the bug in the version of Struts in question, which (especially given the current administration) will be enough for them to skate even though everybody reasonable knows it's BS.

  9. You are not Equifax's Customer by FeelGood314 · · Score: 2

    Security is only an expense for them. Losing data they have on people doesn't affect their business. Hell, the data only needs to be accurate 90% of the time for them to make a profit. Don't be surprised by this. Equifax is acting completely rationally. If you really cared, maybe we should have an organization that is run by the public to do things that can't be done efficiently by private companies because their motivations don't align with how they are paid. I suggest we give this organization a cool name like "government".

  10. Equixpertise by elrous0 · · Score: 4, Insightful

    Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company.

    So I guess they weren't as well-qualified as the music major you hired as your chief security officer?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  11. You'd be surprised ... by jfgob · · Score: 5, Interesting

    ... or possibly not, how unbelievably common this is. And most of the time, in my experience, the management is not even aware of the issues. The last security assessment I did was shot down as "unpractical and impossible to execute on" by the IT managers or directors. Simply because it started with "take XXX days to level all systems to a known updated state" along with the report from a vulnerability scanner. These IT managers/directors were actually the ones saying "if I go to my management with this proposal, I will lose my job", not the top management itself, happily thinking that everything was hunky-dory. My experience is that many CTOs do not like telling their CEO "we need to talk" or "we need to fix up things and that involves changing the way people think too."

  12. Re:All of which misses the MAIN POINT by Anonymous+Brave+Guy · · Score: 4, Insightful

    And when you give that info up to your bank, you give your consent to them sharing it with the equifaxes of the world.

    This is a very weak argument. Consent without a viable alternative isn't really consent at all.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.