Squabble With Contractor Delayed Equifax's Response To Data Breach

An anonymous reader quotes Bloomberg's report on the contractor Equifax first hired to investigate their breach: Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network... Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...

That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer... By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems.
"They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group -- known as an entry crew -- handed off to a more sophisticated team of hackers," reports Bloomberg, suggesting that the attack may have been sponsored by a nation-state.

In before a dumb turkeydance one line post

There is no excuse, especially how Equifax has also mishandled just about everything after the breach was made public. Make it a $1,000 fine per person per day for not notifying them within seven days of discovering the breach. The only exception is if law enforcement requests that the breach not be disclosed to protect the integrity of an investigation.

Correct Headline:

[Known+Nutter]

Squabble With Equifax Delayed Equifax's Response To Data Breach

The way the headline reads as published makes it sound as if the contractor is to blame -- which is obviously horseshit.

Doesn't sound like a Squabble to me

[rsilvergun]

sounds like Equifax didn't like what it heard so it disregarded their consultant's advise.

Leadership is top down and bottom up

[bernywork]

There's two issues here. The CEO didn't insist on security, so either he's naive or mis-informed. Either is bad.

The CTO didn't insist or wasn't given budget for appropriate security measures. Either is bad.

The CEO wasn't managing the CTO in regards to requirements, and the CTO wasn't managing up the requirements.

When you look at BoA where security is king; they'd rather have a production outage, break something and then scream at the vendor to fix it, than lose customer data. A customer facing production outage costs them a lot less than the loss of customer data, where they're concerned the whole company could go to the wall.

This is a management fuck up, of the highest order. This was business risk 101 and they failed to identify it, quantify it and migitate it.

Mandiant may not have sent their A team, but from the sounds of things their C team would have been enough to start to deal with their issues. Unpatched systems, c'mon are we still in high school?

Re:Leadership is top down and bottom up

[Todd+Knarr]

They probably did quantify the risk. In terms of it's effect on their revenue, of course, since that's what's at risk for them. And that risk is close to zero, since consumers can't block reporting of their data to Equifax and there are only 2 competitors Equifax has to worry about and the majority of them already use all 3 bureaus. So why expend money mitigating something that poses negligible risk to your business? It poses no risk to the executives either, their future income doesn't depend on Equifax continuing in business. At worst they'll collect a hefty severance package and spend a few weeks relaxing until they get picked up at another company. This is what I refer to as the difference between a businessman and an MBA: the businessman's livelihood is at stake, whereas the MBA is just a glorified W-2 employee.

Risk to consumers? Equifax doesn't do business with consumers, why would anything that happens to those consumers bother it? At most Equifax will spend a few years arguing with regulators and maybe some fines will be levied, but odds on the cost of the fines will be less than the cost of good security. More likely they'll be able to claim they were following all the recommended practices (shoddy as those are) and it's Apache's fault for having left the bug in the version of Struts in question, which (especially given the current administration) will be enough for them to skate even though everybody reasonable knows it's BS.

Equixpertise

[elrous0]

Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company.

So I guess they weren't as well-qualified as the music major you hired as your chief security officer?

You'd be surprised ...

[jfgob]

... or possibly not how unbelievably common this is. And most of the time, in my experience, the management is not even aware of the issues. The last security assessment I did were shot down as "unpractical and impossible to execute on" by the IT managers or directors. Simply because it started with "take XXX days to level all systems to a known updated state" along with the report from a vulnerability scanner. These IT managers/directors were actually the ones saying "if I go to my management with this proposal, I will lose my job", not the top management itself, happily thinking that everything was hunky-dory. My experience is that many CTOs do not like telling their CEO "we need to talk" or "we need to fix up things and that involves changing the way people think too."

Re:All of which misses the MAIN POINT

[Anonymous+Brave+Guy]

And when you give that info up to your bank, you give your consent to them sharing it with the equifaxes of the world.

This is a very weak argument. Consent without a viable alternative isn't really consent at all.