Slashdot Mirror


Former Equifax CEO Blames Breach On One Individual Who Failed To Deploy Patch (techcrunch.com)

Equifax's recently departed CEO is blaming the largest data breach in history on a single person who failed to deploy a patch. TechCrunch reports: Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred. Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team. However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice -- one person didn't do their job. "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

14 of 255 comments

  1. I smell bullshit. by Hylandr · · Score: 5, Insightful

    If .25Bn has been invested then there's sure as hell no process that could have allowed a single critical patch go unchecked as described. There's teams, or should be teams of people watching these things.

    I smell a really shitty cop-out excuse.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    1. Re:I smell bullshit. by rahvin112 · · Score: 5, Insightful

      You missed the best part, 3 years ago, they didn't even have a security department. At least according to his throw-the-wage-slave-under-the-bus testimony. He's distracting you with this tale of a rogue employee while dropping a bombshell you didn't even notice.

      3 years ago the company responsible for approving credit for all Americans had NO information security department. According to the CEO's testimony they had zero budget and not a single employee dedicated to security of their IT networks. That's grounds for jailing him IMO.

    2. Re:I smell bullshit. by Hylandr · · Score: 4, Insightful

      After reading this it occurs to me that it's much more likely someone sold the info rather than had it hacked.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  2. Human Error??? by Moblaster · · Score: 5, Insightful

    Anyone who has worked with sensitive processes (esp computer security processes) knows that relying on one person for a mission-critical function is not a "human error" - it's a process failure. If this person's communication job was that essential, they should have had a team-based process in place with multiple individuals charged with making sure the process got executed, backed up by computerized records and nag alerts if not done. Seems like this "human error" would have happened if the person had gone on vacation, gotten fired, or went off their meds. That's not a human error. That's execs failing to make sure they build a resilient security process. Quarter billion in expenditure won't buy common sense, it seems.

    1. Re: Human Error??? by Mr+D+from+63 · · Score: 5, Insightful

      There's a thing called independent verification that might have helped. Guess it's that one guy's fault that they didn't practice that.

    2. Re:Human Error??? by msauve · · Score: 4, Insightful

      "Anyone who has worked with sensitive processes (esp computer security processes) knows that relying on one person for a mission-critical function is not a "human error" - it's a process failure."

      Absolutely. Human redundancy is just as important as network/system redundancy. If the organization isn't set up to continue working even if someone gets hit by a bus, that's a management failure. It's not a single individual. Who was responsible for checking that the work was done as required?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  3. Ah yes, the blame game by quonset · · Score: 5, Insightful

    "It was his fault. That's why I sold my company stock when I found out about the breach rather than inform anyone except the other folks in the executive suite."

  4. Wow, that's scummy by JohnFen · · Score: 5, Insightful

    "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not,"

    What a scummy thing to say, and he doesn't even realize that the statement makes Equifax look even worse.

    With a couple of hundred people on the security team, the idea that it's a single person's responsibility to tell everyone to apply a patch is ludicrous. If it's true, then that's institutional incompetence.

    I've been working in computer security for years, and do you know what I and all of my coworkers do? We keep up on computer security developments, particularly newly discovered vulnerabilities. And we discuss them. And send emails about them.

    Even if the one team (not individual) who is responsible for ensuring that our own systems are patched for some reason fails to do that job, there is exactly zero chance that this would go unnoticed.

    If that's not how it works at Equifax, that's the fault of Equifax, not some single individual.

  5. Failure of way more than one person by Todd+Knarr · · Score: 4, Insightful

    Failing to apply the patch would be the failure of that one person to order the patch applied, plus the failure of his superior to notice that an action item hadn't been handled, plus a failure of the security team to notice that a ticket hadn't been completed, plus the failure of the head of the security team to notice his subordinates had uncompleted tickets sitting there. All this stuff should be tracked, and where I work it is and we have daily status meetings where stuff like this gets asked about, and development team managers and product managers have weekly status meetings where lack of progress on tickets and what needs done about it is a standard agenda item.

    Accountability means managers and executives are just as accountable for work getting done or not getting done as low-level employees are expected to be.

    1. Re:Failure of way more than one person by dgatwood · · Score: 3, Insightful

      Failing to apply the patch would be the failure of that one person to order the patch applied, plus the failure of his superior to notice that an action item hadn't been handled, plus a failure of the security team to notice that a ticket hadn't been completed, plus the failure of the head of the security team to notice his subordinates had uncompleted tickets sitting there. All this stuff should be tracked, and where I work it is and we have daily status meetings where stuff like this gets asked about, and development team managers and product managers have weekly status meetings where lack of progress on tickets and what needs done about it is a standard agenda item.

      Plus a failure of their regular security auditing process to detect that a machine was running a version of software below the minimum allowed version. All this stuff should be detected programmatically in a company that size. This was not a failure of one person. This was a complete failure of the entire security organization at every level, which usually points to either a complete lack of leadership, inadequate budget to hire sufficient qualified staff, or (more likely) all of the above.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
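The programmatic check dgatwood and Mr D from 63 describe, as an added example that is not part of the thread: an inventory audit that flags every host running a framework version below a minimum allowed version, and that treats a host whose version cannot be verified as a failure rather than a pass. Host names, version strings and the minimum thresholds are constructed for illustration, not taken from any advisory.

```python
# Added example (not from the Slashdot thread): audit a host inventory against
# a minimum allowed framework version per release branch. Hosts, versions and
# thresholds below are constructed for illustration.
from typing import Optional

# Assumed minimum allowed version per branch (constructed values, not the real
# advisory thresholds; take those from the vendor's security bulletin).
MIN_ALLOWED = {"2.3": "2.3.40", "2.5": "2.5.12"}


def parse_version(text: str) -> Optional[tuple]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); return None for anything unparseable."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory: dict) -> dict:
    """Return {host: reason} for every host that fails the check.

    Unknown or unparseable versions fail too: a host you cannot verify is
    treated as unpatched, which is the 'independent verification' point."""
    findings = {}
    for host, reported in inventory.items():
        version = parse_version(reported or "")
        if version is None or len(version) < 3:
            findings[host] = f"unverifiable version {reported!r}"
            continue
        branch = f"{version[0]}.{version[1]}"
        minimum = MIN_ALLOWED.get(branch)
        if minimum is None:
            findings[host] = f"branch {branch} has no allowed version"
            continue
        if version < parse_version(minimum):
            findings[host] = f"{reported} is below minimum {minimum}"
    return findings


# Constructed sample inventory: host -> version string reported by an agent.
SAMPLE_INVENTORY = {
    "web-01": "2.5.12",   # at the minimum: passes
    "web-02": "2.5.9",    # below minimum on the 2.5 branch
    "web-03": "2.3.33",   # below minimum on the 2.3 branch
    "web-04": "",         # agent returned nothing: must not be treated as OK
    "web-05": "2.1.8",    # branch with no allowed version at all
}

if __name__ == "__main__":
    for host, reason in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"FAIL {host}: {reason}")
```

Run on a schedule and fed from the real inventory, the non-empty result is the "nag alert" Moblaster asks for, independent of whoever was supposed to send the e-mail.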

  6. Re:Nice to have Cyber Security Team by Tokolosh · · Score: 4, Insightful

    What do the other 224 do?

    --
    Prove anything by multiplying Huge Number times Tiny Number
  7. So what you're saying is by rsilvergun · · Score: 5, Insightful

    Your entire operation is one underpaid and overworked sysadmin away from disaster? Did I get that right?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  8. Re: Such BS by Anonymous Coward · · Score: 0, Insightful

    You mean the gal who majored in Music? I wonder who was supposed to implement the patch, probably some Filipino high school student working as a subcontractor to some Indian subcontractor working for the US subcontractor that Equifax chose as the lowest bidder.

  9. It's even worse by PatientZero · · Score: 4, Insightful

    Any number of reasonable things could have caused the patch to be missed, but you'd expect $250M spent over three years to provide a few more security processes beyond, "Fred forgot to apply the patch." The attackers were spreading through their systems over several months without detection.

    Also, way to lead from behind. Every corporate officer I've met has shared one tenet with all others: they are responsible for everything that their team does, good and bad. If some employee several rungs down the corporate ladder fails, it's because the leadership above them failed to hire or train them correctly or put in the right processes.

    --
    Freedom to fear. Freedom from thought. Freedom to kill.
    I guess the War on Terror really is about freedom!