Slashdot Mirror


Former Equifax CEO Blames Breach On One Individual Who Failed To Deploy Patch (techcrunch.com)

Equifax's recently departed CEO is blaming the largest data breach in history on a single person who failed to deploy a patch. TechCrunch reports: Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred. Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team. However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice -- one person didn't do their job. "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.
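The testimony above describes a patch that existed for months but depended on one person telling the right teams to apply it. The practitioner's takeaway is that "is the vulnerable Struts build still deployed anywhere?" should be a repeatable check run against an inventory, not a memo. The script below is an added example, not code from the original page or from Equifax or TechCrunch: it parses struts2-core jar paths from a constructed inventory and flags any version below a minimum patched version for its release line. The inventory, host names and the PATCHED_MIN thresholds are assumptions for illustration (the page names no CVE or fixed version); substitute the versions from the advisory you are tracking.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample inventory of (host, jar path), shaped like the output of a
# filesystem sweep or a software-inventory agent. Not real data.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("web-01", "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar"),
    ("web-02", "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.32.jar"),
    ("web-03", "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.5.10.jar"),
    ("web-04", "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.5.10.1.jar"),
    ("web-05", "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.5.13.jar"),
    ("web-06", "/opt/tomcat/webapps/archive/WEB-INF/lib/struts2-core-2.1.8.1.jar"),
    ("web-06", "/opt/tomcat/webapps/archive/WEB-INF/lib/commons-lang-2.6.jar"),
]

# Minimum patched version per release line (major, minor). These thresholds are
# assumptions for the example; take the real values from the vendor advisory.
PATCHED_MIN = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Matches the Struts 2 core jar and captures a dotted version of any length
# (Struts has shipped 3- and 4-component versions such as 2.5.10.1).
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically.

    Tuple comparison treats a shorter prefix as smaller, so (2, 5, 10) < (2, 5, 10, 1),
    which is the ordering we want for a point release on top of 2.5.10.
    """
    return tuple(int(part) for part in text.split("."))


def struts_version_from_path(path: str) -> Optional[Version]:
    """Return the Struts 2 core version embedded in a jar path, or None if the
    file is not a struts2-core jar."""
    match = JAR_RE.search(path)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(version: Version) -> Optional[bool]:
    """True if below the patched minimum for its line, False if at or above it,
    None if the line is not covered by PATCHED_MIN (needs manual review rather
    than a silent pass)."""
    line = version[:2]
    if line not in PATCHED_MIN:
        return None
    return version < PATCHED_MIN[line]


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify every struts2-core jar in the inventory.

    Returns (host, version, status) with status in {"VULNERABLE", "patched", "unknown"}.
    Non-Struts jars are skipped.
    """
    findings = []
    for host, path in inventory:
        version = struts_version_from_path(path)
        if version is None:
            continue
        verdict = is_vulnerable(version)
        status = "unknown" if verdict is None else ("VULNERABLE" if verdict else "patched")
        findings.append((host, ".".join(str(p) for p in version), status))
    return findings


if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} struts2-core {version:10} {status}")
```

The "unknown" outcome matters as much as "VULNERABLE": a release line missing from the threshold table should surface for review, not be scored as clean. In a real deployment the inventory would come from the hosts themselves, and the check would run on a schedule and page someone when a flagged host is still present after the patch deadline.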

4 of 255 comments

  1. Nice to have Cyber Security Team by avandesande · Score: 4, Interesting

    Sucks that you don't do configuration management.

    --
    love is just extroverted narcissism
  2. Re:I smell bullshit. by Hylandr · Score: 4, Interesting

    I caught that part but was much more incensed by the lame attempt to parry liability.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  3. Re:$225 million isn't much by mentil · Score: 3, Interesting

    All of those you cite are banks with numerous branches, subject to robbery and internal theft. They have security cameras which send their video over the internet, all branches are connected to multiple financial networks including their own, and lots of mundane paperwork is computerized. Securing all of these things counts as 'cybersecurity' and goes beyond what Equifax has to deal with, for the most part. If someone breaches/hacks Equifax, and they can ignore it/cover it up, then it's business as usual, so why spend money on it? It was only once the mandatory disclosure laws went into effect that they took cybersecurity seriously.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  4. Engineers Should Pay Attention to This by Anonymous Coward · Score: 2, Interesting

    If you work in engineering, you need to see the writing on the wall. No longer are you going to be indemnified for mistakes you make at work, even if you are forced to make them by bad management policy or lack of basic resources. No longer will the penalty for grievous error be a simple firing.

    Face the music. If you make a mistake that causes what ends up being a tortious harm, you are going to jail.