Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

Re: Is encryption at rest really that important?

Yes it is if you want to be PCI compliant which it looks like they're supposed to be.

And just because the system is live doesn't mean that all the data is unecrypted for use. Decrypt what you need and leave the rest encrypted.

I've seen this many times. Just because you don't understand why a rule is in place doesn't mean it isn't useful and with purpose.

Re:CEO?

[_Sharp'r_]

Because encryption at rest of any taxpayer identification data is a federal government requirement as part of a normal contracting process. So either Equifax does something different between their government-facing systems and their public ones (possible), or they are also in noncompliance of the contractual requirement.

In a large, security conscious organization, even one much, much larger than Equifax (like where I work, which probably has a few hundred or more Equifax sized financial operations), any security vulnerability like not encrypting restricted data at rest would be specifically risk accepted by the business and technical owners of the system, and then would be included in a report to the CEO and the Board highlighting the issue and requiring them to specifically sign off on it before it was allowed.

So yeah, it doesn't shock me that the CEO of Equifax (which doesn't appear to have much in the way of data security processes) doesn't know, but in a responsible organization, the CEO and the Board would not only know about something like that, they'd have explicitly signed off on taking the risk, because there isn't anyone else besides the shareholders who are going to be holding the bag when the risk turns into a reality. Wouldn't you want to know, if you were in that position of responsibility?