Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted (techtarget.com)
An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.
Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.
Big Sister Corporation collecting information on you is just as invasive, just as evil, as Big Brother Government.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
CEO: Hey guys, I'm going to go get grilled by Congress about our IT standards, anything I should know about?
IT: ...crickets...
CEO: Great, I'll run that by the lawyers.
Lawyers: ...crickets...
CEO: Great, I'm ready to testify before Congress!
Outside of somebody stealing your drives to look at them, encryption at rest isn't that vital since when the system is live the data are going to be effectively unencrypted for use. Considering the hack had nothing to do with physical theft of drives, it's kind of off topic.
It's like how Truecrypt can't protect your live database server from dumping data due to a SQL injection attack even if it protects the contents of the DB from physical hard drive theft.
AntiFA: An abbreviation for Anti First Amendment.
He should know this, but I also see your point. It's a real "gotcha" question. I'm sure the CEO knows exactly what encryption is, and roughly how it works, but may not know exactly what the difference between "encryption" and "encryption at rest" is, and didn't want to say something under oath that turned out to be wrong.
And it's poorly written, poorly managed, poorly understood and completely under-appreciated by the C-suite until something goes pear-shaped.
Well, bouncing the exact details to some VP of security (the CISO) is pretty much what will happen, out of necessity. But, and this is crucial, he must make sure that everyone knows that anything security related that comes out of the CISO is like it came from him himself and has to be implemented with an implied "or else".
Anything less means the next thing a sensible CISO does is hand in his resignation. The CEO's job is to define the strategic goal and the target of what security should achieve. He needn't understand the details, that's what the CISO is there for, but he must back up the CISO. Else the CISO is just the scapegoat, to be fired when (not if) the shit hits the fan.
And I have this suspicion that this is exactly what went down in this case.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
What the hell does "encrypting at rest" prevent in this context? The data is constantly being queried in a thousand different ways. So sure, you could encrypt it, and if someone gained access to the raw data then it would be useless, but since every process is decrypting it anyway, and that's the vector the attacker will come in on, it doesn't do you any good.
Some controls could be put in place, like storing address and personally identifiable information encrypted and only giving the decryption keys to processes that add data to the database and not ones that pull data, but that's work and complexity, and, well, it's the credit bureau's business to sell the data and there isn't a single piece of data they won't try and monetize.
Aside - I used to carry the entire backup of the data, unencrypted, to the offsite storage.
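The distinction the comments above are drawing, between transparent disk-level "encryption at rest" and application-layer encryption of individual PII fields with the key held outside the database, as an added example that is not from the article or any commenter. It assumes an in-memory sqlite3 table standing in for the consumer database and uses a stdlib-only cipher (SHA-256 counter keystream plus HMAC tag) as a placeholder for a real AEAD such as AES-GCM; a full-table read, whether via injection or stolen DB credentials, returns SSNs only as ciphertext.

```python
import hashlib
import hmac
import os
import sqlite3
# Constructed demo key/records (not real data); in production the key lives in a KMS, never in the DB.
KEY = hashlib.sha256(b"demo-key-material-do-not-use").digest()
SAMPLE_RECORDS = [("Ada Lovelace", "123-45-6789"), ("Alan Turing", "987-65-4321")]

def _keystream(key, nonce, n):
    # SHA-256 counter-mode keystream: stdlib stand-in for a block cipher.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_field(key, plaintext):
    # Stored form is nonce || ciphertext || HMAC tag; the DB never sees plaintext.
    nonce = os.urandom(12)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt_field(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def can_decrypt(key, blob):
    try:
        return decrypt_field(key, blob) is not None
    except ValueError:
        return False

def build_db(key, records):
    # The application encrypts the SSN column itself; names stay in clear for lookup.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consumer (name TEXT, ssn BLOB)")
    conn.executemany("INSERT INTO consumer VALUES (?, ?)",
                     [(n, encrypt_field(key, s)) for n, s in records])
    return conn

def dump_table(conn):
    # What a full-table read yields to anyone with query access: names in clear, SSNs as ciphertext.
    return [(n, bytes(s)) for n, s in conn.execute("SELECT name, ssn FROM consumer")]

def read_ssn(conn, key, name):
    # Only the key-holding application path can turn a row back into an SSN.
    row = conn.execute("SELECT ssn FROM consumer WHERE name = ?", (name,)).fetchone()
    return decrypt_field(key, bytes(row[0])) if row else None
```

Whole-disk encryption would have handed every one of those queries plaintext; here the blast radius of query-level access is limited to the columns left in clear, which is the trade-off the comment describes.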