Slashdot Mirror


Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted (techtarget.com)

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

23 of 104 comments

  1. There is no way we should trust these companies by Marxist Hacker 42 · · Score: 3, Insightful

    Big Sister Corporation collecting information on you is just as invasive, just as evil, as Big Brother Government.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:There is no way we should trust these companies by K. S. Kyosuke · · Score: 2

      Wasn't there a merger of the two in the US recently?

      --
      Ezekiel 23:20
  2. Super Secure Security by forkfail · · Score: 3, Funny

    Not only are they ROT-13-ing the data, they're doing it twice for double strength security!

    --
    Check your premises.
  3. Re:CEO? by Anonymous Coward · · Score: 2, Insightful

    CEO: Hey guys, I'm going to go get grilled by Congress about our IT standards, anything I should know about?

    IT: ...crickets...

    CEO: Great, I'll run that by the lawyers.

    Lawyers: ...crickets...

    CEO: Great, I'm ready to testify before Congress!

  4. Is encryption at rest really that important? by CajunArson · · Score: 2, Insightful

    Outside of somebody stealing your drives to look at them, encryption at rest isn't that vital since when the system is live the data are going to be effectively unencrypted for use. Considering the hack had nothing to do with physical theft of drives, it's kind of off topic.

    It's like how Truecrypt can't protect your live database server from dumping data due to a SQL injection attack even if it protects the contents of the DB from physical hard drive theft.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re: Is encryption at rest really that important? by Anonymous Coward · · Score: 2, Informative

      Yes it is if you want to be PCI compliant which it looks like they're supposed to be.

      And just because the system is live doesn't mean that all the data is unencrypted for use. Decrypt what you need and leave the rest encrypted.

      I've seen this many times. Just because you don't understand why a rule is in place doesn't mean it isn't useful and with purpose.

    2. Re:Is encryption at rest really that important? by gweihir · · Score: 2

      Indeed. It basically protects against theft of your disks. For tapes, it is a bit more important. But it has zero value as defense against getting hacked. The question is about as clueless as the answer was.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Re:CEO? by phik · · Score: 4, Insightful

    He should know this, but I also see your point. It's a real "got you" question. I'm sure the CEO knows exactly what encryption is, and roughly how it works, but may not know exactly what the difference between "encryption" and "encryption at rest" is, and didn't want to say something under oath that turned out to be wrong.

  6. Why testify in front of Congress? by bradley13 · · Score: 2

    If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point? I mean, the damage is already done, nothing Congress can do to change that. If a crime has been committed, those responsible should be prosecuted. If civil damages occurred, they should be sued. What's the point of the grandstanding by Congresscritters?

    That said, a CEO who knows he is going to get publicly grilled ought to have all of his ducks in a row. There's no excuse for not knowing something as basic as "is your data encrypted".

    And on the gripping hand, depending on how something is hacked, "at rest" encryption may just be totally useless. It will protect you if someone gets a raw copy of your database, but if they have access to your application infrastructure, that infrastructure will happily decrypt the data for them, because that's what it does. Meanwhile, you will take a *huge* performance hit on a lot of database operations. Really, I have trouble imagining the small additional security being worth the cost in performance. But maybe I'm not familiar with enterprise-scale operations - anyone who is care to comment?

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Why testify in front of Congress? by DanielRavenNest · · Score: 2

      Congress' job is to write laws. Committee hearings are part of the process of determining what new laws, or changes to existing ones, are needed.

      Yes, the Equifax breach is in the past, and can't be changed. That's not the point. The point is what future changes can be made to prevent things like this in the future. Note that the hearing's title is "Protecting Consumers in the Era of Major Data Breaches" - plural breaches, with more to come in the future. Equifax is just a really good example of what can go wrong.

      Personally, I would rather that personal data was not all stored in big databases, making them attractive targets to be hacked. Split the data up, so that users hold part, and business hold part, and you need both parts to make it readable.

    2. Re:Why testify in front of Congress? by dave562 · · Score: 2

      Encryption at rest happens on the storage hardware itself. It is there to protect against someone stealing physical drives out of the storage array and reading data off of them. It does not have any effect on the performance of the applications running on top of the storage array.

      What you are thinking about that causes a performance hit is database level encryption. For example, newer versions of MSSQL server (at least 2012+) will allow encryption on individual databases, tables and even specific columns. (I am only familiar with MSSQL. I cannot speak to Oracle or others.) While there is a performance hit, your characterization of it as *huge* is a bit dramatic. (https://sqlperformance.com/2015/08/sql-server-2016/perf-impact-always-encrypted)

      Somewhat on topic here, the fact that Equifax's data was not encrypted at rest and in the database is beyond belief. My company works with the largest financial institution in the world. They have been doing regular yearly audits of our infrastructure for nearly a decade. Encryption has been on the audit checklist forever and we have been running it since 2012.

      The only thing that sucks about encrypted databases from an operational point of view is backing them up. Most enterprise backup systems use some sort of compression and deduplication. As do SANs. Encrypted data does not de-dupe worth a damn. So it is very expensive from a CapEx perspective. But this is Equifax we are talking about. They have all the money in the world, more or less. A couple tens of million dollars for enterprise grade storage and backup is nothing to them.

  7. Software is eating the world. by w3woody · · Score: 3, Insightful

    And it's poorly written, poorly managed, poorly understood and completely under-appreciated by the C-suite until something goes pear-shaped.

  8. Re:CEO? by w3woody · · Score: 2

    No, but the CEO, along with the CTO, are responsible for creating the policies which drive the procedures for the company. So while he may not be expected to know the specific implementation, he should know the policies and goals for corporate security. Bouncing those policies to some "VP of Security" only means those policies will not be taken seriously.

  9. Re:CEO? by i286NiNJA · · Score: 4, Funny

    This is why he gets paid the big bucks! Not just anyone is capable of staying this conveniently negligent and uninformed.

  10. Re:CEO? by _Sharp'r_ · · Score: 5, Informative

    Because encryption at rest of any taxpayer identification data is a federal government requirement as part of a normal contracting process. So either Equifax does something different between their government-facing systems and their public ones (possible), or they are also in noncompliance of the contractual requirement.

    In a large, security conscious organization, even one much, much larger than Equifax (like where I work, which probably has a few hundred or more Equifax sized financial operations), any security vulnerability like not encrypting restricted data at rest would be specifically risk accepted by the business and technical owners of the system, and then would be included in a report to the CEO and the Board highlighting the issue and requiring them to specifically sign off on it before it was allowed.

    So yeah, it doesn't shock me that the CEO of Equifax (which doesn't appear to have much in the way of data security processes) doesn't know, but in a responsible organization, the CEO and the Board would not only know about something like that, they'd have explicitly signed off on taking the risk, because there isn't anyone else besides the shareholders who are going to be holding the bag when the risk turns into a reality. Wouldn't you want to know, if you were in that position of responsibility?

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  11. Re:CEO? by Opportunist · · Score: 2, Insightful

    Well, bouncing the exact details to some VP of security (the CISO) is pretty much what will happen, out of necessity. But, and this is crucial, he must make sure that everyone knows that anything security related that comes out of the CISO is like it came from him himself and has to be implemented with an implied "or else".

    Anything less means the next thing a sensible CISO does is hand in his resignation. The CEO's job is to define the strategic goal and the target what security should achieve. He needn't understand the details, that's what the CISO is there for, but he must back up the CISO. Else the CISO is just the scapegoat, to be fired when (not if) the shit hits the fan.

    And I have this suspicion that this is exactly what went down in this case.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. I worked for a credit bureau - encrypting at rest by FeelGood314 · · Score: 3, Insightful

    What the hell does "encrypting at rest" prevent in this context? The data is constantly being queried in a thousand different ways. So sure you could encrypt it and if someone gained access to the raw data then it would be useless but since every process is decrypting it anyway and that's the vector the attacker will come in on it doesn't do you any good.

    Some controls could be put in place like storing address and personal identifiable information encrypted and only giving the decryption keys to processes that add data to the database and not ones that pull data but that's work, complexity and well it's the credit bureau's business to sell the data and there isn't a single piece of data they won't try and monetize.

    Aside - I used to carry the entire backup of the data, unencrypted to the offsite storage.
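
The write-only-key control described in the comment above (and the earlier point that you can decrypt only what you need and leave the rest encrypted), as an added Go example that is not from any commenter or from Equifax: each PII column value is sealed to the reader service's X25519 public key with a fresh ephemeral key and AES-256-GCM, so ingest processes that hold only the public key can insert records but never read them back, while the private key lives in one audited reader service. The column names, sample values and the simplified SHA-256 key derivation are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const ephLen = 32 // sealed field layout: ephemeralPub(32) || AES-256-GCM ciphertext+tag
// GenKey makes an X25519 key pair: the reader service's long-term key (its private half
// never leaves that service) or a per-record ephemeral key.
func GenKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }
// fieldGCM keys a one-record AES-256-GCM from the shared secret and both public keys.
// Plain SHA-256 stands in for a KDF here; production code would use HKDF.
func fieldGCM(shared, ephPub, readerPub []byte) cipher.AEAD {
	k := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), readerPub...))
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Each record gets a fresh ephemeral key, hence a unique AES key, so a fixed nonce is safe
// (the single-shot construction HPKE also uses). Never reuse this pattern with a static key.
var zeroNonce = make([]byte, 12)
// SealField encrypts one PII value for the holder of readerPub. Ingest needs only the public
// key, so it can write records it can never read back. The column name is authenticated as
// AAD, so a ciphertext cannot be silently moved to another column.
func SealField(readerPub *ecdh.PublicKey, column string, plaintext []byte) ([]byte, error) {
	eph, err := GenKey()
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(readerPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm := fieldGCM(shared, ephPub, readerPub.Bytes())
	return gcm.Seal(ephPub, zeroNonce, plaintext, []byte(column)), nil
}

// OpenField runs only inside the restricted reader service that holds the private key.
func OpenField(reader *ecdh.PrivateKey, column string, sealed []byte) ([]byte, error) {
	if len(sealed) < ephLen {
		return nil, fmt.Errorf("sealed field too short: %d bytes", len(sealed))
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(sealed[:ephLen]) // length checked; X25519 takes any 32 bytes
	shared, err := reader.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm := fieldGCM(shared, sealed[:ephLen], reader.PublicKey().Bytes())
	return gcm.Open(nil, zeroNonce, sealed[ephLen:], []byte(column))
}
```

A process that holds only `readerPub` can call `SealField` for every inserted row, but a compromise of that process yields no decryption capability; the audit trail for `OpenField` then lives in one place.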

  13. Re:He doesn't have time for that shit. by Opportunist · · Score: 2

    Throw that asshole into a jail cell and you'll see how he suddenly has plenty of time.

    And don't tell me there isn't PLENTY of reason for doing so.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. What kind of garage shop is this? by Opportunist · · Score: 2

    For real. This gets worse and worse every time you get to hear about it. How can he NOT know this MONTHS after the breach? I could see that this isn't something he needs to know for everyday business, his background is probably in finance, legal or business administration, that's where most CEOs come from and that's also what they deal with in day-to-day business.

    This isn't fucking day-to-day business!

    How it is possible that MONTHS after the breach he obviously still doesn't know at least the crucial, important bits about the breach is beyond me! I know that I'm the odd idiot who does actually prepare for such situations, I created whole binders for PR to keep the press occupied until we're ready for a public statement so they can send them on a wild goose chase without us looking like we're stalling should something like this ever happen to us, with similar folders for the relevant C-Levels that could possibly be asked for statements, along with pretty much me only having to tell you which folder to pull out of their desk and learn (or at least read at the inevitable PK), I know that few go to those lengths but it is valuable. When the shit hits the fan, you do not have time for this bullshit.

    But, FUCK, even after ... what has it been now? 2 MONTHS? Two fucking months nobody bothered to brief the CEO so he doesn't look like a total and utterly worthless piece of junk with the only quality of being far too high maintenance to be kept alive because he might waste valuable O2 that someone could put to better use? For real?

    I mean, ok, his CISO was what? An opera singer or someone equally qualified? Ok, one could argue that it's his own fault if he has no clue how to pick and choose his C-Levels, but FUCK, how the heck is that guy still outside of a prison cell? How is it even possible that directorate and board didn't rip him a new one up so far that even a turtleneck couldn't cover it anymore?

    What the hell is going on here?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:CEO? by rogoshen1 · · Score: 2

    It's such a fundamental fucking question considering who he is, and why he was being summoned.

  16. Re:CEO? by rogoshen1 · · Score: 2

    Thank god he runs a corporation who makes it their job to collect, store, and act on highly sensitive personal information about hundreds of millions of people. I'm glad he's got his plausible deniability down pat.

  17. Re:CEO? by hawguy · · Score: 2

    Why the heck would anyone expect a CEO to know the details of the software implementation? It's not his job to know, nor would I expect him to know, and whatever understanding he might have is probably not to be trusted.

          Other people in the company should know, but this, come on?

    My company's CEO has a very good understanding of our security that goes deeper than just knowing if it's encrypted or not. For example, he knows exactly how customer keys are protected by an HSM (and how the HSM is mirrored across multiple regions). He's given more than one public talk on our security.

    Just like Equifax, we're an information company, so a better question is why the heck doesn't a CEO know how they protect the company's most valuable asset?

  18. Re:CEO? by ranton · · Score: 4, Interesting

    A CEO of a financial services firm should know what encryption at rest is as well as he knows what a balance sheet is. I work in financial services and I've had many meetings where we discussed which personal identifiers and other data need to be encrypted at rest. It is often the first thing they ask about when we are moving an existing system to a cloud based vendor. At two companies where I was either heavily involved or in charge of moving data to a new system, I have only had a handful of incompetent managers ask me what encryption at rest meant.

    Every competent member of management at a company which values their customers should know basic security concepts like encryption at rest.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke