House Panel Issues Scathing Report On 'Entirely Preventable' Equifax Data Breach (thehill.com)
An anonymous reader quotes a report from The Hill: The Equifax data breach, one of the largest in U.S. history, was "entirely preventable," according to a new House committee investigation. The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. "In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data," according to the 96-page report authored by Republicans. "Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."
The report blames the breach on a series of failures on the part of the company, including a culture of complacency, the lack of a clear IT management operations structure, outdated technology systems and a lack of preparedness to support affected consumers. "A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the committee staff wrote. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company's failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data." The Oversight staff found that the company not only lacked a clear management structure within its IT operations, which hindered it from addressing security matters in a timely manner, but it also was unprepared to identify and notify consumers affected by the breach. The report said the company could have detected the activity but did not have "file integrity monitoring enabled" on this system, known as ACIS, at the time of the attack.
A scathing report? That will show them!
Ooh, a scathing report!!! On the punishment severity scale that must be somewhere between a slap on the wrist and taking away some of their Schrute bucks.
And they thought _strrev() was a secure way to encrypt the user passwords. I guess this time they will switch to ROT13. Twice, for extra security!
Seven puppies were harmed during the making of this post.
...let's stop the Federal government 'picking winners' entirely, and see a report about the 'entirely preventable' 2007-2008 credit crash where the Congress-selected private firms that provided bond ratings simply didn't do the one thing they were tasked to do: objectively appraise and rate bundled funds as to riskiness?
I think suing those firms into oblivion, jailing their entire management team for fraud, and then NOT picking ANY private firms as "official" successors designated by the Federal Government will remind the marketplace that information too has value and the lack of any official designation means that investors will have to manage their OWN risk.
-Styopa
But because it's authored by Republicans I'm sure their solution is a market driven solution. I'm sorry to say that something this egregious shouldn't have a market driven solution.
You'd get more action, and public outrage if you scathed a fucking goat, than the non-fallout from the Equifax breach.
No penalty.
No public outcry.
No change what-so-fucking-ever.
Equifax is laughing their fucking asses off. 'Wow, bro! We almost got wrecked. Let's do that again!!!!!'
Equifax is part of a sector of the financial industry that makes some tidy profit monetizing fear of the incompetence of the financial industry. It is not exactly surprising they could not wrap their heads around how competent they needed to be to not get caught. But then again, having been caught being incompetent, how much do they care?
but is anyone going to actually change how they vote based on this? If not, then all that outrage is exactly as effective as this report...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Yeah, next time I am voting for the other guy instead of that guy.
If only the people writing this scathing report had the power to pass legislation to actually change something. Instead, they're stuck writing words!
Where are the leaders of the country when you need them?
but is anyone going to actually change how they vote based on this?
They had their chance last month... And in spite of it all... the GOP/DNC remains firmly entrenched for another two years. And you're right, the outrage is comedic, and a bit tragic...
“He’s not deformed, he’s just drunk!”
The NSA (government) collects and tracks everyone and these hypocrites are mouthing off about how other people are collecting data?
These clowns that have almost never worked a real job in their lives and in some cases can't even handle their own emails are lecturing other people on what they did right and wrong to secure data? What is this kangaroo court bull crap?! Since when did the public answer to congress? Screw these wannabe oligarchs.
The judicial system has the right to judge, not congress.
This does not excuse Equifax at all.
The point is that the imbeciles in congress should shut their mouths.
I can securitize, i can has job pls?
I have BA in musicology, good enough.
Blinky light good, solid red light bad.
pls to giving me job pls.
Right. One question (of many) I have is why are they still in business? Why weren't they put out of business? There'd still be two credit bureaus out there. I'm not sure who regulates this kind of operation but they sure weren't and haven't been doing their job.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
Pfft. There's going to be outrage no matter what. This is Slashdot, after all.
Applying a corporate death penalty would be an excellent way to fix this problem. Nothing would be lost since there are other credit bureaus, and it's a function that's easy to replicate.
Don't be silly. Corporations in America are never held to account for screwing people over.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
https://en.wikipedia.org/wiki/ACIS_(disambiguation)
Could someone please add the meaning of what ACIS stands for to wikipedia?
Using acronyms in articles without mentioning their full meaning in an article should be punishable by keelhauling.
OK, so the Congress that had both Dem and GOP email systems hacked, the House employing crooks to do IT support, the Obama administration which was in power and running things when the OPM hack happened, is going to ridicule Equifax? Granted, Equifax screwed up, but this is just too rich for me.
;)
Just my 2 cents
Just like GMO crops, the data lost in the Equifax breach is already long-since in the wind, and no amount of barn-door-closing-after-the-horse-is-gone will reverse that. The data likely has been copied and sold dozens of times already, and nothing short of crashing the Moon into the Earth, destroying everything and everyone, could possibly ever eradicate all the copies, or find all the people responsible and all the people who had access to it. It may as well have been uploaded to USENET, for fuck's sake. Therefore, just like the meme: I ain't even mad. Not anymore at least.
What the fuck are they going to do, now, anyway? Round up all the Equifax execs responsible for this shitshow, introduce them to Monsieur Guillotine, then mount their severed heads on poles all up and down Wall Street? Sure, I'd like to see that, but it still won't change anything. Maybe institute some strong reforms of financial regulations and practices, enforced by federal law? LOL, they'll weasel out of it somehow, lobby the ever-loving fuck out of Congress, and make sure none of it happens -- and with the Trump Administration around, they'll make damned sure none of it happens, hell they'll probably de-regulate them even more, for maximum consumer ass-raping potential the next time around.
Want my advice what to do about this? Put your money in an old coffee can and bury it in your backyard. At this point that's safer than any bank, and until and unless all of Wall Street is marched out and publicly executed as a warning, I don't see where anything is going to change.
Kill
Your
Self
there were a ton of left wing candidates who accept no corporate PAC money that tried to primary the right wing "Clinton" Democrats. Most of them lost but a few (notably Alexandria Ocasio-Cortez who took out the "young" 55 year old replacement for Nancy Pelosi).
The real power in American politics is in primary elections. By the time it gets to the general it's too late. But that doesn't mean you can't vote in your primary.
We wouldn't want to fine them now, would we?
At what point do we just go ahead and say "everybody?" 148M = basically everybody in the US with credit history. Let's fix this news headline ... "Equifax screws EVERYBODY"
No, the HUMANS who run the company failed, and they should lose their jobs, their stock options, and for the rest of their lives work to pay back what their malfeasance cost their customers. It's called "corporate accountability"!
Anyone remember Equifax getting worried that a nation was trying to steal its trade secrets to set up a similar business back home?
https://www.wsj.com/articles/before-it-was-hacked-equifax-had-a-different-fear-chinese-spying-1536768305
Ballot initiatives were somewhat successful in bringing in some nice electoral changes, mostly with regard to district drawing, in certain states.
Similar initiatives could be used to end First-Past-The-Post (I think Maine voted for the first time using instant runoff in this election), which would remove the spoiler effect and make third parties viable.
As long as FPTP prevails, the 2-party system will remain. It's not just about who people vote for, but the choices they have. Bernie Sanders is an Independent, but he only had a real chance running as a Democrat.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
When I get a new mortgage or credit card, I should be able to ask the loan company to not send my information to Equifax, and also ask the loan company to not request information about me from Equifax.
Here's a way to do that: The loan company would give me a list of all the credit bureaus that the loan company deals with. I would get the option to choose one of those credit bureaus, and tell the loan company, "Please don't send information about me to this credit bureau, or request information about me from them." Of course, I'd pick Equifax.
Besides protecting me, this would be a way to punish Equifax - by drying up their source of information, and their business.
BEGINS ???
You must be new here.
Do you like money ?
I like money too...
Credit Reporters service the Debt industry, not you. So do not use debt.
This will require increased earnings and savings on your part.
Buy your house , car, boat, in Cash.
Do not use credit cards or Bank cards.
Go Dark... and they won't have your data to steal.
Buy your own Yellow Vest in cash,
& join the revolution.
About 20 years ago I sent a legal letter to them and other credit reporting agencies and I informed them that all data referencing me is MY intellectual property and they were ordered to destroy all data and material which references me in any form or else they agree to pay me ten million dollars or they can opt out by simply destroying all information.
As a result, I have no concern for any credit score because I don't buy things on credit.