House Panel Issues Scathing Report On 'Entirely Preventable' Equifax Data Breach (thehill.com)
An anonymous reader quotes a report from The Hill: The Equifax data breach, one of the largest in U.S. history, was "entirely preventable," according to a new House committee investigation. The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. "In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data," according to the 96-page report authored by Republicans. "Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."
The report blames the breach on a series of failures on the part of the company, including a culture of complacency, the lack of a clear IT management operations structure, outdated technology systems and a lack of preparedness to support affected consumers. "A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the committee staff wrote. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company's failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data." The Oversight staff found that the company not only lacked a clear management structure within its IT operations, which hindered it from addressing security matters in a timely manner, but it also was unprepared to identify and notify consumers affected by the breach. The report said the company could have detected the activity but did not have "file integrity monitoring enabled" on this system, known as ACIS, at the time of the attack.
A scathing report? That will show them!
And they thought _strrev() was a secure way to encrypt the user passwords. I guess this time they will switch to ROT13. Twice, for extra security!
Seven puppies were harmed during the making of this post.
...let's stop the Federal government 'picking winners' entirely, and see a report about the 'entirely preventable' 2007-2008 credit crash where the Congress-selected private firms that provided bond ratings simply didn't do the one thing they were tasked to do: objectively appraise and rate bundled funds as to riskiness?
I think suing those firms into oblivion, jailing their entire management team for fraud, and then NOT picking ANY private firms as "official" successors designated by the Federal Government will remind the marketplace that information too has value and the lack of any official designation means that investors will have to manage their OWN risk.
-Styopa
Equifax is part of a sector of the financial industry that makes some tidy profit monetizing fear of the incompetence of the financial industry. It is not exactly surprising they could not wrap their heads around how competent they needed to be to not get caught. But then again, having been caught being incompetent, how much do they care?
Nah, there was definitely public outcry, the government just didn't care. Equifax must've provided our congress-critters with some REALLY high quality recreational drugs.
but is anyone going to actually change how they vote based on this? If not, then all that outrage is exactly as effective as this report...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Yeah, next time I am voting for the other guy instead of that guy.
but is anyone going to actually change how they vote based on this?
They had their chance last month... And in spite of it all... the GOP/DNC remains firmly entrenched for another two years. And you're right, the outrage is comedic, and a bit tragic...
“He’s not deformed, he’s just drunk!”
Right. One question (of many) I have is why are they still in business? Why weren't they put out of business? There'd still be two credit bureaus out there. I'm not sure who regulates this kind of operation but they sure weren't and haven't been doing their job.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
There wasn't really a huge public outcry.
Slashdot is not the demographics of the country as a whole. The vast majority of the population only has a vague idea of what a credit rating is, what it is used for, and what could happen if the information gets out.
The news folks went and interviewed random Joe/Jill-on-the-streets on this issue when it happened. The majority response was "What's an Equifax?".
My UID is prime and so is this number: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.
It is a distraction to divert attention away from the government's failure to secure the data of millions of security clearance applicants.
OMB data breach - https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
Remember, You are unique...just like everyone else.
Applying a corporate death penalty would be an excellent way to fix this problem. Nothing would be lost since there are other credit bureaus, and it's a function that's easy to replicate.
Don't be silly. Corporations in America are never held to account for screwing people over.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
OK, so the Congress that had both Dem and GOP email systems hacked, the House employing crooks to do IT support, the Obama administration which was in power and running things when the OPM hack happened, is going to ridicule Equifax? Granted, Equifax screwed up, but this is just too rich for me.
;)
Just my 2 cents
Just like GMO crops, the data lost in the Equifax breach is already long-since in the wind, and no amount of barn-door-closing-after-the-horse-is-gone will reverse that. The data likely has been copied and sold dozens of times already, and nothing short of crashing the Moon into the Earth, destroying everything and everyone, could possibly ever eradicate all the copies, or find all the people responsible and all the people who had access to it. It may as well have been uploaded to USENET, for fuck's sake. Therefore, just like the meme: I ain't even mad. Not anymore at least.
What the fuck are they going to do, now, anyway? Round up all the Equifax execs responsible for this shitshow, introduce them to Monsieur Guillotine, then mount their severed heads on poles all up and down Wall Street? Sure, I'd like to see that, but it still won't change anything. Maybe institute some strong reforms of financial regulations and practices, enforced by federal law? LOL, they'll weasel out of it somehow, lobby the ever-loving fuck out Congress, and make sure none of it happens -- and with the Trump Administration around, they'll make damned sure none of it happens, hell they'll probably de-regulate them even more, for maximum consumer ass-raping potential the next time around.
Want my advice what to do about this? Put your money in an old coffee can and bury it in your backyard. At this point that's safer than any bank, and until and unless all of Wall Street is marched out and publicly executed as a warning, I don't see where anything is going to change.
there were a ton of left wing candidates who accept no corporate PAC money that tried to primary the right wing "Clinton" Democrats. Most of them lost but a few (notably Alexandria Ocasio-Cortez who took out the "young" 55 year old replacement for Nancy Pelosi).
The real power in American politics is in primary elections. By the time it gets to the general it's too late. But that doesn't mean you can't vote in your primary.
At what point do we just go ahead and say "everybody?" 148M = basically everybody in the US with credit history. Let's fix this news headline ... "Equifax screws EVERYBODY"
Ballot initiatives were somewhat successful in bringing in some nice electoral changes, mostly with regard to district drawing, in certain states.
Similar initiatives could be used to end First-Past-The-Post (I think Maine voted for the first time using instant runoff in this election), which would remove the spoiler effect and make third parties viable.
As long as FPTP prevails, the 2-party system will remain. It's not just about who people vote for, but the choices they have. Bernie Sanders is an Independent, but he only had a real chance running as a Democrat.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
I don't know if it was a deliberate distraction but FFS the OMB breach should be far and away the biggest concern! It's a major compromise that put intelligence assets at significant risk, and basically every federal employee and their families in all the same ways the Equifax breach and others do.
We also have a lot of reason to think China was behind it.
Frankly the way it was handled is disgusting. Firstly, being an Obama admin failure, the press basically ignored it to the degree they could. Because it was China the politicians did nothing in terms of retaliation or punitive actions.
Really, forget the damned Russia investigation, we need to be investigating China and everyone in government's ties to it! How is it that a top Interpol official can just disappear in China and it gets virtually no press coverage, and nobody on the Hill talks about it, but we go on for weeks because the Saudis kill some Muslim Brotherhood propaganda mouthpiece; because woop de doo he got a few opinions published in some of our rags a few times, therefore anyone touching him is a threat to democracy.
Two things are clear:
China owns our government and press corps.
Our government is absolutely incapable of protecting our information assets as organized today; while there are some smart people at NIST and the NSA, they are not making the decisions around how the chicken coop is guarded. I would argue that until the Federal government is able to re-establish itself as an exemplar for good information security and asset protection, they have no business telling anyone else what to do. Make some standards, prove them out in government first, and then, if they really are good, regulate and force them on others, but ONLY then.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html