Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months

phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.
The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.

Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.

Not noticing?? That's bad

[davidwr]

I can see a company delaying patching serious bugs long enough to test it and make sure the fix isn't worse than the bug.

I can see a company treating bugs that aren't reported as being serious as non-serious.

I can see a company assessing a "serious" but and determining it's not serious in their environment and not treating it with urgency.

But that's not what happened here.

Heads deserved to roll and at least two did.

Re:Not noticing?? That's bad

[Anonymous Coward]

They didn't officially notice the breach until after they sold off their stock shares... So they say.

Not really

[rsilvergun]

She retired. She wasn't fired. So she'll get to take it all with her. Once again, the ruling class (and at CSO level she's a member) take care of themselves. And once again, I sure wish we could get the working class to do the same. Hell, we can't even get the working class to agree Healthcare is a right and not a privilege.

Re: Not really

[Corbets]

Completely off topic, but that could be because it *is* a privilege, not a right.

Someone else has to work to provide you with that healthcare. A lot of someones, in fact. What exactly gives you a right to their service?

That said, it's a privilege I think we all should share, and live in a European country where that is the case, but I can't see it being a right.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Hognoxious]

By allowing her to simply retire, they render her unavailable to be questioned during the discovery phase of any court cases against them (she is now just another citizen, and she can only be compelled to give testimony in a criminal trial or by congress).

As a material witness I'd rather suspect she could be issued with a subpoena by any court.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Hognoxious]

Only in a criminal case.

O Rly?

Under state and federal civil or criminal procedural laws, subpoenas offer attorneys a chance to obtain information to help prove or disprove their client's case. [...] Similarly, civil attorneys often subpoena individuals to obtain information that may help settle someone's claim. [findlaw.com]

A subpoena is an order requiring a person to attend a particular event or proceeding, such as a small claims hearing. [civillawse...center.org]

Subpoenas can be issued in criminal cases, in private ("civil") lawsuits; they m [berkeley.edu]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[swb]

I'd guess its way more complex than any of this. I'm sure she had a really good employment contract with a ton of conditions surrounding an involuntary termination of her contract -- large cash payouts, no non-disparagement, no forced mediation, and free to disclose any information not held under any specific non-disclosure contracts.

Her main leverage against involuntary termination, though, is that firing a corporate officer for negligence is an admission of corporate negligence and makes the corporation

People have an imaginary concept of gov't waste

[rsilvergun]

fed to them by billionaires and corporations that don't want to pay taxes. I remember a story during the height of the tea party boom of a small town that tried something like that. They eliminated all taxes and were genuinely shocked when the services stopped. They just figured all the waste would get cut and everything would be honky dory.

There's also a lot of "I got mine, fuck you" going around. A general sentiment that since I worked hard to get where I'm at I shouldn't have to pay for other folks. O

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[nospam007]

"Because America's private health care industry leads the world in health innovations more than the rest of the world combined. "

Actually no, just in the highest prices.

"Government doesn't innovate. Never has, never will."

Nobody said so.

"Healthcare is rationed in socialized countries."

No. You also don't have to wait for 10 hours in emergency care.

"Socialized countries also have the highest tax rates," ...with functioning infrastructure, yes.

" lowest home ownership rates,"

Also untrue. The US has a rate of 67

Re:

[bjwest]

In the US, the government cannot force you to purchase a product as it is unconstitutional.

You obviously don't own an automobile, or you live in New Hampshire.

Re:

[bjwest]

Sorry, I forgot state government isn't government and doesn't have to abide by the Constitution. My bad.

Re:

[account_deleted]

Comment removed based on user account deletion

you might want to talk to someone

[publiclurker]

from another country before you pretend to have a clue what they think about things. you will end up humiliating yourself a lot less that way.

Re: Not noticing?? That's bad

[dougdonovan]

i wonder is she would notice a flat tire on her car ? she would probably just buy a new car.

Re:Not noticing?? That's bad

[pop ebp]

When the break-in first came to light, lots of people criticized Equifax, but a vocal minority said something along the lines of "No system is absolutely secure. We don't know if the hackers used a zero-day vulnerability against Equifax. They could have followed all the security best practices and still be hacked."

My response was "If the past is any guide, every time a major company was hacked, it was eventually traced to vulnerabilities in outdated software that should have been patched months ago. I am going to assume this is the same."

Turns out I was right. Companies never learn.

Re:

[93 Escort Wagon]

That doesn't change the fact that no complex system is secure.

Fundamentally there are levels of security, and our job is to make the systems we manage as secure as possible. SSH is likely not 100% secure (thanks, NSA!), but that doesn't mean we should just go ahead and allow Telnet access.

It's also why people who manage multiple servers generally rely on linux distributions and their support frameworks rather than trying to keep track of everything themselves. Sure, Red Hat and Ubuntu have occasionally dropped the ball... but that's gonna happen a lot less often than

Re:

[Anonymous Coward]

No lock is 100% secure, thus I don't lock my doors.

No seatbelt is 100% safe, thus I don't wear seatbelts.

No food is 100% safe, thus I don't eat.

Re:

[epine]

Heads deserved to roll and at least two did.

Talk about low aim steering.

These credit agencies have special legal exemptions from slander and liability law. If incorrect and badly sourced information winds up in your file, and they spread it far and wide among your core business relationships, just try to collect damages.

Heads deserve to roll, and none have.

Re: Not noticing?? That's bad

[Anonymous Coward]

But but but but WOMEN IN TECH.
This is what happens when you hire someone because she has a vagina instead of actual qualifications.

This. Exactly this. Hire based on qualifications, not on gender.

Re: Not noticing?? That's bad

[Randall Smith]

We don't know if she did or didn't have the necessary experience or qualifications. We only know her degree was in music. I understand your point, and in and of itself it is valid. We just need more information to determine if she is actually qualified or not.

Re: Not noticing?? That's bad

[Anonymous Coward]

Releases every American's personal info to hackers while on the job specifically to protect it.

Not sure if unqualified though. Need more info.

Re:

[Minupla]

Add to to this - It's not exactly 'normal' for the CSO level to be exposed to the level of detail of "Hey boss we have this Apache Struts vulnerability in these servers. We're gonna punt this down the road a bit... now moving down to decision #343 made by people below you in the last week"

CSO level conversations are more of the sort "Hey boss, ass you can see on the dashboard, we have 124 vulnerabilities that have breached our maximum time to resolution according to the policy. Can we get another headcoun

Re:

[kenai_alpenglow]

She is responsible for those under her. I don't care about her degree/qualifications/etc....her section failed miserably. When a wing commander loses a couple of planes due to maintenance issues, he's not the one who turns the bolts or even the supervisor of those who do--but ultimately he is responsible for hiring/training/etc of the chain that does. So he gets "early retirement"...Same here--she needed to go.

Re:

[Zxern]

Exactly. That is the justification for the incredibly high salaries and benefits C level exec get isn't it? If they aren't going to be responsible then they don't really need that level compensation do they?

Re:

[The Cynical Critic]

This person may not have had their education or any kind of previous work experience "in tech", but they certainly were "in tech" when they worked a very "in tech" job.

I genuinely hope this wasn't what it seems like because if it is, then it just makes an incredibly stupid chain of events even dumber. Just the incompetence in itself is more than enough reason to put some much more strict limitations on what kind of data companies like these can collect. Collecting social security numbers should be absolu

Re: Not noticing?? That's bad

[Type44Q]

Poltical correctness: if you can't find a fault in the logic, mod it down!

Re:

[Hognoxious]

I don't know how much of a golden parachute she'll get but a man would have got THIRTY TIMES as much.

(deputising for AmiMoJo, who's got the painters in)

Good news everyone!

[mrsam]

The company has finally figured out how to use a random number generator, from TFA:

The company clarified that consumers placing a security freeze will be provided a randomly generated PIN.

Re:Good news everyone!

[arth1]

Unless the entropy requirements are published, the assumption should be that it's not random, but a pseudo-rng with known flaws.
Exchanging "date +%m%d%Y%H%m" with "ran=frac(9821 * ran + 0.211327)" does not qualify for "random", although it might be a good enough number for this purpose.

Re:

[classiclantern]

I would not describe victims of Equifax's data collection and loss as "consumers." What are they consuming? Neither are they "customers" since that would be the banks/loan applicants paying for financial information. Let's call them what they are. Victims. EVERY Equifax "victim" should automatically have a security freeze placed on their account by Equifax (and all the other agencies) and if the information is needed, proper identification required to release the data. Period.

Incompetent idiots

[Anonymous Coward]

Blaming this on a single security flaw just shows how incompetent they are. It's your design and approach at security that's flawed to begin with.

Allowing some shiny MVC framework directly accessing a database containing millions and millions of personal records is just plain dead retarded software design. This kind of incompetency should be fined, let's start with $100 for every record that got stolen in compensation. If such an incident can instantly bankrupt you, maybe then these companies start to take their software security serious.

Re:

[epyT-R]

So what SHOULD be used to access such sensitive databases?

Perhaps we should criminalize the warehousing of sensitive information.

Re: Incompetent idiots

[that this is not und]

A lot of 'sensitive information', namely things like SSN, are only sensitive because the credit application process has been so sensitized. Credit extending companies want it to be trivially easy to extend credit. They want the cashier at a clothing store to be able to issue a credit card to customers at the point of sale. So things that used to be ordinary accessable information like SSNs are made into secrets, for the convenience of credit issuing companies.

When I attended college at a small liberal arts school in 1979 they didn't really have a student ID number. They just used students' SSNs as an id. So SSNs were scattered all over campus fairly freely. You used a card with your SSN on it at the library to check out books.

There is really no reason for this not to be okay, except for businesses who want to be able to use your SSN as a sort of 'secret password' to allow youbto go into debt to them.

Re: Incompetent idiots

[belthize]

Same here, college I went to in the mid-80s used our SSN as the student ID number, Sometime around 87 or so they appended the number 4 to the end because they claimed it was illegal to use your SSN as a form of identification. I found that logic fascinating.

For years I've been a proponent of just posting everyone's SSN on a website so we can quit pretending it's a secure bit of info. As long as folks falsely think it's secure they'll keep using it.

Re:

[Hognoxious]

What about foreign students?

Re:

[Wescotte]

Obviously, they were given citizenship and assigned an SSN.

Re: Incompetent idiots

[silverdirk]

I think it was 2001 when University of Cincinnati stopped using SSN as the student ID

Re:

[Bigbutt]

Yea, in the military in the 70's, you were advised to put your SSN on all your personal gear. Most of my 70's era gaming gear and books have my SSN and full name written in the inside covers.

[John]

Re:

[kenai_alpenglow]

If you were in the AF they told you to put "AF" in front of the ssn--that way it's not your SSN anymore...so they could get by privacy act rules.

Re:

[Zaelath]

You don't allow the web servers to pull the entire database, unless it's MyFirstWebApplication with GRANT ALL TO 'webserver'@'localhost' IDENTIFIED BY 'p@ssword'.

You only allow the web server to pass a set of identifying data, like Name, DOB, Address, and return the (hopefully) single match.

You may well have full access from a workstation in the office, or from other servers in the data centre, but NOT from the publically facing internet unless you're incompetent.

Re:

[gweihir]

Very much so. Mistakes can happen, but ignoring a relevant CVE for months will not happen with halfway competent security people. The problem, however, is that no competent security people were hired and the CEO should lose his job immediately and be prosecuted for criminal negligence for that.

Re:

[bravecanadian]

Very much so. Mistakes can happen, but ignoring a relevant CVE for months will not happen with halfway competent security people. The problem, however, is that no competent security people were hired and the CEO should lose his job immediately and be prosecuted for criminal negligence for that.

What if they had competent security people but insufficient budget / authority to override operations for a security concern?

Re:

[tsstahl]

I find your scenario to be much more the real experience and the parent to be the hypothetical.

Re:

[gweihir]

You probably have no experience with the inner workings of large corporations...

Re:

[david_thornley]

Equifax wasn't legally required to have inadequate security measures. How much budget and authority the security people had was a business decision, and Equifax should be held accountable for bad business decisions that hurt others.

Re:

[gweihir]

Just my thought.

Stock sold ??

[Anonymous Coward]

What will happen with the one that sold they stock before annoncement.

Re:

[cdreimer]

The three executives who sold stock before the data breach became public knowledge are being investigated by the SEC for insider trading. Unless they can prove that this was a "routine" sale (I.e., consistently sold shares every quarter) and the timing was coincidental, they are facing my fines and/or prison sentences.

Re:

[gweihir]

If the law works, they will go to prison. However "the law" is a tool to keep the masses under control, it does not implement justice, even though that is the cover story. My guess: Slap on the wrist, i.e. fine that is too low to balance the gains they made.

Patching is not the only answer.

[ErikTheRed]

I have some (extremely limited) sympathy for patching "deep applicaiton infrastructure" things like Struts, because it can take quite a bit of QA to make sure that the patches don't break the application or make the problem worse. That being said, it's a top priority and companies - especially in a PCI or similar compliance environments - need to budget the time and resources to deal with issues like this, because they will pop up on a regular basis.

That being said, this problem could have been blocked without patching. First of all, an application-level proxy / API that sanity checks the types and rate of requests should have been between the public web application and the database back end. All sorts of mischief can be either stopped or at least slowed down here, and the failure to have something list this is a major architectural error. Secondly, a reverse-proxy (or load balancer) could look for attacks of this nature and block them before the get to the web server. F5's products are explicitly capable of stopping this CVE, and I'm sure some of their competitors can do it as well.

Security needs to exist in layers, because at some point people will screw up at one layer or another. That's just human nature, and it will not change until AIs take over the world and enslave us, but that's a problem for 2019.

Re:Patching is not the only answer.

[Gravis Zero]

it will not change until AIs take over the world and enslave us, but that's a problem for 2019.

Actually, that was a problem for 2019 which we solve in 2047 by solving the problem 1997. We pushed Clippy into Microsoft office and everyone saw much earlier how annoying he was and it sealed his fate before they made him intelligent. You wouldn't believe how annoying it was to be enslaved by a smart version of Clippy. I don't know what the future hold but thank your lucky stars we aren't going to be enslaved by Omega Clippy. I still have nightmares about it... ("Looks like you're trying to breathe, would you like me to push air into your lungs?" "Fuck you, Clippy! Just let me die!" "Your response is illogical, you will live to continue serving us.")

The trouble is nobody likes paying programers

[rsilvergun]

to sit around waiting for these kinds of things. But you need skilled people to do it and there's only so many H1-Bs you can have work full time on one thing while three or four times a year ramping up to an 80+ hour work week. Most experienced programmers won't put up with those kinds of hours except occasionally. Once they figure out it's part of the job they leave if they can.

So you either find a way to get the indentured servants that are folks here on work visas or you pay people to sit around waiting for problems and fixing them. It's usually only $300-$500k/yr. A sizable chunk of change but still quite affordable to large companies. But saving that $300-$500k was somebody's bonus the year the decision was made.

Re:The trouble is nobody likes paying programers

[phantomfive]

You can say that again.

Ask any programmer: "When was the last time you had a sprint to look at security? When was the last time your manager gave you extra time on a task to make sure it was secure?" The answer is always "never."

Re:

[bravecanadian]

Ask any programmer: "When was the last time you had a sprint to look at security? When was the last time your manager gave you extra time on a task to make sure it was secure?" The answer is always "never."

This person gets it.

On the same note, ask any IT infrastructure person how difficult it is to get spending and policies in place to maintain best practices in most organizations.

Re:

[DarthVain]

That said when it is considered, most of the security policies I've seen are most about applying blame than actual "security".

Essentially, you've made the security restrictions so hard to use that users are all going to circumvent it. "Well then it isn't our fault, it is theirs". The simple example are ridiculous login procedures which prompt all the users to write all the details down on sticky notes and attach it to the monitors... To which they would argue that it was secure, and it is all the users faul

Re:

[phantomfive]

That's a really good point.

Retiring is a lot better than firing

[Anonymous Coward]

She's going to get her pension and benefits, which given her title, is a lot of money. Maybe even some sort of parachute.

This needs to be fully investigated, and she should probably lose all of it.

Re:

[arth1]

Being sent to the dilithium mines on Rura Penthe seems appropriate. Or the coal mines in Pennsylvania. She worked her way up, now she can work her way down.

Re:

[JeffOwl]

Typically you don't lose your pension when you get fired for incompetence. Only when you get fired for misconduct, and often not even then unless the misconduct was felony level.

Re:

[bravecanadian]

Get diversely fucked.

What makes you think this was a diversity hire?

It is very common for top managers in tech to be relatively clueless about what they are managing.. just like top-level management everywhere. :)

That said, I haven't seen any information about her qualifications or lack thereof.

Re:

[Mashiki]

Diversity has nothing to do with incompetence.

Except when "diversity" is being used in a religious like way to bump or push a candidate into a position, even when a more talented person would have been hired. To a point: She wasn't likely hired because she was a music major. She was likely hired into that position because they were female. So that the company could show just how "progressive" they were and "rah feminism" they are at putting women into high level positions(you know the bullshit that feminists and progressive have been pushing for 7-8

Re:

[sinij]

If we are honest, merit was always secondary consideration. Before recent diversity at all costs push, it was connections and schmoozing that got unqualified males promoted to the top. It isn't structurally different from what is going on right now. The key difference is that today unqualified candidates mistakenly believe they can actually make decisions, while in the past they mostly worked on putting away hard liquor before lunch, and played golf all afternoon.

Re: Hire based on diversity

[arth1]

It means the all things being equal between candidates in technical knowledge

In all my years of sorting through job applications and conducting interviews, "all things being equal" has never occurred.

Instead, what does occur is that HR managers or upper management hint strongly that "won't someone rid me of this meddlesome diversity quota imbalance". The end result is that some will hire the first diversity candidate that in good light meets absolute minimum requirements, despite there being better candidates available.

Re:

[sgtsquid]

Quack! Quack! I love Big Brother too!

I wish I could make a mistake that pays me $1B

[Anonymous Coward]

So now everyone in the US is encouraged to pay each of the credit bureaus $10 or more to "lock down" their credit. Why isn't this free? Why should they get $1B (100M "customers" * $10) over their mistake?

Re: I wish I could make a mistake that pays me $1B

[Anonymous Coward]

Maybe this CEO is actually a genius?

Not quite

[bagofbeans]

If everyone old enough to receive credit or get a job locked down their CRA files, the CRAs would go out of business.

Look for:
1. The lock down fee changing from one-off to a yearly subscription.
2. The definition of what access is allowed to a person's locked down file to be changed to allow everything but opening a new account.

Re: Hiring anti-tech employees is a bad idea

[sinij]

Thing is, this is what 'next quarter' corporate culture rewards - accountants and lawyers cooking books and lobbying for government handouts.

Re:

[bravecanadian]

Thing is, this is what 'next quarter' corporate culture rewards - accountants and lawyers cooking books and lobbying for government handouts.

Exactly. These breaches are going to happen again and again to organizations until regulation steps in or, by some miracle, the technology professions start being given respect in organizations (very doubtful outside of tech companies).

At the moment CTO/CSO/CIO are the backwater and low power positions of senior management at non-tech companies.

PCI compliance farce

[speedlaw]

So, one year they send me two documents. One says "pci compliance". One is for data breach insurance. I do the PCI, and toss the insurance. The next year, they send me PCI compliance, and charge me for the insurance. I call, tell them no, as I don't have any hackable databases, unless you break into my office and pull out handwritten credit card numbers from each individual file. I argue with them, and they tell me that it is mandatory. I read the policy, and find it is almost useless. If I don't PCI, they charge me $20 per month "noncompliance fee". If I do, they then charge me a bit under $200 for this useless insurance anyway. Meanwhile, someone goes to the front door and walks off with the whole database ? I know interchange is a huge ripoff and is in desperate need of renovation...if Africa can move money with a dumb-phone for a lower commission rate, then V/MC/AX need to die in a fire today...but WTF ? Meanwhile, I'm stuck with paying for insurance I can't use, with a system that is not easily electronically hackable (no stored numbers anywhere..period, and I use their portal to charge HTTPS).........

Re:

[pi_rules]

If you're charging the cards via a web app all they need is a keyboard logger to record them and some malware to ship off the stored data to them. Or just a USB dongle installed locally to record keyboard input and then they can pick it up later from the terminal.

Just because you're not intentionally storing the CC records electronically doesn't mean you're safe. Somebody else might be storing them for you.

what a bs.

[kiviQr]

A company that holds that much information should have top notch security. That includes penetration testing, penetration detection and multiple layers. Public layer should never have access to database that has that much information. There should be an internal webservice that returns filtered information information. This is 101 security!

Re:

[Anonymous Coward]

Exactly right. I'm afraid that the takeaway will be either "Equifax was negligent in applying security patches to its servers" or "They hired a music major as CSO; they need to hire someone with relevant experience." The fact is that their business model is not built around security as Job #1; board members, who the C-level executives answer to, don't care.

Re:

[bravecanadian]

Exactly right. I'm afraid that the takeaway will be either "Equifax was negligent in applying security patches to its servers" or "They hired a music major as CSO; they need to hire someone with relevant experience." The fact is that their business model is not built around security as Job #1; board members, who the C-level executives answer to, don't care.

Security isn't a business model. There is always a trade off and a risk assessment needed to determine what level of security is appropriate for a business. Obviously in this case I agree they *should* have top notch security, but unless organizations are forced to they will choose keeping their bonus $ over spending money for things that "might" happen every day.

Human beings are horrible at assessing risk. Especially managers who are up away from the fray and who don't understand tech in the first place.

Internal hires, huh?

[chispito]

One would think that after suffering one of the worst breaches ever in terms of the potential damage, a company would look for fresh perspectives, and not hire the new leaders from within.

Re:

[arth1]

One would think that after suffering one of the worst breaches ever in terms of the potential damage, a company would look for fresh perspectives, and not hire the new leaders from within.

Perhaps not too many outside leaders are interested in being hired as officers on a sinking ship?

Re:

[chispito]

One would think that after suffering one of the worst breaches ever in terms of the potential damage, a company would look for fresh perspectives, and not hire the new leaders from within.

Perhaps not too many outside leaders are interested in being hired as officers on a sinking ship?

No, the ones they should have hired are the ones that want to make names for themselves for righting a sinking a ship. Some executives really are looking for a distinguishing challenge, not just a cushy offer.

Overnight hires

[raymorris]

You make a good point. On the the other hand, they needed people immediately, who can fill those rules on day one. Had the retirements been planned, they would have spent a month of or more looking for the right candidate, who would then give two weeks notice at their old job, and maybe take a week to pack up and move. Then the new person would spend month getting to know the company and its various systems. So a good outside hire would take about 10 weeks from listing to the job to actually being product

Re:

[chispito]

So maybe these are interim hires?

Just curious...

[bagofbeans]

..but were David Webb and/or Susan Mauldin amongst those execs that sold shares before the breach was made public?

Re:

[phantomfive]

The three who sold their stock: [npr.org]

Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.

I'd believe that none of them thought about the data leak in terms of stock price, and that isn't why they sold, but on the other hand I don't really care if they get punished because of this, either.

Root cause - cat parasites

[sinij]

Clearly, the root cause here is cat parasites that impaired judgement of the board and execs to ignore basic security practices in a trust and consumer data line of business. It is like mice getting attracted to cat urine smell, only with your financial information.

Re:

[93 Escort Wagon]

Clearly, the root cause here is cat parasites that impaired judgement of the board and execs to ignore basic security practices in a trust and consumer data line of business. It is like mice getting attracted to cat urine smell, only with your financial information.

Then clearly companies should only hire heterosexual males. Otherwise, with women and gay men, you're looking at a lot of cat owners.

But, you may ask - how can we accomplish this without running afoul of anti-discrimination laws? Simple - in the "getting to know you" phase of the interview process, ask about their pets!

- Are they a dog owner? Congratulations, son, you got the job!
- Cat owner? Send them packing!

And yet, what will happen?

[Lucas123]

FTP: "Thus, MarketWatch reports, Equifax 'admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began.' And even then, Equifax didn't notice (and remove the affected web applications) until July 30."

I'll be interested to see how Equifax is punished for their lack of security in allowing the sensitive data -- not even given willingly to them -- of 143 million Americans to be stolen. Our laws in this country give slaps on the wrist to these financial services companies because they believe they're too big to fail and should be treated with kid gloves.

Even today, all mandatory data breach notification regulations are at the state level. Our do-nothing U.S. Congress has yet to require companies to report data breaches at a national level. It's simply mind blowing how we allow this to continue.

Open Source

[richman555]

Its interesting that an Open Source API Apache Struts (likely a few jar files in a web application) caused this issue. Good old reliable and free Apache Struts. This isn't a simple run patch.exe and all is good scenario by some admin. You'd have to update the jars to the fixed apache versions (hopefully these exist), retest everything in the app, and rerelease it to production.

He deserves to be "Retired"

[Steve Jackson]

Straight to CLUB FED! For a prolonged Stay...

No circling of the wagons for Equifax

[timholman]

I wondered if Equifax intended to circle the wagons, hold on to upper management, and then try to buy, bribe, or schmooze their way out of this mess via political channels. For a lesser P.R. disaster than this recent exploit, such a strategy might have worked.

But abruptly canning the CSO and CIO says three things to me:

(1) Equifax's internal auditing shows that this mess is considerably worse than what has been publicly revealed so far.

(2) The CEO has now shifted to "I have to save my own job" mode. The CSO and CIO have been thrown under the bus, and more will probably follow.

(3) Equifax is going to take it on the chin, financially speaking. Canning the CSO and CIO is a clear admission that Equifax was negligent. The lawsuits are going to increase exponentially from this point. But worse than that is the overwhelming demand by millions of consumers to freeze their credit reports. Equifax (along with Experian and Transunion) makes a lot of money selling credit information to banks so that they can offer credit cards to you. Credit freezes prevent that. Every new credit freeze is another hit on the annual bottom line. Equifax is bleeding from millions of tiny cuts, and it will only get worse.

Frankly, it couldn't happen to a more deserving bunch of guys.

Re:

[JeffOwl]

That's why they are retiring, not being explicitly fired.

what US laws apply?

[4wdloop]

Can somebody post what US laws pertain to storing, distributing and protecting of personal information in this case?

Appointed execs + general incompetence

[ErichTheRed]

At the executive level, you can assume that anyone holding that position has no actual expertise and sometimes no experience. Anyone with a CxO title is appointed to that position, and is usually well-connected on the boards of several companies. BUT -- good people in this position know they have to hire people who actually do understand the areas they're responsible for. If she wasn't capable of doing this, or was just hiring her friends for key positions, this is the result you get. I've been doing IT work in big companies for over 20 years now and have witnessed stuff like this over and over. It's a constant battle to do a good job when you have executives hiring incompetent people at the top, offshoring or outsourcing key IT functions for big kickbacks, etc. (I'm assuming that when we peel back the covers on this, the unpatched system will be a result of the IT department getting so disconnected that a simple system change takes 3 months and people on 2 different continents coordinating it.)

What I don't like about IT in general is that people can mess up badly, get fired or be allowed to "retire", then go to another company and mess things up there as well. I would love the idea of a professional organization that would ban incompetent people from working in the field after a fair finding of facts. This would really cut down on the number of slapped-together "solutions" that cause breaches like this in the long run. If my reputation were on the line, I wouldn't rush through a system design the way I'm sometimes forced to by schedules. As it is, IT people can do the equivalent of joining the French Foreign Legion and come out on the other end with a clean reputation. (For those unfamiliar, the FFL is France's overseas military force who basically accepts anyone who wants to escape their current situation and grants them a new identity in exchange for military service.)

Re:

[Zontar_Thing_From_Ve]

What I don't like about IT in general is that people can mess up badly, get fired or be allowed to "retire", then go to another company and mess things up there as well. I would love the idea of a professional organization that would ban incompetent people from working in the field after a fair finding of facts.

It may not be as bad as you think. I've personally known of a small number of women who got jobs in various levels of IT management they weren't qualified for and they always ended up having to answer for it. I do want to say that I have also had fantastic female managers in IT, but they were qualified for the jobs. One unqualified lady worked for the government and since they almost never fire anybody, they took away all her direct reports and made her an office of one until she retired. The other few

Re:

[david_thornley]

or was just hiring her friends for key positions

There is absolutely nothing new about this. "It's not what you know, but who you know" was a common saying over fifty years ago, and there were lots of stories about the boss's friend getting a good job.

Re:

[elrous0]

a black transgendered female lesbian one-legged vegan muslim trombone player.

Ha, like they could even afford someone so diverse. Someone with those qualifications could command a CEO salary and title in Silicon Valley.