Former Equifax CEO Blames Breach On One Individual Who Failed To Deploy Patch (techcrunch.com)

Posted by BeauHD from the under-investigation dept.
Equifax's recently departed CEO is blaming the largest data breach in history on a single person who failed to deploy a patch. TechCrunch reports: Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred. Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team. However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice -- one person didn't do their job. "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

  • Ob (Score:3)

    by Hognoxious ( 631665 ) on Tuesday October 03, 2017 @06:43PM (#55304449) Homepage Journal

    He's Spartacus!

    • Human Error??? (Score:5, Insightful)

      by Moblaster ( 521614 ) on Tuesday October 03, 2017 @06:47PM (#55304477)
      Anyone who has worked with sensitive processes (esp computer security processes) knows that relying on one person for a mission-critical function is not a "human error" - it's a process failure. If this person's communication job was that essential, they should have had a team-based process in place with multiple individuals charged with making sure the process got executed, backed up by computerized records and nag alerts if not done. Seems like this "human error" would have happened if the person had gone on vacation, gotten fired, or went off their meds. That's not a human error. That's execs failing to make sure they build a resilient security process. Quarter billion in expenditure won't buy common sense, it seems.
      • EXACTLY!

        Never have a single point of failure in any system. And test the system for vulnerabilities.

        People can and do make mistakes.
• There's a thing called independent verification that might have helped. Guess it's that one guy's fault that they didn't practice that.

      • "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not,"

        What carefully parsed weasel words.

        So the patch had passed testing, but wasn't applied? The only alternative is that someone has to instruct them specifically to start testing every patch in their ecosystem.

        Shouldn't someone be seeing a report of all unapplied patches and how old they are? Yell at the testing group if they age too much?

      • Re: (Score:2)

        by msauve ( 701917 )
        "Anyone who has worked with sensitive processes (esp computer security processes) knows that relying on one person for a mission-critical function is not a "human error" - it's a process failure."

        Absolutely. Human redundancy is just as important as network/system redundancy. If the organization isn't set up to continue working even if someone gets hit by a bus, that's a management failure. It's not a single individual. Who was responsible for checking that the work was done as required?

  • Nice to have Cyber Security Team (Score:3)

    by avandesande ( 143899 ) on Tuesday October 03, 2017 @06:45PM (#55304461) Journal
    Sucks that you don't do configuration management.

  • I smell bullshit. (Score:5, Insightful)

    by Hylandr ( 813770 ) on Tuesday October 03, 2017 @06:46PM (#55304463)

If .25Bn has been invested then there's sure as hell no process that could have allowed a single critical patch to go unchecked as described. There's teams, or should be teams of people watching these things.

    I smell a really shitty cop-out excuse.

• You missed the best part, 3 years ago, they didn't even have a security department. At least according to his throw-the-wage-slave-under-the-bus testimony. He's distracting you with this tale of a rogue employee while dropping a bombshell you didn't even notice.

3 years ago the company responsible for approving credit for all Americans had NO information security department. According to the CEO's testimony they had zero budget and not a single employee dedicated to security of their IT networks. That's ground

      • Re: (Score:2)

        by Hylandr ( 813770 )

        I caught that part but was much more incensed by the lame attempt to parry liability.

      • 3 years ago the company responsible for approving credit for all Americans ...

        Technically, Equifax and the other credit bureaus don't approve credit to anyone, they simply provide a centralized source for credit information. Individual lenders make approval decisions based on this information - which is available to, and can be challenged by, the borrower.

  • To quote Thomas Jefferson, "The Tree of Bare Fucking Minimum Standards of Responsibility and Decorum must be refreshed from time to time with blood."

• Buggy whips are gone, but the need for horseshoe nails remains.

  • Ah yes, the blame game (Score:5, Insightful)

    by quonset ( 4839537 ) on Tuesday October 03, 2017 @06:48PM (#55304483)

    "It was his fault. That's why I sold my company stock when I found out about the breach rather than inform anyone except the other folks in the executive suite."

    • "i'm getting a killer golden parachute because i'm worth that much. Really guys, they wouldn't give me this much money to retire if I wasn't. Ergo, totes not my fault, and now it's not my problem either"

      • well, you see, CEOs are paid so much money for the singular and unique value they offer to a company faced with challenges only few have ever surmounted. it is necessary to pay a large salary because the rewards he can bring are so large that there is a lot of competition. and apparently even more money if he fucks it up, because hey he deserves it.

        that last part is sorta weird, but as long as you don't ever think it even remotely applies to you, you'll be fine, pleb.

  • Wow, that's scummy (Score:5, Insightful)

    by JohnFen ( 1641097 ) on Tuesday October 03, 2017 @06:48PM (#55304495)

    "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not,"

    What a scummy thing to say, and he doesn't even realize that the statement makes Equifax look even worse.

    With a couple of hundred people on the security team, the idea that it's a single person's responsibility to tell everyone to apply a patch is ludicrous. If it's true, then that's institutional incompetence.

    I've been working in computer security for years, and do you know what I and all of my coworkers do? We keep up on computer security developments, particularly newly discovered vulnerabilities. And we discuss them. And send emails about them.

    Even if the one team (not individual) who is responsible for ensuring that our own systems are patched for some reason fails to do that job, there is exactly zero chance that this would go unnoticed.

    If that's not how it works at Equifax, that's the fault of Equifax, not some single individual.

  • huh? (Score:3, Informative)

    by Fotis Georgatos ( 3006465 ) on Tuesday October 03, 2017 @06:50PM (#55304501)

    bollocks. Yes, that.

Any security organization which relies on a single individual's action or inaction to remain in good standing is simply a fairytale.
Every good process which involves a human in the loop should always ensure that at least one more is present to enforce check-and-balance objectives.
There is a good reason why all commercial flights have two pilots as a default.

Let me state this: when you see management pointing at one single downstream individual for such an event, there are at least TWO levels of management at fault.

  • Such BS (Score:4, Informative)

    by gordona ( 121157 ) on Tuesday October 03, 2017 @06:50PM (#55304505) Homepage
The buck stops with the CEO! If the CEO knew about a vulnerability that needed patching, he should have been expecting a report regarding the application of the patch. If he didn't get that he should have come down on the admin or system owner for not installing it. Unless of course that wasn't in the security policy, in which case it still falls on the back of the CEO. DUE CARE and DUE DILIGENCE! Nonexistent.
    • A CEO cannot personally manage every aspect of a large organization. It is the CIO's job to receive and review said report. Then to advise the CEO of any items that need his attention.
      • CIO or CTO, depending on how the organization is structured.

      • Doesn't matter. The Captain of the ship is responsible for the safe operation of the ship--even if he's sleeping in his bunk (Exxon Valdez & USS McCain.)

• It is the CIO's responsibility to see that systems are put in place to ensure that the responsibility does not rest on one person, and that the company's systems cannot fail without multiple extreme and uncontrollable events occurring. They create the organization that will see that things happen properly even if individuals drop the ball. The technical buck stops at the CIO.

The CEO is responsible for hiring a CIO who does their fucking job properly. Moreover, if .25B has been spent and one person can fai

  • $225 million isn't much (Score:3)

    by phalse phace ( 454635 ) on Tuesday October 03, 2017 @06:51PM (#55304517)

    The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.

    Spending $225 million over 3 years isn't really that much when you consider the type and amount of personal data Equifax has on us.

    JP Morgan Chase spent $500 million in 2016 alone [forbes.com], Bank of America spent $400 million on cyber security in 2016 although they have an unlimited cyber security budget [forbes.com], Citibank's cyber security budget topped $400 million and Wells Fargo spends roughly $250 million per year. [forbes.com]

  • Failure of way more than one person (Score:3)

    by Todd Knarr ( 15451 ) on Tuesday October 03, 2017 @06:51PM (#55304519) Homepage

    Failing to apply the patch would be the failure of that one person to order the patch applied, plus the failure of his superior to notice that an action item hadn't been handled, plus a failure of the security team to notice that a ticket hadn't been completed, plus the failure of the head of the security team to notice his subordinates had uncompleted tickets sitting there. All this stuff should be tracked, and where I work it is and we have daily status meetings where stuff like this gets asked about, and development team managers and product managers have weekly status meetings where lack of progress on tickets and what needs done about it is a standard agenda item.

    Accountability means managers and executives are just as accountable for work getting done or not getting done as low-level employees are expected to be.

• The guy that failed was the one responsible for creating the ticket, from what I understand.

    • Re: (Score:3)

      by dgatwood ( 11270 )

      Failing to apply the patch would be the failure of that one person to order the patch applied, plus the failure of his superior to notice that an action item hadn't been handled, plus a failure of the security team to notice that a ticket hadn't been completed, plus the failure of the head of the security team to notice his subordinates had uncompleted tickets sitting there. All this stuff should be tracked, and where I work it is and we have daily status meetings where stuff like this gets asked about, and

  • Struts is an application framework, which means it is an application dependency. That means that every Struts-using application within Equifax would have needed to be upgraded, to be tested at least on the new version. That is the job of more than one person!

It is possible that Equifax's application servers (Tomcat, JBoss, etc.) were configured with Struts being provided at the container level, but even that would be a full upgrade of multiple application servers within the company - a platforms team respons
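The report of unapplied patches and their age asked for earlier in the thread, together with the point just made that a Struts fix has to reach every application (or shared container library directory) that ships it, as an added example that is not code from the thread, from Equifax or from the Struts project: a Python script that walks a constructed inventory of deployments, finds the struts2-core jar each one carries, compares it against an assumed per-release-line "fixed" version table, and reports every deployment still below it with the days elapsed since the March 8 advisory. The inventory, the threshold versions and the report date are all constructed for this example.

```python
from datetime import date
import re

# Constructed threshold table: minimum struts2-core version treated as patched,
# per release line. Values are assumed for this example, not taken from the article.
FIXED_VERSIONS = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}

# Date the thread says CERT announced the vulnerability.
ADVISORY_DATE = date(2017, 3, 8)

# Constructed sample inventory: deployment name -> jar files it ships.
# A container's shared lib directory is a deployment target too (see the comment above).
SAMPLE_INVENTORY = {
    "customer-portal": ["struts2-core-2.3.31.jar", "commons-io-2.5.jar"],
    "dispute-intake": ["struts2-core-2.5.10.1.jar"],
    "legacy-reporting": ["struts2-core-2.3.20.jar", "xwork-core-2.3.20.jar"],
    "jboss-shared-lib": ["struts2-core-2.3.28.jar"],
    "billing-api": ["spring-web-4.3.7.jar"],
}

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def struts_version(jars):
    """Return the struts2-core version tuple shipped by a deployment, or None."""
    for jar in jars:
        m = JAR_RE.match(jar)
        if m:
            return parse_version(m.group(1))
    return None

def is_patched(version):
    fixed = FIXED_VERSIONS.get(f"{version[0]}.{version[1]}")
    # Unknown release line: report it as unpatched so it gets reviewed, not ignored.
    return fixed is not None and version >= fixed

def unpatched_report(inventory, today):
    """Rows of (deployment, version string, days since advisory) still exposed."""
    rows = []
    for name, jars in sorted(inventory.items()):
        v = struts_version(jars)
        if v is not None and not is_patched(v):
            rows.append((name, ".".join(map(str, v)), (today - ADVISORY_DATE).days))
    return rows

if __name__ == "__main__":
    for name, ver, age in unpatched_report(SAMPLE_INVENTORY, date(2017, 5, 13)):
        print(f"{name:20} struts2-core {ver:10} unpatched for {age} days")
```

In practice the inventory would be filled from a scan of the deployed WEB-INF/lib and container lib directories, and the report run on a schedule so that the age column keeps climbing in front of someone until the rows disappear.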

  • Forgot to turn on auto-update for the Flash player? PLAY AND YOU PAY!

  • who was too busy posting on /.

  • Sign on the desk of CxO's everywhere

    (contrast this with the US Navy, where the captain of the Fitzgerald was relieved, even though he was not on deck when the collision occurred and in fact was almost killed by the accident. Subsequently, the Navy relieved several higher ranking officers, including Flag officers, for supervisory failures.)

  • So what you're saying is (Score:4, Insightful)

    by rsilvergun ( 571051 ) on Tuesday October 03, 2017 @07:02PM (#55304585)
Your entire operation is one underpaid and overworked sysadmin away from disaster? Did I get that right?

  • Somebody in Management decided to hire a totally incompetent and unqualified CSO. Nice omission there Mr. BS CEO.

• Reminds me of the time 'a couple of rogue engineers' [google.com] for the whole VW emissions fiasco. I think handsome bonuses are in the works due to management for uncovering this subterfuge.

  • The Ex-CEO, talking about the guys who cashed in their stock, said (from TFA):

I've known these individuals for up to 12 years. They're men of integrity.

First, his comments about the "one individual" demonstrate that he himself isn't a man of integrity, so his vouching for them means nothing.

    Second, "men of integrity"? Hahahahahahaha!

• When I was in grad school one of my professors talked about this. Many weak leaders, when faced by a crisis, will respond with a form of "A small man must die," instead of taking responsibility for the weakness in leadership and design that allowed the crisis to evolve in the first place.

  • Expecting the CEO to know _anything_ about what goes on in the IT department is expecting too much. Executives have no clue what's going on outside of the boardroom, and the only time they ever get any sort of information is from management consultants or the odd 'red alert' that bubbles up to the CFO/CIO/COO/CSO. There is absolutely zero chance that the CEO of Equifax has any idea what patch level of Apache Struts is running on their Internet-facing services.

    I wonder if he just went to the CIO and said, "g

