Disgraced Equifax CEO blames 145.5 million-record breach on a single forgetful flunky


#1

Originally published at: https://boingboing.net/2017/10/04/scapegoat-located.html


#2

If there was any doubt that he belonged in the C suite of a company in late-stage capitalist America, this buck-passing would be enough to dispel it.


#3

Forgive my f-bombs but this is fucking fantastic!

IT CEO blames IT sys admin staff for critical failure of organisation he is meant to be managing. I guess he was too busy overseeing the staff canteen.

It's always the fault of the peeps making 20 bucks an hour. Never the guy making 2 mn a week.


#4

forgetful flunky

Good name for a band.


#5

We do it in the airline industry. Sure, it doesn’t make it illegal to be stupid, but it does make it very expensive. Provide the right motivation and even dumb, sub-sentient beings like corporations will respond by becoming smarter.


#6

Well, to be fair…if said associate’s job was to implement a code fix and they did not do it…it is his/her fault that it wasn’t done.

But it is not their fault alone.

FYI to @Nobby_Stiles … I sincerely doubt this person was making $20 an hour. More likely $40-50. Snark aside, it wasn’t some uneducated layman. More than likely someone decently educated with a fair amount of experience and reasonably compensated.


#7

Here’s how you stop breaches: percentage of customers breached is the percentage of money the executives and senior management lose from their total compensation, and anything over 10% breach means no bonuses or golden parachutes for the next 5 years.


#8

Hah, called it! When the IT execs resigned, I knew the blame would fall on them, it’s so f’ing typical. “You leave, we’ll give you a good payoff, and you don’t say anything when we blame you.” Meanwhile, the corporate execs who refused to hire competent IT managers and dish out for the resources and people they needed to make sure their networks were secure will keep on going on.

Did IT not apply all their patches when required? Sure, no question. How does that happen, though? Mismanagement, failure to spend on IT infrastructure and people, and willful negligence at the TOP of the company. Equifax isn’t the first to choose this route, and won’t be the last, because we value profits over all other motives now. Nothing will be done to ensure this doesn’t happen again, either, not while our Ayn Rand worshiping GOP overlords are in charge.


#9

A massive data warehouse of some of the most sensitive data relying on a single individual to oversee software security?

This is an organizational design failure - there should be double or triple redundancies at each level.

The spineless management deserves criminal liability.


#10

Yea.

For a period of time I was the Director of Security for a large university. His misunderstanding of IT and security processes isn’t even laughable…


#11

Imagine that Delta said “Sorry, we have to cancel all flights today because the guy with the password for the flight operations center didn’t show up to work today.” Your response wouldn’t be “oh, it’s a mistake made by one guy”, you’d say “how did they build a system that relies on one guy!”.

Did that guy make a mistake? Probably, but if you built a business where you could harm millions of people, not to mention destroy your business, because of one man’s oversight, the real issue is the system you built.


#12

I’ll take his statement at face value. Maybe that one person didn’t do their job. But, thing is, the CEO presided over a company and corporate structure that allowed the dereliction of a single employee to result in the release of private information on 145.5 million people. According to this yahoo, there was no check, there was no quality control, there was no verification that the job was or was not done. Now, who do you suppose is ultimately responsible for that kind of corporate structure? The IT guy?


#13

How about Richard and Equifax foot the bill for any losses we all incurred from our data stolen from their careless keeping.


#14

Thanks for engaging. So for what little my thinking is worth, I would have considered the CEO’s core job was making sure that his organisation was not critically dependent on one guy not making a “boo-boo”. It might even be nice if 2 or three people all had to fuck up before 143mn sensitive files are no longer secure. Designing that process is not necessarily the CEO’s job. But making sure that someone is hired who does design that process really is the CEO’s job. And making sure that the process is implemented and functions correctly is the CEO’s job.

Responsibility needs to reside in the one place where the authority to prevent this kind of idiocy is placed.

So yeah, I do blame the CEO for the disintegration of the value of the business he was meant to be safeguarding. It’s not really a “whocudanode?” type situation.

Glad to hear the guy who didn’t put the patch in place is probably on 40-50 bucks an hour. Looks like they could have used a couple more just to make sure that someone reviewed the first guy’s work.


#15

Oh do not misunderstand me. I agree the CEO is culpable too…as is the CIO, and some other SVP, VP, and a Director or two. And yes, the person he is “blaming” was the guard on duty at the time…they are most likely part of a team of developers or analysts and they drew the short straw.

Issues like this are never left to a single point of failure…usually. And there is plenty of blame to go around.


#16

Absolutely. And forgive me for repeating the points made by Anotherone


#17

This. Fundamentally, this problem happened because Equifax’s job (as they and their customers see it) is to collect and distribute data. Not to protect it from unauthorized distribution. Unless the penalties for doing that are a threat to the continued existence of Equifax, they won’t take it seriously.

Unfortunately this is a lot easier in the airline industry, which is heavily competitive. If you fine an airline enough to raise its costs enough that they pass through to ticket prices, they are going to lose a lot of business. With credit agencies, it isn’t clear how large the fines would need to be. Punishing the CEO / CIO / etc. certainly feels good and might help a bit, but won’t get at the real problem. There are always going to be enough ambitious and scrupulous people out there gunning to be CEO who believe that they won’t be the ones to get caught to ensure a never ending stream of this sort of fuck up, until it threatens the continued existence of the company.


#18

If these companies perceived data breaches as existential threats rather than minor inconveniences, they would pay more attention to them. What would be great is if the people who stole the Equifax data didn’t use it for criminal purposes, but used it to set up a competing company:

Securifax: we’re just like Equifax, but we understand security.


#19

He just demonstrated one of the universal laws of business. “Shiat rolls downhill”


#20

Yeah, um. Fuck. That. Noise.

Blaming an individual IT flunky for not patching a system? Really? That’s bullshit. There was so much more that went wrong here beyond a simple “failure to patch”.

  • No internal penetration testing trying to exploit common or known vulnerabilities (and this was a known vulnerability with a CVE and everything)
  • Nobody realizing for a significant period of time that there was an APT in their system stealing data
  • Lack of proper network segmentation
  • Lack of audit trail to identify APT (and if you’re familiar with the security world, you’ll know that APTs have characteristics and commonalities you can use to identify them)
  • Lack of proper permissions segmentation
  • Data not being encrypted or otherwise protected at rest
  • Lack of proper password hygiene

… and that’s just the few things I can think of off the top of my head.

The CEO blaming an individual is pure cowardice. It’s like a four star general blaming a single infantryman for losing a war. No. This is not the action of a lone individual. I can’t think of this as anything less than a culture of incompetence and negligence across IT, security, and operations. Individuals may have made mistakes, but to me this indicates far larger fuck ups much higher up.

If your shit is so weak and insecure that “some dude forgot to apply a patch” could lead to what happened, that’s not something you can blame on a single person.
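Several posts above (#12, #14, #20) make the same engineering point: a patch process that depends on one person remembering to apply a fix, with no independent check that it actually landed, is a design failure. The script below is an added example, not code from the thread or from Equifax, of what such a second check looks like: an automated compliance pass that compares a reported component inventory against the minimum versions the organisation requires, and that treats a host which never reported as non-compliant rather than assuming it is fine. All host names, component names, versions and the inventory format are constructed sample data.

```python
"""Independent patch-compliance check (added example, constructed data).

The idea: never take "the fix was applied" on trust. Pull what is actually
deployed, compare it against the required minimum versions, and surface
every gap, including hosts that produced no evidence at all.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    deployed: str   # "missing" when the host reported nothing
    required: str


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '4.10.2' into (4, 10, 2) so versions compare numerically,
    not as strings (where '4.9' would wrongly sort above '4.10')."""
    return tuple(int(part) for part in v.split("."))


def parse_inventory(text: str) -> dict[str, dict[str, str]]:
    """Parse 'host component version' lines (a constructed format for this
    example) into {host: {component: version}}. Blank lines and '#'
    comments are ignored."""
    inventory: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, component, version = line.split()
        inventory.setdefault(host, {})[component] = version
    return inventory


def find_unpatched(inventory: dict[str, dict[str, str]],
                   required: dict[str, str],
                   expected_hosts: list[str]) -> list[Finding]:
    """Return one Finding per (host, component) that is below the required
    version. Hosts that are expected but absent from the inventory are
    reported too: absence of evidence is not evidence that the patch went in."""
    findings: list[Finding] = []
    for host in sorted(expected_hosts):
        components = inventory.get(host)
        if components is None:
            for component, minimum in required.items():
                findings.append(Finding(host, component, "missing", minimum))
            continue
        for component, minimum in required.items():
            deployed = components.get(component)
            if deployed is None:
                continue  # component not installed on this host; nothing to patch
            if parse_version(deployed) < parse_version(minimum):
                findings.append(Finding(host, component, deployed, minimum))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines, one per gap, for the ticket or dashboard."""
    return [f"{f.host}: {f.component} {f.deployed} < required {f.required}"
            for f in findings]


# Constructed sample data: hypothetical component names and versions.
REQUIRED_VERSIONS = {"webframework": "4.2.0", "appserver": "9.0.1"}
EXPECTED_HOSTS = ["web-01", "web-02", "web-03", "app-01"]
INVENTORY_TEXT = """
# host    component     version
web-01    webframework  4.1.9
web-01    appserver     9.0.1
web-02    webframework  4.2.0
app-01    appserver     8.5.0
"""


def run_check() -> list[Finding]:
    """Run the whole pass over the constructed inventory above."""
    return find_unpatched(parse_inventory(INVENTORY_TEXT),
                          REQUIRED_VERSIONS, EXPECTED_HOSTS)


if __name__ == "__main__":
    for line in report(run_check()):
        print(line)
```

The check deliberately lives outside the hands of whoever applies the patches: it reads the inventory the hosts themselves report and produces findings that someone else has to close, which is the "second person reviews the first guy's work" redundancy the thread keeps asking for. Note that web-02 is compliant even though it lacks an appserver entry, while web-03 is flagged on every required component because it never reported at all.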