Equifax blames hack on state actors, but breach followed spat with security contractor

Originally published at: https://boingboing.net/2017/10/01/30-web-shells.html



One thing we can attribute the breach to, though, is bungling. Equifax and Mandiant – its independent security contractor – got into “a squabble” just as the hackers were breaking into Equifax’s system.

Based on our recent observation of how Equifax does business I suspect the “squabble” involved them not paying Mandiant an agreed-upon rate (one far less than $90-million) and Mandiant going on a little strike that left the systems open to exploitation for a few months. I’m sure the last thing on either party’s mind was protecting the identities of the tens of millions of people who found themselves in the DB.

Much easier to blame China, although I am a bit surprised that the clowns in Equifax’s PR department didn’t try blaming Russia first.


If Equifax’s security was worth a damn they would have a skilled blue team that would know damn well exactly where the threats are coming from.

So to me this either points to incompetence or complete lack of security focus in general.


The fact remains that the claim that this is a state-sponsored attack on Equifax by China hasn’t been demonstrated. The Bloomberg article says as much:

The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the U.S. Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.

Others involved in the investigation aren’t so sure, saying the evidence is inconclusive at best or points in other directions. One person briefed on the probe being conducted by the Federal Bureau of Investigation and U.S. intelligence agencies said that there is evidence that a nation-state may have played a role, but that it doesn’t point to China. The person declined to name the country involved because the details are classified. Mandiant, the security consulting firm hired by Equifax to investigate the breach, said in a report distributed to Equifax clients on Sept. 19 that it didn’t have enough data to identify either the attackers or their country of origin.

I’ve highlighted the particularly relevant bit in regard to your own statement about the FBI in this case. Also, an IP address in China accounting for 41% of the attacks does not necessarily indicate Chinese state sponsorship; hackers sophisticated enough to get the backing of the Chinese state would more likely be insulted at the implication that they couldn’t cover their tracks better through more and proxied IP addresses.

I’m sure that hacking tools and hackers from China and several other countries were involved in this breach, but who’s actually sponsoring them or paying them – state actors, gangsters, both (they blur together in places like China and Russia) – is still unclear. What is clear is that Equifax is quite eager to distract from its own executive management’s gross negligence in this matter and that its PR department is working overtime to enable that.

This whole sorry on-going episode bolsters the case that the consumer credit rating companies, like the bond and securities rating agencies, should be subject to greater regulatory oversight and ultimately should be changed to operate as not-for-profits.

[also: Welcome to BoingBoing!]


I assume this was directed at me, and no matter who handles their security, it doesn’t make a damn bit of difference. The very fact they had an APT in their poorly secured systems for any sort of period that captured such a large volume of information and they can’t reliably trace its origin tells me there’s negligence or incompetence (and if it was on IBM to handle their security, shame on them, too).


Is that an actual, unironic, deployment of “nobody ever got fired for buying IBM”? Adorable.


Even if IBM is all it’s claimed to be and more, if the client doesn’t pay the bills (AKA “gets into a squabble” for a few months) IBM won’t be inclined to perform at peak capacity until the “squabble” is resolved. In any case, it seems like they hired Mandiant to oversee security amongst the various vendors.


There’s also the more fundamental problem when using the “but the cyber is just hard” argument: that, if so, doing what Equifax does is absurdly irresponsible.

If one argues that security breaches are inevitable, it’s hard to say nice things about people who make a business of collecting juicy dossiers that are going to get hacked, because breaches are inevitable.

You can’t really have it both ways: if one wants to argue that Equifax’s business is OK in principle, then there is no saving their implementation from a rather brutal assessment; while if one wants to defend their implementation as being about as good as can be reasonably expected, then it is hard to see how their line of work isn’t too risky to be permitted to exist.

This apparently makes me ‘little minded people’; but I tend to see the very high risk of eventual breach (along with the ongoing disclosure that doesn’t count as a breach because it’s to paying customers) as strong reason to condemn compiling the records in the first place as dangerously irresponsible.


There were so many basic failures in both process and procedure here that it just demonstrates a stunning level of incompetence - doubly so for a company entrusted with extremely sensitive personal and financial data. They should assume constant threat of attack from malicious actors.


Sounds to me that Equifax security was good enough. I mean, given the era where profits are more important to businesses than spending an extra dollar on adequate security.


This is one of the crucial dilemmas of the Information Age, and one that needs to be on the table not just for commercial applications, but also as to how much, or even if we want governments keeping vast haystacks of data against the possibility they might want to go on a needle hunt at some time in the future.


As did Equifax’s competition. Experian has been selling them off.

Yeah, not like they used admin/admin for a login/password or anything. Oh, wait…


Mandiant doesn’t have a great rep. among the security folks I know. One apparently got hired because she produced more and better results than Mandiant’s entire team that was billed out at a million dollars a year.

Fantastic position for her in the salary negotiations, I can assure you.

