I’m going to start this post with an apology: I am sorry for the rant that is to come. I don’t like posting rants on this blog; I usually do that on my personal blog. So why break protocol and post it here? Because this rant is directed at the data professional community and at the management of every company that holds some sort of personal data, whether it is PCI data, HIPAA data, or some other kind of personal data such as financial information.
Organizations that store personal data have an obligation to be good stewards of that data. Please do not misunderstand me; I’m not calling out the entire community of data professionals or their managers. I believe deep in my being that 99% of the folks working with data protect it like it is their child. Yeah, data professionals are weird like that. But apparently there are some who are not as vigilant as they should be. How do I know this? I give you the Equifax debacle (in case you weren’t aware, the personal data of 143 million people was stolen from Equifax).
Forgive me, because I am still struggling to wrap my mind around this… gross misconduct. How does one of the three largest credit agencies get hacked for essentially three months without anyone noticing? The better question is, why was it so easy? They can’t say they didn’t expect this. They can’t say they didn’t have anything worth stealing. Hell, they certainly can’t say they weren’t aware of the implications if this data was breached. Organizations like this are expected to be LEADERS in data security. But I don’t see it in this case. In fact, all I see is one failure after another. From Equifax’s PR page:
…Criminals exploited a U.S. website application vulnerability to gain access to certain files. – Equifax
This single statement leads me to the following assumptions:
- The hackers were foreign-based, possibly Russian or Chinese, but most likely an organized group like Anonymous (using them as an example of an organized group of hackers, not suggesting that they did it)
- The files were not encrypted
- The data was not masked
- Equifax was poorly monitoring access to this data
Which makes me wonder, why was this data sitting in a file in the first place? Why was none of it masked? And for the love of God, why was it NOT encrypted at rest? Now in fairness, I suppose the data could have been in a database and the PR folks are using the word “files” because it’s easier to convey. I don’t know that I believe that. It could also have been in a distributed file store like Hadoop’s HDFS. Where it was isn’t the point; the point is the lax security surrounding the data.
The technical questions are numerous, and it’s going to be interesting to learn how this happened, but the bigger concerns lie with the response to the breach and how Equifax “leadership” chose to handle it, or, as far as I’m concerned, didn’t handle it.
That’s not the worst part
In fairness, Equifax, as one of the three major credit agencies, has a target painted on its back. Every IT professional in their employ should KNOW hackers are gunning for them. If they didn’t think that, know that, or believe that, then those IT folks are complacent. Actually, worse yet, they are incompetent. The so-called leaders should certainly have known this. However, as IT people and data professionals, we understand there is a delicate balance between security and usability. We can completely secure the data; the problem is that the business won’t be able to use it, and neither will anyone else. But I digress, and that’s beside the point.
What’s worse than allowing a data breach to go on from mid-May to the end of July? Waiting until September to tell the people who are directly affected. Yeah, I get it, there was an ongoing investigation, and announcing the breach on July 30th or August 1st might have compromised that investigation. Investigation be damned: 143 MILLION identities were compromised, and Equifax, along with the authorities investigating the breach, allowed the hackers another month to exploit the data before telling anyone. Let that sink in for just a few moments. Equifax and the investigating agencies were COMPLACENT about notifying the public. One also has to wonder whether someone in the government was aware of this fiasco.
143,000,000 people’s lives will forever change because of this single lapse in security
From this point forward, until the day they pass from this world, they will have this hanging over their heads. They (the 143 million) will have to proactively monitor their identities to fend off attacks. The system is set up so that victims have to jump through hurdles to prove they are innocent. The cost and time involved in having your identity restored can wreak havoc on a victim’s life. The emotional and financial stress can be overwhelming. Negative credit can affect housing and jobs, and God help you if the thieves use your identity in a crime. Don’t believe me? Google it.
Oh, and stop for a minute and realize that at the same time this is being dropped in our laps, how many people in Houston and Florida are even aware of this news, given the hurricanes? Fantastic timing, Equifax. If only you had known sooner…
Equifax comes out and says they’ll give everyone one free year of credit monitoring. Seriously? Why on Earth would I trust you to protect me from the very mess you created? Honestly, what makes Equifax think I would trust them? Why would anyone trust them now? I didn’t want them to have my information in the first place, but hey, the world revolves around credit, right? Someone has to keep a dossier and monitor aspects of our lives to make sure we are worthy. Oh, and the agreement for this monitoring service reads like you have to give up your right to sue.
So first Equifax throws you under the bus, then they back it up over you a few times to make sure it really hurts.
But wait, there’s more
Equifax did such a lackluster job of communicating after the breach that shortly after the news hit mainstream outlets their website crashed. Customer service was overwhelmed, and some reports state customer service wasn’t aware of the breach at all. And because this isn’t crazy enough, they aren’t telling people whether they’ve been compromised until a later date. If you do get through, you have to enter six digits of your SSN and trust them with yet more personal data. Are you kidding me right now? They think they should be trusted with more personal data? Also, the website was set up on a separate domain from their main site, so it looks just like a phishing scam would. Oy vey…
Pausing for a deep breath… and to let my blood pressure come down a few notches…
Not only was Equifax compromised, and not only did Equifax take over a month to say anything, but people are now being told they have to wait to sign up for the free monitoring service, and Equifax’s own customer service staff weren’t briefed on the situation on the day of the announcement. Excuse me, but what did you think was going to happen when you made this announcement? Did they not think people would freak out? See what I mean by Greek tragedy? Not to suggest Equifax is anything like Zeus, but I think 143 million Prometheuses will be crying out for a long, long time.
And for the Grand Finale…
As if all of this wasn’t bad enough, the press reports that days after the hack was discovered, three executives, the CFO John Gamble, Rodolfo Ploder, and a third senior executive, sold shares of their Equifax holdings. But… and wait for it… because this reads like the dog ate my homework…
The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”
I apologize again, because I can’t hold it in any longer…..
Are you EFFIN kidding me?
The largest data breach in the history of the organization, over 143 million identities compromised, the reputation of one of the three largest credit agencies destroyed, and you’re trying to tell me the CFO and two other senior executives didn’t know. One word.
No way does this not make it up to the CEO’s desk within hours of the breach being discovered. No manager is keeping this from their boss. It doesn’t work that way, folks. Hell, I promise you the CIO knew within the first hour of the discovery. Maybe they didn’t know the full extent in those first few hours, but they knew they had been compromised. And as political as organizations are in the management ranks, the CIO is going to CYA and report the discovery up the chain. So, no way do I believe for a second these three execs didn’t know what was going on. By the next day, they had a really good idea how bad the situation was. Now maybe they (the executives) already had the sale in the works, but they had plenty of time to stop it to save face.
To sum up
Equifax was breached, and 143 million identities are now in the wild and fully compromised. Equifax took their sweet time disclosing the hack, they offered an ineffective response, and they have offered to monitor the damage from their mistake with a crappy service. Then it comes out that three execs sold off stock days after the hack was discovered, yet the company released a public statement that they didn’t know about it.
You’d better believe this will cause a reckoning. The New York State Attorney General is already looking into it. Congress will have to get involved. And for the 143 million affected, this is going to be a lifetime of headaches. I personally can’t see the credit industry not being completely overhauled, and I don’t see Equifax surviving as a company. In the coming weeks, this is only going to get worse. The lawsuits will destroy Equifax. I personally can’t wait to hear where the security flaws were. This is also going to serve as a wake-up call to people regarding just how important this data is (as if they didn’t know already). This will be a teaching moment on the scale of Enron.
And finally, to completely sum up the entire situation, I leave you with this clip of Clark Griswold, because we may as well have a good laugh… the audio is probably not safe for work, though.
Obviously in the video, Equifax is Shirley.