Equifax – The Gift That Keeps On Giving

Update: Sep 15, 2017 – Equifax’s Chief Information Officer (CIO) and Chief Security Officer (CSO) “retired” (AKA were fired) today, effective immediately, according to USA Today.  Hopefully, the Board will ask the CEO to “retire” soon as well.

CIO Susan Mauldin and CSO David Webb are taking the heat for not installing one patch, out of the thousands that they likely install every month, that allowed the hackers to .  Webb received $2.6 million in compensation last year.

The company has appointed an interim CIO and interim CSO at the same time.  Given the dozens of investigations and dozens of lawsuits, the company is going to need to have as many resources available to testify as possible.

One complication firing them presents is that the company no longer has any where near the control over what they might say in court or to investigators.  In fact, to cover their own behinds, they might throw the CEO under the bus saying that they told the CEO that they didn’t have enough staff or money to do the job right and were not given more resources.  It is possible that their retirement package might have conditions on it, but if it says that they must lie to Congress, that probably would not be enforceable.

It’s gonna be interesting before it is all over.

Last week the news was about the 143 million people who’s data was compromised.

This week it is how Equifax is handling the breach.

First it was terms of service that seemed to require consumers to enter data for credit monitoring on a domain that wasn’t even owned by Equifax and give up their right to sue Equifax in exchange for a few bucks worth of free credit monitoring.  They changed their mind after the New York Attorney General said that he would go after them if they tried that.

Then it was the fact that the site that users were flocking to in the aftermath of the breach was vulnerable to a cross site scripting vulnerability that would allow hackers to extract all of the data the the consumers were providing.

Next it came out that Equifax Argentina’s employee web site that was used by Equifax employees to manage credit complaints had an admin account with a userid of admin and a password of admin.  That site has subsequently been taken offline after that bit of news was made public.

Then, of course, there are the 50 or lawsuits that have been filed against them.  So far.  Including one multi-BILLION dollar suit.

Next Senators Wyden and Hatch are asking a lot of embarrassing questions of Equifax like do you have a Chief Information Security Officer (apparently not) and exactly how many full time security professionals do you have on staff.  The Senators seem to understand the potential long term impact on healthcare fraud, tax return fraud and entitlement fraud, all of which the Federal government – and by association you – will get to foot the bill for.

Then it was reported that Equifax spent at least $500,000 in the months leading up to announcing the breach, lobbying Congress to change the regulations so that they wouldn’t have to notify consumers in case of a breach and limiting the legal liability of credit reporting companies.

Of course there was that slight “optics” problem of Equifax execs selling over a million dollars worth of stock between the date the breach was discovered and the date the breach was announced.

And finally, White House Spokesperson Sarah Huckabee Sanders said that the President, who was elected on a platform of removing regulations, would be looking extensively into whether additional regulation is needed to protect user data.  Of course, no one knows if Congress will actually do anything, but still that is a BIGLY about face for the prez.

All in all, not a great week for Equifax.

Information for this post came from ZDNet, CNet, USAToday, Vanity Fair and CNN.

by