As deposed Equifax CEO Richard Smith made the rounds at Capitol Hill this week for rehearsed, ritual, rhetorical floggings before several congressional committees, it sounded like the world of data security really might be about to change.
There were calls for major reform – for sanctions to include major financial penalties. Congressman Joe Barton (R-TX) suggested that a credit bureau giant like Equifax – even one worth $13b, “might pay a little more attention if you had to pay everybody whose account got hacked a couple thousand bucks or something.”
Especially if “everybody whose account got hacked” is 145.5 million people.
Populist firebrand Sen. Elizabeth Warren (D-Mass.) called for consumers, not credit bureaus, to have control of who sees their data, adding that in cases like this, “senior executives like you should be held personally accountable.”
There was outright mockery. “I don’t think we can pass a law that fixes stupid,” US Rep. Greg Walden (R-Ore.) told Smith.
It sounded like the wake-up call to end all wake-up calls. But don’t hold your breath. The outrage may be real, but in Congress, the heat of the moment tends to last about as long as conversations about a Saturday Night Live skit.
Chances are that a year from now, the world of data security will perhaps have been tweaked, but not fundamentally changed. Congress will be holding hearings on some other outrage. And 145.5 million people will definitely not have each received a $2,000 check from Equifax.
Even though you’d think this kind of event would be an obvious incentive for significant reform. As more than half the country knows directly, this was vastly more damaging than the compromise of credit cards. This was information that you can’t change. As one sardonic tweet put it after Equifax finally got around to making it public in early September 2017, everybody should change their name, date of birth, address, gender and Social Security number.
This failure – not just the breach but the response as well – by one of the “big-three” credit bureaus, was so catastrophic that it left commentators searching for printable expletives to describe it. “Ham-handed,” “unacceptable,” even “shocking” didn’t go nearly far enough. Star security blogger Brian Krebs called it a “dumpster fire.”
The list of outrages, reported by multiple media outlets, goes on and on. Among them:
- Equifax knew in early March about the software flaw in the dispute portal of the Apache Struts platform that allowed the breach. US-CERT and Apache notified Equifax about it. At the time, Naked Security’s Paul Ducklin wrote a tutorial on it. Smith told Congress that an “internal email” requested the fix, but it wasn’t done – in effect leaving the door unlocked. This in a company with 225 people in its security department.
- It took the company another four and a half months, until 29 July 2017, to discover that it had been hacked sometime in May 2017. According to Smith, it took weeks longer to realize that the personal information of consumers had been compromised. While he quickly hired cybersecurity experts from the law firm King & Spalding to look into it, he admitted he didn’t even ask if personally identifiable information (PII) may have been compromised.
- It didn’t publicly disclose the breach until 7 September 2017 – 40 days after it learned of it. During that time – the first and second week of August 2017 – Smith gave two public speeches in which he said, among other things that “the days are bright for Equifax,” that fraud is, “a huge opportunity for Equifax,” and that it was a “massive, growing business.” He told the committee he hadn’t known at the time how much or what data were compromised. Which could be because he didn’t ask for a briefing until 15 August 2017.
- Smith finally said what should be said up front, all the time, by all the credit bureaus: The company’s customers are not the consumers whose information it holds. Its customers are banks and other businesses that want our credit info. Consumers are the product.
- The data compromised was not encrypted. Equifax wasn’t encrypting data “at rest,” Smith said.
- Equifax (and the other credit bureaus) are pushing credit “locks” rather than freezes, saying the freezes are more cumbersome and costly, while the locks are simpler and free. But Consumers Union notes that the freezes are guaranteed by law, while the lock is just an agreement between the consumer and the company. Besides that, the freeze prevents Equifax from selling your credit file to banks and others, including ID thieves.
- Regarding senior executives who sold about $2m in stock during the first week after the company knew of the breach but a month before they announced it publicly, Smith said they didn’t know about the breach. He called them “honorable men of integrity,” apparently forgetting to add, “cosmically prescient.” Members of Congress said it “smelled really bad,” but there was no talk of subpoenas for those execs to put them under oath.
- As a final (maybe) note, Equifax announced on Monday that the number impacted by the breach was actually 2.5 million more than the 143 million they had earlier announced.
- And to pile on one more absurdity, at the end of September 2017, the IRS awarded Equifax a $7.25 million no-bid contract to provide identity-proofing and anti-fraud services. This after massive tax refund fraud in 2015 and 2016, thanks to weak security questions provided to the IRS by Equifax. Sen. John Neely Kennedy (R-La.) quipped that, “You realize to many Americans right now that it looks like we’re giving Lindsay Lohan the keys to the mini bar.”
Is all that enough to generate real, substantive change? History suggests it won’t be.
There should have been more than enough incentive for reform and accountability after the 2014-15 breach of the federal Office of Personnel Management (OPM), in which 22 million current and former federal employees had their PII vacuumed up.
A report released a year ago, titled, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation,” declared that the breach was made possible, “in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems.”
The government’s response? Federal employees got a letter from OPM offering free credit monitoring for a year and identity fraud insurance as “a courtesy,” but added that, “Nothing in this letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this letter or for any other purpose.”
Personal accountability of top executives? Then OPM CIO Donna K. Seymour retired in February 2016, two days before she was scheduled to appear before Congress to talk about the breach.
The head of OPM during the intrusion, Katherine Archuleta, did resign under pressure from Congress in July 2015.
But both women rode off with no financial harm – their pensions and benefits intact. It likely won’t be all that different for Equifax.
Mahhn
Since Equifax has shown the same competency as the US government (my government). They should give them more responsibility in government, like maybe letting them manage PII for the IRS. Yeah, you know what, they’ve been so much like government there’s no need to need to even consider another company. No bid contract to expose, er protect all US tax payers PII awarded.
Spryte
A sad commentary on the technology we all use on a daily basis but how true.
brianc6234
To fix problems like this the US government needs to make the fines so big it’s no longer a good idea to send IT jobs to India. Force them to have their IT people in the country they’re in. These companies care about nothing but profit so they send IT jobs to India so they can pay $10 per hour. They should bring those jobs back and send the executive jobs to India. You don’t have to know anything to run a huge company obviously.
Nobody_Holme
What, exactly, did this breach have to do with outsourced IT? Equifax have in house infosec people who choked it (one has to assume based on someone’s cost/risk analysis being wrong), but that’s not an excuse to complain about globalisation.
The US companies losing EU citizens’ data, meanwhile, was the perfect opportunity for your prejudice to come out and look justified.
Mary
Huge fines should be imposed, the IRS should rescind the Equifax contract, new regulations affording consumer protection should be enacted and we should all be given new social security numbers by the US government.
anon
Among the new regulations we should be given:
– In case of breach, written notice postmarked within 15 business days
– $1M insurance policies carried by the consortium of credit bureaus to cover the duration each breached consumers lifetime for the purpose of executing financial and identity theft recovery
– Opt-in and data removal rights for each consumer
– Mandatory use of encryption for any consumer data collected, stored, and disseminated
This is all doable and pretty simple stuff. It’s time for Congress to act or be replaced by reps who do. We can not afford inaction, gridlock, apathy, and ignorance.
anon
I educated myself on the Equifax breach through extensive online research, wrote to my Senator requesting action, wrote to thank Senator’s Elizabeth Warren and Heidi Heitman for their statements during last weeks hearings, filed a complaint via the CFPB against Experian, Transunion, and Equifax requesting government action, and placed a security freeze on my credit report data via Experian, Transunion, Equifax, and Innovis.
What did you do?
Sharon
Do you think the new GDPR legislation governing European data which comes in next year will make a difference? Penalties for infringement are stated as a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
Mark Stockley
I do, but only as one part of a very long, slow cultural shift towards computer security being part of the basic hygiene of running a company.
Fines have a punitive nature but they’re also signals that regulators and governments take this seriously, and beacons to consumers that something really bad has gone on. Regulators, companies and consumers need to align around high expectations of computer security.
Would the threat of fines have made a difference to Equifax? I suspect not. I suspect (but it is just a guess) that if you asked Equifax execs if they were serious about security before the breach they’d probably have said they were and meant it – in fact I think they said as much in speeches. They clearly didn’t “walk the walk” though and my guess is that they didn’t know how. I think this is often the case in companies that aren’t natively digital but have needed to become digital.
The companies that have always relied entirely on a consumer-facing online presence, companies like Facebook, Google, Twitter and Amazon, do “walk the walk” and tend to get security right (I’m not talking about privacy here, just security). Breaches are conspicuous by their absence across those companies and they bristle with the outward signs of taking security seriously. You can tell they understand how important it is to their existence. Eventually the companies don’t behave like that will fall by the wayside.
As every business becomes an online business they’ll face a choice between “walking the walk” like Google or “talking the talk” like Yahoo.