Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Businesses Security The Almighty Buck

Equifax CEO: All Companies Get Breached ( 176

An anonymous reader quotes Fortune:There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. "There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it," he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it...

Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.

"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
This discussion has been archived. No new comments can be posted.

Equifax CEO: All Companies Get Breached

Comments Filter:
  • Incorrect (Score:5, Insightful)

    by jwhyche ( 6192 ) on Sunday October 01, 2017 @12:32PM (#55287805) Homepage

    My cousin runs a company and they build houses. He keeps all his business on ledgers and note books. Not a efficient way to run a business but it is his way. He has never been hacked.

    • Re: Incorrect (Score:2, Interesting)

      by Anonymous Coward

      You mean burglarized.

    • If one has time for this, there is nothing wrong with paper and pencil. There are always balances when it comes to security. For a SOHO business, barring a targeted attack specifically at that business by a well-heeled organization, having a PC with a dedicated virtual machine [1] just for the accounting software, a NAS with at least RAID 1 for fast local backups for bare metal restores, and an offsite backup using Arq for documents. Arq provides AES encryption, and works with S3 and other providers. Fo

      • IYou can always let the user's PW unlock the disk as well, but having them separate ensures that a reboot forces a would-be intruder to have to deal with a very long, infrequently typed in PW.

        That is almost certainly on a sticky note on the monitor.

    • Re:Incorrect (Score:4, Interesting)

      by jellomizer ( 103300 ) on Sunday October 01, 2017 @02:07PM (#55288237)

      How much information was lost due to book keeping errors?
      Was information lost by accident, or damaged due to the weather?
      Could some one walk in and take the info without him knowing?

      The only difference between digital data and paper, is just you can be targeted from anywhere in the world.

      He would be safer if he did it on the computer, Not connected to the Internet. And took differential backups after close of business. And took those backups and locked them up.

      That you you get the advantages of electric book keeping, but massive security. This doesn't work for bigger companies, but it can for a small one.

    • by mysidia ( 191772 )

      Not a efficient way to run a business but it is his way. He has never been hacked.

      Such businesses can still be "hacked" without knowing it immediately. Burglar sneaks in and steals one of the notebooks or takes a picture of some pages; someone else bribes one of your employees to covertly tamper with some numbers or entries in your ledger or tamper with a check, transfer, deposit form, or other bank document, Etc, Etc; even a CEO Scam doesn't necessarily require the targeted business have computers --

    • by antdude ( 79039 )

      Does he have backups? What happens if thieves steal them? That's hacking physically. ;)

      • by jwhyche ( 6192 )

        Backups? Yes he does. His ledgers make 3 copies. One goes in the filing cabinet, one to the customer, and one in a fireproof safe.

        It's a archaic system but it does prove that Mr CEO is flat wrong. Not every company is going to eventually be hacked. He is just in ass covering mood now.

    • Physical security doesn't always help. I did some consulting for a company a while ago that kept its customer database on a USB stick and only plugged it into a (non-networked) machine whenever it was actually useful. Pretty good security, right up until one of their directors decided he wanted to set up a competing company and walked off with the USB drive. It took about a year of lawsuits to get it back and cost a lot of reputation. The only plus side was that no one wanted to do business with the new

  • He's not wrong... (Score:5, Informative)

    by shellster_dude ( 1261444 ) on Sunday October 01, 2017 @12:34PM (#55287819)
    There are many things to criticize about Equifax, and their handling of this breach. This is not one of them. People in the security industry (such as myself), talk about "breach mentality" vs "castle mentality". Castle mentality is the old style of thinking where companies think that if they just build a strong enough wall, they will never be breached and they can leave their internal network a mess. Breach mentality is to assume you are already breached or will be breached at sometime in the future. This is the sensible approach to security, and the most realistic/practical approach. The goal is to secure everything as best you can to help withstand and catch a hack. It remains to be seen if Equifax actually took reasonable steps to secure their network from breach, or not. I am betting they did not, given their crappy response times and apparent total compromise.
    • by MeNeXT ( 200840 )

      Not sure if you read the article but that is not what he is saying. He is saying that regardless of what you do you are breached. whether you know it or not. Which tells me that he is an idiot.

      • Idiot? No. Plausible deniability? Yes.

        Although the list of CVEs is seemingly endless, there are all kinds of moats to use that ensure core assets are protected. The problem in the US is that insufficient moats are employed because they cost real money, both capex and opex, not to mention reasonably smart people. They don't want to spend the money to keep the moats trapping crack attempts.

        Their data assets were huge, and made them lots of $$$. But they didn't value them sufficiently because, hey, they can't

    • The published Equifax reporting indicates they very much had a castle mentality, and an outward facing gate guarded by "admin/admin". So, you know, not realistic or practical; instead what I would consider negligence on the part of someone setting up home wifi.

    • by epine ( 68316 ) on Sunday October 01, 2017 @01:07PM (#55287971)

      There are many things to criticize about Equifax, and their handling of this breach. This is not one of them.

      No, he's so wrong.

      What he's trying to do here is add "loss of privacy" to the once-exclusive fraternity of "death and taxes".

      In medicine, if you come up with a dumb, risky implant don't do it in America. You will get sued. Leaky boob bags are not a good long-term business model.

      But this guy thinks that the credit rating industry doesn't need to think long and hard about their business model, because "all implants fail".

      Here's another point of view: if you know up front that you can't secure the information, perhaps your business model should not depend upon amassing all this information in the first place, get out of the way, and allow the vaunted creativity of American free enterprise find a different solution to the credit-worthiness problem.

      Because your solution sucks in a way that can't ever be fixed, by your own admission.

    • Re: (Score:2, Informative)

      by elrous0 ( 869638 )

      How about we start with a basic:

      Step 1) Don't hire a music major [] with absolutely no technology training or education as your Chief Security Officer.

    • by Junta ( 36770 )

      While I agree it is foolhardy to presume protection from the outside world is perfect, it also is an impossibly large attack surface in a company if they are of any scale and the employees are the least bit empowered to get work done.

      Sure, you don't set up anything that would be week nor do you accept "it's internal" as an excuse, but for every thing you do see, there are a dozen things you don't know the employees are doing, and 90% of those are wildly insecure in some way. If they were forced to be on th

  • by Anonymous Coward

    As he stated, all companies get breached. But we are not criticizing all other companies. We are criticizing his. He just appears to be deflecting blame, and pivoting things against his company, by stating "all companies get breached".

    This was a big fuck up, no doubt about it. Mr Smith: what did your company do about it? You delayed reporting it for several weeks. You had executives who have been accused of insider trading as a result of this breach. And now you give me this pathetic excuse? Is that

  • by goombah99 ( 560566 ) on Sunday October 01, 2017 @12:36PM (#55287827)

    It's holding data. If a company wants to risk my security by profiting from amassing data on me I should be able to have some finiacial recourse when they injur me with their breach. If they can't secure my data then they should not hold it. If one really feels that all companies will be breached then that person should actually know what they are doing is going to cause an injury and therefore should be liable for it.

    liability is the key here. Until companies have a dear cost associated with lack of security there will be no security.

    But that's not enough. we can't have companies who are good citizens, paying money to protect others, masking data so it is stored more anonymously, and so forth incurring higher costs that some jackass comapny willing to pay fast and lose. Those risk taking companies will have lower costs of operation and put the conscientious companies out of bussiness. When they fail sometimes we respond by crippling the whole industry rather than punishing the shareholders of the bad companies.

    So we need not just damages but 10 fold punative damages that reach to the stock holders that invest. Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.

    then we'd see some good data practices. We'd see companies clamoring to be regulated. we'd see a lot less naked storage of raw data behind single passwords.

    it's not the breach. It's the gathering of data without direct consequences for it's loss.

    • Re: (Score:1, Redundant)

      by nospam007 ( 722110 ) *

      "it's not the breach."

      It's hiring a musician as anti-breach specialist.

    • by Mitreya ( 579078 ) <mitreya&gmail,com> on Sunday October 01, 2017 @01:37PM (#55288097)

      Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.

      Ok, that would pretty much kill investment. Maybe in the olden days you could invest in your small neighborhood company that would not do bad things ever, but those days have passed

      I would settle for Equifax being destroyed. The remaining two "competitors" would certainly improve their security (which would only help the new generation, our data is already burned). But Equifax may survive. I am pretty sure they continue receive my new data even now.

      • Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.

        Ok, that would pretty much kill investment. M

        You could make the same argument that by not allowing Nuclear and chemical companies to dump their waste into streams and landfills we would kill their investment. What I'm proposing is that companies be required to purchase a bond (an insurance policy) if they wish to engage in data retention. This would immuninze the shareholders against these reachthrough losses yet drive up the cost of doing bussiness. That is to say they would be paying for the externalities of the socail risks they create.

      • by SvnLyrBrto ( 62138 ) on Sunday October 01, 2017 @03:56PM (#55288685)

        > I would settle for Equifax being destroyed.

        Equifax being destroyed, plus:

        1) Every single C-level, board member, and president going away into pound-me-in-the-ass federal prison... forever.

        2) Anyone who knew about the breach, but sat on it for six weeks while the above sold off their stock, joins them in the pen.

        3) All assets of Equifax and of the above people... no matter where, or in what form, they are... are seized and liquidated; the proceeds used to compensate anyone who suffers identity theft or other credit or financial issues because of the breach.

  • The level of incompetence in corporate IT at times is staggering!!! []

    Until there are -real consequences- to management (personally and individually) from getting hacked, CxOs of all stripes (CEO, CIO, CISO, etc) will continue to get away with this.

  • by Anonymous Coward

    This is leftist propaganda, trying to give businesses a bad reputation for security. The real problem here is the use of a nine digit government issued ID that the government doesn't allow you to change and requirea you to share with financial institutions as proof of identification. The problem here is not the private sector but that the government has failed to use secure methods of authentication such as two factor authentication and public key encryption. Let the private sector create industry standard

    • by Anonymous Coward

      I swear, the whole effort of certain conservatives to see leftist conspiracies in everything is becoming a new Godwin's Law.

      Time to take the tinfoil hat off for a while. There is no conspiracy on the part of the "mainstream media". Our carrot-in-chief just hates CNN because they're critical of him, and NBC because SNL roasts him on a routine basis. There is nothing on the left like the Koch brother's network of big money doners looking to promote conservative causes. There's not some secret conspiracy on th

    • by ody ( 100079 )

      My understanding of the situation is that _Equifax_ was hacked. To my knowledge the Social Security Administration, whose official policy is that you should never give your ID number to anyone /except/ the SSA, had nothing to do with this breach.

      So while your statements about government being the problem, not using enough security, etc. may well be justified, they had little to do with the actual damages here.

    • Hur hur - blame the demycrats.

    • The reason you signed this post is you need to provide proof to your employer that you're shilling or you don't get paid.
      It's very obvious.

      Maybe you don't like the USA or maybe you're just poor and need money. But the less stable the US becomes.... and your work does destabilize the USA, the more likely it is that we will find some poor countries to drop bombs on. Probably your country will have it's turn well before there are any revolutions or major shifts in global hegemony.

      I want you to spend a few

  • by jpatters ( 883 ) on Sunday October 01, 2017 @12:37PM (#55287839)

    If all companies get breached, then no company should be allowed to keep data on a scale like that that can be so damaging if it gets stolen.

  • "Equifax CEO: All Companies Get Breached "

    But only you had hired a musician as an Anti-Breach specialist.

  • Those that we know we should fire out of a cannon and those that we don't know we should yet.

    There's the third kind: The kind that doesn't store personal information unnecessarily.

    Hint: You're not the third kind.

  • by atrimtab ( 247656 ) on Sunday October 01, 2017 @12:46PM (#55287875)

    A single word makes all the difference.

    He's correct when the company does not maintain their Internet facing platform. Which is exactly what Equifax did.

    I guess they decided to save money in IT. And perhaps had poorly qualified personnel. Because management doesn't understand IT, so it must be "easy" and something that should be cheap.

    Equifax says: "Breaches are a cost of business!" Sorry, non-customer that we lost all of your data and our incompetence will cost you for years to come!!!

    Given the vast negative effects of this breach Equifax should be given the "Corporate Death Penalty" like Anderson Accounting. Their continued attempts at 'deflection" will hopefully fail.

    • So let's accept that at some point or another no level of security is unbreachable (which I think is a stretch in practice but you can't prove a negative). That still doesn't make all breaches equivalent or mean that the breaches can't be detected or mitigated. Equifax fucked up on practically every level despite the importance of being especially vigilent being patently obvious because of the nature of what they held on everyone.

      The negligence started well before the breach, The incompetence really shone t

  • ... the clue train is slow in coming to equifax ... companies who ignore basic security practices get breached, the rest don't

  • by kaur ( 1948056 ) on Sunday October 01, 2017 @12:48PM (#55287889)

    Immutable data should not have any value at all.

    My name and SSN are assigned to me. I cannot choose or change them. Thus, they should have no business value, esp no value in the credit / financial context.
    My address, my employment, my family are essentially fixed as well. Again - this data could be public. It should have no value.

    "Identity theft" as perceived in the US must disappear.
    Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it.
    The value itself must change.

    • Immutable data should not have any value at all... Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it. The value itself must change.

      Wow, somebody just took Philosophy 101 and smoked a doobie, didn't he? If only the world were that simple, and if only you were right.

    • by k.a.f. ( 168896 ) on Monday October 02, 2017 @05:21AM (#55290943)
      Absolutely right!

      Remember, there is no such thing as "identity theft". There is only fraud, committed between two parties neither of which is you. The notion that someone can "steal your identity" is a red herring invented by big companies, in the hope that this will make it sound as if it was your responsibility and you should bear the costs. It isn't - it's their responsibility to guard against fraudulent transactions and not to withdraw money from you under fraudulent circumstances. But so far they've been pretty successful in establishing the narrative that it's your fault if someone abuses the ridiculously inadequate safeguards against fraud. This is a prime example of "Establish the terms of the debate, and you've determined its outcome".

    • by houghi ( 78078 )

      In Belgium:
      Credit data is held by the National Bank and is ONLY accessible to credit companies and banks.
      The data is only valid in combination of an obligatory ID card. A check can be done if that card is stolen on []
      If it is stolen you call a free number and it will be blocked immediately.
      Every person in Belgium has a national number. Even if you are not Belgian. It is your date of birth in reverse, three numbers for the person born or added on that day. and two control digits. Dutch []

  • All Companies Get Breached

    Well that means we can stop patching software we know has open security holes/backdoors. Nice, makes our jobs much easier. I guess that means it was not Equifax's fault /s

  • I call bullshit (Score:4, Insightful)

    by JustNiz ( 692889 ) on Sunday October 01, 2017 @01:02PM (#55287945)

    >> All Companies Get Breached

    This is not even slightly true. It is just a blatant attempt at blame avoidance through lying and misdirection.

    • by UPZ ( 947916 )

      >> All Companies Get Breached

      This is not even slightly true. It is just a blatant attempt at blame avoidance through lying and misdirection.

      Yep, he's just trying to avoid blame. His lack of any sense of responsibility is worse than my 10 year old nephew.

    • by gweihir ( 88907 )

      Very true. Also, those that do get breached are not all attacked successfully because they made a really bad beginner's mistake. Although the list of companies with amateur-level security is long: RSA, Deloitte, Citibank, ...

  • by Tyrannosaur ( 2485772 ) on Sunday October 01, 2017 @01:02PM (#55287947) maybe we should not allow companies to store vast repositories of personal data that is very bad if breached?

    It's a whole paradigm shift that needs to happen. Similar to best-practices with passwords today: you should never be storing your clients' passwords. Hash them, salt them, (I don't have all best practices off the top of my head) - but the end result is if the password database is breached, it is not catastrophic. We need to make personal data the same.

    One way I think is interesting is through homomorphic encryption- it is possible to do arbitrary operations on data without the server ever knowing the plaintext. This is the future.

    • maybe we should not allow companies to store vast repositories of personal data that is very bad if breached?

      You might be onto something here! If Equifax and their two cohorts can't be trusted to keep our credit histories and personal information secure, maybe they shouldn't be permitted to control certain aspects of our lives and defame us, no? They're not "too big to fail," so maybe we need to break them up, or at least require that they provide people in their databases with all of the information they provide to their customers, free of charge. Reporting incorrectly on me is one thing, but charging me to see s

  • Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.

    Wow, and did he brag about being an oligopoly who automatically receives everyone's data whether they want to allow that or not?
    Getting to that position is a much neater trick than having a profit margin of 90%. The person who got them there deserves a big bonus indeed.

  • "a stagnating credit reporting agency with a 'culture of tenure' and 'average talent'...earned a gross profit margin of 90%."

    Wait, don't tell me, let me spend all your obscene profit on equally obscene executive bonuses and therefore you can't afford anything more than "average" talent?

    Not that parachute-lined CxOs will start giving a shit anytime soon, but this is what happens when coddling top management becomes THE priority above all else.

  • Defense in Depth (Score:4, Interesting)

    by CODiNE ( 27417 ) on Sunday October 01, 2017 @01:56PM (#55288189) Homepage

    It's been said a million times but companies always want the magic bullet solutions.

    He's right that you should expect being compromised, but no safeguards were in place for what he said was inevitable.

    Looking at the timeline of events it's clear that getting past the endpoints meant free reign in their network. []

    Over the years the focus of the security industry has changed and it is no longer considered sufficient to have a crunchy shell with a soft interior. From behavioral analysis, to canary systems and binary whitelisting/flagging. There are so many things they could have done differently it's astounding.

    By publicly asserting the unavoidability of a breach, and then having no plan of action prepared for that, he's admitting that their security plan is negligent.

    In other words ''Cars crash, people die... seatbelts are useless''

  • Sure, but... (Score:5, Informative)

    by reanjr ( 588767 ) on Sunday October 01, 2017 @02:02PM (#55288211) Homepage

    Sure, but only some of them dump stocks illegally, hire arts majors to run tech security, attempt to take away the rights of victims, send their customers to illegal phishing sites, wait months to report to the public, get into a tiff with their hired outside security consultants, and otherwise completely mishandle the aftermath.

  • All companies do get breached, but not because of sheer incompetence due to not patching a widely publicized vulnerability. The day after publication we told our product teams to update and the teams that had it did so in weeks, not months - and that was in on-prem products. Yet, Equifax couldn't patch their website in three months? That's incompetence.

  • by Chas ( 5144 ) on Sunday October 01, 2017 @03:14PM (#55288533) Homepage Journal

    Sorry, but security is almost purely a reactive thing.
    And worse, HUMANS are tossed into the mix.

    As such, security is a delaying action, at best.
    If someone really and TRULY wants in, they're getting in. And pretty much nothing short of destroying your computing assets wholesale will prevent it.

    Security has become so full of snake-oil salesman they they've forgotten that their primary purpose is hardening to the point where your average 6 year old with an iPhone can't get root on your production servers. And their secondary purpose is monitoring the network, both proactively and in the event of a breach.

    So, even if someone gets in, you SEE it and you have a log trail.

    This idea that security will keep your assets totally and completely hack-proof is utter nonsense. DANGEROUS utter nonsense.

    • Sorry, but security is almost purely a reactive thing.

      Not if you do it correctly and effectively! Being proactive is the only way to be good at security.

      • by Chas ( 5144 )

        The problem is, that you're simply being proactive about using reactive systems and methodologies.

        That's like saying "this location is safe because we have hugely thick and high boundary walls, and the building itself is a combination of concrete and steel that's even thicker. The roof is 20 feet thick as is the foundation. It's bombproof and drill-proof. We've got biometric security and armed guards roaming the premises. And all our employees are heavily indoctrinated in security methods.

        Meanwhile, the

  • by ErichTheRed ( 39327 ) on Sunday October 01, 2017 @05:19PM (#55288979)

    Saying that all companies will eventually get breached is, in my opinion, correct. The unfortunate thing is that nothing will ever be done to even try to improve the situation, because it's too easy for companies to just buy "cyber-insurance" as opposed to playing cat and mouse with "security researchers." In this situation, they don't even have to have the insurance company pay for credit monitoring, because they can give it away for free by just providing the same service they used to sell.

    Unless you put nothing on the Internet and have a strict, enforceable we-will-fire-you-immediately policy for people who inadvertently leave the doors open, there's very little chance companies can stay ahead of attacks forever. The bigger the company, the worse it is. Outsourced IT makes security response many times slower as well because the problem has to filter down two reporting chains before it gets fixed (assuming anyone notices.) Even the NSA wasn't able to keep a lid on their information and exploit vault...that should tell you something. All the security in the world is nothing when you have humans in the loop.

    What will be interesting to see is what happens when more companies start looking to put core systems into the public cloud. Obviously cloud providers have a huge incentive to keep things safe, but nothing's perfect. And the more complex things get, the more surface area an attacker has to work on. I'm sure there are more than a few "don't be like Equifax" FUD-laden sales calls being made in CIO offices all over the world lately.

    The truth is that security has zero ROI in an environment where you can just say "oops," write a small check and move on like nothing happened. So far, nothing bad has happened to any company that has lost customer data. People still shop at Target, Home Depot, etc. and still keep their money in banks that have experienced data loss incidents. People just assume that these things happen and nothing can be done about it, and I agree to some extent.

    • by gweihir ( 88907 )

      The truth is that security has zero ROI in an environment where you can just say "oops," write a small check and move on like nothing happened.

      And that is the problem. If this was classified routinely as gross negligence (unless the company can prove having followed best practices), and the CEO was jailed, then things would look a bit differently. Before that or something similar happens, data-security used to protect customer data will remain a dark joke.

  • Even average attackers can get in. Also, when you make really stupid mistakes, in a working legal system that is called "gross negligence" and you become liable for the damage you did. Of course, Equifax being really large, they do not need to fear the law.

  • by DidgetMaster ( 2739009 ) on Sunday October 01, 2017 @08:11PM (#55289639) Homepage
    Banks learned long ago that security measures had to be escalated along with the pile of money being kept. If a small branch only had a few $100K in cash, it didn't need the same security as a big bank with several $Million in the vault. When you have so much gold that it requires dump trucks to carry it in and out, you need the security of Fort Knox. Any bank that had $Billions stored in a file cabinet with only a single 80 year old security guard watching it, should be held responsible when it gets robbed. It sounds like that was the case at Equifax.
  • This was absolutely hilarious.I'm certainly no security expert... I'm just a humble programmer who understands how security holes are made (heavens know I make them often enough).

    Let's be 100% true to ourselves... the security crowd is generally full of shit. When I read the headline of an article (a month ago on Slashdot sometime) making some dumb-ass remark like "There have been more hacks already in 2017 than in any previous year". They whole article rambles on non-stop for frigging ages about how bad th
  • The Full Time Line (Score:4, Informative)

    by aquanaut44 ( 5102621 ) on Monday October 02, 2017 @03:12AM (#55290675)
    So - brief summary of timeline:-

    Feb 24, 2016 - Annual 10K report - indicates only generic, boilerplate risks that a financial services company like Equifax should include in their SEC filing.

    Jly 27, 2017 - Quarterly 10-Q filing with the SEC, indicating "There have been no material changes with respect to the risk factors disclosed in our 2016 Form 10-K."

    Aug 1, 2017 - Chief Financial Officer John Gamble sells $946,374 in shares

    Aug 2, 2017 - Joseph Loughran, President of US Information Solutions sells $584,099 in shares... and Rodolfo Ploder, President of Workforce Solutions, sells $250,458 in shares

    Aug 17, 2017 - Rick Smith gives a presentation to the University of Georgia, discussing cyber security threats - and makes a memorable quote...

    Sep 7, 2017 - Equifax admit to a massive data breach, impacting at least 143 million Americans, see here:- []

    Sep 7, 2017 - On the same day as admitting to the breach, Equifax also admit that 3 executive sold $1.8MM in shares between the breach being detected and the date it was made public. Crucially, despite Equifax claiming that the Executives had no knowledge of the breach, none of the three sales were part of planned, scheduled trading (i.e. were covered by 10b5-1 plans). In other words, these were spontaneous sales. See here:- []

    The crucial thing is, however, that in the above Independent article, published September 7th, is the statement,

    "The Atlanta-based company said that that “criminals” exploited a US website application to access files between mid-May and July of this year - with the weakness said to have been discovered at the end of that month. "

    Now, among the pieces of information we don't know are: 1) when, exactly, did the three executives sell their shares?; and 2) what internal discussions - i.e. board meetings, emails - were used to disseminate the information internally.

    Obviously we're not told this, but the company will by now have received a "Preservation Order" from the SEC, requiring them to ensure that data pertaining to this event is not destroyed. Backup tapes will be pulled from cycles; current email folders will be locked; individuals will be warned that their documents are subject to such an order. Given the close proximity of events - we're talking days, not weeks or months - it should not be difficult to forensically re-create a very precise time-line.

    So whilst the speech that Smith gave a the University of Georgia is going to be hugely embarrassing for him personally - and whilst the acknowledgements he makes in it will be very uncomfortable for the company - the really crucial evidence here is all about the timing. Understanding the truth behind the question, "Who knew what, and when", is going to make the difference between negligence and a criminal act.

    Here is the key thing to bear in mind. That statement as reported in the UK Independent newspaper article that the breach came to light "at the end of July" is absolutely crucial. If there is enough evidence to suggest that persons within the company knew of the data breach *before* that 10-Q was filed, then I don't see how Smith and his co-directors can avoid jail time. The deciding factor [for me] is that the actual timing could very easily show conspiracy.

    If there was a suggestion that a concerted effort was made to hold back the breach information until after the second quarter 10-Q, then it will not look good for the board. They are on the horns of a dilemma here. Either there was widespread knowledge of the breach and the three executives attempted of
    • a significant portion of Equifax Management are utterly incompetent and basically allowed one of the worst data breaches in history to happen on their watch... in which case we can only hope that shareholder lawsuits will follow.

      Did you miss this one? [] The blood is most definitely in the water already.

Programmers do it bit by bit.