Squabble With Contractor Delayed Equifax's Response To Data Breach (bloomberg.com)

An anonymous reader quotes Bloomberg's report on the contractor Equifax first hired to investigate their breach: Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network... Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...

That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer... By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems.

"They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group -- known as an entry crew -- handed off to a more sophisticated team of hackers," reports Bloomberg, suggesting that the attack may have been sponsored by a nation-state.
  • by Anonymous Coward on Saturday September 30, 2017 @08:53PM (#55286045)

    There is no excuse, especially how Equifax has also mishandled just about everything after the breach was made public. Make it a $1,000 fine per person per day for not notifying them within seven days of discovering the breach. The only exception is if law enforcement requests that the breach not be disclosed to protect the integrity of an investigation.

    • Make it a $1,000 fine per person per day for not notifying them ...

      You need to get a firmer grip on reality. Equifax's net income last year was $488M. There were 143M people compromised. So even $3 per person per year would likely bankrupt them.

      • If you can't do the time, don't do the crime...

      • I'm not holding my breath; but is there some reason why 'that would annihilate the company' would be considered a defect rather than a feature?
        • is there some reason why 'that would annihilate the company' would be considered a defect rather than a feature?

          There are currently 3 credit bureaus: Equifax, Experian, and Transunion. Going from 3 to 2 would reduce competition, and raise prices. That is not in the best interest of consumers. It is already clear that everyone directly involved in this debacle is going to lose their jobs, and Equifax will be under completely different management. So what is the point of shutting Equifax down and putting 9500 employees out of work?

          • Comment removed based on user account deletion
      • Comment removed based on user account deletion
      • A breach like this should bankrupt a company.
  • Correct Headline: (Score:5, Insightful)

    by Known Nutter ( 988758 ) on Saturday September 30, 2017 @08:55PM (#55286053)
    Squabble With Equifax Delayed Equifax's Response To Data Breach

    The way the headline reads as published makes it sound as if the contractor is to blame -- which is obviously horseshit.
    • by Anonymous Coward

      When in doubt, blame the IT guy. He doesn't have a PR firm to lie for him to the media.

    • by Anonymous Coward

      Agreed. The sad point of this.. is Equifax didn't have their own blue team.. or even an electronic forensics team on-station. Like normal they were riding the wave of ignorance until a shark took a big bite out of their board. Their first action was to blame the first third-party blue-team that they hired.

      Stupid is as stupid does (Forrest Gump)

      Peace out.

  • Mandiant - that name rings a bell. I can't be arsed to google it, but IIRC this isn't their first clusterfuck.

    • by Anonymous Coward

      It isn't; they basically get called every time there is a clusterfuck. Where you heard about them before was when they tracked down an APT actor to the building: https://mobile.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?referer=https://www.google.com/

    • If a company is hired to resolve clusterfucks, it is obvious they deal with multiple ones.

  • by Gravis Zero ( 934156 ) on Saturday September 30, 2017 @09:09PM (#55286089)

    Regardless of whatever they may have believed, they were warned and ignored the warnings. Sure seems like gross negligence or possibly even criminal negligence. If the system weren't corrupted, I would expect indictments. It's too bad our government doesn't function properly.

    • by oldgraybeard ( 2939809 ) on Saturday September 30, 2017 @09:59PM (#55286187)
      So the Equifax CSO (the music composition major) didn't think the security contractor sent individuals that had the right background to do security work?
      "Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company."
      Odd. Maybe they could not hum the right tune ;)

      I have heard people say a specific degree does not matter. Just having a degree proves you have the ability to learn and do any job. Guess not ;)
      • by dgatwood ( 11270 )

        Odd. Maybe they could not hum the right tune ;)

        And if the reports of their former security head being a music major are accurate, they were uniquely qualified to recognize when the contractors could not hum the right tune....

        This sounds like standard MBA behavior. Being secure is expensive in the short term, which hurts short-term profits, which hurts the value of their options. Therefore, in their minds, it is better to factor in insecurity as a long-term risk and spend as little money as possible on it,

      • by Anonymous Coward

        Education is independent of intelligence. It's possible to be an educated idiot - I know a lot of them personally. It's possible to be smart and uneducated, too. The difference is that an educated smart person will far exceed an uneducated smart person in terms of success. The idiots see that educated smart people make a lot of money, and because they are unable to discern correlation from causation, they decided that going to college meant anyone could be as successful as smart educated people. When the id

  • by filesiteguy ( 695431 ) <perfectreign@gmail.com> on Saturday September 30, 2017 @09:11PM (#55286095)
    Actually I have no idea what Equifax uses, but it seems every time I read of these breaches they are because of a lack of communication between various internal groups. Working for a company that is often hit with DDOS or other intrusion attempts by nation-states, I know that the overriding thing to keep them out is open, candid communication between staff, management, and vendors.

    Also, probably shouldn't put Access databases outside the DMZ.
    • by HiThere ( 15173 )

      Access? Are you talking about MSAccess?

      I don't know whether they've fixed the problem, as I haven't used it in decades, but I remember it as "The database that couldn't add two numbers correctly". It had a bunch of other problems, but it was so convenient that I used it until I actually caught it adding two numbers together and getting the wrong answer (repeatedly, but not on every run). After that I transitioned away from it as quickly as I could. It took a lot of testing, as I couldn't believe a busine

  • by Anonymous Coward

    Whoa whoa whoa. So a foreign power now has access to the credit records of the entire country? We need to stop dicking around and bring in the NSA.
    This is in their mandate.

  • by rsilvergun ( 571051 ) on Saturday September 30, 2017 @09:36PM (#55286133)
    Sounds like Equifax didn't like what it heard, so it disregarded their consultant's advice.
    • by jfgob ( 5104057 ) on Sunday October 01, 2017 @02:04AM (#55286513) Homepage
      ... or possibly not how unbelievably common this is. And most of the time, in my experience, the management is not even aware of the issues. The last security assessment I did was shot down as "unpractical and impossible to execute on" by the IT managers or directors. Simply because it started with "take XXX days to level all systems to a known updated state" along with the report from a vulnerability scanner. These IT managers/directors were actually the ones saying "if I go to my management with this proposal, I will lose my job", not the top management itself, happily thinking that everything was hunky-dory. My experience is that many CTOs do not like telling their CEO "we need to talk" or "we need to fix up things and that involves changing the way people think too."
      • by Anonymous Coward

        When you're under the gun to meet the numbers, it's amazing how many "problems" you can find in a customer's system. Selling unnecessary "solutions" is a great way to boost commissions.

        It's buyer beware in this industry.

        • by chihowa ( 366380 )

          If you start out with the implication that "take XXX days to level all systems to a known updated state" is an "unnecessary solution", then we all have a better idea of why the state of the industry is such a clusterfuck.

          • It's a short sighted, non-solution anyhow.

            If your systems aren't being consistently patched, it's because patching is not a priority. The update 'test and deploy' team is understaffed (likely headcount 0).

            Freezing everything and patching like crazy for a few days is likely to break things, giving MBAs exactly the wrong data. (Think of MBAs as really buggy, flaky machine learning algorithms. You have to curate what they 'learn'.)

            In six months you'll be right back where you started, unless staffing and

            • by HiThere ( 15173 )

              That may be so, but if you don't start with the system in a known state, any further efforts are possibly worthless. You can't be sure that they're worthless, but you can't be sure that they aren't.

              Back in the old days the solution was to set up a duplicate system, update it, test it, and then switch to it. That doesn't work for a highly interactive system. So all that's left as possible is to pick a decent time, say 11PM EST on a Friday, and take the entire system down for "scheduled maintenance". Back

              • We know how to patch systems. That's not the issue. The issue is systems _not_ getting patched, which is pure culture/priorities.

                Until you fix the issue, running around patching will always be playing catch up.

                Known state? Again, not much point of getting to a known patched state if you know it will just be ignored after.

                Also 'Known patched state' isn't easy, especially in a culture where no one is responsible (and has the time). You'll be finding additional servers up to the last minute of the patch

                • by HiThere ( 15173 )

                  I think the problem is a net of systems. Think of it as a problem in concurrent programming. If you don't know the state of the system, you can't really fix it. Often systems known to be infected need to be recovered from backup. This system sounds as if they didn't *have* any reliable backups.

                  You are right that it's a matter of culture/priorities, which is why I said things like "you need strong management support". But for anything to work you need to START from a known state.

                  • Getting to a known state for a moment in time is exactly useless.

                    Even the 'good end state' isn't having every system patched instantly.

                    If a system is in a truly unknown state, it needs to be rebuilt from the ground up anyhow. You don't know what's in there.

    • by Cederic ( 9623 )

      No, it sounds like Mandiant went, "You're insecure" and Equifax went, "No shit. Now tell us how to resolve that insecurity at reasonable expense. Stop sending us shitty consultants that know how to read the output of a Qualys scan."

      Equifax should have been more secure, but isn't that what Mandiant were there to actually help with?

      • by Bert64 ( 520050 )

        It depends on the scope of the engagement...
        Were Mandiant hired to just perform a vulnerability scan, or a more detailed assessment? How limited was their scope?
        Without knowing exactly what Mandiant were hired to do, it's impossible to determine if they were incompetent or not.

  • by Anonymous Coward

    Who the hell gave these freaks the right to have the personal info on millions of Americans???

    Did YOU say that they could have YOUR personal info?

    Did your parents? Did your kids? Did your neighbors or co-workers?

    Who gave them the gun and let them load it and then get drunk and start shooting?

    • Comment removed based on user account deletion
      • Um, no.

        We didn't give Equifax our info. We gave our info to banks, lenders, stores. They in turn gave our info to Equifax.

        It may seem like a minor point, but there it is -- We the People usually don't give the credit bureaus our info directly.... unless it's in the guise of "free credit reports!!!OMG!ZOMG!" in which case then we did.

        • Comment removed based on user account deletion
          • by Anonymous Brave Guy ( 457657 ) on Sunday October 01, 2017 @05:31AM (#55286839)

            And when you give that info up to your bank, you give your consent to them sharing it with the equifaxes of the world.

            This is a very weak argument. Consent without a viable alternative isn't really consent at all.

            • But there is a viable alternative: Do not use services offered where you are required to give objectionable consent.
              • It isn't viable to function as a normal member of any Western society I know about without access to basic financial facilities like a bank account. In fact, it's caused so many problems for those unlucky enough to fall through the gaps here in the UK that the government had to step in and promote the provision of basic bank accounts that might not have any sort of credit facilities but at least provided enough basic services for someone to do things like receiving pay from an employer or settling household

  • "The investigation in March was described internally as "a top-secret project" and one that Smith was overseeing personally, according to one person with direct knowledge of the matter."
    WTF? The CEO was trying to cover up the breach. Instead of being a real leader and shutting down Equifax until it was fixed, he let hackers just slowly take the data over 6 months.
  • by Anonymous Coward

    The government regulations that stifle the industry and make it hard to do business are the real cause here. As usual, all government is bad government. We need to deregulate the industry so that the free market can fix this problem once and for all. Guaranteed.

  • by bernywork ( 57298 ) <bstapletonNO@SPAMgmail.com> on Saturday September 30, 2017 @10:27PM (#55286245) Journal

    There are two issues here. The CEO didn't insist on security, so either he's naive or misinformed. Either is bad.

    The CTO didn't insist or wasn't given budget for appropriate security measures. Either is bad.

    The CEO wasn't managing the CTO in regards to requirements, and the CTO wasn't managing up the requirements.

    When you look at BoA where security is king; they'd rather have a production outage, break something and then scream at the vendor to fix it, than lose customer data. A customer facing production outage costs them a lot less than the loss of customer data, where they're concerned the whole company could go to the wall.

    This is a management fuck-up of the highest order. This was business risk 101 and they failed to identify it, quantify it and mitigate it.

    Mandiant may not have sent their A team, but from the sounds of things their C team would have been enough to start to deal with their issues. Unpatched systems? C'mon, are we still in high school?

    • by Todd Knarr ( 15451 ) on Sunday October 01, 2017 @01:19AM (#55286473) Homepage

      They probably did quantify the risk. In terms of its effect on their revenue, of course, since that's what's at risk for them. And that risk is close to zero, since consumers can't block reporting of their data to Equifax and there are only 2 competitors Equifax has to worry about and the majority of them already use all 3 bureaus. So why expend money mitigating something that poses negligible risk to your business? It poses no risk to the executives either; their future income doesn't depend on Equifax continuing in business. At worst they'll collect a hefty severance package and spend a few weeks relaxing until they get picked up at another company. This is what I refer to as the difference between a businessman and an MBA: the businessman's livelihood is at stake, whereas the MBA is just a glorified W-2 employee.

      Risk to consumers? Equifax doesn't do business with consumers, why would anything that happens to those consumers bother it? At most Equifax will spend a few years arguing with regulators and maybe some fines will be levied, but odds on the cost of the fines will be less than the cost of good security. More likely they'll be able to claim they were following all the recommended practices (shoddy as those are) and it's Apache's fault for having left the bug in the version of Struts in question, which (especially given the current administration) will be enough for them to skate even though everybody reasonable knows it's BS.

      • And that risk is close to zero, since consumers can't block reporting of their data to Equifax and there are only 2 competitors Equifax has to worry about and the majority of them already use all 3 bureaus.

        As a general point of interest, that situation might change next year for consumers within the EU, when new and very heavy-handed data protection regulations come into force. Those regulations have been very transparently aimed at big data hoarders like Google and Facebook, but I can't immediately see why they wouldn't hit the likes of Equifax and the other credit reference agencies just as hard. Since there were reportedly a large (though not as large) number of EU citizens affected by the leaks here as we

  • Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...

    No, that is exactly the level of competence I expect from a 'marquee security company,' especially several years after they've been bought out by a large corp.

    You'd expect about the same level of quality that you'd get from a development team at Oracle.

  • by FeelGood314 ( 2516288 ) on Saturday September 30, 2017 @11:59PM (#55286383)
    Security is only an expense for them. Losing data they have on people doesn't affect their business. Hell, the data only needs to be accurate 90% of the time for them to make a profit. Don't be surprised by this. Equifax is acting completely rationally. If you really cared, maybe we should have an organization that is run by the public to do things that can't be done efficiently by private companies because their motivations don't align with how they are paid. I suggest we give this organization a cool name like "government".
  • Equixpertise (Score:5, Insightful)

    by elrous0 ( 869638 ) on Sunday October 01, 2017 @12:20AM (#55286411)

    Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company.

    So I guess they weren't as well-qualified as the music major [marketwatch.com] you hired as your chief security officer?

  • Still no reason to let Equifax continue to exist.

  • Comment removed based on user account deletion
    • by HiThere ( 15173 )

      That isn't even what they said. What they said was "When the hack turned out to be unexpectedly valuable, they turned it over to a more skilled group", and that *this* indicated it was a nation-state.

      To me that sounds like they found something valuable and sold it to someone else...who might have been a nation-state. Why not, they have deeper pockets than most.

  • Security done correctly is expensive and management hates that. They also hate things they do not understand, so when somebody tells them they need to spend money on something expensive that they don't understand, they resist. They hire people that understand security to take care of it, but they rarely give them the real resources and backing they need to do things properly.

    Compliance standards help some but the trend I've been seeing is that compliance is merely a checkbox for management and th

  • Hubris, ego, and ass covering are responsible for the delay. The head shed was concerned about its own collective asses and jobs.
  • Not only did they know about the breach long before they told anybody, they knew about the likelihood of a breach at a time when they might have drastically curtailed the damage of the one that was already in progress. All while they were arguing the equivalent of how many angels can dance on the head of a pin. Such is corporate hubris.

  • As a lay person I would like to ask the technical readers here: why don't companies with sensitive data encrypt the data in the databases and only decrypt it for processing? Wouldn't that make these thefts of data pointless?
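The question above, illustrated with an added example that is not part of the thread: field-level encryption of a sensitive column where the key lives only in the application tier, never in the database. The sample records, the master key and the helper names (`encrypt_field`, `store_records`, `app_tier_read`) are all constructed for this demonstration. It uses a stdlib-only HMAC-SHA256 keystream with an encrypt-then-MAC tag so it runs anywhere; a real deployment would use AES-GCM from a vetted library and a key management service, but the lesson is the same: a raw copy of the database yields ciphertext and tampering is detected, yet any component that legitimately holds the key (the web tier, which in Equifax's case is where the Struts flaw sat) can still produce plaintext. Encryption at rest narrows what a database dump is worth; it does not replace patching the tier that decrypts.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream (demo construction, not a standard cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive_keys(master_key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    enc_key = hmac.new(master_key, b"field-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"field-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_field(master_key: bytes, plaintext: str) -> str:
    """Encrypt one column value; returns hex(nonce || ciphertext || tag)."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)          # fresh per value
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return (nonce + ct + tag).hex()


def decrypt_field(master_key: bytes, token: str) -> str:
    """Verify the tag first, then decrypt; raises on any tampering."""
    blob = bytes.fromhex(token)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode()


# Constructed sample data: fake names and obviously fake SSNs.
SAMPLE_PEOPLE = [
    ("Alice Example", "000-00-0001"),
    ("Bob Example", "000-00-0002"),
]
# Constructed master key; in practice this comes from a KMS/HSM, never from the DB.
APP_TIER_KEY = b"constructed-demo-master-key-do-not-reuse"


def store_records(master_key: bytes, people) -> list:
    """What the application tier writes: the SSN column holds only ciphertext."""
    return [{"name": name, "ssn_enc": encrypt_field(master_key, ssn)} for name, ssn in people]


def dump_contains_plaintext(rows, known_ssns) -> bool:
    """Models a raw database exfiltration: does any plaintext SSN appear in the dump?"""
    dump = json.dumps(rows)
    return any(ssn in dump for ssn in known_ssns)


def app_tier_read(master_key: bytes, rows) -> list:
    """What a component holding the key (or an attacker who owns that component) sees."""
    return [(r["name"], decrypt_field(master_key, r["ssn_enc"])) for r in rows]


def tamper_is_detected(master_key: bytes, token: str) -> bool:
    """Flip one ciphertext byte and confirm decryption refuses it."""
    blob = bytearray(bytes.fromhex(token))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt_field(master_key, blob.hex())
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    rows = store_records(APP_TIER_KEY, SAMPLE_PEOPLE)
    print("DB dump exposes SSNs:", dump_contains_plaintext(rows, [s for _, s in SAMPLE_PEOPLE]))
    print("App tier with key reads:", app_tier_read(APP_TIER_KEY, rows))
    print("Tamper detected:", tamper_is_detected(APP_TIER_KEY, rows[0]["ssn_enc"]))
```

The design choice worth noticing is the split: the database never sees `APP_TIER_KEY`, so a stolen dump is useless on its own, but the tier that calls `app_tier_read` is now the high-value target, and detection effort (unexpected bulk decrypt volume, decrypt calls from unusual code paths) belongs there.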
