Squabble With Contractor Delayed Equifax's Response To Data Breach (bloomberg.com)
An anonymous reader quotes Bloomberg's report on the contractor Equifax first hired to investigate their breach:
Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network... Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...
That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer... By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems.
"They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group -- known as an entry crew -- handed off to a more sophisticated team of hackers," reports Bloomberg, suggesting that the attack may have been sponsored by a nation-state.
In before a dumb turkeydance one line post (Score:5, Insightful)
There is no excuse, especially how Equifax has also mishandled just about everything after the breach was made public. Make it a $1,000 fine per person per day for not notifying them within seven days of discovering the breach. The only exception is if law enforcement requests that the breach not be disclosed to protect the integrity of an investigation.
Re: (Score:2)
Make it a $1,000 fine per person per day for not notifying them ...
You need to get a firmer grip on reality. Equifax's net income last year was $488M. There were 143M people compromised. So even $3 per person per year would likely bankrupt them.
Re: In before a dumb turkeydance one line post (Score:2)
If you can't do the time, don't do the crime...
is there some reason why 'that would annihilate the company' would be considered a defect rather than a feature?
There are currently 3 credit bureaus: Equifax, Experian, and Transunion. Going from 3 to 2 would reduce competition, and raise prices. That is not in the best interest of consumers. It is already clear that everyone directly involved in this debacle is going to lose their jobs, and Equifax will be under completely different management. So what is the point of shutting Equifax down and putting 9500 employees out of work?
Re: (Score:2)
The credit bureaus are pretty useless, let Equifax die, break the other two into three smaller ones each. Done. Again: Too big to fail, is too big to exist.
Financial education should be taught _every_year_ in school, kindergarten to high school. If they haven't 'got it' by then, it's hopeless. Don't add it to college. Debt is a necessary tool. Try and buy a house without it. But don't be its servant. Don't use it to buy rapidly depreciating items (e.g. cars), at least not more than once in your life.
Re: (Score:2)
The problem with purchasing a house without debt is that rent for living space increases in cost without bounds otherwise. And when purchasing a house becomes too difficult, even with debt, the cost of rental housing explodes, even though there is a practical bound. As it has recently in many cities of the US, and probably elsewhere.
This doesn't say what the answer to that problem should be. It's merely constraints on the answer. Certainly rent-control has many well known problems, and has proven an und
Re: (Score:2)
No, real estate will concentrate into the hands of those with piles of money. Everybody else pays rent.
Correct Headline: (Score:5, Insightful)
The way the headline reads as published makes it sound as if the contractor is to blame -- which is obviously horseshit.
Re: Correct Headline: (Score:1)
When in doubt, blame the IT guy. He doesn't have a PR firm to lie for him to the media.
Re: (Score:1)
Agreed. The sad point of this is Equifax didn't have their own blue team, or even an electronic forensics team on-station. Like normal they were riding the wave of ignorance until a shark took a big bite out of their board. Their first action was to blame the first third-party blue team that they hired.
Stupid is as stupid does (Forrest Gump)
Peace out.
Re: (Score:1)
Described a potential problem, how to fix said problem. Rather than act on the information provided, Equifax said they knew better and asked for a "better team" that would do as they were told.
It's fucking easy to walk into a company the size of Equifax, run a vulnerability scan or three, and go, "You have unpatched vulnerabilities! You need to patch all these systems!!"
What I want from a professional security firm is a fuck of a lot more. E.g., how do I keep those systems sufficiently secure and manage those security risks without investing half a billion dollars into my IT estate, making half my product line unprofitable.
Any cunt can spot the issues, I'm not surprised Equifax were seeking actua
Re: (Score:2)
Incident response, vulnerability scanning, and pen-testing are all different things.
Vuln scans as you describe are a useful service if your organization does not have the resources to perform them and consume the resulting data. Equifax-sized organizations should have an internal security team that is able to do that. If they hired Mandiant to do it, that indicates a defective security organization right there. A vulnerability scan is a bottom-drawer service that is generally sold to small shops and shops that
Re: (Score:2)
So what happened here? Did Mandiant show up and do a VS when Equifax hired them to do incident response? Did Mandiant's sales team sell them the wrong service? Did Equifax cheap out and buy the bottom-drawer offering, despite it not meeting their needs, against advice? Who knows!
Well, exactly. This is why I'm reluctant to make too many assumptions here.
It's very possible that Mandiant were completely shit.
It's equally possible that Mandiant were pragmatic, insightful, informed and informative, and Equifax were incapable of understanding this.
They know what a well run textbook program looks like but they don't know how to manage people and which changes to try and make first.
Worse, there are no right answers. The business benefit of not having a data breach is extremely hard to give a line-item on the balance sheet but the prevention costs are very apparent in the P&L. So how and where to prioritise the resourc
Re: (Score:2)
The business benefit of not having a data breach is extremely hard to give a line-item on the balance sheet but the prevention costs are very apparent in the P&L.
I could not agree with that more. How much should you spend on security-specific efforts? Well, many would argue: X = risk probability * cost of a breach
I think it's actually the case that an organization like Equifax probably has not invested too much in security. All the costs they have really incurred have mostly to do with dumb mistakes after the breach. Had they literally said and done nothing at all. What if when asked about it all they did was say "yup looks like, we are trying to make sure it does n
Re: (Score:2)
I'd suggest waiting until their next financial announcement and admiring the trend in quarterly revenues.
The real price isn't the reparation costs, it's the reputational one. Equifax rely on other people's data and if that dries up because they're not trusted with it, the competition are eager to step in.
Re: (Score:2)
It's totally off-topic, but it does have some merit. The 17th Amendment is one of the steps that limited the power of the states and increased the centralized power of the Federal Government. It's plausible that it was a mistake, though it was intended to address real existing problems. And the problems that it caused are one of the things making me hesitant to support efforts to remove the electoral college. I can see the clear problems that it causes, but what I can't see is the problems it prevents.
Re: (Score:2)
It's not *just* that they aren't adequately staffed and funded, though that is also true. Regulatory capture is an even worse problem. No regulator should be allowed to accept any remuneration from those they regulate, not even after they retire from the body. And I mean not allowed to accept *ANY* remuneration. No jobs. No dinners. No speaking fees. No consultant arrangements. No discounted apartments. No payments for stock owned. NOTHING. And not just while regulating, but also afterwards. (If
Re: (Score:2)
I'm buying futures in microwave popcorn, this looks good.
Re: (Score:2)
Company: "Ya, you've got problems."
Equifax: "Fix 'em."
Company: "Let's talk price."
Equifax: "You're not as good as we thought."
Company: "Not for free? Yup."
Re: (Score:2)
The
Re: (Score:2)
As far as they went. They found the vulns. It's not clear if they had anyone on the team experienced enough to see the symptoms (live systems unpatched for months), then diagnose the cultural problem and pass that information, loudly and clearly, to the level it needed to get to in Equifax (the Board via the CEO, on the record).
Based on my experience with corporate 'contractors' (been one), they put their results through channels. Which is just as good as burning them as far as results go, covers ass though.
As
Mandiant (Score:2)
Mandiant - that name rings a bell. I can't be arsed to google it, but IIRC this isn't their first clusterfuck.
Re: Mandiant (Score:1)
It isn't, they basically get called every time there is a clusterfuck. Where you heard about them before was when they tracked down an APT actor to the building: https://mobile.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?referer=https://www.google.com/
Re: (Score:2)
If a company is hired to resolve clusterfucks, it is obvious they deal with multiple ones.
"Mandiant warned Equifax" (Score:4, Insightful)
Regardless of whatever they may have believed, they were warned and ignored the warnings. Sure seems like gross negligence or possibly even criminal negligence. If the system weren't corrupted, I would expect indictments. It's too bad our government doesn't function properly.
Re:"Mandiant warned Equifax" (Score:4, Funny)
"Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company."
Odd. Maybe they could not hum the right tune.
I have heard people say a specific degree does not matter. Just having a degree proves you have the ability to learn and do any job. Guess not.
Re: (Score:1)
And if the reports of their former security head being a music major are accurate, they were uniquely qualified to recognize when the contractors could not hum the right tune....
This sounds like standard MBA behavior. Being secure is expensive in the short term, which hurts short-term profits, which hurts the value of their options. Therefore, in their minds, it is better to factor in insecurity as a long-term risk and spend as little money as possible on it.
Re: (Score:1)
Education is independent of intelligence. It's possible to be an educated idiot - I know a lot of them personally. It's possible to be smart and uneducated, too. The difference is that an educated smart person will far exceed an uneducated smart person in terms of success. The idiots see that educated smart people make a lot of money, and because they are unable to discern correlation from causation, they decided that going to college meant anyone could be as successful as smart educated people. When the id
Re: (Score:2)
Ever heard the old joke about the three guys on a safari that piss off a lion?
First guys says "We're all dead". Second guy says "I only need to outrun one of you". Third guy takes his walking stick and cracks the second guy in the knee.
In Equifax's case, the CEO, CIO and CSO left the company and took their parachutes to the bank. Not their problem anymore.
Serves them Right for using Access (Score:3)
Also, probably shouldn't put Access databases outside the DMZ.
Re: (Score:2)
Access? Are you talking about MSAccess?
I don't know whether they've fixed the problem, as I haven't used it in decades, but I remember it as "The database that couldn't add two numbers correctly". It had a bunch of other problems, but it was so convenient that I used it until I actually caught it adding two numbers together and getting the wrong answer (repeatedly, but not on every run). After that I transitioned away from it as quickly as I could. It took a lot of testing, as I couldn't believe a busine
Comment removed (Score:4, Insightful)
Re: (Score:2)
Don't feed the trolls
nation state actors (Score:1)
Whoa whoa whoa. So a foreign power now has access to the credit records of the entire country? We need to stop dicking around and bring in the NSA.
This is in their mandate.
Doesn't sound like a Squabble to me (Score:5, Insightful)
You'd be surprised ... (Score:5, Interesting)
Problems (Score:1)
When you're under the gun to meet the numbers, it's amazing how many "problems" you can find in a customer's system. Selling unnecessary "solutions" is a great way to boost commissions.
It's buyer beware in this industry.
Re: (Score:2)
If you start out with the implication that "take XXX days to level all systems to a known updated state" is an "unnecessary solution", then we all have a better idea of why the state of the industry is such a clusterfuck.
Re: (Score:2)
It's a short sighted, non-solution anyhow.
If your systems aren't being consistently patched, it's because patching is not a priority. The update 'test and deploy' team is understaffed (likely headcount 0).
Freezing everything and patching like crazy for a few days is likely to break things, giving MBAs exactly the wrong data. (Think of MBAs as really buggy, flaky machine learning algorithms. You have to curate what they 'learn'.)
In six months you'll be right back where you started, unless staffing and
Re: (Score:2)
That may be so, but if you don't start with the system in a known state, any further efforts are possibly worthless. You can't be sure that they're worthless, but you can't be sure that they aren't.
Back in the old days the solution was to set up a duplicate system, update it, test it, and then switch to it. That doesn't work for a highly interactive system. So all that's left as possible is to pick a decent time, say 11PM EST on a Friday, and take the entire system down for "scheduled maintenance". Back
Re: (Score:2)
We know how to patch systems. That's not the issue. The issue is systems _not_ getting patched, which is pure culture/priorities.
Until you fix the issue, running around patching will always be playing catch up.
Known state? Again, not much point of getting to a known patched state if you know it will just be ignored after.
Also 'known patched state' isn't easy, especially in a culture where no one is responsible (and has the time). You'll be finding additional servers up to the last minute of the patch
Re: (Score:2)
I think the problem is a net of systems. Think of it as a problem in concurrent programming. If you don't know the state of the system, you can't really fix it. Often systems known to be infected need to be recovered from backup. This system sounds as if they didn't *have* any reliable backups.
You are right that it's a matter of culture/priorities, which is why I said things like "you need strong management support". But for anything to work you need to START from a known state.
Re: (Score:2)
Getting to a known state for a moment in time is exactly useless.
Even the 'good end state' isn't having every system patched instantly.
If a system is in a truly unknown state, it needs to be rebuilt from the ground up anyhow. You don't know what's in there.
Re: (Score:1)
No, it sounds like Mandiant went, "You're insecure" and Equifax went, "No shit. Now tell us how to resolve that insecurity at reasonable expense. Stop sending us shitty consultants that know how to read the output of a Qualys scan."
Equifax should have been more secure, but isn't that what Mandiant were there to actually help with?
Re: (Score:2)
It depends on the scope of the engagement...
Were Mandiant hired to just perform a vulnerability scan? Or a more detailed assessment? How limited was their scope?
Without knowing exactly what Mandiant were hired to do, it's impossible to determine if they were incompetent or not.
All of which misses the MAIN POINT (Score:1)
Who the hell gave these freaks the right to have the personal info on millions of Americans???
Did YOU say that they could have YOUR personal info?
Did your parents? Did your kids? Did your neighbors or co-workers?
Who gave them the gun and let them load it and then get drunk and start shooting?
Re: (Score:2)
Um, no.
We didn't give Equifax our info. We gave our info to banks, lenders, stores. They in turn gave our info to Equifax.
It may seem like a minor point, but there it is -- We the People usually don't give the credit bureaus our info directly.... unless it's in the guise of "free credit reports!!!OMG!ZOMG!" in which case then we did.
Re:All of which misses the MAIN POINT (Score:5, Insightful)
And when you give that info up to your bank, you give your consent to them sharing it with the equifaxes of the world.
This is a very weak argument. Consent without a viable alternative isn't really consent at all.
Re: (Score:2)
It isn't viable to function as a normal member of any Western society I know about without access to basic financial facilities like a bank account. In fact, it's caused so many problems for those unlucky enough to fall through the gaps here in the UK that the government had to step in and promote the provision of basic bank accounts that might not have any sort of credit facilities but at least provided enough basic services for someone to do things like receiving pay from an employer or settling household
CEO covered up breach for 6 months (Score:2)
WTF? The CEO was trying to cover up the breach; instead of being a real leader and shutting down Equifax until it was fixed, he let hackers just slowly take the data over 6 months.
Government is at fault. (Score:2, Funny)
The government regulations that stifle the industry and make it hard to do business are the real cause here. As usual, all government is bad government. We need to deregulate the industry so that the free market can fix this problem once and for all. Guaranteed.
Leadership is top down and bottom up (Score:5, Informative)
There are two issues here. The CEO didn't insist on security, so either he's naive or misinformed. Either is bad.
The CTO didn't insist or wasn't given budget for appropriate security measures. Either is bad.
The CEO wasn't managing the CTO in regards to requirements, and the CTO wasn't managing up the requirements.
When you look at BoA where security is king; they'd rather have a production outage, break something and then scream at the vendor to fix it, than lose customer data. A customer facing production outage costs them a lot less than the loss of customer data, where they're concerned the whole company could go to the wall.
This is a management fuck up, of the highest order. This was business risk 101 and they failed to identify it, quantify it and mitigate it.
Mandiant may not have sent their A team, but from the sounds of things their C team would have been enough to start to deal with their issues. Unpatched systems, c'mon are we still in high school?
Re:Leadership is top down and bottom up (Score:5, Insightful)
They probably did quantify the risk. In terms of its effect on their revenue, of course, since that's what's at risk for them. And that risk is close to zero, since consumers can't block reporting of their data to Equifax and there are only 2 competitors Equifax has to worry about and the majority of them already use all 3 bureaus. So why expend money mitigating something that poses negligible risk to your business? It poses no risk to the executives either; their future income doesn't depend on Equifax continuing in business. At worst they'll collect a hefty severance package and spend a few weeks relaxing until they get picked up at another company. This is what I refer to as the difference between a businessman and an MBA: the businessman's livelihood is at stake, whereas the MBA is just a glorified W-2 employee.
Risk to consumers? Equifax doesn't do business with consumers, why would anything that happens to those consumers bother it? At most Equifax will spend a few years arguing with regulators and maybe some fines will be levied, but odds on the cost of the fines will be less than the cost of good security. More likely they'll be able to claim they were following all the recommended practices (shoddy as those are) and it's Apache's fault for having left the bug in the version of Struts in question, which (especially given the current administration) will be enough for them to skate even though everybody reasonable knows it's BS.
Re: (Score:2)
And that risk is close to zero, since consumers can't block reporting of their data to Equifax and there are only 2 competitors Equifax has to worry about and the majority of them already use all 3 bureaus.
As a general point of interest, that situation might change next year for consumers within the EU, when new and very heavy-handed data protection regulations come into force. Those regulations have been very transparently aimed at big data hoarders like Google and Facebook, but I can't immediately see why they wouldn't hit the likes of Equifax and the other credit reference agencies just as hard. Since there were reportedly a large (though not as large) number of EU citizens affected by the leaks here as we
Marquee Security Company (Score:1)
Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...
No, that is exactly the level of competence I expect from a 'marquee security company,' especially several years after they've been bought out by a large corp.
You'd expect about the same level of quality that you'd get from a development team at Oracle.
You are not Equifax's Customer (Score:3)
Equixpertise (Score:5, Insightful)
Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company.
So I guess they weren't as well-qualified as the music major [marketwatch.com] you hired as your chief security officer?
So? (Score:2)
Still no reason to let Equifax continue to exist.
Re: (Score:2)
That isn't even what they said. What they said was "When the hack turned out to be unexpectedly valuable, they turned it over to a more skilled group", and that *this* indicated it was a nation-state.
To me that sounds like they found something valuable and sold it to someone else...who might have been a nation-state. Why not, they have deeper pockets than most.
It always comes down to money (Score:2)
Security done correctly is expensive and management hates that. They also hate things they do not understand, so when somebody tells them they need to spend money on something expensive that they don't understand, they resist. They hire people that understand security to take care of it, but they rarely give them the real resources and backing they need to do things properly.
Compliance standards help some but the trend I've been seeing is that compliance is merely a checkbox for management and th
No, it didn't (Score:2)
So Equifax is doubly guilty (Score:2)
Not only did they know about the breach long before they told anybody, they knew about the likelihood of a breach at a time when they might have drastically curtailed the damage of the one that was already in progress. All while they were arguing the equivalent of how many angels can dance on the head of a pin. Such is corporate hubris.
Why don't these companies encrypt the data? (Score:1)