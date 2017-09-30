Squabble With Contractor Delayed Equifax's Response To Data Breach (bloomberg.com) 22
An anonymous reader quotes Bloomberg's report on the contractor Equifax first hired to investigate their breach: Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network... Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...
That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer... By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems.
"They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group -- known as an entry crew -- handed off to a more sophisticated team of hackers," reports Bloomberg, suggesting that the attack may have been sponsored by a nation-state.
There is no excuse, especially how Equifax has also mishandled just about everything after the breach was made public. Make it a $1,000 fine per person per day for not notifying them within seven days of discovering the breach. The only exception is if law enforcement requests that the breach not be disclosed to protect the integrity of an investigation.
The way the headline reads as published makes it sound as if the contractor is to blame -- which is obviously horseshit.
When in doubt, blame the IT guy. He doesn't have a PR firm to lie for him to the media.
Agreed. The sad point of this.. is Equifax didn't have their own blue team.. or even an electronic forensics team on-station. Like normal they were riding the wave of ignorance until a shark took a big bite out of their board. Their first action was to blame the first third-party blue-team that they hired.
Mandiant - that name rings a bell. I can't be arsed to google it, but IIRC this isn't their first clusterfuck,
Regardless of whatever they may have believed, they were warned and ignored the warnings. Sure seems like gross negligence or possibly even criminal negligence. If the system weren't corrupted, I would expect indictments. It's too bad our government doesn't function properly.
"Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company."
whoa whoa whoa, So a foreign power now has access to the credit records of the entire country? We need to stop dicking around and bring in the NSA.
This is in their mandate.
WTF? CEO was trying to cover-up the breach, instead of being a real leader and shutting down equifax until it was fixed, he let hackers just slowly take the data over 6 months. .