Equifax’s History of Hacks and Music Majors
September 19, 2017
Posted by Chris Mark in Data Breach, Uncategorized. Tags: credit freeze, data breach, Equifax, hack, krebs, PCI DSS, susan mauldin, W-2
Let me get this out there first. People are making a lot of noise about Equifax’s (now former) CISO (Susan Mauldin) being a Music Major in college. So what? Information Security really has only been a ‘profession’ since about 1998 or so. I know MANY CSOs and CISOs that do not have technical degrees. While I am currently working on a Doctorate in CyberSecurity, my undergrad was political science and I have an MBA. I think I am a fairly capable security professional. I think Equifax threw Ms. Mauldin under the bus by trying to scrub her information from the Internet. Given her prior employment (First Data, SunTrust, etc.) I cannot imagine she would have been given such a role without the requisite experience or knowledge. Until we know more... harping on her college major is simply fishing and projecting blame in the wrong area. What we do know is that Equifax has a history of being breached and has apparently done little to stem the flow of information being stolen.
Next…in keeping with Equifax’s proclivity for telling half truths while selling their own stock, it looks like there was a breach the March prior to the one in July (announced in September 2017). That particular hack included employee tax records. No doubt those execs who dumped their stock were also unaware of that breach (cough, cough).
Interestingly, Equifax provided a cryptic statement that reads: “The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event.” Using my powers of reading comprehension, it appears that they are saying that the July 29th “hacking” did not affect the SAME “customer databases” (plural) that were hacked in March. So are we to assume that in both cases customer data was compromised? According to Brian Krebs, well-known security expert and researcher, the answer appears to be ‘yes’.
Adding to the fun, according to Forbes: “In one case, it had to change its ways following a class action lawsuit over an alleged lapse in security. That suit related to a May 2016 incident in which Equifax’s W-2 Express website had suffered an attack that resulted in the leak of 430,000 names, addresses, social security numbers and other personal information of retail firm Kroger. Lawyers for the class action plaintiffs argued Equifax had ‘wilfully ignored known weaknesses in its data security, including prior hacks into its information systems.’”
I am sure we will continue to learn more about this breach and others. Stay tuned!