
Equifax’s History of Hacks and Music Majors September 19, 2017

Posted by Chris Mark in Data Breach, Uncategorized.

Let me get this out there first. People are making a lot of noise about Equifax’s (now former) CISO (Susan Mauldin) being a Music Major in college. So what? Information Security really has only been a ‘profession’ since about 1998 or so. I know MANY CSOs and CISOs that do not have technical degrees. While I am currently working on a Doctorate in CyberSecurity, my undergrad was political science and I have an MBA. I think I am a fairly capable security professional. I think Equifax threw Ms. Mauldin under the bus by trying to scrub her information from the Internet. Given her prior employment (First Data, SunTrust, etc.) I cannot imagine she would have been given such a role without the requisite experience or knowledge. Until we know more...harping on her college major is simply fishing and projecting blame in the wrong area. What we do know is that Equifax has a history of being breached and has apparently done little to stem the flow of information being stolen.

Next…in keeping with Equifax’s proclivity for telling half truths while selling their own stock, it looks like there was a breach the March prior to the one in July (announced in September 2017).  That particular hack included employee tax records.  No doubt those execs who dumped their stock were also unaware of that breach (cough, cough).

Interestingly, Equifax provided a cryptic statement that reads: “The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event.” Using my powers of reading comprehension, it appears that they are saying that the July 29th “hacking” did not affect the SAME “customer databases” (plural) that were hacked in March. So are we to assume that in both cases customer data was compromised? According to Brian Krebs, well-known security expert and researcher, the answer appears to be ‘yes’.

Adding to the fun, according to Forbes: “In one case, it had to change its ways following a class action lawsuit over an alleged lapse in security. That suit related to a May 2016 incident in which Equifax’s W-2 Express website had suffered an attack that resulted in the leak of 430,000 names, addresses, social security numbers and other personal information of retail firm Kroger. Lawyers for the class action plaintiffs argued Equifax had ‘wilfully ignored known weaknesses in its data security, including prior hacks into its information systems.’”

I am sure we will continue to learn more about this breach and others.  Stay tuned!

Equifax – Protecting themselves while exposing your data and Identity! September 11, 2017

Posted by Chris Mark in Uncategorized.

As an update to my last Equifax post, a number of stories have circulated regarding Equifax’s Terms of Use, in which they attempt to prevent lawsuits related to their own incompetence that resulted in the exposure of nearly 150 million consumer records. As stated in their Terms of Use:

“YOU MUST ACCEPT THIS AGREEMENT, INCLUDING ITS “ARBITRATION” SECTION BELOW, BEFORE YOU WILL BE PERMITTED TO REGISTER FOR, USE OR PURCHASE ANY PRODUCT. BY REGISTERING ON THIS WEBSITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF, AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.”

So here is what the noble and caring Equifax has done to the public. First, they had a data breach in 2015. Then their CEO offers the obligatory public apology where he emphasizes the ‘importance of protecting data’, etc. etc. Then Equifax magnanimously offers consumers free credit monitoring…in the Equifax TrustedID Premier service. It should be noted that IF you do enroll in the Equifax TrustedID Premier you are agreeing to the Terms of Use listed above…in short, should your information be exposed and used to, say, steal your identity, you cannot sue them nor can you engage in a class action lawsuit. You are (according to the Terms of Use) bound by Equifax’s arbitration clause. For those who are fans of the Oscar Winning film Dodgeball, I quote: “That’s a bold strategy Cotton. Let’s see if it pays off!”

To add fuel to the proverbial fire, Equifax did not disclose the data breach for a full month while 3 executives sold millions of dollars of company stock within days of identifying the breach! Now..to be fair, Equifax stated (ahem, cough, cough) “…the executives ‘had no knowledge that an intrusion had occurred at the time they sold their shares.’” Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder completed stock sales on Aug. 1 and 2. So let me get this straight…the Information Solutions President and CFO did not know there was a breach? To quote the incomparable George Strait: “I’ve got some oceanfront property in Arizona. From the front porch you can see the sea. If you’ll buy that I’ll throw the Golden Gate in free!”

 

 

 
