Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure. The 96-page report (PDF) from the House's Committee of Oversight and Government Reform found that the 2017 network breach could have easily been prevented had …

  1. Pascal Monett Silver badge

    "Such a breach was entirely preventable"

    So, tell me that Richard Smith is going to be dragged before the judge and sentenced for gross negligence and endangering the private data of almost 150 million people?

    Oh, of course not. He drove the system into overdrive, but retired when the shit hit the fan, so instead of going to jail, he's getting millions of dollars.

    Ah, isn't capitalism wonderful?

    1. Version 1.0 Silver badge

      Re: "Such a breach was entirely preventable"

      Sounds like they might be looking for another PFY to fire - but the PHB's all get bonuses and golden handshakes.

    2. Anonymous Coward
      Anonymous Coward

      Re: "Such a breach was entirely preventable"

      But socialism would prevent such a thing???

      Perhaps “Ah isn’t democracy crazy” would at least make some sense.

      I can’t see how the economic model can be linked to someone getting away with murder. That literally has happened throughout history.

      1. FrozenShamrock

        Re: "Such a breach was entirely preventable"

        No, the original poster was correct, it is capitalism that is to blame. Pure, unfettered capitalism pursues maximum profits at the expense of everything else. It has no obligation to society or its own employees. That is why government regulation and oversight is necessary: to keep capitalism in check, from letting it go to its natural predatory conclusion. Equifax management increased profits, and their own wealth, and disregarded everything else. That is the essence of capitalism on full display. Western civilization keeps going through cycles where it allows wild west capitalism to rape, pillage, and plunder, followed by a period where it clamps down too tight and chokes off innovation. The middle, people, can't we get to the middle and stay there?

        1. Anonymous Coward
          Anonymous Coward

          Re: "Such a breach was entirely preventable"

          No go read the comment. And also read about capitalism. Regulation is a part of a capitalistic model, it is politics that interferes with it. If anything it is a weak democratic process in America with lobbyists that is the problem, not the economic model. You are ignoring the theme of the post that somehow it is capitalism that allowed him to retire with millions of dollars without consequence.

          Soviet Russia did just as badly.

      2. John Brown (no body) Silver badge

        Re: "Such a breach was entirely preventable"

        But socialism would prevent such a thing???

        ---------

        If you think socialism is the only alternative to the rampant and raw capitalism as practiced in the US, then you need to get out more and see, or at least read about, the rest of the world.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Such a breach was entirely preventable"

          Again confusing economic models with corruption, politics and fair democracies.

          America is I think among the worst here, where you can legally bribe and influence an election under the term lobbying.

          A pile of turd by any other name still stinks.

    3. ryokeken

      Re: "Such a breach was entirely preventable"

      Dunno, chances are he did screw a few of his richer peers and in high flying money matters I think only Bernie Madoff went to jail. Word on the streets is because he stole from the super rich =\

  2. Wellyboot Silver badge
    Holmes

    Simple Greed

    Senior management at its finest, ignoring anything that doesn't line their pockets.

  3. sanmigueelbeer
    Happy

    Equifax blamed its woes on an IT staffer who hadn't installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax's failings than this one scapegoat.

    I can smell a wrongful dismissal lawsuit in the making. That IT staffer is going to have a very, very big paycheck soon.

    Fire the torpedoes!

    1. Throatwarbler Mangrove Silver badge

      You're so cute, I just want to pinch your adorable little cheeks!

    2. a_yank_lurker

      @sanmigueelbeer - While the incompetent failures on the bench are probably too stupid to grasp that a massive screw up this big is partially caused by mid and senior mismanagement not making IT security a priority. Compound this with mistakes by the grunts and you can have a perfect storm brewing. While a wrongful dismissal should be slam-dunk I am not so confident that the shyster in robes cares about justice and is capable of understanding how this really occurred.

      1. sanmigueelbeer

        I am not so confident that the shyster in robes cares about justice and is capable of understanding how this really occurred.

        We're talking about a justice system where the (unofficial) national pastime is to sue someone. There are more lawyers than accountants out there. Even a half-cooked, half-stoned/drunk ilk can make his/her mark by just suing something this big.

        'Tis too easy to win. Imagine this: Staff wrongfully blamed for breaches. Independent report shows the breach was caused by a certificate issue which no one wants to take ownership to update. Blame-game is the topic of the day. Oh wait, I don't like your tie. You're "it"!

        Equitrax will do anything just to get this sorted quickly. Out-of-court-settlement is bound to happen.

    3. DropBear

      There's rather significant difference between wrongfully blaming an innocent for something he's not guilty of and wrongfully blaming an admittedly guilty party as the sole reason for the consequences that were not caused by his actions alone. Neither is fair, but I don't think the "scapegoat" was fired for "single-handedly leaking the whole database" but rather for "not applying an important patch in due time", which apparently he did (fail to) do. Unless he can prove holding back the patch was an instruction from higher-up, I don't see how he can sue simply for nobody else being blamed at the time.

      1. SImon Hobson Bronze badge

        Neither is fair, but I don't think the "scapegoat" was fired for ... but rather for "not applying an important patch in due time", which apparently he did (fail to) do.

        The question is, was he actually under instruction (whether from management or the systems) to do so? Reading the article, it sounds like they knew there were instances to patch, but missed some of them because they did a scan wrong when looking for all of them - the latter raising other issues about knowing what's running!

        If the instructions were to "patch this list of servers" and the one he didn't do wasn't on the list then he's not to blame. But even if he did miss one he was instructed to do, I'd think he's still got a good case for wrongful dismissal since it's clear that his error was only a tiny cog in the big system that allowed this breach.

    4. MJB7
      Pirate

      Re: Wrongful dismissal

      I don't know where the employee worked, but if it was in an "at will" state, then "wrongful dismissal" isn't a thing. (Unless they can show it was because of race/sex discrimination or similar.)

      If you turn up to work one day in a tie that your boss doesn't like they can fire you with absolutely no comeback.

  4. Destroy All Monsters Silver badge
    Pint

    After the pwning of its servers was revealed Equifax blamed its woes on an IT staffer who hadn't installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax's failings than this one scapegoat.

    Woah I didn't expect THAT! Surprising stuff for the 21st century.

    "And next week, Mueller will deliver more indictments" (Laugh track)

  5. DCFusor

    Too much power

    It's worse than you think. I recently retired (USA) and am on social security. For other reasons I had to get a paper verification of my status to a medical establishment in a tight time frame. So I log on to the government site, and try to start a "MYSSA" account, but the procedure fails. I then call the number, and after the usual multi-hour wait when calling the government, I got to a human who said that if I'm NOT in the equifax or experian databases, they cannot prove I exist! (I am in the OPM as I had a security clearance, or I should be, anyway - but two government entities here can't talk to each other apparently unless there's a political motive to incriminate someone).

    Yep, the government can't keep track of my existence - even as an EMPLOYEE(!) if I'm not in a "private" database! One that has data that's all too powerful - identity theft is the least of it - can't get a loan?

    Can't even get phone service with some providers, and here in the US you probably don't have a choice of that or ISP. Guess who your government really is - bankers and their services. Notice how they got bailed out with our money, how they get everything they want, and look at the horrible punishment they're getting here for a history-making breach. /sarcasm

    I'm sure you can connect those dots, they're real close together.

    Lucky I was grandfathered in long ago on those things. All you have to do to drop off the earth is not use credit in any form or fail to pay a bill in 7+ years, and bam, you're a ghost. Screw someone - don't pay a bill, have them "screw up your rating" and it turns out that a negative number is better than no number at all! Suddenly everyone wants to lend you money, the government can find you again (which may be good or not)....

    When I mentioned this to the government human and pointed out that they must know I exist and where I live as I get checks...they said "shhhhh, don't mess it up, if these dots get connected they'll stop".

    And you guys think your UK government is screwy. Hold our beer. No telling who wins that one.

    1. Amos1

      Re: Too much power

      "I got to a human who said that if I'm NOT in the equifax or experian databases, they cannot prove I exist! (I am in the OPM as I had a security clearance, or I should be, anyway -..."

      You could probably ask the Chinese government for an affidavit of your existence since they allegedly owned both Equifax and OPM.

    2. Stoneshop

      Re: Too much power

      And you guys think your UK government is screwy. Hold our beer.

      a) uk.gov appears to be a bit busy at the moment, trying to fsck up the already fscked-up dreckshit.

      b) beer?

  6. Anonymous Coward
    Facepalm

    Retrospective ass-covering ©

    "The report noted some of the previously-disclosed details of the hack, including the expired SSL certificate that had disabled its intrusion detection system for 19 months" ..

    Retrospective ass-covering, seeing as there was no one actually tasked with monitoring potential security bugs.

    "The report states that Equifax's IT team did scan for unpatched Apache Struts code on its network. But it only checked the root directory, not the subdirectory that was home to the unpatched software"

    This is total pseudo technical sounding BS, what kind of a security scan only checks the root directory. The reality is more likely that there was no such IT Team, and nobody was tasked with checking Apache Struts for bugs.

    "It was only when the certificate was renewed that Equifax saw the massive amounts of data being copied from its servers and realized something was very wrong."

    Enough already, it was only after Equifax customer records were spotted online that Equifax became aware of the hack. And Equifax was being monitored by a respectable security company that shall have to remain nameless.

    "Equifax blamed its woes on an IT staffer who hadn't installed the Apache patch, and fired the person."

    What was the name of this imaginary IT staffer person?
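The root-directory-only scan the report describes (quoted in the post above) is easy to reproduce: a listing of the top-level directory finds nothing, while a walk of the whole tree finds a stale copy of the library under an application's lib directory. The script below is an added illustration written for this page, not the scan Equifax's IT team ran; the directory layout, the version numbers and the `PATCHED_FLOOR` threshold are constructed placeholders, not values from the article or the Congressional report.

```python
"""Inventory check for Apache Struts libraries under a web-server tree.

Added illustration, not the scan Equifax's IT team actually ran: it contrasts
a top-level-only listing with a recursive walk, which is the distinction the
report draws. The directory layout, the version numbers and PATCHED_FLOOR are
constructed placeholders, not values taken from the article or the report.
"""
import os
import re
import tempfile
from pathlib import Path

# Matches struts-core-<ver>.jar and struts2-core-<ver>.jar and captures <ver>.
STRUTS_JAR = re.compile(r"^struts2?-core-(\d+(?:\.\d+)*)\.jar$")

# Placeholder: lowest version the organisation treats as patched (assumption).
PATCHED_FLOOR = (2, 5, 13)


def parse_version(text: str) -> tuple:
    """'2.3.31' -> (2, 3, 31), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_struts(root, recursive: bool = True) -> dict:
    """Map of path-relative-to-root -> version tuple for every Struts core jar.

    recursive=False reproduces the flawed scan (only files directly under root);
    recursive=True walks every subdirectory, which is what an inventory needs.
    """
    root = Path(root)
    if recursive:
        candidates = (Path(dirpath) / name
                      for dirpath, _dirs, names in os.walk(root)
                      for name in names)
    else:
        candidates = (p for p in root.iterdir() if p.is_file())
    found = {}
    for path in candidates:
        match = STRUTS_JAR.match(path.name)
        if match:
            found[path.relative_to(root).as_posix()] = parse_version(match.group(1))
    return found


def unpatched(found: dict) -> list:
    """Paths whose version is below PATCHED_FLOOR, sorted for stable reporting."""
    return sorted(rel for rel, ver in found.items() if ver < PATCHED_FLOOR)


def build_sample_tree() -> str:
    """Constructed layout: one current jar at the top level, one stale jar buried
    under an application's WEB-INF/lib, plus an unrelated jar the regex ignores."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("struts2-core-2.5.13.jar",
                "apps/acis/WEB-INF/lib/struts2-core-2.3.31.jar",
                "apps/acis/WEB-INF/lib/commons-io-2.6.jar"):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")  # content is irrelevant to a name-based inventory
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("top level only:", find_struts(sample, recursive=False))
    print("recursive:     ", find_struts(sample))
    print("unpatched:     ", unpatched(find_struts(sample)))
```

The non-recursive run reports a clean bill of health because the only jar it can see is the current one; the recursive run surfaces the stale copy under `apps/acis/WEB-INF/lib`. A real inventory would also match on jar manifests and bundled copies inside WAR files, since a filename check alone misses renamed or repackaged libraries.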

  7. M2

    Time machines obviously exist....

    "A 2015 audit found that ACIS, a Solaris environment that dated back to the 1970s,"

    Even some basic date checking on Wikipedia by an editor should have flagged up some changes were required in that 2015 review.... or maybe it was a sign of the review quality...

    And here's me thinking we were early adopters of Solaris 2.1 - seems someone was already using it 13 years before Sun even released SunOS.......

    1. Anonymous Coward
      Anonymous Coward

      Re: Time machines obviously exist....

      13 years before Sun even released SunOS

      Indeed, Sun wasn't even founded until the mid-80s.

    2. 's water music

      Re: Time machines obviously exist....

      "...dated back to the 1970s..." ...13 years before Sun even released SunOS...

      I wondered if they might have found elements that dated back to 00:00:00 Jan 1st 1970 or that time +SystemUpTime

    3. Michael Wojcik Silver badge

      Re: Time machines obviously exist....

      Yeah, that phrase in the article is clearly wrong. What the report actually says is that the Equifax ACIS application (Automated Consumer Interview System) was originally developed in the 1970s. Obviously it has changed since then, since at the time of the breach it was using Apache Struts.

      The report cites an interview with Graeme Payne, Equifax manager of the ACIS system, stating that when he joined the firm in 2014 they were still running ACIS on the original platform (more or less), but then goes on to say that it was running on Sun servers, so obviously he wasn't too clear on the history either.

      My guess is that the Struts-using, post-2014 incarnation of ACIS was at least the third platform for it.

  8. ThatOne Silver badge
    Facepalm

    > Such a breach was entirely preventable.

    Except it would have cost money to do so. Money not spent = profit.

    > tell people what information is being gathered, how it is stored, and who it is shared with

    Everything is gathered, it's stored anywhere, and more often than not shared with world & dog.

    > The credit biz has yet to identify what in the report is inaccurate.

    Obvious: It is inaccurate because it makes them look bad.

  9. John Smith 19 Gold badge
    Unhappy

    "Except it would have cost money to do so. Money not spent = profit."

    The root cause?

    1. Fred Flintstone Gold badge

      Re: "Except it would have cost money to do so. Money not spent = profit."

      The root cause?

      Absolutely.

      IMHO it ought to be the basis of any fine: make the fine many, many times more than the expense of doing it properly, of course retrospectively applied and aggregated. It's the only way I can see this becoming a concern for those taking the decision, as it hits them in their pocket.

      Further, make security audits mandatory as well as their publication for big organisations after, say, a 3 month period to fix the problems found, with an extra 3 month wait extension only available via a rigorous exception process to filter out the usual excuses.

  10. SimonC

    Can someone explain how an expired certificate causes problems? In our systems if a certificate expires the website goes down / APIs stop working / everything grinds to a halt.

    I see it like a combination lock that rusts up. Nobody is getting in, even the people that know the passcode.

    1. John Riddoch

      The cert was on the security monitoring software, so while service was running fine, it wasn't getting monitored. When they finally upgraded the cert, they had their "ohshit" moment.

      1. Anonymous Coward
        Anonymous Coward

        I need some help with Latin here

        I'm guessing we'll need "who monitors the monitors" in Latin now to make it sound impressive in reports, it's no longer about the watchers.

        Having a problem is one thing, that's life, but leaving it unaddressed for so long on such critical functionality ought to be tagged as criminal neglect.

        1. Anonymous Coward
          Windows

          Re: I need some help with Latin here

          "I'm guessing we'll need "who monitors the monitors" in Latin now to make it sound impressive in reports, it's no longer about the watchers."

          What you asked for is "quis custodiet ipsos custodes" what you will get in return from Equifax is "futue te ipsum et caballum tuum".

    2. ArrZarr Silver badge
      Windows

      If only one system relies upon the certificate, and that isn't something checked by another system to inform other systems (or even people) of the failure, then that system can grind to a halt without anything else caring.

      1. John Brown (no body) Silver badge

        then that system can grind to a halt without anything else caring.

        ---------------

        It does make one wonder who was responsible for checking the security monitoring system and why they never wondered about either the complete lack of reports, logs etc. or even why, if reports were being generated, nothing ever happened for 19 months.

        An org the size of Equifax should expect to be under constant attack from multiple sources.

        1. Anonymous Coward
          Anonymous Coward

          Surely an outfit that size must be audited regularly? How the heck did they miss this?

          Oh, no, they didn't. They had warnings for *years* but chose to ignore them instead.

          I think one could translate that as a criminal neglect of duty.
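The thread above describes the mechanism: the certificate sat on the traffic-inspecting monitoring software, so the monitored service kept running while the detection feed went quiet, and nothing checked that the monitor itself was still alive. The script below is an added illustration written for this page, not Equifax's tooling, showing the two controls that close that gap: an expiry check on the inspection certificate (using the `notAfter` string format that Python's `ssl.getpeercert()` returns, so it can be pointed at a live device) and a dead-man's switch on the monitor's own event stream. The certificate date, the event timestamps and the thresholds are constructed sample values.

```python
"""Liveness checks for a monitoring pipeline that depends on a TLS certificate.

Added illustration, not Equifax's tooling: it models the failure mode in the
thread above (an inspection certificate expires, the service it fronts keeps
running, and the intrusion detection feed goes quiet without anyone noticing)
and the two controls that would have caught it: a certificate expiry check and
a dead-man's switch on the monitor's own event stream. The certificate date,
the event timestamps and the thresholds are constructed sample values.
"""
import ssl
from datetime import datetime, timezone

DAY = 86400.0


def ts(year: int, month: int, day: int) -> float:
    """Epoch seconds for midnight UTC on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def cert_seconds_remaining(not_after: str, now: float) -> float:
    """Seconds until the certificate's notAfter; negative once it has expired.

    not_after uses the format ssl.getpeercert()['notAfter'] returns, so the
    same function works on a live certificate pulled from the inspection device.
    """
    return ssl.cert_time_to_seconds(not_after) - now


def monitor_silence(event_times, now: float) -> float:
    """Seconds since the monitor last produced an event (infinite if never)."""
    if not event_times:
        return float("inf")
    return now - max(event_times)


def monitoring_health(not_after: str, event_times, now: float,
                      warn_days: float = 30, max_silence: float = 6 * 3600) -> list:
    """Return a list of findings; an empty list means both controls pass."""
    findings = []
    remaining = cert_seconds_remaining(not_after, now)
    if remaining < 0:
        findings.append("inspection certificate expired %.0f days ago" % (-remaining / DAY))
    elif remaining < warn_days * DAY:
        findings.append("inspection certificate expires in %.0f days" % (remaining / DAY))
    silence = monitor_silence(event_times, now)
    if silence > max_silence:
        findings.append("monitor silent for %.1f days" % (silence / DAY))
    return findings


# Constructed scenario: the certificate lapsed at the end of January 2016 and the
# monitor's last event was written that day; the check runs in late July 2017.
SAMPLE_NOT_AFTER = "Jan 31 23:59:59 2016 GMT"
SAMPLE_EVENTS = [ts(2016, 1, d) for d in range(1, 32)]
SAMPLE_NOW = ts(2017, 7, 29)


def sample_findings() -> list:
    """Run both controls against the constructed scenario."""
    return monitoring_health(SAMPLE_NOT_AFTER, SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

The point of the second control is that it does not trust the monitor's own alerts: a feed that has produced nothing for longer than its normal quiet period is itself a finding, whatever the cause, which is exactly the signal that was missing for 19 months. The silence threshold has to be tuned to the feed; a network sensor at an organisation of Equifax's size should never be quiet for six hours, so in the scenario above both checks fire.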

  11. Anonymous Coward
    Anonymous Coward

    a stunning catalog of failure

    We would like to reassure our stakeholders once again that we remain totally committed to maintaining the highest standards of data security. As per our stellar, world-renowned, certification system.

  12. Anonymous Coward
    Anonymous Coward

    So, who scores Equifax now?

    As far as I can tell, Equifax's credit is now a negative value.

    1. Michael Wojcik Silver badge

      Re: So, who scores Equifax now?

      How so? Their stock price recovered quickly, and I don't see much reason to hope that either the corporation itself, or anyone else serving a major role in it, will see any serious consequences.

      The moral of Equihax is "it's cheaper to fail and be found out than to do it right in the first place". Perhaps GDPR and similar regulation will change that, but I'm not holding my breath.

  13. Oh Matron!

    "We are deeply disappointed that the Committee chose not to provide us with adequate time to...

    spin this into something positive..."

  14. Herring`

    The thing is

    it wasn't people who gave their personal data to Equifax - it was companies selling financial products. In a just world, there ought to be some liability on them too. They didn't take steps to ensure that they were handing over our data to someone who was taking the necessary steps to secure it.

    Yeah, I know there's no chance of this happening.

    1. Lyndon Hills 1

      Re: The thing is

      They didn't take steps to ensure that they were handing over our data to someone who was taking the necessary steps to secure it.

      I know this is an American story, but this sounds like something covered by the GDPR?

      1. Richard 12 Silver badge

        Re: The thing is

        Yes, it would have been, had it occurred after GDPR came into effect.

        As it stands, Equifax have dodged that bullet.

        Next time, they die.

  15. SVV

    If 148 million customer records can be nabbed

    and the blame shunted to some poor developer for not shoving a new version of a library onto a live production server or twenty, then things were clearly so wrong on so many levels that a lengthy essay could be written about all the failures at every level of the company.

    Categories including build and dependency management, release management, integration testing, certificate management, access control to live systems, and so much more would show neglect all over the shop. Neglecting all these things for a company with responsibility for so many people's crucial data is fundamentally negligent. Especially in the context of "aggressive expansion".

    And criticising obscene rewards for failure ain't socialism bud, capitalists are supposed to believe that failure comes at a price. For the company that failed, not some easy scapegoat. "The buck stops here" has been replaced with "The bucks stop here" for the bosses who rake in millions every year.

    1. Anonymous Coward
      Anonymous Coward

      Re: If 148 million customer records can be nabbed

      But the security team sent an e-mail to everyone! Two days too late to stop the breach... And apparently never followed up.

      And the person responsible didn't respond! Fire them!!!

      Meanwhile, the larger security screw up (i.e. no security monitoring for 19 months, no controls to ensure the monitoring was working as required and no testing to verify the monitoring, plus the testing they did do to verify server compliance was insufficient to detect non-compliance) appears to have resulted in no action. I'm assuming working in Equifax IT security primarily involves coating oneself in teflon.

  16. Cincinnataroo

    These guys should not even have much of the information. Effectively stopping that, deleting it thoroughly, preventing recurrence and prosecuting those involved in its acquisition might fix the world a bit.

  17. astounded1

    So Shut Up And Pay Us For Premium Dark Web Insurance

    Look, if we didn't surf our greed and disregard for your digits out there into this magnificent fuck up, we wouldn't have jumpstarted our hot, new dark web scanning business so you can watch how your stolen info we let get stolen is put to work.

    All for just 75 quid a month.

    Once you see your privates on the scary side of the web, you won't be surprised anymore when your bank balance suddenly goes to zero. We will have warned you.

    That's all we do here. We lose your shit, then we charge you to warn you. So fuck off.

  18. fredj

    From my distant memories when I used to work: I saw a lot of new computer and science technology coming in and easily understood it. I saw old technology managers deliberately plan to stop young, pain in the rear, types like me. I would be discredited, behind my back, at every opportunity such that I would never be promoted and as such senior managers would never get to hear of what I was doing. This tactic prevented middle managers losing their jobs or having to learn new things to keep up to date. Of course. It all collapsed soon enough but a fine company is now just a memory. Latterly I worked with a company who knew they had to have A1 security for many real, real security reasons. Their techies got on with it and did it well.

    (I have heard it said that I have a persecution complex!! It is difficult to disagree.)
