Unless you’re living under a rock somewhere, you know that Equifax just reported a breach that resulted in the loss of 143 million customer records. Yahoo may still hold the record for the largest breach in history, but Equifax now holds the record for the stupidest.
In the Cybersecurity world, Equifax is the new poster child for carelessness, ignorance, advanced stupefaction and greed. It may also have set the standard for criminal negligence in Cybersecurity.
Starting with a self-declared and widely known to be insecure website technology that was supposed to be protecting the personal and sensitive information of half of America and culminating with a cynical offer of a “trusted” $20/month credit monitoring service for which you would have to sign away your rights to participate in a class action suit, Equifax has set a brand new bar for astounding cluelessness.
Running a transactional website on a stock version of WordPress, perhaps the least secure open-source CMS on the planet is hideous enough, but they could at least have registered their own domain name to themselves, and/or conducted the simplest and most common investigation beforehand to discover that Open DNS was blocking access to the site and warning that it was a suspected phishing threat.
But not these guys.
In fact, the U.S. CIO who ought to be in prison right now, was one of the three insensate senior executives at the company who sold $1.8 million in Equifax stock within hours of discovering the breach. Apparently losing a colossal amount of private customer information wasn’t enough. These clowns rushed to their brokers and quickly offloaded a couple of million bucks in stock which Equifax subsequently explained was only a small percentage of their shares and had no relationship to the breach because … wait for it … they “had no knowledge that an intrusion had occurred at the time they sold their shares.”
I may be a little slow, but I would think that if my company which ranks among the largest credit reporting agencies in the country just allowed the worst breach of consumer information in history, the Chief Financial Officer and the top IT guy would know about it. Especially if they are being compensated so handsomely that 2 million dollars represents “only a small fraction of their holdings”, you could reasonably expect that they would know something like this just happened. I mean c’mon man. There’s plausible deniability and then there’s bullshit.
The simple and obvious technology mishaps are inexcusable and should be punishable by actual jail time. And in case you’re wondering what the consequences might be for the CIO and CFO who both reaped an immediate cash “reward” while 143 million consumers have to rush around, change their credit cards, passwords, sign up for identity theft and credit monitoring services and still will be unable to rest comfortably knowing that their identities remain at risk? As of today, none.
As of today, there is no personal liability that accrues to any of these company officers for a Cybersecurity breach.
And it gets worse. Equifax waited 6 weeks to disclose the breach publicly which allowed the perps plenty of time to assimilate all of that data into their destinations and use it while the victims went about their normal day-to-day unaware that their PII had been compromised. Notification delays like this are inexcusable and should be criminal.
But incredibly, there’s more.
Not only does the company have the cojones to offer you a new website that will let you check to see if your information was compromised, they want you to enter your last name and the last six digits of your Social Security number to do so. In addition to this slap in the face, they are inviting you to sign up for their “TrustedID Premier” credit monitoring service, which if you can prove you were a victim will be at no charge for the first year.
Aside from the obvious inadequacy due to the ability of hackers to exploit stolen personal data for many years, it also gives the company a lucrative database of possible customers to be sold continuing subscriptions for the service after the year is expired — at $19.95 a month! In fact, enrollment in the service requires you to provide them with a credit card number, which they will use to automatically bill you after the free trial is over.
No. I am not making this up.
Assuming of course that you have any credit cards or credit left after the breach and that you are as stupid as the Equifax guys think you are, the final indignity is found in the terms of service which state that enrollees, by signing up, waive their right to sue Equifax and waive all other legal rights including participation in a class action suit against the company.
(This just in: they later clumsily rescinded this waiver, but the point is that their arrogance and disregard enabled them to try it in the first place.)
The Consumer Financial Protection Bureau has finalized a new regulation that would have stopped Equifax from using this sort of anti-consumer arbitration clause, but Congress, backed by the nation’s largest lobbying group, managed to spend some of its August vacation time trying to roll back those protections and allow companies like Equifax to violate the law with impunity.
It should be no surprise to Mitch McConnell and Paul Ryan that their approval ratings are lower than even Antifa’s.
It is clear that companies like Equifax are unwilling and/or unable to provide themselves with appropriate levels of cyber-threat defense. We know this. We talk to hundreds of them every month. New York State finally bit the bullet and instituted a set of fairly rigid regulations this past March that force anyone doing business in the State of New York to comply or be fined and suffer escalating consequences for non-compliance. I am certain that most every other state will follow New York’s lead and implement similar regs.
Criminal negligence is defined as an indifference or disregard for the safety of people and conduct that “grossly deviates” from normal, reasonable standards; a ‘misfeasance or ‘nonfeasance’ where the fault lies in the failure to foresee and so allow otherwise avoidable dangers to manifest. Equifax has now defined the legal application in the realm of Cybersecurity.
If there were harsh federal penalties, not just for companies, but for the officers of those companies for the kind of sloppiness, negligence and stupidity that was demonstrated by Equifax, all companies would move swiftly to get their Cybersecurity isht together and start doing the right things. These things include technology, process, education, training, policy, governance, standards and guidance. Not rocket science but simply the stuff you need to run any competitive business enterprise today.
This time it should be different. This time, instead of talking about taking action, our illustrious lawmakers will likely climb furiously to the very front of the bandwagon and start writing legislation that will get pushed through the House and Senate in time for the mid-term elections.
If not, 143 million pissed-off Americans ought to vote them all out of office.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management