As deposed Equifax CEO Richard Smith made the rounds at Capitol Hill this week for rehearsed, ritual, rhetorical floggings before several congressional committees, it sounded like the world of data security really might be about to change.
There were calls for major reform – for sanctions to include major financial penalties. Congressman Joe Barton (R-TX) suggested that a credit bureau giant like Equifax – even one worth $13b, “might pay a little more attention if you had to pay everybody whose account got hacked a couple thousand bucks or something.”
Especially if “everybody whose account got hacked” is 145.5 million people.
Populist firebrand Sen. Elizabeth Warren (D-Mass.) called for consumers, not credit bureaus, to have control of who sees their data, adding that in cases like this, “senior executives like you should be held personally accountable.”
There was outright mockery. “I don’t think we can pass a law that fixes stupid,” US Rep. Greg Walden (R-Ore.) told Smith.
It sounded like the wake-up call to end all wake-up calls. But don’t hold your breath. The outrage may be real, but in Congress, the heat of the moment tends to last about as long as conversations about a Saturday Night Live skit.
Chances are that a year from now, the world of data security will perhaps have been tweaked, but not fundamentally changed. Congress will be holding hearings on some other outrage. And 145.5 million people will definitely not have each received a $2,000 check from Equifax.
Even though you’d think this kind of event would be an obvious incentive for significant reform. As more than half the country knows directly, this was vastly more damaging than the compromise of credit cards. This was information that you can’t change. As one sardonic tweet put it after Equifax finally got around to making it public in early September 2017, everybody should change their name, date of birth, address, gender and Social Security number.
This failure – not just the breach but the response as well – by one of the “big-three” credit bureaus, was so catastrophic that it left commentators searching for printable expletives to describe it. “Ham-handed,” “unacceptable,” even “shocking” didn’t go nearly far enough. Star security blogger Brian Krebs called it a “dumpster fire.”
The list of outrages, reported by multiple media outlets, goes on and on. Among them:
- Equifax knew in early March 2017 about the flaw in Apache Struts (CVE-2017-5638), the web framework underpinning its consumer dispute portal, that allowed the breach. US-CERT and Apache notified Equifax about it, and a patch was available at the time. Naked Security’s Paul Ducklin wrote a tutorial on it then. Smith told Congress that an “internal email” requested the fix, but it wasn’t applied, in effect leaving the door unlocked for more than two months. This in a company with 225 people in its security department.
- It took the company another four and a half months, until 29 July 2017, to discover that it had been hacked; the attackers had been inside since mid-May 2017. According to Smith, it took weeks longer to realize that the personal information of consumers had been compromised. While he quickly hired cybersecurity experts through the law firm King & Spalding to look into it, he admitted he didn’t even ask whether personally identifiable information (PII) might have been compromised.
- It didn’t publicly disclose the breach until 7 September 2017, 40 days after it learned of it. During that time, in the first and second weeks of August 2017, Smith gave two public speeches in which he said, among other things, that “the days are bright for Equifax,” that fraud is “a huge opportunity for Equifax,” and that it was a “massive, growing business.” He told the committee he hadn’t known at the time how much or what data were compromised. Which could be because he didn’t ask for a briefing until 15 August 2017.
- Smith finally said what should be said up front, all the time, by all the credit bureaus: The company’s customers are not the consumers whose information it holds. Its customers are banks and other businesses that want our credit info. Consumers are the product.
- The data compromised was not encrypted. Equifax wasn’t encrypting data “at rest,” Smith said. Encryption at rest would not by itself have stopped an attacker who came in through the web application, since the application has to decrypt records to serve them, but it is a baseline control a data broker holding the credit files of most of the country is expected to have.
- Equifax (and the other credit bureaus) are pushing credit “locks” rather than freezes, saying the freezes are more cumbersome and costly, while the locks are simpler and free. But Consumers Union notes that the freezes are guaranteed by law, while the lock is just an agreement between the consumer and the company. Besides that, the freeze prevents Equifax from selling your credit file to banks and others, including ID thieves.
- Regarding senior executives who sold about $2m in stock during the first week after the company knew of the breach but a month before they announced it publicly, Smith said they didn’t know about the breach. He called them “honorable men of integrity,” apparently forgetting to add, “cosmically prescient.” Members of Congress said it “smelled really bad,” but there was no talk of subpoenas for those execs to put them under oath.
- As a final (maybe) note, Equifax announced on Monday 2 October 2017 that the number impacted by the breach was actually 2.5 million more than the 143 million it had earlier announced.
- And to pile on one more absurdity, at the end of September 2017 the IRS awarded Equifax a $7.25 million no-bid contract to provide identity-proofing and anti-fraud services. This after massive tax refund fraud in 2015 and 2016, enabled by the weak knowledge-based security questions Equifax supplied to the IRS. Sen. John Neely Kennedy (R-La.) quipped that “You realize to many Americans right now that it looks like we’re giving Lindsay Lohan the keys to the mini bar.”
Is all that enough to generate real, substantive change? History suggests it won’t be.
There should have been more than enough incentive for reform and accountability after the 2014-15 breach of the federal Office of Personnel Management (OPM), in which 22 million current and former federal employees had their PII vacuumed up.
A House Oversight Committee report released in September 2016, titled “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation,” declared that the breach was made possible “in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems.”
The government’s response? Federal employees got a letter from OPM offering free credit monitoring for a year and identity fraud insurance as “a courtesy,” but added that, “Nothing in this letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this letter or for any other purpose.”
Personal accountability of top executives? Then-OPM CIO Donna K. Seymour retired in February 2016, two days before she was scheduled to appear before Congress to talk about the breach.
The head of OPM during the intrusion, Katherine Archuleta, did resign under pressure from Congress in July 2015.
But both women rode off with no financial harm – their pensions and benefits intact. It likely won’t be all that different for Equifax.