
Seriously, Equifax? This Is a Breach No One Should Get Away With - SREinSF
https://www.nytimes.com/2017/09/08/technology/seriously-equifax-why-the-credit-agencys-breach-means-regulation-is-needed.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news
======
atmosx
"If a bank lost everyone’s money, regulators might try to shut down the bank."

Oh really? I thought it depends on how big the bank is. Agencies giving
triple-A to junk were punished so harshly...

~~~
Spooky23
2008/9 suggests that isn't the case!

Hell, HSBC was actively money laundering and they are still kicking.

~~~
dogma1138
HSBC isn't a monolithic organization; it was fined and people did go to
prison, probably not as many as should have, but still.

------
efoto
I think at this point the smart move to make is to devalue the stolen data:
assume social security numbers are public information.

~~~
efoto
An afterthought: and make Equifax pay for it.

------
qw
I think this incident is a very good argument for why NSA and the agencies in
other countries should focus on publishing known exploits. This was probably
not one that was known, but it shows what could happen if criminals get
access.

~~~
nextweek2
I don't understand that logic? The NSA's mission is not to find exploits, it's
just a means to an end. If they released the problems they find, there is
literally no business case to justify the NSA spending money on finding
exploits to then have them closed.

Arguments like that would make more sense to suggest that a new agency is
set up to find and fix faults in software. You're keeping the agency's mission
focused.

Problem with an agency like that is that in effect it's government support for
software companies. Microsoft, Google, Apple could cut back on security
processes because they know the taxpayer is picking up the tab.

Government shouldn't be in the market; they should hold the market to account
for bad actors. We should make having security breaches a painful cost. The
market would adjust to meet the macroeconomic environment.

~~~
qw
According to Wikipedia, NSA is also tasked with the protection of U.S.
communications networks and information systems. By not disclosing the
exploits they find, they put the information systems at risk. If they can find
it, someone else can too.

------
williamscales
I mean, Equifax is quite literally in the business of making sure people don't
get away with things. It would be unfair to their mission for them to continue
as a going concern.

------
djhworld
I wonder if Equifax will face any international action, for example here in
the UK we have Data Protection laws that can be used to fine companies for
such breaches, although it's not entirely clear if British customer data has
been affected.

Still, Equifax are probably quick to tell everyone if you've missed one
payment on your credit card, but took a few months to say they've been hacked?
Doesn't seem fair.

~~~
jlgaddis
> _...although it's not entirely clear if British customer data has been
> affected._

It has [0]:

"... Equifax also identified unauthorized access to limited personal
information for certain UK and Canadian residents ... no evidence that
personal information of consumers in any other country has been impacted."

[0]:
[https://www.equifaxsecurity2017.com](https://www.equifaxsecurity2017.com)

------
devillius
This is kinda how I feel.
[https://equifaxbreach2017.com/](https://equifaxbreach2017.com/)

FYI. That is not the real site.

------
sillysaurus3
I think it's important to take a step back, take a breath, and look at this
rationally.

Look at what actually happened. Equifax was using the Spring framework. This
is a very safe, popular choice. They were using what everybody else uses.

There was a critical vuln in the framework, and they failed to update their
box for N months. But we're talking only a few months. N is very small --
maybe four? And yeah, you can argue that four months is an absurdly long time
to have a known critical vuln in production. But I guarantee you that
_everybody reading this_ is similarly vulnerable. Whatever company you work
for, if you do not have regular pentests, you are no better off. And even if
you do, it's overwhelmingly likely that you've overlooked some lonely outdated
server that's still running on your network because Bob set it up a year ago
and forgot about it and oh look now you have a pivot into your whole network.

It seems very strange to choose this _one_ company and crucify them just
because they lost your data. Everybody is insecure everywhere always, and
we've learned to tolerate this by pretending it's not true or that it doesn't
exist or that it's not a big deal. But you know what? It is true. That truth
will continue to manifest itself in the years to come. No matter how much
you'd like it not to be true, your stuff will still get stolen. Usually you
just don't hear about it.

Yes, it was stupid for them to have everybody's PII attached to that one
webserver. A single point of failure should never result in compromising the
whole system. But think about how that architecture would work in practice. A
customer service rep still needs to get at most of your data. It's a credit
bureau. Where would the data be stored in a way that a remote code exec
wouldn't be able to snag it?

Equifax's crime boils down to "they failed to run the equivalent of
sudo apt-get update on their framework." When you're managing a fleet of
hundreds or thousands of machines, this is a situation that almost all of us
have wound up in. If _we_ can't get it right, why do you want the execs' heads
to roll? Are you sure you won't be next on the chopping block?

Think about it this way: the time between "someone discovered a vuln in
Spring" and "the attackers stole 150M credit reports" was just a few months.
Are you sure Equifax wasn't a victim here? Someone threw a cinderblock through
their window and made off with their trove of data.

Food for thought.

~~~
raugustinus
They were using what everybody else uses. But not everybody else has financial
data on so many people behind this framework. If you're dealing with this kind
of data there are some additional requirements. I've worked at a few banks and
they all provide a lot of extra security on top of those frameworks. So no,
they're not just victims in this.

I read that top management sold a lot of stock prior to the news coming out
about the breach. I hope they get sued for prior knowledge or whatever that is
called.

