
Former Equifax CEO says breach boiled down to one person not doing their job - orange_county
https://techcrunch.com/2017/10/03/former-equifax-ceo-says-breach-boiled-down-to-one-person-not-doing-their-job/
======
justboxing
This is how it always goes down.

\- F*ck your customers over by gross negligence and sheer greed (or stupidity,
or both)

\- Get caught with your pants down

\- Dump your stocks and cash out

\- Apologize when customers and media express outrage

\- Go to Congressional hearing and repeat the magic words "I do not recall"
for every question

\- Find 1 low-level scapegoat employee

\- Fire that employee and declare that the company is now 'clean'

\- Avoid any jail time for wrong doing by paying a fine

\- Collect your 'Golden Parachute' = MILLIONS and slide into a new CEO Job.

\- Rinse and repeat.

White collar crime pays. Big time.

And almost no-one ever goes to Jail -- unless they have the bad-fortune of
being prosecuted by A.G. Preet Bharara (record of 79-0 conviction obtained),
which is also not relevant since Trump fired him soon after taking the White
House Office.

Related: Here's Preet Bharara's Amazing 79-0 Insider Trading Conviction Score
Card - [http://www.businessinsider.com/bharara-insider-trading-
convi...](http://www.businessinsider.com/bharara-insider-trading-
convictions-2014-2)

~~~
vermontdevil
\- collect $90 million and skip the jail part.

~~~
justboxing
lol. Yes. I added your point.

------
openasocket
There's a mantra at my company that you can't assign blame for a problem to a
particular person. If one person is capable of breaking your system, you have
a bad system. The focus isn't on finding the one person or the one mistake
that caused it, but fixing the process so one person or one mistake can't
wreak that much havoc. I think it's a very good philosophy.

~~~
dalore
I remember the huge AWS outage that happened and was due to one engineering
fat fingering a command. Instead of firing him they put in policies in place
so that can't happen again.

~~~
danudey
Why would they fire him? He's the one person in the company who's never going
to make that mistake again.

------
MBCook
Good to know.

And what about the person who’s job was to make sure that one guy did his job?

And the guy who was in charge of that person?

And the department who’s job was makin sure nothing was insecure?

And the guy managing them?

Yep. All one guys fault. Poor guy, ruining the American credit monitoring
system for the rest of us.

------
caconym_
Having just a single point of human failure standing in the way of leaking
145M people's data is already negligent. Trying to foist responsibility onto
this poor individual (presumably some lower-rung employee) is shameful and
just goes to show how ripe their corporate culture was for something like this
to happen.

~~~
zipwitch
Nice of him to publicly testify to their gross incompetence , though. (And
under oath too?)

Doubtless the various lawsuits will be coming back to this testimony for many
years.

------
Thriptic
This is shamefully terrible leadership. If you're the CEO and a subordinate
fucks up, it means you fucked up. At the end of the day the performance of the
entire company is your responsibility.

~~~
notacoward
It's not leadership at all.

------
patmcc
Absolutely true.

That person is the former Equifax CEO.

------
coldcode
Yes, him. Guess what, you are (were) the CEO and you are legally required to
be responsible for what your public company does. Blaming anyone else is what
terrible CEOs do.

------
galeforcewinds
IMO, the board of a public company is responsible for overseeing risk, audit
and internal controls, and the CEO is the one person most responsible for
ensuring the company acts in accordance with those directives on a day-to-day
basis. That an error could be made by a worker is human, though an automated
system could also suffer a fault. Audit would have caught a gap, risk
management would have caught a vulnerability, and internal controls would have
detected incomplete work were these practices properly designed and deployed.
Good CEOs look at governance, process, oversight and don't fling muck at
employees.

------
dudul
Apparently the data was stored in plain text. Sorry, but if not applying a
patch to your Web framework is enough to make it that vulnerable, there are
other problems in your infrastructure, your architecture and your process.

------
aaroninsf
FTA "The notion that just one person didn’t do their job and led to the
biggest breach in history is quite an amazing claim and shows a fundamental
lack of good security practices."

"Amazing" is a word I would use, but not the first one. Or even one of the
first few.

------
Volundr
If one person not doing their job leaves the entire credit card holding
populous of the US vulnerable to this kind of data leak.... then there was a
lot more then one person not doing their job.

------
s73ver_
Well, that person, that person's boss, and so on up to the CEO. The one who is
paid such a large salary to ultimately be responsible for the entire company.

------
rodgerd
People (generally) do the best job they can within the constraints they
operate under. If someone isn't, say, patching things in a timely way, the
most likely explanation is not that the person is lazy or stupid, but that the
system is broken.

And if you run a company with a lazy, stupid person being on the critical path
for your most important systems? Your systems are broken, because that person
shouldn't be there.

------
Pharylon
The CEO is right that it boils down to being one person's fault. He should
know since he sees him every day in the mirror.

------
pixel
FIFY:

"Former Equifax CEO says 'There is only one infosec person in our company'"

------
ww520
Blame the IT peon. Yeah, right. Every single time.

------
jacknews
And, ultimately, that person is the CEO himself.

------
whipoodle
And who built the company that let that slide? Who came up with the practices
that led to such a failure? Et cetera.

------
jepler
Someone needs to read
[http://web.mit.edu/2.75/resources/random/How%20Complex%20Sys...](http://web.mit.edu/2.75/resources/random/How%20Complex%20Systems%20Fail.pdf)
and also probably just stop talking

