Hacker News new | past | comments | ask | show | jobs | submit login
[dupe] Former Equifax CEO says breach boiled down to one person not doing their job (techcrunch.com)
41 points by orange_county on Oct 3, 2017 | hide | past | web | favorite | 34 comments

This is how it always goes down.

- F*ck your customers over by gross negligence and sheer greed (or stupidity, or both)

- Get caught with your pants down

- Dump your stocks and cash out

- Apologize when customers and media express outrage

- Go to Congressional hearing and repeat the magic words "I do not recall" for every question

- Find 1 low-level scapegoat employee

- Fire that employee and declare that the company is now 'clean'

- Avoid any jail time for wrong doing by paying a fine

- Collect your 'Golden Parachute' = MILLIONS and slide into a new CEO Job.

- Rinse and repeat.

White collar crime pays. Big time.

And almost no-one ever goes to Jail -- unless they have the bad-fortune of being prosecuted by A.G. Preet Bharara (record of 79-0 conviction obtained), which is also not relevant since Trump fired him soon after taking the White House Office.

Related: Here's Preet Bharara's Amazing 79-0 Insider Trading Conviction Score Card - http://www.businessinsider.com/bharara-insider-trading-convi...

You missed "Sell your stock"

As of 2016 you can now add to the list "suspected state actors." How could any private company be responsible for being able to stop this?

And, if it is bad enough that a CEO has to be let go... they pop that fancy, golden parachute on the way down...

- collect $90 million and skip the jail part.

lol. Yes. I added your point.

There's a mantra at my company that you can't assign blame for a problem to a particular person. If one person is capable of breaking your system, you have a bad system. The focus isn't on finding the one person or the one mistake that caused it, but fixing the process so one person or one mistake can't wreak that much havoc. I think it's a very good philosophy.

I remember the huge AWS outage that happened and was due to one engineering fat fingering a command. Instead of firing him they put in policies in place so that can't happen again.

Why would they fire him? He's the one person in the company who's never going to make that mistake again.

"we built a workflow that allowed one person to ruin the company."

that's one heckuva excuse, dude.

Bought a book mentioned in another thread about understanding system failures.

If the conclusion blames an individual then 100% of the time the real problem is with the system that gave them that much power.

What's the book? Would like to add to my reading list :)

And here I thought I could avoid grabbing it from my shelf...

"The Field Guide to Understanding 'Human Error'" by Sidney Dekker.

Has this mantra been stress-tested in the real world with a large scale data breach?

Edit: to add to his, what I mean to say is: it's great that (some) companies have this culture internally. It remains to be seen whether the mantra would survive a sufficiently large scandal. Maybe that's when the legal team comes in with the damage control plan as outlined in another comment by @justboxing.

I work for AWS. We haven't had a breach, but consider that S3 outage not too long ago, which was due to one engineer fat-fingering a command. Rather than blaming or disciplining that person, AWS changed the process so that people aren't manually typing in those commands.

Good to know.

And what about the person who’s job was to make sure that one guy did his job?

And the guy who was in charge of that person?

And the department who’s job was makin sure nothing was insecure?

And the guy managing them?

Yep. All one guys fault. Poor guy, ruining the American credit monitoring system for the rest of us.

Having just a single point of human failure standing in the way of leaking 145M people's data is already negligent. Trying to foist responsibility onto this poor individual (presumably some lower-rung employee) is shameful and just goes to show how ripe their corporate culture was for something like this to happen.

Nice of him to publicly testify to their gross incompetence , though. (And under oath too?)

Doubtless the various lawsuits will be coming back to this testimony for many years.

This is shamefully terrible leadership. If you're the CEO and a subordinate fucks up, it means you fucked up. At the end of the day the performance of the entire company is your responsibility.

It's not leadership at all.

Absolutely true.

That person is the former Equifax CEO.

Yes, him. Guess what, you are (were) the CEO and you are legally required to be responsible for what your public company does. Blaming anyone else is what terrible CEOs do.

IMO, the board of a public company is responsible for overseeing risk, audit and internal controls, and the CEO is the one person most responsible for ensuring the company acts in accordance with those directives on a day-to-day basis. That an error could be made by a worker is human, though an automated system could also suffer a fault. Audit would have caught a gap, risk management would have caught a vulnerability, and internal controls would have detected incomplete work were these practices properly designed and deployed. Good CEOs look at governance, process, oversight and don't fling muck at employees.

Apparently the data was stored in plain text. Sorry, but if not applying a patch to your Web framework is enough to make it that vulnerable, there are other problems in your infrastructure, your architecture and your process.

FTA "The notion that just one person didn’t do their job and led to the biggest breach in history is quite an amazing claim and shows a fundamental lack of good security practices."

"Amazing" is a word I would use, but not the first one. Or even one of the first few.

If one person not doing their job leaves the entire credit card holding populous of the US vulnerable to this kind of data leak.... then there was a lot more then one person not doing their job.

Well, that person, that person's boss, and so on up to the CEO. The one who is paid such a large salary to ultimately be responsible for the entire company.

People (generally) do the best job they can within the constraints they operate under. If someone isn't, say, patching things in a timely way, the most likely explanation is not that the person is lazy or stupid, but that the system is broken.

And if you run a company with a lazy, stupid person being on the critical path for your most important systems? Your systems are broken, because that person shouldn't be there.

The CEO is right that it boils down to being one person's fault. He should know since he sees him every day in the mirror.


"Former Equifax CEO says 'There is only one infosec person in our company'"

Blame the IT peon. Yeah, right. Every single time.

And, ultimately, that person is the CEO himself.

And who built the company that let that slide? Who came up with the practices that led to such a failure? Et cetera.

Someone needs to read http://web.mit.edu/2.75/resources/random/How%20Complex%20Sys... and also probably just stop talking

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact