Apparently the data was stored in plain text. Sorry, but if not applying a patch to your Web framework is enough to make it that vulnerable, there are other problems in your infrastructure, your architecture and your process.
- F*ck your customers over by gross negligence and sheer greed (or stupidity, or both)
- Get caught with your pants down
- Dump your stocks and cash out
- Apologize when customers and media express outrage
- Go to Congressional hearing and repeat the magic words "I do not recall" for every question
- Find 1 low-level scapegoat employee
- Fire that employee and declare that the company is now 'clean'
- Avoid any jail time for wrong doing by paying a fine
- Collect your 'Golden Parachute' = MILLIONS and slide into a new CEO Job.
- Rinse and repeat.
White collar crime pays. Big time.
And almost no-one ever goes to Jail -- unless they have the bad-fortune of being prosecuted by A.G. Preet Bharara (record of 79-0 conviction obtained), which is also not relevant since Trump fired him soon after taking the White House Office.
There's a mantra at my company that you can't assign blame for a problem to a particular person. If one person is capable of breaking your system, you have a bad system. The focus isn't on finding the one person or the one mistake that caused it, but fixing the process so one person or one mistake can't wreak that much havoc. I think it's a very good philosophy.
Has this mantra been stress-tested in the real world with a large scale data breach?
Edit: to add to his, what I mean to say is: it's great that (some) companies have this culture internally. It remains to be seen whether the mantra would survive a sufficiently large scandal. Maybe that's when the legal team comes in with the damage control plan as outlined in another comment by @justboxing.
I work for AWS. We haven't had a breach, but consider that S3 outage not too long ago, which was due to one engineer fat-fingering a command. Rather than blaming or disciplining that person, AWS changed the process so that people aren't manually typing in those commands.
I remember the huge AWS outage that happened and was due to one engineering fat fingering a command. Instead of firing him they put in policies in place so that can't happen again.
Well, that person, that person's boss, and so on up to the CEO. The one who is paid such a large salary to ultimately be responsible for the entire company.
Having just a single point of human failure standing in the way of leaking 145M people's data is already negligent. Trying to foist responsibility onto this poor individual (presumably some lower-rung employee) is shameful and just goes to show how ripe their corporate culture was for something like this to happen.
FTA "The notion that just one person didn’t do their job and led to the biggest breach in history is quite an amazing claim and shows a fundamental lack of good security practices."
"Amazing" is a word I would use, but not the first one. Or even one of the first few.
This is shamefully terrible leadership. If you're the CEO and a subordinate fucks up, it means you fucked up. At the end of the day the performance of the entire company is your responsibility.
Yes, him. Guess what, you are (were) the CEO and you are legally required to be responsible for what your public company does. Blaming anyone else is what terrible CEOs do.
People (generally) do the best job they can within the constraints they operate under. If someone isn't, say, patching things in a timely way, the most likely explanation is not that the person is lazy or stupid, but that the system is broken.
And if you run a company with a lazy, stupid person being on the critical path for your most important systems? Your systems are broken, because that person shouldn't be there.
IMO, the board of a public company is responsible for overseeing risk, audit and internal controls, and the CEO is the one person most responsible for ensuring the company acts in accordance with those directives on a day-to-day basis. That an error could be made by a worker is human, though an automated system could also suffer a fault. Audit would have caught a gap, risk management would have caught a vulnerability, and internal controls would have detected incomplete work were these practices properly designed and deployed. Good CEOs look at governance, process, oversight and don't fling muck at employees.
If one person not doing their job leaves the entire credit card holding populous of the US vulnerable to this kind of data leak.... then there was a lot more then one person not doing their job.
38 comments
[ 4.6 ms ] story [ 76.3 ms ] threadAnd what about the person who’s job was to make sure that one guy did his job?
And the guy who was in charge of that person?
And the department who’s job was makin sure nothing was insecure?
And the guy managing them?
Yep. All one guys fault. Poor guy, ruining the American credit monitoring system for the rest of us.
- F*ck your customers over by gross negligence and sheer greed (or stupidity, or both)
- Get caught with your pants down
- Dump your stocks and cash out
- Apologize when customers and media express outrage
- Go to Congressional hearing and repeat the magic words "I do not recall" for every question
- Find 1 low-level scapegoat employee
- Fire that employee and declare that the company is now 'clean'
- Avoid any jail time for wrong doing by paying a fine
- Collect your 'Golden Parachute' = MILLIONS and slide into a new CEO Job.
- Rinse and repeat.
White collar crime pays. Big time.
And almost no-one ever goes to Jail -- unless they have the bad-fortune of being prosecuted by A.G. Preet Bharara (record of 79-0 conviction obtained), which is also not relevant since Trump fired him soon after taking the White House Office.
Related: Here's Preet Bharara's Amazing 79-0 Insider Trading Conviction Score Card - http://www.businessinsider.com/bharara-insider-trading-convi...
That person is the former Equifax CEO.
If the conclusion blames an individual then 100% of the time the real problem is with the system that gave them that much power.
"The Field Guide to Understanding 'Human Error'" by Sidney Dekker.
Edit: to add to his, what I mean to say is: it's great that (some) companies have this culture internally. It remains to be seen whether the mantra would survive a sufficiently large scandal. Maybe that's when the legal team comes in with the damage control plan as outlined in another comment by @justboxing.
that's one heckuva excuse, dude.
Doubtless the various lawsuits will be coming back to this testimony for many years.
"Amazing" is a word I would use, but not the first one. Or even one of the first few.
And if you run a company with a lazy, stupid person being on the critical path for your most important systems? Your systems are broken, because that person shouldn't be there.
Not having or addressing any of the women on your IT staff sounds like a systemic issue as well.
"Former Equifax CEO says 'There is only one infosec person in our company'"