[BreachExchange] Lawmaker to former Equifax CEO: 'I don't think we can pass a law that fixes stupid'

Destry Winant destry at riskbasedsecurity.com
Wed Oct 4 22:39:07 EDT 2017


https://www.csoonline.com/article/3230450/security/lawmaker-to-former-equifax-ceo-i-dont-think-we-can-pass-a-law-that-fixes-stupid.html

On Monday, Equifax admitted that an additional 2.5 million Americans
may have been affected by the breach it reported in September. On
Tuesday, Equifax’s former CEO Richard Smith testified about that
breach, which resulted in 145.5 million Americans having their
personal information accessed or stolen.

Smith may be “sorry,” but that simply doesn’t cut it — especially in
light of some of the tidbits that came from Smith’s testimony at
Tuesday’s Congressional hearing.

For starters, the timeline for when Smith knew about the hack is
bizarre. At that time, he was CEO of Equifax, but he claimed he wasn’t
told about the “suspicious activity” — which was first discovered on
July 29 — until July 31. On Aug. 2, he hired cybersecurity experts to
investigate. Smith couldn’t be bothered to even check in on the
investigation for nearly two weeks. He finally asked for a briefing
about the suspicious activity on Aug. 15, but he didn’t receive it
until Aug. 17. Smith claimed it didn’t cross his mind to ask if
personally identifiable information (PII) was affected.

That is beyond belief, considering Equifax stored Americans’ sensitive
information in plaintext. In fact, the company holding all our
information — even though we never asked it to — can only be bothered
to encrypt “some” data.

The timeline of discovery means the sale of $1.8 million in stock by
three people in the company on Aug. 1 and 2 fell within the period in
which they could have known about the hack. Yet Smith claimed they are
“men of integrity” whom he has known for a dozen years.

“I have no indication that they had any knowledge of the breach when
they made this sale,” he said.

The big fat finger of blame for the hack was eventually pointed at
human error, all boiling down to one person who didn’t do their job.
Apache went public about the vulnerability in the Apache Struts web
framework and made the patch available on March 6. According to
Smith’s written testimony (pdf), US-CERT notified Equifax on March 8
that Apache Struts needed patching; the vulnerable version was running
in Equifax’s online dispute portal. Equifax’s own security policy
required such a vulnerability to be patched within 48 hours.

Despite 225 people working in the security department, the flaw did
not get patched. Smith blamed it on “human error”: the person
responsible for communicating that the hole needed patching did not do
so.

Out of 225 security professionals, someone surely reads the news and
knew about the Apache Struts issue! Maybe someone did, because on
March 15 Equifax’s security department ran scans that should have
identified the vulnerable software but did not. It is unknown why the
scanning technology failed to do its job — maybe it was channeling the
lax security mindset of its masters?

“It’s like the guards at Fort Knox forgot to lock the doors and failed
to notice the thieves were emptying the vaults,” U.S. Rep. Greg Walden
(R-Ore.), the committee’s chairman, told Smith. “How does this happen
when so much is at stake?” Walden asked before adding:

"I don’t think we can pass a law that fixes stupid."

IRS awarded $7.25 million fraud prevention contract to Equifax!

Speaking of stupid, the IRS handed over $7.25 million in taxpayer
money to Equifax for the purpose of verifying taxpayers’ identities.
The money was awarded for a fraud prevention contract posted to the
Federal Business Opportunities database on Sept. 30. The IRS did not
bother to take bids from multiple companies because the contract was a
“sole source order,” meaning the IRS regarded Equifax as the only
company capable of doing the job.

Equifax is “to verify taxpayer identity and to assist in ongoing
identity verification” for the IRS.

The IRS defended its decision, saying IRS data was not involved in the
Equifax breach even though the company already provides similar
services for the IRS under a previous contract. It is a “critical
service that cannot lapse,” the IRS said.

Senate Finance Chairman Orrin Hatch told Politico, “In the wake of one
of the most massive data breaches in a decade, it’s irresponsible for
the IRS to turn over millions in taxpayer dollars to a company that
has yet to offer a succinct answer on how at least 145 million
Americans had personally identifiable information exposed.”
