Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

In Equifax Data Breach, Three Hard Lessons in Risk

Bil Harmer | Sept. 29, 2017
How much security risk can an organisation accept before it’s on very thin ice?


Risk over Governance

In addition to a failure of risk management, we also have a failure of process (not to mention ethics). Consider that three executives sold Equifax stock after the breach was detected, but before it was made public. Either the executives in question (including the CFO) knew about the breach and sold their stock believing it would eventually tank, or they really didn’t know about it. If they didn’t know about such a serious breach, then the breach escalation process within the company was broken. That is a failure of leadership. If there was a breach escalation process and it wasn’t followed, it’s still a failure of leadership. If there was a breach escalation process, and it was followed, then the sale of stock based on insider knowledge is just plain criminal.

What type of organizational culture would permit the idea of not escalating a breach of customers’ sensitive personal and financial information on to senior management? But the questionable behavior continued; Equifax continued to denigrate their brand and customer trust by appearing amateurish in their attempts to remedy the hack.  In what looked to security experts like an after hack phishing attempt, the company recommended customers visit another domain to check if they had been exposed (presumably because they didn’t want traffic going to their domain). Further, the site didn’t provide consistent information to consumers before it offered Equifax’s own service to monitor credit. It seems that there were several failures of judgement and governance both leading to and following the breach, enough that the Department of Justice has already opened a criminal probe into the incident.


Risky motives

While financial profit from the sale of sensitive data is a simple primary motive, what it if is not? We do not yet know who launched the attack. There’s been speculation that this was a nation-state attack – if that’s true, then I believe it could be part of a larger attack on the United States.  I’ve believe that the only way anyone will go to war with the United States is by covertly attacking the principles that make up the country. 

Last year it was an attack on the electoral system – perhaps not directly through manipulating vote counts, but through propaganda and undermining confidence in free and fair elections. This year, there’s been an attack on the American credit system. At the moment, all of the major credit bureaus are fielding so many requests for credit “freezes” that they can’t handle the volume. A flood of credit freeze requests is equal to an attack on the credit system, since this country runs on credit. With credit freezes in place, impulse purchases may slow down, thereby slowing economic growth.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.