Former Equifax CEO Blames a Single Employee Not Working on Breach

monkeymagick

According to the former CEO of Equifax, Richard Smith, his company has 225 employees. During a live stream to a federal subcommittee, Mr. Smith says that due to "human error," the individual solely to blame failed to notify the organization of the patch required to fix its security hole. The vulnerability left sensitive info of 143 million Americans out in the wild.

Smith stepped down as CEO last week, shortly after the company's chief security officer and chief information officer also exited the company. New York has also issued a subpoena in regards to the massive breach and the city of San Francisco has opened up a lawsuit against Equifax on behalf of the 15 million Californians affected by the hack.
 
Ultimately it comes down to a person failing to do a job, damn you Bob. I believe he also said the QC process to check that patches were pushed failed to detect the outdated version. So it goes a bit beyond one person and not having a robust process to ensure patches were deployed.
 
Yep, there is a single person that didn't do his job, but it isn't unnamed intern #23. It's you, Mr Smith. It was your job to make sure all the other stuff happens on time, is verified to happen and is double checked to make sure it happened. Odd that you didn't try to blame your music major CSO. Or any of the IT Directors and staff who didn't notice the outside world accessing your data for months, including your top notch staff of 225 cyber security folks. What kind of internal security monitoring stuff did you sign off on for that $250 million dollars you claim to have spent on security? Whatever it was, it didn't do a very good job, did it? Sounds like a detailed audit might be in order to see just what was purchased with that money. And that was a very effective Incident Response Plan you approved. Worked real well on handling, reporting and containing the breach. About as well as your $250 million in security spending.
 
If an employee fails to patch a system on the day the patch is released, it's solely that employee's fault.
If an employee fails to patch a system on the week the patch is released, it's the manager's fault.
If an employee fails to patch a system on the month the patch is released and nobody cared because the CSO was obviously not qualified for the job, that's kind of directly the CEO's fault.
 
The thing is, consumers have already proven they don't care about breaches. They did it with their wallets. Sure Equifax will have a short downturn in stock value, just give it six months to a year and they'll be close to where they were.

Don't believe me? Look at Target, Home Depot, etc.

So while yes, the CEO is to blame for the failings of his company, until we start punishing people in the criminal justice system for this stuff, it's going to continue. Because to do nothing, pay a small fine, and still get a golden parachute is easier than doing the right thing.
 
nice glory hole pic lol. As a former security analyst:
a. "please our servers haven't been patched in six years, we are a hospital!!!"
b. "please our servers have malware can we please remove the viruses?"
c. "please please I see suspicious foreign activity on the network monitor can we block the ips?"
d. "please please can we reboot the machines to patch?"

answer was always NO. What proof do you have that we need to do this stuff?
Then when some other hospital gets hacked "we should probably spend $3 mil on an anti-DDoS system to prevent hackers from entering our system"

seriously wtf, you jump to that conclusion but still refuse to do items a-d for free. My guess is this guy is in the same boat.
 
It sounds like a Management failure to have left such a thing in the hands of a single person.

Let me introduce you to j's principle. It takes two people to really fuck something up. Rarely can a person fuck things up on their own.

The nature of most jobs results in an exchange of something. Whether that's code, or a new design, or outputted data. The people you interact with have awareness something is wrong. When that is not the case, a validation or other system to scrutinize your work should be in place. Companies that don't do this, don't last.

In this case whoever was responsible for scrutiny as well as the original coder were at fault. If there was no such system, management who failed to put that in place is also at fault.
 
And he walks away with $18 million in pension benefits. That's criminal.

It might not be "right" but I am not sure any laws were broken, which is what it would take for it to be criminal. Unless you know of a particular statute that was violated?
 
It's good that senior management step up and take responsibility.
 
So the CEO would be never guilty for anything because all problems will always come down to some person not doing his job? :)

That is a nice position

Guilty for stuff that is not his job? No, why should they? However he still was as he lost his job.

These other people are in place to do their job, they didn't, but somehow the CEO who doesn't work at that level is supposed to know about an issue they didn't tell anyone about and fix it? Ok....

This is like people blaming Obama or Trump for some super small action of government when they had no actual word in the event.
 
Guilty for stuff that is not his job? No, why should they? However he still was as he lost his job.

These other people are in place to do their job, they didn't, but somehow the CEO who doesn't work at that level is supposed to know about an issue they didn't tell anyone about and fix it? Ok....

This is like people blaming Obama or Trump for some super small action of government when they had no actual word in the event.

And yet the Captain is ultimately responsible for the ship regardless of if they knew or not. When you take a position of authority you know this. If someone fails under you, you fail. If they succeed so do you.

He doesn't work at that level but he is responsible anyway. He can affect the work at that level in numerous ways. For example: ensuring the people he does work with are qualified and implementing policies/procedures that he agrees with and wants the company to support. They then drive the next level down and so on in this corporate direction.

You can do everything right and still fail as a leader if you don't have the right people under you. And it will still be your fault for not realizing that and fixing it. That's your job as a leader.
 
If it was due to one employee, their security processes need some work. There should be some kind of reporting that shows compliance. You should know that something is not patched. As a CSO, I'd be getting monthly reports showing what's not patched, and if it's not - why? Old OS, broken OS, manual install/bad reporting, etc. I wouldn't be the one doing the patching (if it came down to it, I would) and that would be that employee's responsibility, but I'd have oversight into what's going on. I'd KNOW about the lack of a patch on that machine. I'd be pressing to have it fixed. It'd be 100% my fault as CSO if this were to happen. The employee may have failed, but I would know about it and have way more resources to get it fixed.
 
With all of the high profile hacks in recent years you would think that the CEO would be a little more paranoid about getting breached since, you know, it's an actual CREDIT company. Security should be a priority for all CEOs....should be a bullet point for every single staff meeting they have to make sure they are relevant and up-to-date.
 
Your ship, you're still at the helm, you are still responsible. One of the sucky things about being a manager is you have to take responsibility if your employees don't perform their duties and you fail to follow up on it.
 
This is nothing but blame shifting.

First, you don't rely on just your "QA" team doing Qualys scans or whatever to verify a patch is installed. You actually check version numbers, install logs, etc, as well. So their reporting system is either broken, or non-existent.
Second, the day the Struts vulnerability was released, there were tools available to specifically check to see if Apache was vulnerable. Super easy to use tools. Would have taken somebody 10 seconds after "patching" to verify that the system is no longer vulnerable.
Third, I know of no security expert that didn't deem Struts as critical. Reboots would have been pushed up for non-critical systems, and critical systems have scheduled maintenance windows where at least one reboot will occur. Even some of the critical system reboots would have been pushed up, depending if they were external facing or not.
Fourth, I don't care how automated a system is, Equifax isn't small enough to have a patching "guy" rather than a patching team. There's going to be at least 2-4 people responsible for patching for anything the size of Equifax.
Fifth, since when is management not responsible for what their employees do? An employee going rogue is one thing. This is something else entirely.
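The two checks this post and the earlier CSO post describe, a compliance report that does not trust a single scanner result, as an added Python example that is not from the thread: it compares each host's version against a minimum fixed version per release branch, flags hosts where the scanner and the install log disagree, and marks hosts still unpatched past the 48-hour window discussed later in the thread. The host names, versions, dates and the fixed-version table are constructed placeholders, not real advisory numbers.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical minimum fixed version per release branch. These are
# constructed placeholder numbers, not the real advisory's version numbers.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 99), (2, 5): (2, 5, 99)}

# Constructed inventory of hypothetical hosts: the version the vulnerability
# scanner reported next to the version the host's own install log shows.
INVENTORY = [
    {"host": "web-01", "external": True, "scanner": "2.3.99", "install_log": "2.3.99"},
    {"host": "web-02", "external": True, "scanner": "2.3.99", "install_log": "2.3.31"},
    {"host": "app-07", "external": False, "scanner": "2.5.98", "install_log": "2.5.98"},
    {"host": "app-09", "external": False, "scanner": None, "install_log": "2.1.8"},
]
PATCH_ORDERED = datetime(2017, 3, 8, 9, 0, tzinfo=timezone.utc)  # constructed
PATCH_SLA = timedelta(hours=48)  # the 48-hour window discussed in the thread
AS_OF = datetime(2017, 3, 12, 9, 0, tzinfo=timezone.utc)  # constructed report time


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare numerically; strings do not
    ('2.3.9' > '2.3.32' as strings), which is a classic patch-report bug."""
    return tuple(int(part) for part in text.split("."))


def version_status(text):
    """Classify one version string as patched, vulnerable, unsupported or unknown."""
    if text is None:
        return "unknown"  # the scanner never reached the host
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unsupported"  # a branch with no fix at all is still exposed
    return "patched" if version >= fixed else "vulnerable"


def assess_host(record, now):
    """Merge scanner and install-log evidence; a green scan alone is not proof."""
    scanner = version_status(record["scanner"])
    on_disk = version_status(record["install_log"])
    if scanner == on_disk == "patched":
        status = "patched"
    elif "patched" in (scanner, on_disk):
        status = "verify"  # the two sources disagree: check the host by hand
    else:
        status = "unpatched"
    overdue = status != "patched" and now - PATCH_ORDERED > PATCH_SLA
    return {"host": record["host"], "status": status, "overdue": overdue,
            "external": record["external"]}


def compliance_report(inventory=INVENTORY, now=AS_OF):
    """Findings sorted so unpatched, external, overdue hosts lead the report."""
    findings = [assess_host(r, now) for r in inventory]
    findings.sort(key=lambda f: (f["status"] == "patched",
                                 not f["external"], not f["overdue"]))
    return findings


if __name__ == "__main__":
    for f in compliance_report():
        print(f"{f['host']:8} {f['status']:10} overdue={f['overdue']} "
              f"external={f['external']}")
```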
 
And yet the Captain is ultimately responsible for the ship regardless of if they knew or not. When you take a position of authority you know this. If someone fails under you, you fail. If they succeed so do you.

He doesn't work at that level but he is responsible anyway. He can affect the work at that level in numerous ways. For example: ensuring the people he does work with are qualified and implementing policies/procedures that he agrees with and wants the company to support. They then drive the next level down and so on in this corporate direction.

You can do everything right and still fail as a leader if you don't have the right people under you. And it will still be your fault for not realizing that and fixing it. That's your job as a leader.

That is responsibility of managers and departments, not the CEO. CEO's job is direction of the company, not hiring individuals or reviewing their technical work. His direction and policies were what created the security department that didn't even exist when he took the CEO position. The team and QA/QC was there and they failed, however it did come down to one person not pushing the update, it then failed to be caught by QA/QC, but the root cause was the individual not performing his job, as the patch was talked about in a meeting and was given 48 hours to be pushed, which never was. Yes, all the other checks also failed, but you have to look for root cause first and work your way through fixing the process. The process however that was in place was enough and should have worked, but it came down to people not doing their job, had they done it, it would have been patched, and if it was not patched QA/QC should have caught it.

Now, had the CEO put in a policy that stopped them from being able to do their job or push the patch, the CEO would be to blame, or had he not provided the resources for the department to do its job, he would be at fault, but that is not the case. Yet he still lost his job over it. What you are suggesting is the CEO be involved and have the final say in EVERYTHING that happens in the company, and that is just not realistic.
 
With all of the high profile hacks in recent years you would think that the CEO would be a little more paranoid about getting breached since, you know, it's an actual CREDIT company. Security should be a priority for all CEOs....should be a bullet point for every single staff meeting they have to make sure they are relevant and up-to-date.

Why should they care? There is no punishment for lack of security. Heck, even after the breach they have just been given a $7+ million contract by the IRS so they can let even more of our information get stolen. Until CEOs are held personally responsible there will be no change.
 
I hope that Mr. Appointed Scapegoat gets a nice retirement package before he gets thrown under the bus. One guy indeed.
 
Their Security department is 225 people, which is even more ridiculous that this happened.
That gives people a lot of targets to point their fingers at and say, "It wasn't my fault."
 
Doesn't this also circle back to the security manager that was a music major? :-D
 
This is a true story:

Back in the early 90s, when the Navy was just starting to switch to mixed crews from male-only ones, a certain ship, the USS Gompers, had to return to its home port after only a few weeks on deployment. The reason? Because a large percentage of the female crewmembers had gotten pregnant and the ship no longer had sufficient crewmembers to deploy. The result (well, one of them anyway)? The Captain was removed from command. Why? Because the Captain is responsible for his ship. Period. It doesn't matter if he (presumably) had nothing to do with knocking up all of those crewmembers. It happened, and he ended up removed from command, which probably destroyed his chance for advancement in the Navy.
 
One of the last places I worked, they had several Win7 desktops that had never been patched. I mean, Windows Update had not EVER been run on them even.
 
If it was due to one employee, their security processes need some work. There should be some kind of reporting that shows compliance. You should know that something is not patched. As a CSO, I'd be getting monthly reports showing what's not patched, and if it's not - why? Old OS, broken OS, manual install/bad reporting, etc. I wouldn't be the one doing the patching (if it came down to it, I would) and that would be that employee's responsibility, but I'd have oversight into what's going on. I'd KNOW about the lack of a patch on that machine. I'd be pressing to have it fixed. It'd be 100% my fault as CSO if this were to happen. The employee may have failed, but I would know about it and have way more resources to get it fixed.

At this level of information they possess and control, they should be running their security reports at worst weekly. If they only run them monthly, that's already a problem of its own. Clearly this breach and lack of action is utter incompetence at many levels in the company. Given the massive fallout these execs should be getting a prison sentence.
 
That is responsibility of managers and departments, not the CEO. CEO's job is direction of the company, not hiring individuals or reviewing their technical work. His direction and policies were what created the security department that didn't even exist when he took the CEO position. The team and QA/QC was there and they failed, however it did come down to one person not pushing the update, it then failed to be caught by QA/QC, but the root cause was the individual not performing his job, as the patch was talked about in a meeting and was given 48 hours to be pushed, which never was. Yes, all the other checks also failed, but you have to look for root cause first and work your way through fixing the process. The process however that was in place was enough and should have worked, but it came down to people not doing their job, had they done it, it would have been patched, and if it was not patched QA/QC should have caught it.

Now, had the CEO put in a policy that stopped them from being able to do their job or push the patch, the CEO would be to blame, or had he not provided the resources for the department to do its job, he would be at fault, but that is not the case. Yet he still lost his job over it. What you are suggesting is the CEO be involved and have the final say in EVERYTHING that happens in the company, and that is just not realistic.

Ignorance of something is not an excuse. It was his responsibility to ensure the company was operating in a manner/direction he approved of. Including policies put in place prior to his job. Like I said - ultimately every official action that the company takes (both internally and externally) is the responsibility of the CEO. S/he is the captain of that figurative ship.

Do you think it would be appropriate for that CEO to say "Hey I didn't know employee X was doing that...haul that employee before Congress"?
 
The processes they have failed them. The CEO likely hired the CSO. To me, the CSO is the person that should be the main person to blame. She should make sure policies are in place and being enforced. You could easily argue the CEO should have appointed someone more qualified (based on what we've seen, I don't see why she was in the position she was...certainly not experience from her LinkedIn profile.) The higher ups never want to take the blame.
 
As one that works in security, patch management is one of the toughest jobs out there. When you're a company that has so many inputs and outputs, keeping track of systems that are vulnerable is tough. I don't envy the guys in the trenches that spend their entire day patching systems, especially Linux based systems. I certainly believe that there was a significant management/culture issue. I think that every year it's something different. Last year it was all about third-party and fourth-party management; since that was the 'weakest link', money was being poured into vendor management security, where it made it difficult to maintain their own internal security.
 
There are industry standards, best practices that should be followed. They clearly weren't. Two hundred and twenty five employees and no one is responsible? I am certain I could trace the chain of responsibility back.
 
well,
And he walks away with $18 million in pension benefits. That's criminal.
when he took over in 2005 the stock price was low to mid $30s and even with the hit it took after the breach it is still 3.5 times that amount. Like it or not, under his tenure the company was profitable and most senior leaders get rewarded for performance.

He isn't getting severance or the bonus for 2017 which makes sense.
 
Ignorance of something is not an excuse. It was his responsibility to ensure the company was operating in a manner/direction he approved of. Including policies put in place prior to his job. Like I said - ultimately every official action that the company takes (both internally and externally) is the responsibility of the CEO. S/he is the captain of that figurative ship.

Do you think it would be appropriate for that CEO to say "Hey I didn't know employee X was doing that...haul that employee before Congress"?

Yes, they are responsible for the direction of the company, not the choices of a person or department to not follow through with actions that were discussed. You do understand the department was part of his creation; before, there was none at all. That department had a meeting to talk about the patch, where the team who did the patches were told they had 48 hours to push the patch; that team did not perform its job, QA/QC then failed to notice this and let the right people know so further action could take place. What you are suggesting is that the CEO perform and check up on each person in every job and sign off on all work, which is ridiculous for anyone who has any idea what a CEO does and is not even possible in all but the smallest companies.

At no time did the CEO put in a policy that stopped them from doing the job they were told to do. He also steered the "ship" in the right direction, you sound like someone who has never been in an upper management position and hate on CEOs.....Because. It does not matter what the CEO did or direction he tried to push the company, there is never anything he could do as all actions even those of people not doing their job is their fault, full stop. That stance is just irrational.
 
Yes, they are responsible for the direction of the company, not the choices of a person or department to not follow through with actions that were discussed. You do understand the department was part of his creation; before, there was none at all. That department had a meeting to talk about the patch, where the team who did the patches were told they had 48 hours to push the patch; that team did not perform its job, QA/QC then failed to notice this and let the right people know so further action could take place. What you are suggesting is that the CEO perform and check up on each person in every job and sign off on all work, which is ridiculous for anyone who has any idea what a CEO does and is not even possible in all but the smallest companies.

At no time did the CEO put in a policy that stopped them from doing the job they were told to do. He also steered the "ship" in the right direction, you sound like someone who has never been in an upper management position and hate on CEOs.....Because. It does not matter what the CEO did or direction he tried to push the company, there is never anything he could do as all actions even those of people not doing their job is their fault, full stop. That stance is just irrational.

I think you're partially right... Yes he can't check everything but it's his responsibility to appoint a person under him that will do so (i.e. managers).
Also, didn't they wait before going public with this? Management was aware of the breach but decided not to release the information until they deemed appropriate... which doesn't sound right to me.

Ultimately, no he can't know everything but yes he's responsible... Also I can't help but think they probably went through cost reduction measures (like it's the new trend...) and cut workforce and/or stopped upgrades/trainings...
Sorry but too many times low level employees are told "NO, it costs money" that I can't do anything else than think this comes from that...
 
There is definitely going to be a Star Trek Red Shirt in Equifax's I.T. Department. Maybe several...
 
I think you're partially right... Yes he can't check everything but it's his responsibility to appoint a person under him that will do so (i.e. managers).
Also, didn't they wait before going public with this? Management was aware of the breach but decided not to release the information until they deemed appropriate... which doesn't sound right to me.

Ultimately, no he can't know everything but yes he's responsible... Also I can't help but think they probably went through cost reduction measures (like it's the new trend...) and cut workforce and/or stopped upgrades/trainings...
Sorry but too many times low level employees are told "NO, it costs money" that I can't do anything else than think this comes from that...

He did, however even the managers didn't know it never happened, as the person in a position to let them know said nothing. Now, these managers are of a technical nature and should be checking on this for something critical, but they did not until too late. Nowhere has it been shown these people did not have the resources to make this happen; to say otherwise is pure speculation. Everything shown has been that they had everything needed AND were told to do it, but failed to follow through. That is in no way the fault of the CEO. As for releasing the information, that is not really up to the CEO, but to the board and legal time limits for releasing this sort of information.
 
Wow so take the golden parachute and just blame Ted in programming. Jeeze.
Between this, yahoo, gov breach and me losing my license I might as well put all my info on facebook and make it public
 
It might not be "right" but I am not sure any laws were broken, which is what it would take for it to be criminal. Unless you know of a particular statute that was violated?
Seems to me that there should be some sort of "insider trading" clause in cases like this where said company will be sued out of existence.

Dude did a smart thing in resigning, now he can sell his stock and it's at least worth something, and his pension is paid off before all the lawyers manage to put up their lawsuits against them and freeze the company's earnings.
 