Bill Black: Massachusetts First to Sue Equifax Over Massive Hack

In this Real News Network interview, white collar criminologist Bill Black discusses the state of play with respect to legal investigations, both federal and state, into the Equifax data-breach fiasco.

SHARMINI PERIES: It’s the Real News Network. I’m Sharmini Peries coming to you from Baltimore. The Equifax data breach that we reported on two weeks ago with Bill Black, where the company revealed that hackers might have stolen financial records of 143 million US citizens. This is just the US. It gets far worse if you look at it worldwide. In July, things got, of course, much worse and we didn’t really know very much about what was going on and what Equifax knew and now, meanwhile, several government agencies such as the Consumer Financial Protection Agency, the Federal Trade Commission and at least 34 state attorneys general’s offices have all opened investigations into the Equifax data breach.

The first state to launch a lawsuit against Equifax is Massachusetts and on Tuesday, the Massachusetts attorney general charged Equifax with not having upgraded the security for its website, though it knew about its vulnerability as early as March. Now joining us to discuss all of this is Bill Black. We have him back. Bill is a white collar criminologist, associate professor of economics and law at the University of Missouri, Kansas City, and the author of the book, “The Best Way to Rob a Bank is to Own One”. So good to have you back here, Bill.

BILL BLACK: Thank you.

SHARMINI PERIES: So Bill, give us a rundown of what has happened when and how did all of this lead to the charges that have been laid against Equifax from Massachusetts.

BILL BLACK: Well there have been a large number of developments. We may not be able to cover them all, but the big ones are revealed perhaps best in the Massachusetts attorney general complaint that was just filed yesterday, at least as we’re talking, that explains the nature of how the breach occurred, and so it turns out that the vulnerability was in open source software used by Equifax, and this vulnerability was discovered in March of this year. When it was discovered, and it was discovered and reported to the volunteers that run this particular open source software called Apache Struts, they found both that it was very serious, that a significant number of breaches were occurring and they immediately notified the community of the vulnerability, and very quickly developed a patch for this.

So this is all by early to mid-March of this year. The warning went out. Equifax has admitted that it got the warning, knew about it, and did not apply the patch. Because they did not apply the patch and did not increase security in a way that would find people accessing through this known vulnerability, they still say that the hack began in May and persisted through basically the last days in July, and then they’re still saying that they then, they Equifax, then awaited another basically six weeks to warn us that this had occurred and this wasn’t for any tactical reason to protect us because they were doing something secret that was going to help us. No, it was so that they could in fact get their PR campaign and try to convert it into a profit center that we talked about in the last interview on this subject. The myriad ways in which they tried to make money off the victims.

SHARMINI PERIES: Right, and Bill, back then you called this scandal a 10 out of a 10 scandal. Now what do you call it?

BILL BLACK: Well that’s what I … I was actually quoting experts in the field and indeed there’s something called the common vulnerability scoring system that rates vulnerabilities and contemporaneously this was given the rating of 10.0. I’m reading from the Massachusetts complaint against Equifax: “The highest possible severity score on either scale.” The notice stated the attack based on the vulnerability, “allows unauthorized disclosure of information, would be low in complexity to accomplish,” in other words, almost anybody could use this to breach it, “and would not require the attacker to provide authentication, for example, a username and password to exploit the vulnerability,” and the notice documented over 20 other website resources so that you could fix the problem. Now another thing that has happened since last we talked-

SHARMINI PERIES: What is the reason? Why would Equifax not want to apply a patch and why would they not do it, because you would think they want to protect their data and their company?

BILL BLACK: Yeah. No, there’s no good business reason at all. Period, end of story, full stop. Since we last talked, two senior executives have had to walk the plank. One was the chief security officer and the other was the chief information officer, and these are the two obvious folks that, as we said, Equifax has admitted that it knew of the vulnerability. If you’re the chief information officer of Equifax or the security officer, you are online every day, multiple times a day, looking for these kinds of breaches, and if you see them, you instantly go to higher order defenses and you look desperately …

You’ve got, in this case, Apache Struts on the line saying, “Are you working on a patch? When will it be available? Do we have to do anything to be able to implement it immediately once it comes out?” Etc, etc, etc, that’s what you would do. Now it turns out the chief security officer, her degree is in music. These folks … I can’t even think of some incredibly nefarious reason executives would do this deliberately. This one does appear to be incompetence, but you would have to go on a scale not of one to ten but one to several billion and these folks would top out that scale, just the utter indifference to us.

One of the things the Massachusetts complaint stresses, which we talked about briefly last time, is there was nothing we could do to protect ourselves from what Equifax was doing. We’re not customers. We didn’t authorize them to have this confidential information about us. This is an outrageous system in which other people can take our private information that is vital to keeping all kinds of things secure, and we’re just talking about money here. There are other scams that actually physically harm people when they get this kind of information and Equifax thinks that we don’t really need to change the system at all. It loves the system.

Now Massachusetts could do this, but it is only Congress that can fundamentally change this insane system and where even today … So you look at the Massachusetts attorney general site, and it says, “What should you do now that you’ve been a victim?” It says, “Well, you could put a freeze,” but then it explains if you do this you also can’t get new loans and such in a number of instances, so that’s a terrible remedy, just an absolutely terrible remedy. They say that you should, they again being the Massachusetts attorney general, and I’m not making fun of them. Their advice is actually good, but it shows how insane the system is. They say, “You should rush to file your taxes before the frauds do, because if the frauds do, they may get your refund before you can,” and such. What kind of world is it where that has to be our remedy that we have to get in a race with the frauds on filing our tax returns?

SHARMINI PERIES: Right. Bill, there are some very basic questions coming through. Obviously people are so upset about what’s going on out there and some of this seems so abstract to people. So, let’s get to some basics here. How does Equifax gather the information they have on us?

BILL BLACK: In a bunch of different ways. Equifax is not a single business, so the thing that we know it best for, of course, is the credit scores, and of course, we are not the customers. The credit scores, the customers of Equifax and its two sister organizations are lenders in those circumstances and it’s not used just in lending, it’s also used by insurance companies wherever state statutes don’t prohibit it. So, that’s the big line of work, and that’s the one where they get the most information, they get the information from the entities loaning money to us, not from us. They get it from merchants and they get it from banks and such.

As I said, this is much scarier in broad things. We’re going to see scandal after scandal because they have information, for example, and they will sell this information to any bank in the world at a pretty low price as to whether at 2 am you’re buying porn, and you can see what fun politicians will have leaking that information against their opponents and such. You may get charged, by the way, a higher interest rate if you read porn and such and you buy it with a credit card information, so that’s another world they’re in.

They’re in a world of verification as well. When, for example, you forget your password and such. So many people, many businesses hire Equifax to provide that kind of service, and when they do that, they get another whole source of information. There sometimes we might actually be a customer, but usually we’re not. Then they have all kinds of other enterprises where they do basically data mining. This is the stuff that’s really valuable to them is they try to figure out what makes you tick as a consumer, and that information. By the way, that is one of the things that made Walmart very rich. They were among the very first large enterprises to exploit the data mining capacity because they were simply so big and their, the scanning system, they figured out, could be turned and made into a massive data mining system.

SHARMINI PERIES: Bill, does Equifax have a relationship with collection agencies?

BILL BLACK: Well, certainly they get information from the collection agencies. They’ll have information on people’s residences and such, and if the collection agencies have difficulty finding you they can also get information on, of course, where basically you’re operating from because they see your credit card trail.

SHARMINI PERIES: All right, and one question from Adam Mustafa from Facebook. “How do you check if you are affected?”

BILL BLACK: That is one of the additional scandals in all of this. Again, what kind of crazy system where they are completely, they, Equifax, are completely at fault. You are not at fault in any possible way, and then the onus is put entirely on you to find out that you’re a victim. They won’t even tell you that they’ve screwed you up. That’s nuts. That should be an absolute statutory requirement and the requirement that they should notify you should be very quick, not six weeks after they discover a breach. So Equifax has supposedly established this system that you can email into them, but what you get back is “Maybe.” It’s outrageous. It’s outrageous on dimension after dimension after dimension. It’s the gift that keeps on giving. Equifax finds constant new ways to make people outraged because they act outrageously.

SHARMINI PERIES: All right, and we have a question here from Beverly Dycor on Facebook, who asks, “How do we protect our social security numbers?”

BILL BLACK: You can’t. That’s the point.

SHARMINI PERIES: All right, and another one from Tim Powers from Facebook. He asks, “Who did the hack?”

BILL BLACK: We don’t know.

SHARMINI PERIES: All right. Chris Anderson from Facebook also, “Was this breach by a nation-state actor or a criminal syndicate?” I guess the answer to that is also we don’t know?

BILL BLACK: We don’t know, but let me say something more general: These are the good old days because what the thieves that break in haven’t yet created the networks to do is a way that they can instantly auction this information for large amounts of money because they are in parallel. The people that buy the information are prepared to make hundreds of thousands of purchases using our information, and that’s technically doable now. Once they complete that nexus, then the amount of money they get for committing these breaches will go from the tens of thousands of dollars to the hundreds of millions of dollars and many of these huge breaches are not in fact followed by identity theft of really large numbers of people but that’s, again, they will fix that. They will develop the technology, well, again, apply the technology, technology already exists, so that they can do this and when the financial incentive, when you can get tens to hundreds of millions of dollars by committing these breaches, of course it’s going to become, it will draw thousands of very skilled people into trying to do exactly that.

SHARMINI PERIES: Right, and Bill, give us a sense of how we could possibly detect on our credit card bills or our bank accounts or whatever if there is suspicious activity. So are we to now check these documents to make sure that there isn’t any suspicious activity?

BILL BLACK: Yeah, now that’s the one where I would differ from the Massachusetts attorney general recommendation list. It isn’t that the things on it are wrong, it’s that they don’t put both of the things you’ve said, which are actually the single most important things you should do and you should do anyway, and you should have done it long before these breaches anyway. How do you figure out? Well, most people can remember in the last 30 days did they in fact buy $2,000 worth of photographic equipment and such. So it’s usually not hard if you do have the discipline. Just look through each of the entries on your credit cards and then look at your bank statements for withdrawals in particular of course that don’t make sense or checks where, “Wait a minute? I wasn’t dealing with that person.” Those are good protections that you should do anyway.

SHARMINI PERIES: Bill, last question from Evanne Katrina, who asks, “If people are trying to confirm whether their data is vulnerable and if they’re checking, are they unknowingly consenting to not pursue a civil action against the company?”

BILL BLACK: Not now, but originally Equifax set up its system in a way that might have led, well, was designed, you could say it more strongly, was designed to lead to wide scale unintended renouncement of your constitutional rights to sue them. And again, that was of course utterly outrageous that, and just again, they’re completely in the wrong. We are completely not in the wrong, and the idea that they would then seek to exploit us rather than help us for something where they did everything wrong is a true demonstration that we’re missing it. I have not seen a single news report about the chief security officer and the chief information officer resigning that says, “Wait a minute. Why isn’t the CEO resigning? Who picked the chief security officer? Who picked the chief information officer? Who developed this outrageous strategy? Who created a culture where they wouldn’t fix known vulnerabilities with patches that essentially cost them essentially nothing to do?”

Somebody created this organization, and it’s the CEO and it’s the board. And there should be, the CEO should have been gone months ago, as soon as this was known. He created one of the worst corporate cultures in the history and the board needs to be cleaned up as well because they’re obviously not functioning at all. So again, this is the cynical stuff of the CEO, I mean the sacrificial victims, clearly they’ve screwed up. I’m not saying that they shouldn’t go, but it’s an attempt to distract attention from the deficiencies of the CEO.

SHARMINI PERIES: All right, Bill. There are so many more questions than we can answer today, and I’m wondering if you would come back and we would do this again, which is people can get their questions lined up, have them ready to send in and we would have another Q&A session with you?

BILL BLACK: Yeah. We can even tell them in advance.

SHARMINI PERIES: This time we could do that.

BILL BLACK: A particular date and such, and they could be prepared for all that. That’d be great.

SHARMINI PERIES: All right. Let’s do that. I thank you so much for joining us today, Bill.

BILL BLACK: Thank you.

SHARMINI PERIES: And thank you for joining us here on The Real News Network.


24 comments

  1. lyman alpha blob

    In case you don’t read the whole article, this bit pretty much says it all –

    Now it turns out the chief security officer, her degree is in music.

    1. John Wright

      There has been quite a lot of discussion about this on the web.

      Her undergraduate degree is not important; that she was a chief security officer who did not set up a standard operating procedure of immediately applying security patches to Equifax’s software IS important.

      They should do an analysis of how this happened, the patch in the open source software was free so why didn’t they immediately apply it?

      Is Equifax so outsourced that they did not have people on the payroll to fix this?

      And applying the patch should not have required many levels of approval or encountered management pushback.

      The fail was organizational in that they should have had policies and people in place that immediately responded to the threat, not that the chief security officer was a music major.

      I don’t see how Equifax could be viewed as TBTF as it has other competitors.

      Washington politicians will have a difficult time pitching that Equifax is important to save.

      1. Ann

        Agreed. A generation ago, lots of people in information technologies started out in other fields. It used to be a truism that musicians had talents transferable to programming, back when IT was uncool, weird, and kinda fun.

        Her degree is not what counts; what counts is her and her reports not doing their due diligence in applying patches and upgrades.

        1. Stemp

          This is exactly right. Her degree is not germane to this epic cluster-f.

          I work in IT, and my degree was in English. I’m not a security person specifically, and I don’t work directly with any of the technologies (Apache, Java, Struts) involved in the hack. But when I heard about what the vulnerability was they’d fallen victim to, I was like “But everyone knew about that Struts hole! The fix has been available for months! Are you serious?”

          There was no plausible deniability for this failure.

    2. Big River Bandido

      If what you’re saying is that a music degree somehow shows incompetence, stupidity, or irrelevance to complex systems, that’s a cheap shot — and it’s not funny, because the evisceration of arts education in this country over the last 30 years bears some responsibility for the degradation of our society, public discourse and body politic.

      Musicians and people with advanced musical training are frequently found in the top levels of almost every other profession. This should not be surprising to anyone; music is a complex system of communication with mathematical, historical, analytic, psychological and aesthetic components. It stands virtually alone among human activities which engage both halves of the brain in a single goal. The ancient Greeks regarded music as the pinnacle of human knowledge and education — the intersection of science, language, mathematics, and ethics.

      Albert Schweitzer was a recitalist for the first 40 years of his life, and Einstein’s love for the violin is well-documented. A disproportionate number of successful medical school applicants received their undergraduate degrees in music — my own physician was a clarinet performance major. And the Albert Einstein College of Medicine in the Bronx has an orchestra made up of students, faculty and staff. Medical schools *want* to train doctors with both analytical and people skills, who are able to synthesize the elements of math, science, and arts.

      Musicians often demonstrate a remarkable versatility and level of skill in other areas — Herbie Hancock’s undergraduate degree was in electrical engineering. After Pearl Harbor was bombed, the entire band from the destroyed U.S.S. California was transferred to Station Hypo, the codebreaking unit, where it was discovered the musicians had a natural facility for the work. If I tried to cite all the examples of this kind of cross-platform skill, I would never finish this comment. None of these connected skills should surprise anyone, either.

      [Full disclosure: I am a professional musician and college professor with degrees in American history, and in music. If nothing else, this post should show that I can think for myself, write, and use the Oxford comma.]

      Lastly: I’m not sure that there’s *any* college degree program that could confer competence and trust upon someone in such a narrow field as “information security”. I’m not saying that field is unimportant, or that people don’t need to be trained for it. But I’m not convinced that the proper way to train people for that field is to create a specialized degree program and send them through it; too many other things get waylaid by such a narrow focus. (I hold the same disdain for MBA programs and “degrees” in such fields as “meeting planning”.) What I am saying is that a *real* college education ought to teach the recipient how to read, write and think — critically, creatively, and a lot. A degree needs to teach students how to teach themselves; how to refine their knowledge and continue to learn so as to adapt to continual changing circumstances.

      That the former chief security officer for Equifax has a music degree really doesn’t say it all.

      1. lyman alpha blob

        Sorry that I got your and Mr. Wright’s hackles up as my intent was not to disparage music majors, musicians or people with liberal arts degrees.

        My point is that the article does not mention any credentials she might have pertaining to actual data security and Bill Black chalks the episode up to gross incompetence which leads me to guess she might not have had much relevant experience. It wouldn’t be the first time someone was promoted who lacked the knowledge necessary for their new position.

        For example, I happen to be very familiar with another company that is increasingly reliant on IT but whose upper management has no IT background to speak of. Not surprisingly that company’s IT department is in a shambles, which is why Mr. Black’s comment about the IT security person with a music degree resonated with me.

        And I wholeheartedly agree with every single word you said about what the point of an education ought to be. I have a music background myself, and got a degree in classics with minors in various other subjects from a liberal arts college. I’d like to think I’m pretty well rounded and able to think critically but I have no formal training whatsoever in IT. I might be able to think critically enough to diagnose the problems a company is having with their IT department for example, but you definitely do not want me to be the one trying to fix it.

        No offense meant and hopefully none taken. And if you’d like to take your comments about education and come read them to my town’s increasingly dysfunctional educational administration, it might finally knock some sense into them ;)

        1. Big River Bandido

          No offense taken; I merely felt compelled to leap to the defense of my profession. And I do think IT and security people should be competent, and critical thinking is a necessary part of that. Stemp’s comment above speaks to that. Cheers!

    3. Jeremy Grimm

      Actually a music degree might come in handy for this Chief Security Officer (CSO) — especially if that degree conferred any sort of skill for fiddling. Equifax might have kept the CSO around to fiddle while the firm burned.

      1. Big River Bandido

        Ah, but according to what I’ve read, the historical consensus is that the Nero fiddling story is apocryphal. :)

  2. templar555510

    This whole Equifax scandal has been a long time coming. The whole credit scoring system in the hands of a company so patently badly managed as this, but which numerous major financial institutions rely upon, as do we, their customers, is wrong because it is one-sided. A company can put on your entry you owe such and such without any checking by Equifax (the same goes for the other agencies, Experian etc.) and there it sits until such time as it expires by limitation of time by statute. You or I on the other hand cannot challenge this entry about us. By law the proper process should be that a company wishes to put something on Equifax and it is then communicated to you that they wish to do this and you should be allowed to challenge this if you disagree with it. Not a chance. It is one of the most egregious pieces of corporate preferment ever made legal and this scandal gives everyone the opportunity to challenge it. So write to your bank if they use Equifax and ask them if they are going to part company with them and publish the enquiry and the reply on the internet.

    1. flora

      Think how much “better” (ahem) this would all be – in the Equifax world of unregulated and slipshod credit agencies – if we were additionally forced to use digital currency. What could go wrong? /s

  3. cm

    Brian Krebs has a decent story on how the press is mostly giving Equifax a pass:

    Over the past two weeks, KrebsOnSecurity has received an unusually large number of inquiries from reporters at major publications who were seeking background interviews so that they could get up to speed on Equifax’s spotty security history (sadly, Bloomberg was not among them).

    These informational interviews — in which I agree to provide context and am asked to speak mainly on background — are not unusual; I sometimes field two or three of these requests a month, and very often more when time permits. And for the most part I am always happy to help fellow journalists make sure they get the facts straight before publishing them.

    But I do find it slightly disturbing that there appear to be so many reporters on the tech and security beats who apparently lack basic knowledge about what these companies do and their roles in perpetuating — not fighting — identity theft.

    It seems to me that some of the world’s most influential publications have for too long given Equifax and the rest of the credit reporting industry a free pass — perhaps because of the complexities involved in succinctly explaining the issues to consumers. Indeed, I would argue the mainstream media has largely failed to hold these companies’ feet to the fire over a pattern of lax security and a complete disregard for securing the very sensitive consumer data that drives their core businesses.

  4. MichaelSF

    Isn’t the chief security officer of an organization this size going to be a manager, and not someone sitting poring over server logs? There should be systems administrators who are watching for problems and applying patches as needed. That’s the way things worked when I was a “front line” Federal IT specialist before retiring.

  5. EverythingsJake

    I adore Bill Black, but I must push back on one point he raised. Being a music major is not an impediment to success in other fields and shouldn’t be cited as such. Mayor Richard Riordan’s law firm in Los Angeles used to prefer hiring musicians for temp work because they found that the quality of the work was higher on average. I believe there are also studies that show that engaging in artistic endeavor has a positive effect on one’s mental faculties. I was a voice major and I’m successful in my field, which has absolutely nothing to do with music. Music taught me to see both the detail and the whole at the same time, which was necessary to successfully perform, and has been an invaluable skill throughout my professional career.

    1. Arizona Slim

      I’m currently writing a profile about a musician who was good enough to be offered a full-ride scholarship to the Eastman School. Her life went in a different direction, and she has grown into an excellent businesswoman.

      Through her musical training, she developed an exquisite attention to detail and the willingness to persevere. Through her business experience, she learned how to relate to people — all kinds of people.

      1. Big River Bandido

        Music also teaches “people skills”, especially if you play in an ensemble or have a musical role where you must interact often with the general public. Collaboration is key.

  6. Jeremy Grimm

    So much for Equifax — what about Experian and TransUnion? How good is their security?
    Also — assuming we need credit agencies — why do we need three credit agencies?

      1. Jeremy Grimm

        Thanks for the link! I added Krebs to my bookmarks.

        I recall some reasoning used to justify classifying a report ‘Secret’ even though all of the information it contained derived directly from unclassified sources. Our security officer repeated the guidance which argues how bits and pieces of unclassified information might convey Secret information when those bits and pieces are assembled together into a single source.

        Consider the many large scale data breaches reported in the last year or two. Now regard what kind of data might be obtained by assembling and organizing this “lost” data. What banks and vendors, and willing and unwilling customers conveniently treat as our identities are now widely amassed in the hands of criminals. The backdoor for obtaining the Experian Credit Freeze Pin reported in your Krebs link is one of many insidious backdoors to passwords, medical records, bank accounts(?) and ….

        Banks and vendors remain comfortable with the convenience of the “identities” they’ve constructed for us and now lost. I fear Bill Black’s warning at the end of this video will come true all too soon. And even if it takes a while for criminals to get everything organized — Social Security Numbers and other assemblages of personal data used throughout our economy to represent our personal liability for debt and our claims for credit remain widely used and nothing is being done to stop this practice and protect individuals from the sword now hanging over almost every head.

  7. marku52

    I’m assuming that the “music degree” implied no other technical training. I wouldn’t choose a musician to do brain surgery, unless she had the additional training required. A musician *and* brain surgeon would probably be a very skilled one.

    Oh, and do go up to the Equifax site. Put in some random made up name and number.

    You will be told you have been hacked.

    I don’t know what code they put behind that button, but it doesn’t do anything.

    1. PhilM

      They’d be crazy to, because it would mean they were linking databases filled with vulnerability information on a web portal. A web portal on a network that has been completely and utterly compromised for months, and that will probably be compromised forever until they throw away the bare metal.

      There’s very little they can do right now to make this situation better even if they wanted to. Their entire business model has just been completely vitiated by a hack. The best comment on this was one on Slashdot: we are incensed that they let our information get stolen by bad guys, sure; but we should have been even more incensed before the hack, because they were selling our information indiscriminately, to good guys and bad guys alike.

      The people who suffered the most from this theft were the shareholders of Equifax; you and I had already been screwed long ago, and this hack might even trigger a bit of remedy for some of the systemic screwage the credit bureaus were inflicting on an ongoing basis, such as the fact that I had already spent 30 bucks to freeze my credit, which was blackmail.

      Schadenfreude never felt so good!
