Equifax CEO Richard Smith has become the latest casualty of the company’s huge and mishandled data breach.
The company announced this morning that Smith has joined the CIO and CISO in leaving the international credit rating company following an admission that personal data of more than 143 million consumers — including 8,000 in Canada and 400,000 in the U.K. — were exposed in a breach earlier this year.
[UPDATE: Equifax initially said 100,000 Canadians were affected. That was corrected with a lower number on Oct. 2]
What made the breach bad was not just the size — 143 million is roughly half the U.S. population — but two other things. First, there was confusion over whether victims who accepted Equifax’s offer of a free year of credit monitoring gave up their right to sue the company (it quickly said no, they didn’t). Second, the company admitted that the vulnerability attackers used was an Apache Struts hole for which a fix had already been issued. Equifax acknowledged its IT staff knew about the fix, but for some reason it wasn’t applied for weeks, at least on the server that was hit.
Paulino do Rego Barros, Jr., Equifax’s former president, Asia Pacific, is now interim CEO, and Mark Feidler, a current board member, was appointed as non-executive chairman of the board.
In a statement Feidler said the Board “remains deeply concerned about and totally focused on the cybersecurity incident. We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the board, I sincerely apologize. We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.”
For his part departing CEO Smith said “The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”
SecurityWeek reports that Smith will not receive his annual bonus outlined in a 2008 employment agreement, and added that he “irrevocably disclaims any right he may have to such bonus.”
Those who use the Apache Struts framework and worry about possible vulnerabilities should note that on Sept. 22 Oracle released a security alert covering seven patches for the software that the Apache Foundation had recently put out.
The Oracle bulletin also notes that the Apache Foundation’s fix for CVE-2017-5638, the Apache Struts 2 vulnerability Equifax identified in relation to the breach, was distributed by Oracle to its customers in the April 2017 Critical Patch Update. The bulletin adds that, by now, administrators everywhere should have applied that patch.
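The bulletin’s point, and Litan’s later remarks about patch management, come down to one question an administrator can answer mechanically: which deployed copies of struts2-core are still on a release affected by CVE-2017-5638? The script below is an added example, not code from the article, Equifax, Oracle or the Apache project. It walks a constructed list of WEB-INF/lib paths, pulls the Struts version out of each jar name, and compares it against the affected ranges named in the Apache advisory for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The sample paths are made up; the version ranges are from the advisory, not from this article.

```python
"""Inventory check: flag struts2-core jars still on a release affected by CVE-2017-5638.

Added example, not the article's or any vendor's code. Sample paths are constructed.
Affected ranges come from the Apache Struts advisory for CVE-2017-5638 (S2-045).
"""
import re

# Affected ranges per the Apache advisory (inclusive). Anything outside them is
# treated as not affected by this particular CVE; that says nothing about others.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),   # fixed in 2.3.32
    ((2, 5), (2, 5, 10)),      # fixed in 2.5.10.1
]

# Matches the jar name Maven produces for the core artifact, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise like versions do."""
    return tuple(int(part) for part in text.split("."))


def struts_version_from_path(path: str):
    """Return the struts2-core version tuple embedded in a jar path, or None if the
    file is not a struts2-core jar."""
    m = JAR_RE.search(path)
    return parse_version(m.group(1)) if m else None


def is_vulnerable_to_cve_2017_5638(version: tuple) -> bool:
    """True when the version falls inside an affected range from the advisory.
    Tuple ordering handles the four-part fix release: (2,5,10,1) > (2,5,10)."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def audit_classpath(paths):
    """Classify every struts2-core jar found in the given paths.

    Returns a list of (path, version_string, status) where status is
    'VULNERABLE' or 'patched'. Non-Struts jars are skipped."""
    findings = []
    for path in paths:
        version = struts_version_from_path(path)
        if version is None:
            continue
        status = "VULNERABLE" if is_vulnerable_to_cve_2017_5638(version) else "patched"
        findings.append((path, ".".join(map(str, version)), status))
    return findings


# Constructed sample: three webapps, one per Struts branch, plus an unrelated jar.
SAMPLE_CLASSPATH = [
    "/srv/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/srv/tomcat/webapps/portal/WEB-INF/lib/commons-lang3-3.5.jar",
    "/srv/tomcat/webapps/api/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/srv/tomcat/webapps/intranet/WEB-INF/lib/struts2-core-2.5.10.1.jar",
]

if __name__ == "__main__":
    for path, version, status in audit_classpath(SAMPLE_CLASSPATH):
        print(f"{status:10s} {version:10s} {path}")
```

In practice the path list would come from `find / -name 'struts2-core-*.jar'` across every host, and the result would feed the patch tracker rather than a terminal. A jar name is only evidence of what was deployed, not of what is running: a hot-patched or renamed jar would be misclassified, so the check complements, rather than replaces, the layered controls discussed further down.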
Security industry experts have no shortage of feelings on the departure of Equifax execs. “Even if ‘retired’ is a polite way of saying ‘fired’, it does not feel like these individuals and/or the company are being held accountable for a grotesque security failure,” said David Swan, Alberta-based director of intelligence at the Centre for Strategic Cyberspace and Security Science, a consulting firm. “The company has not addressed the potential ripple impacts of secondary and tertiary effects of the breach.”
“I see this breach as driven in part by a cultural issue: Many of the current generation of business leaders have not grasped the deadly potential of ‘getting hacked’.”
Gartner cyber security analyst Avivah Litan feels the first to go at Equifax should have been the CEO. “It’s easy to blame the security people,” she said in an interview this morning, although it’s also possible the CIO and CISO were to blame. “We never knew what the CIO and CISO tried to do. It’s quite possible they tried to make management aware of security, they tried to get budget — we don’t really know. But they always say ‘The buck stops here,’ so it would have been more appropriate if the CEO stepped down first.”
While Equifax has admitted its IT staff knew in March that a patch was available for the Apache Struts vulnerability but for some reason it wasn’t applied for weeks, Litan said there are still questions. “There’s a lot of patches that come out all the time, yet IT needs to patch systems … I’m not saying they weren’t a bit negligent in their duties but there are so many priorities in IT and if you don’t have the right resources you just can’t implement all these patches.”
Still, she added, “there should have been layered security so if it wasn’t patched there were other controls that would have caught the hacker …. You have to have layered security, and if companies only rely on patch management they’d be in serious trouble.”
And while there are many questions about how the breach was allowed to occur, Litan also said “the CEO completely messed up on the response. They came out very wishy-washy on how many people potentially were impacted, their Web site was not clear at all when people wanted to know if they were impacted, the services they provided at first said if [victims] took the [credit monitoring] service they’d waive the right to sue, then they took that clause off. It was a house of cards — pretty much everything kept falling down.”
There are also complaints that some execs dumped their shares before the breach was made public. Equifax has denied any wrongdoing.
Aside from the fact that organizations don’t seem to be learning lessons from breaches, Litan said this incident shows credit monitoring companies have to be regulated more tightly.