I don't care how secure your systems are, if they're connected to the internet, they can be hacked. That's just a fact of digital life. What isn't a fact, however, is negligence (and possibly gross negligence), which is what Equifax displayed in delaying a patch to a known Apache Struts security bug.
Equifax now stares bankruptcy in the face, which just might be an adequate wake up call to push enterprises to take software security seriously.
Bozo security practices invite hacks
Despite Equifax holding mountains of personal data, the company appears to have been somewhat blase about securing it. The most recent example is Equifax's failure to patch Apache Struts CVE-2017-5638 in March 2017, when it was first reported. Given that Equifax indicated that it got hacked in "mid-May," the company had upwards of nine weeks to patch the problem. It's therefore irresponsible for the company to blame Apache Struts, as it initially did, when the fault was its failure to use the software correctly.
SEE: Information security incident reporting policy template (Tech Pro Research)
That isn't the only example of the company's negligence. As security expert Brian Krebs has written, "an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: 'admin/admin.'" This from the company that holds a hacker's honeypot of personal data.
This the sort of gross negligence that gets companies sued—and buried in lawsuits.
Indeed, Gartner analyst John Wheeler, who leads the firm's coverage of integrated risk management (IRM) technology solutions, has noted, Equifax "currently faces more than 23 class-action lawsuits with at least one seeking more than $70 billion in damages." Add this to the estimated $20.2 billion in costs associated with repairing the damage of its breach ($8.3 billion more than the company's market valuation), and Equifax looks certain to nosedive into bankruptcy, and ultimately will be sold for scrap to one of its competitors.
The enemy is us
Before we get too cozy in our schadenfreude or sanctimony, consider Wheeler's prediction that the Equifax debacle will drive the US Congress to get involved in a big way. He wrote: "Similar to the Sarbanes-Oxley requirement on the certification of internal control over financial reporting, CEOs and other executives will be required to disclose any material data breach upon discovery and personally certify to the effectiveness of their internal control over data security."
SEE: Information Security Management Fundamentals (TechRepublic Academy)
The key word here is "personally." It's one thing for executives to hide behind a corporate cloak of indemnity, but make them personally liable and things get real.
Suddenly, IT will find itself nailed to the wall for negligently postponing bug fixes. We'll see those same executives in turn push their vendors to certify their software is constantly patched, and possibly see more enterprises choose to buy their open source software through vendors that will certify it and thereby take on some of the risk.
In short, enterprise security might have just become top of mind for executives, which could finally make it real.
- Information Security Management Fundamentals (TechRepublic Academy)
- Massive Equifax data breach exposes as many as 143 million customers (ZDNet)
- Information security incident reporting policy (Tech Pro Research)
- How to calculate the cost of data breaches (TechRepublic)
- Report: Data breaches growing more complex, causing more damage (TechRepublic)
Matt is currently head of the developer ecosystem at Adobe. The views expressed are his own, not those of his employer.
Matt Asay is a veteran technology columnist who has written for CNET, ReadWrite, and other tech media. Asay has also held a variety of executive roles with leading mobile and big data software companies.