Archive for September 16, 2017

Equifax Puts Out A Statement On How They Dealt With Being Pwned

Posted in Commentary with tags on September 16, 2017 by itnerd

Yesterday, Equifax put out a statement that says a couple of things. First, it says that the Chief Information Officer and Chief Security Officer are retiring. The latter is Susan Mauldin, who had no formal IT education. The former is David Webb, whose profile is still on the Equifax website for some weird reason. I am linking to a cached copy of the page from the Equifax website in case Equifax decides to change that. The interesting thing is that neither was mentioned by name in the statement. What’s up with that? Also, what’s up with this “retirement” thing? Is this another way of saying that they were fired with a nice big golden parachute?

The second thing is that they also put out a timeline of what happened and what they did. I am sure that they’re doing this so that they can manage the message, and I’ll let you read it yourself so that you see what their message is. But abruptly canning the CSO and CIO as well as putting out a timeline like this says three things to me:

  1. Equifax’s internal investigation (perhaps aided by Mandiant who is the outside firm that Equifax hired to investigate this mess) shows that this mess is considerably worse than what has been publicly revealed so far.
  2. Equifax CEO Richard Smith is clearly trying to save his own job. Thus the CSO and CIO have been thrown under the bus. Though you could make an argument that they were also negligent in their respective positions. It’s also a safe bet that more people will be tossed under any bus that’s available before this is over.
  3. Financially, Equifax is screwed because the lawsuits are going to increase exponentially from this point onwards. Not only that, nobody is going to use their services going forward. Not consumers. Not credit card companies, banks, or any other financial institution. But worse than that is the overwhelming demand by millions of consumers to freeze their credit reports. Equifax (along with Experian and Trans Union) makes a lot of money selling credit information to banks so that they can offer credit cards to you. Credit freezes prevent that. Every new credit freeze is another hit on the annual bottom line. Equifax is bleeding from millions of tiny cuts, and it will only get worse.

Based on the above, this gong show is going to be better to watch than any soap opera because the hits to Equifax are going to keep coming. You should stay tuned to see this company and its CEO get smacked silly.


The CSO Of Equifax Was A Music Major With No IT Background…. WTF?

Posted in Commentary with tags on September 16, 2017 by itnerd

From the “are you serious department?” comes this story from Marketwatch which details the fact that the Chief Security Officer of Equifax had no formal IT background as she was a music major:

Equifax “Chief Security Officer” Susan Mauldin has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. Her LinkedIn professional profile lists no education related to technology or security.

This is the person who was in charge of keeping your personal and financial data safe — and whose apparent failings have put 143 million of us at risk from identity theft and fraud. It was revealed this week that the massive data breach came due to a software vulnerability that was known about, and should have been patched, months earlier.

A person with no IT training working as a CSO for an organization that has the personal data of millions? That sounds like an #EpicFail. If that’s not stunning enough, there’s more:

Reporting by a few tech-savvy blogs has found that as soon as the Equifax data breach became public, someone began to scrub the internet of information about Mauldin.

Her LinkedIn page was made private and her last name replaced with “M.” Two videos of interviews with Mauldin have been removed from YouTube. A podcast of an interview has also been taken down.

Unhappily for the scrubbers, the internet archives some material and a transcript of one interview has survived.

This illustrates that once something gets put onto the Internet, it’s very hard to remove it. But let me get to the key point. On top of having shoddy IT practices and not patching their infrastructure in a timely manner, this failure to have someone who actually knows what they are doing in terms of securing the personal information of millions underscores the fact that it should be no shock that these clowns got pwned in epic fashion. It also underscores that they need to be punished for their absolute stupidity in the most severe way possible to ensure that others who think that this sort of behavior is acceptable change their minds immediately.

Canada’s Privacy Commissioner Launches Probe Into The Pwnage Of Equifax

Posted in Commentary with tags on September 16, 2017 by itnerd

The hits keep on coming for Equifax. Canada’s Privacy Commissioner has launched an investigation into the epic hack that has put the personal info of millions of people at risk. Not much is said in the release that the Privacy Commissioner put out. But it does have some interesting facts in it:

  • Equifax has committed to notifying all impacted Canadians in writing as soon as possible. The company will also offer free credit monitoring to those individuals.
  • The company is still working to determine the number of Canadians affected by this incident. At this point in time, it is not clear that the affected data was limited to Canadians with U.S. dealings.

The key thing is that the investigation is a priority for the Privacy Commissioner. That’s not good if you’re Equifax because Canada’s privacy laws actually have some teeth to them. Thus I am hoping that Equifax will get some of the punishment that it deserves.