As the RSA Conference Rages On, Equifax Faces the Music - Again

Posted on by Tony Kontzer

Equifax was back in the cyber security news cycle this week, and once again for all the wrong reasons.

No, the company charged with storing, analyzing and judging consumer credit data did not suffer another breach. Rather, it was facing the music for its actions and inactions leading up to the 2017 breach that saw 143 million Americans' sensitive personal data exposed.

First, a blistering report from the U.S. Senate Permanent Subcommittee on Investigations made it sound as if Equifax was securing data with a speakeasy bouncer opening a little sliding window and asking customers for the password "swordfish." One doesn't even have to get into the meat of the report to get to the head-shaking assertions. A mere skim of the table of contents of the 67-page document does the job.

For example, the second section of the report, which is titled "Equifax was aware of cybersecurity weaknesses for years," has subsections with titles such as "Equifax did not follow its own schedule for remediating vulnerabilities," "Equifax lacked a comprehensive IT asset inventory," and "Equifax had a reactive patching process."

The third section's title reads like a security executive's worst nightmare: "Equifax's response to the vulnerability that facilitated the breach was inadequate and hampered by its neglect of cybersecurity."

Double ouch.

Not surprisingly, Equifax took issue with the tone of the report in an email to Bloomberg Law, which the publication quoted in a story posted Wednesday.

“Equifax has cooperated with the Subcommittee in its investigation and, while we do not agree with a number of findings and characterizations in the report, we remain committed to being transparent and cooperative, while sharing important learnings from the 2017 incident with the cybersecurity community,” Equifax spokesman Jacob Hawkins wrote, according to Bloomberg Law.

As if the Senate report wasn't enough, Equifax CEO Mark Begor, who replaced former CEO Richard Smith after the breach, had to follow that up by appearing before that same subcommittee Thursday alongside equally beleaguered Marriott CEO Arne Sorenson, whose company managed to out-breach Equifax by exposing as many as 383 million guest records. (Let's be honest, though: For better or worse, we expect a lot more in the way of security from a financial services data analyzer than we do from a hotel chain.)

During his testimony, Begor said that Equifax has beefed up security significantly since the breach, but he also bristled at the notion that the company was lax about cyber security prior to the breach.

"There were controls in place," he said. "They clearly weren't strong enough."

Lawmakers reacted to this the way any reasonable person would: with a dismissive wave of the hand. Sen. Maggie Hassan (D-N.H.) said it doesn't help consumers to be diligent after a breach.

"I want to make sure that Americans -- whose information is in the custody of an entity they may not even know anything about -- don’t have to wait for there to be a breach before companies start doing what they should responsibly do," said Hassan.

(You can watch the full hearing and download witness testimony and legislator statements here.)

At least one observer believes that even if concrete action doesn't immediately result, a certain threshold has been passed in the discussion of consumer data and the responsibilities surrounding it.

"Whether growing public intolerance of companies mining vast troves of personal data without perceived benefit to consumers, coupled with impatience over what many view as the abject failure of self-regulation, will be sufficient to overcome resistance to a more aggressive uniform standard of regulation remains to be seen," Robert Cattanach, a partner at international law firm Dorsey & Whitney and former trial attorney for the U.S. Department of Justice, said in an email. "One thing can be certain. The dams holding back public outrage over how customer data is being collected and protected have now begun to burst."

Equifax's dam burst in 2017. This week, the wall of water circled back for it. Here's hoping a lot of other companies are learning from its experience.

Tony Kontzer, RSA Conference
