Former Equifax CEO says breach boiled down to one person not doing their job

41 points by orange_county, over 7 years ago

19 comments

justboxing, over 7 years ago
This is how it always goes down.

- F*ck your customers over by gross negligence and sheer greed (or stupidity, or both)
- Get caught with your pants down
- Dump your stocks and cash out
- Apologize when customers and media express outrage
- Go to Congressional hearing and repeat the magic words "I do not recall" for every question
- Find 1 low-level scapegoat employee
- Fire that employee and declare that the company is now 'clean'
- Avoid any jail time for wrongdoing by paying a fine
- Collect your 'Golden Parachute' = MILLIONS and slide into a new CEO Job.
- Rinse and repeat.

White collar crime pays. Big time.

And almost no-one ever goes to Jail -- unless they have the bad fortune of being prosecuted by A.G. Preet Bharara (record of 79-0 conviction obtained), which is also not relevant since Trump fired him soon after taking the White House Office.

Related: Here's Preet Bharara's Amazing 79-0 Insider Trading Conviction Score Card - http://www.businessinsider.com/bharara-insider-trading-convictions-2014-2

openasocket, over 7 years ago
There's a mantra at my company that you can't assign blame for a problem to a particular person. If one person is capable of breaking your system, you have a bad system. The focus isn't on finding the one person or the one mistake that caused it, but fixing the process so one person or one mistake can't wreak that much havoc. I think it's a very good philosophy.

MBCook, over 7 years ago
Good to know.

And what about the person whose job was to make sure that one guy did his job?

And the guy who was in charge of that person?

And the department whose job was making sure nothing was insecure?

And the guy managing them?

Yep. All one guy's fault. Poor guy, ruining the American credit monitoring system for the rest of us.

caconym_, over 7 years ago
Having just a single point of human failure standing in the way of leaking 145M people's data is already negligent. Trying to foist responsibility onto this poor individual (presumably some lower-rung employee) is shameful and just goes to show how ripe their corporate culture was for something like this to happen.

Thriptic, over 7 years ago
This is shamefully terrible leadership. If you're the CEO and a subordinate fucks up, it means you fucked up. At the end of the day the performance of the entire company is your responsibility.

patmcc, over 7 years ago
Absolutely true.

That person is the former Equifax CEO.

coldcode, over 7 years ago
Yes, him. Guess what, you are (were) the CEO and you are legally required to be responsible for what your public company does. Blaming anyone else is what terrible CEOs do.

galeforcewinds, over 7 years ago
IMO, the board of a public company is responsible for overseeing risk, audit and internal controls, and the CEO is the one person most responsible for ensuring the company acts in accordance with those directives on a day-to-day basis. That an error could be made by a worker is human, though an automated system could also suffer a fault. Audit would have caught a gap, risk management would have caught a vulnerability, and internal controls would have detected incomplete work were these practices properly designed and deployed. Good CEOs look at governance, process, oversight and don't fling muck at employees.

dudul, over 7 years ago
Apparently the data was stored in plain text. Sorry, but if not applying a patch to your Web framework is enough to make it that vulnerable, there are other problems in your infrastructure, your architecture and your process.

aaroninsf, over 7 years ago
FTA "The notion that just one person didn’t do their job and led to the biggest breach in history is quite an amazing claim and shows a fundamental lack of good security practices."

"Amazing" is a word I would use, but not the first one. Or even one of the first few.

Volundr, over 7 years ago
If one person not doing their job leaves the entire credit card holding populace of the US vulnerable to this kind of data leak.... then there was a lot more than one person not doing their job.

s73ver_, over 7 years ago
Well, that person, that person's boss, and so on up to the CEO. The one who is paid such a large salary to ultimately be responsible for the entire company.

rodgerd, over 7 years ago
People (generally) do the best job they can within the constraints they operate under. If someone isn't, say, patching things in a timely way, the most likely explanation is not that the person is lazy or stupid, but that the system is broken.

And if you run a company with a lazy, stupid person being on the critical path for your most important systems? Your systems are broken, because that person shouldn't be there.

Pharylon, over 7 years ago
The CEO is right that it boils down to being one person's fault. He should know since he sees him every day in the mirror.

pixel, over 7 years ago
FIFY:

"Former Equifax CEO says 'There is only one infosec person in our company'"

ww520, over 7 years ago
Blame the IT peon. Yeah, right. Every single time.

jacknews, over 7 years ago
And, ultimately, that person is the CEO himself.

whipoodle, over 7 years ago
And who built the company that let that slide? Who came up with the practices that led to such a failure? Et cetera.

jepler, over 7 years ago
Someone needs to read http://web.mit.edu/2.75/resources/random/How%20Complex%20Systems%20Fail.pdf and also probably just stop talking