
Equifax CEO to Congress: Not Sure We Are Encrypting Data

289 points by boyd over 7 years ago

13 comments

tptacek over 7 years ago
Encryption wouldn't have mattered here. To a pretty good first approximation, none of the "encryption" done at scale at any Fortune 500 company in the US is more than a speed bump for attackers. Unless you're using moon math --- nobody is --- enterprise backend encryption is hamstrung by the fact that you're keeping the data because automated business processes need to use it, which means automated systems need to decrypt it.
mrguyorama over 7 years ago
I don't know which is worse: that Equifax is straight up lying about their infrastructure to hide malpractice, or that they don't even know.
markarichards over 7 years ago
If encryption is enriched with appropriate identity, authorisation and authentication systems then...

Encryption at network level is a must. Corporate routers/firewalls have been very vulnerable before and the risk of grabbing everything is a lot easier if you've compromised the network.

Encryption at rest is a must, as at some point you need to replace those disks and it's a lot easier if you can be cavalier with the handling afterwards because you know it is unreadable.

Encryption at application level (object encryption and between services) is a must. Which means if a service is hacked or you dump the DB you may not be able to read any of it, or only those records accessed whilst the hack happens. You replicate access control patterns, like in a secure building... These may come down to one or more common denominators (can you trust the security receptionist), but better that than the whole chain being vulnerable... You then only have one set of alarms, logs, metrics, etc. to keep an eye on and to test very thoroughly.

In the physical world: for security scenarios we have very strict procedures with locks, boxes, safes, multiple security door/gate entry systems, multiple participants and signatures involved in every action, etc. to mitigate internal and external error, failure or attack - all of these can have an electronic information system equivalent and we should start designing security in web systems with these ideas in mind when it is as significant as Equifax.
jdavis703 over 7 years ago
Well I heard from the FBI that only criminals encrypt data using these fancy counting machine things. So it seems like Equifax may have actually done the right thing here. /sarcasm>

On a serious note, we really need to make encryption a part of high school mathematics. What teenager doesn't want to write secret messages?

When I took an intro to security course in college we spent a couple of classes building a very elementary understanding of how encryption works with plenty of hands-on examples (using laughably insecure algorithms, but still enough to get the points across). I think most students found it the most interesting part of the course since most everything else was more about security policy (an MBA could've probably easily taken the course successfully).
ineedasername over 7 years ago
At this point I think there is literally nothing about Equifax incompetence that would surprise me. I mean nothing.

They could reveal tomorrow that their data center fire protection protocols mandate the use of printed backups, feeding them to the flames with hopes the god of data destruction would be appeased and leave their servers alone. I would not be surprised. Nor would I be surprised if the paper backups were only available as printouts on toilet paper, 1000 miles away, in the CEO's office.

No, my reaction would be, "sounds about right for them, though I guess it's +1 point for effort on keeping any backups at all."
jve over 7 years ago
I would like to quote PostgreSQL Experts (this applies to all DBs): FULL DISK ENCRYPTION IS USELESS. [1]

FDE protects against...
• ... theft of the media.
• That's it.
• That is about 0.00000002% of the actual intrusions that you have to worry about.
• Easy rule: If psql can read it in cleartext, it's not secure.
• (It's a great idea for laptops, of course.)

And then it recommends: "Always encrypt specific columns, not entire database or disk"

However, encrypt your backups.

I think it is fairly sensible.

[1] Securing PostgreSQL [PDF], Page 31: http://thebuild.com/presentations/pgconfeu-2016-securing-postgresql.pdf
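An added example in Go (not from the thread or from the PostgreSQL deck jve cites) of the column-level rule above, which also shows the limit tptacek describes: the application holds the key, the column stores only AES-GCM output, and the row id and column name are bound as associated data so a ciphertext copied into another row or column fails to open, yet any code path with the key still decrypts. The ColumnCipher type, the fixed demo key and the sample row are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ColumnCipher encrypts single column values in the app; the DB stores only ciphertext.
type ColumnCipher struct{ aead cipher.AEAD }

// NewColumnCipher takes a 16-, 24- or 32-byte AES key that only the application holds.
func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return &ColumnCipher{aead: aead}, err
}

// aad binds a ciphertext to its row and column, so a value copied elsewhere fails to open.
func aad(rowID, column string) []byte { return []byte(rowID + "\x00" + column) }

// Encrypt returns nonce||ciphertext||tag, the bytes the column stores.
func (c *ColumnCipher) Encrypt(rowID, column string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, aad(rowID, column)), nil
}

// Decrypt rejects truncated values and anything not sealed for this row and column.
func (c *ColumnCipher) Decrypt(rowID, column string, stored []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(stored) < n+c.aead.Overhead() {
		return nil, fmt.Errorf("stored value too short: %d bytes", len(stored))
	}
	return c.aead.Open(nil, stored[:n], stored[n:], aad(rowID, column))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; use a KMS/HSM in production
	cc, _ := NewColumnCipher(key)
	ct, _ := cc.Encrypt("cust-1", "ssn", []byte("123-45-6789")) // constructed sample value
	_, err := cc.Decrypt("cust-2", "ssn", ct)                    // same ciphertext read from another row
	fmt.Printf("stored: %x...\nswapped-row decrypt: %v\n", ct[:8], err)
}
```

A `SELECT` against the column returns only the stored bytes; the plaintext exists only inside the process holding the key.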
swalsh over 7 years ago
Not a lawyer, curious if this would be a violation of https://www.law.cornell.edu/uscode/text/15/6801

Equifax themselves are not a financial institution, but as a vendor of one, would it not apply to them too?
TylerE over 7 years ago
Just give them the corporate death penalty already.
janesvilleseo over 7 years ago
Is there any way for me to get my information removed from Equifax?

Do I need to contact all of my line item creditors and ask them to remove references to Equifax?
plandis over 7 years ago
This guy needs to be held personally responsible. But he won't be and that makes me extremely mad.

It sucks that the rich and wealthy can be as morally bankrupt as they want without any/many consequences.
neurotech1 over 7 years ago
Non-paywall version: http://archive.is/ikG4d
orangepenguin over 7 years ago
Can anyone give a summary or point me to another article (not paywalled) with similar information? I'm very interested, but don't have a WSJ subscription.
crankylinuxuser over 7 years ago
So, has the data actually been leaked, or do you still have to pony up a load of BTC to see this?