Saturday, September 9, 2017

Equifax is "SCREWING" their "customers".

This is an opinion piece... so grab a beer or a line of coke like the Equifax execs have been doing.

First they have repeated security issues, many reported to them and they do nothing.  And they have had breaches in the past (2 others in the last year or so).

Second they appear to be taking full advantage of this "breach" in a way that Donald Trump would appreciate.

Hey, business is business, not my fault you happened to be bent over while I was getting ready to...  All right, let's keep it clean.

Researchers (friendly hackers) noticed something really cool about the NEW service being offered by Equifax to check if your data is part of the breach.

Drum roll please.....

It doesn't really matter what you enter, the answers are random and they just want to push you to their TrustedID service.

Coincidentally subscribing to this service means you are agreeing with their terms and you give up your right to sue their sorry asses.

Take a look at this posting from Sarah Buhr at TechCrunch and your aggravation level is certain to rise unless you're dead inside.

PSA: no matter what, Equifax may tell you you’ve been impacted by the hack

A while back I wrote about the Ashley Madison "hack" and the fact that this company had self-proclaimed themselves secure with a made-up Security Award.  Well... it seems they all went to the same business school: what Equifax is doing and how they are responding to this breach is in line with this type of business practice.

Combine all this with the fact that senior executives sold 2 million in stocks prior to the announcement, and then you add to that the unknown person or persons who shorted the stock and made another 4 million.... you have yourself a really nice picture generally called insider trading along with a few more terms not fit for small children.

Suspect trading in Equifax options before breach might have generated millions in profit

This all points to something missing in our wonderful world called PENALTIES.  Not penalties for the enterprise.  The executives do not care if the enterprise has to pay some penalties.  Penalties for the executives, including jail time when their actions are criminal in nature.

I'm not referencing the insider trading, which I hope is considered criminal.  I'm referencing the lack of respect for their customers' data and the willful blindness when serious security shortcomings are reported up the chain of command.

And by the way, why are we calling ourselves customers, when in fact we are their product, not their customers?  We are forced to deal with companies run by clowns, and the only time we are customers is if we subscribe to one of their shitty services to access our own damned data and make sure they are reporting accurately on our data!!!  What world are we allowing ourselves to live in?

I have to pay a monthly fee to access my data that I never wanted these idiots to have.  Why... because the banks "need" it to authorize my mortgage.  We certainly don't want the banks taking too much risk.  Wait... didn't they seriously screw up a few years back and lend billions of dollars that they shouldn't have, and then the US government bailed them out and they all took in BONUSES!

If you want a really good laugh, take a look at Equifax's SOC 2 TYPE II attestation report.

Proof again that traditional auditing mechanisms are meaningless because people LIE.

Listen up folks:  Companies on the stock market are filled with executives who have ONE priority, themselves.  Therefore they LIE, COVER UP, and IGNORE some pretty significant elements that lead to events like this.  Their bonuses are dependent on everything looking great.

So there you have it folks.  A great big company, audited by other great big companies, compromised at all levels including ethically and morally.

No wonder I prefer family-run businesses.  My two most significant clients are family-run (one is 500m revenue and the other is several billion) and, surprise surprise, when something comes up as a security risk, the CIO brings it to the CEO and no one hides anything.  They just manage the risk, take decisions, figure out how to be better and fix things.

Wow.... that's revolutionary.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
