Equifax Hack Blamed On Single Employee

Outsmart Malicious Hackers


We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn’t been patched.

Equifax Hack Blamed On Single Employee


Now it seems the CEO Rick Smith is basically placing the blame on a single employee that failed to pass a message on to the right people, rather than taking responsibility for an organisational failure. It’s also interesting there was a scheduled security scan not long after the flaw was disclosed and it wasn’t detected.

Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz’s IT security breach on a single member of the company’s security team.

In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news about Apache Struts, that protocol broke down at Equifax due to human error, meaning no one was told to apply patches for the flaw. And, astonishingly, this is all one person’s fault rather than an obvious failure for the business as a whole, according to Smith.

“The human error was the individual who is responsible for communicating in the organisation to apply the patch, did not,” Smith told the subcommittee at around the 1:05:15 mark in the video below.

Congressman Greg Walden sought clarification of that statement, asking “Does that mean that that individual knew the software was there, and it needed to be patched, and did not communicate that to the team that does the patching? Is that the heart of the issue here?”

Smith’s reply was: “That is my understanding, sir.”


This Equifax hack was so avoidable, do they not use some kind of issue tracking or ticketing system, did someone not just need to create a Jira ticket and someone else checks that they created it, how can such a huge multi-million dollar corporation with such critical user data not have simple, industry standard check and balance procedures.

It’s sad, and it’s messed up and honestly, it’s also depressingly unsurprising.

Smith said the company had otherwise followed its protocol of distributing information on necessary patches and that in the case of CVE-2017-5638 its procedures were observed, except by the individual mentioned above.

The former CEO said the second cause of the attack was a failure of automated scanning conducted a week after the patch should have been applied. For as-yet-unknown reasons, scans did not detect the presence of un-patched Struts implementations.

Smith spent more than two-and-a-half hours testifying and, after apologising and taking responsibility for the hack, spent much of that time defending Equifax’s decision to withhold news of the hack for many days after discovering it. Smith repeatedly justified the delay on grounds of avoiding further attacks and ensuring consumer protection measures could be in place.

“It did not help that hurricane Irma took down two of our larger call centres in the early days after the breach,” he said.

Committee members were not kind to Smith, who did not flinch in the face of stern criticism of Equifax’s security practices and response.

I hope the committee comes down like a tonne of bricks on all of those negligently involved in this travesty that has affected the majority of American citizens.

I’m also curious to see if the details are exposed of why the subsequent scan did not detect the vulnerability that caused the Equifax hack.

The law is also pretty sad, under current law they are required to alert those whos accounts have been hacked..but there’s no penalty if they dont.

Source: The Register

Posted in: Hacking News


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.