At this point in the game there should be a single page on every corporate website, preferably accessible from its front page, that includes the name and all contact details for the Chief Security Officer, including the last four digits of her social security number. It should be her responsibility to ensure that no one uses this information for nefarious purposes in addition to her daily operations. This honeypot should inspire the this CSO to go to great lengths to protect herself and her company's data.
It's only fair, right?
This person - who in Equifax's case was named John Kelley III and earned nearly $3 million for releasing 143 million customer records (about 2 cents per record) - should also be the first to be fired during a breach. Further, this person should no longer work in "security" and instead be relegated where he can do less damage, perhaps in food service but not food preparation.
I doubt they'd be trustworthy enough to fry a hamburger.
I know it's a little Hunger Games but I think that's where we are in 2017. Corporate security is an afterthought.
I propose this for a simple reason: no one else on Equifax's corporate leadership board works on security. There are plenty of folks dedicate to sales and revenue growth but only Kelley has "has responsibility for legal services, global sourcing, security and compliance, government and legislative relations and more." He's a lawyer.
Breaches are an affront to decades of innovation and research. Breaches are an affront to ethics, customer support, and trust. Breaches are an affront to shareholders and those who depended on Equifax for, arguably, a ridiculous service in these days of trust-less networks and powerful data mining tools.
Add in a clearly inept team at, we assume, Edelman, and you have a perfect storm of corporate idiocy. Look at this:
Yesterday I tried Equifax's "security checker"/Wordpress instance yesterday, September 8. It said:
Apparently, however, you could type in Booger/123456 and get the same answer. Now, thanks to what we can assume was some interference by Equifax's legal department, nobody is affected, not even Booger.
That's right: it went from "Yeah, you're definitely probably hacked" to "No, you're probably not hacked" overnight. This tool should be burnt down.
In short, Equifax can't protect your data, can't build a website, and can't get its story straight. And this is a publicly-traded company with a century of tradition and trust behind it.
Why am I so angry at this? Imagine John Kelley III had a box of family photos. He sent those family photos to a service for digitization. Those photos included tender moments, pictures loved ones dead and gone, and snaps joyous occasions. There's ap picture there of him passing the bar, of getting married, of saying goodbye to his father. This photo digitization service did the job - poorly, to be clear, because we're equating it to Equifax - and then threw the box of photos with full identifying information onto the street. John Kelley's grandmother's photo was used to create a fake ID. John Kelley's birthday party pic was posted to Facebook and someone figured out his birthdate or some other piece of trivial information and opened a credit card in his name. Trolls found a picture of his car, deduced its location, and cut the brake lines. The list of offenses can go on ad nauseam.
Now imagine the same thing is happening to you. Almost monthly your family photos, your birth certificate, and your diary are being ransacked or nearly ransacked by criminals. Your valuables are being broadcast to those who would like to steal them. Imagine that the companies you trust with your health, wealth, and privacy are leaking your information almost daily and that the tools used to secure that data are infuriatingly easy to crack as possible. You'd be mad as hell and you wouldn't take it anymore.
But you aren't. And you do.
Until John Kelley III is held accountable, until everyone who leaks our data and uses weak tools and methods to secure our data is out of a job, we will not be safe. Sure, many of us have little to hide but it is our right to nonetheless hide what little we do have. Corporate security talks a big game but fails every time. That has to change.