Equifax soaks up a lot of news as the example of bad leadership, and there has been a lot said about the CSO role and person.
However, by the numbers, Equifax appears to sit among a wide group of breaches that each lost around 100-150 million accounts (Under Armour, eBay, Target, Heartland, Rambler, TJX, AOL, MyHeritage and LinkedIn).
Granted that the group is defined by a quantitative measure, it is not clear how qualitative measures (type of data) would change the discussion.
Applying qualitative measures doesn’t explain, for example, why three of the biggest breaches of all time (on the relatively new “best in business” identity platforms containing all information about a person) saw a CSO treated so incredibly lightly compared to the breach of the antique Equifax.
When you look for a correlation of CSO to massive breaches (both quantity and quality of data), all of the following track back to a single person who never did the job before (or even a similar job at a public or large organization) and arguably never should be allowed to attempt it again:
- Yahoo 2013 (undisclosed until 2016) 3 billion breached
- Facebook 2017-2019 over 600 million breached
- Yahoo 2014 500 million breached
And yet nothing like the following seems to exist for Yahoo or Facebook…
- Equifax’s security chief had some big problems…
- Equifax hired a music major as chief security officer…
- Equifax Deep Dive and CSO Qualifications
We need to seriously consider whether an Equifax CSO was treated by social media pundits as an outlier and pilloried because she is a woman.
Why wasn’t the Yahoo/Facebook CSO scrutinized in a similar fashion given his documented/obvious lack of qualifications in organizational leadership, let alone all the other CSOs within the “100-150 million tier” of breached companies?
On top of the massive confidentiality breaches under the Facebook CSO, his legacy also includes some of the biggest data integrity failures in history (50 million accounts breached, failure to block unfiltered harmful content, and alleged facilitation of political destabilization and atrocity crimes).
The bottom line is one person attempted to be CSO twice, with no prior experience, and seems to have a track record now of nearly 4 billion accounts compromised with highly questionable disclosure practices. Yet this man seems to have escaped all the scrutiny applied to a woman.
Update Feb 3, 2020: Vice reports “penalties for data breaches and lax security are often too pathetic to drive meaningful change”.
Update Feb 10, 2020: While Facebook pivoted its CSO role to an external academic appointment at Stanford, and thus continues to be embroiled in breaches, Equifax went the other direction and has stayed above board.
The statement from the new Equifax CSO and the criminal charges by the US Government show a clear difference:
This morning, the DOJ identified the perpetrators who attacked Equifax in 2017. With breaches, identification of the attackers (or “attribution”) can be incredibly difficult—even impossible. Being able to share this information is the result of an enormous amount of work by authorities. We cannot thank the U.S. Department of Justice, Federal Bureau of Investigation (FBI), and so many others enough for their tireless efforts to achieve this result.
In parallel, Equifax has been transforming our security program—embedding security into our DNA by driving cultural change, implementing advanced controls tailored to the specific threats we face, achieving relevant certifications, and—just as importantly—sharing what we’ve learned with our customers, partners, and authorities.
Equifax partnered with authorities right from the beginning, and two-way information sharing remains a key part of our security program. The importance of partnering with authorities cannot be overstated. If your security team doesn’t know who to contact at the FBI and the Secret Service, change that today.
At Equifax, we are doing our best to make sure that this never happens again and to support others who want to learn from our experience.
Nothing even close to that for Facebook has appeared, only more breaches.