As details emerge regarding the Equifax hack, we all seem to get more and more angry. If the details released thus far are any indication of the level of baby-town frolics that were going on with cyber-security at Equifax (default passwords, unpatched old vulnerabilities, etc.), then all of us affected have reason to want to see Equifax and its senior security staff tarred and feathered. If the stories prove true, there is absolutely no reason why people should not be fired (at the least) or jailed (more appropriately) for wanton sloth and laziness in the face of such risk to the lives, security, and hard work of all of us customers.
There is much talk in the press as well that the government will levy hefty fines on the firm, with estimates already over $350 million U.S. dollars. Again, all well-deserved if the details are accurate.
But what I am wondering is if Equifax executives will have the guts to stand up in front of the U.S. government and say “NO. Not until you hold yourselves at least as accountable as you hold us.”
The U.S. government is responsible for the OPM breach – easily as devastating to Americans as Equifax (if not more so). In fact, if you consider not just the directly-affected holders of USG security clearances but all the people they listed (including PII information such as social security numbers) on their SF86 applications such as family members, friends, references, past neighbors, etc., then you begin to understand the order of magnitude that the OPM breach represented. Millions and millions (the number keeps rising) of people, both U.S. and international citizens.
Yet no one was fired. No one was fined. No one served a day in jail. Director Archuleta resigned under pressure, but walked away. No punishment for putting all those people at risk. No fines or jail time or public humiliation for allowing a breach into the records of more than 20 million people (at the very least) – most of whom protect the lives and liberties of the rest of us every single day.
She walked away. Unscathed. And left the mess for the rest of us (with clearances who were exposed) to clean up. Yeah, thanks for the free credit monitoring…
So why should Equifax be any different? Is ours a government of only do-as-I-say-not-as-I-do? Are we as Americans so complacent with cyber-security breaches (after Home Depot, Target, Snowden, etc. etc. etc.) that we just let such an egregious breach as OPM go without so much as a single person who matters getting fired? And if we are okay with that, why should any of us be mad at Equifax?
The U.S. Government gave us not only OPM and Snowden, but how about Harold Martin (https://en.wikipedia.org/wiki/Harold_T._Martin_III, https://www.washingtonpost.com/local/public-safety/ex-nsa-contractor-to-face-spying-charges-in-federal-court/2017/02/13/01168ad6-f22a-11e6-b9c9-e83fce42fb61_story.html?utm_term=.75b1e07a28d2, http://www.cnn.com/2017/02/08/politics/nsa-contractor-alleged-classified-theft-harold-martin-indictment/index.html)? He walked right out the front door of the NSA, day-after-day with classified information – information that put the entire country at risk. Yet that news item passed through the media quicker than excrement through a goose. Most people don’t even know who Harold Martin is, nor could they describe what he was accused of doing. It was swept away in an instant and yet, once you read the story, was even more egregious than Snowden simply by virtue of the fact that it took place at the same agency after Snowden. Did the U.S. Government learn nothing?
No one in the U.S. Government was fired. No one served a day in jail for allowing such blatant activity to take place. No one was fined.
I doubt it will happen, but I would love to see the senior leadership at Equifax tell the U.S. Government to get its own house in order before it goes trying to punish commercial companies, levy hundreds of millions of dollars in fines on them, or demand firings or jail time for executives.
Robert J Bagnall