EP 4: What Went Wrong After? - How did Equifax fail consumers even more in the aftermath? How many fumbles can one company make in a row (turns out: more than you’d think), and how did they put us in even more danger.
ALIA: Bob, I want us to creatively imagine someone’s morning. Last season we imagined a hacker’s morning, but I have someone else in mind this time.
BOB: Okay
ALIA: Let’s do this.
Your alarm goes off, very, very early. You wake up. It’s still dark outside.
You turn off the alarm. You’re not much of a snoozer.
You have a suit waiting for you, it’s blue and very expensive and you look sharp in it. But you’re not ready to get up and put it on.
You’re lying in bed thinking about the security incident on one of the servers at your company. It’s not great, but your direct reports are taking care of it. They’ve kept you updated as they’ve begun all the routine practices for dealing with it.
These things happen. That’s why there are procedures in place.
You like procedures. You’re good at running this business. You’re going to be okay. You rollover and check your phone.
You have messages. A lot of them.
You make a call.
Your direct report’s voice sounds *different* now. Oh shit.
It’s not routine anymore. It’s bad. How bad?
Very bad.
In a few months, you’ll be testifying before Congress. In a few weeks, you’ll tell the public what’s happened. But it’s today.
What are you going to do about this today?
You’ve just found out your company is the victim of maybe the worst breach ever. What do you do right now?
Intro:
ALIA: Bob, how’d I do?
BOB: I thought it was great! Other than, man, can you imagine lying in bed like that and wondering, “Am I dreaming? Is this a nightmare or is this real life?”
ALIA: I’m Alia Tavakolian, podcast civilian, and resident morning-imaginer.
BOB: And I’m Bob Sullivan, veteran tech journalist, and resident metaphorist.
ALIA: This is Breach, brought to you by Carbonite: how businesses protect their data.
BOB: Last week, we talked about Equifax’s failures leading up to the breach -
ALIA: And this week, we’re diving into how they failed in the aftermath. What should a company do once they’ve been breached?
BOB: Or, in Equifax’s case: “What should a company definitely NOT do once they’ve been breached?”
ALIA: Yes. There are trolls, fake websites, hurricanes. Stick around.
BOB: Ok so before we get into all those mistakes, I want to go back to that “Oh Shit Moment” that you represented in your conjured-up morning, which I think is spot on. It takes longer than you might think to discover that this is the big one, or this is serious. But until, for the most part, you hire an outside company to come in and do an analysis, you don’t really know how bad it is. That moment when some outside entity confirms for you, “Oh no, this is much bigger. Of the 5,000 security incidents that you’ve had this year, this is the one that might take your whole company down.” Everything’s changed. I don’t think it’s a stretch to say you start counting time differently.
ALIA: Let’s go through the timeline with this in mind: July 29th, 2017 -
BOB: That certificate is finally updated, and the security team notices suspicious activity happening on the dispute portal.
ALIA: Also Graeme’s birthday, the guy who later gets pinned as the one “human error”. I just can’t get over that. Happy Birthday, Graeme.
July 30th - More suspicious activity is noticed from a second IP address.
BOB: Equifax takes the consumer dispute website and server offline.
ALIA: CSO Susan Mauldin is asked to join an incident management call and is informed of the situation. She emails her boss, Chief Legal Officer John Kelley, and the person covering for him (he’s away on vacation).
BOB: She then calls Graeme Payne, who emails his boss, Chief Information Officer David Webb.
ALIA: July 31st - CIO David Webb tells CEO Rick Smith about the suspicious activity on the dispute portal, and that it had been taken offline to address, quote, “potential issues.”
BOB: Equifax staff determines that PII may have been accessed.
ALIA: This has to be the first inkling of that “Oh Shit Moment”. Like, it’s not just a security incident. PII may have actually been accessed.
August 2nd - they bring in an outside security consulting firm called Mandiant.
BOB: An investigation begins.
ALIA: Equifax contacts the FBI. That can never feel good, that’s gotta be an “Oh Shit Moment”.
BOB: In his testimony, CEO Rick Smith contends this is all still routine. So maybe it’s just an “Oh Damn Moment” to him.
ALIA: Sometime after this - 6 or 7 days after the discovery - is when Graeme mentioned they started getting analysis back and began to notice how serious the breach was.
BOB: This is his likely version of the “Oh Shit Moment”.
ALIA: According to the House Committee on Oversight and Government Reform report, it’s later, on Aug 11th, when the investigation reveals that PII has likely been taken.
BOB: It’s not until August 15th that CEO Rick Smith says he’s notified that PII had likely been taken. If not before, I’d say that by now Smith has definitely had his “Oh Shit Moment”. And now, it’s time to tell the team.
ALIA: August 17th - Smith holds a “senior leadership team meeting” to loop in the rest of the higher-ups (CIO, CLO, CFO, business lead for ACIS). They get a detailed briefing on the Mandiant investigation.
BOB: And drops the bomb: consumer data compromise has been confirmed.
ALIA: That is a collective, C-suite team-wide, “Oh Shit”.
August 24th and 25th - more meetings, more “Oh Shit”’s - Smith tells his Board of Directors.
They talk about efforts to develop a notification and remediation program for consumers in the wake of the breach.
September 4th -
BOB: On this day, based on Mandiant's investigation, Equifax compiles their list of 143 million consumers whose data may have been compromised. That’s when this suddenly becomes enormous.
ALIA: September 7th -
BOB: Equifax announces the breach publicly. That’s an “Oh Shit” for us.
ALIA: Yeah. September 18th -
BOB: Federal prosecutors and the FBI announce investigation into the hack.
ALIA: Fast-forward to October 2nd -
BOB: The outside cybersecurity firm, Mandiant, concludes its investigation.
ALIA: Equifax announces an additional 2.5 million people might be affected by the breach, upping the total to 145.5 million affected civilians.
BOB: Also that day, Graeme Payne is fired for failing to forward an email regarding the Apache Struts vulnerability.
ALIA: October 3rd, the next day, Rick Smith appears before a Congressional Subcommittee. And over the next few days, Smith bounces from committee and subcommittee hearings in the House and Senate, answering repeated questions about everything that went wrong. “Oh Shit.”
ALIA: When we first heard that Equifax took 6 weeks between realizing something was wrong and telling the public, I thought that was an absurdly long time. But now, I’m thinking of all the stuff you have to do to get ready to tell the public. You have to put together an entire plan of attack for the worst breach ever, and that’s a lot.
BOB: So, you have this horrible data breach. What’s the first slide on your PowerPoint to explain this?
ALIA: Moving On After The Worst Breach In History.
Imagine you are Equifax. Dear Listener, you’re in the game now. We’re putting you in!
BOB: You’re the CEO.
ALIA: You’re putting together your plan of attack for how you’re gonna recover from this thing, and you’ve got that first PowerPoint slide. Where do you start? What’s the first issue on deck, Bob?
BOB: Issue #1 - A lot of people are going to want to know if they’ve been breached. You have an initial list of 143 million people whose information you’ve lost - they’re going to want to know if their name is on that list.
ALIA: Your solution: build a website to help people figure out if they’re one of the people who’s been hacked. To do that, you buy a new domain name.
BOB: Which is where Montreal-based software engineer Nick Sweeting comes in:
NICK: …from what I remember, the Equifax breach day, actually it wasn't that big of a deal in my mind at the time - until I saw that the domain that they registered was not their official domain.
ALIA: They’d bought the new domain name “equifaxsecurity2017.com”. This might not sound like a big deal, but it is - because in the Wild West of the Internet, domain names are important.
NICK: because they represent sort of the root of trust for a company.
ALIA: I trust Equifax.com belongs to the real Equifax, the same way I trust Google.com belongs to the real Google, or CNN.com belongs to the real CNN. So If Equifax had used the main Equifax.com, slash, SecurityBreach2017 or something, I’d know I was in the right place.
NICK: So Equifax threw all of that out the window by buying a brand new domain that doesn't have any trust associated with it.
ALIA: You’re supposed to go to EquifaxSecurity2017.com...or was it EquifaxSecurityBreach2017.com?
BOB: It’s as if Google sent you to GoogleSearch.com, or CNN created CNNnewsfrom2018.com. I mean, what in the world?
NICK: I realized that basically any old scammer or, or phisher out there could register a similar domain. And I thought, “What the heck,” you know, “I might as well do it myself and make a site to kind of make fun of them.” Um, and so I did that.
ALIA: He selects the almost identical SECURITYequifax2017.com.
BOB: I can’t even remember how the correct one’s different from that.
ALIA: EQUIFAXsecurity2017.com
BOB: Oh, yeah that’s right. I think this is exactly Nick’s point.
NICK: I bought the domain, and I cloned the Equifax website in about 30 seconds.
ALIA: It’s identical to the original site, except for the results page - once you type in your Social Security Number to see if you’ve been affected, it says:
NICK: “Ha ha, you've been bamboozled. This is a fake site. Go tell Equifax that they should host this on a real domain and not some cheap domain.” Just to make it clear that I wasn't actually trying to get anyone's info.
ALIA: Yeah. You weren't like tricking people.
NICK: Well, I was sort of tricking people, but not maliciously. I didn't keep any of the data that they gave me.
ALIA: He makes sure that no one’s data will be stored on his site, then he puts it out in the world.
NICK: ...and then kind of forgot about it for a week.
ALIA: The site has a pretty high hit-rate. He later figures out that in a 2-3 hour period it got 250,000 hits. He keeps it up for a couple weeks, hopes it teaches Equifax (or someone) a lesson about registering new domains, and that would have been all. But then -
NICK: On September 20th, so about two weeks later...
ALIA: Equifax tweets eight links to SecurityEquifax2017.com - Nick’s site.
NICK: And the way I found out is that someone on Twitter mentioned it to me. They said, “Hey, have you noticed that Equifax has been tweeting out links to your site?” It went viral, it got published everywhere, the media started contacting me...
ALIA: And then he discovers -
NICK: Not only had they been tweeting it, but it was in their official marketing materials that were being auto-completed by their social media management application.
ALIA: So Equifax has support reps all across the country responding to people, typing in the first few letters, and then the Equifax-approved message auto-completes with a link to Nick’s fake website.
ALIA: Unbelievable.
NICK: Yeah. And Google blacklisted the site across all browsers with their safe browsing initiative at around 4:00 PM. So it all took place in the span of a few hours.
ALIA: How much time did it take you and how much money did it cost you to create this website?
NICK: (laughs) Uh, somewhere in the range of, of I think 10-15 dollars total. And then the day of, my whole day was gone because it was going viral and the media was contacting me.
ALIA: Oh my God. What do you make of that?
NICK: (laughs) Well, it's, it’s great to see that people can make such a powerful statement with, with very little money and time investment.
ALIA: For Nick, it’s not just the one mistake of buying a new domain that bothers him - it’s the lack of accountability for big companies when they don’t take security seriously. His end goal was some kind of accountability, even in the form of trolling.
NICK: But, uh, I think naming and shaming is one of the few things that works for big companies in the security space. Uh, you really have to point out when someone has made a mistake, make it public, and do it in a responsible way. I have no hope for Equifax fixing their security, but hopefully some other company will learn from their mistake, and this doesn't happen again.
ALIA: Alright - so we’ve asked you to wear Equifax’s shoes and figure out how to respond to the worst breach ever.
BOB: Not an enviable task.
ALIA: You registered a new domain name.
BOB: That’s just not a good idea.
ALIA: Nick Sweeting has created a look-a-like website.
BOB: And that’s why that wasn’t a good idea.
ALIA: Not only that, your Equifax marketing team keeps tweeting the fake website out to the world. Things are not going great.
BOB: And people are worried. They’re angry, they’re afraid, and they want answers.
ALIA: A lot of those folks reach out to Ron Leiber, our friend at The New York Times.
BOB: Can you talk about the emotions of the people writing to you?
RON: Sure. So, at first there was a sort of desperation, right? I'm at risk. My financial life is at risk.
ALIA: So your solution is this website. Now that you’re finally tweeting the right link to EquifaxSecurity2017.com, people will go there, and input their Social Security Number, and finally find out, “Am I one of the ones who got breached?”.
BOB: But here’s the first problem with your website: people don’t trust you.
RON: Why should I trust these Bozos with my Social Security Number if they've already proven, uh, that they can't handle people's information? Excellent question, right? You had to take it on faith at that point.
ALIA: Next problem - whoever made your website, unintentionally included an arbitration clause, essentially saying, if you check our site to see if you’ve been breached, you’re signing away your right to sue us. CEO Rick Smith claims that that language had been, quote, “‘cut and pasted’ from a different Equifax offering,” and they removed it as soon as they discovered it. But still, not great out of the gate. So let’s say people get over the fact that they have to give your company more data after you just lost their data, and they forgive you for that arbitration bit which made it seem like you’re trying to trick them out of their right to sue, and they go to the website and they enter their Social Security Number: it doesn’t even work.
RON: And then the ones that did input their Social Security Number were saying, “You know, I did it last night and they said I had been impacted, and then I did it again today and it says that I hadn't been impacted.” Um, and then, jokesters, uh, on the Internet were typing in random sets of numbers and you know, getting different responses for the same numbers. And it became clear that the, that part of the website wasn’t functioning.
BOB: Frankly, what this looks like is that it’s a dummy website that doesn’t really do anything.
ALIA: These problems are later attributed to a coding issue. Graeme Payne, who you’ll hear from later, testifies that this mistake was likely a result of everyone working under intense pressure, quote, “day in and day out,” and says the coding mistake was resolved quickly, but by then it was too late.
Okay, so for those who forgive you for that shady stuff at the top and input their Social Security Number, then navigate through your inaccurate and faulty website to eventually find out they’ve been affected by your breach, you’ve got to offer them some kind of product or services to help take care of them and clean up your mess. Equifax offered a suite of services after the breach, which we talked about more in depth last week. Services like: copies of Equifax credit reports, free monitoring of credit reports from the three major credit bureaus, that credit “lock” tool, identity theft insurance, and internet scanning for Social Security Numbers. None of these are as effective as a credit freeze, but they’re at least something. That is, until people try to actually use these promised services.
RON: And then I started to get more email from people who are trying to set up this, this credit monitoring, saying, “The website is frozen,” or, “I put my information in and it quits halfway through,” or, “It tells me I need to call, and when I call I can’t get ahold of anybody.”
ALIA: When people try to claim their free credit monitoring, their registrations are delayed.
BOB: The internal Equifax system simply can’t process that many requests at the same time.
ALIA: I found a quote from Graeme Payne in a report from the House Committee on Oversight and Government Reform. He uses a metaphor, Bob, for why they were unprepared. He says that their website was essentially a bathtub that had a finite capacity, and people registering were like water filling up the tub. And behind the scenes they were turning on a tap to let some of the water out, drip drop, but every day the bathtub kept filling up faster than they could open taps to drip the water out. That’s why there was a huge backlog of people who registered, but didn’t get a notification.
BOB: CEO Rick Smith testifies that they experienced somewhere between 400 and 420 million visitors over 3 weeks. That’s an incredible number. I mean, that’s like twice the US adult population. It’s insane.
ALIA: I cannot even fathom that number.
BOB: I mean, Google couldn’t handle a certain number of requests. That’s what a denial of service attack is. So, I mean, what really happened here is Equifax created their own denial of service attack against themselves.
RON: And it becomes clear very quickly that even though they'd had three, four, five, six weeks kind of scurrying behind the scenes getting ready to announce that this had happened, that they in no way had planned for any part of the infrastructure to deal with all of this consumer angst. None of it was in place.
ALIA: Alright, you’re Equifax - what are you going to do next? The site isn’t working, people have questions, they don’t know why the credit monitoring you offered them isn’t coming through, they want to talk to someone.
BOB: So you make sure to open...
ALIA & BOB: Call Centers!
ALIA: And it goes great! ...No it doesn’t, it’s a dumpster fire. Equifax did what a lot of companies do in an emergency situation: hire some outsourced customer service centers and train people quickly. Give them an FAQ to read from...
RON: The information that they were giving to the reps, uh, you know, was outdated almost as quickly as they gave it to them. Some of the information was in fact factually inaccurate, and these poor people were overmatched. I mean, these were not people who had worked in financial services before, they had not worked for credit reporting agencies, they just had no idea. And they had no answers for the fact that Equifax’s basic technology, their website, just wasn't working.
ALIA: People are just trying to do whatever Equifax is telling them they’re supposed to do to get help.
RON: And they couldn't do the thing that the company had very specifically sent them to do because the company's infrastructure was nonfunctional.
ALIA: Graeme Payne testifies that they “had to ramp up 1,500 call center agents in a week or so.” There’s a huge flurry of activity getting these call centers ready before the September 7th announcement. And then -
[News montage of Hurricane Irma]
BOB: You remember how Ron was trying to get his dad out of Florida during a hurricane while the Equifax story was breaking? Well, while all that is happening, Hurricane Irma forces Equifax to close some of its call centers, leaving them even more understaffed, and making it even harder for people to get through on the phone lines to get answers.
ALIA: Equifax truly is the Fyre Fest of breach responses. They’re already failing miserably, and then - add bad weather.
BOB: Okay so the result of all of this: weeks, and then months go by, and people are unable to find out if and how they’ve been affected, and it’s unclear what they’re supposed to do.
ALIA: Which made me wonder - if I were a company like Equifax, in possession of some of the most valuable information on Americans, why wouldn’t I have a contingency plan in place for something like this?
RON: That's an excellent question. I never actually thought to ask them that. It was such a debacle that I just assumed all along that they had never rehearsed for anything like this, that they had no idea what to do. And to be honest, you know, getting this right would not have been that hard. Right? ...
ALIA: For instance, he points out, you can contract with Amazon or Microsoft so you have extra server capacity if millions of people show up on your website. You can put basic facts on the Internet and have them be correct. You can anticipate consumers are going to want free credit freezes. But it’s hard to get it right if you’re not used to thinking about consumers as people instead of products.
RON: ...they deal with consumers reluctantly and only when forced to by regulators and legislators. Um, they do it kicking and screaming. And that's what happened to them here too.
ALIA: With Equifax dropping the ball, Ron finds himself in the position of helping concerned consumers fight their way through this.
RON: Sometimes I would get up at two in the morning and tweet and say, “Hey, lines are open!” You know, um, “You could actually get through at this point, the website appears to be functioning!” But after five or ten days, then there was a sort of exasperation replaced by disillusionment and despair. And the despair came from the fact that nobody had...nobody had signed up to be tracked this way.
ALIA: And now I’d like for us to take a brain break. When we get back, we’ll hear from Graeme Payne about what things were like inside Equifax while they’re gearing up to go public with the breach. In the meantime, let’s hear from another friend of mine at Carbonite, who has her own “Other Identity.” This time, maybe not because of a fraudster - it might have been the debt collectors’ mixup. I’ll let Allison tell you:
ALLISON: My name is Allison Cook, I am a marketing manager at Carbonite, and I live in Boston.
ALIA: So Allison, can you tell me about the other Allison Cook?
ALLISON: I met her when I was 14 years old. She stuck with me for quite a while, about four years or so.
ALIA: Ugh, and what did Other Allison Cook buy with your identity?
ALLISON: She got an education, I’m not entirely sure what kind of education, but it was expensive enough that she had trouble paying her loans back for it. So I started getting phone calls at home on my parents’ landline. And then around when I needed to start applying for my own student loans, when I was about to graduate high school, the calls stopped. It’s almost as if once I became a legal adult something, like, snapped in their system and they realized their mistake.
ALIA: So, okay, I’m wondering, what do you imagine Other Allison Cook is doing out there in the world in 2019?
ALLISON: I really, really hope she’s getting her money’s worth for her education. I understand now more than ever it is really hard to pay back student loans. I’d like to think she has her PhD, and that she’s just out there, it just took a little extra to pay it off.
ALIA: Is there anything that you want to say to the other Allison Cook? Like, if, if she’s listening to Breach, what would you want her to hear from you?
ALLISON: That I don’t think she did it on purpose, so I forgive her. However, it was very, very frustrating to have my entire high school every time I got a phone call thinking it was a boy that I liked that it was just a debt collector.
ALIA: Welcome back to the Equifax breach aftermath. So, things are going pretty awfully for Equifax on the consumer-facing front. Now let’s go inside the organization itself. We asked Graeme Payne what this period was like for the employees at Equifax. Remember, he’s part of the organization that jumped into action when suspicious activity is finally noticed on the servers.
GRAEME: Um, you know, obviously during that period only a small number of people knew what was actually happening.
ALIA: Graeme and those lucky few are busy getting things ready in the six weeks leading up to September 7th - the day they go public.
GRAEME: And I think the general feeling, um, in the company was one of shock. And then over the next couple of days, you know, all the obvious questions started to come, um, from, you know, people that I worked with that like, you know, why did it happen? Where did it happen? You know, who was responsible? As well as questions like, you know, is, what, is the company going to be investigated? Is the company okay? I mean, what's happening to my bonus? A lot of these-- but then it becomes very personal to, to people, right?
BOB: I think it’s important to remember there are real people being impacted inside the company too - people with lives, and mortgages, and kids in school. And it’s probably really scary for those employees.
GRAEME: There was, there was certainly a period of uncertainty and then, um, following that, Rick Smith steps down as CEO. My boss, who was Dave Webb, stepped down, the Chief Information Security Officer stepped down. So, that creates another, sort of wave of emotions through the, through the organization.
ALIA: They didn’t so much step down as, quote, “retire at an accelerated rate” - that’s how Chief Information Officer, David Webb (Graeme’s boss) put it.
BOB: He retires on September 15th (a week after the breach is announced), as does Chief Security Officer Susan Mauldin.
ALIA: Last week we talked about how the Security and Tech teams didn’t cross reporting paths at Equifax, because the prior leaders didn’t like each other, which led to a breakdown in accountability between the folks setting policy for patch implementation and the folks actually patching the tech. Those teams are now lead by Susan, CSO of Security, and David, CIO for Tech. And it doesn’t matter what system they inherited, they’re out the door. Ten days after Susan and David retire, on September 25th, Rick Smith retires as CEO, but stays on as an “unpaid adviser to Equifax to assist in the transition.” In doing so, he won’t take his bonus for the year, which in 2016 was $3 million.
BOB: But there is a lot more money than that on the table. Because he’s retired and not fired, there’s a retirement package on the table, with some vested stock. We don’t know exactly how much he got. Fortune estimated he was eligible to receive around $90 million.
ALIA: Okay, that is a lot of money. Like, that is a lot of money, Bob.
BOB: Makes the 3 million sound kind of inconsequential, right?
ALIA: Yeah!
BOB: Now, he wiggles around this in one of those hearings before Congress.
REP. SCHAKOWSKY: So now I understand that you agreed to forego your 2017 bonus, which has, uh, been about $3 million for the past two years, correct?
SMITH: That is correct.
SCHAKOWSKY: But it’s been reported that you will still retain $18 million in pension benefits from Equifax, is that accurate?
SMITH: That is correct.
SCHAKOWSKY: Uh, retiring - which is the category right now, although the company maintains, uh, the right to change that designation - also means you’ll be free to sell your Equifax stock which is worth about $24 million, is that correct?
SMITH: Congresswoman, that calculation is, it’s hard to say, it’s a complicated calculation. It depends on the total shareholder return of the company at the time the stocks vest, there’s multiple variables. That may be an estimate, I’ve seen different estimates, but it’s hard to say what that number is, you won’t know until the end of the year.
SCHAKOWSKY: And that’s in addition to Equifax stock you sold earlier in this year for $19 million, is that correct?
SMITH: Uh...that sounds correct.
SCHAKOWSKY: And according to one report you could be eligible for $22 million in performance based compensation depending how Equifax stock, uh, performs in the next three years, is that right?
SMITH: Let me be very clear, if I may, Congresswoman - when I announced my retirement, and thought it was best for the company to move forward with a new leader, I agreed to step down at that time with no further compensation, and I agreed I should not get a bonus, uh, I agreed there would be no severance, I asked for nothing beyond what I had already earned.
BOB: So, good on him for leaving $3 million on the table, but he’s going home with a lot of comfortable perks.
ALIA: Okay, you know who was fired (NOT retired)? Graeme Payne.
GRAEME: Uh, I was surprised. Well so at that at that point, a interim CIO had come into place, um, and so I was reporting to him and so, supposedly it was a meeting with him. Um, and when I arrived it was just the two HR people.
ALIA: An awful surprise. And at this point, his boss David Webb, and his boss’s boss Rick Smith, got to retire as a result of the breach -
GRAEME: And so I was a little surprised that, um, I was being terminated and not offered, you know, some sort of retirement. But uh, at that point I had, had no idea how deep or wide this was going to go.
BOB: And then when it turned out to be just you, and then you turned out to be mentioned at this hearing...that, I mean that just seems out of scale. Politely, as Alia put it, a lack of accountability. But I can think of less polite ways to put it.
GRAEME: I think the committee concluded that it didn't align with the backdrop of the facts.
JAN: Hey Bob, hey Alia. There’s something that Graeme said earlier that I think is really important that I want us to talk about.
ALIA: Okay.
BOB: Yeah.
ALIA: This is Producer Jan joining us remotely in the studio.
JAN: So, he talked about the internal climate at Equifax in all the weeks leading up to the public announcement and he said:
GRAEME: Obviously during that period only a small number of people knew what was actually happening.
BOB: Yeah that makes sense, you would want to keep the group who knew what was going on as small as possible before rumours would spread.
ALIA: Mmm.
JAN: Who really knew about the breach when is a really important question for a very legal reason: insider trading.
ALIA: Mmmmm
BOB: Oh yeah.
JAN: Here’s what we figured out through a combination of the various testimonies, government reports, Equifax's investor website, and different news articles: So right off the bat, several executives are publicly suspected of insider trading. ‘Cause remember, the certificate updated on July 29th; all that suspicious stuff in the portal is discovered the next day, July 30th; Equifax staff realizes they may have lost PII on July 31st; then on August 1st, the next day, the CFO of the company, John Gamble, sells nearly $950,000 worth of stock, and the President of Information Solutions, Trey Loughran, sells $584,000 worth. August 2nd, the day after that, the President of Workforce Solutions, Rodolfo Ploder, sells more than $250,000 worth of stock, and the SVP of Investor Relations, Douglas Brandburg, sells about 1,000 shares.
ALIA: That seems really shady.
JAN: It does seem incredibly shady. But there are non-shady cases to be made for the timing. Like apparently, lots of people sell stock at the beginning of the month. An Equifax rep also makes the point that while these are big chunks of money to sell, they’re only small percentages of what these execs actually owned. And, these executives weren’t in the small circle of people who knew about the breach in late July, these guys were officially notified of the breach after having sold all this stock. The optics are bad - like, clue-in-a-bad-detective-novel bad - to sell stock the day after your senior executive colleagues at your company have discovered the first inklings of the worst breach ever, but an internal investigation is done at Equifax, and an external investigation, too: all of these executives are cleared.
Now let’s fast forward to August 25th. It’s a Friday, more Equifax team members know about the Breach now, but Jun Ying (who’s the CIO of a division at Equifax called “U.S. Information Solutions”) has no idea. He gets an email asking him to work on “breach remediation” for an internal project that’s code-named “Project Sparta”. The email says that Equifax’s global consumer-solutions business is working on a, quote, “very large breach opportunity,” and that it’s, quote, “extremely time sensitive,” (all of this is according to the SEC.) So hours after getting this email, Ying is then invited to a mandatory conference call - which, don’t you just hate those?
ALIA: Yes
JAN: Getting volun-told that you have to join a mandatory conference call
ALIA: Terrible
JAN: Yeah - he doesn’t join the call (I wouldn’t either, it’s a Friday), but one of his direct reports did. And that direct report texts Ying, saying something like, “Hey so we’ve been asked to help prepare our IT applications to handle roughly 10 million customers,” which is a very big Friday request. So, Ying hops on the conference call, and apparently he resists assisting on this Project Sparta. He is, like, not into it. So Ying then goes and talks to his supervisor, who is really shady and vague about Project Sparta. The supervisor tells Ying that he really doesn’t need to know why he needs to comply with Project Sparta right now, but at some point later he will come to understand what’s happening and why it’s important.
BOB: So to clarify here, there’s still the possibility that this involves some outside company. Right?
JAN: Yeah, absolutely.
BOB: Yeah. This is, we, “breach opportunity” means they’re going to do this for someone else.
ALIA: “Breach opportunity,” that’s what that means! Okay, I wondered. I thought, what a bizarre choice of words.
JAN: So anyways, on that day - August 25th, the day of this email and this conference call - Jun Ying was texting his direct report and he sends this text: “Sounds bad. We may be the one breached.”
ALIA: DAMN.
JAN: And he also says, “Starting to put two and two together.”
ALIA: He’s not an idiot.
JAN: He’s not an idiot...or is he? Because those texts could be evidence that he knows about the breach before he’s officially told about it. Remember, those execs from before sold their stock before being notified. There’s no evidence that they put two and two together. For Jun Ying there’s now literal evidence that he “put two and two together.” The next Monday, August 28th, Jun Ying searches the web for information on the impact of Experian’s 2015 data breach on their stock prices, and it’s apparently scary enough that a few hours later he exercises all his available stock options and sells them for more than $950,000.
ALIA: So, what happened to this guy?
JAN: Well, Jun Ying originally pled not-guilty, but then in a hearing a few weeks ago (on March 7th), he pled guilty. His sentencing is scheduled for June of this year.
ALIA: Ugh. That’s really intense.
JAN: Yeah, insider trading is taken really seriously. Like, the SEC is no joke. Like, justice was swiftly administered for Jun Ying, but it just makes me wish that data security was taken as seriously as insider trading was. Like, where’s the data security SEC to come in, guns blazing, to administer justice for putting 145 million of us in danger?
ALIA: How was Equifax effected afterwards?
BOB: Well, let’s look at a stock chart. You can see on September 8, the day after the announcement, Equifax stock fell a lot - 13% actually. And within a week, about $5 billion of market capitalization had been wiped out.
ALIA: Gosh. So, when I look at this chart of Equifax’s stock over the last 5 years, you can see this enormous dip in September of 2017. And like, Bob, if I was just looking at that dip and didn’t see what comes afterwards, and I had to guess, I would guess that that line would just continue to dip, or would like, sort of plateau. And it doesn’t. It just creeps back up, like, kind of immediately, right?
BOB: Yeah, within a few months, most of that money that had been lost has now been regained.
ALIA: That’s nuts. That seems nuts to me.
BOB: The punishment, according to Wall Street, really didn’t happen.
ALIA: I looked into it. The quarter in which Equifax announced it’s breach turned out to be the second-best quarter it had ever had. They earned $835 million. After all of this, they stayed profitable. They just keep getting to be a profitable business.
BOB: And remember, that’s because the thing that they sell wasn’t impacted by this breach.
ALIA: Earlier when we asked you, listener, to step into Equifax’s shoes, to imagine yourself figuring out how to recover from this breach - as all this bad stuff happened, and you kept failing (tweeting the wrong link, not giving people adequate information, understaffing call centers, hurricanes) - as you swirled in your own failure, did it occur to you that financially...it may not even matter? That you’d be fine? You won’t have to pay. Could that have been their plan all along? Could Equifax’s PowerPoint presentation secretly have been: push through, half-ass a response, count on not having to pay for it, and just hope people forget? Ron Leiber from the Times tried to talk to Equifax after their weeks of failed consumer response, to give them a chance to speak about it honestly, address consumers directly. And finally, they said yes, and Ron bought a plane ticket.
RON: And then they changed their mind and they said no. I think they just figured that when the breach first happened, that this was all just going to go away eventually, and people like me would move on to something else. Which was right, right? You know, I couldn't write about Equifax forever.
ALIA: We reached out to Equifax too, with our questions, and got an email back from them while I was debriefing in the booth. Associate Producer Caroline was recording.
CAROLINE: Um, “Equifax remains committed to working in good faith with stakeholders to be transparent and cooperative, while sharing important learnings from the 2017 incident in order to enrich the entire cybersecurity community. As a company, we have made significant progress since the incident to enhance our security and technology operations. This includes strategic leadership changes with the addition of highly qualified Chief Technology and Chief Information Security Officers reporting directly to the CEO, as well as nearly 1,000 full-time IT and security professionals. In addition, we have increased our technology and security spending by approximately $1.25 billion between 2018 and 2020, and will continue to invest heavily to transform our technology and security to industry-leading capabilities. In addition, please feel free to visit the dedicated website EquifaxSecurity2017.com for any additional information and answers to frequently asked questions.”
ALIA: Un-fucking-believable.
CAROLINE: So, now they’re using that website as, like, “this is how you can find out what we’re doing to keep people safe!”
ALIA: They’re still using the goddamn website!
ALIA: So, great. They’ve spent a ton of money on hiring people and creating new security and technology operations that should have been there to begin with, and they finally got their 2017 domain name right. Equifax seems to think we should move on. Should we? Let’s go back to Ron.
RON: I have no reason to think that the people there did not genuinely want to be helpful, but I think they were silenced almost immediately and said, “don't give anything to anyone, um, because every word that we utter in public from this point forward becomes part of the legal proceeding.” It was a legal strategy, but I think they were genuinely hoping that this was just all going to go away.
ALIA: In thinking about consequences of the Equifax breach, I wondered if Nick, the fake Equifax website creator, faced any consequences after trolling them.
NICK: Yeah. For, for a few months I definitely lived in fear of swiping my credit card and getting a credit card declined message, and checking my credit and having a zero or something. Um...but surprisingly, nothing happened. However, I did actually reach out to the employee that got fired. Uh, they, they used one employee as a scapegoat.
ALIA: Not Graeme Payne, a different scapegoat for the Twitter problem. Equifax ended up firing one of the lower level social media marketing guys for tweeting out Nick’s false link so many times, even though he was just autocompleting messages using the program his supervisors gave him. Meanwhile, Nick is being contacted by the press asking him for quotes -
NICK: They asked if I knew at all about the internal situation in Equifax, and I realized that Equifax is probably going to skin this guy alive. And I wanted to get out in the press that it wasn't his fault very early.
ALIA: So he gives a shout-out in The New York Times.
NICK: “Nick Sweeting says that the person who typed this in shouldn't be responsible, it's the fault of the higher up executives,” or something like that, I don't remember the exact quote. But after giving that quote, I realized I should probably talk to this person and make sure that they're okay, and that they have some job opportunities in the future.
ALIA: Can I just say - I feel like our software-engineer-turned-troll Nick Sweeting did a far better job caring about the repercussions his fake website had on their social media guy than Equifax did with their real website and the repercussions it had on us.
ALIA: What surprised you most about this whole experience with Equifax?
NICK: I guess the fact that so many levels of management had to have backed off on these really major mistakes, and at no point did someone decide to talk to someone who actually knew what they were talking about. Uh, and they just, time and time again, made the worst possible mistake that they could make in each case.
BOB: Graeme disagrees that Equifax was apathetic. He says there were a lot of executives working very hard behind the scenes and trying to execute a plan, it just wasn’t one that would work on a breach this bad.
GRAEME: I mean we had in place, um, yeah, crisis management processes. We had, uh, tabletop exercises and so on, but I don't believe that we really simulated to the extent that what happened in this particular breach.
BOB: They were prepared for a snowball fight, they weren’t prepared for a war.
GRAEME: I just think that, you know, the devil's in the details, Bob, and I don't think that anyone expected a breach of this magnitude and impact.
BOB: Okay, so Equifax did prepare for a breach, just something not as large as this. So does that mean that large companies simply cannot prepare for “the big one”, as Ron keeps telling us? Like, you can run tests for your emergency plan B, break glass in case of emergency, but it’s incredibly hard to simulate losing all of American Social Security numbers. Or, let your mind wander about what that might mean at a big bank, at a bigger internet company. Can they really simulate the big one?
ALIA: This is something that made Nick Sweeting angry. He’s not convinced that, without more naming and shaming, companies like Equifax will even try to prepare for the big one, because they don’t have to. There aren’t enough big consequences for “the big one”.
NICK: Given the severity of the incident, and given the fact that Equifax’s main job is to manage Social Security information and credit information safely, I think this is a company ending incident. I think it probably makes sense for either Equifax to be dissolved and restructured, passed off to other companies - or, if they are to stick around, at a minimum for them to entirely rewrite their, their technical stack from scratch and have third party auditors tearing apart every part of the company. It's essentially a company ending incident. It's like if all of the Uber self driving cars all decided to crash at the same time and killed all their occupants. It’s, it's similarly detrimental for a credit reporting bureau to, to publicize all of the credit information.
ALIA: But, even after all that, it’s impossible for Nick to escape Equifax.
NICK: I had to sign a lease, uh, about six months ago, and I tried to get my credit report from the other two credit bureaus, and I couldn't. And I’m really sad to say that I had to pay Equifax like 20 bucks to get my credit report from them after all this.
ALIA: Ugh, how did that feel?
NICK: (laughs) It was gut wrenching. I just, I really hoped that the other two companies would be better, but their, their sites didn't even work. Like, I couldn't request the report. You know, you get one free credit report a year, and I clicked the link to get it on the other two pages and it's just a 503. Equifax is the only one that works. That's just depressing.
ALIA: You should troll the other two!
ALIA: I want consequences. I cannot believe they’re still here. Financial, legal, personal. I want them to pay us what they owe us.
BOB: Yeah, I know. It sounds like there haven’t been any consequences...but, we found some! People are quite literally inventing consequences. There are people fighting this unjust system, and there is a reason to have hope that we can hold companies like this accountable. Through individuals fighting in Small Claims Court...
JESSAMYN: Maybe it would be fun to try to file a small claims case against Equifax.
BOB: ...large Class Action Lawsuits...
CATHERINE: Class Actions represent the collective consumers.
BOB: ...legislation...
MIKE: We did get a free credit freeze law into place.
BOB: ...but it all starts with a truly insane testimony before Congress.
CONGRESSMAN: But I can’t fix stupid, as a colleague of mine used to say.
ALIA: Equifax: Avoiding the Consequences. Consumers: Inventing the Consequences. That’s next week on Breach.
ALIA: Breach is a branded podcast brought to you by Carbonite in partnership with Midroll and Spoke Media. You can find transcripts and show notes at carbonite.com/breach
A correction from last week - we refer to the GAO as both the General Accountability Office and the Government Accountability Office - they officially changed their name to Government Accountability Office in 2004.
Follow along on twitter - we’re @breachpodcast.
If Cyber Security reporting were continuous remakes of A Star is Born, Bob Sullivan would be Barbra Streisand, and I would be Lady Gaga.
If, out of a hundred people in the room, you’re the one who believes in Breach - head to Apple Podcasts and rate and review our show! It helps people find us! And tell all your friends!
Our show is executive produced by me, Alia Tavakolian,
and produced and written by Janielle Kastner (aka “Producer Jan”).
With Associate Producer Caroline Hamilton, and Production Assistant Kelly Kolff. Research by Haley Nelson.
When Bob and I are in the studio we’re recorded by Casey Holford and Jared O’Connell. Today’s episode was mixed and sound designed by Evan Arnett.
Our Head of Post-Production is Will Short.
The songs you hear come from APM Music and FirstComm.
Our Executive Producer is Keith Reynolds, who has not seen A Star is Born.
Special thanks to the folks you heard from today: Ron Lieber, Graeme Payne, and Nick Sweeting.
And thanks to our friend at Carbonite, Allison.