IT is Not a Profit Center

Published: Oct 1, 2017   |   736 words with about 4 minutes reading time   |   ©2022 by Bob Smith
Category: Technology   |   Tags: SECURITY

When asked about emerging technology and products, Equifax, like many other legacy companies, cites its operational excellence and size as proof that it can take on any disruptive threat once that threat has proven to be a risk. They prefer to let others make the investment gamble, positioning themselves as a fast follower.

The pile of annual reports proudly claiming this strategy keeps growing, written by once relevant, now forgotten companies that were displaced by new entrants disrupting their category. Even though the mounting evidence strongly suggests a defective corporate development strategy, many soon-to-be legacy companies continue to soldier down this track.

Regardless of the company’s long-term development strategy, if they claim operational excellence, they need to be operationally excellent. Information management is the only business EFX is in. GM would not fare well manufacturing 300 million cars of which 143 million have brake failures, made worse by the revelation that a fix had been available for 57 days but was ignored.

The table below illustrates a timeline of weak management. Congress will hammer EFX with updated laws and will fortify its main regulatory agency, the Consumer Financial Protection Bureau, and the Department of Justice with new administrative law and criminal teeth. State Attorneys General and the class-action suit industry will address EFX with civil penalties in the courts.

However, history will hammer EFX not for the breach, but for its cavalier handling of it, especially exacerbated by its complete and derelict failure in its core competency. These and other actions illustrate a pattern of optically arrogant decisions.

  1. Filed Form 4s allowing three officers to sell stock 5 days after discovering the breach.
  2. With 40 days to prepare, pointed consumers to a remediation site that had security defects and a sketchy, non-brand-conforming domain name.
  3. Baited customers into a commercial subscription product with only the first year free, for an exposure that will never expire.
  4. Required consumers to waive their rights to recover damages if they took the bait.

EFX Information Technology (IT) leaders will quietly continue to retire. But they are far from the only bad actors. Historically, IT has been a cost center, like human resources or accounting, sitting outside the line organizations that produce, distribute and service the products sold, the profit centers. E-commerce has up-ended the IT world.

Instead of supporting products, e-commerce makes IT the product. Many IT leaders have deliberately leveraged their domain over all things digital to re-cast their departments as profit centers. Being more closely aligned with revenue elevates IT departments to the main finance table, where resources go to the profit centers first and revenue opportunities get addressed before anything else.

When IT focus must be split between a new widget and routine maintenance, the profit-center culture wins every time. The IT culture and organization need rebalancing toward the cost-center side of the equation, resourced first to perform their job of securing the company and its customers from sinister activity.

| Date | Days from attack | Days from discovery | Event |
| --- | --- | --- | --- |
| 3/17/17 | -57 | -134 | Apache patches the disclosed Struts vulnerability CVE-2017-5638 |
| 5/13/17 | 0 | -77 | Unauthorized access starts [see finding below] |
| 7/29/17 | 77 | 0 | EFX observes suspicious activity on the dispute web portal and blocks it |
| 7/30/17 | 78 | 1 | EFX observes more suspicious activity; server turned down |
| 8/2/17 | 81 | 4 | EFX engages cybersecurity firm Mandiant to conduct a forensic review. Findings: 1) the Apache Struts CVE-2017-5638 vulnerability was the attack vector; 2) unauthorized access lasted May 13 through July 30, 2017, exposing 143M consumer names, Social Security numbers, birth dates, addresses and driver’s license numbers; 209K consumer credit card numbers; 182K consumer dispute documents with personal identifying information |
| 8/3/17 | 82 | 5 | Files Form 4s allowing three Section 16 officers to exercise stock. None were part of 10b5-1 automated scheduled trading plans |
| 8/22/17 | 101 | 24 | DNStination Inc. registers the remediation site domain |
| 9/7/17 | 117 | 40 | EFX publicly discloses the breach, offering 1 year of free TrustedID (EFX-owned) credit monitoring, but taking the offer waives the right to class action and suit. Advertises a remediation / vulnerability determination web site with defects at time of launch: TLS certificate validation, vital to browser / server transaction security, did not perform proper checks; domain not brand conforming nor initially registered to EFX; Cisco OpenDNS domain security watchdog flagged the site as a possible threat; site admin username accessible from the page |
| 9/10/17 | 120 | 43 | Domain registrant name changed to Equifax and other vulnerabilities patched |
| 9/12/17 | 122 | 45 | EFX backtracks on the class-action and suit waivers |

From EFX 9/15/17 statements and reporting by Dan Goodin and other sources such as Reddit.