I recall someone who was a security director at Panera Bread (a US-based fast-casual restaurant) who was confused and upset when a security researcher contacted them and asked to exchange a PGP key ... I suspect he straight up didn't understand what the request for a key meant, or possibly even the issue, as it was a very obvious issue and they did nothing about it until it hit the press.
The initial email exchange is indeed a sight to see, so I transcribed the text in the image:
---------
Hello Mike et al
Thank you for making yourself available. There is a security vulnerability on the delivery.panerabread.com website that exposes sensitive information belonging to every customer who has signed for an account to order Panera Bread once. This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number. Moreover, the users are easily enumerable which means an attacker can crawl through the records.
I can provide the specific details of the vulnerability over email once you respond, but if you prefer (for more security), I can also encrypt the information with a PGP key you provide me. Alternatively we can hop on a phone call.
Best Regards,
Dylan Houlihan
--------------
Dylan
My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.
If you are in a position where you don't understand the e-mail, then ASK someone who does. Or do a quick Google search for "PGP e-mail": wow, was that so hard? The guy was probably late for a golf game or something (OK, now I am being mean). Idiots.
In my last job I was responsible for onboarding B2B clients to send us HR data through SFTP with key authentication. We also recommended they encrypt with our public PGP key and sign with their private key.
Trying to explain the difference between SSH keys and PGP/GPG keys took up a good 20% of my time some weeks. Often, I was talking to tech companies, or companies with a reputation for technology... I don't think the majority of Windows admins understand public/private keys.
CCPA -- the California Consumer Privacy Act -- has real penalties for data breaches [0]. When there is pure negligence in play and the business doesn't cure with 30 days' notice, the law seems to explicitly provide for a minimum $100 / person penalty. And up to $750. There are amendments in play to remove the 30-day cure grace period; whether they pass this year or not, we'll have them within 5 years (personal bet).
Basically, breaches can be an extinction event for a company in California starting 1 January 2020. A couple companies are gonna take one for the team, and shortly thereafter, boards will be very interested in security postures.
We are perhaps being too cynical; it isn't quite that straightforward. I hear you also need to wear the right tie and buy the correct pair of expensive shoes.
I think it's the same everywhere. I work in finance, and after 5 years of working out of college I'm almost convinced that incompetence is a requirement for senior management positions. That and ass-kissing and the ability to twist facts.
One day, my son was ranting about some guy who, in my son's opinion, was the death of multiple cool projects. He was like "I don't know how he keeps getting hired! He destroys everything he touches!"
And I told him "His resume lists multiple cool projects that he worked on."
In a world where even Rudy Giuliani is able to become a renowned 'cyber security' expert with his own consulting firm, job titles can obviously be misleading.
Something similar happened to me years ago. In the process I sent a tarball. He replied with, "Please resend the attachment as industry standard ZIPFILE."
I would hope that any security person, even Windows based, understands what a .tar (or .tar.gz) is. If they don't, I'd be very worried for what else they haven't been paying attention to.
No one in their right mind would use anything but 7zip... especially trialware like WinZip and WinRAR. Windows has built-in Zip support if you're not in the know, but to go out of your way to use WinZip/WinRAR implies a certain level of out-of-date knowledge.
By default Windows handles Zip files in Explorer. Ostensibly it's fair to assume that "I don't run non-standard apps when I can avoid it" is a reasonable (if limiting) premise.
Will any of the individuals responsible face direct consequences for their actions? Or, will the cost of their mistakes be borne entirely by shareholders?
I don't think it's necessarily a bad thing that existing laws and civil structures are capable of dealing with this without new laws having to be passed explicitly for this case.
If the system works as-is, does Congress need to do anything?
Ideally, I think that we'd want the federal Congress and the individual state legislatures being reflective, making prospective decisions which anticipate future events and impose the correct structure to deal with them, rather than retrospectively doing something in order to be seen to do something.
But no-one ever got elected on a platform of 'my predecessors did a great job; I'm going to play some golf!'
It sounds like most of these costs are just from having to finally do the things they skimped on in the first place. If so, it's not really a loss compared to if they had taken the right steps at the beginning. So it may not really disincentivize them from cutting corners again in the future.
It'd be like if the only punishment for getting caught cheating on a test was "well now you have to take the test without cheating". You're probably going to give it a try every time.
I'm seeing a pattern with these "Congressional hearings" where politicians bring in CEOs, let off a few zingers to really stick it to 'em, score some points with their constituents, and then... do absolutely nothing of substance.
It’s more like if you got caught cheating during a test you had to stop cheating but kept taking the same test and got credit for all of your previous answers. Equifax still has its past profits.
> It sounds like most of these costs are just from having to finally do the things they skimped on in the first place.
Source? It's not TFA. TFA only talks about legal costs in the past, and doesn't state it but implies future projections are also for legal costs.
With $700MM of legal costs in 1 quarter, if that is 49% of the total (51% --most-- going to finally do the things) expenditure, that's $1.4bn in one quarter. Their entire 2018 revenue was just $3.4bn ($835MM in Q4).
The article placed a general emphasis on "cybersecurity costs"; I guess it didn't really indicate what percentage was that vs. litigation, but any "cybersecurity costs" are as I described above: costs that should've already been spent before the breach and are just being forced now. Only the litigation is a true "penalty".
Equifax outsourced its network monitoring to ReliaQuest, and I have a friend who works at ReliaQuest, so I've followed this with some interest. There is a general issue here too. Back in 2017 I wrote:
"But I don’t mean to only focus on EquiFax. I’ve seen many small companies where computer security was considered the exclusive job of the tech team. I recall a jewelry manufacturer in Richmond, Virginia, which had about 100 people, including a tech team of 3. Top management of such a company has the option to educate everyone about the importance of security, or they can just leave the task to the tech team. The tech team is often happy to gain the power granted by being in charge of such an important function. And then they implement silly rules, like forcing all passwords to change each week — minor rituals that annoy a lot while offering little real security. Real security could only come from educating the staff about the open nature of email, the importance of using encrypted communications, the importance of protecting the intellectual property of the firm. A company with 97 ignorant people and 3 security minded people can never be as secure as a company with 100 security minded people."
What Gizmodo overlooks is that a Moody's rating is usually related to company debt, which means that a ratings downgrade increases the interest rate they have to pay to roll over existing debt or issue new debt.
Seems like a company with a large debt/income ratio could be crippled pretty fast by a ratings downgrade because it increases the percentage of revenue they pay in debt interest. If they have a high debt load and their profit margins are single digit, they risk ceasing to be profitable, which will tank the stock. It's a spiral.
If they have catastrophic cybersecurity exposure that opens them up to fines, settlements, and customer attrition as a result of an incident like the one that affected Equifax, well that's a target for a fire sale.
It's practically inviting hackers to target companies with high debt/income ratios on behalf of short sellers for that reason. It would be a slow-motion car crash that would be hard to time correctly, but the confluence of debt/leverage and security risk seems like a perfect storm.
Another situation of too big to fail? I sure hope not.
Why are they still in business? Any worthy regulation of any type would have shut them down already, no?
Lawsuits are progressing. It's possible legal costs (plus the accompanying reputational damage) will eventually force Equifax into bankruptcy. (I, for example, refuse to open credit lines if they require an Equifax credit check.)
At the end of the day, you can't just kill companies because you don't like them. We don't have general data protection laws with heavy penalties in the United States. The only way to extract a pound of flesh is to show damages, which has been difficult given how little we know about who stole the data and what they did with it. Nevertheless, the lawsuits progress.
Here in Canada you basically must go to them to do anything credit-related, i.e. get a car or home loan. I don't see how they have any incentive to do better because they are a monopoly. And I cannot get my credit score from the bank, as it's illegal; I must go through this joke of a credit agency.
It will never mean a thing and will never change until those in leadership positions in corporations suffer criminal penalties for lack of oversight and protection of data.
Unfortunately, the federal government has no appetite for holding corporations criminally responsible for actions in this day and age. The belief in too big to fail and campaign donations are monumentally hard to overcome.
For me, it was unsuccessful. They sent out a representative and we argued away from a judge (forget the term used) and I decided not to see the judge because if I argued before him and lost, I would be "unable" to bring it before a judge again.
I've heard of this tactic working for certain consumers (like in the article above), but for me what was hard to establish via small claims court was how exactly I was facing monetary damages. Most lawsuits allow punitive damages, but small claims court does not, so you have to prove exactly how you were monetarily damaged.
That being said, I would definitely be down to sue them in small claims court again using a better strategy. I would also join a class action lawsuit.
I'm planning to do this (small claims court). When I looked into it a year ago I did not have confirmation that Equifax did business in the jurisdiction, which was a requirement. My previous employer (I'm still on their payroll as a part-time employee) recently notified me that they are now participating in Equifax's "The Work Number", so I'm going to request my data in a month or so as confirmation of Equifax operating in this jurisdiction. I plan to claim damages as the service cost of enhanced credit monitoring service in perpetuity, at least up to the limit of $6,500. Any thoughts on this approach? What did you declare as damages and what was the representative's rebuttal?
Usually in front of the judge in small claims nobody is allowed a lawyer. You could argue that you now need unlimited credit monitoring on all credit reporting agencies. The most likely outcome is that they would agree to this. Honestly, I think Congress should just mandate that they be required to have free monitoring, free locks, free reports... basically any personal inquiry should be free.
In the long run I don't think anything will change at Equifax. At worst, it will get absorbed by another company, re-branded, and no one will know where the former Equifax has gone. At best, it will get disbanded and its executives put in prison.
I am Victor, the CTO of Truework (https://www.truework.com), a startup providing an alternative to Equifax / TheWorkNumber.
We are working to change the way employment & income information is shared by employers with a more privacy-focused approach where you, as an employee, decide if you want to share the information with the requester.
I started this company after I found out that Equifax shared my employment and income information without my consent when I was working at LinkedIn...
You're not wrong: companies can add as much security as they like but there will still be breaches; the root cause is them having the data in the first place.
Yes, Equifax has accumulated employment and income information through their purchase of The Work Number (https://en.wikipedia.org/wiki/The_Work_Number) in 2007. They have 200 million employment records and likely a higher multiple of paychecks.
They have a large share of the Fortune 500 companies in the US. If you have worked for a large firm in the past, it's likely that every single one of your paychecks is somewhere in their database.
Watch out Equifax, here come those collection calls.
If owing thousands as a US peasant earns you harassment and dozens of calls a week, I'd love to see the Experian leadership get thousands a second if we're staying proportional.
His previous job... at Equifax.
Oh I found the story:
https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-s...