Bloomberg has published an Equifax breach story that seems to have a fair amount of inside knowledge about the investigation, and I encourage everyone to read the full article.
While the Bloomberg title and much of the article focus on the fingerprints of professional hackers, I want to highlight two other aspects of the story: the differences in rewards and experience between the executive staff and the IT and cyber security staff.
The executive experience
Business was good—the company’s stock price quadrupled under Smith’s watch, before the breach was announced—and its leaders lived well. Equifax executives were prone to bragging about their mansions and expensive gadgets. They took lavish trips to Miami, where they stayed in luxury hotels costing as much as $1,000 a night. Last year, Smith's compensation was almost $15 million.
The IT & Cyber experience
[Tony] Spinelli left in 2013, followed less than a year later by his top deputy, Nick Nedostup. Many rank and file followed them out the door, and key positions were filled by people who were not well-known in the clubby cybersecurity industry.
Overseeing technology for Equifax was David Webb, a Kellogg MBA and Russian-language major hired in 2010 from Silicon Valley Bank, where he had been chief operations officer. But one former security leader said he finally joined the talent exodus because it felt like he was working with the “B team.”
Lapses in security began to catch up to the company in myriad ways beginning early this year.
Add to this Brian Krebs' articles documenting Equifax's many missteps after the breach, as well as its earlier breaches this year, and you begin to get the feeling that Equifax may have gutted its IT and cyber security staff too deeply while its top executives lived large.
Too often, IT and cyber security jobs are exhausting and thankless. If your organization has important information to protect, and especially if it has *my* sensitive information to protect, please support your IT and cyber security employees appropriately, so that you have a deep enough bench of qualified personnel who understand your network and can effectively run it and protect it against the large number of professional attackers who are out there.