Originally Posted by
pinzgauer
This one is close to home for many reasons...
First, as an expert in derogatory UGA jokes, I have to painfully admit that their school of business, and specifically their MIS degree is very highly regarded, with good reason.
Also, I know Susan, worked with her indirectly for over a decade, and briefly for her, a decade ago. Solid technical manager, strong business acumen and a great people manager. So I gave her a pass on her school and degree. Been out of touch for a while, but if this was on her watch I'll tell you it's bigger than her; it has to be.
Which leads to the real issue... This problem was not just a matter of applying patches; after the patch was applied, the entire subsystems had to be rebuilt. Essentially rebuilding your entire site and code.
Many, many companies with sensitive information were vulnerable to this issue. Likewise, many businesses do not fully understand that code is a liability. It has to be maintained, actively managed. Most likely there was not budget or permission to do an outage, or something like that, to get the patch in place.
And they got bit.
The real issue is that these companies (credit agencies) are allowed to maintain the type of information they have and there's no real negative consequences for allowing a problem to occur.
Equifax will pay big time for this, but it's still probably less than what it would cost trying to maintain a fail-safe environment. No code can be managed to the level of protection needed and still allow consumer and industry access the way the credit services do.
Meanwhile the government routinely has leaks that are as bad or worse. If you have a family member in the military or who has ever gotten a security clearance, your info has been hacked.
It's been pretty much a yearly event for us; between the medical industry, the OPM hack, merchandise/vendors, etc., your information is vulnerable.
The only thing that makes this even notable is its scale. You're still most likely at risk from someone like a car salesman having access to your information through credit reporting agencies when they should not.
How many times are you asked for the last 4 digits of your social as some form of authorization? Totally bogus check, that's the real issue.
The problem is not how to keep info like your social security number or bank account numbers private. It's making the systems that leverage that information robust so that knowing the ID does not compromise it.
Technology exists now that totally secures credit card transactions even if you have the card number. Want to know why it's not been implemented in the US? Look to the big retailers and the big banks.
Meanwhile Europeans easily send cash directly from their accounts to other individuals or vendors in a very secure fashion.
Why can't the banks confirm and transact a certified check instantaneously instead of you being stuck with the problem if it turns out to be counterfeit? They choose not to; they can't be bothered.
This stuff happens. It will happen again, as it's systematic in the collective industries. They won't fix it unless forced, and the current system will never make that happen.