Earlier this week, the Wall Street Journal reported that members of China’s military were indicted over the Equifax Breach of 2017. While those individuals remain in China and may never actually face prosecution, it raised questions regarding the role of companies in cyber-breaches. China was also blamed for the hack of 20 million files at the Office of Personnel Management of the U.S. government, as well as the Anthem breach of health records. Likewise, the hack of Marriott is said to be sourced back to the Chinese military.
Many of the comments on this and related articles seemed to indicate that this vindicated in some way the responsibility of Equifax, or the others, of their liability in the breach. They likened it to a homeowner being burglarized, but is that really true? Equifax was hacked because it was relatively easy to hack it and they had a treasure trove of data on U.S. citizens – their social security numbers and credit information. The hack was the result of their security team failing to patch a known open source code vulnerability with a free patch. Their head of security was forced to resign (she was found out to be a music major without significant training in security) and the CEO ultimately resigned as well amidst an outcry to how he could have put someone in such an important role without the proper education. The analogy to a homeowner is only complete if you add these facts: the homeowner left the doors and windows unlocked and posted on social media that they were gone for two weeks and then came home to find their home burglarized.
Will this new information about who was responsible change accountability for companies? I don’t think it does. Senior executives and the board of directors of companies who maintain private and sensitive data (referred to as personally identifiable information) have a responsibility to their customers and employees to take appropriate measures to protect that data. It’s true that you can never fully mitigate against all risk, but you can certainly address the easier stuff – like patching software and open source code. These are basic security principles and isn’t even that expensive to implement. In the boardroom, articles like this may also raise questions about your business dealings in China and the cost benefit analysis of where you source your technology. If you haven’t read the Big Hack in Bloomberg, it’s worth a read – link below. If you haven't talked about this with your board, consider this a good conversation starter at your next board dinner.
Articles related to this story:
How China Used a Tiny Chip to Infiltrate American Companies, Bloomberg
Four Members of China’s Military Indicted for Massive Equifax Breach, Wall street Journal
Equifax Hack - DOJ charges Chinese Military, CBS
DOJ: Chinese Army Hacked Equifax Stole 145 Million American’s Data, USA Today
If you are interested in a keynote, workshop or facilitated discussion on emerging technologies, future trends, cyber security or cultural shifts for your next board meeting or executive retreat, contact me at jwolfe@consultwolfe.com or 513.746.2801.