It’s Not The Crime, It’s The Coverup or the Chaos

Well, Richard Smith has “resigned” from Equifax.

The CEO being fired is a rare outcome of a breach, and so I want to discuss what’s going on and put it into context, which includes the failures at DHS and the Deloitte breach. I usually try to follow the advice to praise specifically and criticize in general, but I’ll break that pattern here because we can learn so much from the specifics of these cases, and in so learning, do better.

Smith was not fired because of the breach. Breaches happen. Executives know this. Boards know this. The breach is outside of their control. Smith was fired because of the post-breach chaos. Systems that didn’t work. Tweeting links to a scam site for two weeks. PINs that were recoverable. Weeks of systems saying “you may have been a victim.” Headlines like “Why the Equifax Breach Stings So Bad” in the NYTimes. Smith was fired in part because of the post-breach chaos, which was something he was supposed to control.

But it wasn’t just the chaos. It was that Equifax displayed so much self-centeredness after the breach. They had the chutzpah to offer up their own product as a remedy. And that self-dealing comes from seeing itself as a victim. From failing to understand how the breach will be seen in the rest of the world. And that’s a very similar motive to the one that leads to coverups.

In The New School Andrew and I discussed how fear of firing was one reason that companies don’t disclose breaches. We also discussed how, once you agree that “security issues” are things which should remain secret or shared with a small group, you can spend all your energy on rules for information sharing, and have no energy left for actual information sharing.

And I think that’s the root cause of “U.S. Tells 21 States That Hackers Targeted Their Voting Systems” a full year after finding out:

The notification came roughly a year after officials with the United States Department of Homeland Security first said states were targeted by hacking efforts possibly connected to Russia.

A year.

A year.

A year after states were first targeted. A year in which “Obama personally warned Mark Zuckerberg to take the threats of fake news ‘seriously.’” (Of course, the two issues may not have been provably linkable at the time.) But. A year.

I do not know what the people responsible for getting that message to the states were doing during that time, but we have every reason to believe that it probably had to do with (and here, I am using not my sarcastic font, but my scornful one) “rules of engagement,” “traffic light protocols,” “sources and methods” and other things which are at odds with addressing the issue. (End scornful font.) I understand the need for these things. I understand protecting sources is a key role of an intelligence service which wants to recruit more sources. And I also believe that there’s a time to risk those things. Or we might end up with a President who has harsher words for Australia than the Philippines. More time for Russia than Germany.

In part, we have such a President because we value secrecy over disclosure. We accept these delays and view them as reasonable. Of course, the election didn’t turn entirely on these issues, but on our electoral college system, which I discussed at some length, including ways to fix it.

All of which brings me to the Deloitte breach, “Deloitte hit by cyber-attack revealing clients’ secret emails.” Deloitte, along with the others who make up the big four audit firms, gets access to its clients’ deepest secrets, and so you might expect that the response to the breach would be similar levels of outrage. And I suspect a lot of partners are making a lot of hat-in-hand visits to boardrooms, and contritely trying to answer questions like “what the flock were you people doing?” and “why the flock weren’t we told?” I expect that there’s going to be some very small bonuses this year. But, unlike our relationship with Equifax, boards do not feel powerless in relation to their auditors. They can pick and swap. Boards do not feel that the system is opaque and unfair. (They sometimes feel that the rules are unfair, but that’s a different failing.) The extended reporting time will likely be attributed to the deep analysis that Deloitte did so it could bring facts to its customers, and that might even be reasonable. After all, a breach is tolerable; chaos afterwards may not be.

The two biggest predictors of public outrage are chaos and coverups. No, that’s not quite right. The biggest causes are chaos and coverups. (Those intersect poorly with data brokerages, but are not limited to them.) And both are avoidable.

So what should you do to avoid them? There’s important work in preparing for a breach, and in preventing one.

  • First, run tabletop response exercises to understand what you’d do in various breach scenarios. Then re-run those scenarios with the principals (CEO, General Counsel) so they can practice, too.
  • To reduce the odds of a breach, realize that you need continuous and integrated security as part of your operational cycles. Move from focusing on pen tests, red teams and bug bounties to a focus on threat modeling, so you can find problems systematically and early.

I’d love to hear what other steps you think organizations often miss out on.

Breach Vouchers & Equifax 2017 Breach Links

[Thursday, September 21st is the latest of 5 updates.]

When I wrote “The Breach Response Market Is Broken,” I didn’t expect one of the players to validate everything I had to say. What I said was that the very act of firms contracting with breach response services inhibits the creation of a market for breach response, and the FTC should require them to give vouchers to consumers.

Vice Motherboard is reporting that “Firm Hired to Monitor Data Breaches Is Hacked, 143 Million Social Security Numbers Stolen.”

It’s not clear what database was accessed. On their website, Equifax says “No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases” and “Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers.”

But here’s the thing; I don’t trust Equifax to protect data that … they just failed to protect. I want protection from an independent firm.

Equifax’s self-dealing in providing breach response services is unfair. No rational, well-informed consumer would select Equifax’s service in this situation. Equifax’s offering of credit file monitoring to all US consumers is also an unfair trade practice, which undercuts innovation, and limits the ability of new entrants to deliver effective services.

The FTC should require Equifax to send a voucher to each impacted individual which can be used to purchase any identity theft protection service on the market as of August, 2017.

Usually I don’t try to blog fast moving stories, but I may make an exception.

Update 1, later that day:

Update 2, Sept 9:

  • The International Business Times reports “Equifax Lobbied To Kill Rule Protecting Victims Of Data Breaches.” They report Equifax wrote “a rule blocking companies from forcing their customers to waive class action rights would expose credit agencies ‘to unmanageable class action liability that could result in full disgorgement of revenues’ if companies are found to have illegally harmed their customers.” It’s a nice life, having the government block your victims from suing you, especially if you’re worried that the harm is great enough to result in ‘full disgorgement of revenues.’ Now, you might argue that’s hyperbole, but maybe it’s a real fear.
  • The Onion reports “Equifax Impressed By Hackers’ Ability To Ruin People’s Finances More Efficiently Than Company Can.”
  • Equifax once brought me to a Nine Inch Nails concert, and under the payola rules, I ought to have disclosed that when writing about them. It was over a decade ago, and had slipped my mind.

Update 3, Sept 12:

Update 4, September 16:

Update 5, September 21:

Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch”)

I don’t want to minimize the issue here. Assuming the allegations are correct, the company’s assurance in their trust of their employees is diminished, they may face compliance or contractual issues, and they’re out at least 1.4 million dollars, most of which has likely been spent. A good number of folks are having bad days, and I don’t want to add to that.

At the same time, I do have a number of comments.

First, those background check services sure are expensive! I wonder how many people that was.

Hmmm, according to their website, “In the past six years Noble has grown from 1,500 employees to over 14,000.” I do wonder how many of the “background checks” came back with false allegations of past misconduct. If there were 14,000 people with no red flags, isn’t that something of a red flag in and of itself? I also wonder (in a law school hypothetical sort of way, and assuming with no evidence that Wright or an accomplice fabricated false reports on some people so that his fraud went undetected) what sorts of claims might be available to those denied employment based on those untrue statements?

Second, there’s something of a natural experiment here that lets us assess the value of background checking. Assuming Noble Americas Corporation runs a second set of background checks, I’m very curious to know how well spent that $2m* will have been: how many employees do they fire, having learned of something so heinous that the employee can’t be kept, and how many do they fire, having been handed a reason to get rid of a poor performer? (Naturally, those 2 numbers will be rolled into one.)

Lastly, there’s an interesting social engineering angle here. There’s a real company “ChoicePoint,” now part of LexisNexis. (ChoicePoint was made famous for their awesome handling of a 2003 data breach, which this blog diligently covered.) So when naming a false background check company, Choice Point Screening seems like it might be a new brand for the company. An auditor, seeing all those background checks, is unlikely to focus on the extra space. It’s a nice touch.
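As an added illustration (not code from the original post), here is the kind of check an accounts-payable or audit system could run to catch a vendor name that differs from an approved vendor only by spacing, punctuation or a generic descriptor word; the approved-vendor list and invoice lines are constructed for the example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed list of vendors actually approved for payment. ChoicePoint is the
# real provider from the story; the other two names are made up.
APPROVED_VENDORS = [
    "ChoicePoint",
    "Acme Background Services",
    "Northeast Drug Testing LLC",
]

# Generic words that a lookalike can bolt onto a real name ("Screening", "Inc").
GENERIC_WORDS = r"\b(inc|llc|ltd|corp|co|screening|services)\b"


def normalize(name: str) -> str:
    """Collapse a vendor name to a comparison key: Unicode-folded, lower-cased,
    with generic descriptor words, whitespace and punctuation removed."""
    key = unicodedata.normalize("NFKC", name).casefold()
    key = re.sub(GENERIC_WORDS, "", key)
    return re.sub(r"[^a-z0-9]", "", key)


def classify_vendor(invoice_name, approved=APPROVED_VENDORS, threshold=0.85):
    """Return (verdict, approved_name) where verdict is one of
    'exact', 'lookalike' (same key, different spelling), 'near_match'
    (likely typo or deliberate transposition) or 'unknown'."""
    if invoice_name in approved:
        return ("exact", invoice_name)
    inv_key = normalize(invoice_name)
    best_name, best_score = None, 0.0
    for name in approved:
        app_key = normalize(name)
        if inv_key == app_key:
            # Same key as a real vendor but not its registered spelling:
            # exactly the "Choice Point Screening" versus "ChoicePoint" case.
            return ("lookalike", name)
        score = SequenceMatcher(None, inv_key, app_key).ratio()
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:
        return ("near_match", best_name)
    return ("unknown", None)


# Constructed sample invoice lines: (invoice_id, vendor_name, amount_usd)
SAMPLE_INVOICES = [
    ("INV-1001", "ChoicePoint", 120.00),
    ("INV-1002", "Choice Point Screening", 4300.00),
    ("INV-1003", "Chioce Point", 310.00),
    ("INV-1004", "Acme Background Services", 95.00),
    ("INV-1005", "Totally Different Co", 700.00),
]


def flag_invoices(invoices, approved=APPROVED_VENDORS):
    """Return (invoice_id, vendor, verdict, matched_vendor) for every invoice
    whose vendor is not an exact approved name, for a human to review."""
    flagged = []
    for inv_id, vendor, _amount in invoices:
        verdict, match = classify_vendor(vendor, approved)
        if verdict != "exact":
            flagged.append((inv_id, vendor, verdict, match))
    return flagged


if __name__ == "__main__":
    for row in flag_invoices(SAMPLE_INVOICES):
        print(row)
```

The 'lookalike' verdict is the one to route for mandatory review: the vendor master record should be corrected or the invoice rejected, never paid on the strength of a familiar-looking name.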

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint’s consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint’s AutoTrack XP Product…

Really? You’re blaming customers? Saying it’s not your fault? Claiming to be the victim? Ummm, lemme use small words here: you’ve played that card. Shot that wad. From 2004 onwards, you own all failures. You should have had systems to watch for unauthorized access, and for failure to properly safeguard credentials.

Oh wait. You did. We agree on that need. You had a system to do that, and you turned it off. So really, all that work you’ve done to convince people you’d turned a corner? This undercuts that. You need to come out with an explanation of why you turned off that system, and you need to do it this week. It needs to be comprehensible to the techies who are taking you to task all over the blogosphere. No legal defensiveness. Tell people what happened. This:

The FTC expressed concerns that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint’s Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint’s security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords.

is incomprehensible. Your customers know what you did. Why not talk about both what you did and what you turned off, and most importantly, why? I bet there are real reasons, but your lawyers ain’t saying. How many false positives was that system shooting out? What did it cost to investigate them?

Either come clean, or suck it up, and be glad it was only $275,000.

For more, “ChoicePoint Breach Exposed 13,750 Consumer Records,” or our prior posts on Choicepoint.

[Update: Comments from ChoicePoint in the comments.]

PS to C: This is, once again, my opinion, on my blog, and has nothing to do with my employer.

University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes.

The other 2.1 million people, apparently, should be reassured that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.

There’s some analysis of how hard it would be to read the tapes. I’m skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?

The Breach Blog feels differently. In “University of Miami reports stolen tapes affecting patients,” he digs into the likelihood of the data being accessed.

Now, the University claims that the tapes are in a “complex and proprietary format,” which seems to be “Tivoli Storage Management” from IBM. Tivoli Storage Manager has encryption capabilities (page 3 of this PDF). I’m curious why that wasn’t in use.

Also, looking around, I found this quote at an IBM partner site:

Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.

Until I hear more, I’m skeptical of the University’s claims. I don’t believe, and I have not believed for a long time, that breach notices are about identity theft. They’re about the performance of a promise to protect information.

(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)

ChoicePoint’s data quality

In a comment, Tom Lyons asked:

I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provided to prospective employers. I am seeking persons who have similar experiences to determine a “pattern and practice” on the part of Choice Point.

I don’t know Mr. Lyons, but I can’t imagine anyone would object to “more informed, more timely decisions that positively impact society.” Feel free to get in touch with him.

Choicepoint’s Error Rate

Choicepoint regularly claims a very low rate of errors in their reports. In the Consumer Affairs story, “Choicepoint gets a Makeover,” Choicepoint President Doug “Curling claims his company has a less than 1/10th of 1 percent error rate.”

Now WATE in Knoxville, TN, reports that “Anderson Co. man finds credit report error:”

At his insurance company’s request, ChoicePoint gathered the sum total of Ray’s credit, what he owes for his car, his house, credit cards and other purchases. “It says my grand total of indebtedness is $426,000. That’s about five times what I currently owe,” Ray says.

Some debts Ray paid off showed as though they hadn’t been paid at all. “This was a boat loan” for $50,000, Ray says. “I paid it off over a year ago.”

He also says he went online to ChoicePoint, filed a dispute and spoke with company officials. “My data had not been updated. It was incorrect. My employer was incorrect,” Ray says.

ChoicePoint disputes that any errors were made.

See also my May 2005 posting, “Choicepoint Analyses:”

Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the “garbage in, garbage out” problem, has been defined away.

and finally, don’t forget Deborah Pierce’s work in “Data Aggregators: A Study of Data Quality and Responsiveness:”

100% of the reports given out by ChoicePoint had at least one error in them.

The deep trouble here is not that Choicepoint reports are inaccurate (although that seems to be a problem based on impartial reports). The trouble is the accountability disconnect between data collection, aggregation, and use. No one takes responsibility for the decisions that are made based on bad data.

[Update: Just after posting this, I came across “Where’s Waldo? Spotting the Terrorist using Data Broker Information:”

In its coverage of the issue, the Ottawa Citizen reported that since September 2001, the RCMP has been buying and retaining this kind of personal information from data brokers, and in some instances may have forwarded that information to U.S. law enforcement.

Good thing Ray’s inaccurate data was “only” used to deny him credit.]

[Update 2: Choicepoint’s Chuck Jones disagrees; please see comments.]

"Free the Grapes" Externalizes Risk

Or so “Shipcompliant” would have us believe, with a blog post entitled “Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices.”

The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s driver’s license or by using an approved online age verification vendor such as ChoicePoint or IDology.

So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:

Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.

So there’s no reason to add this step. The very next step ensures that wine won’t get into the hands of our corruptible youth.

This is two steps backwards: We’re creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that’s already covered.

Free the grapes? How about free the people from this nonsense?

Photo: “A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)” by mharrsch.

Choicepoint reports $50M more expenses, some due to breach

The Atlanta Business Chronicle reports that “ChoicePoint tumbles to third-quarter loss:”

ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005.

Choicepoint’s losses are a severe outlier. As I said in March, 2005, “Why Choicepoint Resonates:”

It’s now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I’d like to think back, and ask, why does this story have legs? Why are reporters still covering it?

There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers.

I still think my analysis is decent, and that any serious statistical analysis of breach costs must show “without Choicepoint” numbers.

[Update: Clarified title, which attributed all expenses to the breach.]

Fines, Settlements in Privacy Invasions

Topping the list, Vodafone has been fined $100M (€76M) for failing to protect 106 mobile accounts. “Greek Scandal Sees Vodafone fined” at the BBC, via Flying Penguin.

On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. (“Driver Data Lawsuits Settlement Proposed.”)

Pop quiz: Which do you think will influence behavior more?

Photo: Peeping Dog, by ErinV.