The Equifax Breach | One of the Largest Data Exposures in History
How’re we baselining what good looks like
and what is the art of the possible
for us to get there.
That's really the question that comes up.
Cyber resilience readiness.
Like, what are the gaps?
Welcome to The CISO Signal.
I'm Jeremy Ladner.
If you enjoy true cyber
crime investigations like this,
please take a moment to like,
share and subscribe.
It really helps us grow the show
and reach other cybersecurity leaders
just like you.
Now picture this: a continent-sized
vault of identity
humming along in the darkness.
Billions of records,
decades of credit histories,
the financial DNA of nearly
every working adult in America.
And then one sunny summer day,
a single unremarkable
web portal inside that empire is unlocked.
The victim was Equifax.
And what slipped through that door?
Well, it touched the lives
of almost 150 million people.
For weeks, an invisible
hand moved through their systems.
Quiet, patient and deliberate.
No ransom note. No flashing alerts.
Just a silent siphoning,
drawing identity data into shadows.
Investigators would eventually conclude
this wasn't a lone hacker,
a crime of opportunity.
It was the work of a foreign
nation-state adversary, a threat actor
with motives bigger than money,
possessing patience measured in months.
And when the breach finally came to light,
the fallout inside
Equifax was catastrophic.
Careers ended overnight.
Leaders resigned under pressure.
And yes, one executive
ultimately served time in prison.
It remains one of the most
consequential breaches in modern history,
not because of how it happened,
but because of what it revealed
about trust, leadership
and the fragility of the systems
we all depend on.
Today, we're joined by someone
uniquely qualified to help us
navigate the layers beneath this incident:
Kavitha Mariappan,
Chief Transformation Officer at
and this episode's sponsor, Rubrik.
Kavitha is a seasoned
cybersecurity and technology executive.
She spent more than two decades
shaping transformation
at companies like Zscaler, Databricks,
Cisco
and now Rubrik, where she leads
CXO engagement across the Global 2000
and helps enterprises rethink resilience
in the age of modern cyber risk.
And we're welcoming back to The CISO
Signal, Mark Dorsi.
Mark is the CISO at Netlify,
bringing his cloud scale experience
and practical perspective
to help us unpack what really happened
inside Equifax.
Kavitha, Mark, welcome to The CISO Signal.
Jeremy, thanks so much for having me.
It's great to be here.
Yeah, I love this.
Thanks so much for having me again.
Absolutely.
Great to have you both with us.
Now let's begin the investigation.
We are in the midst of a ceaseless war.
Not of bombs or bullets, but of breaches,
firewalls and silent incursions.
The targets
our borders are banks, our commerce
and the critical infrastructure
that underpins a free civilization.
The enemy is cloaked in code,
fueled by greed,
glory, and a desire for chaos.
This is the story of the unseen
protectors, the nameless
generals, the CISOs, chief information
security officers.
They are the guardians at the gate.
The watchers on the wall.
Ever vigilant and always listening
for The CISO Signal.
Act one: The Forgotten Portal.
Kavitha, you work
with some of the biggest companies
in the world, and you've seen this pattern
over and over.
A vulnerability is known.
The patch exists, but somehow
it still slips through the cracks.
When you look at Equifax through
that real world lens, what does a miss
like that tell you about the challenges
enterprises face at scale?
You know, Jeremy,
I think with this specific incident,
the vulnerability itself,
it wasn't that unusual.
What stood out was how easily it slipped
between the teams once awareness
didn't translate into action.
Most large organizations were aware
of the Apache Struts issue, right?
The patch did exist.
Regardless, awareness wasn't the failure,
it was around execution.
We think about this at enterprise scale:
how patching competes with uptime.
In early 2017,
nothing about Equifax suggested danger.
The lights stayed on late.
In Atlanta, data centers breathed evenly.
Air conditioned aisles,
blinking status LEDs, the steady
rhythm of machines
doing what they had always done.
Credit files moved invisibly across
networks, scores updated overnight,
mortgages cleared.
Background checks passed.
Millions of lives advanced
one quiet transaction at a time.
Equifax did not sell products to consumers
in the way banks or retailers do.
It sold certainty,
or at least the appearance of it,
a numerical judgment
about who could be trusted,
distilled from addresses, birth
dates, payment histories
and one unchangeable identifier:
a Social Security number.
For most Americans,
this data was not optional.
It was collected by default, stored
indefinitely, and guarded,
at least in theory, by professionals.
You deal with legacy systems,
you deal with deadlines
and a lot of invisible hand offs.
And so these teams,
you know, assume someone else owns it.
I think this is the problem today, right?
It's everyone's responsibility
and no one is accountable for it.
As we start talking about resilience
more and more, I think that so much onus
and pressure on CISOs
and on the security teams.
But, and yet, are they empowered
to own organizational resilience?
Right?
And I think this is where responsibility
or accountability diffuses, risk hides.
And this complexity doesn't
just slow things down.
It creates
massive vulnerabilities and security gaps,
organizational gaps, enterprise gaps
that actually obscure accountability.
And it's not that organizations
don't follow process
and that they don't patch
or they don't care.
Or they don't have the rigor, there’s
a lot of it, there’s a lot of legacy
technology in our environment: legacy
processes, organizational structure.
But clear lines of ownership
start to become very important.
Inside the company, the work felt routine:
security notices arrived, patches
were discussed, risk registers updated. No
alarms rang, no screens flashed red.
The system was calm.
But calm in large
organizations can be very deceptive.
In March of 2017, the Apache Software
Foundation issued a public advisory.
A critical vulnerability
had been discovered in Apache Struts,
a widely used open source web framework.
The flaw, later cataloged
as CVE-2017-5638,
allowed remote code execution.
In plain terms, if a system was exposed
and unpatched, an attacker
could send a specially crafted
request and gain control.
The advisory was not obscure.
It was not whispered,
it was posted publicly.
A patch was available immediately
and across the internet,
most security teams took note.
It's not a technology problem,
patching in itself.
It is a governance and accountability
problem.
It's an organizational problem.
This specific incident that's really
a painful reminder of what happens
when gaps go unchallenged.
Inside Equifax,
according to later congressional
testimony and internal reviews,
the alert was circulated.
Teams were notified.
Instructions were issued to identify
and remediate vulnerable systems.
On paper, the process worked
the way it always did, but in reality
it depended on something far more fragile.
Ownership.
Knowing exactly who is responsible
for what.
Large enterprises grow
by acquisition, integration and urgency.
Systems are spun up to meet deadlines.
Temporary solutions
often become permanent.
Asset inventories drift out of date
and responsibility fragments.
One team
makes the incredibly dangerous assumption
that the other team, well,
they have it covered.
Mark, when you see an 11-week dwell time,
like what happened at Equifax,
what does that say to you
about the challenges big organizations
face when older systems
meet modern identity problems?
These types of dwell times
are not uncommon, unfortunately,
and we see them all the time
in the industry.
So the dwell times can be very long
depending on what an individual
is trying to get done.
And or they might just sit on it.
Then all of a sudden they need some cash,
they sell it, and another threat actor
rolls through that actually,
you know, makes the exploit occur.
So what I see from an organization
perspective is that we have long
tried a variety of methods,
from SIEMs to all that other sort of stuff,
and we've tried a lot of different areas
in order to try and get that to happen.
And there are different approaches.
You can combine these things.
You can put them together.
Somewhere inside Equifax's
vast infrastructure sat
a consumer dispute web portal
that relied on Apache Struts.
It was internet facing.
It handled sensitive data
and it did not receive the patch.
No one marked the moment;
there was no failure
log that read:
this is where it all went wrong.
The vulnerability existed quietly,
like a cracked seal
in a pressurized system, holding
until it didn't.
From the outside, Equifax
still looked solid.
A cornerstone institution,
a necessary one.
Few consumers could even describe
how it worked, only that it did.
That trust was structural, not earned day
by day, but assumed by design.
And that was the danger.
And as the CISO of the organization,
you are attempting to balance risk.
Most CISOs struggle not because
they don't want to do the right thing
in these areas.
It's mostly because as they're trying
to defend the castle,
there are a lot of folks
who are attacking at all times.
The questions are
which ones would have access,
and which ones can find their way
through your defenses at speed?
Security at scale is less about dramatic
attacks than about mundane follow through.
It lives or dies in inventories,
ownership charts
in the unglamorous discipline
of patch management.
When those processes fail,
nothing happens at first.
Systems continue to run.
Businesses continue as usual,
which is why the most important moment
in this story passed without notice.
No attacker had yet been detected.
No data had yet been stolen,
at least not that anyone could prove.
But the conditions were set.
The door was left unlocked,
the lights were still on,
and the organization, confident in
its routines, went on with its day to day.
What the company cannot yet
see is already obvious to anyone paying
attention: in modern cybercrime,
the breach rarely begins with intrusion.
It begins with neglect.
Somewhere beyond the firewall,
someone would eventually notice
that the door was unlocked, and when they
did, they would just let themselves in.
Act two: The Silent Siphon.
By mid-2017, the door that had been left
unlocked was finally opened.
There was no overt
break in or loud failure.
According to Equifax's later
reconstruction of events...
The attackers sent a single,
carefully crafted request
to the consumer dispute web portal,
one that took advantage of the unpatched
Apache Struts vulnerability,
disclosed months earlier.
The response they received
wasn't an error message, it was access.
Rubrik’s Zero Labs
research shows that identity activity
often gives the first real clues
that a breach is unfolding.
When you apply that to Equifax,
how should companies
think about identity behavior
as an early warning?
You know Jeremy, we just heard
Mark talk about dwell time, right.
I think one of the things we're seeing is,
like,
threat actors are not breaking
in, they're logging in
and they’re in environments for six months
a year doing their recon.
And whether it's that specific
threat actor or,
you know, another group of threat actors
are actually going to perpetrate,
they're in the environment.
And I would say, you know, identity
compromise is one of the most reliable
ways of achieving dwell time, like what
we saw with this specific Equifax breach.
And the significance of the statistic
that, at least you know, from CrowdStrike,
for example, is that 79% of incidents
that they've investigated over
the past year were malware-free.
Threat actors today are prioritizing
credential theft over malware
because it's less noisy.
From the outside,
the request looked like routine traffic.
From the inside,
it executed commands on the server itself.
Remote code execution is a blunt phrase
for something disturbingly intimate.
The ability
to tell another organization's machines
what to do and have them obey.
What followed did not unfold fast,
it was painfully patient.
And unless some exploit
is completely novel
today, security tools
have a pretty good chance at catching them.
And I think we're going to see
a lot more happen, a lot more telemetry
and signals as we start using AI.
And that becomes kind of a
whole new domain in terms of like,
what signals do we act upon?
When a threat actor logs on
with legitimate credentials,
the indicators of compromise
are more subtle, right?
They may start with someone authenticating
in ways that don't quite align
with normal behavior.
We see this as anomalous,
but someone's behavior at odd hours,
from odd locations, unfamiliar paths,
privileges they don't have access to.
And we always think about the ultimate
act, which is: has data been exfiltrated?
We should be thinking about
what is anomalous
from a behavior perspective, right
from the endpoint all the way through.
Once inside the portal,
the attackers began to explore:
file paths, permissions, connections
to back end systems.
According to subsequent investigations,
they escalated privileges and moved
laterally through the network,
stepping carefully, testing boundaries,
learning where valuable data lived
and how it flowed.
There were no overt messages,
no systems went dark.
These sorts of behavior
anomalies are often tip offs.
And, you know, Mark touched a little bit
upon the character of some of this.
And this is what comes when someone's
trusted identity is compromised.
And we haven't even touched upon non-human
agent identities or agentic identities
or how we're going to handle all of that.
But the signals are usually there.
The question is going to be
about the sophistication
and the resourcing around interpretation
and organizational culture.
Customers continued submitting disputes,
employees continued their shifts,
and the machinery of credit reporting
never paused.
Behind the scenes,
however, the attackers reached databases
that should never have been reachable
from a public facing application.
There, stored in plain relational tables,
were the building blocks of identity
itself:
names, social security
numbers, dates of birth, addresses,
driver's license numbers,
and in some cases, credit card data.
This was not data that ever expired.
It did not rotate.
It did not change with a password reset.
Once copied, it was useful, relevant
and dangerous forever.
And we're seeing organizations
collect a vast,
enormous amount of data,
an enormous amount of identity.
The identity space itself is becoming like
this, like robust ecosystem unto itself.
Like ... top three for all CISOs.
I see Mark smiling
like everyone's talking about
that,
everyone's story’s about segmentation.
But often it's, you know,
we talk about authorization telemetry
rather than truly like authenticating
a user from a context perspective, right.
From a behavioral perspective.
And all of this,
which is why we see kind of this explosion
around the posture management space, etc.
So why identity has effectively become
the new perimeter
is it's easy, it's easier,
so much easier to compromise identities.
So much easier to compromise.
And I think the hybrid workplace
has also created this environment of,
you know, people patching
and other people getting upgrades.
You know, these user awareness
trainings really sticking, right.
And without the ability
to secure these identities or to establish
the veracity thereof and recover it
once it's compromised, the game is up.
So I think that's really where we are.
One of Equifax’s network monitoring
tools, the system responsible
for inspecting encrypted outbound
traffic, was effectively blind.
According to Equifax's own disclosures
to Congress, the device
relied on an SSL certificate
that had expired.
Without a valid certificate,
the system could not decrypt
or inspect the traffic passing through it.
Kavitha, when people bring up Equifax,
there's always this kind of lingering
sense of unease.
What do you think causes that?
Is it the sheer amount of data
stolen, the silence
while it happened
or the bigger implications behind it?
Personally, I think it unsettles people
because it was quiet
and for an attack of that scale.
Right.
It was present, it's persistent.
Nothing exploded.
There was no ransom note.
And then for weeks,
the system looks stable.
But, you know, the stability
and invisibility of that
can look pretty identical from outside.
Right.
And so I think that creates a false
sense of security, which is kind of what,
you know, both of us have been saying,
sort of in this conversation
about how long
has someone been in your environment?
The attackers did not
need to disable detection
because detection was already disabled.
Alerts that might have raised questions
never fired, logs
that could have told a story
stayed silent, and the breach progressed
not because defenses were overwhelmed, but
because they were looking the other way.
From the attacker's perspective,
this was ideal.
There was no need for ransomware
theatrics, no reason
to announce themselves.
This was not a smash for cash.
It was acquisition – quiet,
systematic and disciplined.
It wasn't an alert
that surfaced the breach.
It was someone paying closer
attention than usual.
And this is all about signals
and remediation.
And then I think I always worry
about how much they,
you know, the explosion of AI
and AI SIEMs, etc.
are going to create an environment
where we have signal fatigue.
So it underpins everything:
credit, trust, safety, daily life.
Right.
And that silence stops being limited to an
IT issue or a security issue.
This is an organizational issue.
This is a, you know, people trust us [...]
to hold their
very confidential credentials.
What's our duty of care around that?
And that's a huge part of it.
Yeah.
I think that that falls right in line
with, you know, silence being,
a very dangerous symptom.
Like you mentioned,
you know, this wasn't discovered
because of the amount of noise
that was created.
Someone was really curious
about what was going on in a particular
area, in their environment,
and the size and scope of the breach.
Right.
just makes it so unforgettable,
and is why folks harken back to it with
relative ease, right?
There's also,
you know, a few from Target
and those sorts of things
that sit out there
that that sort of linger in our minds.
Not too long ago,
I was contacted to pay the remainder of,
a hospital visit,
and they wanted me to verify myself
versus them
being able to verify themselves.
And would you talk about identity? Right.
They call me and they say,
can you please verify who you are?
And I said, well,
I don't know who you are.
You first. You contacted me.
I did not contact you.
And so [...] the systems are also
just not set up for success,
especially when it comes
to trying to identify someone.
Outside the walls of Equifax,
life went on: credit approvals, apartment
leases, job offers, every transaction
assuming the integrity of data
that was at that very moment
being siphoned away.
On July 29th, 2017,
something finally shifted.
Security personnel
noticed suspicious outbound
traffic: connections
that did not fit expected patterns.
The portal was then taken offline.
An internal investigation began,
and of course, the company's tone
was forced to change from routine
to controlled urgency.
But by then the damage was already done.
The data had been copied,
and whatever questions
investigators would later ask like:
Who did this?
How much was taken?
And, where did it all go?
None of those questions
could reverse the act itself,
because data, once exfiltrated,
does not come back.
So, Mark,
you have led teams through acquisitions
and high pressure investigations
where leadership wants answers fast.
In the first few hours of a major breach
like the one with Equifax,
Before anyone knows the full scope,
what does that moment feel like?
How do you drive clarity
when there is just so much uncertainty?
This is that moment where you try and get
folks out of feeling mode,
and you need to get into just the facts,
what's going on from a facts perspective.
And it's definitely
this fog of uncertainty.
But decisions really can't
wait in that moment.
And what you're going to try and really do
is focus on, you know, that containment.
Right.
So we're going to come through and say,
all right, [...] what areas
do we think of the business are impacted
and how do we contain what's going on?
And then, you know, just that moment
where you have sometimes a conflation of
folks who were directly responsible for
the overall security of the environment
and then they're now going to have to go
figure out what went wrong.
And that's that moment where for a long
period of time, you needed to have really
had this culture built in, not of blame,
but we need to have a culture where folks
can go through and feel safe to say,
oh yeah, they came through this.
Kind of knew it was a problem
or we didn't know it was a problem at all.
And then now we understand why
and then we can take a look
in other parts of the business.
This happens a lot, I would say in
just in, day in, day out around
fraud and abuse.
And in those ways, you're really trying
to find your way through to say,
look, I need everyone to calm down
just a little bit.
Inside Equifax, decision making moved
quickly out of technical teams
and into executive legal
and communications channels.
Incident response firms were engaged,
law enforcement was notified and plans
were drafted not to stop the breach,
but to manage its consequences.
We're all human [...] mistakes were made,
it's fine.
But what we need to do then
is just be responsive, be transparent.
And as much as you can, just be upfront
with your customers about what's happened.
And you're going to have to apologize
because the person on the other
end of the line is contacting you
most of the time as a customer,
and they've been affected
in some material way.
Typically, that is then going to lead
to lots of discussions between yourself,
the customer, and leadership on how
everyone is going to have to direct,
or redirect their efforts so that we can
avoid similar issues in the future.
And I think that's exactly what,
for example, Equifax did, right?
They did their best to pivot.
They went out and they got security
champions across the organization.
So they really made a hard pivot
and change.
In order to address some failings
that existed for quite some time.
Notably absent was any immediate signal
to the outside world.
For more than a month after discovery,
consumers were not told.
During that time their identities remained
exposed, their risk unchanged,
and their trust intact
only because they had not yet
been given reason to doubt it.
When investigators start
suspecting a foreign adversary,
even before attribution
is completely 100% confirmed,
how does that shift the mindset
for a security team?
Understand that they are well resourced
and, likely, right?
They're going to be better than you are.
And the question is,
then how can you recover?
That's the biggest piece that I see.
And hopefully you have some immutable
backups somewhere that are well protected
and not also compromised,
so that you can recover in those moments.
The breach had ended,
the crime had already occurred.
What remained was the reckoning.
And when it came, it would not be
contained within firewalls or boardrooms.
It would spill outward into Congress,
into courtrooms,
into the lives of millions of people
who would never know precisely
when their personal histories
crossed a border they could not see.
The attackers vanished as quietly
and quickly as they had arrived,
and the system kept on running.
Something that your Zero Labs
research really brings to
the surface is how much identity sprawl
around things like service accounts,
old credentials, stale permission,
those things build up over time.
In a situation like Equifax,
why does that type of identity
sprawl amplify the impact so dramatically?
Mark, I think identity sprawl
is one of the most underestimated risks
in a large organization
because it accumulates over time.
And in our conversation today, we've been
really unpacking a lot of that, right.
It's not just about people anymore.
And you sort of said threat actors,
pretty nefarious.
Part of it is also because they don't
have organizational inertia the way we do.
They don’t have legacy technology
the way we do.
So they're able to be laser
focused and precise in what they want.
And I think there's also a conversation
around what we as security professionals
deem to be crown jewels and what they deem
to be high value targets.
One of the things we're seeing [...]
with our Zero Labs data is that AI agents,
service accounts, API tokens outnumber
human users by a ratio of 82 to 1.
And that was,
you know, in modern enterprises.
And that was in our recent survey,
I'm going to say in October.
And I'm already seeing numbers
from the team
that it's like 100 to 1 right now.
And so that change happened quickly
and organizations are just not keeping up.
I mean, yeah, we all have AI initiatives.
You know, everyone's got use cases,
projects, low hanging fruit.
Everyone's trying to figure this out.
But that is something that we're seeing.
And this is highly, sort of
I would say, shifting the identity
landscape,
and service accounts that really rotate:
Permissions that made sense
years ago but have never been updated;
Lifecycle management
that's been neglected completely ad hoc
for many of these non-human identities.
If you're
enjoying The CISO Signal,
please drop a comment
and let us know
what you think of the show.
And if there's a true cybercrime
you'd like us to investigate, or a CISO
you'd like to see featured on the podcast,
please share it in the comments.
We'd love to hear from you.
Now back to the episode.
Act three: The Cost of Exposure.
The public learned the truth on September
7th, 2017.
By then, the breach was already history,
at least in technical terms.
The servers had been examined,
the vulnerable portal
had been taken offline
and the incident response firms
had finished reconstructing
what could be reconstructed.
The attackers were long gone.
All that was left to do was to say it out
loud.
Cloud sprawl, I would say, would actually
be another contributor to this problem.
And our Zero Labs research actually found,
I'm going to say, about 90% of IT
and security leaders that we surveyed
are managing hybrid cloud environments.
So with each provider
having their own native solution
for identity and access management,
this really like overloads and taxes
the teams and leads
to a lot of cloud misconfigurations
that are frequently exploited.
Equifax disclosed
that attackers had access to sensitive
personal information belonging
to approximately 147 million people,
mostly Americans, but some residents
of the United Kingdom and Canada as well.
The numbers were so large
they defied intuition.
Nearly half the U.S.
population, a statistical event
masquerading as a corporate incident.
For consumers.
The news arrived
without context or comfort.
This is an area that threat actors know
very well, and it really does
complicate recovery. Right?
And individually,
none of this in an isolated environment,
not catastrophic, but collectively
it does create an environment
where threat actors don't need to break
doors down.
I mean, they're able to walk
through these doors that are already open.
And like we said, they know they log in.
And between cloud sprawl
and identity sprawl,
you know, it really amplifies
the impact pretty significantly and turns
sort of this one single foothold
into the door, into this massive
lateral movement and kind of escalates
and persists within the environment.
So yeah, over time, it
quietly does remove the boundaries
that teams assume are still there.
And I mean, if Equifax shows us anything,
this is what happens
when sprawl meets scale.
And we haven't even touched AI.
I would agree with that.
You know, identity sprawl really
is the attacker's best friend.
So yeah, this is definitely an issue
across the industry for sure.
A hastily launched website offered a way
to check whether one had been affected.
It faltered under the load, phone lines
jammed, instructions were unclear,
and at one point Equifax directed victims
to a separate domain, raising
immediate concerns
among security professionals
that the response itself
looked like phishing.
Trust behaves like glass:
The first crack is quiet,
but what follows is a deafening
shattering.
Inside Washington,
the tone was much sharper.
Congressional hearings followed quickly.
Executives were summoned and questions
focused on patching
failures, asset visibility
and expired certificates.
Mundane details
that now carried national weight.
After Equifax, the CEO,
the CIO and the CISO were gone
almost instantly.
You've worked closely with leaders
in those high pressure moments.
What do the really good ones do
differently when everything else
is on the line?
Leaders who handle these moments best
don't wait for that perfect information.
They're communicating,
they're transparent, and the best leaders
anchor their teams around facts,
not the optics.
Leaders
who show up and answer questions...
I think we have to, like, empower
our leaders: CEOs and their directs.
Yeah.
And I think that highlighting of risk is
so critical all the way up the chain.
Right.
So highlight the risk to the business
and everybody understands what it is.
And then you can say,
you know, here's our top three risks.
You know these are
these are potentially business ending.
And then just be sure
that everybody's anchored in facts.
Equifax's CEO Richard Smith acknowledged
failures and apologized publicly.
He resigned later that month.
The company's chief security officer and
chief information officer also departed,
but the departures, critics argued, looked
more like rotation than accountability.
And resignation was not the final word.
In March 2018, federal prosecutors
announced something different.
The Securities and Exchange Commission
charged Jun Ying,
the former chief information
officer of Equifax's US
Information Solutions division,
with insider trading.
According to the complaint,
Ying had reviewed internal information
about the breach
and before the public disclosure,
sold shares worth nearly $1 million.
He pleaded guilty and was later
sent to federal prison.
From your experience,
how does internal misconduct,
incidents like this, change
how you respond?
I try to be really careful with my team
members,
my business partners
and those sorts of things.
So it's just, look,
a mistake has happened.
Let's not compound that mistake
by doing other things
that would really make it worse.
Please, please just stick to the facts.
And please do not alter the environment
in any way.
It's okay. What happened?
Right.
All we're going to do
is we're going to investigate,
we're going to contain it,
and we're going to do our best to recover.
And if we just stick to that
and stick as a team
and you get out of this blame culture,
then I think everything will be okay.
And another employee, software
development manager Sudhakar Reddy Bonthu,
also pleaded guilty
to insider trading related to the breach
and received home confinement.
At the same time, scrutiny widened.
Several senior executives, including CFO
John Gamble and other vice presidents,
had also sold stock in August of 2017,
shortly after the breach
was internally discovered,
but before it was disclosed publicly.
In total, roughly $1.8
million in shares changed hands.
Investigations followed. Internal
and independent reviews concluded that
these executives did not know about
the breach at the time of their trades.
They were not charged,
but for millions of consumers
learning
that their identities had been exposed,
the idea that anyone inside
the company might have moved first
before the public knew,
cut deeper than technical failure.
So when I talked to boards
after an incident, during an incident,
the same questions come up over and over,
usually around impact, exposure,
and what they're not seeing.
I'm guessing
you hear a lot of these patterns too.
After a breach, like on Equifax,
what's the question boards
asked you and Rubrik most often?
They don't ask
how the breach happened. Right.
They want to understand
what the blast radius of that is.
And [...] is this going to be persistent?
And what is the risk to the organization?
Is this going to recur?
And, you know, it's really
not about blame, the blame game,
this is about containment
and business viability.
And I think the number one question is
how resilient is the organization.
And you know, cyber resilience
or AI resilience equates to enterprise
resilience.
Like are we fiscally going to be able
to stay afloat and run the business?
Right?
Is this going to impact the franchise’s
trust reputation?
So that's the first question.
As an industry we haven't really
benchmarked you know resilience readiness.
Right. What is sort of the rubric?
And there's a lot of work around this.
But what is that rubric?
How’re we baselining what good looks like
and what is the art of the possible
for us to get there?
That's really the question that comes up.
Cyber resilience readiness.
Like what are the gaps?
How good are we?
How healthy is this company?
And are we, you know, and what do we need
to be doing to get better?
The victims, meanwhile,
were left with a new kind of burden.
Unlike a stolen credit card,
an exposed identity cannot be canceled.
Social Security numbers don't rotate.
Birthdays, they don't expire.
The harm was not immediate or guaranteed,
but probabilistic and permanent.
A low level of risk that would
follow people for the rest of their lives.
Kavitha, Equifax went through
a major transformation after the breach.
From your perspective as Chief
Transformation Officer, what signals
tell you a customer is genuinely ready
to commit to transformation?
This is the complexity of transformation.
Let me give you an example
to answer that question.
Recently, I've been working with a CISO
for an organization that, you know,
had an incident,
brought the CISO and said, okay, we've
got to build a lot of security hygiene.
We've got to completely
like revamp, you know, take a look at what
our security posture is, etc.
Obviously, infrastructure, IT, owned
a lot of the services
and infrastructure budget.
So you have a CISO
who has 100% responsibility,
but zero empowerment
to make the right decisions around,
you know, a majority of the technology
stack.
The signals that tell us
whether an organization is ready to commit
to transformation is when we start
seeing the breaking down of silos
from a cultural perspective, between IT
and security, because this sort of culture
and organizational sort of inertia
really holds organizations back.
Credit freezes surged across the country,
identity monitoring became routine,
and a generation learned belatedly
how fragile
their digital selves really are.
Why do you think organizations struggle
so deeply with systems
that seem too important to touch,
even when they're too old to trust
perhaps?
These critical systems
become really invisible over time.
They just become part of the cog,
and they continue to spin and go.
But what's happened in the background
is that as a part of a complete
implementation, folks either
didn't have time,
didn't have the resources,
didn't have the competency, in order
to put in a full cycle
or full lifecycle management,
for that particular service,
and in which case they age.
And now you're left “vulnerable”.
In 2019, Equifax reached a settlement
with the US Federal Trade Commission,
the Consumer Financial Protection
Bureau, and state attorneys general.
The headline
figure reached up to $700 million,
including restitution, fines
and mandated security improvements.
Equifax would never admit wrongdoing,
but the money changed hands,
even though the data
would never be recovered.
For CISOs and CXOs listening,
what's the one big identity lesson
they should carry forward from Equifax,
you think?
I think it's the modern attack surface.
I think everything pivots through access,
and you can't protect your data
if you don't understand
who can touch it, when, and why.
I think
if we can't explain our identity posture,
then we cannot explain our risk posture.
And Mark’s talked a lot about risk,
assessing risk.
I think the one other thing,
you asked me for one,
but I’m going to give you two:
Beware of concentration risk,
you know, the very vendor that's selling you
your applications is the very vendor
that’s securing your application.
Then in February of 2020, a new chapter
opened, one that complicated the story
rather than closing it,
the US Department of Justice indicted
four members of China's
People's Liberation Army,
alleging that they were responsible
for the Equifax intrusion.
According to the indictment,
the breach was not financially motivated,
but part of a state sponsored
intelligence operation designed
to assemble dossiers on American citizens.
China denied the allegations.
None of these defendants were arrested,
of course.
No trial followed.
The data's ultimate use remains unknown.
Was it used for espionage?
Counterintelligence perhaps?
Future leverage?
According to public reporting and expert
analysis, it's impossible to say,
but the absence of evidence
is not evidence of absence.
If a new CISO pulled you aside and said,
how do I prepare
for the next Equifax,
what would you tell them to do first?
The classic line is assume breach.
And one of the areas
that I tell folks to take a look at,
and hopefully they have mechanisms
like this in place.
They're not universal.
But take a look at some very common
signals.
Number one: and so you can prepare,
right, is to understand
just how susceptible
your folks are to things like phishing.
How good
is the
posture of the organization already?
And then you can understand
just how much you are assuming breach.
Kavitha,
thank you so much for being on the show.
Really appreciate having you here
and hope you come back again soon.
Jeremy, thank you so much for having me.
It's been a great pleasure.
And Mark, thanks for coming back again.
It's your second time on the show.
Looking forward
to having you back for a third time.
Yeah. Loved it.
Loved meeting you Kavitha.
Looking forward
to more of these in the future.
And so the Equifax breach ends
without the blood
red rare satisfaction
of a dramatic stakeout and takedown.
No recovered database.
No moment where the criminals are caught
and cuffed and harm undone.
Just a system
that failed quietly, recovered publicly
and then moved on while the consequences
were quickly covered
like a corpse in a shallow grave.
Today, Equifax still operates.
Credit scores are still calculated.
Decisions are still made in milliseconds,
based on data that once slipped out
the back of the system
without anyone noticing.
The breach is
no longer active, but the risk,
the risk is.
In a world of cybercrime,
this is often how the story ends.
Not with a clean resolution,
but with exposure.
A reminder that in digital systems
built on trust,
the most dangerous failures
do not announce themselves.
They simply persist.
And so we must remain forever
vigilant and always listening
for The CISO Signal.
If you enjoyed this episode,
please like, share and subscribe.
If you didn't, thanks for listening
this long.
We'll see you
on the next episode of The CISO Signal.
All episodes are based on publicly
available reports,
post-mortems, and expert analysis.
While we've done our best
to ensure accuracy, some cybersecurity
incidents evolve over time
and not all details have been confirmed.
Our goal is to inform and entertain,
not to assign blame.
Where facts are unclear,
we've used cautionary language,
and we always welcome your corrections.
Thanks for listening to The CISO Signal.
