People

Equifax paints itself as a cybersecurity leader now

Nearly three years after its massive breach, Equifax says it has a lot to teach the industry. Will experts buy it?

Bryson Koehler, CTO of Equifax (left), and Jamil Farshchi, chief Information security officer at Equifax at the RSA Conference

Equifax is pitching itself as a bonafide leader in cybersecurity that others should follow.

Photo: Courtesy of Equifax

Yes, Equifax wants to talk about cybersecurity.

The credit reporting firm that suffered a colossal data breach in 2017 that exposed personal, sensitive data on 147 million people is making a deliberate effort to be front-and-center at this year's RSA conference in San Francisco. Executives from the company will be speaking on seven panels, and chief technology officer Bryson Koehler and chief information security officer Jamil Farshchi, delivered a joint keynote Monday afternoon.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

"We know we've been through something that few other organizations have, and we know we're taking a bold stand in our way of addressing it," Farshchi told Protocol in an interview before the event.

Unlike many of RSA's more than 40,000 attendees, Equifax isn't at the conference exclusively to learn. Instead, the company is pitching itself as a bonafide leader in cybersecurity that others should follow.

"Our goal is to say it's not just us, everyone is dealing with these threats, and the more we can share and the more we can teach you all, the better chance we have of being able to lift all boats in this space," Farshchi said.

Both Farshchi and Bryson Koehler said they're irked by the cybersecurity mistakes they see other companies make. One of them is "toolitis": the affliction of thinking that buying more tools will solve your problem," said Koehler.

"It happens all the time, it's so frustrating … people love the shiny toys and think whatever new tool is out there — artificial intelligence, blockchain applications — is going to solve all your problems," Farshchi said. "The solutions are staring you right in the face, and it's frustrating because we see so many folks in tech and security that aren't focused on what we think are the fundamentals."

Other common issues they see are companies that bolt cybersecurity solutions onto the organization instead of building them in from the beginning, and a lack of alignment between the cybersecurity team and the rest of the business.

"You'll find in every security organization out there the notion that it's two separate teams with different incentives marching towards different goals, but we ultimately should be striving toward the same thing," Farshchi said.

In addition to calling the company a leader in cybersecurity, the executives said Equifax has "best in class" patching practices and has a goal of making "the world a better, safer, more secure place"

This confidence may come off as puzzling to other professionals, said Ann Cleaveland, executive director of UC Berkeley's Center for Long-Term Cybersecurity. Companies rarely brag about being cybersecurity leaders because "it immediately paints a target on your back," she said.

Additionally, Cleaveland expects that many cybersecurity experts will be skeptical of the company's claims, given its history. "If their efforts now are genuinely about helping the industry learn from what they've learned, good for them," she said. "But a lot of people are going to see it as marketing."

In their Monday keynote, Koehler seemed to expect some doubt, inviting audience members' toughest assessments during a Q&A. But most of the questions were largely technical.

Farshchi and Koehler argue that there are plenty of reasons to take them seriously. Few security teams have dealt with an incident like the one they experienced, so there's a lot of lessons to be learned from the recovery efforts, they say.

Federal prosecutors said earlier this month that Chinese military hackers were behind the breach in 2017 that compromised personal data including names, birth dates and Social Security numbers of 145 million Americans. The hackers were also able to steal drivers license numbers for at least 10 million Americans, and credit card details for 200,000 Americans.

The attackers were able to access the data by exploiting a software vulnerability in Equifax's online dispute portal. A patch for the vulnerability had existed for months, but Equifax did not implement it. A 67-page investigation report from a Senate panel last March blamed the incident on Equifax's negligence.

The company has made huge cybersecurity investments and changes since the breach to reassure shareholders, customers and employees that it won't make the same mistakes twice.

The company has hired about 1,000 technology and cybersecurity specialists since the breach and committed $1.25 billion to security improvements, Farshchi said. The company's leadership has also changed. The company's CEO Richard Smith and several technology chiefs left the company in the weeks after the breach was announced. Both Farshchi and Koehler were hired in 2018, from Home Depot and IBM, respectively. Equifax changed its reporting line so that Farshchi and his team reports directly to CEO Mark Begor. They've also focused on making all employees feel responsible for cybersecurity by adding things like security measures that tie into employee bonuses.

Koehler said he's had to dismiss groups and replace about a quarter of his team for not taking security policies seriously. "We've had to break some glass to change and shift," he said.

Farshchi said he hopes that these efforts can serve as an example to the broader cybersecurity industry.

"I can't think of any other company that has been as forward-facing as Equifax has been. …" he said. "The ultimate goal [for us at RSA] isn't a self-serving one. It's really to try to help the security industry and all the companies trying to defend themselves against all the attackers hitting them every day."

Fintech

Wall Street is warming up to crypto

Secure, well-regulated technology infrastructure could draw more large banks to crypto.

Technology infrastructure for crypto has begun to mature.

Illustration: Christopher T. Fong/Protocol

Despite a downturn in crypto markets, more large institutional investors are seeking to invest in crypto.

One factor holding them back is a lack of infrastructure for large institutions compared to what exists in the traditional, regulated capital markets.

Keep Reading Show less
Tomio Geron

Tomio Geron ( @tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics. He can be reached at tgeron@protocol.com or tgeron@protonmail.com.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.
Policy

How I decided to go all-in on a federal contract — before assignment

Amanda Renteria knew Code for America could help facilitate access to expanded child tax credits. She also knew there was no guarantee her proof of concept would convince others — but tried anyway.

Code for America CEO Amanda Renteria explained how it's helped people claim the Child Tax Credit.

Photo: Code for America

Click banner image for more How I decided series

After the American Rescue Plan Act passed in March 2021, the U.S. government expanded child tax credits to provide relief for American families during the pandemic. The legislation allowed some families to nearly double their tax benefits per child, which was especially critical for low-income families, who disproportionately bore the financial brunt of the pandemic.

Keep Reading Show less
Hirsh Chitkara

Hirsh Chitkara ( @HirshChitkara) is a reporter at Protocol focused on the intersection of politics, technology and society. Before joining Protocol, he helped write a daily newsletter at Insider that covered all things Big Tech. He's based in New York and can be reached at hchitkara@protocol.com.

Climate

This carbon capture startup wants to clean up the worst polluters

The founder and CEO of point-source carbon capture company Carbon Clean discusses what the startup has learned, the future of carbon capture technology, as well as the role of companies like his in battling the climate crisis.

Carbon Clean CEO Aniruddha Sharma told Protocol that fossil fuels are necessary, at least in the near term, to lift the living standards of those who don’t have access to cars and electricity.

Photo: Carbon Clean

Carbon capture and storage has taken on increasing importance as companies with stubborn emissions look for new ways to meet their net zero goals. For hard-to-abate industries like cement and steel production, it’s one of the few options that exist to help them get there.

Yet it’s proven incredibly challenging to scale the technology, which captures carbon pollution at the source. U.K.-based company Carbon Clean is leading the charge to bring down costs. This year, it raised a $150 million series C round, which the startup said is the largest-ever funding round for a point-source carbon capture company.

Keep Reading Show less
Michelle Ma

Michelle Ma (@himichellema) is a reporter at Protocol covering climate. Previously, she was a news editor of live journalism and special coverage for The Wall Street Journal. Prior to that, she worked as a staff writer at Wirecutter. She can be reached at mma@protocol.com.

Workplace

Why companies cut staff after raising millions

Are tech firms blowing millions in funding just weeks after getting it? Experts say it's more complicated than that.

Bolt, Trade Republic, HomeLight, and Stord all drew attention from funding announcements that happened just weeks or days before layoffs.

Photo: Pulp Photography/Getty Images

Fintech startup Bolt was one of the first tech companies to slash jobs, cutting 250 employees, or a third of its staff, in May. For some workers, the pain of layoffs was a shock not only because they were the first, but also because the cuts came just four months after Bolt had announced a $355 million series E funding round and achieved a peak valuation of $11 billion.

“Bolt employees were blind sided because the CEO was saying just weeks ago how everything is fine,” an anonymous user wrote on the message board Blind. “It has been an extremely rough day for 1/3 of Bolt employees,” another user posted. “Sadly, I was one of them who was let go after getting a pay-raise just a couple of weeks ago.”

Keep Reading Show less
Nat Rubio-Licht

Nat Rubio-Licht is a Los Angeles-based news writer at Protocol. They graduated from Syracuse University with a degree in newspaper and online journalism in May 2020. Prior to joining the team, they worked at the Los Angeles Business Journal as a technology and aerospace reporter.

Latest Stories
Bulletins