Experian Board of Directors: Growth Through Acquisition – But Without Security Testing

David Krebs story: http://krebsonsecurity.com/2015/10/at-experian-security-attrition-amid-acquisitions/

 

I want to focus on Board of Directors decisions to grow through acquisition: the board wants that growth to happen securely, but in practice it has lots of problems.

The term I like the most is Black Box Magic (as if security were obtained from a magic black box).

Image: black-box magic, from Martin’s Magic collection: http://www.martinsmagic.com/product-tag/wagoncollector/

Experian purchased Decision Solutions in April 2013 and placed the company into its Decision Analytics platform. Soon thereafter it was obvious that support tickets to hardware support in the company’s Global Technology Services Division were unauthenticated.

Anyone viewing these support tickets could see that some of them gave out detailed internal data, and an attacker could even just create a ticket asking for an account for themselves.

This was not the only cyber acquisition problem. In March 2012 Court Ventures Inc. was purchased, and unfortunately the customers of this company were not vetted: Hieu Minh Ngo had gained access to the Court Ventures database by posing as a private investigator in the US. So Ngo was able to sell credit card identity information to his nefarious customers (who are being prosecuted).

http://www.blumenthal.senate.gov/newsroom/press/release/demand-answers-from-t-mobile-and-experian has the details of the personal data of 15 million customers that was stolen.

The cybersecurity headlines of 2014 have forced company boards to make a higher focus on computer security a must-do. BUT… that does not mean one takes shortcuts, as cybersecurity takes time and effort, which it seems were in short supply at Experian.

 

As we have mentioned in the past, security is people, process, and technology. And most importantly, one must test the output (as the feedback loop below denotes).

Image: fixvirussystemengineering (feedback loop diagram)

If one takes shortcuts it will become evident eventually and then it will not be pretty.