Another Coverup? Equifax Accused Of Scrubbing That Its Chief Security Officer Was A Music Major

Update: And... she's gone: EQUIFAX SAYS CIO AND CHIEF SECURITY OFFICER ARE RETIRING

* * *

One week after what may be the biggest security leak in US history, when Equifax belatedly admitted that hackers had made off with over 143 million private data profiles, sending the company's stock 37% lower in the past week...


... leading to a massive scandal that will go through at least one round of Congressional hearings, in which company CEO Richard Smith will have to explain why the company waited for weeks before making this unprecedented data breach public (a breach that came about through a vulnerability the company was aware of and should have patched months prior), and which will likely culminate in prison time for one or more company executives. Now questions have emerged as to whether Equifax was involved in another cover-up, this time involving the background of its Chief Security Officer.

Meet Susan Mauldin, the Equifax Chief Information Security Officer, and the person who was responsible for keeping the highly confidential and secret information of over 100 million Americans well... highly confidential and secret.

Mauldin has been with Equifax as CSO / CISO since 2013. She was previously Senior Vice President and Chief Security Officer at First Data Corporation, until July 2013. Mauldin was also SunTrust Banks’ Group Vice President from 2007 to 2009. 

So far so good, but a problem emerges: according to LinkedIn, Mauldin’s stated educational background has no security or technology credentials and consists of... a bachelor’s degree in music composition (magna cum laude) and a Master of Fine Arts degree in music composition (summa cum laude), both from the University of Georgia. Once again, this is the person who was in charge of keeping your personal and financial data safe — and whose failure to do that has put 143 million people at risk of identity theft and fraud.

Or rather, that's what her LinkedIn profile would have disclosed, had "someone" not thoroughly scrubbed and censored it in the hours after the scandal broke.

As MarketWatch's Brett Arends writes, "there has been very little coverage so far of Susan Mauldin’s background and training. Given the ongoing disaster of the hack and Equifax’s handling of the affair, the media spotlight has so far been elsewhere." It now emerges that someone was very keen on keeping as little information about Mauldin's background in the public domain as possible.

Shortly after the Equifax scandal broke, Mauldin's LinkedIn page was made private and her last name replaced with “M.” Below is a screengrab showing Susan Mauldin’s old and current LinkedIn pages in Google search results as of 9/9/2017.

Mauldin’s original LinkedIn page was on this url before it was made completely private: linkedin.com/in/susan-mauldin-93069a (now a 404 page not found)

A few days after the news of the data hacking broke, the page reappeared with a different URL, with the specific detail that her degrees were in Music Composition removed. Her surname Mauldin was also replaced with the initial M. to complicate profile discovery.

Among the skills touted on her LinkedIn page: Data Center, IT Solutions, PCI DSS, IT Service Management, IT Outsourcing.

Additionally, two videos of interviews with Mauldin have been removed from YouTube. A podcast of an interview has also been taken down. As Hollywoodlanews.com reports, in March 2016, Mauldin was interviewed on camera by the CEO of the big-data company Cazena.

The videos featuring parts of an interview with Susan Mauldin, which were embedded on this page, have been taken down as of the afternoon of September 10.

https://www.youtube.com/watch?v=3O-VB09IdHU

https://www.youtube.com/watch?v=w_2ABbwSYbs

A partial transcript of her remarks during the interview has been archived for posterity by a third party: http://archive.is/6M8mg

The full interview videos went far in explaining what may have been the eventual cause of the massive leak of information now gravely affecting 143 million Americans.

The audio-only version of the interview that was publicly available on Soundcloud has also been scrubbed from the web.

* * *

Unfortunately for the scrubbers, internet archives preserved her original LinkedIn profile (shown above) which revealed her "music" background, and a transcript of one interview has survived.

So as CEO Richard Smith prepares for the upcoming congressional grilling, here are two more questions he can add to the list. First, how far can a Chief Security Officer go in this business without a formal education in technology? Brett Arends notes that in an interview he uncovered, Mauldin said of recruiting: “[w]e’re looking for good analysts, whether it’s a data scientist, security analyst, network analyst, IT analyst, or even someone with an auditing degree. ... Security can be learned.”

But she also said she focuses college recruitment, understandably, on “universities that have programs in security, cyber security, or IT programs with security specialties.” She did not mention music composition.

And second, was the company actively involved in what appears to be an active campaign to scrub the potentially embarrassing background of its Chief "Security" Officer?

As Arends concludes, and we agree, "everything about this fiasco just gets more and more surreal." It will be even more surreal, however, if, as a reader points out, a woman diversity hire is the reason behind one of the largest hacks of financially sensitive data ever...

Comments

vato poco peddling-fiction Fri, 09/15/2017 - 18:39

my question is WHO in the c-suite is the fucking *idiot* that a) thought this was a good plan and b) signed off on it? it's the USA, the lawsuit capital of the world, and equifax has just royally and very publicly screwed the pooch. they KNOW they're gonna get sued; and get sued a lot. and still some genius - no doubt with an MBA and a 7-figure pay plan - thought this was a good idea. that the lawyers would never find out. and that jurors wouldn't crucify them when they hear the tawdry tale in the courtroom. jesus! does no one have even a lick of common sense anymore?!?

In reply to by peddling-fiction

land_of_the_few MANvsMACHINE Sat, 09/16/2017 - 11:02

Would be a step up in some ways :D

Why didn't they hire someone with at least some knowledge of the subject area? The clue seems to be "outsourcing". Anyone who lists that in their resume does not have good understanding of security, for obvious reasons. If it's not obvious, look at what happened to Sweden.

Plus you can see the person has complete disregard for the technical side of security ... "old-fashioned tech-based approach" "need to concentrate on brand management instead". So basically for these kinds of people, a security breach is managed by hiring ad agency execs to spew out a comforting story as the main "remedy".

In reply to by MANvsMACHINE

blentus land_of_the_few Sat, 09/16/2017 - 12:38

Some 15 years ago, I was doing a pentest of a major bank. During initial conversations and discussions about the scope, one of the guys from the bank was explaining that our testing is simply pointless and that they should have not bothered. His reasoning was very simple, honest and scary.

If they don't hire us (or anyone else), they save the money (tests could be, and still can be, quite costly). If something bad happens and they get hacked, they would just send out standard PR releases with usual statements like "No confidential information has been compromised", etc - even if it was not true. They'd give an interview or two for papers/TV and just downplay everything. And that would be much much cheaper than the price of our security test. Keep in mind - in those times it was easier to handle/ignore breaches (and they were happening on a daily basis, everywhere) and people were not as reliant on Internet technologies as they are now. So it was piss easy to just ignore breaches altogether.

What is scary is that he (and few others who agreed with him) were dead serious and was thinking that security is just an annoyance. You still have plenty of such people in positions of power, within many organizations. And they still find the PR angle to be much easier than anything else.

In reply to by land_of_the_few

blentus DollarMenu Sat, 09/16/2017 - 12:41

Oh, it doesn't matter to them. The same way they tried taking advantage (and failing, luckily) of the 'terrorist iPhone' situation and trying to sway public opinion towards accepting crypto backdoors in consumer products, they will now try to use this opportunity to introduce mandatory new IDs. I mean, if they haven't at least tried, I'd be very disappointed :)

In reply to by DollarMenu

Lucretius vato poco Sat, 09/16/2017 - 03:26

+1 more! My first thought was "WTF, weekend humor???" "and will likely culminate with prison time for one or more company executives" Ya gawdamned killing me! On what F*kn planet? "(magna cum laude)" "(summa cum laude)" All I can say is that bitch must play a mean skin flute! No, I'm not ignorant, this broad WAS, at one time, quite accomplished at music, and I get the Latin, but who TRUSTED this incompetent person with all that data??? Inquiring minds and hooked nosed hebes want to know. Tick tock bitchez!

In reply to by vato poco

HardlyZero peddling-fiction Fri, 09/15/2017 - 19:29

Debbie Wasserman Schultz and Susan Mauldin, it is all the same problem. These un-educated managers in their "chosen field" hire people much smarter than them, and then the workers tell the boss how to run things into the ground, while the workers take everything lock stock and barrel. Meanwhile the bosses get their bonuses. In this case... when asked about her credentials they only get... Sounds of Silence.

In reply to by peddling-fiction

Curiously_Crazy J S Bach Fri, 09/15/2017 - 20:00

Yeah the whole article is overblown, and I speak as one who actually has a computer science degree. The IT field is nothing like say surgery or dentistry and it's common (or at least it was) for people to enter the field without a formal piece of paper. One of my good mates got a job at Symantic in the 90's as a programmer because he had been writing assembly code and bootstraps from the age of 13 and not because of a degree; they grilled him in all 3 interviews but they were impressed by the way he thought.. he's currently programming PS4 games for one of the big players earning 10 times more than I ever would.

As an aside, it's also been shown that people that do well with instruments (ie reading sheet music on the fly) can naturally be quite adept at coding, and vice versa.

Should they have tried to cover shit up? No. Does it mean not having a degree was what made her incompetent? No. She could have a Masters or PhD and have been just as neglectful to her duties. God knows there are enough of them about.

In reply to by J S Bach

813kml Curiously_Crazy Fri, 09/15/2017 - 21:18

The IT field is one of the last meritocracies, but she should at least have a laundry list of security certs. I doubt she even has that much or else they would be listed. Once you rise to the VP level in corporate America it's all about who you know not what you know, especially if you can check the box of a diversity hire. This lady was clearly incompetent and the board is going to throw her under the bus repeatedly to save their asses.

In reply to by Curiously_Crazy

Curiously_Crazy 813kml Fri, 09/15/2017 - 21:49

Fair call, but the fact remains even if she had those certs they're all pretty much useless compared to someone who learnt themselves (bear with me heh). Who is more qualified.. someone who got one of the new trendy "ethical hacker" certifications after 6 months, or someone who has been, oh I dunno, actually writing real scripts, decompiling code to exploit buffer overflows, understands the entirety of the OSI model and how it applies so they could infiltrate all the systems they have over the past 5/10/20 years? The real hackers are always one step ahead, and none of the real hackers have any formal education yet they have the 'experts' chasing their own tails.

Granted, none of the above would apply to her firstly because she chose to undertake any formal education at all and secondly because she is female (hopefully I can say that on this site without the do gooders crying sexism - but just in case, there are close enough to zero females interested in IT security during their formative ages it might as well be zero.. it's an overwhelmingly male thing to want to understand). In short I was talking about the security arena on the whole and not this one specific case. Remember Kevin Mitnick? Hacks the government, they can't catch him for several years, gets caught, goes to jail, hired by FBI as consultant. He started at 13.

In reply to by 813kml

813kml Curiously_Crazy Fri, 09/15/2017 - 23:14

Savant abilities and extensive real world experience would trump certs, but you can tell by looking at her she's not a Kevin Mitnick. She's a drone that lucked into a security management position early in her career and floated to the top. She should have at least basic certs to be taken halfway seriously.

There are more women than you think involved in security. I have an ex-GF that wrote her own ticket because she's:

1) Competent
2) A female minority
3) Hot

Not necessarily in that order... ;-)

In reply to by Curiously_Crazy

Lucretius Curiously_Crazy Sat, 09/16/2017 - 03:56

Good call CC, my field of expertise is in mechanics, automotive in the main. But as a 57 year old child, I still love to learn, studying all physical sciences, astrophysics, electronics, loving history, monetary circuses, schemes, etc! I don't want to be the smartest guy on the planet, I just want to know how everything works! I totally get your point about females and IT science, a rare bird. It's like a woman in that auto parts industry... they are a great asset/distraction in delivery, but ALMOST useless in the counter position. I've known 2 women that were really good at parts sales, after forty years in the industry. It is rare, but not unheard of, but let's face it, this broad FAILED, miserably!

In reply to by Curiously_Crazy

Curiously_Crazy Proofreder Sat, 09/16/2017 - 00:02

A. You'd note I wrote he worked there in the 90's - soon after the merger with Peter Norton Computing, an utterly different firm to the Symantec/Norton we know today (since the early 2000's really). Okay so I spelt it wrong... simple typing stuff up and I've not used any windows products since win 98 anyway.

B. Even if the above wasn't the case, you're implying that because someone gets their first job in a company you don't like you're going to ignore everything else; there's a name for that line of reasoning.. I'm sure you know it. I guess there is no competition whatsoever for jobs at Google and their employees are all dunderheads too?

C. I don't think it's me who's lost credibility, and no I won't resort to name calling.

In reply to by Proofreder

Doomer_Marx Curiously_Crazy Fri, 09/15/2017 - 23:59

I programmed for a decade before going back and getting a masters. There's no way this woman should have been put in charge of ALL AMERICANS' information. Yes, you can program without a degree but you'd be a better programmer with both experience and the degree. For a company that handles that much, very sensitive data, she shouldn't be chief security officer without the proper background which includes both experience and education.

In reply to by Curiously_Crazy

venturen Curiously_Crazy Sat, 09/16/2017 - 15:19

Are you a check out clerk? Have you ever hired an IT person? I have... hundreds of them. In today's politically correct world... she got there because she had diversity training, loved committee meetings and they needed a token woman in the organization. They fired 100 Cranky Old White Guys... that hate diversity meetings, hate useless committee meetings and were WHITE GUYS THAT LOVE IT... but love all the arcane pieces of IT. I have worked in IT for 30 years and see it day in and day out! I interviewed a music major once... was completely useless... got hired because the VP was his neighbor... he lasted 3 weeks!

In reply to by Curiously_Crazy