Mr. Smith: uhhh....
Mr. Smith: Yep. And has been for years.
Gabe: uh....
Mr. Smith: I don't know but I was responsible during the breach so I'm here.
Mr. Smith: No indication it's been changed.
Mr. Smith: <something about a 'decrypter'>. Sounds like DLP?
Mr. Smith: Attribution is hard.
Mr. Smith: yes but..
Mr. Lance: Is it possible another country?
Mr. Smith: Ask the FBI
Mr. Smith: I don't know.
(Gabe: this is an interesting one...)
Mr. Smith: 'we are part of a federally regulated ecosystem...'
Mr. Smith: We're giving away a product next year.
Mr. Smith: You'll be able to control who accesses it...
Mr. Smith: oops. boilerplate.
Mr. Smith: Not related to breach.
K: where else?
S: it's standard.
Mr. Smith: Dispute portal is separate from 'core' data.
K: so 145M disputed?
S: it's a portal
Mr. Smith: Simple. We have more security on the core database.
Mr. Smith: we use many techniques. This wasn't encrypted at rest.
K: & the core?
S: We use techniques
Mr. Smith: nope.
Mr. Smith: no. that's part of the core.
Mr. Smith: 225 people. $250M in sec over last 3 yrs.
Mr. Smith: Communication error to person in charge of patching.
Mr. Smith: We're offering services
...
Mr. Smith: Lots of SSN breaches. SSNs may not be good identifiers.
Mr. Smith: I haven't had time to reflect.
Mr. Smith: Volume.
Mr. Smith: It wasn't matching on full SSN so was inaccurate.
Mr. Smith: You have now been notified & can access our services.
Mr. Smith: 1yr from sign-up. Product in 2018.
Mr. Smith: Infosec reported to GC. I met routinely with CISO/GC through yr
Mr. Smith: core. she headed infosec and physical
Mr. Smith: I don't know.
Mr. Smith: None
Mr. Smith: Yes
Mr. Smith: we get data from other companies
Mr. Smith: Call centers
B: So they need to be proactive?
S: ...
Mr. Smith: I don't know. They could have come to us directly..
Mr. Smith: we don't do behavioral analytics
Mr. Smith: We take credit data, add analytics, and sell it
S: yeah, we sell data.
Mr. Smith: retired but I work for free as long as board needs.
Mr. Smith: yes. Yes. Not since breach.
Mr. Smith: They only have a small window after 2nd quarter window.
Mr. Smith: open source software
M: who's responsible to watch portal?
S: me.
...
S: CISO. no.
Mr. Smith: <I missed answer but I think it was 'no'>
Mr. Smith: We prioritized securing it.
Mr. Smith: Backlog is now fulfilled.
Mr. Smith: yeah, people are angry ... (interrupted)
Mr. Smith: We tried. We weren't prepared.
C: How couldn't you be?
S: not our traditional business model
(Gabe: let that sink in)
Mr. Smith: we were willing and able to invest. we just had errors.
Mr. Smith: our services. Free.
Mr. Smith: we still help people.
Mr. Smith: not our intent. services will be free.
Mr. Smith: Following recommendation, we used a press release
Mr. Smith: I've already answered that.
Mr. Smith: random.
Mr. Smith: "I have no knowledge of that"
Mr. Smith: I have no information that that is the case.
Mr. Smith: the microsite is...
Mr. Smith: patching takes time.
<back and forth w/o smith really getting the question>