One Year After Data Breach, Equifax Goes Unpunished (boingboing.net)
"It's been a year since Equifax doxed the nation of America through carelessness, deception and greed, lying about it and stalling while the problem got worse and worse," writes Cory Doctorow. Equifax's new CSO says they've spent over $200 million on security upgrades, in work being overseen by auditors from eight different states. An anonymous reader quotes Doctorow's response:
This all sounds very good and all, but it's still monumentally unfair. The penalty for Equifax's recklessness should have been the corporate death penalty: charter revoked, company shut down, assets sold to competitors... The fact that Equifax's investors and execs kept all the money they made by risking all America with shoddy security, and that no one went to jail for a monumental act of corporate recklessness, is a moral hazard, virtually guaranteeing that Equifax's competitors will not take the care they owe to the people on whom they have amassed nonconsensual, potentially life-destroying dossiers.
Equifax's CEO and several top officials did leave the company, notes Government Technology -- but that's about it. Thus far, no financial punishment has been imposed on Equifax itself. Despite contentious hearings, no Congressional action has been taken. A few months later, the Consumer Financial Protection Bureau tabled action against the company. And while the Federal Trade Commission said it opened an investigation into the Equifax breach in September, the agency has since named as chief of its consumer protection division a lawyer who has represented Equifax. This past week, Equifax asked a federal judge to reject the claims from 46 banks and credit unions for payment of damages because of the massive data breach. The companies claimed that Equifax owes them for all the costs they incurred protecting data after the breach was revealed, costs that could easily run into many millions of dollars....
Equifax had revenue of $876.9 million during the second quarter of 2018, up 2 percent from the same quarter of last year, officials said.
GDPR and credit agencies (Score:5, Interesting)
Re: (Score:2)
As a European, and with GDPR in force, can I demand that Equifax delete all the data they hold on me?
Can you ask? Yes.
Will they do anything about it? Magic Eight Ball says "Don't count on it"
Re:GDPR and credit agencies (Score:4, Interesting)
Yes, but you'll never be able to get a mortgage, loan, new mobile phone contract, insurance, etc. again.
Re: (Score:1)
That's the corrupt USA, not Europe. Moron!
Captcha: reptiles
Re: (Score:1)
Yes, but you'll never be able to get a mortgage, loan, new mobile phone contract, insurance, etc. again.
I have never had any debt of any kind, yet I have insurance, a mobile phone, a modest home, and several degrees from a leading American university.
You don't have to play their games. You don't have to be the peasant working their fief.
Re: (Score:1)
I have insurance, a mobile phone, a modest home
All of which send regular reports to your nation's credit reporting agency that is used by the same companies you get the mortgage or services from. If you default on those payments for your mortgage, make late payments on your insurance or phone watch how hard it becomes to get new credit or what interest rate you get or what insurance rate you get.
Re: (Score:2)
Re: (Score:2)
Re:GDPR and credit agencies (Score:5, Informative)
What one might do is freeze their credit with Equifax, and only Equifax. That would prevent them from profiting off of you. If a creditor wants to check you, they can use Experian or TransUnion. If the creditor demands Equifax, then you have a choice to make.
Re:GDPR and credit agencies (Score:5, Interesting)
It'll still depend somewhat on national implementation of GDPR quite how many rights you have in this area, as some countries tend to gold-plate the legislation.
I work for a CRA, and we've put a substantial amount of effort into ensuring GDPR compliance. What scares me the most, though, is that the corporate attitude was to get us compliant at all costs, but that our clients' compliance was their own problem. I disagreed with this; I believe we had an obligation to at least let them know what they needed to do to be compliant with our software. It irks me that we're compliant but we knowingly allow clients to use the data in a non-compliant way.
So make no mistake, here in my country a large number of financial services organisations are currently NOT compliant.
To be clear though, CRAs have always had exceptions under data protection law, much as with law enforcement. This is because they tend to support anti-crime activities such as fraud prevention and detection and use their data for those purposes. It's a tough one because you could argue private companies shouldn't do this and such anti-fraud measures should be publicly run, but let's be clear, this is one area where free market competition is a good thing - having companies play each other off at providing better and better fraud prevention and detection is far better than the stagnation you'd get from a publicly run version.
Mostly you don't have a contract with a CRA though, typically you interact with them indirectly through your credit card provider, mortgage provider, and so on and so forth. Where you do have rights under GDPR is with these guys - you can demand they cease processing your data, you can demand to see what information they have on you, and so on and so forth. That only extends to the point of provisioning a service to you however, you cannot for example demand a credit card supplier delete all data on you if you still owe them for credit card debt. You can also request that financial services organisations don't send your data to a credit reference agency, and that they don't run a credit check on you, but they may simply refuse to accept you as a client in this case.
The biggest benefit of GDPR IMO is in breach reporting - it's now a legal obligation to let you know if your data has been stolen, this means Equifax's handling of this breach would now be outright illegal under GDPR, because they not only didn't let people know, but kept it secret for a while. GDPR requires that you inform affected people as soon as you're aware of a breach - if you don't know which of your customers explicitly were affected you have to notify the minimal possible pool that could potentially have been affected, which might be your entire client base if you don't have sufficient auditing.
So mostly you're not going to get much more ammo against CRAs with GDPR, but it does at least enforce much higher standards on us, which IMO is a good thing. I know we're widely hated as organisations, but some of us working in such agencies do at least have morals and do our best to keep these organisations as honest as we can. I have refused to allow my team to implement certain things because I've found them to be morally reprehensible on a number of occasions. Similarly, I've written extensive documents detailing ethical, and sometimes legal, problems surrounding existing software and passed them up to the directors to get the product killed, as when made aware of such issues they can't practically continue provisioning said software. You may question why I'm still even employed there given the problems I cause, but in a strange way even the directors accept, when called out on bad stuff, that I'm only keeping them honest in the way they publicly profess the organisation to be. I get a strange type of respect for helping keep the corner of the company I'm in charge of development for true to its publicly professed ideals, a kind of love/hate relationship. Make no mistake, I don't buy the bullshit the company spreads about how we're a public good, but I do at least do my bit to try and keep at least the CRA I work for firmly on the right side of the grey lines. I suspect if I didn't, we'd be just like Equifax showed itself to be.
Re: (Score:2)
Re: (Score:2)
Maybe their copy. Good luck finding everyone else with a copy.
Penalties (Score:3)
The penalty for Equifax's recklessness should have been the corporate death penalty: charter revoked, company shut down, assets sold to competitors
If this is truly a case of recklessness, lying and stalling, then it sounds like their reaction to the breach was a matter of policy or strategy set by upper management. So how come none of these guys are rotting in gaol?
Re: (Score:3)
They're rotting in Gaul. Somewhere near St. Tropez.
Shareholders (Score:5, Insightful)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
vs Facebook (Score:5, Interesting)
Fuckers in congress cared more about the Facebook fiasco - and that was their business model. People signed up for FB. No one signed up for Equifax. They collected and lost our data, but no one gave a flying fuck.
Not News (Score:5, Interesting)
Corporations haven't been accountable for anything in this country for years, because those in power (yes, Democrats AND Republicans) are in their pockets. If you want to see what happens when Government actually tries to strike back at corporations with these assholes in power, look no further than the CFPB, which has had its power castrated and is currently in the process of being de facto dismantled because it ruffled too many powerful feathers by actually punishing a company (Wells Fargo) for breaking the law.
What would have been news is if Equifax or its top brass received any actual meaningful punishment.
Re: (Score:2, Informative)
Enron and Worldcom executives have been tried, convicted and jailed. Both companies are essentially gone due to government prosecution and their own corporate malfeasance. So your assertion that corporations have not been held accountable is blatantly false. There are many more examples than these two.
Why did you come here to lie, and why would others promote your false post to Informative with a score of 5?
Re: (Score:2, Interesting)
Exactly this. You'd think it is the one area where genuine liberals and conservatives can get along because whenever I listen to reasonable people on either side talking in the absence of the other they all say similar things. Both are very concerned about corporate power and corporate accountability.
The problem is that the controlling interests in both major parties are not and have not been in line with the people on this one for a very long time. Bill Clinton completed the corporate takeover of the De
Re: (Score:3, Insightful)
Corporations haven't been accountable for anything in this country for years, because those in power (yes, Democrats AND Republicans) are in their pockets. If you want to see what happens when Government actually tries to strike back at corporations with these assholes in power, look no further than the CFPB, which has had its power castrated and is currently in the process of being de facto dismantled because it ruffled too many powerful feathers by actually punishing a company (Wells Fargo) for breaking the law.
What would have been news is if Equifax or its top brass received any actual meaningful punishment.
Try to remember that it was Democrats that created the CFPB in the first place and Republicans that are dismantling it. Every time the Republicans get the White House they gut the regulatory agencies, from the EPA to the SEC. There are corrupt Democrats but establishment Republicans are the worst.
Re: (Score:2, Insightful)
You're delusional if you think the Democrats aren't equally complicit in propping up this crony capitalist system. Or are you going to pretend that financial companies weren't subsidized at taxpayer expense under Obama during the great recession? There's simply no difference. Neither party is going to effect change in this area.
But Americans love their football teams and political parties, I guess.
Re: (Score:2)
CFPB is a joke from my personal experiences and it seems like a waste of money from my perspective. Name some positive things they have done that weren't already going to happen due to existing class action lawsuits at the time.
That's the corporate structure (Score:3)
If a small business owner does something horrible that hurts, kills, or otherwise damages people, customers or not, that business owner will end up in jail.
Once that business gets a bit bigger and becomes a corporation, the owners are now called "shareholders". In the US, "shareholders" of a corporation are not legally liable for anything the corporation does. That's the crux of the problem.
Ideally, all of the owners of a company should be just as lia
Re: (Score:2)
Re: (Score:2)
Last I read, there were at least a couple dozen class action lawsuits pending against Equifax. These sorts of things take time to process through the system, and it's obviously not over, nor the end of litigation penalties for Equifax.
...and for our next trick, we restrict the filing of those pesky class action suits!
&lt;sarcasm&gt; But we have the best gov't money can buy! (Score:2)
&lt;/sarcasm&gt; I mean, it's not like corporations bribe, er, lobby congress, right?
--
The Best thing about America: Capitalism
The Worst thing about America:Capitalism
Re: (Score:2)
--
The Best thing about America: Capitalism
The Worst thing about America: Capitalism
--
The Best thing about America: Capitalism
The Worst thing about America: Capitalists
FTFY
You mean centuries, since ancient Rome (Score:3)
> the U.S. Supreme Court has waved for decades
I think you mean centuries. The first business corporations were for road building and other government contracts in ancient Rome. An individual mason couldn't build a road, a baker couldn't feed the army. Together, a thousand craftsmen could bid to do these things. If the project was late, or there were quality problems, the corporation so established would be penalized for the poor performance, rather than trying to figure out which of the many workers cau
Re: (Score:3)
Good question. The answer is (Score:5, Insightful)
You bring up some good questions. With a little investigation, you can discover that the CEO did not order the network security tech "be careless about how you configure the zones on the ASA". The CEO doesn't know what an ASA is, and the tech has never met the CEO. So it gets rather complicated.
When there is a specific law related to an overt act, such as dumping toxic waste somewhere, you may be able to follow the chain of command and figure out who knew what and who authorized what. The problem at Equifax was mostly not being careful in general. There was no one item that they did or failed to do which caused the breach. Their security just generally sucked all around; they were sloppy. Notice "they" is plural. Even if they had updated the application that was actually used in the breach, the bad guys would have just used one of their other security holes. Anyway, no boss sent out a memo saying "be sure to be sloppy about updating software".
So I don't think you can pin this on one person, or a few people. What you CAN do is identify who profited from their decision to be sloppy, to not invest in security. That would be the shareholders. They can be penalized by taking the money that they inappropriately got by failing to pay for proper security, and perhaps more. The way you get money back from the shareholders is by fining the company.
Re: (Score:3)
Determining who had what res
How would MORE sloppy people help? (Score:3)
> Did the IT director ever put in a request for additional personnel, funding, or authorizations to address their poor security?
Equifax, throughout the company, had a culture of sloppy. It was sloppy before that IT director arrived. More people doesn't fix sloppy.
The CEO *tried* to blame one of the techs. That didn't go over so well.
Re: (Score:2)
If the project was late, or there were quality problems, the corporation so established would be penalized for the poor performance,
That's the part that's missing in the U.S. today.
That and dissolution of corporate charter if the corporation fails to operate in the public interest.
Re: (Score:2)
Raymond Williams, Daryl Duncan, Penny Duncan, US T (Score:2)
You mean like Raymond Williams, Daryl Duncan, Penny Duncan, from U.S. Technology Corporation? And William Terry Wright, president of Explo? Those were last month. In May we had guys like Gavin Rexer, Dennis Paulhamus, Timothy Sweitzer, Joseph Powell, and John Joseph from Rockwater Northeast. This month it's Trey Glenn headed to prison.
Who did it? (Score:2)
With megacorps spanning the world, no one country's data laws
Re: (Score:2)
Have no fear (Score:3)
civil lawsuits and not just for Equifax (Score:2)
For example, did any executives do time for the deaths on the deepwater horizon? Nope.
3 companies paid out $54B, and several engineers were punished for hiding data because they were told from above to hide the data. No jail time for the murders of 11 ppl.
Now, we have companies like Equifax and many other large companies that are irresponsible in dealing with our data, and very little happens to them.
What is needed is a massive law
Sure. Because The Rich weren't affected. (Score:3)
Re: (Score:2)
And we do exactly that . . . (Score:2)
And it brings to light (Score:2)