Equifax Slapped With UK's Maximum Penalty Over 2017 Data Breach (techcrunch.com)
Credit rating giant Equifax has been issued with the maximum possible penalty by the UK's data protection agency for last year's massive data breach. From a report: Albeit, the fine is only 500,000 Pound (roughly $658,000) because the loss of customer data occurred when the UK's prior privacy regime was in force -- rather than the tough new data protection law, brought in via the EU's GDPR, which allows for maximum penalties of as much as 4% of a company's global turnover for the most serious data failures.
So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months -- thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers. Personal information that was lost or compromised in the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.
Better solution (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Wait? The people seeking full autonomy for the country so that it doesn't have unwanted laws imposed upon it are the traitors?
When the fuck did that word get its definition changed?
Re: Better solution (Score:2)
The teeth thing again? We've got better things to do with our time and money than sticking bits of plastic to them on the off-chance we get a call from Hollywood.
Re: Better solution (Score:2)
Yeah, British teeth get a bad rap because you aren't into cosmetic whitening and straightening like Yankees, but you don't have more cavities. Maybe it's too hard to keep them white with all the tea. :)
Re: (Score:2)
Re: (Score:2)
50,000 pounds paid directly to each party ID hacked, and 50,000 each paid directly to UK.
And from TFA:
Albeit, the fine is only 500,000 Pound (roughly $6,62,000)
AC: 100,000 pounds fine!
/. editor: $6,62,000 fine!
/, reader: wow, $6,620,000 fine!
TFA: 500,000 pounds fine!
It's the opposite of the police drug bust scam.
Re: (Score:2)
Re: (Score:2)
As much as I'd like to see that, there is a general principle in most legal systems that laws and punishments can't be retroactive. Otherwise governments would simply criminalize something you did perfectly legally yesterday and slap a hefty sentence on it.
If the breach had been more recent then the GDPR rules would have applied, which would be a maximum of 4% of global turnover. I believe that would be around $135 million, still only a fraction of their $580 million net income.
In Japan they have corporate j
Fine (Score:4, Funny)
Oh no! However will Equifax survive having to dip into the petty cash to pay a fine that's less than the lunch tab for yesterday's executive meeting about it?
Meaningless Penalty (Score:5, Insightful)
What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.
Re: (Score:2)
4% of global annual revenue... what about considering the cost of the damage done? What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.
4% of global annual revenue would be $124m.
Re: (Score:2)
To be clear 4% of global revenue for Equifax is the equivalent of 25% of its entire yearly profit ($125m). I think you can trust the gut instinct that there is going to be almost no policies out there where the cost of implementation will be this much of a normally operating company's annual profit.
Re: (Score:2)
Have the EU decree that Equifax can't do business in the EU anymore. Then they might actually realize just how insanely inexcusable their actions were.
4% of global revenue would probably get that point across.
Re: (Score:2)
there is going to be almost no policies out there where the cost of implementation will be this much of a normally operating company's annual profit
Almost, but.. there is one.
Implementing proper data security would easily wipe out one year's annual profit, and create an environment with run costs that could easily eat up that 25% every subsequent year.
Securing that volume of data used in so many ways isn't cheap.
Re: (Score:2)
Implementing proper data security would easily wipe out one year's annual profit
No. Paying some overpriced Accenture contractor and buying the resulting equipment needed from IBM will do that.
Re: (Score:2)
What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.
Where I grew up, there was a fine for farmers irrigating county roads. Let's call it $500. The fine could only be applied once per year, and the cost of fixing their irrigation to not water the roads is, let's say, $10,000 (plus the additional maintenance).
Don't fix it, just pay the fine.
Re: (Score:2)
Re: (Score:2)
There is a good case to be made for a more complete compensation package being legally mandated. At the moment individuals and companies affected have to claim from Equifax directly, i.e. sue them.
It would be better to appoint an administrator, similar to when a company goes bankrupt, who will accept claims from those affected and pay out.
There's a lesson in this (Score:3)
I'm sure that between this and all the money they made from people locking their credit score and all the money they made from selling identity theft protection plans and their stock price (which has almost completely recovered) I'm sure their security is top notch now.
Let this be a lesson to the rest of you companies who think you need to foolishly spend money on IT security.
Re: (Score:1)
I'm not sure if you're being sarcastic or not. The way I see it reminds me of an analogy: in a town near me the local parking authority finally figured out that people were knowingly parking illegally because the fine was only $2 or $5 / day, and parking lots were $10 - $25. This UK fine is roughly the cost of 2 or 3 IT security employees, and with those employees there's still no guarantee of security. So they spend as little as possible on IT security, and take the risk of paying the relatively tiny fi
Re: (Score:1)
Actually lots, especially sw dev. managers and IT security. It's been in the news here and elsewhere and you can do your own search.
But more importantly, I said the "cost" of IT security. The total cost of an employee is usually 1.25 - 1.4 times the base salary. Again, you can do a search, but here's one reference: http://web.mit.edu/e-club/hadzima/how-much-does-an-employee-cost.html [mit.edu]
Even if you tighten the numbers, that fine will still only buy you 4 or 5 IT security analysts for 1 year. Maybe that would
Re: (Score:2)
In Europe you can see your credit report for free. There used to be a small charge allowed by law, but now I believe it's free EU wide. Certainly it is in the UK.
Why assume the hacker is always stupid? (Score:5, Interesting)
Ever notice how this possibility is never, ever mentioned? This dog ain't barking so loudly it's deafening. So, are both sides really that stupid, or is someone covering up something? I find the former hard to believe - once, maybe, but every single time this sort of thing happens?
Re: (Score:2)
They catch basically only the stupid ones, so the conclusions drawn from who gets caught are badly skewed.
Re: (Score:2)
Now, it turns out I cannot register such an account, I can't create a sign-in, it just barfs. So I called the contact number, and after waiting the requisite few hours, I had a gov employee tell me that
You're in a corporate oligarchy. Duh. (Score:1)
You don't have a government. You have a council where corporate spokespeople present the laws their corporations have written, so the oligarchy of corporations can decide if that new regulation maximizes their own profit. And those who got overruled then bitch about "government regulation" and "lack of a free market". Like their goal isn't to regulate things their way... Only Master Pain ... err ... Betty, is missing. Darth Cheney is there though.
Actually, you have two councils. One for the royalty (senate)
Re: (Score:2)
So I just drop hints...I think it works better.
Re: (Score:2)
Well. I agree with your points. While hinting at things may or may not work, saying them clearly certainly does not work. Personally, I have mostly given up on people and say what I think clearly now. Fortunately, not many even listen, so the risk for me is small. And yes, that one guy you could (maybe) get rid of is only a symptom. Actually getting rid of him would not solve anything.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I'm not sure you understand anything here.
This data you're changing.. it all belongs to people. They'll notice that it's wrong, especially if it negatively impacts them, and they'll demand correction.
Then there are the regular data refreshes.
As for making someone rich.. no. At best you could enable them to incur financial risk they're entirely unequipped to manage, resulting in them ending in an even worse financial position.
Plus.. wtf are
databases that take weeks to just read
I've worked with databases very much larger than Equifax and they tak
Re: (Score:2)
Read doesn't mean one query. That comeback tells me - and anyone who knows anything, you're the one who doesn't get it.
These guys have data on everyone in the financial system, worldwide - you're off by ~ factor billion. A billion seconds is...work it out.
There are constantly errors people bitch about. Have you ever tried to get one fixed? Do you think they fix the ones no one even bitches about?
Ever rebuilt a raid array with 10 tb drives? Thousands of
Re: (Score:2)
Name one larger than Equifax or OPM, dare ya,
What, like Google or Facebook?
Shit, even in the same industry as Equifax there's the rather larger Experian.
Read doesn't mean one query. That comeback tells me - and anyone who knows anything, you're the one who doesn't get it.
Databases are transactional. Data that isn't read is irrelevant, and transactional reads are trivial.
These guys have data on everyone in the financial system, worldwide -
No, they don't. They have good coverage in the US and the UK, poor to reasonable coverage elsewhere and no coverage at all in many countries.
you're off by ~ factor billion. A billion seconds is...work it out.
No, I just understand how these systems work.
There are constantly errors people bitch about.
With that much data, from so many sources, of such variable quality, of course there are errors. This isn't exactly a
Much, much cheaper than having done anything (Score:2)
That way, the CISO with the master's in music makes perfect sense. Obviously, if you are large enough, it is much, much cheaper to just hope you do not get attacked too often than actually invest anything into security.
Now, if that had been 500,000 pounds per customer data set stolen, that would have been something else.
Maximum Possible Penalty (Score:3)
If it was per person, it would be better.
As a total, it's embarrassing.
European Localization (Score:4, Funny)
the fine is only 500,000 Pound (roughly $6,62,000)
Damn, I will never get used to the way the Europeans use commas and decimal points.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Wait?! You have a working £ symbol in your post.
Did Slashdot fix it or are you using something other than 'Plain Old Text' as your comment format?
Re: (Score:2)
Wait?! You have a working £ symbol in your post.
Did Slashdot fix it or are you using something other than 'Plain Old Text' as your comment format?
You need to use the unicode format of:
and you get £
Slashdot hasn't updated it, they never will and that's how we like it.
Credit bureaus should be illegal (Score:2)
The only people that *actually* benefit from credit bureaus are the banks and other lenders that use them. Consumers don't actually benefit at all. Contrary to the popular narrative, there is no need for credit bureaus in order for lenders to make decisions about extending credit. They did just fine making those decisions before the credit bureaus existed. It just meant they had to actually do the leg work to verify information on credit applications. You know, by making a few phone calls or checking their
Rich People DGAF about this (Score:2)
"maximum" penalty (Score:2)
The Maximum penalty would be dissolution of the company. The maximum penalty the UK could probably make happen is they are no longer allowed to operate in the UK in any capacity.
IMO, a breach like this means they have demonstrated they cannot be trusted with private data, and should no longer be allowed to store private data.
The other question everyone should be asking is: How did they get this private data? I sure as hell didn't give them permission to have it. (I know, likely hidden away in the TOS of cre
Re: (Score:2)
The maximum penalty the UK could probably make happen is they are no longer allowed to operate in the UK in any capacity.
That would be highly damaging to the UK economy - substantial impact across the financial sector, knock-on impacts across retail, and also remove a key competitor within Equifax's own market.
Long before Equifax reached a position where dissolution (or banning) was considered they'd have had their operations brought forcibly under third party control.
a breach like this means they have demonstrated they cannot be trusted with private data
No, it demonstrated that they couldn't be trusted. The FCA can (and will) demand evidence that they can now be trusted, and have a range of sanctions available
Remember kids - GDPR is evil socialism (Score:2)
This is the kind of behaviour that GDPR is for. Not for harassing small traders but real punishment for significant failings from corporations that see these pitiful fines as just a business expense.