Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
EU Privacy Security

Equifax Slapped With UK's Maximum Penalty Over 2017 Data Breach (techcrunch.com) 66

Credit rating giant Equifax has been issued with the maximum possible penalty by the UK's data protection agency for last year's massive data breach. From a report: Albeit, the fine is only 500,000 Pound (roughly $658,000) because the loss of customer data occurred when the UK's prior privacy regime was in force -- rather than the tough new data protection law, brought in via the EU's GDPR, which allows for maximum penalties of as much as 4% of a company's global turnover for the most serious data failures.

So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months -- thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers. Personal information that was lost or compromised in the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.

This discussion has been archived. No new comments can be posted.

Equifax Slapped With UK's Maximum Penalty Over 2017 Data Breach

Comments Filter:
  • Better solution (Score:5, Insightful)

    by nwaack ( 3482871 ) on Thursday September 20, 2018 @10:53AM (#57348616)
    Have the EU decree that Equifax can't do business in the EU anymore. Then they might actually realize just how insanely inexcusable their actions were.
    • by nwaack ( 3482871 )
      Sorry, meant to say UK, not EU. Don't want to get the Brexit-ers in a kerfuffle.
    • Comment removed based on user account deletion
    • by AmiMoJo ( 196126 )

      As much as I'd like to see that, there is a general principal in most legal systems that laws and punishments can't be retroactive. Otherwise governments would simply criminalize something you did perfectly legally yesterday and slap a hefty sentence on it.

      If the beech had been more recent then the GDPR rules would have applied, which would be a maximum of 4% of global turnover. I believe that would be around $135 million, still only a fraction of their $580 million net income.

      In Japan they have corporate j

  • Fine (Score:4, Funny)

    by Scutter ( 18425 ) on Thursday September 20, 2018 @10:57AM (#57348638) Journal

    Oh no! However will Equifax survive having to dip into the petty cash to pay a fine that's less than the lunch tab for yesterday's executive meeting about it?

  • by h4x0t ( 1245872 ) on Thursday September 20, 2018 @11:03AM (#57348686) Homepage
    4% of global annual revenue... what about considering the cost of the damage done?
    What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.
    • by ljw1004 ( 764174 )

      4% of global annual revenue... what about considering the cost of the damage done? What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.

      4% of global annual revenue would be $124m.

    • To be clear 4% of global revenue for Equifax is the equivalent of 25% of its entire yearly profit ($125m). I think you can trust the gut instinct that there is going to be almost no policies out there where the cost of implementation will be this much of a normally operating company's annual profit.

      • Have the EU decree that Equifax can't do business in the EU anymore. Then they might actually realize just how insanely inexcusable their actions were.

        4% of global revenue would probably get that point across.

      • by Cederic ( 9623 )

        there is going to be almost no policies out there where the cost of implementation will be this much of a normally operating company's annual profit

        Almost, but.. there is one.

        Implementing proper data security would easily wipe at one year's annual profit, and create an environment with run costs that could easily eat up that 25% every subsequent year.

        Securing that volume of data used in so many ways isn't cheap.

        • Implementing proper data security would easily wipe at one year's annual profit

          No. Paying some overpriced Accenture contractor and buying the resulting equipment needed from IBM will do that.

    • What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.

      Where I grew up, there was a fine for farmers irrigating county roads. Let's call it $500. The fine could only be applied once per year, and the cost of fixing their irrigation to not water the roads is, let's say, $10,000 (plus the additional maintenance).

      Don't fix it, just pay the fine.

    • Comment removed based on user account deletion
    • by AmiMoJo ( 196126 )

      There is a good case to be made for a more complete compensation package being legally mandated. At the moment individuals and companies affected have to claim from Equifax directly, i.e. sue them.

      It would be better to appoint an administrator, similar to when a company goes bankrupt, who will accept claims from those affected and pay out.

  • by AlanBDee ( 2261976 ) on Thursday September 20, 2018 @11:03AM (#57348690)

    I'm sure that between this and all the money they made from people locking their credit score and all the money they made from selling identity theft protection plans and their stock price (which has almost completely recovered) I'm sure their security is top notch now.

    Let this be a lesson to the rest of you companies who think you need to foolishly spend money on IT security.

    • by bobby ( 109046 )

      I'm not sure if you're being sarcastic or not. The way I see it reminds me of an analogy: in a town near me the local parking authority finally figured out that people were knowingly parking illegally because the fine was only $2 or $5 / day, and parking lots were $10 - $25. This UK fine is roughly the cost of 2 or 3 IT security employees, and with those employees there's still no guarantee of security. So they spend as little as possible on IT security, and take the risk of paying the relatively tiny fi

    • by AmiMoJo ( 196126 )

      In Europe you can see your credit report for free. There used to be a small charge allowed by law, but now I believe it's free EU wide. Certainly it is in the UK.

  • by DCFusor ( 1763438 ) on Thursday September 20, 2018 @11:12AM (#57348756) Homepage
    I'm a white hat, but damn, if I got access to a DB, I'd to a lot more interesting stuff - modify the records. The power inherent in a credit rating agency - or say, the OPM, means you can effectively make someone rich or poor, give them or take away a security clearance, or any of a long list of other "fun". Then and only then do any exfiltration without erasing logs, just to cover your tracks. The exfiltration simply complicates things so much it makes "following the money" impractical - which money?....
    .

    Ever notice how this possibility is never, ever mentioned? This dog ain't barking so loudly it's deafening. So, are both sides really that stupid, or is someone covering up something? I find the former hard to believe - once, maybe, but every single time this sort of thing happens?

    • by gweihir ( 88907 )

      They catch basically only the stupid ones, so the conclusions drawn from who gets caught are badly skewed.

      • Perhaps it's just the inverse of survivor bias, I'm not so sure. It's clear that there's a lot of dumb around. I recently reached retirement age, and to handle things like SS, I was encouraged to start a MySS account online. Heck, they were (and are) already sending me checks, a medicare card, all that.
        .

        Now, it turns out I cannot register such an account, I can't create a sign-in, it just barfs. So I called the contact number, and after waiting the requisite few hours, I had a gov employee tell me that

        • by Anonymous Coward

          You don't have a government. You have a council where corporate spokespeople present the laws their corporations have written, so the oligarchy of corporations can decide if that new regulation maximizes their own profit. And those who got overruled then bitch about "government regulation" and "lack of a free market". Like their goal isn't to regulate things their way... Only Master Pain ... err ... Betty, is missing. Darth Cheney is there though.
          Actually, you have two councils. One for the royalty (senate)

          • Thanks, been saying the same for years myself - but as the idea that we've been effectively Fascist for quite awhile now offends a lot of people, saying it as directly as you just did doesn't get it across well - the people who most need to hear it rage-quit reading before their worldview gets messed with - they want simple, to blame it on maybe one guy they think they can get rid of, not complex and deeply embedded and hard to solve...
            So I just drop hints...I think it works better.
            • by gweihir ( 88907 )

              Well. I agree to your points. While hinting at things may or may not work, saying them clearly does certainly not work. Personally, I have mostly given up on people and say what I think clearly now. Fortunately, not many even listen, so the risk for me is small. And yes, that one guy you could (maybe) get rid of is only a symptom. Actually getting rid of him would not solve anything.

    • Comment removed based on user account deletion
      • Yeah, I'm sure they conflict-check all the time, especially databases that take weeks to just read. And they never find discrepancies when they do that themselves, even in the absence of interference, overwhelm all ability to resolve....I'm not sure you understand the scale, here.
        • by Cederic ( 9623 )

          I'm not sure you understand anything here.

          This data you're changing.. it all belongs to people. They'll notice that it's wrong, especially if it negatively impacts them, and they'll demand correction.

          Then there are the regular data refreshes.

          As for making someone rich.. no. At best you could enable them to incur financial risk they're entirely unequipped to manage, resulting in them ending in an even worse financial position.

          Plus.. wtf are

          databases that take weeks to just read

          I've worked with databases very much larger than Equifax and they tak

          • Name one larger than Equifax or OPM, dare ya,
            Read doesn't mean one query. That comeback tells me - and anyone who knows anything, you're the one who doesn't get it.
            These guys have data on everyone in the financial system, worldwide - your'e off by ~ factor billion. A billion seconds is...work it out.
            There are constantly errors people bitch about. Have you ever tried to get one fixed? Do you think they fix the ones no one even bitches about?
            Ever rebuilt a raid array with 10 tb drives? Thousands of
            • by Cederic ( 9623 )

              Name one larger than Equifax or OPM, dare ya,

              What, like Google or Facebook?

              Shit, even in the same industry as Equifax there's the rather larger Experian.

              Read doesn't mean one query. That comeback tells me - and anyone who knows anything, you're the one who doesn't get it.

              Databases are transactional. Data that isn't read is irrelevant, and transactional reads are trivial.

              These guys have data on everyone in the financial system, worldwide -

              No, they don't. They have good coverage in the US and the UK, poor to reasonable coverage elsewhere and no coverage at all in many countries.

              your'e off by ~ factor billion. A billion seconds is...work it out.

              No, I just understand how these systems work.

              There are constantly errors people bitch about.

              With that much data, from so many sources, of such variable quality, of course there are errors. This isn't exactly a

  • That way, the CISO with the master's in music makes perfect sense. Obviously, if you are large enough, it is much, much cheaper to just hope you do not get attacked too often than actually invest anything into security.

    Now, if that hat been 500'000 pounds per customer data set stolen, that would have been something else.

  • by bobstreo ( 1320787 ) on Thursday September 20, 2018 @11:32AM (#57348934)

    If it was per person, it would be better.

    As a total, it's embarrassing.

  • by lazarus ( 2879 ) on Thursday September 20, 2018 @11:52AM (#57349052) Journal

    the fine is only 500,000 Pound (roughly $6,62,000)

    Damn, I will never get used to the way the Europeans use commas and decimal points.

    • No, that's just the editor. It should be $662,000
      • Yeah. I'd had written £500,000 as well because Pound is just too heavy.
        • by Cederic ( 9623 )

          Wait?! You have a working £ symbol in your post.

          Did Slashdot fix it or are you using something other than 'Plain Old Text' as your comment format?

          • by mjwx ( 966435 )

            Wait?! You have a working £ symbol in your post.

            Did Slashdot fix it or are you using something other than 'Plain Old Text' as your comment format?

            You need to use the unicode forma of:

            £

            and you get £

            Slashdot hasn't updated it, they never will and that's how we like it.

  • The only people that *actually* benefit from credit bureaus are the banks and other lenders that use them. Consumers don't actually benefit at all. Contrary to the popular narrative, there is no need for credit bureaus in order for lenders to make decisions about extending credit. They did just fine making those decisions before the credit bureaus existed. It just meant they had to actually do the leg work to verify information on credit applications. You know, by making a few phone calls or checking their

  • So long as Equifax keeps making money they don't give a fuck about the rest of us peons and our little bank accounts/identities/lives.
  • The Maximum penalty would be dissolution of the company. The maximum penalty the UK could probably make happen is they are no longer allowed to operate in the UK in any capacity.

    IMO, a breach like this means they have demonstrated they cannot be trusted with private data, and should no longer be allowed to store private data.

    The other question everyone should be asking is: How did they get this private data? I sure as hell didn't give them permission to have it. (I know, likely hidden away in the TOS of cre

    • by Cederic ( 9623 )

      The maximum penalty the UK could probably make happen is they are no longer allowed to operate in the UK in any capacity.

      That would be highly damaging to the UK economy - substantial impact across the financial sector, knock-on impacts across retail, and also remove a key competitor within Equifax's own market.

      Long before Equifax reached a position where dissolution (or banning) was considered they'd have had their operations brought forcibly under third party control.

      a breach like this means they have demonstrated they cannot be trusted with private data

      No, it demonstrated that they couldn't be trusted. The FCA can (and will) demand evidence that they can now be trusted, and have a range of sanctions available

  • This is the kind of behaviour that GDPR is for. Not for harassing small traders but real punishment for significant failings from corporations that see these pitiful fines as just a business expense.

You are always doing something marginal when the boss drops by your desk.

Working...