Slashdot Mirror


Equifax Lobbied For Easier Regulation Before Data Breach (wsj.com)

WSJ reports: Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

28 of 104 comments

  1. They knew by Calydor · · Score: 5, Insightful

    They knew about the breach when they started lobbying for that. LONG before the poor schmucks were allowed to know about it.

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:They knew by PolygamousRanchKid+ · · Score: 2

      They knew about the breach when they started lobbying for that.

      How do we even know if this was a "breach" at all . . . ? Maybe some folks at Equifax were just following the Facebook and Google business model, and were just selling "information services" on the side . . . ?

      Hey, the old, time-tested methods work best: You want something? Bribe or blackmail someone. It works all the time.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:They knew by HiThere · · Score: 2

      No. We can claim that they did not prevent the breach, but they may well have delayed it or made it more difficult.

      That said, they clearly don't suffice. The executives and management should be held personally responsible for the time, effort, and financial damages that this breach caused to every single individual affected, including only those who had to spend time figuring out how to try to deal with it. At a reasonable hourly rate, say the average hourly rate of the corporation management (figured from their salary and their nominal working time).

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:They knew by MickyTheIdiot · · Score: 5, Insightful

      The corporate death penalty, i.e. the loss of charter, needs to be a thing. The possibility of all the stock becoming worthless would be a great tool in getting corporations to actually follow the law.

      However since we have a congress that is OWNED by corporations there isn't a way for it to happen.

    4. Re:They knew by MickyTheIdiot · · Score: 5, Insightful

      The executives and management should be held personally responsible

      Though I agree in this case, this is a dangerous line of thinking — not entirely unlike blaming a rape victim for wearing too short a skirt...

      This is the worst simile I have EVER seen on Slashdot. That's saying a lot.

      The corporate CxOs are NOT the victim in this scenario. The corporate worshipers on /. and the Internet love to tell us that the executives deserve huge pay packets because they are responsible. However in *every case* when something happens that hurts thousands of people they always don't know what happened. Executives hold responsibility and deserve what they are paid or they don't know what is going on and they are overpaid. You can't have it both ways.

      The CxOs were the benefactors of the malfeasance. Calling them rape victims is idiotic.

    5. Re:They knew by muecksteiner · · Score: 2

      You would be surprised how fast people start to care a lot more about the performance and character of the CxOs of the companies they have in their 401k accounts once a total, sudden loss due to criminal activity on part of said CxOs becomes a reality.

  2. cyberattack? by Anonymous Coward · · Score: 4, Insightful

    Equifax disclosed the cyberattack

    Welcome to the age of "cyber war", where every crap system connected to the internet can hide under the umbrella of an "attack" rather than face the consequences of a complete disregard for properly designed information security.

  3. This will be proof that fewer regs are needed by sandbagger · · Score: 4, Insightful

    If only they could have been freed from the yoke of these onerous, confusing regulations, this never would have happened!

    --
    ---- The above post was generated by the Turing Institute. Maybe.
    1. Re:This will be proof that fewer regs are needed by 140Mandak262Jamuna · · Score: 2

      Don't forget "job killing". Every focus group research done by them has shown the value of that adjective. Always say job killing.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. Just think... by Gravis+Zero · · Score: 4, Insightful

    Your data wouldn't have been given to criminals if they had invested that $500K in security.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Just think... by fustakrakich · · Score: 2

      Sorry, but they are the criminals. What they call a "breach", I would call a sale. Why should we believe this was an accident?

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Just think... by markdavis · · Score: 5, Insightful

      >"Your data wouldn't have been given to criminals if they had invested that $500K in security."

      Actually, according to the summary, they spent at least $2.6 MILLION dollars in just the last 2.75 years, alone. Imagine how much that money COULD have done if they had used it to hire a few good security engineers and made meaningful changes.

    3. Re:Just think... by CaptainDork · · Score: 2

      Well said.

      Security will not be a historical subject until after serious litigation.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Just think... by tlhIngan · · Score: 4, Interesting

      Actually, according to the summary, they spent at least $2.6 MILLION dollars in just the last 2.75 years, alone. Imagine how much that money COULD have done if they had used it to hire a few good security engineers and made meaningful changes.

      You guys are looking at it the wrong way. You're looking at it as a victim, you should look at it as what it brought them.

      With this one breach, that $2.6M is now completely wasted - in fact, it's even worse since it's now achieving the opposite effect - instead of trying to buy reduced scrutiny, their failure to spend on security is working against their campaigning. Even worse, it's brought government scrutiny on all the credit reporting agencies, with increased regulation likely the result.

      By failing to spend on security, Equifax has basically made life in their industry much harder for everyone. Experian and TransUnion should be applying peer pressure for making it much more expensive to do business now, because any law that comes down, any scrutiny that happens will apply equally to all three of them.

      And financial institutions HATE government oversight. When "too big to fail" banks started having government oversight as required by their bailout packages, they couldn't get rid of them fast enough.

      That's how you're supposed to frame it. Protecting your data? You're not worth that much to them. But ensuring their future is free of government oversight and extra regulation? That's something that does affect them directly and the cost of doing business.

  5. Re:Investment by Archangel+Michael · · Score: 3, Insightful

    Actually, the cost of doing business it is always cheaper for lawyers than just about anything else. Lawyers keep you out of Legal Danger (or at least are supposed to).

    And until the Corporate board and the CxOs and the Shareholders are held accountable, nothing will actually change.

    The only way to solve this problem is start charging the bigwigs at the top for criminal negligence of the corporate culture they foster. Followed by Corporate Death Penalty where the corporate charter is revoked. When shareholders are caught empty handed with nothing to show, they will DEMAND corporations uphold their due diligence and actually start protecting their data.

    Lastly, I would suggest that the default nature of Credit is keeping it in a frozen state. It should take extraordinary effort to open a credit account.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  6. Sounds familiar by smooth+wombat · · Score: 4, Insightful

    I clearly remember the banks and Wall Street firms lobbying Bush and Congress not to implement any new regulations back in 2006. Their words were, more or less, any new regulations would kill their competitive nature on the world market. Trust us, we know what we're doing.

    The following year we know what happened.

    Now here we are again, with a very similar situation. Regulations are evil! Don't kill us with regulations, bro!

    I can guarantee not a single executive at Equifax will go to jail or pay a fine. Further, every excuse imaginable will be given why requiring such breaches to be announced immediately should not be done.

    In a few years, this will happen again and everyone will look around and ask, "How did this happen?"

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Sounds familiar by Tablizer · · Score: 2

      The USA is mostly a bribocracy at the federal level, plain and simple. Both parties are culprits. If you don't kiss up to those who give campaign donations, you get less campaign money and lose elections. It's legalized political prostitution and Americans should be ashamed of such a system.

    2. Re:Sounds familiar by Required+Snark · · Score: 2

      The people who run our economy act like meth freaks with rabies where meth == money and rabies == corporate greed.

      Until there is a general understanding that big business is not a noble pursuit, but a socially sanctioned form of criminal activity, we will continue to suffer this kind of crap. The basic assumption should be that corporations always become corrupt and that the law exists to root out that corruption.

      There must be accountability for organizations and the people in charge of those organizations. This means if you are in the executive suite or the boardroom and the company commits crimes that you will end up in jail and penniless. Nothing short of that will have any impact. Investors must also be put at risk; if the company goes over the line they should lose their entire investment. That way they will keep an eagle eye on the management and keep them honest.

      Note that this is exactly the opposite of our current system. The people at the top of the corporate pyramid pay themselves vast sums of money while they take insane risks so they can gouge even more money. When it all goes sour they keep their fortunes and investors and taxpayers pick up the tab. All this occurs at the same time the same companies engage in international tax avoidance schemes that might as well be evil magic.

      Don't believe me? We are in a yet another bubble and the next crash will happen before 2020, and perhaps as early as next year. And like the last time corporate malfeasance will be the cause.

      --
      Why is Snark Required?
  7. Hangin's too good for 'em by Rick+Schumann · · Score: 5, Insightful

    You think maybe Equifax is exemplar of all the other credit reporting agencies? I think they might be. I think there needs to be some corporate nutsacks put on the congressional anvil, with liberal application of the judicial sledgehammer over this, to ALL of them. It's bad enough that jackass businesses like Facebook and Google and ISPs are invading our privacy, but companies like these credit reporting agencies MUST BE ABOVE REPROACH AT ALL TIMES OR THEY ARE WORSE THAN USELESS. It is totally, completely unacceptable that this happened at all and it has to STOP.

  8. regulation is always bad for business by Revek · · Score: 4, Insightful

    It's normally quite good for the public, though you couldn't convince them of that since they get their swill from big media.

    1. Re:regulation is always bad for business by HiThere · · Score: 4, Insightful

      It's normally good for the public until regulatory capture happens. Then it continues to be slightly less bad for the public...but often only slightly.

      Regulators need to be forbidden to accept payments from the groups they regulate not only while in office, but also after leaving. And that includes jobs.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  9. I have the same combination on my luggage! by xxxJonBoyxxx · · Score: 4, Interesting

    Until at least late 2016, there was this hardcoded into their mobile app (http://www.apkmonk.com/app/com.equifax/):

    UtilitiesHandler.java
                    static final String masterKey = "EqUiFaX2468";

    Not quite "1...1!...2....2!..." but it's pretty darn close.

    To be fair, I couldn't tell if it's actually ever used in the mobile app. It seems like the kind of intentionally stupid/obvious password-but-not-really-a-password string you'd leave hanging around in a file on the network if you were tuning your DLP. (The full Zip code of the company is 30309-2468 so the "plus 4" is probably where the ending came from.)

    1. Re:I have the same combination on my luggage! by Xyrus · · Score: 2

      It's all a plot. Cause a massive leak and that forces everyone to freeze their credit reports. Charge $60 a pop to lock and unlock them. Bam, instant profit.

      --
      ~X~
  10. My question about this mess is... by Stomper_Stoddard · · Score: 2

    They said this data breach took place from May through July. How exactly does one miss terabytes, possibly petabytes of data being transferred to an IP address outside of your network for 3 months? I mean to me this sounds like either the hackers were god like in their ability to hide what they were doing, or the people whose job it was to prevent these things from happening, simply didn't give a shit.

    1. Re:My question about this mess is... by Ol+Olsoc · · Score: 2

      They said this data breach took place from May through July. How exactly does one miss terabytes, possibly petabytes of data being transferred to an IP address outside of your network for 3 months? I mean to me this sounds like either the hackers were god like in their ability to hide what they were doing, or the people whose job it was to prevent these things from happening, simply didn't give a shit.

      Hiring people to monitor this stuff costs money, and why punish the shareholders with a cost center? This will all self correct anyhow, amirite?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  11. Re:Investment by MickyTheIdiot · · Score: 4, Insightful

    The constant whine about regulations when as a country we pretty much allow our large corporations to get away with anything is rather tiresome.

  12. Well duh! by Ol+Olsoc · · Score: 3, Funny

    Regulations are bad and regressive! Business always self polices itself better, and the invisible hand of the free market is never wrong, and always self correcting.

    If there were no regulations, this would never have happened, and we would all enjoy perfect internet security.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  13. Re:That just means they knew about the breach... by jafiwam · · Score: 2

    You are taking their word for when the breach started? LOLOLO ahaha ahaqhaa !! Aren't you cute.