Equifax Lobbied For Easier Regulation Before Data Breach

WSJ reports: Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

They knew

[Calydor]

They knew about the breach when they started lobbying for that. LONG before the poor schmucks were allowed to know about it.

Re:They knew

[MickyTheIdiot]

The corporate death penalty, i.e. the loss of charter, needs to be a thing. The possibility of all the stock becoming worthless would be a great tool in getting corporations to actually follow the law.

However since we have a congress that is OWNED by corporations there isn't a way for it to happen.

Re:They knew

[MickyTheIdiot]

The executives and management should be held personally responsible

Though I agree in this case, this is a dangerous line of thinking — not entirely unlike blaming a rape victim for wearing too short a skirt...

This is the worst simile I have EVER seen on Slashdot. That's saying a lot.

The corporate CxOs are NOT the victim in this scenario. The corporate worshipers on /. and the Internet love to tell us that the executives deserve huge pay packets because they are responsible. However in *every case* when something happens that hurts thousands of people they are always don't know what happened. Executives hold responsibility and deserve what they are paid or they don't know what is going on and they are overpaid. You can't have it both ways.

The CxOs were the benefactors of the malfeasance. Calling them rape victim is idiotic.

cyberattack?

Equifax disclosed the cyberattack

Welcome to the age of "cyber war", where every crap system connected to the internet can hide under the umbrella of an "attack" rather than face the consequences of a complete disregard for properly designed information security.

This will be proof that fewer regs are needed

[sandbagger]

If only they could have been freed from the yoke of these onerous, confusing regulations, this never would have happened!

Just think...

[Gravis+Zero]

Your data wouldn't have been given to criminals if they had invested that $500K in security.

Re:Just think...

[markdavis]

>"Your data wouldn't have been given to criminals if they had invested that $500K in security."

Actually, according to the summary, they spent at least $2.6 MILLION dollars in just the last 2.75 years, alone. Imagine how much that money COULD have done if they had used it to hire a few good security engineers and made meaningful changes.

Re:Just think...

[tlhIngan]

Actually, according to the summary, they spent at least $2.6 MILLION dollars in just the last 2.75 years, alone. Imagine how much that money COULD have done if they had used it to hire a few good security engineers and made meaningful changes.

You guys are looking at it the wrong way. You're looking at it as a victim, you should look at it as what it brought them.

With this one breach, that $2.6M is now completely wasted - in fact, it's even worse since it's now achieving the opposite effect - instead of trying to buy reduced scrutiny, their failure to spend on security is working against their campaigning. Even worse, it's brought government scrutiny on all the credit reporting agencies, with increased regulation likely the result.

By failing to spend on security, Equifax has basically made life in their industry much harder for everyone. Ezperian and TransUnion should be applying peer pressure for making it much more expensive to do business now.because any law that comes down, any scrutiny that happens will apply equally to all three of them.

And financial institutions HATE government oversight.; When "too big to fail" banks started having government oversight as required by their bailout packages, they couldn't get rid of them fast enough.

That's how you're supposed to frame it. Protecting your data? You're not worth that much to them. But ensuring their future is free of government oversight and extra regulation? That's something that does affect them directly and the cost of doing business

Sounds familiar

[smooth+wombat]

I clearly remember the banks and Wall Street firms lobbying Bush and Congress not to implement any new regulations back in 2006. Their words were, more or less, any new regulations would kill their competitive nature on the world market. Trust us, we know what we're doing.

The following year we know what happened.

Now here we are again, with a very similar situation. Regulations are evil! Don't kill us with regulations, bro!

I can guarantee not a single executive at Equifax will go to jail or pay a fine. Further, every excuse imaginable will be given why requiring such breaches to be announced immediately should not be done.

In a few years, this will happen again and everyone will look around and ask, "How did this happen?"

Hangin's too good for 'em

[Rick+Schumann]

You think maybe Equifax is exemplar of all the other credit reporting agencies? I think they might be. I think there needs to be some corporate nutsacks put on the congressional anvil, with liberal application of the judicial sledgehammer over this, to ALL of them. It's bad enough that jackass businesses like Facebook and Google and ISPs are invading our privacy, but companies like these credit reporting agencies MUST BE ABOVE REPROACH AT ALL TIMES OR THEY ARE WORSE THAN USELESS. It is totally, completely unacceptable that this happened at all and it has to STOP.

regulation is always bad for business

[Revek]

Its normally quite good for the public, though you couldn't convince them of that since they get their swill from big media.

Re:regulation is always bad for business

[HiThere]

It's normally good for the public until regulatory capture happens. Then it continues to be slightly less bad for the public...but often only slightly.

Regulators need to be forbidden to accept payments from the groups they regulate not only while in office, but also after leaving. And that includes jobs.

I have the same combination on my luggage!

[xxxJonBoyxxx]

Until at least late 2016, there was this hardcoded into their mobile app (http://www.apkmonk.com/app/com.equifax/):

UtilitiesHandler.java
                static final String masterKey = "EqUiFaX2468";

Not quite "1...1!...2....2!..." but it's pretty darn close.

To be fair, I couldn't tell if it's actually ever used in the mobile app. It seems like the kind of intentionally stupid/obvious password-but-not-really-a-password string you'd leave hanging around in a file on the network if you were tuning your DLP. (The full Zip code of the company is 30309-2468 so the "plus 4" is probably where the ending came from.)

Re:Investment

[MickyTheIdiot]

The constant whine about regulations when as a country we pretty much allow our large corporations to get away with anything is rather tiresome.