One Year After Data Breach, Equifax Goes Unpunished (boingboing.net)
"It's been a year since Equifax doxed the nation of America through carelessness, deception and greed, lying about it and stalling while the problem got worse and worse," writes Cory Doctorow. Equifax's new CSO says they've spent over $200 million on security upgrades, in work being overseen by auditors from eight different states. An anonymous reader quotes Doctorow's response:
This all sounds very good and all, but it's still monumentally unfair. The penalty for Equifax's recklessness should have been the corporate death penalty: charter revoked, company shut down, assets sold to competitors... The fact that Equifax's investors and execs kept all the money they made by risking all America with shoddy security, and that no one went to jail for a monumental act of corporate recklessness, is a moral hazard, virtually guaranteeing that Equifax's competitors will not take the care they owe to the people on whom they have amassed nonconsensual, potentially life-destroying dossiers.
Equifax's CEO and several top officials did leave the company, notes Government Technology -- but that's about it. Thus far, no financial punishment has been imposed on Equifax itself. Despite contentious hearings, no Congressional action has been taken. A few months later, the Consumer Financial Protection Bureau tabled action against the company. And while the Federal Trade Commission said it opened an investigation into the Equifax breach in September, the agency has since named as chief of its consumer protection division a lawyer who has represented Equifax. This past week, Equifax asked a federal judge to reject the claims from 46 banks and credit unions for payment of damages because of the massive data breach. The companies claimed that Equifax owes them for all the costs they incurred protecting data after the breach was revealed, costs that could easily run into many millions of dollars....
Equifax had revenue of $876.9 million during the second quarter of 2018, up 2 percent from the same quarter of last year, officials said.
As a European, and with GDPR in force, can I demand that Equifax delete all the data they hold on me?
Trump 2020
The penalty for Equifax's recklessness should have been the corporate death penalty: charter revoked, company shut down, assets sold to competitors
If this is truly a case of recklessness, lying and stalling, then it sounds like their reaction to the breach was a matter of policy or strategy set by upper management. So how come none of these guys are rotting in gaol?
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I laugh when the shareholders say, "but what about me?". Possibly the biggest motivation to keep companies honest is to hurt the shareholders. We should be expecting people to consider the moral standing of companies they invest in and let them hurt when they have supported a company that will do something like this.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Fuckers in congress cared more about the Facebook fiasco - and that was their business model. People signed up for FB. No one signed up for Equifax. They collected and lost our data, but no one gave a flying fuck.
Corporations haven't been accountable for anything in this country for years, because those in power (yes, Democrats AND Republicans) are in their pockets. If you want to see what happens when Government actually tries to strike back at corporations with these assholes in power, look no further than the CFPB, which has had its power castrated and is currently in the process of being de facto dismantled because it ruffled too many powerful feathers by actually punishing a company (Wells Fargo) for breaking the law.
What would have been news is if Equifax or its top brass received any actual meaningful punishment.
Last I read there were at least a couple dozen class action lawsuits pending against Equifax. These sorts of things take time to process through the system and it's obviously not over or the end to litigation penalties for Equifax.
/sarcasm I mean, it's not like corporations bribe, er, lobby congress, right?
--
The Best thing about America: Capitalism
The Worst thing about America: Capitalism
One Year After Data Breach, Equifax Goes Unpunished
Stop referring to companies as if they were people. That is a false flag that the U.S. Supreme Court has waved for decades (by the way, Hobby Lobby is a person with a religion too).
Hold the executives individually responsible for the debacle. Throw their asses in prison for decades (which cannot be done to a corporation). The rest of the psychopaths running corporations will get the message and avoid making similar mistakes.
Ffs, don't listen to Boing Boing. That guy is a hack. He isn't honest, and he's just trying to piss you off.
The time it took to execute a freeze on their website?
> the U.S. Supreme Court has waved for decades
I think you mean centuries. The first business corporations were for road building and other government contracts in ancient Rome. An individual mason couldn't build a road, a baker couldn't feed the army. Together, a thousand craftsmen could bid to do these things. If the project was late, or there were quality problems, the corporation so established would be penalized for the poor performance, rather than trying to figure out which of the many workers caused the delay. If it was finished ahead of schedule, the contract could include a bonus for the bakers' corporation. If a road needed certain materials, the road building corporation could make a deal to buy 100 tons of pitch - you didn't need a single ultra-wealthy individual to personally buy enough material to build a road. The corporation meant ordinary workers, together, could do so. If there was a dispute with the pitch merchant, the merchant could bring an action against the corporation before the magistrate, rather than individually suing each of the 1,000 road workers.
> Throw their asses in prison for decades
Okay, which executives? How many decades should the head of accounting, the CFO, serve for the carelessness of some people in IT? The vice president of marketing? How about the head of HR? Penalizing the corporation, and thus the people who made money from it solves this issue.
--
The Best thing about America: Capitalism
The Worst thing about America: Capitalism
--
The Best thing about America: Capitalism
The Worst thing about America: Capitalists
FTFY
This is the TrumpVerse! Your days are long gone, socialist swine dogs.
We, the public affected by this breach, still have very little information on just what happened or by whom. We have a bit of "how" info, in articles like this, and this shows another penetration in Argentina. "online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”"
With megacorps spanning the world, no one country's data laws are doing shit to stop any of this. Megacorps will just move portals to the easiest country to operate in, and then obfuscate, confuse, and stall any inquiries while they furiously delete off-shore evidence because it's not strictly "illegal" for some separate, non-US company to do so. "the credit bureau took the whole thing offline shortly after being contacted by KrebsOnSecurity this afternoon". My bet is it's more than offline; or offline as in deleted and all servers and backups burned with thermite and dumped into the ocean.
The US government doesn't even consider any of this "Critical infrastructure". This isn't in the same league as these reports, so it's all left up to the "free hand of the market". This attack is affiliated with China and not Russia: "One tool used by the hackers, China Chopper, has a Chinese-language interface but is also in use outside China"
There have been lingering suspicions of internal bad actors in this. "The company hired Susan Mauldin, a former security chief at First Data, to run the global security team. Mauldin introduced herself to colleagues as a card-carrying member of the National Rifle Association, according to a person familiar with the changes." With the current probes pointing towards massive Russian money laundering into the GOP via the NRA, this is very bad. Also, "Overseeing technology for Equifax was David Webb, a Kellogg MBA and Russian-language major hired in 2010 from Silicon Valley Bank, where he had been chief operations officer."
Most frighteningly, this stolen info has STILL never shown up on the dark web. Looking at the Moloch data, there were two separate teams who spent quite some time on this. Obviously it is an APT, like Shell Crew, or such. This means government sponsored, someone had to pay for all of this and the info wasn't sold off for a profit. This is what happens when "unregulated industry" meets 21st century cyber economic warfare.
Regarding Wells Fargo...
Why haven't 100% of their customers transferred to some other bank or credit union? Vote with $$$, don't reward bad behaviour.
A reminder:
In Soviet America, [wells-fargo] stage coach robs you!!
All the big defense contractors (Lockheed, General Dynamics etc.) lost all the U.S. military secrets but no one was punished. Instead they howl about Snowden and Assange. They probably lost the secrets on purpose (war is more profitable than peace to them).
fellow /.ers. The free market will punish them any minute now. Yep. Any. Minute. Now.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
You bring up some good questions. With a little investigation, you can discover that the CEO did not order the network security tech "be careless about how you configure the zones on the ASA". The CEO doesn't know what an ASA is, and the tech has never met the CEO. So it gets rather complicated.
When there is a specific law related to an overt act, such as dumping toxic waste somewhere, you may be able to follow the chain of command and figure out who knew what and who authorized what. The problem at Equifax was mostly not being careful in general. There was no one item that they did or failed to do which caused the breach. Their security just generally sucked all around, they were sloppy. Notice "they" is plural. Even if they had updated the application that was actually used in the breach, the bad guys would have just used one of their other security holes. Anyway, no boss sent out a memo saying "be sure to be sloppy about updating software".
So I don't think you can pin this on one person, or a few people. What you CAN do is identify who profited from their decision to be sloppy, to not invest in security. That would be the shareholders. They can be penalized by taking the money that they inappropriately got by failing to pay for proper security, and perhaps more. The way you get money back from the shareholders is by fining the company.
Enron and Worldcom executives have been tried, convicted and jailed. Both companies are essentially gone due to government prosecution and their own corporate malfeasance. So your assertion that corporations have not been held accountable is blatantly false. There are many more examples than these two.
Why did you come here to lie, and why would others promote your false post to Information with a score of 5?
What about the customers and shareholders who have been screwed? Yeah, sure, the bosses went to jail (so what?!) the little people were screwed and have to suck it up.
Corps need to pay out damages - even if it means liquidation to make things right.
THEN and only THEN will corporate America take corporate malfeasance seriously. Otherwise, it's just a nuisance cost of doing business.
Far too many companies and their executives get passes on all the BS.
For example, did any executives do time for the deaths on the deepwater horizon? Nope.
3 companies paid out $54B, and several engineers were punished for hiding data because they were told from above to hide the data. No jail time for the murders of 11 ppl.
Now, we have companies like Equifax and many other large companies that are irresponsible in dealing with our data, and very little happens to them.
What is needed is a massive lawsuit against these companies AND the individuals that make the bad choices.
I prefer the "u" in honour as it seems to be missing these days.
That's a huge problem in the US: The corporation.
If a small business owner does something horrible that hurts, kills, or otherwise damages people, customers or not, that business owner will end up in jail.
Once that business gets a bit bigger, and becomes a corporation, the owners are now called "shareholders". In the US, "shareholders" of a corporation are not legally liable for anything the corporation does. That's the crux of the problem.
Ideally, all of the owners of a company should be just as liable as the single owner of a company. In the US, money is King, so that's never going to happen. Corporations can do whatever they want, with no legal repercussions, but individuals can't.
It's really fucked up, and it's the cause of so many problems in our society. That's why our government is for sale. That's why bribery is 100% legal at the highest levels of government. Make the individual owners of every company liable, and watch how fast companies of all kinds clean up their acts. I doubt that Equifax would have done what they did, if every one of their millions of owners was looking down the barrel of some serious jail time. Or, Equifax wouldn't have millions of owners in the first place.
I don't respond to AC's.
Only us plebeian nobody Poor could possibly be affected, so why should The Rich give a flying fuck about us? We can all go bankrupt and get our identities stolen so far as those cocksucking bastards are concerned, they don't have to care because all their shit was protected to the Nth degree. So rather than spank their other Rich buddies that run Equifax they just ignore the whole thing. Fuck them, sideways with a rusty chainsaw. It almost makes me wish Russian and Chinese hackers would crash the whole thing and destroy it, then while chaos ensues we can find these Equifax bastards and cut their gods-be-damned heads off.
You mean like Raymond Williams, Daryl Duncan, Penny Duncan, from U.S. Technology Corporation? And William Terry Wright, president of Explo? Those were last month. In May we had guys like Gavin Rexer, Dennis Paulhamus, Timothy Sweitzer, Joseph Powell, and John Joseph from Rockwater Northeast. This month it's Trey Glenn headed to prison.
Just what we need, more sue happy Americans.
Corporate criminals get rich and face no penalty. The average citizen gets screwed over. The US political system (both parties, remember Obama let off the Wall Street crooks during the 2008 Great Recession) is f'ed.
> Did the IT director ever put in a request for additional personnel, funding, or authorizations to address their poor security?
Equifax, throughout the company, had a culture of sloppy. It was sloppy before that IT director arrived. More people doesn't fix sloppy.
The CEO *tried* to blame one of the techs. That didn't go over so well.
Since when is a big corporation with $$$ punished? What world do you guys live in???
Do you want change??? Vote right next time and don't reelect those that are already there and not doing anything.
VW: US$2.8 billion criminal fine and US$1.5 billion in civil penalties + $15.3 billion for public and private civil actions + criminal charges + ...
Equifax: nothing
. . . in a free market. Check out BP's and Enron's historic stock prices for proof of this, trued up chronologically with the Horizon spill and the Lay / Skilling shred-fest, respectively. Of course, we bailed out the auto and financial industries and sent future generations the bill, but that's free market intervention.
That all the credit rating agencies have bunk data. It's why I froze all my info.
I think Americans at large would feel redeemed if we could have a list of home addresses of these top executives and investors, so we could pay them a "visit" and "discuss" our "opinions" with them.