One Year After Data Breach, Equifax Goes Unpunished

"It's been a year since Equifax doxed the nation of America through carelessness, deception and greed, lying about it and stalling while the problem got worse and worse," writes Cory Doctorow. Equifax's new CSO says they've spent over $200 million on security upgrades, in work being overseen by auditor from eight different states. An anonymous reader quotes Doctorow's response: This all sounds very good and all, but it's still monumentally unfair. The penalty for Equifax's recklessness should have been the corporate death penalty: charter revoked, company shut down, assets sold to competitors... The fact that Equifax's investors and execs kept all the money they made by risking all America with shoddy security, and that no one went to jail for a monumental act of corporate recklessness, is a moral hazard, virtually guaranteeing that Equifax's competitors will not take the care they owe to the people on whom they have amassed nonconsensual, potentially life-destroying dossiers.
Equifax's CEO and several top officials did leave the company, notes Government Technology -- but that's about it. Thus far, no financial punishment has been imposed on Equifax itself. Despite contentious hearings, no Congressional action has been taken. A few months later, the Consumer Financial Protection Bureau tabled action against the company. And while the Federal Trade Commission said it opened an investigation into the Equifax breach in September, the agency has since named as chief of its consumer protection division a lawyer who has represented Equifax. This past week, Equifax asked a federal judge to reject the claims from 46 banks and credit unions for payment of damages because of the massive data breach. The companies claimed that Equifax owes them for all the costs they incurred protecting data after the breach was revealed, costs that could easily run into many millions of dollars....

Equifax had revenue of $876.9 million during the second quarter of 2018, up 2 percent from the same quarter of last year, officials said.

GDPR and credit agencies

[BellyJelly]

As a European, and with GDPR in force, can I demand that Equifax delete all the data they hold on me?

Re:GDPR and credit agencies

[raburton]

Yes, but you'll never be able to get a mortgage, loan, new mobile phone contract, insurance, etc. again.

Re:GDPR and credit agencies

[Presence+Eternal]

What one might do is freeze their credit with Equifax, and only Equifax. That would prevent them from profiting off of you. If a creditor wants to check you, they can use Experian or TransUnion. If the creditor demands Equifax, then you have a choice to make.

Re:GDPR and credit agencies

It'll still depend somewhat on national implementation of GDPR quite how many rights you have in this area, as some countries tend to gold-plate the legislation.

I work for a CRA, and we've put a substantial amount of effort into ensuring GDPR compliance, what scares me the most though is that the corporate attitude was to get us compliant at all costs, but that our client's compliance was their own problem. I disagreed with this, I believe we had an obligation to at least let them know what they needed to do to be compliant with our software. It irks me that we're compliant but we knowingly allow clients to use the data in a non-compliant way.

So make no mistake, here in my country a large number of financial services organisations are currently NOT compliant.

To be clear though, CRAs have always had exceptions under data protection law, much as with law enforcement. This is because they tend to support anti-crime activities such as fraud prevention and detection and use their data for those purposes. It's a tough one because you could argue private companies shouldn't do this and such anti-fraud measures should be publicly run, but let's be clear, this is one area where free market competition is a good thing - having companies play each other off at providing better and better fraud prevention and detection is far better than the stagnation you'd get from a publicly run version.

Mostly you don't have a contract with a CRA though, typically you interact with them indirectly through your credit card provider, mortgage provider, and so on and so forth. Where you do have rights under GDPR is with these guys - you can demand they cease processing your data, you can demand to see what information they have on you, and so on and so forth. That only extends to the point of provisioning a service to you however, you cannot for example demand a credit card supplier delete all data on you if you still owe them for credit card debt. You can also request that financial services organisations don't send your data to a credit reference agency, and that they don't run a credit check on you, but they may simply refuse to accept you as a client in this case.

The biggest benefit of GDPR IMO is in breach reporting - it's now a legal obligation to let you know if your data has been stolen, this means Equifax's handling of this breach would now be outright illegal under GDPR, because they not only didn't let people know, but kept it secret for a while. GDPR requires that you inform affected people as soon as you're aware of a breach - if you don't know which of your customers explicitly were affected you have to notify the minimal possible pool that could potentially have been affected, which might be your entire client base if you don't have sufficient auditing.

So mostly you're not going to get much more ammo against CRA's with GDPR, but it does at least enforce much higher standards on us, which IMO is a good thing. I know we're widely hated as organisations, but some of us working in such agencies do at least have morals and do our best to keep these organisations as honest as we can - I have refused to allow my team to implement certain things because I've found them to be morally reprehensible on a number of occasions. Similarly I've written extensive documents detailing ethical, and sometimes legal problems surrounding existing software and passed it upto the directors to get the product killed, as when made aware of such issues they can't practically continue provisioning said software. You may question why I'm still even employed there given the problems I cause, but in a strange way even the directors accept when called out on bad stuff that I'm only keeping them honest in the way they publicly profess the organisation to be, I get a strange type of respect for helping keep the corner of the company I'm in charge of development for true to it's publicly professed ideals - a kind of love/hate relationship. Make no mistake, I don't buy the bullshit the companies spreads about how we're a public good, but I do at least do my bit to try and keep at least the CRA I work for firmly on the right side of the grey lines, I suspect if I didn't, we'd be just like Equifax showed itself to be.

Penalties

[JaredOfEuropa]

The penalty for Equifax's recklessness should have been the corporate death penalty: charter revoked, company shut down, assets sold to competitors

If this is truly a case of recklessness, lying and stalling, then it sounds like their reaction to the breach was a matter of policy or strategy set by upper management. So how come none of these guys are rotting in gaol?

Re:Penalties

[msauve]

"So how come none of these guys are rotting in gaol?"

They're rotting in Gaul. Somewhere near St. Tropez.

Shareholders

[fluffernutter]

I laugh when the shareholders say, "but what about me?". Possibly the biggest motivation to keep companies honest is to hurt the shareholders. We should be expecting people to consider the moral standing of companies they invest in and let them hurt when they have supported a company that will do something like this.

Re:Shareholders

[fluffernutter]

Simple, penalties need to be high enough to affect stock performance. Let everything else take care of itself.

vs Facebook

Fuckers in congress cared more about the Facebook fiasco - and that was their business model. People signed up for FB. No one signed up for Equifax. They collected and lost our data, but no one gave a flying fuck.

Not News

[Sydin]

Corporations haven't been accountable for anything in this country for years, because those in power (yes, Democrats AND Republicans) are in their pockets. If you want to see what happens when Government actually tries to strike back at corporations with these assholes in power, look no further than the CFPB, which has had its power castrated and is currently in the process of being de facto dismantled because it ruffled too many powerful feathers by actually punishing a company (Wells Fargo) for breaking the law.

What would have been news is if Equifax or its top brass received any actual meaningful punishment.

Re:Not News

Enron and Worldcom executives have been tried, convicted and jailed. Both companies are essentially gone due to government prosecution and their own corporate malfeasance. So your assertion that corporations have not been held accountable is blatantly false. There are many more examples than these two.

Why did you come here to lie, and why would others promote your false post to Information with a score of 5?

Re:Not News

Exactly this. You'd think it is the one area where genuine liberals and conservatives can get along because whenever I listen to reasonable people on either side talking in the absence of the other they all say similar things. Both are very concerned about corporate power and corporate accountability.

The problem is that the controlling interests in both major parties are not and have not been in line with the people on this one for a very long time. Bill Clinton completed the corporate takeover of the Democratic party when he was in office, quite deliberately, and the Republican party has been owned by large corporate interests for longer than that. You can see the disagreement between the people and the parties in the way the Democrats deliberately and a lot would say illegally sabotaged the Bernie Sanders campaign, and in the way people on the other side elected Donald Trump. (Quick aside to those who don't pay attention: Trump is no anti-corporate crusader, but at least he's not afraid to call out wrongdoers and he is genuinely and vehemently disliked by the Republican party leadership--as are most of his supporters, and the feeling is very mutual.) One thing I said about the primaries was that Bernie and Donald both had very different solutions to our economic issues, but they both correctly and surprisingly identified the causes of the problems. Simply identifying the problem and calling out corporate corruption was an act of blasphemy completely beyond anybody else on either side in that race.

Conservatives in particular ought not to be corporate apologists. Large corporations are not the embodiment of capitalism, they are its antithesis. They seek to minimize and end competition and to control and manipulate markets, not to compete in them. Conservatives believe in adhering to the founding principles of this country but a lot of those principles are never really taught properly. The founders knew how to deal with corporations: in their day, corporations could only be founded for limited periods of time, and for a single purpose (no conglomerates). At the end of that time the corporation was dissolved and the proceeds distributed to the shareholders. If a corporation was found not to be acting in the public interest, the corporate death penalty was very real. THAT is how the founders governed corporations and monied interests, it's why the US didn't produce its first millionaire-equivalent for several decades after the founding of this nation, and frankly it's one reason the founders are quite misunderstood today: they owned houses and land that today you'd have to be extremely rich to afford and yet back then were residences and enterprises of people who were for the most part upper middle class in their society.

The founders were also protectionists and the notion of free unfettered corporate driven trade would have been absurd to them: the British forbade the manufacture of lots of finished goods and things like fine clothing in the colonies. When George Washington was elected President the first thing he did was send his measurements to a tailor in New York, said tailor being one of the only makers of fine clothing we had at the time. He was NOT going to be sworn in wearing British-made formalwear. Two of the very first actions of the very first Congress would draw screams and temper tantrums from today's Republican leaders: they voted funds to help the poor in the nation's capital, and they put in place a framework of tariffs designed to protect American industry and encourage manufacturing of key necessary things in this country. That framework funded most of the federal government until World War I, and the tariff structure largely stayed in place until Jimmy Carter started and Ronald Reagan finished destroying it--a time period that of course coincided with serious advances in corporate power and serious declines in manufacturing and our standard of living. Isn't bi-partisan cooperation wonderful?

When the Hoover Dam was constructed, 7 different companies

Re:Not News

[mschwanke97402]

Corporations haven't been accountable for anything in this country for years, because those in power (yes, Democrats AND Republicans) are in their pockets. If you want to see what happens when Government actually tries to strike back at corporations with these assholes in power, look no further than the CFPB, which has had its power castrated and is currently in the process of being de facto dismantled because it ruffled too many powerful feathers by actually punishing a company (Wells Fargo) for breaking the law.

What would have been news is if Equifax or its top brass received any actual meaningful punishment.

Try to remember that it was Democrats that created the CFPB in the first place and Republicans that are dismantling it. Every time the Republicans get the White House they gut the regulatory agencies, from the EPA to the SEC. There are corrupt Democrats but establishment Republicans are the worst.

Re:Not News

You're delusional if you think the Democrats aren't equally complicit in propping up this crony capitalist system. Or are you going to pretend that financial companies weren't subsidized at taxpayer expense under Obama during the great recession? There's simply no difference. Neither party is going to effect change in this area.

But Americans love their football teams and political parties, I guess.

You mean centuries, since ancient Rome

[raymorris]

> the U.S. Supreme Court has waved for decades

I think you mean centuries. The first business corporations were for road building and other government contracts in ancient Rome. An individual mason couldn't build a road, a baker couldn't feed the army. Together, a thousand craftsmen could bid to do these things. If the project was late, or there were quality problems, the corporation so established would be penalized for the poor performance, rather than trying to figure out which of the many workers caused the delay. If it was finished ahead of schedule, the contract could include a bonus the bakers' corporation. If a road needed certain materials, the road building corporation could make a deal to buy 100 tons of pitch - you didn't need a single ultra-wealthy individual to personally buy enough material to build a road. The corporation meant ordinary workers, together, could do so. If there was a dispute with the pitch merchant, the merchant could bring an action against the corporation before the magistrate, rather than individually suing each of the 1,000 road workers.

> Throw their asses in prison for decades

Okay, which executives? How many decades should the head of accounting, the CFO, serve for the carelessness of some people in IT? The vice president of marketing? How about the head of HR? Penalizing the corporation, and thus the people who made money from it solves this issue.

Re:You mean centuries, since ancient Rome

[JaredOfEuropa]

Which, how long? Investigate. Was this done through carelessness or (as their subsequent actions seem to indicate) did they attempt to cover up their snafu? They discovered the breach but sat on it. Who signed off on that? And if you can't find those directly responsible, then jail or at least fine (out of their own personal fortunes) the nominally responsible persons in the boardroom. That's what "accountable" means.

Have no fear

[rsilvergun]

fellow /.ers. The free market will punish them any minute now. Yep. Any. Minute. Now.

Good question. The answer is

[raymorris]

You bring up some good questions. With a little investigation, you can discover that the CEO did not order the network security tech "be careless about how you configure the zones on the ASA". The CEO doesn't know what an ASA is, and the tech has never met the CEO. So it gets rather complicated.

When there is a specific law related to an overt act, such as dumping toxic waste somewhere, you may be able to follow the chain of command and figure out who knew what and who authorized what. The problem at Equifax was mostly not be careful on general. There was no one item that they did or failed to do which caused the breach. Their security just generally sucked all around, they were sloppy. Notice "they" is plural. Even if they had updated the application that was actually used in the breach, the bad guys would have just used one of their other security holes. Anyway, no boss sent out a memo saying "be sure to be sloppy about updating software".

So I don't think you can pin this on one person, or a few people. What you CAN do is identify who profited from their decision to be sloppy, to not invest in security. That would the shareholders. They can be penalized by taking the money that they inappropriately got by failing to pay for proper security, and perhaps more. The way you get money back from the shareholders is by fining the company.

Re:Good question. The answer is

[fafalone]

Did the IT director ever put in a request for additional personnel, funding, or authorizations to address their poor security? No, it's on him. Yes, it's on who denied it (ultimately, if it was passed up the chain) or didn't respond. Or if it was granted and not acted on, back to the IT director. Last option, the IT director was underqualified and couldn't have been expected to know they didn't have proper security, then it's on the person responsible for staffing that position.
Determining who had what responsibility is the whole point of investigations. Most of the time it winds up being crystal clear.

That's the corporate structure

[DogDude]

That's a huge problem in the US: The corporation.

If a small business owner does something horrible that hurts, kills, or otherwise damages people, customers or not, that business owner will end up in jail.

Once that business gets a bit bigger, and becomes a corporation, the owners are now called "shareholders". In the US, "shareholders" of a corporation are not legally liable for anything the corporation does. That's the crux of the problem

Ideally, all of the owners of a company should be just as liable as the single owner of a company. In the US, money is King, so that's never going to happen. Corporations can do whatever they want, with no legal repercussions, but individuals can't.

It's really fucked up, and it's the cause of so many problems in our society. That's why our government is for sale. That's why bribery is 100% legal at the highest levels of government. Make the individual owners of every company liable, and watch how fast companies of all kinds clean up their acts. I doubt that Equifax would have done what they did, if every one of their millions of owners was looking down the barrel of some serious jail time. Or, Equifax wouldn't have millions of owners in the first place.

Sure. Because The Rich weren't affected.

[Rick+Schumann]

Only us plebian nobody Poor could possibly be affected, so why should The Rich give a flying fuck about us? We can all go bankrupt and get our identities stolen so far as those cocksucking bastards are concerned, they don't have to care because all their shit was protected to the Nth degree. So rather than spank their other Rich buddies that run Equifax they just ignore the whole thing. Fuck them, sideways with a rusty chainsaw. It almost makes me wish Russian and Chinese hackers would crash the whole thing and destroy it, then while chaos ensues we can find these Equifax bastards and cut their gods-be-damned heads off.

How would MORE sloppy people help?

[raymorris]

> Did the IT director ever put in a request for additional personnel, funding, or authorizations to address their poor security?

Equifax, throughout the company, had a culture of sloppy. It was sloppy before that IT director arrived. More people doesn't fix sloppy.

The CEO *tried* to blame one of the techs. That didn't go over so well.