Slashdot Mirror

← Back to Stories (view on slashdot.org)

One Year After Data Breach, Equifax Goes Unpunished (boingboing.net)

Posted by EditorDavid on from the unhappy-anniversaries dept.

"It's been a year since Equifax doxed the nation of America through carelessness, deception and greed, lying about it and stalling while the problem got worse and worse," writes Cory Doctorow. Equifax's new CSO says they've spent over $200 million on security upgrades, in work being overseen by auditor from eight different states. An anonymous reader quotes Doctorow's response: This all sounds very good and all, but it's still monumentally unfair. The penalty for Equifax's recklessness should have been the corporate death penalty: charter revoked, company shut down, assets sold to competitors... The fact that Equifax's investors and execs kept all the money they made by risking all America with shoddy security, and that no one went to jail for a monumental act of corporate recklessness, is a moral hazard, virtually guaranteeing that Equifax's competitors will not take the care they owe to the people on whom they have amassed nonconsensual, potentially life-destroying dossiers.
Equifax's CEO and several top officials did leave the company, notes Government Technology -- but that's about it. Thus far, no financial punishment has been imposed on Equifax itself. Despite contentious hearings, no Congressional action has been taken. A few months later, the Consumer Financial Protection Bureau tabled action against the company. And while the Federal Trade Commission said it opened an investigation into the Equifax breach in September, the agency has since named as chief of its consumer protection division a lawyer who has represented Equifax. This past week, Equifax asked a federal judge to reject the claims from 46 banks and credit unions for payment of damages because of the massive data breach. The companies claimed that Equifax owes them for all the costs they incurred protecting data after the breach was revealed, costs that could easily run into many millions of dollars....

Equifax had revenue of $876.9 million during the second quarter of 2018, up 2 percent from the same quarter of last year, officials said.

8 of 88 comments (clear)

  1. GDPR and credit agencies by BellyJelly · · Score: 5, Interesting

    As a European, and with GDPR in force, can I demand that Equifax delete all the data they hold on me?

    1. Re:GDPR and credit agencies by raburton · · Score: 3, Interesting

      Yes, but you'll never be able to get a mortgage, loan, new mobile phone contract, insurance, etc. again.

    2. Re:GDPR and credit agencies by Presence+Eternal · · Score: 5, Informative

      What one might do is freeze their credit with Equifax, and only Equifax. That would prevent them from profiting off of you. If a creditor wants to check you, they can use Experian or TransUnion. If the creditor demands Equifax, then you have a choice to make.

    3. Re:GDPR and credit agencies by Anonymous Coward · · Score: 5, Interesting

      It'll still depend somewhat on national implementation of GDPR quite how many rights you have in this area, as some countries tend to gold-plate the legislation.

      I work for a CRA, and we've put a substantial amount of effort into ensuring GDPR compliance, what scares me the most though is that the corporate attitude was to get us compliant at all costs, but that our client's compliance was their own problem. I disagreed with this, I believe we had an obligation to at least let them know what they needed to do to be compliant with our software. It irks me that we're compliant but we knowingly allow clients to use the data in a non-compliant way.

      So make no mistake, here in my country a large number of financial services organisations are currently NOT compliant.

      To be clear though, CRAs have always had exceptions under data protection law, much as with law enforcement. This is because they tend to support anti-crime activities such as fraud prevention and detection and use their data for those purposes. It's a tough one because you could argue private companies shouldn't do this and such anti-fraud measures should be publicly run, but let's be clear, this is one area where free market competition is a good thing - having companies play each other off at providing better and better fraud prevention and detection is far better than the stagnation you'd get from a publicly run version.

      Mostly you don't have a contract with a CRA though, typically you interact with them indirectly through your credit card provider, mortgage provider, and so on and so forth. Where you do have rights under GDPR is with these guys - you can demand they cease processing your data, you can demand to see what information they have on you, and so on and so forth. That only extends to the point of provisioning a service to you however, you cannot for example demand a credit card supplier delete all data on you if you still owe them for credit card debt. You can also request that financial services organisations don't send your data to a credit reference agency, and that they don't run a credit check on you, but they may simply refuse to accept you as a client in this case.

      The biggest benefit of GDPR IMO is in breach reporting - it's now a legal obligation to let you know if your data has been stolen, this means Equifax's handling of this breach would now be outright illegal under GDPR, because they not only didn't let people know, but kept it secret for a while. GDPR requires that you inform affected people as soon as you're aware of a breach - if you don't know which of your customers explicitly were affected you have to notify the minimal possible pool that could potentially have been affected, which might be your entire client base if you don't have sufficient auditing.

      So mostly you're not going to get much more ammo against CRA's with GDPR, but it does at least enforce much higher standards on us, which IMO is a good thing. I know we're widely hated as organisations, but some of us working in such agencies do at least have morals and do our best to keep these organisations as honest as we can - I have refused to allow my team to implement certain things because I've found them to be morally reprehensible on a number of occasions. Similarly I've written extensive documents detailing ethical, and sometimes legal problems surrounding existing software and passed it upto the directors to get the product killed, as when made aware of such issues they can't practically continue provisioning said software. You may question why I'm still even employed there given the problems I cause, but in a strange way even the directors accept when called out on bad stuff that I'm only keeping them honest in the way they publicly profess the organisation to be, I get a strange type of respect for helping keep the corner of the company I'm in charge of development for true to it's publicly professed ideals - a kind of love/hate relationship. Make no mistake, I don't buy the bullshit the companies spreads about how we're a public good, but I do at least do my bit to try and keep at least the CRA I work for firmly on the right side of the grey lines, I suspect if I didn't, we'd be just like Equifax showed itself to be.

  2. Shareholders by fluffernutter · · Score: 5, Insightful

    I laugh when the shareholders say, "but what about me?". Possibly the biggest motivation to keep companies honest is to hurt the shareholders. We should be expecting people to consider the moral standing of companies they invest in and let them hurt when they have supported a company that will do something like this.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  3. vs Facebook by Anonymous Coward · · Score: 5, Interesting

    Fuckers in congress cared more about the Facebook fiasco - and that was their business model. People signed up for FB. No one signed up for Equifax. They collected and lost our data, but no one gave a flying fuck.

  4. Not News by Sydin · · Score: 5, Interesting

    Corporations haven't been accountable for anything in this country for years, because those in power (yes, Democrats AND Republicans) are in their pockets. If you want to see what happens when Government actually tries to strike back at corporations with these assholes in power, look no further than the CFPB, which has had its power castrated and is currently in the process of being de facto dismantled because it ruffled too many powerful feathers by actually punishing a company (Wells Fargo) for breaking the law.

    What would have been news is if Equifax or its top brass received any actual meaningful punishment.

  5. Good question. The answer is by raymorris · · Score: 4, Insightful

    You bring up some good questions. With a little investigation, you can discover that the CEO did not order the network security tech "be careless about how you configure the zones on the ASA". The CEO doesn't know what an ASA is, and the tech has never met the CEO. So it gets rather complicated.

    When there is a specific law related to an overt act, such as dumping toxic waste somewhere, you may be able to follow the chain of command and figure out who knew what and who authorized what. The problem at Equifax was mostly not be careful on general. There was no one item that they did or failed to do which caused the breach. Their security just generally sucked all around, they were sloppy. Notice "they" is plural. Even if they had updated the application that was actually used in the breach, the bad guys would have just used one of their other security holes. Anyway, no boss sent out a memo saying "be sure to be sloppy about updating software".

    So I don't think you can pin this on one person, or a few people. What you CAN do is identify who profited from their decision to be sloppy, to not invest in security. That would the shareholders. They can be penalized by taking the money that they inappropriately got by failing to pay for proper security, and perhaps more. The way you get money back from the shareholders is by fining the company.