Two Lawmakers Urge FTC, CFPB To Keep Pressure On Equifax (techcrunch.com)
An anonymous reader quotes a report from TechCrunch about the little fallout Equifax has faced for one of the worst data breaches in U.S. history: The credit rating giant, one of the largest in the world, was trusted with some of the most sensitive data used by banks and financiers to determine who can be lent money. But the company failed to patch a web server it knew was vulnerable for months, which let hackers crash the servers and steal data on 147 million consumers. Names, addresses, Social Security numbers and more -- and millions more driver license and credit card numbers were stolen in the breach. Millions of British and Canadian nationals were also affected, sparking a global response to the breach. Yet, a year on from the devastating hack that left the company reeling from a breach of almost every American adult, the company has faced little to no action or repercussions.
"There was a failure of the company, but also of lawmakers," said Mark Warner, a Democratic senator, in a call with TechCrunch. Warner, who serves Virginia, was one of the first lawmakers to file new legislation after the breach. Alongside his Democratic colleague, Sen. Elizabeth Warren, the two senators said their bill, if passed, would hold credit agencies accountable for data breaches. "With Equifax, they knew for months before they reported, so at what point is that violating securities laws by not having that notice?," said Warner. "The message sent to the market is 'if you can endure some media blowback, you can get through this without serious long-term ramifications', and that's totally unacceptable," he said. Earlier this year, the company asked a federal judge to reject claims from dozens of banks and credit unions for costs taken to prevent fraud following the data breach. The claims, if accepted, could force Equifax to shell out tens of millions of dollars -- perhaps more. The hundreds of class action suits filed to date have yet to hit the courts, but historically even the largest class action cases have resulted in single dollar amounts for the individuals affected. And when the credit agent giant isn't fighting the courts, federal regulators have shown little interest in pursuit of legal action. Sen. Elizabeth Warren wrote a letter Thursday to the heads of the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) complaining about their lack of action. "Companies like Equifax do not ask the American people before they collect their most sensitive information," said Warren. "This information can determine their ability to access credit, obtain a job, secure a home loan, purchase a car, and make dozens of other transactions that are critical to their personal financial security. The American people deserve an update on your investigations."
"[O]nly the Securities and Exchange Commission has brought charges -- not for the breach itself, but against three former staffers for alleged insider trading," TechCrunch points out.
I see this all the time in security. The company responsible for the security isn't the one hurt by a security breach, so they put almost no effort into security. Banks in the UK used to be the worst example of this. Internal fraud was so bad they would resist any controls so that they could deny it was their fault. Small toy companies and companies printing tickets had the best security. (Military security is just incompetent by inertia.)
What we need are regulations that shift the cost of security breaches onto the entities best able to prevent them. We also need to make stored data toxic so that most companies won't even keep your information.