Slashdot Mirror


Equifax Slapped With UK's Maximum Penalty Over 2017 Data Breach (techcrunch.com)

Credit rating giant Equifax has been issued with the maximum possible penalty by the UK's data protection agency for last year's massive data breach. From a report: Albeit, the fine is only 500,000 Pound (roughly $658,000) because the loss of customer data occurred when the UK's prior privacy regime was in force -- rather than the tough new data protection law, brought in via the EU's GDPR, which allows for maximum penalties of as much as 4% of a company's global turnover for the most serious data failures.

So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months -- thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers. Personal information that was lost or compromised in the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.

66 comments

  1. Better solution by nwaack · · Score: 4, Insightful

    Have the EU decree that Equifax can't do business in the EU anymore. Then they might actually realize just how insanely inexcusable their actions were.

    1. Re:Better solution by nwaack · · Score: 1

      Sorry, meant to say UK, not EU. Don't want to get the Brexit-ers in a kerfuffle.

    2. Re: Better solution by Anonymous Coward · · Score: 0

      But will the brits use this money to fix their goddamn teeth? Lol we all know the answer to that one

    3. Re:Better solution by Anonymous Coward · · Score: 0

      The Brexiters are traitor morons. Pissing them off is good for Britain.

    4. Re: Better solution by datavirtue · · Score: 1

      "Slapped" with a fine? More like, gently brushed against their genitals with a daring scowl.

      --
      I object to power without constructive purpose. --Spock
    5. Re:Better solution by Anonymous Coward · · Score: 0

      Shut it remoaner. You can go wrap yourself in that star flag as much as you want but like it or not we're leaving. ;)

    6. Re: Better solution by cyber-vandal · · Score: 1

      The teeth thing again? We've got better things to do with our time and money than sticking bits of plastic to them on the off-chance we get a call from Hollywood.

    7. Re: Better solution by KingAlanI · · Score: 1

      Yeah, British teeth get a bad rap because you aren't into cosmetic whitening and straightening like Yankees, but you don't have more cavities. Maybe it's too hard to keep them white with all the tea. :)

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
    8. Re: Better solution by Anonymous Coward · · Score: 0

      The tea ... yes.... the tea. Hmm.

    9. Re: Better solution by fuzzywig · · Score: 1

      We don't need to spend money, we can get our teeth fixed on the NHS. It's you yanks who need to pay to get them fixed because US dental health is no better than the UK.

    10. Re:Better solution by Cederic · · Score: 1

      Wait? The people seeking full autonomy for the country so that it doesn't have unwanted laws imposed upon it are the traitors?

      When the fuck did that word get its definition changed?

    11. Re:Better solution by AmiMoJo · · Score: 1

      As much as I'd like to see that, there is a general principle in most legal systems that laws and punishments can't be retroactive. Otherwise governments would simply criminalize something you did perfectly legally yesterday and slap a hefty sentence on it.

      If the breach had been more recent then the GDPR rules would have applied, which would be a maximum of 4% of global turnover. I believe that would be around $135 million, still only a fraction of their $580 million net income.

      In Japan they have corporate jail. Company can't do any business for a certain period of time. Staff get paid and can be required to work (just not making sales or supplying services) and it's generally limited to a period of time that hurts the company but won't destroy it or cause layoffs.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Fine by Scutter · · Score: 3, Funny

    Oh no! However will Equifax survive having to dip into the petty cash to pay a fine that's less than the lunch tab for yesterday's executive meeting about it?

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  3. Meaningless Penalty by h4x0t · · Score: 4, Insightful

    4% of global annual revenue... what about considering the cost of the damage done?
    What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.

    1. Re:Meaningless Penalty by ljw1004 · · Score: 1

      4% of global annual revenue... what about considering the cost of the damage done? What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.

      4% of global annual revenue would be $124m.

    2. Re:Meaningless Penalty by thegarbz · · Score: 1

      To be clear 4% of global revenue for Equifax is the equivalent of 25% of its entire yearly profit ($125m). I think you can trust the gut instinct that there is going to be almost no policies out there where the cost of implementation will be this much of a normally operating company's annual profit.

    3. Re:Meaningless Penalty by Scarred+Intellect · · Score: 1

      What about considering the cost of implementing sound security policies? No one will do it if the fine is less than the cost of implementation.

      Where I grew up, there was a fine for farmers irrigating county roads. Let's call it $500. The fine could only be applied once per year, and the cost of fixing their irrigation to not water the roads is, let's say, $10,000 (plus the additional maintenance).

      Don't fix it, just pay the fine.

    4. Re:Meaningless Penalty by Krishnoid · · Score: 1

      Have the EU decree that Equifax can't do business in the EU anymore. Then they might actually realize just how insanely inexcusable their actions were.

      4% of global revenue would probably get that point across.

    5. Re:Meaningless Penalty by Cederic · · Score: 1

      there is going to be almost no policies out there where the cost of implementation will be this much of a normally operating company's annual profit

      Almost, but.. there is one.

      Implementing proper data security would easily wipe out one year's annual profit, and create an environment with run costs that could easily eat up that 25% every subsequent year.

      Securing that volume of data used in so many ways isn't cheap.

    6. Re:Meaningless Penalty by Anonymous Coward · · Score: 0

      Implementing proper data security would easily wipe out one year's annual profit

      If you hire incompetent programmers and administrators.

    7. Re:Meaningless Penalty by houghi · · Score: 1

      Look at it another way. The EU asks for 4%. The US asks for 4%, Argentina asks for 4%. So now we are talking 12% of their annual worldwide revenue.

      There is a lot security to be bought for that 4%. Especially as they would be required to implement it anyway, regardless of the fine.

      --
      Don't fight for your country, if your country does not fight for you.
    8. Re:Meaningless Penalty by AmiMoJo · · Score: 1

      There is a good case to be made for a more complete compensation package being legally mandated. At the moment individuals and companies affected have to claim from Equifax directly, i.e. sue them.

      It would be better to appoint an administrator, similar to when a company goes bankrupt, who will accept claims from those affected and pay out.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Meaningless Penalty by thegarbz · · Score: 1

      Implementing proper data security would easily wipe out one year's annual profit

      No. Paying some overpriced Accenture contractor and buying the resulting equipment needed from IBM will do that.

  4. There's a lesson in this by AlanBDee · · Score: 2

    I'm sure that between this and all the money they made from people locking their credit score and all the money they made from selling identity theft protection plans and their stock price (which has almost completely recovered) I'm sure their security is top notch now.

    Let this be a lesson to the rest of you companies who think you need to foolishly spend money on IT security.

    1. Re:There's a lesson in this by bobby · · Score: 1

      I'm not sure if you're being sarcastic or not. The way I see it reminds me of an analogy: in a town near me the local parking authority finally figured out that people were knowingly parking illegally because the fine was only $2 or $5 / day, and parking lots were $10 - $25. This UK fine is roughly the cost of 2 or 3 IT security employees, and with those employees there's still no guarantee of security. So they spend as little as possible on IT security, and take the risk of paying the relatively tiny fine. The fine needs to be big enough to really hurt them.

      The problem: the public is complacent, and largely because we have no choice in the whole credit reporting / database system.

    2. Re:There's a lesson in this by Anonymous Coward · · Score: 0

      Wow, what kind of IT employees are making $200k to $300k a year?

    3. Re:There's a lesson in this by bobby · · Score: 1

      Actually lots, especially sw dev. managers and IT security. It's been in the news here and elsewhere and you can do your own search.

      But more importantly, I said the "cost" of IT security. The total cost of an employee is usually 1.25 - 1.4 times the base salary. Again, you can do a search, but here's one reference: http://web.mit.edu/e-club/hadzima/how-much-does-an-employee-cost.html

      Even if you tighten the numbers, that fine will still only buy you 4 or 5 IT security analysts for 1 year. Maybe that would have made a difference, maybe not.

      My point stands, and we see many similar stories here and in IT news: corporations would rather take the higher-profit route of minimizing hiring IT security, frequently "outsourcing" it, rather than build and support a strong permanent team.

    4. Re:There's a lesson in this by AmiMoJo · · Score: 1

      In Europe you can see your credit report for free. There used to be a small charge allowed by law, but now I believe it's free EU wide. Certainly it is in the UK.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. This makes my morning a better by Anonymous Coward · · Score: 0

    I just got to see how it happened last Friday. The only way we can make a difference between the first time is to be happy. Trump will probably have to be there.

  6. Why assume the hacker is always stupid? by DCFusor · · Score: 4, Interesting
    I'm a white hat, but damn, if I got access to a DB, I'd do a lot more interesting stuff - modify the records. The power inherent in a credit rating agency - or say, the OPM, means you can effectively make someone rich or poor, give them or take away a security clearance, or any of a long list of other "fun". Then and only then do any exfiltration without erasing logs, just to cover your tracks. The exfiltration simply complicates things so much it makes "following the money" impractical - which money?....

    Ever notice how this possibility is never, ever mentioned? This dog ain't barking so loudly it's deafening. So, are both sides really that stupid, or is someone covering up something? I find the former hard to believe - once, maybe, but every single time this sort of thing happens?

    --
    Why guess when you can know? Measure!
    1. Re:Why assume the hacker is always stupid? by gweihir · · Score: 1

      They catch basically only the stupid ones, so the conclusions drawn from who gets caught are badly skewed.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Why assume the hacker is always stupid? by DCFusor · · Score: 1
      Perhaps it's just the inverse of survivor bias, I'm not so sure. It's clear that there's a lot of dumb around. I recently reached retirement age, and to handle things like SS, I was encouraged to start a MySS account online. Heck, they were (and are) already sending me checks, a medicare card, all that.

      Now, it turns out I cannot register such an account, I can't create a sign-in, it just barfs. So I called the contact number, and after waiting the requisite few hours, I had a gov employee tell me that without a credit rating - I don't have one, don't use the credit system - I can't prove I'm myself, and can't have an online account with them - despite they know it's me and send me checks! Which is probably breaking some law about how the gov has to provide online access, but...nothing can be done, according to them (sorry, Joni Mitchell).

      This points out where the real power lies perhaps. A private company, collecting our data with no recourse - you can't opt out - has more power over government operations than...the government. Interesting. https://www.ssa.gov/myaccount/
      All you have to do to have no credit rating is not use any credit for 7+ years. You are then a ghost. Also interesting is that "no" credit rating is worse than a bad one! I had a dispute with Verizon some years ago - sold me a phone, no service in my area, wouldn't cancel - I wouldn't pay! They sold me off to a debt collection agency who threatened to screw up my rating. Net result - endless offers of credit from all and sundry due to now having a rating at all. Which is now long gone.

      Obviously you're not going to see this kind of story in the MSM. But it's true. Probably doesn't affect that many, but it was eye-opening for me.

      --
      Why guess when you can know? Measure!
    3. Re: Why assume the hacker is always stupid? by datavirtue · · Score: 1

      If that happened they would just get access to the other bureaus data to update their records and move on.

      --
      I object to power without constructive purpose. --Spock
    4. Re:Why assume the hacker is always stupid? by Anonymous Coward · · Score: 0

      Most criminals are stupid. The rest run successful problem solving consulting firms.

      (/joke)

    5. Re:Why assume the hacker is always stupid? by Anonymous Coward · · Score: 0

      The way bureaus work is that they receive data from financial services organisations such as banks on fixed intervals. Typically they in turn give said organisations a discount on bureau requests, so effectively Bank A gives a credit agency all their customer's financial data, and in turn gets to query the overall credit database which has a combination of data from multiple other sources like Bank B, C, and D at a reduced rate for contributing to the credit database. Everyone else who just wants to query only without contributing pays a much higher rate.

      But it's not as simple as "if I got access to a DB", credit agencies pretty much all still just do batch updates on a fixed interval, that means even if you were able to manipulate the database anything you put in will be overridden by data from the original source within a month the next time a batch update occurs. Some changes may persist as historical data depending on what exactly you changed, but it would then be fairly trivial to pick out clear blips in data, especially when compared against backups. Because agencies still all largely work this way they have massive ETL teams and half the work at such places is the utter tedium of getting data from organisation X into the credit database.

      So you're never going to just alter the odd record here or there, you're never going to have that access to the database unless you gain physical entry into the building. You'll be stuck doing a batch load of records, and sure you could do a bunch of batches of size 1 to make those changes, but that's going to be trivial for any DBA to spot. Regardless, to even get to that point there is a massive amount of controls around such data loads in that they go through various quality gates before they ever hit the live database, and to pass those requires sign off (typically through a digital mechanism, involving say, an RSA key) by various people such as data protection officers, project managers, client liaison managers, principal DBAs and so forth. So even if you manage to get past all that to get your data loaded, you're still going to be in a situation where a whole bunch of people are going to be able to point to your data load and say "Yeah, none of us actually signed that batch load off or know where it came from" and a rollback of your manipulated data will be trivial.

      In contrast, exfiltrating data is a much easier task, whether it's by repeated queries against the service fronting the database, which as read-only tasks are typically much less controlled, or simply by grabbing a data batch where a copy of all or a large chunk of data from the main database has been extracted for some kind of offline batch processing. Typically usage scenarios for that kind of thing are running new credit scoring algorithms against historical data to check relative performance against existing algorithms - i.e. predicting how someone will perform using old data, then comparing with how they actually performed in reality. If someone managed to access some analyst's PC and they had access to this they could potentially extract something like that. Alternatively, they could've just hijacked the servers running the (typically) SOAP service that queries the credit database and just logged every incoming request and response from every client over a period of time.

      So there are good reasons why what you're saying is unlikely no matter how good the hacker is, it's just simply that much more easy to extract data from a CRA than it is to manipulate.

      Disclaimer: I work for a credit agency (though thankfully not in data loading because I'd probably have slit my wrists from boredom by now), and yes that makes me a horrible person, though part the reason I'm being transparent about the way things work internally is precisely because I do believe the industry I work for needs a good tidy up and greater transparency. If the industry doesn't like me being candid about it, then well, I guess they can be more ethical can't they?
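      The comment above describes a control model in which bureau data only reaches the live database through scheduled batch loads that pass quality gates and carry sign-offs, so an unauthorised change shows up as a tiny, unsigned, off-cadence load that a DBA can spot and roll back. The following script is an added example written here from a defender's viewpoint; it is not code from the thread, from Equifax or from any credit agency. The audit-record layout, the reviewer roles, the 1,000-record minimum and the 30-day cadence are all assumptions constructed for illustration.

```python
"""Audit a batch-load trail for loads that bypassed the expected controls.

Added example, not from the Slashdot thread or any bureau's code base. The
record format, roles, thresholds and sample data below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Roles assumed to be required to sign off a batch before promotion.
REQUIRED_SIGNOFFS = {"dpo", "principal_dba"}
# Legitimate feeds are bulk; anything below this size is suspicious (assumed).
MIN_EXPECTED_RECORDS = 1000
# Feeds arrive on a fixed cadence; loads off that cadence are flagged (assumed).
EXPECTED_INTERVAL = timedelta(days=30)
SCHEDULE_TOLERANCE = timedelta(days=2)


@dataclass
class BatchLoad:
    batch_id: str
    source: str            # contributing organisation, e.g. "bank_a"
    loaded_at: datetime
    record_count: int
    signoffs: set = field(default_factory=set)


def audit_batch(batch, previous_accepted_load):
    """Return the findings for one batch load (an empty list means clean)."""
    findings = []
    missing = REQUIRED_SIGNOFFS - batch.signoffs
    if missing:
        findings.append(f"missing sign-off from {sorted(missing)}")
    if batch.record_count < MIN_EXPECTED_RECORDS:
        findings.append(f"tiny batch ({batch.record_count} records)")
    if previous_accepted_load is not None:
        gap = batch.loaded_at - previous_accepted_load
        if abs(gap - EXPECTED_INTERVAL) > SCHEDULE_TOLERANCE:
            findings.append(f"off-schedule load ({gap.days} days since last accepted feed)")
    return findings


def audit_loads(loads):
    """Audit loads in time order; return {batch_id: findings} for flagged loads."""
    last_accepted = {}
    flagged = {}
    for batch in sorted(loads, key=lambda b: b.loaded_at):
        findings = audit_batch(batch, last_accepted.get(batch.source))
        if findings:
            flagged[batch.batch_id] = findings
        else:
            # Only accepted loads advance the cadence, so a rogue load cannot
            # shift the schedule and make the next legitimate feed look wrong.
            last_accepted[batch.source] = batch.loaded_at
    return flagged


# Constructed sample audit trail (not real bureau data).
SAMPLE_LOADS = [
    BatchLoad("B-1001", "bank_a", datetime(2018, 7, 1), 250000, {"dpo", "principal_dba", "pm"}),
    BatchLoad("B-1002", "bank_a", datetime(2018, 7, 31), 248000, {"dpo", "principal_dba", "pm"}),
    # Single-record, unsigned, off-cadence load: the "batch of size 1" the comment describes.
    BatchLoad("B-1003", "bank_a", datetime(2018, 8, 9), 1, set()),
    BatchLoad("B-1004", "bank_a", datetime(2018, 8, 30), 251000, {"dpo", "principal_dba", "pm"}),
]

if __name__ == "__main__":
    for batch_id, findings in audit_loads(SAMPLE_LOADS).items():
        print(batch_id, "->", "; ".join(findings))
```

      Run stand-alone, the script reports only B-1003, with all three findings; the legitimate feeds before and after it stay clean because the cadence is measured from the last accepted load rather than from the rogue one.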

    6. Re: Why assume the hacker is always stupid? by DCFusor · · Score: 1

      Yeah, I'm sure they conflict-check all the time, especially databases that take weeks to just read. And they never find discrepancies when they do that themselves, even in the absence of interference, overwhelm all ability to resolve....I'm not sure you understand the scale, here.

      --
      Why guess when you can know? Measure!
    7. Re: Why assume the hacker is always stupid? by Cederic · · Score: 1

      I'm not sure you understand anything here.

      This data you're changing.. it all belongs to people. They'll notice that it's wrong, especially if it negatively impacts them, and they'll demand correction.

      Then there are the regular data refreshes.

      As for making someone rich.. no. At best you could enable them to incur financial risk they're entirely unequipped to manage, resulting in them ending in an even worse financial position.

      Plus.. wtf are

      databases that take weeks to just read

      I've worked with databases very much larger than Equifax and they take under a second to read. Shit, even Equifax can provide you with a credit score almost instantly.

      Sure, some activities can take a while. If you change the scoring algorithm and want to update the entire system, that could even take hours. But that's read, process, correlate with other data, apply complex algorithm, write.

      Still well short of 'weeks to read'.

    8. Re: Why assume the hacker is always stupid? by DCFusor · · Score: 1
      Name one larger than Equifax or OPM, dare ya,
      Read doesn't mean one query. That comeback tells me - and anyone who knows anything, you're the one who doesn't get it.
      These guys have data on everyone in the financial system, worldwide - you're off by ~ factor billion. A billion seconds is...work it out.
      There are constantly errors people bitch about. Have you ever tried to get one fixed? Do you think they fix the ones no one even bitches about?
      Ever rebuilt a raid array with 10 tb drives? Thousands of such, while staying online?
      Consistency check thousands of such that have errors you have no reports of? While things are changing thousands of transactions/second?
      Think that competing orgs are going to snapshot and share at their own cost because they are nice?
      That it would even help, because there are already so many inconsistencies no one can sort it out quickly - and the additional evidence required takes time to get.
      How about assuming that someone who has root access, which is usually assumed, can't munge the datestamps and logs,

      You might have a low ID, but that doesn't mean I have to believe things utterly contrary to my own real world experience just because you say them. It's pretty obvious you don't see the big picture here. OR simply wish to keep people believing that some agency that doesn't give a sh*t about you, but makes money off your data - actually both them and their customers control your life - can be trusted despite inability to do what they claim and huge amounts of evidence to the contrary. Sure, ID theft is easy to fix, everyone knows that right? Seems you're implying that. /sarc
      And what simplistic world view does it take to think a huge credit availability won't be used to borrow money that can be bet on winners, or for so long it doesn't matter about being paid back - shifting things around as is done in all big finance. See - Government, see any big corp with plenty of rolling debt on the books.
      We all know the financial system doesn't admit of crime, or that one can't manipulate loans, bonds, go bankrupt as convenient and so forth...that's just impossible. As GM bondholders - or even some who held bonds let by companies our current leader set up. Give me a break. Believe what you want. Many people believed the banking system was fine till they lost their homes, many people thought the three letter agencies worked for our benefit till Snowden proved what many of us already guessed - and shadow brokers released some of their code used in attacks today...but nope, this is all easy bordering on trivial, and you just own that space, I get it. My nearly 50 years experience don't mean shit. Got it. /flame

      --
      Why guess when you can know? Measure!
    9. Re: Why assume the hacker is always stupid? by Cederic · · Score: 1

      Name one larger than Equifax or OPM, dare ya,

      What, like Google or Facebook?

      Shit, even in the same industry as Equifax there's the rather larger Experian.

      Read doesn't mean one query. That comeback tells me - and anyone who knows anything, you're the one who doesn't get it.

      Databases are transactional. Data that isn't read is irrelevant, and transactional reads are trivial.

      These guys have data on everyone in the financial system, worldwide -

      No, they don't. They have good coverage in the US and the UK, poor to reasonable coverage elsewhere and no coverage at all in many countries.

      you're off by ~ factor billion. A billion seconds is...work it out.

      No, I just understand how these systems work.

      There are constantly errors people bitch about.

      With that much data, from so many sources, of such variable quality, of course there are errors. This isn't exactly a surprise or (at a macro level) an issue.

      Have you ever tried to get one fixed? Do you think they fix the ones no one even bitches about?

      Yes, and absolutely fucking yes. The data has no value if it's wrong, and they'll lose customers if they don't correct it. The regulators will impose restraints if they don't correct it. The people that work there generally want to correct it.

      Ever rebuilt a raid array with 10 tb drives? Thousands of such, while staying online?

      Ever managed a database large enough that you don't store it on a single RAID array? Who the fuck uses 10TB drives anyway, far too expensive. Go smaller, cheaper, easier to replace, and use modern storage solutions that largely handle this shit for you.

      Consistency check thousands of such that have errors you have no reports of? While things are changing thousands of transactions/second?

      Thousands? Oh no, you mean I need three hardware techs to swap them out instead of two?

      Data centres self-manage to an amazing degree these days.

      Think that competing orgs are going to snapshot and share at their own cost because they are nice?

      If three credit agencies decide to compare and contrast records for validation, they all benefit. I doubt that's likely to happen though, they validate against the source data - e.g. the financial data coming from banks.

      That it would even help, because there are already so many inconsistencies no one can sort it out quickly - and the additional evidence required takes time to get.

      From where did these inconsistencies come?

      I'll be kind, and help you: They come from either
      - the source of the original data, in which case it would be wrong for Equifax to even attempt to change it. The data subject should engage with the data provider to get it corrected at source
      - or, the algorithms Equifax uses to match records from disparate sources into a single coherent subject record

      If the algorithms are matching wrong, you just fix them and re-run them. No manual changes needed.

      As it happens Equifax will have a team that both engages with data providers to assure data is fixed at source, and that can correct data created and/or held by Equifax themselves. That team probably has about a dozen people in the US, because that's how low the volume of required changes will be.

      How about assuming that someone who has root access, which is usually assumed, can't munge the datestamps and logs,

      Whatever the fuck makes you think that privileged system access is so easily subverted? Even before the breach Equifax will have had multiple layers of protection. Could a bad actor intentionally breach all of those layers and cause mischief? Obviously; they did. It's fucking hard though, and financial institutions know that internal threat

  7. Oi! Stop roight there! by Anonymous Coward · · Score: 0

    Go to jail for owning hand tools.

    Go to jail for plastic sporks.

    Go to jail for mean tweets.

    Go to jail for wrong think.

    Leak personal financial data of a huge percentage of the public? Small fine and a handjob from Prince Chuck himself, courtesy of his Rothschild owners.

  8. Much, much cheaper than having done anything by gweihir · · Score: 1

    That way, the CISO with the master's in music makes perfect sense. Obviously, if you are large enough, it is much, much cheaper to just hope you do not get attacked too often than actually invest anything into security.

    Now, if that had been 500'000 pounds per customer data set stolen, that would have been something else.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Maximum Possible Penalty by bobstreo · · Score: 2

    If it was per person, it would be better.

    As a total, it's embarrassing.

  10. British Pound... by Anonymous Coward · · Score: 0

    ...is about 1.32 x dollar; the currency (in pounds) should read more like $62,200 (precisely $62,183).

  11. NaN - Basic Math by Anonymous Coward · · Score: 0

    the fine is only 500,000 Pound (roughly $6,62,000)

    1. Re: NaN - Basic Math by Anonymous Coward · · Score: 0

      Is this India or a typo? Fix the notation

  12. Re: Better solution 100,000 pounds EACH. by Anonymous Coward · · Score: 0

    50,000 pounds paid directly to each party ID hacked, and 50,000 each paid directly to UK.

    The funds would improve everyone's credit rating as they each get $50,000 to pay off existing debts.

  13. European Localization by lazarus · · Score: 3, Funny

    the fine is only 500,000 Pound (roughly $6,62,000)

    Damn, I will never get used to the way the Europeans use commas and decimal points.

    --
    I am not interested in articles about life extension advancements.
    1. Re:European Localization by zennyboy · · Score: 1

      No, that's just the editor. It should be $662,000

    2. Re:European Localization by Guybrush_T · · Score: 1

      Yeah. I'd have written £500,000 as well because Pound is just too heavy.

    3. Re:European Localization by Anonymous Coward · · Score: 0

      Please replace the EU Flag with the Union Jack. GB is leaving

    4. Re:European Localization by Anonymous Coward · · Score: 0

      10 dollar I comma you long time!

    5. Re:European Localization by Cederic · · Score: 1

      Wait?! You have a working £ symbol in your post.

      Did Slashdot fix it or are you using something other than 'Plain Old Text' as your comment format?

    6. Re:European Localization by mjwx · · Score: 1

      Wait?! You have a working £ symbol in your post.

      Did Slashdot fix it or are you using something other than 'Plain Old Text' as your comment format?

      You need to use the unicode format of:

      £

      and you get £

      Slashdot hasn't updated it, they never will and that's how we like it.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  14. Credit bureaus should be illegal by LostOne · · Score: 1

    The only people that *actually* benefit from credit bureaus are the banks and other lenders that use them. Consumers don't actually benefit at all. Contrary to the popular narrative, there is no need for credit bureaus in order for lenders to make decisions about extending credit. They did just fine making those decisions before the credit bureaus existed. It just meant they had to actually do the leg work to verify information on credit applications. You know, by making a few phone calls or checking their own records.

    Since credit bureaus really only facilitate lenders' laziness, regularly have inaccurate information, and, as Equifax has so effectively demonstrated, are not secure repositories of information, the entire credit bureau system should be abolished and made illegal.

    For anyone that argues that this will make borrowing harder, I say, "Good!" If borrowing money was harder, a lot fewer people would be massively over extended which would be an immense improvement for the future economic outlook.

    --

    If it works in theory, try something else in practice.
  15. Rich People DGAF about this by Rick+Schumann · · Score: 1

    So long as Equifax keeps making money they don't give a fuck about the rest of us peons and our little bank accounts/identities/lives.

  16. Still missing the point. by Anonymous Coward · · Score: 0

    * The fine should not be decoupled from the damages done, in the first place.
    * Fairness is an essential principle of any legal system.
    * Fairness also means that the damage done must be compensated. (Evil people like to add harm on top of that and excuse it by calling it "punishment", because they know no legitimate way that would actually serve as a detriment, which mere compensation would not provide ... but that's a discussion for another time.)
    * The damage done by Equifax in the UK does not amount to $124m. Not even if the total damage was smaller.

  17. You're in a corporate oligarchy. Duh. by Anonymous Coward · · Score: 1

    You don't have a government. You have a council where corporate spokespeople present the laws their corporations have written, so the oligarchy of corporations can decide if that new regulation maximizes their own profit. And those who got overruled then bitch about "government regulation" and "lack of a free market". Like their goal isn't to regulate things their way... Only Master Pain ... err ... Betty, is missing. Darth Cheney is there though.
    Actually, you have two councils. One for the royalty (senate) and one for the interests of regional industry (house).

    The "merger of industry and state", was how Mussolini, who AFAIK invented the ideology, defined "fascism", just by the way.

    And I, for the record, think like this, exactly because I wish the best to every American.

    1. Re:You're in a corporate oligarchy. Duh. by DCFusor · · Score: 1

      Thanks, been saying the same for years myself - but as the idea that we've been effectively Fascist for quite a while now offends a lot of people, saying it as directly as you just did doesn't get it across well - the people who most need to hear it rage-quit reading before their worldview gets messed with - they want simple, to blame it on maybe one guy they think they can get rid of, not complex and deeply embedded and hard to solve...
      So I just drop hints...I think it works better.

      --
      Why guess when you can know? Measure!
    2. Re:You're in a corporate oligarchy. Duh. by gweihir · · Score: 1

      Well. I agree to your points. While hinting at things may or may not work, saying them clearly does certainly not work. Personally, I have mostly given up on people and say what I think clearly now. Fortunately, not many even listen, so the risk for me is small. And yes, that one guy you could (maybe) get rid of is only a symptom. Actually getting rid of him would not solve anything.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. "maximum" penalty by KSeghetti · · Score: 2

    The maximum penalty would be dissolution of the company. The maximum penalty the UK could probably make happen is they are no longer allowed to operate in the UK in any capacity.

    IMO, a breach like this means they have demonstrated they cannot be trusted with private data, and should no longer be allowed to store private data.

    The other question everyone should be asking is: How did they get this private data? I sure as hell didn't give them permission to have it. (I know, likely hidden away in the TOS of credit cards I have).

    --
    Kevin Seghetti: kts@tenetti.org, HTTP: www.tenetti.org GPG key: http://tenetti.org/phpwiki/index.php/KevinSeghett
    1. Re:"maximum" penalty by Cederic · · Score: 1

      The maximum penalty the UK could probably make happen is they are no longer allowed to operate in the UK in any capacity.

      That would be highly damaging to the UK economy - substantial impact across the financial sector, knock-on impacts across retail, and also remove a key competitor within Equifax's own market.

      Long before Equifax reached a position where dissolution (or banning) was considered they'd have had their operations brought forcibly under third party control.

      a breach like this means they have demonstrated they cannot be trusted with private data

      No, it demonstrated that they couldn't be trusted. The FCA can (and will) demand evidence that they can now be trusted, and have a range of sanctions available should that evidence be unavailable or insufficient.

      How did they get this private data?

      Electoral records, court records, social media activity and (mostly) data provided by financial institutions.

      I sure as hell didn't give them permission to have it.

      Some of it doesn't need your permission (under current law). Some of it you almost certainly have consented to.

      (I know, likely hidden away in the TOS of credit cards I have).

      Not necessarily even your credit cards. See Section 10 (page 35) of the T&Cs of one of the UK's largest banks:
      https://www.barclays.co.uk/con...

      While many people won't read that far, it is, to be fair, written in easy-to-understand language and doesn't shy away from the ugly details: they're going to give all your data to Equifax.

  19. Meanwhile, in the USA... by Anonymous Coward · · Score: 0

    ...

  20. Re: Better solution 100,000 pounds EACH. by sabri · · Score: 1

    50,000 pounds paid directly to each party ID hacked, and 50,000 each paid directly to UK.

    And from TFA:

    Albeit, the fine is only 500,000 Pound (roughly $6,62,000)

    AC: 100,000 pounds fine!
    TFA: 500,000 pounds fine!
    /. editor: $6,62,000 fine!
    /, reader: wow, $6,620,000 fine!

    It's the opposite of the police drug bust scam.

    --
    I'm not a complete idiot... Some parts are missing.
  21. Remember kids - GDPR is evil socialism by cyber-vandal · · Score: 1

    This is the kind of behaviour that GDPR is for. Not for harassing small traders but real punishment for significant failings from corporations that see these pitiful fines as just a business expense.

  22. If this was based on GDPR... by Anonymous Coward · · Score: 0

    The fine would have been EUR 20M, not just GBP 500k.

    From article 83:
    5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher

  23. When do they go to prison? by Anonymous Coward · · Score: 0

    Weren't they insider trading?

    What about all the Wall Street executives that got away (except Bernie Madoff - he stole from rich people)?

    Funny that Vietnam seems to know what to do with these criminals, yet the first world western nations do not.