I feel like this has to do with Equifax basically not being punished in any major way over the last breach. Their stocks are still priced reasonably well, most of their board is still intact, and US citizens are still required to work with them for credit reasons.
And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them." And if anybody has suggestions on that, I'm totally open, because if Equifax was a dripping faucet, they'd be flooding the house by now.
If that's the case, it seems like the executives at Equifax who were dumping stock after they learned of the breach (but before it was reported) were jumping the gun. They should have just held on to it!
"Three senior executives including the company’s chief financial officer sold $1.8 million in shares three days after the company learned on July 29 hackers had breached personal data for up to 143 million Americans."
I guess I'm just getting jaded about the scale; when you reach a certain dollar amount, there don't seem to be consequences at all. I'm sure I would get busted for insider trading if I tried it, but my company's CEO damned sure wouldn't.
Not that it'd be easy since you have to schedule big sales like that with the feds in the first place, but I mean...come on. The sheer blatancy.
>"The Internal Revenue Service signed a $7.25 million contract with Equifax last month. The no-bid contract, first reported by Politico, is for Equifax to provide the IRS with taxpayer and personal identity verification services. The contract stated that Equifax (EFX, -1.34%) was the only company capable of providing these services to the IRS, and it was deemed a “critical” service that couldn’t lapse."
The IRS in the US needs Equifax to provide taxpayer and verification services? Seriously, what does that even mean? The IRS has no other way to verify citizens?
AFAIK in the US, you're not required to check in with local authorities when you move to a new city (contrary to many European countries where you need to notify them, else you'll be fined), so there's no official register the IRS could use to find all taxpayers... maybe that's the background.
I'd guess it is just outsourcing of a government function, you know as a way to save taxpayers money and increase government efficiency ... like those private prisons, private torturers, private plutonium processors, etc.
This contract is a renewal of a previous contract with Equifax (which is why it was a "critical service that couldn't lapse"), and it involves Equifax giving data to the IRS, not the IRS giving your tax returns to Equifax.
Doesn't this require you to trust Equifax to enforce and honor the freeze? I think the solution is "I don't want my report or any of my data in any sort of control or possession of Equifax". Where is that solution?
What is "your data" exactly? And in the limit, how far does this go?
Here's a question: who owns your driver's license? Here's a hint: it isn't you. Can you "own" your mailing address? Copyright and trademark it, make everyone ask permission from you before they write it down? What about your salary? Should your employer have to ask every time they use your salary number in some way, say in aggregate statistics or reporting?
What about information about how you interact with your credit card company? Who owns that, you, or the credit card company? Do the two of you have some kind of joint ownership?
We've made some of these decisions about health data and it has far-reaching consequences, some of them undesirable. It's also been very difficult to enforce. Do you want to extend that kind of regime to every piece of information about a person? Society might grind to a halt, we would be inundated with virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?" And what process would mediate this access control anyway, and how would we trust it?
As far as copyright, small snippets of information or sentence fragments are not copyrightable, but collections of data are.
>Society might grind to a halt, we would be inundated with virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?"
That is how messaging works on many newer systems like Facebook or Instagram, and people appear to find that level of control desirable, not annoying. The only reason the phone system works with public numeric IDs that anyone can dial is that the whole thing is a relic from 50 years ago.
If you're curious about the future of privacy, while flawed in some ways, the GDPR (General Data Protection Regulation) comes into effect in the EU next May. Here's their definition of personal data:
"Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances."
And then we have this:
"Right to change or remove your details
If you discover that a data controller has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details.
Similarly, if you feel that the organisation or person does not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details.
In both cases, you can write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, the organisation must do as you ask or explain why they will not do so."
It's true that enforcement is difficult -- I imagine it'll be more reactive than proactive. That said, a breach is handled quite well, assuming the law is enforced:
The issue is that I am responsible for people using this data, but don't own it like you mentioned. If the banks were responsible for giving out fraudulent loans and there was an easier way to prove that they were fraudulent without this PI, then I wouldn't care. But I have to care right now.
Well, maybe it's more accurate to say that it's impossible to consent because no consent is required to take someone's picture in public. People generally exercise control by choosing not to be in public. You could say that having your picture taken is part of the terms of service of using public space. When you agree to something, you also agree to all of the consequences. Just because they are implicit doesn't make them invalid.
Don't get me wrong, I don't particularly like having my picture taken without my explicit consent. In the end, consent is all rather arbitrary because it's not like you can choose not to live in human society on Earth.
Only if you aren't willing to save the money for that up front. Of course most people prefer to get the stuff they want when they want it instead of when they can afford it (and going from renter to owner paying a mortgage does tend to be cheaper), but if you really wanted to, you could live without credit.
I submitted a complaint to the CFPB requiring Equifax to remove my credit record, due to their proven incompetence at protecting that data (citing their breach, several congresspeople grilling their CEO on CSPAN, etc). It's been 9 days and I haven't heard back from the CFPB yet (Equifax has 15 days to respond and up to 60 days to provide a final response), but Equifax has my complaint and even if it goes nowhere, it gives me something to hand over to Elizabeth Warren's office to show I have no control over my personal data and I have no control over having it removed regardless of how incompetent Equifax is.
Fingers crossed someone with Equifax's data dump starts dumping the data of Equifax senior management.
Hat tip to patio11 on the language; don't use "I demand", professionals use "I require".
As for verbiage, you may want to try the phrase you later used in a follow-up post. It's not really your personal data. After all, it was data from an interaction with another entity, which makes it their data as well.
So, personally identifiable information (PII) is a less-debatable phrase and more legally defensible.
In the first case, if you do business with a bank then the data from that belongs to the bank as much as it belongs to you. They are reporting their information, namely that you interacted with them. Thus, that information would belong to them.
In the second case, it is personally identifiable information - which is something that's difficult to dispute. This also gives you interest in that data which is a stronger point to stand on.
As mentioned before, I am not a lawyer and this is not legal advice. However, I have extensive experience with the justice system due to my career and have taken quite a few classes concerning the law.
Also, the word 'shall' has stronger implications than 'will.' I am not sure why but it is handy to know. The defendant will comply vs. the defendant shall comply.
Complaint was with Equifax, Inc. I specified I required my credit file be removed, as Equifax has had several egregious security breaches and is incapable of properly securing my PII. They have 15 days to respond.
That's not quite how credit freezes work; if they pull Equifax and only that bureau is frozen, then they will usually just pull from another credit bureau. People who churn credit cards use this to their advantage: they often freeze the report with the most recent inquiries (usually Experian) to spread out inquiries more evenly over the three bureaus. I've never heard of anyone getting flat out denied for credit (besides mortgages) because they had a single bureau frozen. Sometimes it requires a phone call, but usually it's just automatic.
You also can't prevent them from reporting information about you to Equifax.
Anyways, you aren't really hurting anyone by denying yourself the ability to get credit, you're only hurting yourself.
Remember, these companies are paying Equifax for your credit report.
The point isn't to prevent any credit reporting, but to prevent Equifax specifically from earning money.
And no one is "denying themselves the ability to get credit" by refusing to unfreeze an Equifax report. If the lender doesn't want to use one of the other credit agencies, then most people can find another lender. Those businesses need to know they'll lose business as long as they're loyal to Equifax.
It is unfortunate we don't have more leverage... this does leave a lot of avenues open for Equifax to continue making money. But every bit helps.
> If the lender doesn't want to use one of the other credit agencies, then most people can find another lender. Those businesses need to know they'll lose business as long as they're loyal to Equifax
lol, yeah, good luck with that when you go to get a mortgage.
Mortgage lenders pull all 3 reports, not just one. There are a ton of laws around mortgage underwriting that need to be followed. They technically may be able to underwrite a mortgage with only two credit reports, but I doubt any mortgage lender actually will, or if they did they'd be charging outlandish interest rates. If you're hiding a report they will assume it's because you're hiding something negative that's on the report.
Things don't work like you would like in the real world, only in theory. You are delusional if you believe Chase having to pull Experian instead of Equifax once every million credit applications is going to somehow affect Equifax's bottom line.
If your landlord uses a background checking service that uses Equifax and the background check service comes back with "frozen report" and you say "I demand you use a different background checking service that doesn't use Equifax", then your landlord is just going to say lol and rent to the person who isn't being extremely difficult, as it's a sign you're going to be a difficult tenant.
For this new issue, the problem is that by the time you're even halfway through the sentence "part of Equifax's website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware", 90% of people have decided that it's over their head and stopped listening.
I agree that the situation is bad, but I do want to call out a technicality here. You don't have to work with them. Everyone around you chooses to work with them, because they believe that doing so is safer than not. And this impinges on you, because if they have bad info on you, it can hurt your interactions with people around you.
There is little that you personally can do to control the sources others use to gather information about you. That's something that's only within the power of a legal framework. The statement, "I don't want to work with Equifax because I don't trust them," is meaningless, because you do not work with Equifax.
This has nothing to do with punishment. This is the result of a broken system. Most Fortune 500 companies pay the ransomware price and the public is never aware of any breach. The idea of storing information on a connected network is the problem. We need to return to the brick and mortar way of storing data, i.e. tightly guarded central facilities. Nobody should be able to steal 148 million accounts with the click of a button.
> And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them."
A good start might be to never employ anyone who has worked in Equifax IT. There should be some sort of professional repercussions for being involved with an organization as incompetent as this lot seem to be.
Why is that a good start? They are ex employees. Perhaps they are no longer there because they quit due to bad leadership, bad security, bad company ethics, or maybe they were fired for continually reporting their security flaws?
I get that some people like meting out punishment, but it seems like a good idea to limit it to the people responsible.
Your and other comments are good responses. My comment was mean-spirited and (worse) wouldn't solve the problem.
A lot of the problems we are seeing can be traced back to the fact that the leadership who make decisions suffer little or nothing in the way of personal consequences. It seems past time for us to change the law so that this is no longer the case. That's about the only way things will change. It's dispiriting to see security breaches and misuse of personal data happening again and again.
I'm sure there was some incompetence at the individual level, but I think it's more likely that the key issue was that the management de-prioritized security, which led to the IT team either not having staff on hand to fix issues that came up, or being assigned tasks other than fixing the security issues.
In that case, ruining the career of a low-level employee seems misplaced, especially when they most likely weren't the cause of these issues.
1) If the value of the individual damages related to this breach is in excess of the market cap of the Equifax company, all company stock should be seized and distributed equally among those affected by the breach.
2) In the future, if a company controls this amount of sensitive data, they should have mandatory breach insurance. This means that they are covered for a government mandated amount based on the legal liability if all their data was lost. This will mean that the insurers will do in-depth audits of the data security of the company, and they will be incentivized year-to-year to ensure their security practices are top notch. The present system incentivizes each CEO to have a head-in-the-sand approach to data security where a hack is considered a long-tail event unlikely to happen during the ceo's 3-5 year tenure and therefore is not really worth paying attention to. In addition, it would ensure that if the potential damage done if data is leaked exceeds the value of the business storing the data, the insurance will be prohibitively expensive and the company will not be able to continue with this line of business - as it should be.
1) Stock seizure would kill the market. No one wants to invest in a company if the company stock can get yanked anytime. Also, a share of stock is worth what someone will pay me for it (i.e. when I want to convert that stock to cash). Who will buy this from me if all of a sudden a bunch of people will take the JG Wentworth option and cash out now?
2) I absolutely agree with the insurance companies being on the hook. They alone will drive insurance rates that are through the roof if the company can't prove pen-testing, employee background checks, etc... Unfortunately the key to making insurance companies care is setting a high standard for breach victim payouts. I.e. if it only ends up costing an average of $0.10 per individual victim, I don't need to insure Equifax for that much?
I don't understand how that would work, do you mean liquidate the company? If you mean actually take the shares from shareholders, wouldn't the value of the stock go to near zero? Who would buy stock that could do that? But I agree with the general idea: they should go out of business and whatever they have should be sold to reimburse people affected.
I wonder if the Feds could simply seize the company and issue treasury bonds to shareholders to cover the costs of their stake at the market's price. Eminent domain, or whatever legal term is latin for "we have the guns."
Then, yeah, liquidate everything and distribute the proceeds amongst the victims. It would be expensive, but...so what? The budget is $2T, and if the fine vastly outweighs the value of the company, then it is clearly a grave situation that demands an unusual response.
Maybe they could actually issue a realistic fine, and let the company deal with it. But the company would probably just distribute any remaining assets amongst their executives, fire everyone, and declare bankruptcy or something.
We're just getting into an era where everything is hackable. We haven't even begun to understand the ramifications...! Privacy has been dead for a long time (did it ever exist?), but we're only just now being confronted with what this means. We have a choice to make: make the world work for everyone, or perish!
I agree: I think we have been blessed with a long period of innocence concerning the security of our services and devices. A period that is now coming to an end with increased attacks by increasingly powerful entities.
The dot-com-bubble showed us that businesses should not be valued simply because they leverage hot new technology (hold your AI comparisons...). These high-profile hacks and security failures will hopefully show us that businesses should not be considered secure simply because they stack up to other measures of value.
I would hope that in the future, a fault in a company's infrastructure security is considered as seriously as a fault in its core business model.
> We're just getting into an era where everything is hackable
It's true, however there seems to be a pattern of incompetence when it comes to Equifax. When the first hack happened, if my memory serves me well, they started blaming Apache Struts for the security breach, which might or might not be true; however, the security patch had been available for months when the hack occurred.
Not exactly. Equifax has hardcoded references to an Akamai cache of a domain (hints.netflame.cc) in their own pages.
That domain was owned by Fireclick (né Digital River) at one time, but changed ownership on November 15, 2016. The current owner is a Thai national using a personal Gmail address as the registration info.
Equifax should be responsible for what 3rd party domains it is referencing in their pages.
The script they hosted was legitimate. The Akamai content that it loaded was legitimate. But Fireclick let the domain lapse, and someone else is now impersonating them and serving malware, and not just to Equifax, either. Why is the story "Equifax hacked again" instead of "Akamai serving content from known spammer site"?
I'm reasonably sure the whole Fireclick infrastructure was abandoned, probably years ago. So Equifax's part was not having some mechanism in place to remove 3rd party references for 3rd parties that aren't delivering anymore. I strongly suspect that predated the change in ownership of the domain, which was almost a year ago. The fireclick.com domain is gone. The parent company (Digital River) doesn't mention offering any kind of analytics service.
So, yes, technically the vector wasn't directly an Equifax server. But it was only a vector because nobody removed the reference.
Right now, they also reference crazyegg.com in their pages. If crazyegg goes belly up, the domain will be dormant, and when it expires, somebody might take it over. Does Equifax have an onus to deal with that, or can they blame someone else?
I don't know, how can you reasonably defend from that sort of domain hijacking/repurposing? We fundamentally have to trust DNS at some level, but domain names are somewhat transient in nature. Is it fair to single out Equifax here, or is this just an example of an unsolved problem in the industry?
Somebody used to log into the backend that showed them the statistics. Surely they noticed when it disappeared?
Security scans also usually include breakdowns of 3rd party stuff.
But yes, there are ways it could go wrong. On the other hand, Equifax is one of very few places that has so much important data. I'd expect them to be leaders in this space, not lackluster followers. Subresource integrity, perhaps more due diligence on partners... stick with bigger players for code that shows up on your site, etc.
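The exchange above (an abandoned third-party script reference whose domain later changed hands, and subresource integrity as one mitigation) is the kind of thing a page owner can check for mechanically. The following is an added example, not code from the thread or from Equifax, Fireclick or Akamai: it lists every external script and stylesheet on a page, flags the third-party ones that carry no `integrity` attribute, and shows how an SRI token is computed and verified so a tag can be pinned to the exact bytes that were reviewed. The sample HTML and all hostnames (`.invalid` TLD) are constructed for the example.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script (relative URL), one
# third-party script with no SRI, one third-party script with SRI, and a
# third-party stylesheet with no SRI. The integrity value is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-third-party.invalid/hints.js"></script>
<script src="https://cdn.example.invalid/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://cdn.example.invalid/style.css">
</head><body></body></html>
"""

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the digests SRI allows


class SubresourceCollector(HTMLParser):
    """Collect <script src> and <link rel=stylesheet href> tags as
    (kind, url, integrity-or-None) tuples."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], a.get("integrity")))
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.resources.append(("stylesheet", a["href"], a.get("integrity")))


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('<algo>-<base64 digest>') for a resource body.
    This is the value you put in the integrity attribute after reviewing
    the bytes the third party currently serves."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, token: str) -> bool:
    """Check a fetched body against an SRI token, the way a browser would
    before executing it. Unknown algorithms and malformed tokens fail closed."""
    algo, sep, _ = token.partition("-")
    if not sep or algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(body, algo), token)


def audit_third_party(html: str, first_party_host: str):
    """Return third-party resources that have no integrity attribute, as
    (kind, url, host). Relative URLs and the first-party host are skipped;
    everything that remains is a dependency on someone else's domain staying
    under the same ownership, which is exactly the failure the thread describes."""
    collector = SubresourceCollector()
    collector.feed(html)
    findings = []
    for kind, url, integrity in collector.resources:
        host = urlparse(url).hostname
        if host is None or host == first_party_host:
            continue
        if not integrity:
            findings.append((kind, url, host))
    return findings


if __name__ == "__main__":
    for kind, url, host in audit_third_party(SAMPLE_HTML, "www.firstparty.invalid"):
        print(f"unpinned third-party {kind}: {url} (host {host})")
    token = sri_hash(b"console.log('reviewed build');")
    print("example SRI token:", token)
```

Two caveats worth keeping in mind when using this approach: an SRI token only protects resources whose bytes do not change, so it does not fit scripts a vendor updates in place (those need a different control, such as self-hosting a reviewed copy), and the audit above only sees tags in the static HTML, not resources injected later by the scripts themselves. Running it periodically and diffing the list of third-party hosts is still a cheap way to notice references to partners who no longer exist.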
>I would have thought that with the scale of the last breach a full and thorough audit of all existing systems would have been a major priority!
Why would you think that? Equifax hasn't suffered for its poor security - you have. Indeed, Equifax was rewarded with a massive IRS contract for its malfeasance. It's very much like what we see in the banking sector, where even when the banks get caught stealing, at worst they are fined only a fraction of what they stole, leaving them with a hefty profit. That's what crony-capitalism looks like. Why would Equifax or any other corporation change their very profitable business practices if they don't suffer any downside for their wrongdoing?
You can hire a good group of independent pen testers or security companies, and let them hammer your public-facing sites. They don't lack the necessary financial resources. At least they would have discovered that type of problem. It's not difficult when there's a will.
The kind of licensing here would (or should) provide significant negative consequences for malpractice, possibly including revocation or suspension of the license (and therefore prohibition of working on projects requiring licensed engineers) and even civil or criminal penalties. It also carries credibility and protection: a licensed engineer has a duty to report employers' attempts to circumvent rules like Equifax hypothetically would have done, and legal protection for his livelihood when he does so.
It may not prevent truly unscrupulous or spineless engineers from capitulating, but it's better than the current situation.
> Licensing empowers the engineer to refuse to do something that violates sound engineering practice according to the license and have legal recourse against retaliation.
It would just put most legal liabilities on engineers vs the org. It's a great way to protect management; that's the only thing it's going to do. That's exactly how dumb traders end up being scapegoated with each financial scandal. Any engineer who would dare report any wrongdoing would be blacklisted for life from the IT industry.
Business like Equifax already have legal requirements at the org level, let's not shift all responsibility onto engineers.
I'd be amazed if the average/combined skill level of engineers at any large company exceeds the average/combined skill level of the people trying to compromise its security.
And that's not taking into account the bureaucratic overhead necessary to make changes in such an environment. There are very good, and very bad, reasons why upgrading insecure software and fixing other security holes takes too much time and effort.
Equifax just happens to be a very attractive target. I don't know how any such target can stay truly safe.
(Having said that, they clearly screwed the pooch in a lot of ways, so I won't shed a tear if they're dismantled.)
Libraries, frameworks, and other security systems don't have to be developed in-house. It's just like basic data structures and algorithms: few ought to be rolling their own and should instead be using libraries.
All of those are insecure, so it's still a matter of staying ahead of attackers. And avoiding social engineering. And making certain the code that glues those libraries and frameworks together is secure. And making sure people don't accidentally leave an S3 bucket unsecured. And making sure every 3rd party contractor on-site doesn't take advantage of softer internal security. And making sure employees aren't bribed by competitors.
And making sure the business can still function while doing your best to limit functionality.
A professional license for what? CRUD apps? A CS education doesn't even make one a web security specialist. What's next? Forcing corporations to use Microsoft technologies to stifle competition and innovation? Like big vendors never release insecure products? Like big consultancies never develop insecure apps?
I'm not sure requiring a license to practice software development is a good idea, but it does seem that we could use some rules around development and maintenance of important applications. Perhaps legally mandated security audits for anyone storing things like financial data would be useful.
The Web has gotten so much worse since we started putting serious stuff on it. It's kind of a population-terrorizing monster, at this point.
Could we, like... not do that? I seem to remember the world turning just fine when you couldn't push the right sequence of buttons and steal the personal data of half a country's citizens from the comfort of your home.
It's not "finance" per se. It's anyone granted a carte blanche privilege of some rent to exploit. This is almost always granted either directly or indirectly by the government.
How has finance made it possible? By getting the government to subsidize the industry for all existing entrants at the expense of people who may have better, more progressive ideas about how to manage the financial system. Also at the expense of people in general.
Having been in that system, the reality is so much more bizarre than that.
The actual reality I observed is that the government inspectors and regulators are lawyers and older industry people who simply don't understand technology. Since the US government has limited technical expertise they rely on FIs to adhere to standards and propose self-regulatory measures.
The finance industry as a whole spends a few billion dollars on lobbying. They spend the most on lobbying compared to every other sector. imo this is one of the things the tech industry hasn't fully optimized yet
You're kind of right. I misread the decimal as a comma in $248,785,615.00. Pharma / Health is the next highest spending industry at around $144,778,982, about $100 million less than finance. Finance is the top lobby. Tech lobbying is at $68,403,203 which isn't even half of what finance officially spends on lobbying.
The OpenSecrets lobbying data also doesn't include lobbying money that isn't officially lobbying money. A lot of politicians, at least in the US - including state level legislators, have non-profit foundations with sketchy ledgers. With many of these foundations, little of the money donated actually goes towards their publicly stated causes. Most of it is spent on miscellaneous expenses such as trips and dinners or on political ads.
Genuine question: how are Equifax's services functionally different from the other credit bureaus? What is to stop the federal gov from shutting them down to protect national security, forcing any business partners to move to the other providers?
My company would be really hampered if Equifax went bust. We do use two other credit bureaus, but some functions depend on data only Equifax provides.
We also use the different bureaus together for cross-checking; often one bureau's file will be out of date or have errors, while the other is fine. So we'd have a much harder job of calculating risk if one of the big bureaus went out of business, simply because we'd be losing a major data source that drives our business.
I am very sure this case applies to other financial institutions as well.