Hacker News new | past | comments | ask | show | jobs | submit login
Equifax takes down web page after reports of new hack (reuters.com)
240 points by SirLJ on Oct 12, 2017 | hide | past | favorite | 136 comments



I feel like this has to do with Equifax basically not being punished in any major way over the last breach. Their stocks are still priced reasonably well, most of their board is still intact, and US citizens are still required to work with them for credit reasons.

And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them." And if anybody has suggestions on that, I'm totally open, because if Equifax was a dripping faucet, they'd be flooding the house by now.


> Their stocks are still priced reasonably well,

Exactly. And everyone is watching and learning a lesson from it - "If this goes unpunished, heck, we can get away with it too, screw all the security mumbo jumbo"

In an investing and finance forum I saw people were gearing up to buy Equifax after the breach was announced. The idea was that price would dip then it would go back up. Maybe enough people did that.


If that's the case, it seems like the executives at Equifax who were dumping stock after they learned of the breach (but before it was reported) were jumping the gun. They should have just held on to it!

"Three senior executives including the company’s chief financial officer sold $1.8 million in shares three days after the company learned on July 29 hackers had breached personal data for up to 143 million Americans."

http://fortune.com/2017/09/29/equifax-board-executive-stock-...


That's short sighted - how you make money is sell when high, buy when low.

So you sell right before the dip and then buy again at the bottom of the dip. They knew there was going to be a dip.


Unfortunately, the SEC might notice if those executives sold a bunch of shares on insider info, quit, and then bought more shares after the crash.

I guess they probably wouldn't do anything, but they might notice.


They absolutely should notice and investigate (and I think they are) even the initial sale, I don't see how that's not insider trading.


It pretty clearly is, I just mean that in reality that sort of thing isn't going to be prosecuted or pursued.


That is incorrect. The SEC regularly pursue people for insider trading [1]. It's one of the things that's normally pretty clear cut and hard for politicians to lean on.

1. https://www.sec.gov/news/pressrelease/2016-212.html


I guess I'm just getting jaded about the scale; when you reach a certain dollar amount, there don't seem to be consequences at all. I'm sure I would get busted for insider trading if I tried it, but my company's CEO damned sure wouldn't.

Not that it'd be easy since you have to schedule big sales like that with the feds in the first place, but I mean...come on. The sheer blatancy.


Stock price seems to be the driving factor for corporate change in America. Until that price dips, or tanks, companies appear to use that as a barometer of their behavior.


How are their stocks priced reasonably well? They lost almost 1/3 of their value after the hack.


Still over $100 a share.


Absolute price has nothing to do with company value. For example BRK.A is $279,383.00 a share.


> The idea was that price would dip then it would go back up. Maybe enough people did that.

It's always the idea, unfortunately you can never predict if it's going to bounce enough to go back up hard, or if it's going to bounce and go down again deep...


freeze your credit report with Equifax, and then if any company requests it, they'll be denied (because you have to request it be unfrozen for them to receive it).

If any company uses Equifax, you'll then be denied credit or they'll ask you to unfreeze it.. either way, you can complain to them, and make it clear you won't work with Equifax.

Of course, in practice, this will mean you'll get denied credit from any company that has a contract with Equifax.


Unfortunately you have no way to protect your tax returns from Equifax, which now has a contract with the IRS thanks to the infinite wisdom of our government.

http://fortune.com/2017/10/04/equifax-irs-contract-hackers/


From your link:

>"The Internal Revenue Service signed a $7.25 million contract with Equifax last month. The no-bid contract, first reported by Politico, is for Equifax to provide the IRS with taxpayer and personal identity verification services. The contract stated that Equifax (EFX, -1.34%) was the only company capable of providing these services to the IRS, and it was deemed a “critical” service that couldn’t lapse."

The IRS in the US needs Equifax to provide tax payer and verification services? Seriously what does that even mean? The IRS bas no other way to verify citizens?


AFAIK in the US, you're not required to check in with local authorities when you move to a new city (contrary to many European countries where you need to notify them, else you'll be fined), so there's no official register the IRS could use to find all taxpayers... maybe that's the background.


The IRS can use the previous year's filing address for all tax payers. They should be able to use the US Post Office to get address updates.

In the US people generally file a change of address when they move in order to automatically receive mail at their new address.

The fact that the IRS granted Equifax a 7 million dollar contract amounts to the US tax payer paying Equifax to put their identity at risk and cause them harm. It really boggles the mind.


USPS address forwarding is only good for six months.


The point is not how long mail forwarding is good for but rather the USPS already has up to date mailing address information for US citizens.

If the IRS is using Equifax for proper address verification as the OP states, then that information is already available via the USPS which is a government agency with real oversight.


I'd guess it is just outsourcing of a government function, you know as a way to save taxpayers money and increase government efficiency ... like those private prisons, private torturers, private plutonium processors, etc.


This is for something like the security questions when you reset your password except based on your financial records.

  - Do you recognize this street name?
  - Have you bought from this store?
  - How many mortgages did you co-sign?
Answering a set of these “knowledge” based questions is considered statistically probable proof that you’re you.


They’re derived from public records. Anyone who wants to hire the staff for legwork and pay all the individual municipalities for access can compile the same database.


But why would this any better or more effective than asking someone to verify information on their previous years tax filings such as specific line items etc?


This contract is a renewal of a previous contract with Equifax (which is why it was a "critical service that couldn't lapse"), and it involves Equifax giving data to the IRS, not the IRS giving your tax returns to Equifax.


The IRS is most certainly giving Equifax data or they wouldn't have sent inspectors there to verify the integrity of IRS data.

>Chief information officer Girza said the IRS sent inspectors to make sure no IRS data was compromised in the Equifax breach

http://www.snopes.com/2017/10/05/equifax-contract-irs/


That is nowhere close to evidence that Equifax had tax returns.


So I wonder what would happen if the IRS attempted to Eminent Domain-ify the data they needed.


Meanwhile, thanks to Equifax's amazing security, everybody else can get the same data for free ;-)


Doesn't this require you to trust Equifax to enforce and honor the freeze? I think the solution is "I don't want my report or any of my data in any sort of control or possession of Equifax". Where is that solution?


What is "your data" exactly? And in the limit, how far does this go?

Here's a question: who owns your drivers license? Here's a hint: it isn't you. Can you "own" you mailing address? Copyright and trademark it, make everyone ask permission from you before they write it down? What about your salary? Should your employer have to ask every time they use your salary number in some way, say in aggregate statistics or reporting?

What about information about how you interact with your credit card company? Who owns that, you, or the credit card company? Do the two of you have some kind of joint ownership?

We've made some of these decisions about health data and it has far-reaching consequences, some of them undesirable. It's also been very difficult to enforce. Do you want to extend that kind of regime to every piece of information about a person? Society might grind to a halt, we would be inundated with virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?" And what process would mediate this access control anyway, and how would we trust it?


>virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?"

I would grant the landlord access to contact me while I still have a business relationship with her.

This dire scenario you are trying to paint frankly doesn't sound that bad. I don't need a company to know my entire life's history to exploit my past to deliver a targeted ad.


As far as copyright, small snippets of information or sentence fragments are not copyrightable, but collections of data are.

>Society might grind to a halt, we would be inundated with virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?"

That is how messaging works on many newer systems like Facebook or Instagram, and people appear to find that level of control desirable, not annoying. The only reason the phone system works with public numeric IDs that anyone can dial is that whole thing is a relic from 50 years ago.


If you're curious about the future of privacy, while flawed in some ways, the GDPR (General Data Protection Regulation) comes into effect in the EU next May. Here's their definition of personal data [1]:

  "Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances."
And then we have this:

  "Right to change or remove your details

  If you discover that a data controller has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details.

  Similarly, if you feel that the organisation or person does not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details.

  In both cases, you can write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, the organisation must do as you ask or explain why they will not do so."
It's true that enforcement is difficult -- I imagine it'll be more reactive than proactive. That said, a breach is handled quite well, assuming the law is enforced:

https://www.dataprotection.ie/docs/Data-Security-Breach-Code...

The GDPR is a solid step in the right direction, and a model for a better approach to privacy.

[1] https://www.dataprotection.ie/docs/A-guide-to-your-rights-Pl...


The issue is that I am responsible for people using this data, but don’t own it like you mentioned. If the banks were responsible for giving out fraudulent loans and there was an easier way to prove that they were fradualent without this PI, then I wouldn’t care. But I have to care right now.


"My data" is data about me because without me it wouldn't exist.


And this is my comment, which wouldn't exist without me, and I don't give you permission to read, link to, or reproduce it.


Except you have a choice to leave a comment where I don't have a practical choice to not give my information to a credit agency.


You can essentially opt out. Just never apply for credit in your life. Good luck.

At the end of the day you do consent to this through participating in the banking/credit system.

While the data may not exist without you, you are not the one recording it. Why does it not make sense to assign ownership to the one recording/creating the data in the first place?


You consent to X when you do Y, where Y is not explicitly consenting to X, is not a valid argument.


It's valid if X is having your picture taken and Y is being in public.


I agree that people make themselves vulnerable to someone taking their picture by going outside, but I strongly disagree that people consent to having their picture taken.


Well, maybe it's more accurate to say that it's impossible to consent because no consent is required to take someone's picture in public. People generally exercise control by choosing not to be in public. You could say that having your picture taken is part of the terms of service of using public space. When you agree to something, you also agree to all of the consequences. Just because they are implicit doesn't make them invalid.

Don't get me wrong, I don't particularly like having my picture taken without my explicit consent. In the end, consent is all rather arbitrary because it's not like you can choose not to live in human society on Earth.


Because I am the one carrying the risk, not the people collecting the data.


Freezing your credit can come back to bite you if you'd like to buy a house, lease an apartment, buy a car, or open a new credit card within the next 6 months.


Only if you aren't willing to save the money for that up front. Of course most people prefer to get the stuff they want when they want it instead of when they can afford it (and going from renter to owner paying a mortgage does tend to be cheaper), but if you really wanted to, you could live without credit.


I submitted a complaint to the CFPB requiring [1] Equifax to remove my credit record, due to their proven incompetence at protecting that data (citing their breech, several congresspeople grilling their CEO on CSPAN, etc). Its been 9 days and I haven't heard back from the CFPB yet (Equifax has 15 days to respond and up to 60 days to provide a final response), but Equifax has my complaint and even if it goes nowhere, it gives me something to hand over to Elizabeth Warren's office to show I have no control over my personal data and I have no control over having it removed regardless of how incompetent Equifax is.

Fingers crossed someone with Equifax's data dump starts dumping the data of Equifax senior management.

[1] Hat tip to patio11 on the language; don't use "I demand", professionals use "I require"


As for verbiage, you may want try the phrase you later used in a follow up post. It's not really your personal data. After all, it was data from an interaction with another entity which makes it their data as well.

So, personally identifiable information (PII) is a less-debatable phrase and more legally defensible.

In the first case, if you do business with a bank then the data from that belongs to the bank as much as it belongs to you. They are reporting their information, namely that you interacted with them. Thus, that information would belong to them.

In the second case, it is personally identifiable information - which is something that's difficult to dispute. This also gives you interest in that data which is a stronger point to stand on.

As mentioned before, I am not a lawyer and this is not legal advice. However, I have extensive experience with the justice system due to my career and have taken quite a few classes concerning the law.

Also, the word 'shall' has stronger implications than 'will.' I am not sure why but it is handy to know. The defendant will comply vs. the defendant shall comply.

Best of luck.


Do you have more information on how to do this? I'm thinking that doing the same thing makes sense going forward.


https://www.consumerfinance.gov/complaint

Complaint was with Equifax, Inc. I specified I required my credit file be removed, as Equifax has had several egregious security breaches and is incapable of properly securing my PII [1]. They have 15 days to respond.

[1] https://en.wikipedia.org/wiki/Personally_identifiable_inform...


CFPB complaints are extremely easy to submit, you can do it right here: https://www.consumerfinance.gov/complaint/


That's not quite how credit freezes work, if they pull Equifax and only that bureau is frozen then they will usually just pull from another credit bureau. People who churn credit cards use this to their advantage - they often freeze the report with the most recent inquiries (usually Experian) to spread out inquiries more evenly over the three bureaus. I've never heard of anyone getting flat out denied for credit (besides mortgages) because they had a single bureau frozen. Sometimes it requires a phone call but usually its just automatic.

You also can't prevent them from reporting information about you to Equifax.

Anyways, you aren't really hurting anyone by denying yourself the ability to get credit, you're only hurting yourself.


Remember, these companies are paying Equifax for your credit report.

The point isnt to prevent any credit reporting.. but to prevent equifax specifically from earning money.

And no one is "denying themselves the ability to get credit" by refusing to unfreeze an equifax report. If the lender doesn't want to use one of the other credit agencies, then most people can find another lender. Those businesses need to know they'll lose business as long as theyre loyal to equifax.

It is unfortunate we don't have more leverage... this does leave a lot of avenues open for Equifax to continue making money. But every bit helps.


> If the lender doesn't want to use one of the other credit agencies, then most people can find another lender. Those businesses need to know they'll lose business as long as theyre loyal to equifax

lol, yeah, good luck with that when you go to get a mortgage.

Mortgage lenders pull all 3 reports, not just one. There is a ton of laws around mortgage underwriting that need to be followed. They technically may be able to underwrite a mortgage with only two credit reports but I doubt any mortgage lender actually will or if they did they'd be charging outlandish interest rates. If you're hiding a report they will assume its because you're hiding something negative that's on the report.

Things don't work like you would like in the real world, only in theory. You are delusional if you believe Chase having to pull Experian instead of Equifax once every million credit applications is going to somehow effect Equifax's bottom line.

If your landlord uses a background checking service that uses Equifax and the background check service comes back with "frozen report" and you say "I demand you use a different background checking service that doesn't use Equifax" then your landlord is just going to say lol and rent to the person who isn't being extremely difficult, as its a sign you're going to be a difficult tenant.


For this new issue, the problem is that by the time you're even halfway through the sentence "part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware", 90% of people I have decided that it's over their head and stopped listening.


I agree that the situation is bad, but I do want to call out a technicality here. You don't have to work with them. Everyone around you chooses to work with them, because they believe that doing so is safer than not. And this impinges on you, because if they have bad info on you, it can hurt your interactions with people around you.

There is little that you personally can do to control the sources others use to gather information about you. That's something that's only within the power of a legal framework. The statement, "I don't want to work with Equifax because I don't trust them," is meaningless, because you do not work with Equifax.


Comments like this are why people stop reading the comment section.


This has nothing to do with punishment. This is the result of a broken system. Most fortune 500 companies pay the ransomware price and the public is never aware of any breach. The idea of storing information on a connected network is the problem. We need to return to the brick and mortar way of storing data, i.e. Tightly guarded central facilities. Nobody should be able to steal 148 million accounts with the click of a button.


I would argue that having a single occurrence of a hack, isolated, seems unlikely.

If a site got hacked, chances are they suck at security - and then subsequent hacks are actually more likely to happen over the near future.

It takes time to turn corporate culture around, and security depends a lot on culture.

Would be great to see some statistics that would either support or disprove my assertion.


"Too big to fail"


> And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them."

Freeze your account and complain to the service that uses it.

Of course, you're not wrong—you have essentially zero leverage.


Freezing your account doesn't prevent you from data breaches, your account still exists in their database, they just say "its frozen" when someone requests it.


That's true, but that's also true of anywhere that uses social security numbers for identity verification (which is an atrocious pattern considering how poorly ssns are anonymized).


> And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them."

A good start might be never employ anyone who has worked in Equifax IT. There should be some sort of professional repercussions for being involved with an organization as incompetent as this lot seem to be.


Why is that a good start? They are ex employees. Perhaps they are no longer there because they quit due to bad leadership, bad security, bad company ethics, or maybe they were fired for continually reporting their security flaws?

I get that some people like meting out punishment, but it seems like a good idea to limit it to the people responsible.


Your and other comments are good responses. My comment was mean-spirited and (worse) wouldn't solve the problem.

A lot of the problems we are seeing can be traced back to the fact that the leadership who make decisions suffer little or nothing in the way of personal consequences. It seems past time for us to change the law so that this is no longer the case. That's about the only way things will change. It's dispiriting to see security breaches and misuse of personal data happening again and again.


I'm sure there was some incompetance at the individual level, but I think it's more likely that the key issue was that the management de-prioritized security, which lead to the IT team either not having staff on hand to fix issues that came up, or being assigned tasks other than fixing the security issues.

In that case, ruining the career of a low-level employee seems misplaced, especially when they most likely weren't the cause of these issues.


You can't see it, but I'm rolling my eyes fast at your comment.


More specifically their IT executive team. Odds are that the lower level tech staff are treated horribly


Solution to the Equifax debacle:

1) If the value of the individual damages related to this breach are in excess of the market cap of the equifax company, all company stock should be seized and distributed equally among those affected by the breach.

2) In the future, if a company controls this amount of sensitive data, they should have mandatory breach insurance. This means that they are covered for a government mandated amount based on the legal liability if all their data was lost. This will mean that the insurers will do in-depth audits of the data security of the company, and they will be incentivized year-to-year to ensure their security practices are top notch. The present system incentivizes each CEO to have a head-in-the-sand approach to data security where a hack is considered a long-tail event unlikely to happen during the ceo's 3-5 year tenure and therefore is not really worth paying attention to. In addition, it would ensure that if the potential damage done if data is leaked exceeds the value of the business storing the data, the insurance will be prohibitively expensive and the company will not be able to continue with this line of business - as it should be.


1) stock siezure would kill the market. no one wants to invest in a company if the company stock can get yanked anytime. also, a share of stock is worth what someone will pay me for (ie when i want to convert that stock to cash). who will buy this from me if all of a sudden a bunch of people will take the JG wentworth option and cash out now.

2) i absolutely agree with the insurance companies being on the hook. They alone will drive insurance rates that are through the roof if the company cant prove pen-testing, employee background checks etc... Unfortunately teh key to making insurance company care, is setting a high standard for breach victim payouts. ie if it only ends up costing an average of $0.10 per individual victim, i dont need to insure equifax for that much?


I don’t understand how that would work, do you mean liquidate the company? If you mean actually take the shares from shareholders, wouldn’t the value of the stock go to near zero? Who would buy stock that could do that? But I agree with the general idea: they should go out of buisiness and whatever they have should be sold to reemburse people affected.


I wonder if the Feds could simply seize the company and issue treasury bonds to shareholders to cover the costs of their stake at the market's price. Eminent domain, or whatever legal term is latin for "we have the guns."

Then, yeah, liquidate everything and distribute the proceeds amongst the victims. It would be expensive, but...so what? The budget is $2T, and if the fine vastly outweighs the value of the company, then it is clearly a grave situation that demands an unusual response.

Maybe they could actually issue a realistic fine, and let the company deal with it. But the company would probably just distribute any remaining assets amongst their executives, fire everyone, and declare bankruptcy or something.


> issue treasury bonds to shareholders

who aren't members of the board


There's really no reason to exclude board members other than spite. If you're going to fine them then just fine them.


Okay, their fine is the value of their stock/options in the company. I think companies would care more about security if the board members were the ones we make examples of in cases like this.


Yeah, they'd obviously have to issue a different sort of bonds for the board.


The situation would be massive liability, so you'd probably go into bankruptcy proceedings.


We're just getting into an era where everything is hackable. We haven't even begun to understand the ramifications...! Privacy has been dead for a long time (did it ever exist?), but we're only just now being confronted with what this means. We have a choice to make: make the world work for everyone, or perish!


I agree: I think we have been blessed with a long period of innocence concerning the security of our services and devices. A period that is now coming to an end with increased attacks by increasingly powerful entities.

The dot-com-bubble showed us that businesses should not be valued simply because they leverage hot new technology (hold your AI comparisons...). These high-profile hacks and security failures will hopefully show us that businesses should not be considered secure simply because they stack up to other measures of value.

I would hope that in the future, a fault in a company's infrastructure security is considered as seriously as a fault in its core business model.


> We're just getting into an era where everything is hackable

It's true, however there seems to be a pattern incompetence when it comes to Equifax. When the first hack happened, if my memory serves me well, they started blaming Apache struts for the security breach, which might or might not be true, however the security patch was available for month when the hack occurred.


Yes, this was discussed earlier today: https://news.ycombinator.com/item?id=15456221

And debunked...it wasn't a hack of the Equifax web site, but a malware package delivered by 3rd party analytics company, Fireclick.


Not exactly. Equifax has hardcoded references to an akamai cache of a domain (hints.netflame.cc) in their own pages[1].

That domain was owned by Fireclick (né Digital River) at one time, but changed ownership on November 15, 2016. The current owner is a Thai national using a personal Gmail address as the registration info.

Equifax should be responsible for what 3rd party domains it is referencing in their pages.

[1]https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js


That script was provided by Fireclick, so they're the ones that hardcoded it. It even specifically says "Please do not modify this code".


I'm not sure that bit matters, it's hosted on an Equifax server and served in their pages. And pulling in a script from a very sketchy domain.


The script they hosted was legitimate. The Akamai content that it loaded, was legitimate. But Fireclick let the domain lapse, and someone else is now impersonating them and serving malware, and not just to Equifax, either. Why is the story "Equifax hacked again" instead of "Akamai serving content from known spammer site"?


I'm reasonably sure the whole Fireclick infrastructure was abandoned, probably years ago. So Equifax's part was not having some mechanism in place to remove 3rd party references for 3rd parties that aren't delivering anymore. I strongly suspect that predated the change in ownership of the domain, which was almost a year ago. The fireclick.com domain is gone. The parent company (Digital River) doesn't mention offering any kind of analytics service.

So, yes, technically the vector wasn't directly an Equifax server. But it was only a vector because nobody removed the reference.

Right now, they also reference crazyegg.com in their pages. If crazyegg goes belly up, the domain will be dormant, and when it expires, somebody might take it over. Does Equifax have an onus to deal with that, or can they blame someone else?


I don't know, how can you reasonably defend from that sort of domain hijacking/repurposing? We fundamentally have to trust DNS at some level, but domain names are somewhat transient in nature. Is it fair to single out Equifax here, or is this just an example of an unsolved problem in the industry?


Somebody used to log into the backend that showed them the statistics. Surely they noticed when it disappeared?

Security scans also usually include breakdowns of 3rd party stuff.

But yes, there's ways it could go wrong. On the other hand, Equifax is one of very few places that has so much important data. I'd expect them to be leaders in this space, not lackluster followers. Subresource integrity, perhaps more due diligence on partners...stick with bigger players for code that shows up on your site, etc.


I'd have to guess that someone cancelled the analytics at the business level, but never bothered to write up a change request to tell the devs to take it out.


Don't worry, we only blindly pull in and execute "good" third-party code in your browser.


That's pretty interesting. Would users running ad blockers be protected from this kind of thing?


Only if they blocked an akamai url that was caching a netflame.cc url


Something's doesn't sound quite right over at Equifax, I would have thought that with the scale of the last breach a full and thorough audit of all existing systems would have been a major priority!


Why would you think that?

>Hack Will Lead to Little, if Any, Punishment for Equifax

https://www.nytimes.com/2017/09/20/business/equifax-hack-pen...


>I would have thought that with the scale of the last breach a full and thorough audit of all existing systems would have been a major priority!

Why would you think that? Equifax hasn't suffered for its poor security - you have. Indeed, Equifax was rewarded with a massive IRS contract for its malfeasance. Its very much like what we see in the banking sector, where even when the banks get caught stealing, at worse they are fined only a fraction of what they stole, leaving them with a hefty profit. That's what crony-capitalism looks like. Why would Equifax or any other corporation change their very profitable business practices if they don't suffer any downside for their wrongdoing?


Just a normal, slow moving, bureaucratic corporation.

But even if they were faster, I'm sure an audit of all existing systems is not as simple as making sure all the doors and windows are locked around the house.


You can hire a good group of independent pen testers or security companies, and let them hammer your public facing sites. They don't lack the necessary financial resources. At least they would have discovered that type of problems. It's not difficult when there's a will.


Knowing your vulnerabilities, fixing them, and caring about them at all are all different things.


The incompetence is mindblowing. Could this be a good argument for software engineers to get their professional license?


It seems abundantly clear that Equifax's incompetence is _systemic_. Under the presumption that they could have hired better engineers, I fully believe they would have managed them into submission.


The kind of licensing here would (or should) provide significant negative consequences for malpractice, possibly including revocation or suspension of the license (and therefore prohibition of working on projects requiring licensed engineers) and even civil or criminal penalties. It also carries credibility and protection: a licensed engineer has a duty to report employers' attempts to circumvent rules like Equifax hypothetically would have done, and legal protection for his livelihood when he does so.

It may not prevent truly unscrupulous or spineless engineers from capitulating, but it's better than the current situation.


Or you know punish the managers for once instead of the footsoldiers...

When Wells Fargo had their credit scandal the salesmen shouldn't have been punished, their managers should've.

These things start at the top. When deadlines are pushed onto you, you don't have time to write unit tests, refactor, update dependencies.


Licensing empowers the engineer to refuse to do something that violates sound engineering practice according to the license and have legal recourse against retaliation.

It isn't perfect, and the imbalance of power will certainly still be an issue. But that doesn't mean we shouldn't try.


> Licensing empowers the engineer to refuse to do something that violates sound engineering practice according to the license and have legal recourse against retaliation.

It would just put most legal liabilities on engineers vs the org. It's a great way to protect management, that's the only thing it's going to do. That's exactly how dumb traders end up being scapegoated with each financial scandal. Any engineer who would dare report any wrong doing would be blacklisted for life from the IT industry.

Business like Equifax already have legal requirements at the org level, let's not shift all responsibility onto engineers.


I'd be amazed if the average/combined skill level of engineers at any large company exceeds the average/combined skill level of the people trying to compromise its security.

And that's not taking into account the bureaucratic overhead necessary to make changes in such an environment. There are very good, and very bad, reasons why upgrading insecure software and fixing other security holes takes too much time and effort.

Equifax just happens to be a very attractive target. I don't know how any such target can stay truly safe.

(Having said that, they clearly screwed the pooch in a lot of ways, so I won't shed a tear if they're dismantled.)


Libraries, frameworks, and other security systems don't have to be developed in-house. It's just like basic data structures and algorithms: few ought to be rolling their own and should instead be using libraries.


All of those are insecure, so it's still a matter of staying ahead of attackers. And avoiding social engineering. And making certain the code that glues those libraries and frameworks together is secure. And making sure people don't accidentally leave an S3 bucket unsecured. And making sure every 3rd party contractor on-site doesn't take advantage of softer internal security. And making sure employees aren't bribed by competitors.

And making sure the business can still function while doing your best to limit functionality.


Yes and no; it was Apache code that was exploited. The failure tho' wasn't technical really; it was the lack of urgency in patching once the flaw was known, which is 100% on management


Or managed into finding another job, most likely.


This particular site looks like it might not have been touched for a decade or more.

So there is also the argument of "any engineers at all" vs "better engineers".


A professional license for what? CRUD apps? a CS education doesn't even make one a web security specialist. What's next? forcing corporations to use Microsoft technologies to stifle competition and innovation? like big vendors never release insecure products? like big consultancies never develop insecure apps?


No, because then you get things like this happening:

https://www.clickondetroit.com/news/fake-architect-sentenced...

Also, consider how much of the software you use on a regular basis would not exist, if mandatory licensing were in place.


I'm not sure requiring a license to practice software development is a good idea, but it does seem that we could use some rules around development and maintenance of important applications. Perhaps legally mandated security audits for anyone storing things like financial data would be useful.


What % of Fortune 500 companies are already paying ransomware fees unbeknownst to their users/customers?


The Web has gotten so much worse since we started putting serious stuff on it. It's kind of a population-terrorizing monster, at this point.

Could we, like... not do that? I seem to remember the world turning just fine when you couldn't push the right sequence of buttons and steal the personal data of half a country's citizens from the comfort of your home.


Is Equifax particularly bad for a credit bureau, or are the other guys just as bad? This is cause for worry towards all of these organizations.


After recently freezing credit at all three bureaus...Transunion does it right. Free acct can toggle a freeze anytime. They show a little ad when logging in, but that is fine.

Experian has no free acct login. Equifax will next year.


Where is the action from the federal government? Are any representatives working on legislation for better data protection / handling regulations?


Someone must not be having a good day over at Equifax. Where is the breaking point for a company like this?


The credit services seem like a good candidate for nationalization or high levels of regulation.


it's amazing how much the finance industry can get away with. like honest-to-goodness amazing.

it's really impressive how these people can have such a death-grip on society. honestly, i'm more curious than mad. how is such a thing even possible? i mean, wow.


It's not "finance" per se. It's anyone granted a carte blanche privilege of some rent to exploit. This is almost always granted either directly or indirectly by the government.

How has finance made it possible? By getting the government to subsidize the industry for all existing entrants at the expense of people who may have better, more progressive ideas about how to manage the financial system. Also at the expense of people in general.


The big moneybags are always above the law.

This seems to become one of the biggest problems of modern civilization. Until it's fixed, all sorts of issues like this, and bigger, will continue to occur.


Avoiding repercussions for bad security is pretty much consistent across all industries.


Because of our corrupt banking system and the politicians in bed with them.


Having been in that system, the reality is so much more bizarre than that.

The actual reality I observed is that the government inspectors and regulators are lawyers and older industry people who simply don't understand technology. Since the US government has limited technical expertise they rely on FIs to adhere to standards and propose self-regulatory measures.


The finance industry as a whole spends a few billion dollars on lobbying. They spend the most on lobbying compared to every other sector. imo this is one of the things the tech industry hasn't fully optimized yet


Neither of your first two sentences seem to be true:

- [Lobbying Spending Database | OpenSecrets](https://www.opensecrets.org/lobby/top.php?showYear=2017&inde...)

And note that "Education" isn't spending that much less!

> imo this is one of the things the tech industry hasn't fully optimized yet

How would the tech industry "optimize" lobbying? Or even just lobbying by finance?


You're kind of right. I misread the decimal as a comma in $248,785,615.00. Pharma / Health is the next highest spending industry at around $144,778,982, about $100 million less than finance. Finance is the top lobby. Tech lobbying is at $68,403,203 which isn't even half of what finance officially spends on lobbying.

The OpenSecrets lobbying data also doesn't include lobbying money that isn't officially lobbying money. A lot of politicians, at least in the US - including state level legislators, have non-profit foundations with sketchy ledgers. With many of these foundations, little of the money dontated actually goes towards their publicly stated causes. Most of it is spent on miscellaneous expenses such as trips and dinners or on political ads.

https://nonprofitquarterly.org/2015/02/09/politics-and-the-u...

https://www.bostonglobe.com/opinion/2013/08/03/how-end-polit...

https://www.publicintegrity.org/2013/06/12/12794/state-legis... - oversight doesn't usually happen when it's not public funds being directed into the non-profits

If you include the finance industry's donations to sketcy non-profits that are closely tied to politicians, then I'm guessing it would dwarf what we're seeing compared to just official lobbying money

Tech would 'optimize' not just by spending more, but also in offering benefits that finance can't offer such as better data for say elections as an example


Well, these guys are simply too big to fail. Equifax cannot go bust, otherwise loads of consumer credit (mortgages, car loans etc) would freeze up, causing huge harm to the economy.

The market likely knows this, hence the stable stock price.


Genuine question, how are Equifax's services functionally different from the other credit bureaus? What is to stop the federal gov from shutting them down to protect national security forcing any business partners to move to the other providers.


Equifax cannot go bust, otherwise loads of consumer credit (mortgages, car loans etc) would freeze up

Nope - there are two others who will gladly take up the slack.


My company would be really hampered if Equifax went bust. We do use two other credit bureaus, but some functions depend on data only Equifax provides.

We also use the different bureaus together for cross checking, often one bureaus file will be out of date or have errors, while the other is fine. So we'd have a much harder job of calculating risk if one of the big bureaus went out of business, simply because we'd be losing a major data source that drives our business.

I am very sure this case applies to other financial institutions as well.


Pretty sure this is just how it is now.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: