Yeah, that's why I bought Equifax call options a little bit after the breach was announced. Made good money on those options, and it pisses me off. It pisses me off that after an event that should bankrupt a company such as Equifax, I lay hard-earned on the table knowing that I have an extremely good chance of a healthy ROI simply because of vested interests and status quo.
Like other political hot topics, this is one of those things that causes me to ask, "okay, then, how bad does it have to get before populist outrage brings about change?" Something worse happens, and this is the time, right? Nope. And so on from one event to the next.
OTOH, in this case maybe the invalidation of vast amounts of data will alone bring about changes out of necessity. There will probably be a rough patch of lawsuits, debate, and perhaps a new law or two, but perhaps it will eventually shake out something better.
> how bad does it have to get before populist outrage brings about change?
We had a bill in the New York State Senate after the Equifax breach [1]. It was dead on arrival. Practically nobody called in to offer support. It was apparent that nobody's political career would be made nor broken by this bill. When it died, there was no press; nobody noticed nor cared.
I'm guessing most people didn't know about it to offer support? Seems like a failure of the press if they didn't monitor bills and bring awareness...
That said, I'm not sure how much of a fix timely disclosure is. Maybe people thought it wouldn't go even remotely far enough to help a significant number of people and hence wouldn't be worth it. (I could even see it being harmful if it makes it less likely to get more serious legislation passed.)
> I'm guessing most people didn't know about it to offer support?
A bit of this, a bit of that. I was excited about the bill and offered to help. When it came to selling it, however, people were more animated by Trump, affordable housing and the MTA. Despite our obsession with privacy on Hacker News, it hasn't been properly sold to the public.
> I'm not sure how much of a fix timely disclosure is
It was to allow the Attorney General to investigate these crimes. Right now, there is no disclosure requirement. Unless the company reports its breach and co-operates with state Attorneys General, they basically can't be held accountable at the state level. So, naturally, they refuse to co-operate.
Is it the job of the press to notify state senators of bills on their own floor? I don’t want to undermine the value of public awareness and activism, but I think blaming this one on the press is a stretch.
Partisanship. There are no electoral consequences to moving on. So long as corporate interests have us focused on voting eligibility and who can have sex with whom, and whether there can be an abortion afterwards, no one is gonna vote based on this.
As far as anyone can tell, the data from the breach hasn't been used yet. When that happens, it'll probably be the largest identity theft fraud ever, and if it's traced to Equifax, we may see an "adjustment".
Not a chance. There have been too many other breaches, I don't see how there would be any way to tie a particular instance of potential identity theft back to a particular breach. And besides, how many more breaches will there be in the next 6 months? 12 months? Take a look at this: https://www.identityforce.com/blog/2017-data-breaches. That was last year...you think 2018 will be any better?
I believe people have a very rational reason not to support this because of the extremely dangerous slippery slope precedent it would cause. This would dramatically increase costs on consumers (they will have to pay for the risk of total annihilation of a company by being online), hamper innovation, create incentives for rogue nations to cripple our legal system by targeting large companies and watching them get fed to the American public. Who wants that?
Consumers already pay a huge cost. They just don't pay it up front -- they pay it later after the breach. And worse, the people who pay in many cases are people who were victims of the breached entity, but not customers of it (see Equifax, whose customers are other businesses, not the people whose data they gathered).
Pricing this into the service from the beginning might well cause disruption to a number of industries, but that isn't automatically a bad thing. And "innovation" that consists of involuntarily inflicting risk and suffering and ruin on third parties is perhaps not the kind of "innovation" we need -- one might just as easily argue that laws against involuntary human medical experimentation "hamper innovation".
That's a ludicrous thought. They were the victims of a crime, not the criminals.
This is in no way similar to Target or HD, other than data were taken. The whole system upon which Equifax was built relied on a semi-secret number that cannot be changed. Those numbers, or at least the majority of them, are out in the open. There was a certain degree of trust that the person sitting across from you at the auto dealer finance desk was who they say they were, and that the report stating that they're good for a loan was accurate. That was not 100% true for a number of years, and it's potentially wildly inaccurate now.
IOW, Equifax's sloppy work resulted in a broken system from where I sit. If you're thinking I'm wishing bankruptcy upon Equifax, well, I didn't write that, sorry. But if the shaky foundation upon which your business model rests collapses, I would expect severe financial penalties. But, hell, Moody's is still in business.
You mean "which the credit industry was built"...not Equifax. Equifax is just one of the big 3 CRAs. Singling out Equifax in this context is taking a very narrow view.
Equifax is more than just a company in this business. It is part of a cartel with just two other participants. It is not completely inaccurate to single out Equifax as a controller of this industry.
I don’t disagree. However, when I’m buying call options for a particular incident, I’m picking Equifax in this case, which was the context, and hence the singling out of one company amongst the three.
The Target and HD breaches were of customer data. You can choose not to shop at those stores and be safe. You can't keep Equifax from handling your data without disconnecting from society.
Not to mention I just saw yet another commercial where Equifax was selling a service to protect your data "on the dark web". Which they allowed to go there. It's like a bank losing your money and then for a fee offering to keep other people from using it.
I bought EFX after the incident and made a bundle on it too, but I don't share your outrage.
Does the breach call for some punitive response? Definitely. Does it justify destroying a $14B company? No. That's an overly emotional, witch-hunting type of response.
HN of all places should be sympathetic to what happened to Equifax; they neglected to update a framework which had a vulnerability granting full remote code execution. That's game over from an info sec standpoint, and how many developers here can state, with 100% confidence, that every library and every framework and piece of application code in their own work is totally bulletproof and will never fall victim to something similar?
The breach should be used by everyone as a lesson, and as I stated earlier Equifax should receive some punitive action (arguably already delivered by the hit to their stock price and the public floggings from the congressional hearings). But saying that Equifax should be bankrupted by it, or that the executives or developers should be thrown in jail? Be careful what you wish for. Today Equifax, tomorrow you.
I think the key part of the outrage against Equifax, and part of why it is more outrageous than most breaches, is not only was customer data revealed, but also data about people who want nothing to do with Equifax. There is no action victims could have taken to avoid this breach.
In most serious breaches, there is a certain amount of "well, you have to be careful who you give your information to..." even though it's not the victim's fault. This factor is not present in the Equifax situation. Equifax is allowed to hold and market a product based on data of individuals who never gave consent, but has no responsibility to protect that data or repercussions when they fail.
Arguably this breach has put the final nail in the coffin for using SSNs as secure identifiers. Granted, it was a horrible and mostly-already-broken system to begin with. But I think that this flawed system was still worth in excess of $14B - and Equifax's negligence effectively destroyed that value. I agree bankrupting Equifax would be heavy-handed, but it would be nice to at least see some punitive action that would discourage such negligence in the future and provide an economic disincentive to possessing vast quantities of private data.
I'm not an American, so I don't know. How much of Equifax's business and value was driven by credit checks and anything else having to do with SSNs? Because if the whole SSN system had a $14 billion value, which was then destroyed by Equifax's negligence, and Equifax had the majority of its business doing this stuff, wouldn't that make Equifax bankrupt? So either Equifax makes a lot of money doing other stuff, or the $14 billion in value wasn't destroyed by Equifax's negligence. I imagine it's the latter, that SSN is still being used for everything because oil tankers can't change their momentum so quickly. If you meant that SSNs can safely be predicted to be not used for identification a decade or two from now, who's to say this was the catalyst? Any system eventually gets revamped, even government systems, especially if they were already broken in the first place. There are many examples worldwide of ID systems and laws changing all the time. In fact, I just read that the majority of states are supposed to require Americans to use a passport for flying now. The Real ID Act? Just a bunch of states were too slow to get it done, so they've been given an extension, but even in the US, there's work being done to revamp identification in some areas. I'm not saying that it's good or bad, I'm saying that it seems to happen eventually. Why wouldn't SSN also change up even if Equifax never happened?
What hit to their stock price? It’s the same price it was a year ago.
We’ve all made computer mistakes like this, but the stakes are different. If I forget to update a framework and as a result a bunch of cat pictures leak, that’s not a big deal. If I do the exact same thing and leak important private info with financial consequences for nearly every American, that’s a much bigger deal. The data they collected needed to be stored in a bulletproof fashion. You could argue that this is impossible, but that just means the data should not have been collected at all.
The calls to destroy the company seem pretty reasonable to me. This is a classic case of an externality. Equifax cost a shitload of people a bunch of money, and they’re bearing very little of the cost. Arguably they’re actually profiting from it by selling fraud protection services.
The only question to me is: just how much did they cost the American people? Whatever it is, they should bear the entire cost. And I bet that cost is more than the company is worth.
We're deep enough in that I don't know who's the parent of whom anymore, but to be clear I bought in-the-money calls at around $93 (the hit to their stock price), and sold the contracts when it hit around $111 (seemed to have leveled off).
But you're probably not talking about me, as I'm the one pissed off that those calls made money, not thinking they've been punished. It should have hit $93 and stayed there.
Heh! To clarify, my bit about the stock price being the same as a year ago is in reference to cloakandswagger stating "Equifax should receive some punitive action (arguably already delivered by the hit to their stock price and the public floggings from the congressional hearings)."
This logic makes no sense to me. You have a company that stores, without consent, highly personal data for almost every American. There was an implied responsibility to protect that information. For such a company, security should be pretty high on the priority list. All of the following is negligence:
1) Store all this information, unencrypted
2) They were told of the vulnerability in March and had 2 months to update the software.
3) Afterwards, set up a broken website with a DV certificate to accept SSN numbers.
4) The website, even though it was a vulnerability disclosure, tried to _sell_ an Equifax identity monitoring package.
5) Redirect your own customers to a phishing website set up by a white hat hacker
6) Allow employees to have usernames/pws like 'admin/admin' on edge servers
The circumstances that led to the vulnerability, and the actions that Equifax took afterwards absolutely warrant outrage. And this is not even taking into account the original point - this is a pattern of incompetence and failure - but to add to the fire, Equifax was a company that was tasked with storing highly sensitive personal data for millions of Americans and did not take the appropriate security steps to do so; in fact, they ignored even the most basic security measures. They should have had at least bank-level security with such a responsibility. There is no excuse.
This shows how the USA is completely hostile to its own people: not only has nothing been done to punish Equifax, but the government will block any move to regulate the activity of this incompetent and borderline criminal company.
Equifax should not exist because the credit system causes so much harm spread out over many individuals. That problem existed before the breach, and it is just as much a problem with Equifax's competitors as with Equifax. The breach only serves to highlight what malignant parasites the credit agencies are.
Right now it's "Today you, never Equifax." Too-big-to-fail institutions do fail to fulfill their obligations, and if they're not substantially gutted and rebuilt they will only fail to fulfill obligations to an even worse degree.
Their stock price was temporarily damaged, and they had to have an awkward hearing in front of congress - that seems light when compared to their negligence which handed over financial and personal information for most of the country to hackers unknown. On top of this, they delayed telling the public, they admitted they only encrypt "some" of their data at rest, and a few of their executives sold stock between the time the company knew about the attack and the public didn't.
Your argument is wise to consider the "let he who is without sin" perspective, but I don't find it that compelling. They had a hoard of valuable information which they carelessly stored and they paid essentially zero consequences. If I had to choose between this world, and the world where Equifax was just liquidated with the proceeds going to people affected, I'd prefer the latter. "Won't somebody think of the shareholders?" I have, but I've also contemplated the tens of millions harmed by their incompetence.
"HN of all places should be sympathetic to what happened to Equifax"
Why should I be sympathetic to them, especially after how they handled it? And especially given that they make loads of money off MY DATA, and want to turn around and have the gall to charge me to see it, to make sure it's accurate?
In other words, there will have to be a bigger, more painful incident before anything gets done. In part, because a large committee composed mostly of lawyers is probably not the right group to even determine what needs to be done, in this particular case.
> ... there will have to be a bigger, more painful incident before anything gets done.
I'm not sure how that happens. Equifax basically exposed everyone in the US with any credit to identity theft and scams. If those thefts trickle out bit by bit over a few years, there will be no single, shocking crime wave, and nothing will happen. It doesn't take genius-level criminals to avoid creating a big enough incident.
On the other hand, I would be curious what would happen if some public-minded hacker stole ~150m people's data from one of the other two CRAs, then publicly released 538 specific records...
The generalized GOP party line is that this kind of thing is better left to private enterprise and the federal government shouldn't spend time and money coming up with some sort of identification strategy.
So what business has the motivation to spend that kind of effort? Google or Facebook?
It's kind of a perfect storm of sorts, there isn't any pressure to fix it, anywhere. The public has even lost interest in it, for the most part.
I think we need to see very large scale attacks based on this data, before anything gets done. Something like in the tune of a trillion dollars exchanging hands in a few hours, that would probably bankrupt a few large companies and make them force the government to do something about it.
If it were possible for all of the affected to individually sue Equifax, many of them already would have.
But the US civil-legal system requires "standing", which in turn requires proof of "damages". The sad fact is that loss of sensitive information is not quantifiable as "damages" for this purpose, even though that same information is worth well north of $millions when the FEC looks at the same kind of information transaction in election campaigns.
"The markets" that fiscal conservatives love to talk about don't work when our civil system doesn't recognize that there is value and a market there.
If the data breach had resulted in masses of data being traded on the black market, the Equifax breach may have ended in prosecutions and massive lawsuits. Because it didn't, it likely won't end in much.
Hell, not even the banks, retailers, and ID security services that did business with Equifax bothered to make a big deal about cancelling their contracts+relationships. The sad fact is that there's a tiny pool of companies with this data and cutting off one company gives the other players (who aren't much better at securing their networks) massive leverage.
True, in regards to laws, but in some cases their expertise helps. For example, tort reform might be an issue where a bunch of lawyers do have relevant expertise that the rest of us lack, to see possible unintended consequences, and also what is possible given the rest of the system.
But, in the case of IT security, their experience and expertise is, at best, not helpful.
However, what if keeping customer information secure was a contractual obligation as part of offering products for sale, or services for hire? Isn't a generic concept like that well-understood for lawyers and other people familiar with law?
> However, what if keeping customer information secure was a contractual obligation as part of offering products for sale, or services for hire?
"keeping customer information secure" is not a binary. Most companies that are breached don't know about it until their data hits the black market. Yahoo! revised their data breach estimates upwards half a dozen times from 100 million+ to ~3 billion+. The plaintiffs would have to affirmatively prove that a breach happened to the defendant when most defendants don't even know that it happened.
It is even harder to contractually enforce when the victim claims it was a nation-state-actor/APT since no company could hold out against a determined APT indefinitely.
I'm hopeful that cybersecurity insurance policies will move the needle towards accountability and increased prevention (insurance policies will require good-faith efforts at security policies+procedures+tools+employee actions or they won't pay out).
OK, what about: If a company storing private customer information gets breached (sufficient evidence is found of said breach), then the company must make itself fully available for a third-party investigation to confirm the existence of said breach. If the third-party investigator finds evidence of a breach, then said breach happened. If not, then there was no breach. If one third-party investigator is an insufficiently reliable number, then what about the best two out of three?
It's pretty amazing just how much data Equifax has on consumers. They also own TheWorkNumber which contains data from HR/payroll of any company using the service (everything from pay, title, insurance info, union affiliation etc). I'm not sure what hackers got away with but potentially much more than just some SSNs.
Then there are countless other credit analytics companies hoarding all kinds of other specialized data. It's scary to think about.
As a PSA: check out the list [1] of credit reporting companies that the CFPB puts out. It has the names and contact info for most and you can get copies of your full reports from them upon request (most are either required or do so voluntarily). It's a lot of effort to hit all of them but pretty eye opening and, frankly crazy, to see just how much is tracked. There are databases for how often, and where, you return items to stores/businesses as one example.
That is because they are attempting to solve the wrong problem.
Congress needs to do 3 things:
1. Find a way to limit and prohibit SSN from being used for Identity.
2. Give People Ownership over their PII, end the concept of "who collects it owns it"
3. Make companies liable for damages when they lose control over PII that is collected
Congress does NOT, should not, and likely can not create rules and regulations to govern data storage, security, etc. They should stop trying as that is not a problem they need to solve nor is it a problem that should be "fixed" in law.
Given how technically inept and thoroughly entrenched the major institutions of our financial system are, I'm almost at the point where I'm waiting until Russia or North Korea reveals that they've been planting malware for years in all of our major banks and that they're going to go ahead and push a big red button and just take all our money. Or maybe that's already happening and they're being smart by not talking about it.
> go ahead and push a big red button and just take all our money
This would result in a twenty-four hour recession. The U.S. banking system can be shut down [1] while records are analyzed and fraudulent transactions reversed. Presumably a digital hack would result in digital dollars being stolen and subsequently frozen. Whatever couldn't be recovered would probably be, in large part and at least at the retail level, reimbursed with new money.
But you can't spend any Bitcoin unless you possess some wallet's secret key. Explain to me how that poses a comparable risk to the egg baskets that are today's financial institutions. If your secret key isn't compromised, there's just no way your coins can be transferred. Furthermore, in the event that any kind of mass fraud takes place which exploits some flaw in the protocol itself (contrasted with a flaw in an exchange platform or something similar), the ledger could be hard-forked. It was done after Ethereum's DAO debacle with /relatively/ little consequence.
Bear in mind we’re at an odd time politically where the GOP controls the White House, the House and the Senate.
There is a very small window to essentially pass legislation unchecked and that hasn’t been easy with a 52-48 (with a tie breaker) majority in the Senate. We saw several failed attempts at repealing Obamacare.
What’s more that majority is about to shrink to 51-49.
My point here is the GOP currently has no time for anything bipartisan. That doesn’t mean they’ll address this of course. But it’s just not as important as the donor class agenda is right now.
Once Doug Jones is seated and we start to approach the midterms expect to see more unifying issues instead of, say, hugely unpopular tax bills for billionaires.
IMHO this issue is already dead and buried on capitol hill. The window to act has already passed. There's no hope of seeing action on this until another 300M Americans have had their data stolen.
I would see it differently: The current logic and trajectory of McConnell's several Congresses as a leader would suggest the exact opposite. That if he believes his time as leader is short that he will push through more nominations and other policies as he can under reconciliation in service of his donor class and long standing political beliefs, it doesn't help him to give the other party any policy wins. Bipartisan achievements are likely to come only as conditions for Democratic votes necessary to maintain operation of government funding.
What would that breach look like? I'm asking sincerely, because I can't fathom what kind of data breach that would be that wouldn't be able to be "smoothed" in a matter of days.
- Black card number stolen? Card frozen.
- FDIC insured account attempted to be flushed. Banks flag and/or fraud protected.
Because it won't pop up right away. It will show up when that line of credit taken out in your name goes into collections 90 days from opening.
You should read up on the havoc that is caused with stolen identity. I'm not talking stolen credit cards, more like unknown judgements taken out against you and wage (in extreme cases, wage garnishments).
FDIC has a per-person insurance liability limit of $250,000 per bank. It's possible you could find an idiot with more than that in a single bank, presumably in CDs, with no other insurance coverage on it. You need some sort of strange reverse Nigerian Prince scheme to cash that out without a paper trail ("I'm executing his will and he explicitly stated to hand out all of his assets, damn the losses, as $20 bills and fresh turkeys to orphans and other passersby on Christmas Day." Maybe call it a "Christmas Carol scheme"?). It's unlikely to be worth the time investment in terms of being a useful bank robbery, but it certainly would send a weird message to someone.
It's worth pointing out, the reason why data breach notification laws exist is because one time the relative of a California state congressman had their identity stolen because of a data breach.
> the reason why data breach notification laws exist is because one time the relative of a California state congressman had their identity stolen because of a data breach
Search for section heading "California as precedent?"
My memory was imperfect, the real story is even more direct: The data breach was the Stephen Teal Data Center, which houses payroll for state employees, including legislators and staff.
> The data breach was the Stephen Teal Data Center, which houses payroll for state employees, including legislators and staff
Sounds comparable to the June 2015 OPM breach [1], which leaked 4 million federal background check records. The root of the problem is in something other than connecting the powerful to the problem. (The Equifax breach almost certainly inconvenienced powerful people at least as much as most average Joes.)
The Alteryx leak[0,1] also didn't cause action to be taken. GAAP rules ought to be modified to treat data like a raw material - like a pile of stainless steel or lumber - which must be guarded and maintained, lest the asset depreciate into a liability.
The Panama/Paradise papers, maybe? Not that legislation to penalize the exposure of tax shelters is likely to happen, but that seems like the relevant type of breach.
Is it known how many people have actually gotten their identities stolen so far as a result of this attack? I would imagine it would not end up high on Congress's priority list if the number is still low.
Known? As of now, 0. Some people are blaming the Equifax breach for identity theft, but it's highly unlikely that was the case, they're just picking the easiest target.
How about "known" in the sense of "there's a significant uptick of ID theft cases here after the breach statistically that sure suggests it was the cause, but we obviously can't necessarily pin down any individual cases on any individual breach"?
a.k.a.: how much evidence is there of actual harm having resulted from the breach?
It's too early to tell. They may be still sitting on the stolen data for multiple reasons:
- the 1 free year of identity protection to expire
- if there's a surge, it will definitely be on the radar, it will be more publicized and more and more people will take defensive actions (like buying extended identity protection and/or freezing credit). As we can see, it kinda blew over.
I mean, that's what I'd do if I were in the 'stolen data' business.