
Moody’s downgraded Equifax from “stable” to “negative” due to cybersecurity - hsnewman
https://gizmodo.com/equifax-is-finally-getting-kicked-in-the-money-bags-due-1834976747
======
duxup
I recall someone who was a security director at Panera Bread (a US-based fast
casual restaurant) who was confused and upset when a security researcher
contacted them and asked to exchange a PGP key ... I suspect he straight up
didn't understand what the request for a key meant or possibly even the issue,
as it was a very obvious issue and they did nothing about it until it hit the
press.

His previous job... at Equifax.

Oh I found the story:

[https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815](https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815)

~~~
ufo
The initial email exchange is indeed a sight to see, so I transcribed the text
in the image:

---------

Hello Mike et al

Thank you for making yourself available. There is a security vulnerability on
the delivery.panerabread.com website that exposes sensitive information
belonging to every customer who has signed for an account to order Panera
Bread once. This shows the customer's full name, email address, phone number
and the last four digits of their saved credit card number. Moreover, the
users are easily enumerable which means an attacker can crawl through the
records.

I can provide the specific details of the vulnerability over email once you
respond, but if you prefer (for more security), I can also encrypt the
information with a PGP key you provide me. Alternatively we can hop on a phone
call.

Best Regards, Dylan Houlihan

--------------

Dylan

My team received your emails however it was very suspicious and appeared scam
in nature therefore was ignored. If this is a sales tactic I would highly
recommend a better approach as demanding a PGP key would not be a good way to
start off. As a security professional you should be aware that any
organization that has a security practice would never respond to a request
like the one you sent. I am willing to discuss whatever vulnerabilities you
believe you have found but I will not be duped, demanded for
restitution/bounty or listen to a sales pitch.

Regards, Mike
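
The bug class the first email describes (records keyed by an easily enumerable id, returned to whoever asks) as an added example; this is not code from Panera, from the linked write-up, or from anyone in this thread. It shows a constructed lookup with no ownership check, the crawl that dumps it, a hardened lookup that ties the requested id to the caller's session, and a simple enumeration detector over constructed access-log lines. Every name, id, token, path and log line here is made up for the example.

```python
"""Added example: enumerable-record exposure, its hardened form, and detection.
Nothing here is real Panera or Equifax code; all data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Customer:
    name: str
    email: str
    phone: str
    card_last4: str


# Constructed sample table. Sequential integer ids mean the whole keyspace
# can be walked with a for loop, which is exactly what "easily enumerable" means.
CUSTOMERS: Dict[int, Customer] = {
    1: Customer("Ada Example", "ada@example.com", "555-0100", "4242"),
    2: Customer("Bob Example", "bob@example.com", "555-0101", "1111"),
    3: Customer("Cy Example", "cy@example.com", "555-0102", "9876"),
}

# Constructed sessions: opaque token -> customer id it was issued for.
SESSIONS: Dict[str, int] = {"tok-ada": 1, "tok-bob": 2}


def vulnerable_lookup(customer_id: int) -> Optional[Customer]:
    """Vulnerable: returns any record to any caller. Nothing links the
    requested id to the identity making the request."""
    return CUSTOMERS.get(customer_id)


def crawl(lookup: Callable[[int], Optional[Customer]], max_id: int) -> List[Customer]:
    """What an attacker does against the vulnerable endpoint: iterate the id
    space and keep every record that comes back."""
    found = []
    for candidate in range(1, max_id + 1):
        record = lookup(candidate)
        if record is not None:
            found.append(record)
    return found


class AuthzError(Exception):
    """Raised for an unknown session or a record the caller does not own."""


def hardened_lookup(session_token: str, customer_id: int) -> Customer:
    """Hardened: resolve the caller from the session first, then return only
    the record that belongs to that caller. Unknown session and foreign id
    produce the same error, so the response does not leak whether an id exists."""
    caller = SESSIONS.get(session_token)
    if caller is None or caller != customer_id:
        raise AuthzError("not authorized")
    return CUSTOMERS[customer_id]


# Constructed access-log lines in the shape "<client ip> <method> <path> <status>".
# 10.0.0.5 walks four different ids; 10.0.0.9 re-reads its own record twice.
SAMPLE_LOG: List[str] = [
    "10.0.0.5 GET /customers/1 200",
    "10.0.0.5 GET /customers/2 200",
    "10.0.0.5 GET /customers/3 200",
    "10.0.0.5 GET /customers/4 404",
    "10.0.0.9 GET /customers/2 200",
    "10.0.0.9 GET /customers/2 200",
]


def flag_enumeration(lines: List[str], threshold: int) -> Set[str]:
    """Detection heuristic: a client that touches `threshold` or more distinct
    customer ids is crawling, not using the site. Counts distinct ids per ip
    regardless of status code, because 404s are part of a scan too."""
    ids_per_ip: Dict[str, Set[str]] = {}
    for line in lines:
        ip, _method, path, _status = line.split()
        if not path.startswith("/customers/"):
            continue
        ids_per_ip.setdefault(ip, set()).add(path.rsplit("/", 1)[1])
    return {ip for ip, ids in ids_per_ip.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable crawl dumped", len(crawl(vulnerable_lookup, 10)), "records")
    print("hardened, own record:", hardened_lookup("tok-ada", 1).name)
    try:
        hardened_lookup("tok-ada", 2)
    except AuthzError as exc:
        print("hardened, foreign record:", exc)
    print("enumerating clients:", flag_enumeration(SAMPLE_LOG, threshold=3))
```

The authorization check is the fix; switching to random, non-sequential ids is only defense in depth and does not replace it. The log heuristic is deliberately crude (distinct ids per client, no time window) so the idea is visible; a real detector would bucket by time and by authenticated principal rather than raw ip.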

~~~
siffland
reminds me of the time Oklahoma City was threatening CentOS with calling the
FBI because their website was down and they thought CentOS hacked it:

[https://www.theregister.co.uk/2006/03/24/tuttle_centos/](https://www.theregister.co.uk/2006/03/24/tuttle_centos/)

If you are in a position where you don't understand the e-mail then ASK
someone who does. Or a quick google search with "PGP e-mail", wow was that so
hard. The guy was probably late for a golf game or something (ok now I am
being mean). Idiots.

~~~
Rafuino
Not Oklahoma City, an Oklahoma city (lower case 'c'!). Actually, it's more of
a tiny town... Tuttle has ~6000 people and OKC has >100x that.

------
SethTro
> Moody’s downgraded Equifax from a “stable” to a “negative” outlook

> Lawsuits and investigations have cost $690 million in the first quarter of
> 2019 alone

> And the lawsuits will keep coming: In January, an Atlanta judge denied
> Equifax’s attempts to dismiss class-actions filed against the company.

Looks like there are real consequences to losing data on half of all Americans

~~~
AdmiralAsshat
But not because of anything Congress did.

~~~
Wowfunhappy
I would have liked Congress to do more too, but is this relevant here?

~~~
Someone1234
In a thread discussing Equifax's data breach, costs, and liabilities? Where
would it be more relevant?

~~~
Wowfunhappy
I think I overreacted somewhat, sorry for that.

But, ideally it should have been a direct comment on this story. You replied
to an unrelated statement.

------
_bxg1
It sounds like most of these costs are just from having to finally _do_ the
things they skimped on in the first place. If so, it's not really a loss
compared to if they had taken the right steps at the beginning. So it may not
really disincentivize them from cutting corners again in the future.

It'd be like if the only punishment for getting caught cheating on a test was
"well now you have to take the test without cheating". You're probably going
to give it a try every time.

I'm seeing a pattern with these "Congressional hearings" where politicians
bring in CEOs, let off a few zingers to really stick it to 'em, score some
points with their constituents, and then... do absolutely nothing of
substance.

~~~
jiveturkey
> It sounds like most of these costs are just from having to finally do the
> things they skimped on in the first place.

Source? It's not TFA. TFA only talks about legal costs in the past, and
doesn't state it but implies future projections are also for legal costs.

With $700MM of legal costs in 1 quarter, if that is 49% of the total (51%
--most-- going to finally do the things) expenditure, that's $1.4bn in one
quarter. Their entire 2018 revenue was just $3.4bn ($835MM in Q4).

~~~
_bxg1
The article placed a general emphasis on "cybersecurity costs"; I guess it
didn't really indicate what percentage was that vs. litigation, but any
"cybersecurity costs" are as I described above: costs that should've already
been spent before the breach and are just being forced now. Only the
litigation is a true "penalty".

~~~
jiveturkey
Absolutely, only the litigation is a penalty. The article specifically and
explicitly stated, $700MM in legal costs.

> Lawsuits and investigations have cost $690 million in the first quarter of
> 2019 alone,

------
lkrubner
EquiFax outsourced its network monitoring to ReliaQuest, and I have a friend
who works at ReliaQuest, so I've followed this with some interest. There is a
general issue here too. Back in 2017 I wrote:

"But I don’t mean to only focus on EquiFax. I’ve seen many small companies
where computer security was considered the exclusive job of the tech team. I
recall a jewelry manufacturer in Richmond, Virginia, which had about 100
people, including a tech team of 3. Top management of such a company has the
option to educate everyone about the importance of security, or they can just
leave the task to the tech team. The tech team is often happy to gain the
power granted by being in charge of such an important function. And then they
implement silly rules, like forcing all passwords to change each week — minor
rituals that annoy a lot while offering little real security. Real security
could only come from educating the staff about the open nature of email, the
importance of using encrypted communications, the importance of protecting the
intellectual property of the firm. A company with 97 ignorant people and 3
security minded people can never be as secure as a company with 100 security
minded people."

[http://www.smashcompany.com/business/if-a-company-is-serious-about-security-then-who-in-the-company-is-serious-about-security](http://www.smashcompany.com/business/if-a-company-is-serious-about-security-then-who-in-the-company-is-serious-about-security)

------
sna1l
Their stock price has recovered a lot of the losses they experienced after the
hack.

[https://finance.yahoo.com/chart/EFX#eyJpbnRlcnZhbCI6ImRheSIs...](https://finance.yahoo.com/chart/EFX#eyJpbnRlcnZhbCI6ImRheSIsInBlcmlvZGljaXR5IjoxLCJ0aW1lVW5pdCI6bnVsbCwiY2FuZGxlV2lkdGgiOjUuNTU1NTU1NTU1NTU1NTU1LCJ2b2x1bWVVbmRlcmxheSI6dHJ1ZSwiYWRqIjp0cnVlLCJjcm9zc2hhaXIiOnRydWUsImNoYXJ0VHlwZSI6ImxpbmUiLCJleHRlbmRlZCI6ZmFsc2UsIm1hcmtldFNlc3Npb25zIjp7fSwiYWdncmVnYXRpb25UeXBlIjoib2hsYyIsImNoYXJ0U2NhbGUiOiJsaW5lYXIiLCJwYW5lbHMiOnsiY2hhcnQiOnsicGVyY2VudCI6MSwiZGlzcGxheSI6IkVGWCIsImNoYXJ0TmFtZSI6ImNoYXJ0IiwidG9wIjowfX0sInNldFNwYW4iOnsibXVsdGlwbGllciI6MSwiYmFzZSI6InllYXIiLCJwZXJpb2RpY2l0eSI6eyJwZXJpb2QiOjEsImludGVydmFsIjoiZGF5In19LCJsaW5lV2lkdGgiOjIsInN0cmlwZWRCYWNrZ3JvdWQiOnRydWUsImV2ZW50cyI6dHJ1ZSwiY29sb3IiOiIjMDA4MWYyIiwiZXZlbnRNYXAiOnsiY29ycG9yYXRlIjp7ImRpdnMiOnRydWUsInNwbGl0cyI6dHJ1ZX0sInNpZ0RldiI6e319LCJjdXN0b21SYW5nZSI6bnVsbCwic3ltYm9scyI6W3sic3ltYm9sIjoiRUZYIiwic3ltYm9sT2JqZWN0Ijp7InN5bWJvbCI6IkVGWCJ9LCJwZXJpb2RpY2l0eSI6MSwiaW50ZXJ2YWwiOiJkYXkiLCJ0aW1lVW5pdCI6bnVsbCwic2V0U3BhbiI6eyJtdWx0aXBsaWVyIjoxLCJiYXNlIjoieWVhciIsInBlcmlvZGljaXR5Ijp7InBlcmlvZCI6MSwiaW50ZXJ2YWwiOiJkYXkifX19XSwic3R1ZGllcyI6eyJ2b2wgdW5kciI6eyJ0eXBlIjoidm9sIHVuZHIiLCJpbnB1dHMiOnsiaWQiOiJ2b2wgdW5kciIsImRpc3BsYXkiOiJ2b2wgdW5kciJ9LCJvdXRwdXRzIjp7IlVwIFZvbHVtZSI6IiMwMGIwNjEiLCJEb3duIFZvbHVtZSI6IiNGRjMzM0EifSwicGFuZWwiOiJjaGFydCIsInBhcmFtZXRlcnMiOnsid2lkdGhGYWN0b3IiOjAuNDUsImNoYXJ0TmFtZSI6ImNoYXJ0In19fX0%3D)

------
motohagiography
What gizmodo overlooks is that a Moody's rating is usually related to company
debt, which means that a ratings downgrade increases the interest rate they
have to pay to roll over existing debt or issue new debt.

Seems like a company with a large debt/income ratio could be crippled pretty
fast by a ratings downgrade because it increases the percentage of revenue
they pay in debt interest. If they have a high debt load and their profit
margins are single digit, they risk ceasing to be profitable, which will tank
the stock. It's a spiral.

If they have catastrophic cybersecurity exposure that opens them up to fines,
settlements, and customer attrition as a result of an incident like the one
that affected Equifax, well that's a target for a fire sale.

It's practically inviting hackers to target companies with high debt/income
ratios on behalf of short sellers for that reason. It would be a slow motion
car crash that would be hard to time correctly, but the confluence of
debt/leverage and security risk seems like a perfect storm.

------
donclark
Another situation of too big to fail? I sure hope not. Why are they still in
business? Any worthy regulation of any type would have shut them down already
no?

~~~
JumpCrisscross
> _Why are they still in business?_

Lawsuits are progressing. It's possible legal costs (plus the accompanying
reputational damage) will eventually force Equifax into bankruptcy. (I, for
example, refuse to open credit lines if they require an Equifax credit check.)

At the end of the day, you can't just kill companies because you don't like
them. We don't have general data protection laws with heavy penalties in the
United States. The only way to extract a pound of flesh is to show damages,
which has been difficult given how little we know about who stole the data and
what they did with it. Nevertheless, the lawsuits progress.

~~~
0xDEFC0DE
Going to enjoy the inevitable dumpster fires because of Equifax suddenly
becoming unreachable.

------
W-Stool
How these guys are still in business and still collecting financial data on US
citizens frankly baffles me.

~~~
papito
It is really, _really_ hard to get in trouble in the United States if you have
a lot of money and some friends in Washington.

~~~
thfuran
And all it takes to have friends in Washington is some money.

------
dotnetdemon
Equifax: where you’re a customer whether you wanted to be or not.

~~~
larkost
Not quite right, rather "Equifax: where you're our product whether you wanted
to be or not."

~~~
dotnetdemon
I stand corrected :)

------
pgrote
It will never mean a thing and will never change until those in leadership
positions in corporations suffer criminal penalties for lack of oversight and
protection of data.

Unfortunately, the federal government has no appetite for holding corporations
criminally responsible for actions in this day and age. The belief in too big
to fail and campaign donations are monumentally hard to overcome.

------
burtonator
I was thinking holding cash in ESCROW for these companies might be a way to
get them to take this shit seriously.

The idea is to lock up your payment in escrow for 12 months.

50% of it would be in escrow and 50% is sent to the recipient.

You then use a multi-sig transaction for the escrow.

If your customers find out you did something shady they can all revoke their
payment to you and you lose 50% of your revenue for that year.

All it would take is for the N of the M wallet signatures to agree that what
you did was a breach of contract.

This could be done optionally too. Companies that enable this type of payment
would see more customers so the free market dynamics would take over.

It could also be legally required too of course.

------
toomuchtodo
Anyone have a current status on how to effectively sue Equifax for data
exposed?

~~~
hello_newman
Last year, I tried to sue them in Small Claims court (in California) using
this as a guide: [https://blog.legalist.com/i-won-8-000-from-equifax-in-small-claims-court-heres-how-you-can-too-f0ce6925c079](https://blog.legalist.com/i-won-8-000-from-equifax-in-small-claims-court-heres-how-you-can-too-f0ce6925c079).

For me, it was unsuccessful. They sent out a representative and we argued away
from a judge (forget the term used) and I decided not to see the judge because
if I argued before him and lost, I would be "unable" to bring it before a
judge again.

I've heard of this tactic working for certain consumers (like in the article
above) but for me what was hard to establish via small claims court, was how
exactly I was facing monetary damages. Most lawsuits allow punitive damages,
but small claims court does not, so you have to prove exactly how you were
monetarily damaged.

That being said, I would definitely be down to sue them in small claims court
again using a better strategy. I would also join a class action lawsuit.

~~~
drewmol
I'm planning to do this (small claims court). When I looked into it a year ago
I did not have confirmation that Equifax did business in the jurisdiction,
which was a requirement. My previous employer (I'm still on their payroll as a
part time employee) recently notified me that they are now participating in
Equifax's "The Work Number" so I'm going to request my data in a month or so
as confirmation of Equifax operating in this jurisdiction. I plan to claim
damages as the service cost of enhanced credit monitoring service in
perpetuity, at least up to the limit of $6,500. Any thoughts on this approach?
What did you declare as damages and what was the representative's rebuttal?

------
Simulacra
In the long run I don't think anything will change at Equifax. At worst, it
will get absorbed by another company, re-branded, and no one will know where
the former Equifax has gone. At best, it will get disbanded and its executives
put in prison.

------
bikeshed
Honestly, Equifax should’ve folded after that breach. Any company that loses
all its customer data should cease to exist.

~~~
eppsilon
None of us are Equifax's customers - we're their product.

------
dba7dba
A few weeks before the news of the Equifax hack broke, I specifically remember
seeing job postings for DevOps engineer at Equifax.

------
victorkab
Hey Hacker News,

I am Victor, the CTO of Truework
([https://www.truework.com](https://www.truework.com)), a startup providing an
alternative to Equifax / TheWorkNumber.

We are working to change the way employment & income information is shared by
employers with a more privacy focused approach where you, as an employee,
decide if you want to give the information to the requester.

I started this company after I found out that Equifax shared my employment and
income information without my consent when I was working at LinkedIn...

AMA

Also we're recruiting:
[https://www.truework.com/careers/](https://www.truework.com/careers/) !

~~~
itswednesday
Does Equifax actually have my employment and income information? I thought it
was just credit reports, etc

~~~
victorkab
Yes, Equifax has accumulated employment and income information through their
purchase of The Work Number
([https://en.wikipedia.org/wiki/The_Work_Number](https://en.wikipedia.org/wiki/The_Work_Number))
in 2007. They have 200 million employment records and likely a higher
multiple of paychecks.

They have a large share of the Fortune 500 companies in the US. If you have
worked for a large firm in the past, it's likely that every single one of your
paychecks is somewhere in their database.

~~~
sjg007
Huh.. that sounds illegal.

------
xvector
Those in charge of grossly mishandling customer data need to be arrested.

------
ga-vu
$1.4 billion in expected losses from the hack. That's quite the loss.

------
cascom
Where is my check?

------
jhare
Watch out Equifax, here come those collection calls.

If owing thousands as a US peasant earns you harassment and dozens of calls a
week, I'd love to see the Experian leadership get thousands a second if we're
staying proportional.

Corporations are people and all.

