
Equifax under pressure after data breach update - yawz
http://www.bbc.co.uk/news/technology-43033202
======
dasil003
Given the way they handled this, I assume Equifax actually has _no idea_ what
was leaked. The CEO publicly throwing a single sysadmin under the bus for lack
of patches indicates they are probably operating in the security stone ages
and have insufficient logging to reconstruct what happened in any capacity.
Just my guess.

~~~
rotrux
> I assume Equifax actually has no idea what was leaked...

Agree. But not necessarily due to ineptitude.

> "...throwing a single sysadmin under the bus for lack of patches indicates
> they are probably operating in the security stone ages..."

Disagree about the conclusiveness of the indication. Disagree Strongly.
Equifax, Experian, & TransUnion are all high-value targets for state-level
actors who are prly pretty good at breaking into things.

If we ever find out that 8-year-old Jimmy from New Jersey broke into Equifax
instead of...say...Russia, I'll owe you a dollar.

------
ahelwer
Data about people needs to become a huge liability for corporations. If they
want to (massively) profit off information about me, there must be incentives
to keep that information safe beyond bad PR when it leaks. There's a
legislative idea I like, undeniably a pipe dream at this moment, which in
broad strokes is this:

If a corporation holds data records about people, and those records are leaked
in any way, a fine of $100-1000 (depending on severity) _per record_ must
immediately be paid to a supervising government agency. The impacted people
can then receive their share of the fine upon request.

You can Socrates this whole thing to death (what is a record? what is a leak?)
but our legal system is, if nothing else, extremely well-practiced at creating
robust definitions for abstract things. The solution presented seems extreme
within our current paradigm, but it (or something like it) _must_ come to pass
if we are to have any hope of avoiding information dystopia.

~~~
rasjani
GDPR hopefully will be what you are asking.

------
ideonexus
Others on HN have recommended this before and I finally went ahead and froze
my credit reports with the credit agencies. I haven't missed it in the last
six months. If I ever need a car loan or credit card, I can temporarily
unfreeze with specific agencies to grant access to the creditor. Here's the
numbers:

Equifax — 1-800-349-9960

Experian — 1-888-397-3742

TransUnion — 1-888-909-8872

Innovis — 1-800-540-2505

A lawyer friend of mine who specializes in identity theft told me this was too
extreme a way to go and that I should sign up for Credit Karma. But isn't that
just opening up yet another access point to thieves? Plus, I feel that
freezing my credit denies these reporting agencies the value of data.

~~~
tombrossman
I'd love to freeze my credit but as one of the millions of Americans living
overseas I have learned that this is flat out impossible for us. I've even
written to my Senators and they can't get it done either (One positive note,
it was surprisingly easy to reach them and they seemed genuinely eager to
help).

Fortunately 'identity theft' is an imaginary concept, you cannot have your
identity stolen - you are still you and no one can ever change that. It's the
financial institutions' problem to fix at the end of the day, but there is
this expectation that you are obliged to help them understand how they fell
for a scam, and you are expected to do this for free or they make your life
more difficult.

We do need a better system for expats.

~~~
_asummers
The entire term "identity theft" is designed to offload blame from the
companies themselves. Should be called "criminally negligent data loss" in
many cases.

~~~
nathan_long
Yes. A negligent bank blames you because they didn't bother verifying a
criminal's claim to be you.

Someone on another HN thread suggested the term "bank slander".

------
mabufo
They should be shut down permanently. Full stop.

Furthermore, the very existence of these credit agencies should be sincerely
alarming to most normal people, and probably already is. These databases
should not exist.

~~~
mgleason_3
Agreed. We don’t wait for a bomb to go off before arresting a terrorist. We
arrest them for having the bomb.

Equifax, TransUnion and the others are clearly bombs waiting to explode.

Arrest the bastards and shut them down before they go off!

------
jimnotgym
I find the comments here fascinating. The consensus seems to be very much that
Equifax were negligent and shouldn't be able to run operations like this.

Meanwhile we have this[0] thread (also on the front page of HN as I write)
about how the EU is cracking down on US tech firms data collection activities
and the GDPR which is seeking to restrict it. There is much less of a
consensus on there that it is a Good Thing. There are accusations that this is
a restriction on US trade, or some kind of EU tech envy.

I find it hard to reconcile these two positions? The EU seem to be doing
exactly what people on this thread are asking for? The GDPR would enable
regulators to impose crippling fines (4% global turnover) if Equifax were to
lose EU citizens data after May this year. Do people want similar law in the
US or not?

[0][https://news.ycombinator.com/item?id=16361614](https://news.ycombinator.com/item?id=16361614)

~~~
JshWright
> I find it hard to reconcile these two positions?

I would assume (but can't be bothered to verify) that those positions are
being held by different people.

------
paul7986
As independent voter we need more congress people like Elizabeth Warren!

It's disgusting that the majority of congress are letting this slide.

~~~
ams6110
The majority of their constituents are letting it slide. Data breaches are a
yawn to most of the American public. They don't really understand what it
means, they think the problem is "hackers" and not poor security practices,
and few are ever directly victimized.

~~~
craftyguy
How do we combat this behavior? How do you convince the general populace that
this is a big deal? I can't think of any way that isn't absolutely
catastrophic... which would lead to a hurried, half-baked reactionary attempt
to 'fix' the problem. Sigh.

~~~
lawl
Start fining companies when user data is lost. News would report on companies
getting fined for shitty security practices, which also makes it clear that
the problem isn't hackers. Plus companies have an incentive to spend money on
securing their data.

~~~
kevin_b_er
They tried. The Republican Party leadership suspended all investigation of
Equifax. Equifax is part of the finance industry and the finance industry are
major sponsors of the Republican Party.

~~~
bzbarsky
They're major sponsors of both parties. According to
[http://fortune.com/2017/03/08/wall-street-2016-election-spending/](http://fortune.com/2017/03/08/wall-street-2016-election-spending/)
their donations in 2016 split about 45-55 Democrat-Republican. In 2012,
according to [http://www.businessinsider.com/wall-street-responsible-for-one-third-of-obamas-campaign-funds-2011-7](http://www.businessinsider.com/wall-street-responsible-for-one-third-of-obamas-campaign-funds-2011-7)
they contributed significantly to Obama's re-election campaign.

If you really think the "finance industry" as a whole is what's pushing for
the Equifax investigation to be shelved, then I expect the same would have
happened under Democratic leadership.

------
FLUX-YOU
"We'll get right on that"

[https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ](https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ)

------
ams6110
It was everybody. The breach was total. No point in assuming anything less.

~~~
briffle
For breaches involving PII like this, I think the default should be to assume
everything was stolen, and it be the burden of the company to prove the breach
was smaller.

------
rotrux
This is just about as delicate an information-security problem as the world
has faced.

It'd be one thing if you got a letter in the mail re: your personal exposure,
but there's a very serious assumption that everyone is glossing over:

Do you want EVERYONE to know more about what Equifax lost about EVERYONE &,
more importantly, you want it RIGHT NOW?

Well I guess so do I; the easier for me to ruin you and all your friends'
credit & then get me a new-new sweeeet new yacht 4 to cruise around in some
tropical country without an extradition treaty.

Mass disclosure before adequate protection or remediation measures (assuming
any are possible) is IRRESPONSIBLE BC INFORMATION IS REALLY POWERFUL...this
includes more metadata about what Equifax lost. You don't know what disclosure
right-now will expose you to. This seems pretty clearly like an "err on the
side of caution" situation.

~~~
mratzloff
It's been five months since it was publicly announced.

~~~
rotrux
5 months is prly not enough time to fix whatever hell this would unleash. I'll
stop short of saying Equifax doesn't need to be scared of bad press, but I
will say the silence around this is at least partially to protect the people
whose data was stolen.

------
coldcode
I wonder if the personal financial information on everyone in congress and the
executive branch are in the data. You'd think they would get right on it given
that they are equally at risk.

~~~
mikeash
If I were Equifax, I’d have a group dedicated to monitoring the records of
such people and ensuring that fraud got shut down very quickly with no cost or
hassle to the target.

~~~
macintux
That would imply a level of concern and corporate maturity that seems absent.

~~~
mikeash
You misunderstand. It’s not about concern, but rather about insulating
powerful people from the consequences of your fuckups so they’ll let you get
on with the business of screwing over everybody else.

If your business is built on causing problems for essentially every American
adult, you’ll get away with a lot more if you can exclude lawmakers from that
set.

------
mancerayder
As a potential total tangent:

I wonder how much MORE this problem has become / is becoming as we replace sys
admins / systems people with developers who play with infrastructure APIs, as
with AWS, producing complex infrastructure under deadlines and with self-
assurance. I say this because for years sys admins were the bad guys, even
slowing down progress because security concerns, stability and best practices
were to be considered before speed of delivery and features.

And I say all this because I'm a hybrid sysadmin/developer ("DevOps")
consultant with a stronger leaning on the systems side historically; I can
tell you that almost no one techs me out on the systems side of things
anymore. By systems I mean core Linux and the typical ecosystem around it
(including redundancy, performance and infra monitoring), infrastructure
architecture and yes, security. There is wisdom and experience that's required
here, and no 'bootcamps' can exist to replace that.

With a push to the cloud, is it possible that security has gone out the
window? I'm 75% I know the answer, but I admit this would make a great
research article.

Edit: although in this Equifax case perhaps that is a bad example. Unpatched
systems?

------
jmulho
Equifax competitor Experian offers a free "dark web scan" to find out if your
identity has been compromised. It should be easy for Equifax to compete. All
they have to do is query their own database.

------
Nelson69
And their stock is up a couple bucks today. Go figure.

~~~
CobrastanJorji
Equifax did something bad, and Congress responded by making sure consumers
would be unable to sue Equifax as a class.

The investors are probably correct in assuming that nothing bad will happen to
Equifax over this.

------
zitterbewegung
Does anyone else think that Equifax will suffer long term consequences and be
acquired by another reporting agency?

~~~
dougmany
No, they will benefit financially from this breach.

------
adamnemecek
Shut it down. They provide no value to anyone.

~~~
Spivak
Yep, absolutely no value. That's why all those banks and businesses pay them
for their reports.

~~~
tzakrajs
Yep, and they have no competitors so getting rid of Equifax means getting rid
of the entire industry.

~~~
swarnie_
When did Experian and TransUnion stop trading??

~~~
tzakrajs
I was using sarcasm in response to sarcasm.

