
Equifax C.E.O. Richard Smith Retires After Huge Data Breach - yanowitz
https://www.nytimes.com/2017/09/26/business/equifax-ceo.html
======
cletus
So if I design a car with a faulty steering mechanism that fails under unusual
circumstances but, when it does, can cause a possibly fatal accident, I have a
huge liability problem. Product liability as a whole is a pretty big deal. And
that can be in spite of countless hours of testing where there is no evidence
of malfeasance, negligence or even incompetence.

Why haven't product liability laws caught up with information services? The
Equifax breach here was caused by, at the very least, reckless negligence in
that they failed to patch a published vulnerability for MONTHS after it was
disclosed.

Now I'm not talking about the BS class actions you get where the class gets
nothing (except for the named plaintiffs who, for some reason, make out like
bandits) and the lawyers make a ton of money.

What I'm talking about is having the same expectations, requirements and civil
and criminal punishments that product liability would have with a physical
product, at least when it comes to willful negligence of this sort.

The VW emissions scandal (rightly) is resulting in criminal prosecutions for
fraud.

But the makers of routers, IoT light bulbs and the like seem to suffer no
consequences for (and thus have no incentive to improve) the security of their
products.

I just don't get it.

~~~
blowski
If we start screaming "something must be done!", we'll be very unhappy with
what actually gets done.

There are so many people who are at least partly to blame when something like
this happens. Bob the engineering manager who committed a quick but insecure
fix years ago, Shirley the intern who didn't know what she was doing, Joe the
manager who hired Bob and Shirley in the first place, Mike the manager at the
company supplying third party software that ends up being exploited, etc.

The worst outcome is that companies outsource all their IT security and
therefore responsibility to companies that disappear as soon as there is a
problem. But if we rush too quickly to impose criminal sanctions, that will be
the likely outcome.

The better solution is to work this one out as a society. Stop relying on
things like SSNs and maiden name as "security", and stop building enormous
silos of unnecessary data.

~~~
ak217
Equifax must be dismantled and driven into bankruptcy.

You present a fallacy. No, a rational company with accountability for its data
doesn't outsource their IT security or let the intern access production. They
take their job seriously and prevent something like this from happening by
building security into their architecture.

I have worked for companies that recognize they are liable for protecting the
data they hold, and that it only takes one breach for trust to be destroyed.
We spent countless hours hardening, compartmentalizing, and monitoring our
infrastructure. The nihilistic implication that nothing can be done is
maddening.

~~~
bogomipz
>"Equifax must be dismantled and driven into bankruptcy."

I don't disagree with that sentiment but you have to deal with the whole
triumvirate - Equifax, Experian and Transunion.

~~~
larvaetron
Innovis as well.

~~~
bogomipz
Interesting. I was unfamiliar with Innovis until last week where an article I
read mentioned freezing your credit profile with the big 3 agencies and
mentioned that it wouldn't hurt to contact Innovis as well.

Are they a distant 4th then?

If you put a security alert on your profile with one of the big 3 agencies
it automatically propagates to the other 2. I wonder why it doesn't propagate
to this agency as well.

~~~
astura
FWIW, the only major company that I know of that uses Innovis is US Bank.

~~~
bogomipz
Interesting. It's tempting to not be concerned about them then, although if
we've learned anything, there is zero correlation between doing business with
someone and them collecting data about you.

------
bedhead
Equifax has existed since 1899. It's in an oligopoly business that is
completely unassailable, for better or worse. It would be fine with or without
Richard Smith, who has been CEO for the last 11 years. He will have made
something like a minimum of ~$145 million over that time. (If you factor in
the value of his options since the grants it's more like $300 million) It's
unconscionable. Entrepreneurial reward for managerial duty. People give hedge
fund managers a hard time but at least those guys founded their companies and
built them up...it's these hired-hand CEOs that are the real problem.

~~~
quickpost
> Entrepreneurial reward for managerial duty.

That is such a perfect way to sum up the pay disparities in large corporations
these days. I have no problem whatsoever with someone making $300MM from the
sale of the business they created, but making the same amount for manning a
desk? Seems like madness.

~~~
ScottBev
Depends on what they accomplish during their tenure.

I've seen non-founder CEOs take a $100M business to $4B, and others take a $4B
to $500M. $100M to $4B deserves the reward.

~~~
MrBuddyCasino
The whole problem is that CEO pay is not correlated to performance, and
performance metrics can be gamed if they are not long-term.

~~~
zymhan
That's not true, CEOs are increasingly compensated in stock options, which are
at least theoretically correlated with performance.

[https://www.washingtonpost.com/news/on-leadership/wp/2014/02...](https://www.washingtonpost.com/news/on-leadership/wp/2014/02/11/how-stock-options-lead-ceos-to-put-their-own-interests-first/)

[https://www.bloomberg.com/news/articles/2017-09-21/key-quest...](https://www.bloomberg.com/news/articles/2017-09-21/key-question-on-equifax-options-trade-is-who-initiated-the-order)

~~~
jgamman
share buy backs...

------
Multicomp
Hmmm let me get this straight: 143,000,000+ people have to pay Equifax $3-20+
to get their credit frozen, and you get to just walk away and retire with
oodles of money from your illicit stock selling and severance packages? There
is no justice sometimes.

That's around ~430,000,000 USD for Equifax alone [edit: if] 143M people got
their credit frozen at $3 per freeze. (Obviously back of napkin math, and not
everybody pays the same or even freezes their credit)

~~~
gk1
> you get to just walk away and retire with oodles of money from your illicit
> stock selling and severance packages? There is no justice sometimes.

Retiring is not protection against criminal charges.

Also, there would be oodles of money involved in the case of firing,
resignation, or staying on anyway.

~~~
Overtonwindow
True, but I guarantee you there's something in that golden parachute that the
company will cover all legal costs resulting from any non-illegal decisions
made by the CEO.

~~~
maxerickson
Isn't that how a corporation should work?

Not the big pile of money for leaving/getting fired, the accepting of
consequences for legal actions taken while working for the corporation.

~~~
toomuchtodo
> Isn't that how a corporation should work?

Not when gross negligence occurs.

EDIT: Gross negligence in the legal sense.

~~~
maxerickson
Do you mean negligence in a legal sense or are you talking about something
else?

Because my comment is clearly scoped to "legal actions".

------
genzoman
Anyone else think how convenient it was that no news agency broke this news
prior to the Friday before September 11th? News cycle dies on the weekend, and
on Monday you have the anniversary of the deadliest attack in 70 years on US
soil.

No political figure has talked about making these companies disclose this
information as soon as possible, and no political figure is furthering any
type of bill to make it illegal to know about a data breach and not tell
anyone for months.

American obsession and addiction to media is what caused Trump to win, and
it's why egregious failures of trust such as this will continue to go
relatively unpunished.

We are constantly pumping out the equivalent of crude oil into your culture at
the rate of millions of gallons a second. It's all trash, and it pollutes
discussion and any sort of cooperation.

Left/Right is the new religious battle, and the new holy books are blogs and
twitter feeds. The media is under no obligation to tell you the truth, and in
this case the lie is omission.

------
rothbardrand
This is not enough. We need a reform to legislation to make these companies
liable both for data breaches and for false information. Too often the CRAs
are used effectively as extortion mechanisms whereby your credit rating is
held hostage to extract money you don't owe for collection agencies.

------
Overtonwindow
They're all jumping ship now. I hope congress, or the FBI, hold some of these
people responsible for the mess they've created, and take Equifax to the
woodshed.

~~~
KGIII
We must first establish what laws we believe they have broken and that are
likely to be provable beyond reasonable doubt in court. I'd rather have due
process than revenge without due process.

~~~
avs733
I'd rather they be treated as many Americans are when they have their first
encounter with police who believe they committed a crime...that is rarely
aligned with a presumption of innocence.

You aren't wrong in a theoretical sense, but I am all for equality before the
law as a precursor to due process. Due process without equitable treatment
means very little except to those at the top.

~~~
Spivak
So you would rather people be treated shitty like everyone else than treat
everyone else better?

~~~
lurker456
Selective enforcement of a shitty law is arguably worse for society than
across-the-board even enforcement of that law. In the latter case, there are
fewer groups that will prevent change.

------
UnoriginalGuy
If I drive my vehicle recklessly, even if nobody is injured (or no property),
I can receive a citation, risk having my license revoked, and risk being
arrested.

Why is it that American corporations and their leadership have less oversight
than your average 15 year old driver? They keep reminding us of corporate
personhood when it is convenient, but where is the personhood responsibility?

Companies aren't going to spend money on security until the potential costs
impact them rather than others (in this case all of us). That's something that
urgently needs to change. As you can see by Equifax's stock, nobody in the
stock market thinks that the governments are going to punish or collapse
Equifax, and the worst part is that they're likely right (see BP for example).

This too big to fail, too big to jail, too big to punish thing is really
starting to get on my nerves. Even if we aren't ready to send corporate
executives to prison, let's at least fine Equifax so much they go out of
business, and it sends a shot across every other business's bow about what
will happen if they mishandle sensitive information.

------
FussyZeus
> “Speaking for everyone on the Board, I sincerely apologize. We have formed a
> Special Committee of the Board to focus on the issues arising from the
> incident and to ensure that all appropriate actions are taken.”

> Now if you'll excuse me, this golden parachute isn't going to pull its own
> rip cord. Have fun fixing all your credit reports and enjoy Equifax's "free"
> data protection services, your contributions and patience (or short
> attention span, whichever you prefer) will be thoroughly appreciated by my
> successor, until he too fails too hard and has to endure a life of permanent
> financial security and nonstop leisure.

------
whataretensors
Let him retire in prison with the rest of the C-levels.

------
aaroninsf
In other large countries of note, responsibility for a billion dollar crisis
and abuse of private data would result in life-ending jail time.

They have a point. This ass hat enriched himself at the expense of customers
held at gun point, and didn't even oversee due diligence in the execution of a
bullshit monopoly.

Retiring to ride horses and pensively stare at the far horizon of one of his
ranches and come back with think piece hagiography in 4 years on the lessons
learned...

...there should be bigger consequences.

------
FilterSweep
Is there a way to tell if you are impacted without having to enter your SSN on
suspicious websites?

It's scary how little information the media is providing on this. Equifax does
not provide an FAQ over what conditions you may be affected. I don't have a
line of credit, and I have never used their services personally, _HOWEVER_,
if a prior employer used them through a background check, or if they used a
3rd party who sends my data to Equifax without me knowing, I'm pwned and
didn't even know it.

~~~
tyingq
They say that overall, 143 million people were affected.

There are about 250 million adults in the US.

I would take that to mean that if you're a US adult, with any sort of credit
history, you're affected. The affected data for the larger 143 million was:
_"Most of the consumer information accessed includes names, Social Security
numbers, birth dates, addresses, and in some instances, driver’s license
numbers."_

There's also a smaller set that had even more data exposed:

_"In addition, credit card numbers for approximately 209,000 consumers and
certain dispute documents, which included personal identifying information,
for approximately 182,000 consumers were accessed."_

~~~
stordoff
Are the affected people limited to the US? I know Equifax exists as a brand
elsewhere, but I'm not sure how they are structured/which parts of the
business the breach affected.

~~~
tchadwick
I've heard Canada was affected as well. As a Canadian living in the US, I'm
doubly fucked.

------
vkou
There is a solution to this problem - the Freedom from Equifax Exploitation
Act, drafted by senators Elizabeth Warren and Brian Schatz.

Naturally, not a single republican supports this legislature.

------
walshemj
Interesting that all the senior Equifax who have left have "retired" and not
resigned ;-)

Resigning is a known way of avoiding more serious penalties and loss of
pension etc. A lot of UK police, when facing serious charges, suddenly resign
due to stress.

It's telling that when found guilty of far less serious offences the CEO of
Shell resigned, giving up a lot of $!

------
bogomipz
>"The chairman and chief executive of Equifax, Richard F. Smith, retired on
Tuesday ..."

>"“Speaking for everyone on the board, I sincerely apologize,” Mark Feidler,
the Equifax board’s new chairman"

Where is the apology from the CEO?

~~~
technofiend
He's sorry he couldn't make it to the conference and apologize but the only
flights to Gstaad left this morning and what's the point of renting a ski
chalet if you're not going to stay there?

~~~
bogomipz
Yeah, if you listen closely you can hear the sound of a golden parachute
opening.

------
pfarnsworth
Retirement isn't good enough, he should have his money clawed back. It's
unfair that he gets to walk away scot free when hundreds of millions of people
are fucked.

------
rdiddly
Retirement is a bad word choice. In this case maybe it's better to blur the
subtle distinction between retiring and resigning. At least appear contrite.

------
ibejoeb
"Pack it up boys, our work here is done."

------
SubiculumCode
Cowards with golden parachutes: Modern Capitalism.

~~~
Lapsed
I see you didn't read the article.

~~~
SubiculumCode
I stand corrected. Thanks.

------
FilterSweep
May he land gracefully from a proper golden parachute deployment

------
politician
Does he get to avoid testifying before Congress by resigning?

------
CodeSheikh
He is conveniently retiring to cash in severance packages and bonuses. He
should be fired and brought in front of a judicial committee to answer
questions for risking identity info of millions of consumers.

------
Animats
With $18.4 million in pension benefits.

------
wnevets
So he gets to retire with a golden parachute made with diamonds, how nice.

------
yarsk
Well, it is a good idea to retire when your age and energy are exulted.

------
VirtualAirwaves
This is one issue our President should take some executive action on, if at
all possible. At the very least, people should not be charged for credit
freezes for the next few years, and existing laws should be reviewed. Taking
action against Equifax would be supported by the vast majority of Americans.

~~~
g051051
Not something for a president...it's a congressional thing.

~~~
dsfyu404ed
He can direct the FBI and Justice Department to interpret the law with regard
to Equifax the way they would interpret it for a small business or individual.

(obviously under the table because above the table would acknowledge the
double standard)

------
katastic
I wish I could "retire" after selling out over half of the workers in the USA.

~~~
busterarm
Actually, if you want to limit it to workers, it's around 95%, based on our
last good data on this.

------
adekok
Their security head was a _music_ major, with little or no experience in the
field.

[https://www.nbcnews.com/business/consumer/equifax-executives...](https://www.nbcnews.com/business/consumer/equifax-executives-step-down-scrutiny-intensifies-credit-bureaus-n801706)

~~~
ceejayoz
Many of us don't have formal credentials in computer science or security.
There are plenty of reasons to go after Equifax, but someone's college major
from decades ago isn't one of them.

[https://www.washingtonpost.com/news/the-switch/wp/2017/09/19...](https://www.washingtonpost.com/news/the-switch/wp/2017/09/19/equifaxs-top-security-exec-made-some-big-mistakes-studying-music-wasnt-one-of-them/)

~~~
woranl
I don't have formal credentials in medicine, but I know how to hold a knife.
Will you trust me to do a surgery on you?

~~~
dredmorbius
Thirty years ago not only did modern computer security concepts not exist, and
not only were there no programmes in them, but odds are good that "computer
science" was part of the maths department.

The first computer science department dates to 1962 at Purdue University (home
of Eugene "Spaff" Spafford). Others formed generally during the 1970s and
1980s.

~~~
woranl
Last I checked, the leak was not thirty years ago.

~~~
dredmorbius
The degree was. And on-the-job experience is a thing.

Your responses strongly suggest a failure to grant charitable consideration:

_Please respond to the strongest plausible interpretation of what someone
says, not a weaker one that's easier to criticize._

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
woranl
This is negligence. Public safety should always be paramount. One cannot claim
to be a professional without credentials. People's lives are at risk because of
mindsets like yours. If the Equifax security head truly is qualified, then why
delete info on LinkedIn? What is there to hide?

------
WillReplyfFood
I take full responsibility for those breaches, and thus decided to step back,
and for the remainder of my life work in customer support of a bank to fix
those whose accounts are targeted.

No CEO ever

Aye, the noble folks must be upheld to different standards. Onwards, to bigger
and better things they grow; they are a different people, not bound to clean
up after themselves. All that outdated respons-hillbillity just holds the
innovation of scams back.

------
yarsk
Well, that is a nice idea for him; retirement is a necessity when your age is
up to it.

------
wehadfun
How does everyone feel about Susan Mauldin (Equifax Chief Security Officer)
having a music degree?

~~~
phlakaton
I hold a music degree and I'm probably a better engineer than you. :-P

