
A year later, Equifax has faced little fallout from losing data - sahin-boydas
https://techcrunch.com/2018/09/08/equifax-one-year-later-unscathed/
======
the_unknown
I'm most disappointed in the Canadian gov't and their lack of action. This
would have been the perfect opportunity to mandate change - We don't have to
send data on all of our people and their credit history to this American
company. Or at least without actual legislation and rules around governance,
security, and actual penalties for breaches.

Instead we let them get away with - no more than a handful of Canadians were
affected - followed by - oops, yup lots of Canadians - followed by - holy
heck, how many Canadians are there way up there?

We don't need to go along with this. Yet it never seems to get better.

~~~
3pt14159
Did you write to your MP?

Did you meet with them?

These things only get fixed when people speak up.

I met with my MP over the weaponization of autonomous systems. I've put a ton
of work into understanding where all this is headed. I spoke up[0] at the
hearing on electoral reform about the cybersecurity risks of computerized
elections, but I'm only one man. I've been able to get some things through,
like pressuring the Liberal Government to put up more resources[1] but
political will lags public outcry. If you want something changed you can't
just complain online in your little bubble.

[0] I was one of only two people that spoke up about it and it was added to
the final report. The world is changeable. What it takes is showing up and
pushing hard.

[1] [https://www.cbc.ca/news/politics/budget-billion-cyber-security-1.4547685](https://www.cbc.ca/news/politics/budget-billion-cyber-security-1.4547685)

~~~
TallGuyShort
"Write your representative" is the standard response in the US too, and I'm
honestly done with it. I've written many, many letters to senators. I've
placed phone calls. I've donated to candidates I support. I've taken a day off
work to attend what was supposed to be a town hall but that ended up just
being propaganda and thinly veiled hints at donating to related election
campaigns, with so little time for public comment that I never got a word in.

And yet I've only ever received token replies and seen zero change. No one I
ever really wanted to vote in to a major seat has won. And Congress really
can't see what's wrong with the Equifax breach on their own?

Fuck all of them. I've given up on our political system maintaining much more
than panem et circenses.

~~~
rdm_blackhole
I am not from the US but it's the same thing everywhere.

The only place where citizens seem to have an impact is Switzerland where with
enough signatures you can request a referendum. Good luck implementing that in
other countries.

Somebody one day told me this little bit of wisdom:

In a dictatorship, the government wants you to shut the hell up but in a
democracy they let you keep talking because they don't listen and do not give
a single fuck about you.

The world's political systems are broken.

I for one do not bother to vote anymore and the cynicism transpires in my
daily life where on many issues I find myself thinking that if nobody cares,
why should I?

That's progress apparently.

~~~
TallGuyShort
I struggle a lot with the idea of the tyranny of the 51%, though. I don't like
Jeremy Clarkson's politics, but I really like a point he frequently makes in
his columns: everyone loves the idea of a jury of one's own peers until they
realize that their peers are all idiots. Same goes for democracy. It sounds
great, until 51% of people start making dumb decisions about how you should
run your life.

Example: a slightly larger majority of my town than that wanted a slightly
better deal of waste management, so they voted for a town-wide contract. Now
I'm forced to pay for a recycling program that is so inconvenient I pay to use
a different one anyway. Enough people (that it will probably happen) are now
pushing for a measure to make it as convenient as it used to be, but raise
taxes to pay for all the abuse that ruined things. I don't want better voting,
I want the ability to opt out and be left alone.

~~~
Proziam
This isn't actually that complex a problem. 51% don't get to make decisions,
66% do. The correct answer is almost always "no" so making it more difficult
to get to a "yes" from the decision making body is (within reason) a good
thing. This has the added benefit of forcing people to take a good hard look
at what they propose because it has to make sense to everyone to have a chance
to pass.

~~~
TallGuyShort
Yeah I absolutely love the solution of requiring a supermajority. I wish it
was required in most instances and that we _actually_ required it when it is
already required by the Constitution in practice. In the US Constitution it's
only used to convict, override or expel people who were elected by simple
majority (or in some cases, less, though I like the idea of the electoral
college not giving all power to a couple of states), and for ratifying
treaties and constitutional amendments. Of course, even though alcohol
prohibition required a constitutional amendment, you can apparently prohibit
anything else by having it "scheduled". And when was the last time the
President waited for Congress's permission for our foreign relations, be they
treaties or war?

------
ARothfusz
The correct response should have been for credit card holders to sue their
credit card companies. We have a relationship with the card companies, and
they chose to share data with a third party, so the credit card companies are
responsible. This class action suit did not happen as far as I know. Why not?

If we're so outraged and thus there's a market for it, why didn't banks start
offering their own credit cards with guarantees not to share your data with
any third parties?

Also, why should it be risky for someone to know your name, address, and
social security number? Yes, I agree it is risky, but it shouldn't be. Those
things are not me. They're not even secrets. Knowing those things should not
give you superpowers.

~~~
maxsilver
> The correct response should have been for credit card holders to sue their
> credit card companies

Why? Why should it be the victim's job to find and prosecute criminals?

Should victims also be responsible for breaking up monopolies? Or cleaning up
oil spills? Or to keep hospital patient records private? How much time and
money should victims be required to invest in lawsuits, to bring justice
against illegal mistakes made by entities with thousands of people and
millions/billions of dollars?

Wouldn't it be better if we had government agencies draft _and strictly
enforce_ regulations to prevent this. Like say, an EPA for environment, or
HIPAA for healthcare, or GDPR for consumer/business data?

~~~
wpietri
Whether it would be better is a really interesting question.

For this specific case, I think energetically enforced regulation would be
clearly better. But in general, I'm not so sure. The American system of "let
people do what they want; if there's harm, they can sue" allows a lot more
room for innovation than a system of up-front regulation.

I think the difference for me lies in the extent to which an issue is a) in a
stable context, b) causes significant harm, and c) is unlikely to be fixed
through market mechanisms or self regulation.

Here, since consumer privacy is basically an externality to these companies
and the market is an oligopoly, I think stronger regulation is a pretty good
bet. But in general I think private right of action is underappreciated.
Especially class action suits, which aren't burdensome for most plaintiffs.

~~~
Aeolun
I think the problem with that strategy is that harm is generally done on a
large scale until someone prevents it from continuing.

~~~
wpietri
Well, generally it isn't. Most businesses go along doing good things for their
customers and getting paid in return. Really, given the way that the Internet
has changed everything, we've had surprisingly few major problems.

As a tiny example, look at phone calls. They used to be absurdly expensive. In
college I remember having phone bills costing ~30 hours of (minimum-wage)
labor. Now it would be hard to explain to an 18-year-old what a long-distance
call even was. These days I have effectively unlimited calling from anywhere
to anywhere via a handheld device that costs ~7 hours of (minimum-wage)
labor/month, and I see lower-cost vendors that provide it for ~4 hours/month.

If we had taken a regulation-first approach, where each new service had to get
regulatory approval, I could imagine us still being stuck in the old paradigm,
where each phone call had to go through a monopoly operator, and things like
Skype were illegal. Or maybe we'd be part-way along the curve, but with
incumbents pushing to increase regulatory burden and hobble startups.

So I agree the problem with a default-permit model is that you have more
problems to fix, and some can be big. But the problem with a default-deny
model is that you miss out a lot of gains. And those, being hypothetical, are
easy to underweight against the benefits of the status quo.

------
seangrant
It upsets me a lot how these financial institutions have complete power over
us. God forbid a bank writes a loan to a scammer in your name, cause to them
it's your fault. Absurd!

~~~
mrhappyunhappy
All the more reason to move to blockchain identities.

~~~
orthecreedence
Fuck the blockchain.

Just issue public/private keys to citizens. They sign with their private key,
banks verify with their public key. Anyone can request your public key from
the Social Security Administration via API. Done.

The SSN acting both as the identifier and the password is the real problem,
and throwing the blockchain into the mix just complicates things more.

We still need a central agency. It's the authentication method that is
pathetically worthless.
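
The signing scheme proposed in the comment above, sketched as an added example (not code from the thread or from any agency): a bank issues a one-time challenge, the citizen signs it, and the bank verifies the signature against a key fetched from a central directory. `KeyDirectory`, `Citizen`, `Bank` and the sample identifier are hypothetical names, and the directory stands in for the proposed lookup API.

```javascript
// Added illustration. All classes and identifiers here are hypothetical;
// no real agency API is modelled.
const crypto = require('crypto');

// Central directory: maps a public identifier to a public key.
// The identifier is not a secret, which is the point of the proposal.
class KeyDirectory {
  constructor() { this.keys = new Map(); }
  enroll(id, publicKey) { this.keys.set(id, publicKey); }
  lookup(id) { return this.keys.get(id) || null; }
}

// Citizen side: holds the private key and signs the bank's challenge.
class Citizen {
  constructor(id, directory) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.id = id;
    this.privateKey = privateKey;
    directory.enroll(id, publicKey);
  }
  sign(message) {
    return crypto.sign(null, Buffer.from(message), this.privateKey);
  }
}

// Bank side: issues a fresh single-use challenge per application and
// accepts only a valid signature over that exact challenge.
class Bank {
  constructor(name, directory) {
    this.name = name;
    this.directory = directory;
    this.pending = new Map(); // nonce -> applicant identifier
  }
  challenge(id, purpose) {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.set(nonce, id);
    return JSON.stringify({ bank: this.name, id, purpose, nonce });
  }
  verify(message, signature) {
    let parsed;
    try { parsed = JSON.parse(message); } catch (e) { return 'malformed'; }
    if (parsed.bank !== this.name) return 'wrong-bank';
    if (this.pending.get(parsed.nonce) !== parsed.id) return 'unknown-or-replayed';
    this.pending.delete(parsed.nonce); // burn the nonce: one attempt per challenge
    const key = this.directory.lookup(parsed.id);
    if (!key) return 'not-enrolled';
    const valid = crypto.verify(null, Buffer.from(message), key, signature);
    return valid ? 'ok' : 'bad-signature';
  }
}

function demo() {
  const directory = new KeyDirectory();
  const alice = new Citizen('ID-0001', directory); // constructed identifier
  const bank = new Bank('first-example-bank', directory);
  const otherBank = new Bank('second-example-bank', directory);

  // Legitimate application: the key holder signs the bank's challenge.
  const c1 = bank.challenge(alice.id, 'open-credit-line');
  const s1 = alice.sign(c1);
  const legit = bank.verify(c1, s1);

  // A captured (challenge, signature) pair is worthless afterwards.
  const replay = bank.verify(c1, s1);

  // The same pair is also rejected by a different bank.
  const crossBank = otherBank.verify(c1, s1);

  // Knowing only the identifier (the SSN-style failure) is not enough:
  // a signature made with any other key fails verification.
  const otherKey = crypto.generateKeyPairSync('ed25519').privateKey;
  const c2 = bank.challenge(alice.id, 'open-credit-line');
  const s2 = crypto.sign(null, Buffer.from(c2), otherKey);
  const identifierOnly = bank.verify(c2, s2);

  return { legit, replay, crossBank, identifierOnly };
}

console.log(demo());
```

Key custody and revocation, the objections raised in the replies that follow, are outside what this sketch covers.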

~~~
shawn
Terrible idea. If you try to force users to do key management, you've lost.

Keybase is the only one getting this right, and people are now claiming
they're ignoring security in order to do it. It would be a dumpster fire to
trust government agencies to get the design requirements right.

~~~
plankers
Really? It seems to be working fantastically in Estonia:

[https://e-estonia.com/solutions/e-identity/id-card/](https://e-estonia.com/solutions/e-identity/id-card/)

~~~
shawn
That’s very cool! Thank you for pointing out the counterexample.

~~~
jkaplowitz
Belgium also uses decent crypto, software, and hardware for their electronic
identity system:

[https://eid.belgium.be/en/what-eid](https://eid.belgium.be/en/what-eid)

For the last several decades, many of us Americans have become too skeptical
about what government can do in terms of technology, even while it's
completely true that government often gets it wrong.

~~~
plankers
That skepticism may have something to do with many of us Americans watching
our government spectacularly fail to keep pace with changing technology over
the past few decades. Not sure there's any real solution for a nation of
federated states who don't like to coordinate with one another. Please prove
me wrong, politicians.

~~~
jkaplowitz
It's definitely tricky, not disagreeing there. But Belgium is also a
federation of multiple language regions who don't like to coordinate with each
other. Way smaller and way fewer regions, sure, but equally with more
hostilities between them.

There are very few government officials worldwide who truly know technology or
how to effectively engage the real experts in an agile way rather than just
government contractors. That seems to be the main problem to me.

Even in the US, the US Digital Service and 18F have done great work. And
Canada has at least one backbencher MP who's a Linux and free software geek,
asking legitimately knowledgeable questions in committees on topics like IPv6,
copyright, and plenty of unrelated topics too.

Of course I realize those organizations and people are exceptions. But they,
and the Belgian and Estonian examples, indicate what can be.

Maybe we can figure out how better to make technologists interested in serving
in government, or working closely with it from the outside.

~~~
plankers
I'm paraphrasing from this article in the New Yorker [1] that I read some
months ago, but it seems the trick to getting bona fide technologists to work
in government is to offer competitive pay and benefits, as well as making the
job "sexy" by offering a chance to work on a truly revolutionary project that
will make life better for your countrymen. That's what's working in Estonia,
at least.

I'm holding out some hope that Estonia will be able to convince their fellow EU
member states to pick their game up now that they have the rotating presidency
of the EU council [2].

But one thing Estonia has going for it (or working against it, depending on
perspective) is its close proximity to a technologically advanced hostile
nation. Estonia's rapid progress has been spurred in large part by the
necessity of protecting itself from Russian cyberattacks, a Big Issue if I'm
remembering the New Yorker article correctly.

[1] [https://www.newyorker.com/magazine/2017/12/18/estonia-the-digital-republic](https://www.newyorker.com/magazine/2017/12/18/estonia-the-digital-republic)

[2] [https://www.visitestonia.com/en/why-estonia/estonia-is-taking-over-the-eu-council-presidency](https://www.visitestonia.com/en/why-estonia/estonia-is-taking-over-the-eu-council-presidency)

------
jimnotgym
Ok I will be the one to start it.

This is why we needed GDPR. The courts have been totally unwilling to combat
this kind of corporate malpractice, assessing the costs of a breach to be
puny.

My opinion is, if your business is sensitive data then being careless with it
should be an existential threat to that business.

~~~
kodablah
> This is why we needed GDPR. The courts have been totally unwilling to
> combat this kind of corporate malpractice

It should come as no surprise that the legislative enforcement arm is
unwilling to also. I know you dream of laws like the GDPR working, but it
doesn't and neither did its predecessor. Instead of asking for new laws, why
are you not asking for enforcement of existing ones? And what makes you think
a new law will be magically enforced where current ones aren't?

~~~
icebraining
_I know you dream of laws like the GDPR working, but it doesn't and neither
did its predecessor_

Didn't it? Maybe I'm biased, but I don't remember breaches like Equifax's or
Target's in the EU. I also don't remember the records of 154 million EU voters
being exposed.

According to this report[1], the "U.S. accounted for 728 of the 974 incidents
around the globe in the first half of 2016." They do say part of the
difference may be the disclosure laws, but is that all?

[1] [https://blog.gemalto.com/security/2016/09/20/data-breach-statistics-2016-first-half-results/](https://blog.gemalto.com/security/2016/09/20/data-breach-statistics-2016-first-half-results/)

~~~
kodablah
> Didn't it? Maybe I'm biased, but I don't remember breaches like Equifax's or
> Target's in the EU.

So if you don't remember it ever happening, what did the laws curb again? I'm
talking about the effectiveness of adding laws... going from 0 to 0
demonstrates no effectiveness much less the effectiveness required to overcome
the societal cost of compliance.

If anything, your argument explains the embedded big business cultural
differences and laws like the GDPR added nothing wrt data breach
enforcement/prevention.

~~~
toxik
I see this self-assured attitude often with users from the US. Do you honestly
not think GDPR had any effect? If it only served to remind businesses user
privacy is protected by law, then that was an effect. The EU has taken legal
action against US companies before, and it has made a difference in this
world. Why do you think it won't happen again, apart from your deep-rooted
revulsion to mostly all forms of market regulation?

This idea that the US is the breadwinner of the world and a paragon for all to
strive for is such a tired old misconception born from not-so-subtle
nationalism. The US is not a utopia of happy, well-fed people with homes. You
got a big army though, that's for sure.

~~~
kodablah
> Do you honestly not think GDPR had any effect?

Of course I think it had an effect. I just believe it was/is a net negative
effect. When I say doesn't/didn't work, I mean what I perceive the intended
goal is vs societal costs. Akin to saying anti-drug laws don't work and are
ineffective... nobody is saying they have no effect. I believe, if reasonably
drafted and incrementally applied, data protection laws could have a positive
effect.

> Why do you think it won't happen again, apart from your deep-rooted
> revulsion to mostly all forms of market regulation?

I'm talking about data protection regulation. Based on my research, many
companies were violating existing data protection statutes and the regulatory
bodies were not punishing them out of apathy and limited resources.

Why do you assume I have an issue with all forms of market regulation? That's
false and I'm not sure where I said that. All of the rest of your post is
attacking some other kind of argument that I never presented.

~~~
toxik
I think narcotics legislation has worked fine for most nations. Only one
declared war on drugs though, which has not panned out super well I'd say. It
has amounted to kicking extra hard on those lying down in many ways.

Attacking this and attacking that, I'm describing a mentality that I come
across as a European on HN a lot. It has a little bit to do with you, as I
said, I'm picking up on this same sense of "lol look at those dumb Europeans,
they don't know what's best for the market," I think you'd agree that this
mentality is fairly strong in the US. The US is many things, but humble is not
a word I'd use.

~~~
kodablah
You shouldn't pick up that sense, you shouldn't assume people are calling
entire peoples dumb, etc. I think that mentality you assume is absolutely not
very strong. In many cases, envy and embarrassment is much stronger. By
arguing from your assumed perspective you are not doing so in good faith and
disappointing.

------
mjevans
At least the US, and probably other countries as well, have the issue of no
reliable means of /authentication/. I feel like this won't be solved until a
proper national ID replaces the thing that __everyone__ is forced to use as
one even though it isn't supposed to be; 'social security' numbers. That
method would need to be secure, reliable, and traceable.

All contracts / inquiries that require use of the identity signature would
also need to register that use; ideally the government would run an
observation oracle that mirrors the publicly published signatures each agency
hosts on their own (which would be a de facto place to check for use/abuse of
the signatures).

This would also obviate the need for services like Equifax to exist at all.

~~~
tonysdg
> That method would need to be secure, reliable, and traceable.

And that's why it will never happen. This is one of my biggest complaints
about the Hacker News community: so many of us are engineers who see a problem
and immediately think "here's a solution, technical or otherwise."

We can't "solve" humanity -- it's pure hubris to think otherwise. Any national
ID will run the same risks that befall SSNs, passports, licenses, passwords, or
any other form of identification. Which, simply put, is that the weakest link
is _always_ the person behind them. All it takes is one screw-up -- your
passport falls out of your bag on a busy street, a thief breaks into your home
and steals the safe with your SSN card inside, someone accidentally makes a
list of password hashes public -- and the "secure, reliable, traceable" goes
out the window.

I don't have a solution. But I think those of us who are engineers owe it to
the general public to stop kidding ourselves into thinking we can come up with
"solutions" -- technical or otherwise -- that aren't (1) flawed in some other
fashion, (2) unacceptable due to societal norms, or (3) require the
elimination of personal freedoms and liberties that at least we in the
U.S./Canada/Europe seem to enjoy.

~~~
sydd
Yeah, but you can make it hard to fake someone's identity. In the US you just
need some Google skills and their SSN number.

In the EU you need to fake a plastic card that has your photo, has holograms
and whatnot. If it's lost I get a new one with a new number. For anything
serious like opening a bank account, applying for credit you need to show this
card in person.

This is why identity theft crimes are more than 10 times higher in the US.

------
reilly3000
It is so damn difficult to prove substantial damages to be directly
attributable to a specific data leak. It isn't right, but it also isn't
reasonable to attribute a specific identity theft incident to a specific leak.
My data has been compromised by at least 1 dozen corporations in the past 3
years. Who is to be held accountable if my identity is compromised or my
opinion influenced maliciously as a result of a breach?

It isn't as if this data has some chain of custody that can show which actor
sold it to another and who used it for a spearphishing campaign. Our secrets
are laid bare to whoever has the will to partake of them.

Sometimes I wonder why it is considered immutable that human malice is an
unstoppable force. I want my kids to live in a world where those who leak data
and those that use it to malign others are rare and held accountable in a
manner that is truly commensurate with their cost.

~~~
Aeolun
It _is_ rare. But that doesn’t mean those who let your data leak should go
unpunished.

You don’t need to figure out who was the cause of a specific misuse, you just
punish the data being leaked in the first place.

Though I guess you need to figure out a way for companies not to hide the leak
then.

------
harryh
Revised headline: A year later, the vast majority of people have faced little
fallout from having data about them inadvertently made public.

Nearly all of the dire predictions made at the time of the breach have been
wrong to date.

~~~
darkerside
Tell that to my coworker who spent all day on the phone last week fighting
identity fraud with his bank. The impacts will be intermittent lightning
strikes on random people at random times. To everyone else, business as usual.

~~~
g051051
Can your coworker trace the identity fraud to the Equifax breach? As opposed
to all of the identity fraud that happened throughout the years before the
breach?

~~~
yebyen
Are you implying that, when a hurricane strikes, no one drop of water can be
responsible for the resulting devastation?

(When in this case, to stretch the metaphor, the droplets all had strong
profit incentives related to storing and making decisions based on peoples'
data, and that they were pretty demonstrably negligent at protecting their
charge?)

All I'm really saying is, these breaches won't ever stop if the cost of a
response remains substantially lower for these companies, than the
profitability of being the (ir)responsible ones and maintaining the data in a
negligent state.

~~~
g051051
> > Nearly all of the dire predictions made at the time of the breach have
> > been wrong to date.

> Tell that to my coworker who spent all day on the phone last week fighting
> identity fraud with his bank.

I'm saying that identity theft happened before the Equifax breach, and the
Target breach, and the Yahoo! breach, etc. It will continue to happen. What we
need is some sort of reform, like a national ID system with stronger ways to
identify people (like fingerprints) and strong penalties for the _criminals_,
not the organizations that get victimized. Note that anything like this will
probably result in restricting access to credit or raising the cost of it.

People like to blame the CRAs for this, but it's the businesses that don't do
due diligence in verifying identity that are at fault.

~~~
yebyen
> It will continue to happen.

I would like, if you are one of the entities with control over this situation,
if you bet against this. How much will it cost me to get you, as a service
provider, to start betting against this?

~~~
yebyen
I know this sounds crazy, but ... entities cannot secure their relationship
with you if they cannot maintain some detail as private. (Until we all have
PKI and use it?)

------
delinka
"little fallout"

Pfft. They've been _required_ to offer credit account locking and unlocking
services without charging individuals for the privilege. That's a serious blow
to executive bonuses. Surely they'll all have moved on to other companies with
a more encouraging compensation structure, leaving Equifax a shell of its
former self.

~~~
godelski
That's not really that big of a blow. Unless I'm greatly misunderstanding
their business, in which case I'd appreciate it if you enlightened me.

~~~
delinka
+= "/s"

------
cryptozeus
This is the same case like big banks during financial crisis. I can’t believe
they are still a running company after such a big blunder. Worst part is I as
an individual never wanted my social security and personal data be mined by
such companies let alone have it hacked. We have no say in this.

------
cperciva
They didn't _lose_ anyone's data. They just made accidental public backups.

(Seriously though, the use of the same word to describe data loss and data
theft is problematic; depending on the nature of the data, one will typically
be far more serious than the other.)

~~~
paulddraper
_released_ or _leaked_

~~~
solarkraft
I like leaked more than the other suggestions, but it still sounds so ... not
reckless. There needs to be way more judgement.

~~~
fragmede
How about "discharge"? Yes it's gross but that's the point.

------
tarr11
Have there been any studies about the actual consequences of these data
breaches on victims (in terms of fiscal, social or even emotional impact)?

------
dwd
What I don't see anyone actually asking is who was behind the breach given the
sophistication of the attack and the measures they went to to avoid detection.
This wasn't the case of a database just sitting in the open that they could
access.

The actual report makes for better reading than Tech Crunch.

[https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO...](https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO%20Equifax%20report.pdf)

------
tomohawk
This will really only end when the credit rating agencies become irrelevant.
Large purchases should be based on ability to pay, which is different than
credit rating.

You can have a credit rating of zero just because you don't use credit - even
though you have plenty of money in the bank.

If you are running a business, why not avoid equifax and other credit raters
and use a different mechanism?

If you are looking to startup a business - doesn't this look like an area that
needs disruption?

~~~
paulddraper
Most loans require both: (1) an ability to pay (payer stubs, tax returns) and
(2) a history of paying back loans in the past.

------
sebazzz
Or how corporate USA get unpunished over and over again.

------
cheriot
A Trump appointee ended the investigation into Equifax

[https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ](https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ)

Wikipedia has more of this guy's greatest hits. I especially love this one:
"In January 2018, Mulvaney canceled an investigation into a South Carolina
payday lender that had previously donated to his congressional campaigns."

[https://en.wikipedia.org/wiki/Mick_Mulvaney#Tenure_2](https://en.wikipedia.org/wiki/Mick_Mulvaney#Tenure_2)

~~~
andirk
Great find! I like the "Mulvaney submitted a quarterly budget request for the
[Consumer Financial Protection Bureau] to the Federal Reserve for $0."

And after trying to shut down the database of consumer complaints, turns out
"8 of the 10 firms with the most complaints about them had contributed to
Mulvaney's campaigns."

------
blondie9x
It's interesting there is more concern and discussion regarding social media
privacy but very little discussion of this PII information that consumers are
not able to control at the moment. Why should consumers not be able to control
who can access this PII data and when they can request it be deleted? They can
do so with social media data, so why not this? If they do choose to delete it
with a given company another company can retain it who has exercised more
fiduciary responsibility by keeping consumers secure. If the company changes
and fixes the holes then consumers should be able to start sharing data again
with that company from that point forward.

------
amarand
This is disturbing, but, really, is it surprising? The GOP is in control of
all three branches of government in America, and they're always very pro-
corporate power. Equifax's data breaches were caused by criminally-
insufficient security controls, by a company large enough to know better. They
could have secured the data and chose not to. They could have brought in
third-party auditors, yet chose to not spend the money. So it's on them.
Hopefully, we can hold Equifax accountable at some point, when the politics
become a little more consumer-friendly again. Right now, it's almost 100% on
the side of corporate rights.

------
b0rsuk
I suppose users are just "getting used to" data breaches? Like clicking your
way through pop-up windows asking for permission to install?

------
goshx
And if you need to set a fraud alert with them you have to do it by mail. FML.

~~~
abawany
Hmm, I was able to lock my credit history with all 3 bureaus without using
mail; TransUnion was the highest touch in that it required phone confirmation.
Prior to that, I had been using the 90-day fraud alert, which I always set
online every 90 days.

~~~
goshx
For some reason they don’t allow me to do it online. Probably because they
were the ones providing my data to whoever is using it.

------
mrnobody_67
Socialize the losses, capitalize on the gains.

Just like all the big banks in 2008.

------
darepublic
The problem is that I have no choice but to use equifax when I need to do
anything involving my credit rating. They have a bizarre monopoly on this
vital aspect of life. When I go to the banks asking for them to give me my
credit score that they have on file they defiantly refuse me.

------
pasbesoin
Further evidence of the lack of any effective competition in this space.

And of wholesale regulatory capture.

So, U.S. public, what are you going to do about it? Bolster organizations who
can effectively mitigate (public or private, to put that agnostically), or let
the wave carry you under?

------
alexnewman
[https://clark.com/personal-finance-credit/equifax-lawsuits-small-claims-court/](https://clark.com/personal-finance-credit/equifax-lawsuits-small-claims-court/)

~~~
solarkraft
> West sued Equifax for nearly $5,000, but the judge agreed to give her $690
> ($90 of which was for court fees)

Come on.

> Going toe to toe with Equifax’s representative in front of a judge, Haigh
> won $8,000.

That's better. But you could still argue that it's not adequate.

~~~
siphor
anyone know why there hasn't been a class action lawsuit around this?

If individuals could win....

------
RickJWagner
Data is like 'electronic IP' such as videos, music and computer programs in
that it's a precious resource that's easily stolen.

The problem is that it's not easy to secure. Physical things can be stuck in a
vault or watched over by armed guards. Electronic IP can be swiped in the
blink of an eye and replicated many times once obtained.

It's a hard problem. To date, only ham-fisted excessive financial fines have
been used to scare the general public. That technique isn't viable for the
long term-- we need something better.

------
vipulved
A more positive implication is that downstream security has gotten good enough
that large breaches like this can’t be systematically exploited for financial
gain. Two factor auth seems to be more pervasive, and there’s a host of
retrospective security tools in the industry.

That said, I have no doubt there’s a vibrant underground market for all this
data, and it's likely being used in more surgical attacks already, and could,
one day, be the basis of a broad attack (once an appropriate attack vector
becomes available).

------
duxup
Heck one of the former Equifax guys went to work for Panera Bread (of all
places) and didn't even know what a security researcher was telling him when
he identified an API that was wide open....

[https://www.csoonline.com/article/3268025/security/panera-br...](https://www.csoonline.com/article/3268025/security/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html)

------
dv_dt
A more interesting question is if costs of fighting financial fraud and/or
identity theft using the stolen credentials have noticeably increased in the
past year. I suspect the costs of this are being borne systemically with
consumers paying in slightly higher interest rates on loans/credit cards, etc.

------
siruncledrew
Equifax has been heavily marketing to banks this new product called
InstaTouch, which they want to be a credit card application handler. The
feature they advertise the most is "security and risk management for banks".

Uhh, no.... clearly they didn't learn from their mistakes and don't care.

------
daveheq
Yet we'll keep thinking this is an Equifax problem without realizing it's a
systemic problem with companies we rely on ubiquitously with hardly enough
regulation above them to prevent them from maximizing exploitation.

------
spullara
They didn't lose your data they shared it.

~~~
paulddraper
It'd have been nicer if they had lost it.

------
mlthoughts2018
I see so many comments on HN arguing that being outraged about this type of
thing and pedantically hammering on it even unto the detriment of your
personal life is not worth it. Comments arguing the opposite get
sanctimoniously downvoted, whether it’s prolonged outrage about police
brutality, abuses of political power, unpunished fraud or privacy breaches,
and so on.

But truly it just seems like sustained outrage is just not high enough to
bring about justice.

~~~
whatshisface
A politician could probably sweep the board picking up all of this unresolved
outrage lying around, I don't understand why nobody is trying to do it.

~~~
darkmighty
It's about balances of power. There's unfortunately a strong tendency for
corporate power to overwhelm all other institutions, given how centrally
organized, self-optimizing, evolving it is. Government ideally should offer a
balancing power, an equally intelligent, evolving structure safeguarding
individuals (and humanity vs economics). The problem is corporations have
found ways to control governments and will use their power to terminate
impacts on their productivity, which will inevitably include human rights,
quality of life, human values.

The only solution I can see is through legislation, strictly forbidding and
creating institutions to prevent corporate interference in government.

Some measures:

1) Outlawing lobbying more broadly, improving campaign financing, etc.

2) Reforming the government to promote greater adaptability and efficiency,
mimicking how companies improve themselves through competition.

There are quite a few examples of countries with good control over
corporations (Japan I think is quite strict at least in terms of election
financing and advertising), and good alignment of government and human values.
But many others, notably the US, turn more and more the opposite way
towards corporate/economic absolutism.

It's been said before, but people put a little too much fear into AI takeover
when gigantic, scalable, self-improving systems with trivial values (economic
output) are already _almost taking over the world_.

Fear The Corporation.

------
usermac
Nothing is going to happen to them in the future as well.

------
adiusmus
People who don’t interact with politicians and often don’t vote can’t have an
opinion about anything political. They are not in the game. Fortunately this
is easy to fix.

------
spaceribs
Equifax and what they do is the epitome of uselessness
[[https://www.vox.com/2018/5/8/17308744/bullshit-jobs-book-dav...](https://www.vox.com/2018/5/8/17308744/bullshit-jobs-book-david-graeber-occupy-wall-street-karl-marx)]

They are a company whose sole purpose is to track how reputable a consumer is,
which is entirely extrajudicial and arbitrary. How do you fine/hurt/stop
something which is pure made up bullshit and had no purpose to begin with?

~~~
tboyd47
It's also blatantly unconstitutional because it discriminates against the
sects of Islam that don't allow loans with interest (and that's the only way
to build "credit").

~~~
UncleEntity
Out of pure curiosity: why would someone who has no desire to obtain credit
care if a _credit rating_ agency hampered their ability to build credit?

~~~
g051051
CRA information gets used in any situation where there are payments over time,
even if they aren't "credit" situations. Renting, getting utilities, etc.

~~~
UncleEntity
All the places I've rented only cared if there was an eviction on your record
and I've never had an issue getting utilities -- sure, they usually want a
deposit since I have a bad credit rating because I'm horrible at paying bills
on time but they always give me service.

The last place I rented started the eviction process the very same afternoon
the "grace period" ended -- think I was off doing reserve stuff that weekend
or simply forgot -- and that caused me to not be able to move into a fancy
apartment complex once upon a time (though, mostly, they were using it as an
excuse to discriminate against a "dirty truck driver" who didn't fit the kind
of people they wanted in their yuppie complex, which they basically told me)
but my current landlord could care less, as long as you pay your rent (not
necessarily on time) and don't cause any problems you're golden.

~~~
lotsofpulp
You’re the perfect use case for the utility of credit reporting agencies by
people who care about getting paid on time, which is almost everyone.

~~~
spaceribs
If you define the grace period in your contract, and they are a little late
with a payment, punishing them for what you agreed to seems counter to the
contract.

If they fall outside of the grace period, you should have a legal means to
arbitrate and make it public record.

~~~
lotsofpulp
Yes of course. But when someone says they’re late, I assume it’s after the
agreed upon deadline which includes a grace period (since that is the real
deadline).

~~~
UncleEntity
Not that it matters too much but IIRC they said you had until the 2nd to pay
and the eviction notice was on the door at something like 4pm on the 2nd when
I came home. I thought it was absurdly early and went and paid but didn't
realize they went to all the trouble of filing with the courts until I was
looking for an apartment a year or so later.

They were also kind of sketchy when I had to break my lease because my reserve
unit got called up to active duty, apparently they were trying to say I had to
keep paying until my mom (who was handling my finances while I was gone)
threatened to get the army lawyers after them which made them change their
tune real quick.

------
_Codemonkeyism
And VW has excellent sales.

------
noobermin
Is this really a surprise? The Trump administration's Justice Department is
too busy trying to get voter registration records from NC to investigate voter
fraud. They don't have time or interest in things like this.

