
After Equifax breach, anger but no action in Congress - tareqak
https://www.politico.com/story/2018/01/01/equifax-data-breach-congress-action-319631
======
mikestew
Yeah, that's why I bought Equifax call options a little bit after the breach
was announced. Made good money on those options, and it pisses me off. It
pisses me off that after an event that should bankrupt a company such as
Equifax, I lay hard-earned on the table knowing that I have an extremely good
chance of a healthy ROI simply because of vested interests and status quo.

Like other political hot topics, this is one of those things that causes me to
ask, "okay, then, how bad _does_ it have to get before populist outrage brings
about change?" Something worse happens, and this is the time, right? Nope. And
so on from one event to the next.

OTOH, in this case maybe the invalidation of vast amounts of data will alone
bring about changes out of necessity. There will probably be a rough patch of
lawsuits, debate, and perhaps a new law or two, but perhaps it will eventually
shake out something better.

~~~
cloakandswagger
I bought EFX after the incident and made a bundle on it too, but I don't share
your outrage.

Does the breach call for some punitive response? Definitely. Does it justify
destroying a $14B company? No. That's an overly emotional, witch-hunting type
of response.

HN of all places should be sympathetic to what happened to Equifax; they
neglected to update a framework which had a vulnerability granting full remote
code execution. That's game over from an info sec standpoint, and how many
developers here can state, with 100% confidence, that every library and every
framework and piece of application code in their own work is totally
bulletproof and will never fall victim to something similar?

The breach should be used by everyone as a lesson, and as I stated earlier
Equifax should receive some punitive action (arguably already delivered by the
hit to their stock price and the public floggings from the congressional
hearings). But saying that Equifax should be bankrupted by it, or that the
executives or developers should be thrown in jail? Be careful what you wish
for. Today Equifax, tomorrow you.

~~~
cwkoss
I think the key part of the outrage against Equifax, and part of why it is
more outrageous than most breaches, is not only was customer data revealed,
but also data about people who want nothing to do with Equifax. There is no
action victims could have taken to avoid this breach.

In most serious breaches, there is a certain amount of "well, you have to be
careful who you give your information to..." even though it's not the victim's
fault. This factor is not present in the Equifax situation. Equifax is allowed
to hold and market a product based on data of individuals who never gave
consent, but has no responsibility to protect that data or repercussions when
they fail.

Arguably this breach has put the final nail in the coffin for using SSNs as
secure identifiers. Granted, it was a horrible and mostly-already-broken
system to begin with. But I think that this flawed system was still worth in
excess of $14B - and Equifax's negligence effectively destroyed that value. I
agree bankrupting Equifax would be heavy-handed, but it would be nice to at
least see some punitive action that would discourage such negligence in the
future and provide an economic disincentive to possessing vast quantities of
private data.

~~~
PakG1
I'm not an American, so I don't know. How much of Equifax's business and value
was driven by credit checks and anything else having to do with SSNs? Because
if the whole SSN system had a $14 billion value, which was then destroyed by
Equifax's negligence, and Equifax had the majority of its business doing this
stuff, wouldn't that make Equifax bankrupt? So either Equifax makes a lot of
money doing other stuff, or the $14 billion in value wasn't destroyed by
Equifax's negligence. I imagine it's the latter, that SSN is still being used
for everything because oil tankers can't change their momentum so quickly. If
you meant that SSNs can safely be predicted to be not used for identification
a decade or two from now, who's to say this was the catalyst? Any system
eventually gets revamped, even government systems, especially if they were
already broken in the first place. There are many examples worldwide of ID
systems and laws changing all the time. In fact, I just read that the majority of
states are supposed to require Americans to use a passport for flying now. The
Real ID Act? Just a bunch of states were too slow to get it done, so they've
been given an extension, but even in the US, there's work being done to revamp
identification in some areas. I'm not saying that it's good or bad, I'm saying
that it seems to happen eventually. Why wouldn't SSN also change up even if
Equifax never happened?

------
rossdavidh
In other words, there will have to be a bigger, more painful incident before
anything gets done. In part, because a large committee composed mostly of
lawyers is not probably the right group to even determine what needs to be
done, in this particular case.

~~~
wmeredith
> a large committee composed mostly of lawyers is not probably the right group
> to even determine what needs to be done, in this particular case

Whelp... this is who is deciding what gets done in pretty much all cases.

~~~
rossdavidh
True, in regards to laws, but in some cases their expertise helps. For
example, tort reform might be an issue where a bunch of lawyers do have
relevant expertise that the rest of us lack, to see possible unintended
consequences, and also what is possible given the rest of the system.

But, in the case of IT security, their experience and expertise is, at best,
not helpful.

~~~
tareqak
However, what if keeping customer information secure was a contractual
obligation as part of offering products for sale, or services for hire? Isn't
a generic concept like that well-understood for lawyers and other people
familiar with law?

~~~
thephyber
> However, what if keeping customer information secure was a contractual
> obligation as part of offering products for sale, or services for hire?

"keeping customer information secure" is not a binary. Most companies that are
breached don't know about it until their data hits the black market. Yahoo!
revised their data breach estimates upwards half a dozen times from 100 million+
to ~3 billion+. The plaintiffs would have to affirmatively prove that a breach
happened to the defendant when most defendants don't even know that it
happened.

It is even harder to contractually enforce when the victim claims it was a
nation-state-actor/APT since no company could hold out against a determined
APT indefinitely.

I'm hopeful that cybersecurity insurance policies will move the needle towards
accountability and increased prevention (insurance policies will require good-
faith efforts at security policies+procedures+tools+employee actions or they
won't pay out).

~~~
tareqak
OK, what about: If a company storing private customer information gets
breached (sufficient evidence is found of said breach), then the company must
make itself fully available for a third-party investigation to confirm the
existence of said breach. If the third-party investigator finds evidence of a
breach, then said breach happened. If not, then there was no breach. If one
third-party investigator is an insufficiently reliable number, then what about
the best two out of three?

------
gehwartzen
It's pretty amazing just how much data Equifax has on consumers. They also own
TheWorkNumber which contains data from HR/payroll of any company using the
service (everything from pay, title, insurance info, union affiliation etc).
I'm not sure what hackers got away with but potentially much more than just
some SSNs.

Then there are countless other credit analytics companies hoarding all kinds
of other specialized data. It's scary to think about.

As a PSA: check out the list [1] of credit reporting companies that the CFPB
puts out. It has the names and contact info for most and you can get copies of
your full reports from them upon request (most are either required or do so
voluntarily). It's a lot of effort to hit all of them but pretty eye opening
and, frankly crazy, to see just how much is tracked. There are databases for
how often, and where, you return items to stores/businesses as one example.

[1] http://files.consumerfinance.gov/f/201604_cfpb_list-of-consumer-reporting-companies.pdf List Of Consumer Reporting Companies

------
MollyR
Infuriating. We need digital consumer protection laws to put increased
pressure on companies to take cyber security seriously.

~~~
g051051
True, but we mainly need a better way to validate identities than information
that is easily stolen.

------
syshum
That is because they are attempting to solve the wrong problem

Congress needs to do 3 things

1. Find a way to limit and prohibit SSN from being used for Identity.

2. Give People Ownership over their PII, end the concept of "who collects it
owns it"

3. Make companies liable for damages when they lose control over PII that is
collected

Congress does NOT, should not, and likely can not create rules and regulations
to govern data storage, security, etc. They should stop trying as that is not
a problem they need to solve nor is it a problem that should be "fixed" in law

------
davesque
Given how technically inept and thoroughly entrenched the major institutions
of our financial system are, I'm almost at the point where I'm waiting until
Russia or North Korea reveals that they've been planting malware for years in
all of our major banks and that they're going to go ahead and push a big red
button and just take all our money. Or maybe that's already happening and
they're being smart by not talking about it.

~~~
greenleafjacob
Thankfully since we aren’t all using Bitcoin, all such transactions can be
reversed.

~~~
davesque
But you can't spend any Bitcoin unless you possess some wallet's secret key.
Explain to me how that poses a comparable risk to the egg baskets that are
today's financial institutions. If your secret key isn't compromised, there's
just no way your coins can be transferred. Furthermore, in the event that any
kind of mass fraud takes place which exploits some flaw in the protocol itself
(contrasted with a flaw in an exchange platform or something similar), the
ledger could be hard-forked. It was done after Ethereum's DAO debacle with
/relatively/ little consequence.

------
cletus
Bear in mind we’re at an odd time politically where the GOP controls the White
House, the House and the Senate.

There is a very small window to essentially pass legislation unchecked and
that hasn’t been easy with a 52-48 (with a tie breaker) majority in the
Senate. We saw several failed attempts at repealing Obamacare.

What’s more that majority is about to shrink to 51-49.

My point here is the GOP currently has no time for anything bipartisan. That
doesn’t mean they’ll address this of course. But it’s just not as important as
the donor class agenda is right now.

Once Doug Jones is seated and we start to approach the midterms expect to see
more unifying issues instead of, say, hugely unpopular tax bills for
billionaires.

~~~
rossdavidh
Also, eventually, a data breach that inconveniences or outrages a bunch of
millionaires will happen.

~~~
lbotos
What would that breach look like? I'm asking sincerely, because I can't fathom
what kind of data breach that would be that wouldn't be able to be "smoothed"
in a matter of days.

- Black card number stolen? Card frozen.

- FDIC insured account attempted to be flushed. Banks flag and/or fraud
protected.

~~~
WorldMaker
FDIC has a per-person insurance liability limit of $250,000 per bank. It's
_possible_ you could find an idiot with more than that in a single bank,
presumably in CDs, with no other insurance coverage on it. You need some sort
of strange reverse Nigerian Prince scheme to cash that out without a paper
trail ("I'm executing his will and he explicitly stated to hand out all of his
assets, damn the losses, as $20 bills and fresh turkeys to orphans and other
passersby on Christmas Day." Maybe call it a "Christmas Carol scheme"?). It's
unlikely to be worth the time investment in terms of being a useful bank
robbery, but it certainly would send a weird message to someone.

~~~
foobarbazetc
No rich person is keeping money unprotected like that. Most banks offer FDIC
maximization solutions.

~~~
WorldMaker
Hence the emphasis on "possible". But yes, an exceedingly unlikely
confederation of dunces.

------
mehrdadn
Is it known how many people have actually gotten their identities stolen so
far as a result of this attack? I would imagine it would not end up high on
Congress's priority list if the number is still low.

~~~
g051051
Known? As of now, 0. Some people are blaming the Equifax breach for identity
theft, but it's highly unlikely that was the case, they're just picking the
easiest target.

~~~
mehrdadn
How about "known" in the sense of "there's a significant uptick of ID theft
cases here after the breach statistically that sure suggests it was the cause,
but we obviously can't necessarily pin down any individual cases on any
individual breach"?

a.k.a.: how much evidence is there of actual harm having resulted from the
breach?

~~~
g051051
Again, pretty much 0. I haven't seen a single reputable report of any
statistically significant increases in ID Theft.

------
jedikv
Did anyone manage to successfully obtain a police report number as a result of
this fuck up by Equifax?

