Hacker News new | past | comments | ask | show | jobs | submit login
Equifax C.E.O. Richard Smith Retires After Huge Data Breach (nytimes.com)
350 points by yanowitz on Sept 26, 2017 | hide | past | web | favorite | 264 comments



So if I design a car with a faulty steering mechanism that fails under unusual circumstances but, when it does, can cause a possibly fatal accident, I have a huge liability problem. Product liability as a whole is a pretty big deal. And that can be in spite of countless hours of testing where there is no evidence of malfeasance, negligence or even incompetence.

Why haven't product liability laws caught up with information services? The Equifax breach here was caused by, at the very least, reckless negligence in that they failed to patch a published vulnerability for MONTHS after it was disclosed.

Now I'm not talking about the BS class actions you get where the class gets nothing (except for the named plaintiffs who, for some reason, make out like bandits) and the lawyers make a ton of money.

What I'm talking about is having the same expectations, requirements and civil and criminal punishments that product liability would have with a physical product, at least when it comes to willful negligence of this sort.

The VW emissions scandal (rightly) is resulting in criminal prosecutions for fraud.

But the makers of routers, IoT light bulbs and the like seem to suffer no consequences for (and thus have no incentive to improve) the security of their products.

I just don't get it.


The major purpose of class actions is as a deterrent for the company. If I cause $10 in harm to a 10 million people, it's not financially viable for them each to sue me, but someone should still be motivated to go after me civilly for that.

Why do lawyers get so much? In the above hypothetical scenario,

- No plaintiff is going to be adequately motivated to sue, so the lawyer has to have incentive.

- No plaintiff has an incentive to pay a lawyer, so he or she has to operate on a contingency basis. This is a significant risk.

- Finding and organizing a large number of plaintiffs (some percent of 10 million), and suing a large corporation, is an expensive process.

- The cost of the suit is incurred before the payoff, which may be years later given the appeal process.

I agree that class actions are often inappropriately used, but that lawyers make much more than the individual plaintiffs is not a priori a bad thing.


> but someone should still be motivated to go after me civilly for that.

In most (all?) other developed nations it is the role of the executive branch of the elected government to regulate and punish businesses so as to prevent defuse harms. This business with the civil justice system being distorted to create self appointed, profit seeking, ad hoc regulators is not the only way to skin the cat.


Seconding this here.

If the state isn't going to prosecute big businesses for misbehaving, say goodbye to _any_ public support for business at all, small or bit.

There was a philosophy that said, 'markets are important, so when a big player misbehaves, make sure the state his them HARD, otherwise people will lose faith in the markets'

Now the prevailing attitude is 'these people can't be allowed to fail or the whole system will fall down.' And then, to nobody's surprise, they misbehave.


There are lawyers that actively search for businesses misbehavior in order to bring forward class action suits. In this scenario, the bigger the misbehavior (financially) the greater the incentive, independent of the magnitude of harm on the individual scale, i.e. you’re not dependent on someone being harmed enough to want to report to authorities. That strikes me as a market behavior that’s fairly well-aligned with the optimal behavior.

As to the question of criminal prosecution or harsher penalties (e.g. dissolving the corporation): to my knowledge, these suits actually draw AG attention to areas of civil misbehavior which often borders criminal misbehavior. They even surface which citizens were harmed and bring forth information gained by discovery, etc. Thus class action lawsuits actually make it easier for the government to act — that they should prosecute but do not is an independent problem.


> They even surface which citizens were harmed and bring forth information gained by discovery, etc.

I'm not sure, but is civil disclosure readily accessible to prosecutors? I thought normally it was kept confidential, and thus would only be available in the case of an active criminal case. I would expect that prosecutors wouldn't be able to trawl through it searching for evidence of wrongdoing, and there's some procedure around that in parallel construction, but I'm not a lawyer and I can't find any specific discussion of that matter particularly.


> If the state isn't going to prosecute big businesses for misbehaving

Under what law?

If there's some specific law they violated, then by all means, prosecute them. But you can't post-facto say "that seems like it was wrong" and prosecute; you can only say "we should pass laws to make that wrong in the future" and prosecute further offenders.

(For instance, they clearly violated insider trading laws. But what other laws, actually written and on the books, did they violate?)


> But you can't post-facto say "that seems like it was wrong" and prosecute

We can and we have. There are a few justification loopholes that have been used in the past, but we can say something is so wrong that laws can be passed after the fact to punish people engaging in it. This power is dangerous, but so is many other government powers currently used.


> We can and we have.

Perhaps in another jurisdiction, but not in the US you can't. https://en.wikipedia.org/wiki/Ex_post_facto_law

It's a fundamental premise that you can't decide something formerly legal is illegal after the fact and go after someone retroactively. (Now, if they're still doing it, you can, which is also deeply abusable, but marginally less so.)


>Perhaps in another jurisdiction, but not in the US you can't.

Yes you can. Even if there are rules banning it, like any system made by humans, exceptions are made when they are popular enough (or when the target is unpopular enough). In the US in particular, the way exceptions are made is to consider the punishments not being punishments. So while this does mean that extra prison time can't be used, things like indefinite involuntary commitment or extensions of no punishment actions are allowed. One example is extensions of time on the SOR, which has been ruled to not violate ex post facto even when the extension happens after the sentence has been given.

As I said, we can and we do. We just play creatively at it so we can pretend we don't violate ex post facto.


Regardless of whether it is the optimal system for encouraging liability minimizing practices, other developed countries have found a perfect mechanism either.

American owners of diesel VWs might have their cars bought back from them and be offered up to $10k in additional compensation. Furthermore VW has portrayed this as an obvious decision they made because they love their customers and want to make things right again.

The same customers in Germany might get a free "upgrade" at the dealership which reduces airflow so that the car is compliant with pollution regulations, but less powerful.


You don't need American style, lawyer dominated, opt-out class actions in order to right a wrong that caused $10k in damages to each consumer. You could use regular old joinder.


How does joinder solve the problem? You still need to motivate all those individual plaintiffs to hire a lawyer and sue, then get a court to join each one (with, presumably, opposition from the defendant every time), and then you don't have the benefit of the streamlined class action procedural rules (streamlined relative to a case with several thousand individual plaintiffs, that is). And you still have to pay the lawyers!

I'm not here to say that class actions are the best, or even a good way of regulating, but I really don't see how the joinder rules offer a useful solution.


I don't think the situation described by rz2k is a problem of regulating. The problem he points out is not that Germany didn't sufficiently punish Volkswagen -- though it might not have -- but that the hurt German consumers were not made whole.

In terms of being made whole for a substantial tort (on the order of $10k) I don't think standard american tort litigation with joinder is perfect, but I think it is a better base to build upon than rule 23 litigation. With injuries of that size I think it is practical and desirable for cases to be client driven rather than hoping a judge reviewing a settlement will adequately protect the interest of the class as against those of class counsel.


great summary!


If we start screaming "something must be done!", we'll be very unhappy with what actually gets done.

There are so many people who are at least partly to blame when something like this happens. Bob the engineering manager who committed a quick but insecure fix years ago, Shirley the intern who didn't know what she was doing, Joe the manager who hired Bob and Shirley in the first place, Mike the manager at the company supplying third party software that ends up being exploited, etc.

The worst outcome is that companies outsource all their IT security and therefore responsibility to companies that disappear as soon as there is a problem. But if we rush too quickly to impose criminal sanctions, that will be the likely outcome.

The better solution is to work this one out as a society. Stop relying on things like SSNs and maiden name as "security", and stop building enormous silos of unnecessary data.


Equifax must be dismantled and driven into bankruptcy.

You present a fallacy. No, a rational company with accountability for its data doesn't outsource their IT security or let the intern access production. They take their job seriously and prevent something like this from happening by building security into their architecture.

I have worked for companies that recognize they are liable for protecting the data they hold, and that it only takes one breach for trust to be destroyed. We spent countless hours hardening, compartmentalizing, and monitoring our infrastructure. The nihilistic implication that nothing can be done is maddening.


>"Equifax must be dismantled and driven into bankruptcy."

I don't disagree with that sentiment but you have to deal with the whole triumvirate - Equifax, Experian and Transunion.


As well as ChexSystems which contains just as must personal data about deposit accounts instead of credit accounts. Also Lexis which collects from a wide range of private sources and has exclusive special arrangements with public sources.


I guess I am not as familiar with CheckSystems, is that pay roll data?

Does Lexis Nexus collect financial data on individuals? I thought it's focus was research


ChexSystem is bank accounts and contains very, very little information compared to credit bureaus. Just accounts you've opened (and attempted to open) recently and any negative information. You can (and should) request your report here: https://www.chexsystems.com/web/chexsystems/consumerdebit/pa...

Early Warning, however, contains way, way more information about bank accounts. It lists most of your accounts plus dates opened, dates closed, and other stuff. (I don't have my report on hand, so I'm going from memory) You can (and should) request your report here: https://www.earlywarning.com/consumer-information.html#instr...

I request both every year. (Because I churn bank account bonuses)

LexisNexis has a whole crapload of consumer reports. The big one is the CLUE report on insurance claims. They have employment databases as well and probably others, I'm not as familiar with them. You can request a copy of your CLUE report here: https://personalreports.lexisnexis.com/fact_act_disclosure.j...

I have to admit, I've never requested my CLUE report.

I've mentioned this in another comment but there's actually two more credit bureaus, SageStream (request report here: https://www.sagestreamllc.com/consumer-report/) and Innovis (request report here: https://www.innovis.com/personal/creditReport) I've never requested either myself but I am in the process of requesting both right now.


I have requested my CLUE report from LN. It contained basically no information.


The report I got had inaccurate information. Mostly about previous residents at this address.


It wouldn't unless you've had recent (<5 years) insurance claims.

That's a good thing to know that people aren't making insurance claims in your name.


ChexSystems does not have salary information. They contain information on bank accounts that have been overdrawn, bad checks, and checkbook orders. They also contain information on accounts in good standing, and the usual information like aliases, addresses, SSNs, and driver license numbers.

Lexis Nexis long since moved beyond newspaper and courthouse archiving. They have dozens of intelligence products and databases aimed at marketing, debt collection, private investigators, and law enforcement. They collect massive personal consumer (and business) data, including retail purchases and returns, and salaries, and associate it in a Facebook-style graph, loosely associated with SSN and DL#.


Interesting about both, thanks. I suppose it's just a matter of time before both of these are compromised. In fact is surprising that they haven't. I wonder if this is just because they aren't as well known as the big 3?


Lexis sells access to everything although some of the databases are pricey. I have not heard of a ChexSystems breach yet. They are integrated with most banks.

Even with normal use and no breaches, all these cross-referenced databases are hell for those of us who went through a gender transition. It is practically impossible to get rid of references to my old name. It outs me anytime I open a bank/credit account or arrange new insurance.


Lexis Nexis suffered a breach in 2013.


I only learned last week that there is also Innovis. I'd bet there are smaller firms doing the same thing, as well.


Innovis as well.


Sagestream is another (rarely used) credit bureau: https://www.sagestreamllc.com

Notably it's used by Bank of America

More information: http://www.latimes.com/business/lazarus/la-fi-lazarus-credit...


Interesting. I was unfamiliar with Innovis until last week where an article I read mentioned freezing your credit profile with the big 3 agencies and mentioned that it wouldn't hurt to contact Innovis as well.

Are they a distant 4th then?

If you put a security alert on on your profile with one of the big 3 agencies it automatically propagates to the other 2. I wonder why it doesn't propagate to this agency as well.


FWIW, the only major company that I know of that uses Innovis is US Bank.


Interesting, it's tempting to not be concerned about them then although if we've learned anything there is zero correlation between doing business with someone and them collecting data about you.


Companies that take this sort of thing seriously ALSO have breaches occur. They just do a better job of mitigating them, and messaging them.


Breaches occur. Negligent security, networking, and auditing missed or ignored network segmentation. I can forgive a small company dealing with my email when they lose it. Equifax is't a small company. They didn't just lose my email. They should be disbanded and their CTO, CIO, and CEO should be held personally responsible.


And Equifax's handling and messaging was truly abysmal. Security professionals are going to write songs about this and pass the knowledge on to their (older) children as scary camp fire stories.


Then perhaps the risk of allowing this kind of business - period - is too great.


The alternative is higher interest rates, reduced unsecured credit, pay-in-advance for housing, and shutting "the masses" out of access to capital.


Correct, all companies face breaches, it's the management and response that should determine the course of action. This is where an independent investigation is crucial for determining basic failures vs systemic disregard. The harder part would be weighing it.


> The nihilistic implication that nothing can be done is maddening.

THIS. And in this case we have blatant evidence of negligence- There is absolutely zero excuse in this day and age to not keep operating systems patched up with security patches. There is no financial excuse, there is no logistical excuse, and given the sensitivity of the data, there is no ethical excuse. Take the responsibility seriously, or please just go off and die in a fire. (Or, if you're an Equifax executive, retire at the height of your incompetence.)

Which is why I shamelessly say: Fuck Richard Smith, fuck Equifax, fuck Susan Mauldin, and fuck their entire IT management staff. What the fuck is wrong with you people?

Disclaimer: I was recently hacked/had my identity stolen, and although I was fortunate to only have to wait 2 weeks to get back access to everything, I may be a little sore about stuff like this.


I agree that seeing Equifax go bankrupt over this would be great. But do you honestly believe your data will be safe? All that time you spent hardening your architecture makes it safer, but not 100% safe. If it's hacked because of one mistake that one person made, would it be right to hold you criminally responsible?


There should be no avenue for single points of failure to result in catastrophic data breach. Neither architecture nor procedures should allow a single person to compromise the system, willingly or accidentally.


If you can't guarantee that the data can be kept safe, then you shouldn't rely your business on it.


I don't disagree, either, but whatever data Equifax has collected would be part of the bankruptcy sale.

Equifax needs to wipe its data and all extant backups. Then it can be sold (for maybe ten dollars).


Were the companies you worked for dealing with data at the scale of Equifax? Were they under the kind of unceasing attack that the Equifax systems are? Do you think you could have withstood that kind of assault on your systems?

All the CRAs endure attacks at a scale that are difficult to comprehend. It's frankly a surprise that something like this hasn't happened before to any one of the big 3.


It's only surprising because we now know how terribly fast and loose Equifax was operating. I certainly assumed they knew their job and were operating more akin to a bank in terms of data protection.

Then again, I once did work for a bank, and witnessed an event where user PINs were discovered to be publicly available if one happened to know the magic URL. This discovery was made through the process of a pen-test team sharing their findings back to development, who in turn extended their findings based on what developers knew about the system. Forensics done after the discovery revealed no cases of anyone actually finding the magic URL, which was a big relief for the company. So maybe the banks aren't as strong as we think, either. We have quite a few payment breaches to look back to as evidence.


> It's only surprising because we now know how terribly fast and loose Equifax was operating. I certainly assumed they knew their job and were operating more akin to a bank in terms of data protection.

Can you cite a source for how we "now know how terribly fast and loose Equifax was operating"?

Equifax is a CRA and is treated as a financial institution under the applicable laws, like banks are.

> Then again, I once did work for a bank, and witnessed an event where user PINs were discovered to be publicly available

Then you should know better than to simply claim that a company that suffers a breach is somehow inherently incompetent or uncaring about security.


A banking company operating in 1999 is an entirely different context than Equifax operating in 2017. The web and its risks aren't new any more. Equifax's database being one webapp away from disclosure is entirely irresponsible - and if there is no alternative, then they'd need a kick-ass pen-testing, bug bounty, patching, WAF deploying, internal security program. If they had such a program, it would have caught this issue in multiple ways. If they weren't going to deploy the patch, they could have asserted rules in the WAF, for example. We can only assume, then, that this effort was either underfunded, poorly managed, or both.

Furthering their incompetence by linking to phishing sites in the aftermath, not offering data protection automatically, and suggesting US persons should pay them for protection (!) all point to the deeper corporate problem that is at the root of this issue, which is that they see US persons as suckers and don't really care about data privacy or information security. Otherwise, they'd have staff trained on response and they'd have social outreach folks validating URLs before posting as the company representatives.

It's totally appropriate for the CEO to resign.


> We can only assume, then, that this effort was either underfunded, poorly managed, or both.

Pure conjecture on your part. You have no insight into their security program. The only thing you can accurately infer is that they missed this one.

The phishing site thing was pretty stupid, though, I agree.


> Equifax was negligent to spill all that data, but a business model that requires all that data in one place is itself a form of negligence. - Matt Blaze

http://thehill.com/opinion/technology/350197-equifax-breach-...


I'm not sure how this opinion piece figures in to anything. He's entitled to his opinion like anyone else, but his saying it's negligence, without any legal basis for the claim, is just puffery.


You disagree that the business model itself is a form of negligence?


Of course. You don't?


> No, a rational company with accountability for its data doesn't outsource their IT security

There are a lot of irrational companies in the world by that standard.


>Bob the engineering manager who committed a quick but insecure fix years ago

Unacceptable. Software development needs to be treated as engineering. We need to finally rid ourselves of the concept of "quick and dirty". If that means all the people who live off of that style of development leave the industry, fantastic! It would be great if every manager who told his devs "I don't need it to be perfect, it just needs to kind of function and be ready by EOB today" could end up financially liable.

>Shirley the intern who didn't know what she was doing

What was she doing working on a production system unsupervised? A plumber-in-training may get to work with the pipes on his own a bit but you can be sure the certified plumber will inspect everything before signing off.

The IT industry needs a shakeup and if it takes something like this to accomplish it, good.


I think it's rarely that straightforward. Think about how all the different ways software evolves: one way is, code is written when the company is first getting going, and before you have users or revenue or any kind of product/market fit, it really makes very little sense to be writing bulletproof code. "Quick and dirty" is a rational decision at the early stages of a company.

A small subset of these kinds of systems end up at big companies, because they're acquired, or because the company grows, etc etc. How do you draw a line in the sand where everyone stops the world and re-implements all the "quick and dirty" stuff?

I briefly worked in construction and I've seen plenty of "quick and dirty" there, also, particularly in suburban renovations. Time is money in these projects, and corners are often cut. I'm not saying all engineering works this way, clearly building bridges is a different matter, but I am pointing out that there is a spectrum.


> A small subset of these kinds of systems end up at big companies, because they're acquired, or because the company grows, etc etc. How do you draw a line in the sand where everyone stops the world and re-implements all the "quick and dirty" stuff?

Quite frankly, it seems like you nailed the point when someone should be re-implementing the quick and dirty stuff; the moment it gets acquired and integrated. I do understand what you're saying, but I cannot agreed that just because something is difficult to do means that one can hand-wave responsibility. In the case of large companies that have been subject to breaches recently, the only reason they get by after the fact is because they can afford to; if it were to happen to any of the small shops running in "Quick and Dirty" mode and something happened, the shop would more or less take a hit it could not recover from.

I see this in action and hear the same excuse every single day with my clients, and it doesn't matter if they're a multi-national whose infrastructure spans continents or some dude with a pirated hyper v host in his room, the excuse is always the same: "Oh we had to do it that way, and didn't have time to fix it."

Quite frankly, it's non-sense, infinitely moreso in virtual environments. The workflow and technology available for patch-testing, deployment, and rollback has never been faster, safer, or easier than it currently is; companies just aren't doing it, and no one is holding people accountable for negligence. If the aforementioned construction workers who did a quick and dirty job cause major damage to the house as a result, they would be liable for damages due to their negligence. I'm not sure why we in the Tech community somehow think we're above responsibility for our negligence.

I understand that money is on the line - I deal with clients where every minute of down-time has a substantial dollar figure attached, and there's always the attitude of "we'll deal with it later"; and yet, this attitude always ends up causing more trouble in the end, and naturally costing far more.

Edit: Changed "...responsibility for our own negligence" to remove "own"


> The IT industry needs a shakeup and if it takes something like this to accomplish it, good.

How would you propose doing this, though?

In other branches of engineering, there's licensing and certification processes - but only after you have gone thru and passed an accredited course (ie - university engineering degree).

This is fine for the majority of engineering, because most of it is fairly settled knowledge, and doesn't change on a nearly weekly or faster basis; unlike what we call "software engineering".

We could say that current university computer science or similar degrees could be the initial thing to allow you to get certified and/or licensed - but how would that translate into the testing for certification/licensing?

Especially when "best practices" might (will) change almost literally overnight? How could any company know that Bob Jones MSE (Masters in Software Engineering) has and knows everything there is to know and is 100% up-to-date with the latest software engineering, security, database, etc practices needed for his craft (especially those items that changed last week)?

With other engineering fields, such change doesn't happen anywhere near as quickly (and in some, it may be years or decades between new updates).

Also - how would propose "grandfathering" in existing software engineers and other similar professionals? While on the surface I would like to see such a change to a more professional attitude, I don't want to see myself personally "left out in the cold": I don't have a degree in the field; my knowledge is self-taught and/or learned on the job over the past 25+ years.

I don't know anywhere near everything, and in many cases I am always learning something new (or learning the name of some "pattern" that was something I had been taught years or decades ago before it had a name). I honestly find the learning aspect to be one of the things I immensely enjoy about my software engineering career.

But I don't want to find myself tossed aside because I don't have a degree, or find that I have to go back to school just to keep my career (indeed, going back to school for this reason would likely leave me without a job in the end because of many businesses balking at hiring older developers like myself - which is also why I tend to always stay abreast in my skills and knowledge).

I'm not expecting any answers - just wanting to throw out some food for thought.


I also don't have a degree. One thing that could be done would be something closer to how doctors are handled in most (?) countries: you need to pass some kind of certification and you need to recertify on a regular basis. A doctor, additionally, needs a PhD but I don't think that's needed for software development. We just need proof that the person produces safe systems, based on the most recent understandings of how to do that.

And I wouldn't expect someone to need this certification before a compiler would run. I would envision something more along the lines of: a company cannot have a "badge of software engineering" or some such unless all the developers working on their production systems have these certifications. If it's a small company running a PHP website then they probably don't need certified people and probably their clients won't (initially) care that they're missing the saftey badge.


The idea that the only possible solution is to start over is unrealistic, unhelpful and also wrong, and is so despite your attempt to caricature anyone thinking otherwise. With proper policies, technical measures can be taken to greatly improve security over the clusterfuck that is Equifax (and probably the other agencies as well.) With proper regulation, the company (and so, indirectly, its shareholders) and its officers could be held responsible, whether or not they choose to outsource the implementation. For a start, every regulation that Equifax was lobbying to be weakened could be strengthened.

In the 18th and 19th century, Britain transported many petty criminals to penal colonies in Australia. Putting aside the brutality of that policy, there was at least some concern over the number of deaths on the voyage. After other attempts failed, one simple policy brought about considerable improvement: shipowners were paid by the number of live transportees arriving. They complained mightily that it would not work, but it did.

Frankly, your post looks like a self-serving defense of business-as-usual mediocrity in IT.


In a previous discussion on HN, a pretty convincing argument was made that all the government needs to do is legislate any loss of information that includes a SSN is an automatic $100 penalty per SSN. Companies will need to buy insurance to cover this and the insurers will take care of the rest.


That might move the needle forward a bit. But if the lawsuit for the fine can be tied up in court, delaying penalty long enough for the executive bonuses to hit, it would not be very effective, I think.


Who pays the $100? The parent company or the subsidiary that can go bankrupt, and transfer its assets to another subsidiary for $1?


Hiding behind bankruptcy only works if the subsidiary has no assets. Patent trolls work this to their advantage by creating a company whose only asset is the patent. If they lose / the patent is invalidated the company's only asset is worthless. They therefore have no assets to pay their debts.


That's not how bankruptcy works. Assets are used to pay debts including legal debts.


The insurer.


Whichever party the consumer gave the info too. If X gets fined then it's their job to sue someone else if they think that someone else is responsible.


For the big credit agencies, how do you tell where the info came from? If you pay your rent and you make payments on a credit card both entities may file a credit report including your SSN, name, address, etc... If the credit agency loses track of their database, how do you determine which submitter should be responsible?

It makes more sense to assign all the blame on whatever entity lost control of the data. They get a big fine and as long as they were following best practices (as outlined by their insurance company), then their insurance company will pay the fine and the business keeps chugging along.

If the company was negligent, the fine is likely a death sentence.


Hold the directors and/or executive team personally responsible if the company folds without paying?


Your describing an unfortunate series of events. Were talking about a company who had "admin" as a user name and password on a database with consumer data on it.

> The better solution is to work this one out as a society. Stop relying on things like SSNs and maiden name as "security", and stop building enormous silos of unnecessary data.

This doesn't stop aggregators from forming, the data has value someone will collect and sell it.


The only place this issue ends up, if pushed hard enough in the Congress, is mandatory licensing (with fees, of course) for software engineers. Best case: you limit such licensing requirements to certain domains.


I agree. It's very difficult to get a government to pass a 'common sense law' given the myriad influences of different alliances, lobbyists, special interests, etc. that seem to corrupt just about any bill that goes before Congress, no matter how well-founded it may be at the very beginning.

I'd also much rather have government under-react than over-react. (The former has a lot more flexibility)

EDIT: Fixed words


This is only an issue because everyone has the "not my problem, it will never come back to me" attitude. Ideally by the time this case is fully fleshed out the blame will trickle down from the top and many people will be implicated. Either their reputation in the industry being tarnished or contracting companies getting sued by Equifax for making them liable.


I'd add that the vitriol against Equifax partly arises from everyone's distaste of CRA's (credit reporting agencies) owing to their magic 8 ball scheme of ranking credit. There may also be some reserved anti-sub-prime sentiment that lingers from 2008.

At the very least, I hope this will cause lenders and credit reporters to take data security very seriously.


"There's plenty of blame to go around" and its equivalents are semantically null.


> Why haven't product liability laws caught up with information services?

I fear that the simple answer is because we no longer live in a country (or political climate, if you prefer something more optimistic) where regulatory and legal structures like product liability are thought of being the role of government. The neoliberal response to this is "the market will punish Equifax and other, more responsible competitors will take their place or force them to change their ways." The very concept of human beings exerting political will to make a company do something is almost unfathomable these days.


I'm curious what you mean by "neoliberal" here. It's not a term I'm very familiar with. It is especially confusing to me because what you went on to describe is traditional Conservative reasoning.


'neoliberal' is not directly related to 'liberal' (in the sense that, in the US, 'liberal' basically refers to democrats). many of both republicans and democrats can be considered neoliberal.

neoliberalism is notionally centered on things like free markets, globalization, free-trade, privatization, deregulation, etc. and can be seen as a sort of pro-business or pro-corporate philosophy.

i'd say 'conservative' is really a question of preferring the status-quo, or perhaps traditionalism. consider that 'conservative' can imply potentially very different views if you contrast US and EU conservatives (or elsewhere). a conservative is better contrasted with a 'progressive' who enthusiastically seeks (perceived) beneficial changes to the status-quo or traditions.


> neoliberalism is notionally centered on things like free markets, globalization, free-trade, privatization, deregulation, etc. and can be seen as a sort of pro-business or corporatist philosophy

“pro-corporate”, perhaps, but corporatism is a different thing and opposed to neoliberalism. (It doesn't come from “corporation” in the sense of the business enterprise, but from the same root referring to a body, in this case referring to the whole of society as a single body.)


ah, right, my mistake. thanks!


Kind of a buzzword these days, but the Wikipedia describes the term pretty effectively.

https://en.wikipedia.org/wiki/Neoliberalism


It is, in my opinion, designed to be confusing.

Neo-Liberalism is the ideology of the discovery of law through economics (which is held to be a sort of axiomatic "scientific" given). Basically if corporations were people -- and hey look here, they are -- and were to get together and dream up an ideology for themselves -- you know, corporations of the world, unite!! -- they would task some of their human lackies to manipulate their institutions to install Neo-Liberalism as the world wide political-economical regime.

Any other questions?


From what I can tell, "neoliberal" is a way of saying "crazy libertarian" without raising the hackles of libertarians.


> From what I can tell, "neoliberal" is a way of saying "crazy libertarian" without raising the hackles of libertarians.

While neoliberalism and libertarianism are in the same direction, they aren't the same thing. Neoliberals are generally fine with government restricting what can be bought and sold, they just want most legal goods and services to generally be provided by private enterprise with limited regulation, and with only very limited barriers to international trade in goods and services that are legal in both the source and destination jurisdiction.


Not really, the traditional conservative answer would be more along the lines of companies should be allowed to do whatever they want because ultimately that's better for the individual. The neoliberal argument is closer to one of the inevitability of markets, both in the negative in the positive: the invisible hand will solve this, and the invisible hand is inexorable so it's futile and wrong to try and do anything except let it do its work.


Speaking to class action lawsuits:

My credit score was 800 and I had a mortgage for $409,000 I put $80,000 down in cash.

I never missed a payment and was never late.

I went to pay my mortgage and the website looked the same, but the payment button was removed.

I called and was told that my mortgage was sold and that I'll get a welcome packet in the mail explaining to whom I should pay my mortgage...

It never came.

I called daily for months.

Finally I got something in the mail. A foreclosure notice for not paying my mortgage...

I got in touch with them and they told me "don't do anything, Obamas going to fix this" (literally that's what they said)

Then I got another notice.

Then they said they would refi me... then they said I made "too much money to qualify for a refi, and that I needed to pay $52,000 right then to not get foreclosed.

I got foreclosed upon. They came one day and changed the locks when I was at work.

I contacted the person who left a sticker on my door and told him I would come to his house and shoot him in the face if he didn't come open my house within two hours.

He showed up.

I filed suit, class action, and I won.

I won $1,008.00

My credit is ruined


Exact same thing happened to my ex in Denver just over a year ago. She was able to fix it after 9 months of calls, paperwork, and lawyers. She then sold. Almost put her in the hospital. I've since heard of it happening to several other people. Their mortgage gets sold, they aren't given the ability to keep paying on it, their home goes into foreclosure. More common than a lot of people realize.


It is an extremely embarrassing thing to have happen to oneself, so I assume, others like myself do not go telling anyone.

The issue is that while the credit rating system is utter bullshit - there is a LOT attached to it WRT life...

Basically if you have shitty credit, people look down on you.

I make 228K per year, but due to that issue, and regular life circumstances (divorce, etc) my credit is poor - and I just got denied a card from Chase, due to Equifax saying I owe Comcast $128 (for a device I returned to them - but they still are dogging my credit)

Credit industry needs to get ITS CREDIT up.


I've tried to return Comcast equipment that I'm not using, and then they ship me a new one a few days later. I think part of their business model is forcing you to buy equipment they decide you must have lost.


You filed a "class action lawsuit?" More details, please. Who was the class? Why a "class action" when you were personally harmed in a major way?


I can't recall the details and maybe that was poorly worded... I was contacted and told my story and there were others who had the same thing happen to them, thousands, actually, and I was supposedly a prime case, so they asked if I would submit some info on my situation, and I did... and the case was won and I got a check for a thousand bucks and no changes to my credit report in my favor...


> I contacted the person who left a sticker on my door and told him I would come to his house and shoot him in the face if he didn't come open my house within two hours.

I get the feeling you're not telling us the whole story because if you did this you're a) stupid and b) would have gone to jail.


Welp - when you have $489,000 stolen from you in the manner it was stolen from me, you tend to make rash decisions. I literally did do this - and I have zero qualms about telling him such.

So I couldn't care less of your opinion of the situation - but you were not there. I have no issues. They are scum opportunists and its amazing how the whole freaking country just let this happen...


> when you have $489,000 stolen from you in the manner it was stolen from me, you tend to make rash decisions

Did you at any point contact your state financial services regulator or the Consumer Financial Protection Bureau or any other federal or state regulator?


Was your mortgage initially underwritten by a credit union? What did your personal attorney try to mitigate this situation, and what were the outcomes? Are you under a gag order, or can you publish details and name names?


Wow. Wow. Wow.

When was this? Did they sell your house or do you still have it?


2009 they sold my house, ruined my credit, the mortgage companies in question went out of business and I have no recourse...


> I just don't get it.

It's not supposed to make sense. This is how Corporate America works these days (or more precisely, since the late 80s).

He ( C.E.O ) is gracefully landing on his retirement pad in his Golden Parachute of at least 18 MILLION, and there's no mention of any of this in most mainstream media stories. The senate is also preparing to Grant Equifax Immunity from consumer lawsuits

> Disgraced Equifax CEO Richard Smith runs for the hills – toting $18 million in retirement benefits – with 143 million consumers still left in the lurch.

Source: => https://www.commondreams.org/newswire/2017/09/26/not-another...


uhhhhh. Do you have a second citation for "> The senate is also preparing to Grant Equifax Immunity from consumer lawsuits". A quick google search didn't reveal anything, and the website you linked to has a radical left bias.

[edit1] The closet thing I can find is that senate republicans aren't co-signing bills to add more regulation. Not that they're trying to grant immunity to Equifax. http://www.pbs.org/newshour/rundown/equifax-breach-congress-...

[edit2] And at the end of the article:

> Even if the Equifax breach fails to bring about the passage of new legislation, it has scuttled one bill in the works. On the day of Equifax’s announcement, a House subcommittee examined legislation that would have decreased the potential consequences when consumer reporting agencies falsely malign someone. Such mistakes can haunt consumers for years.

> The bill would have eliminated punitive damages for violations of the Fair Credit Reporting Act. The bill’s sponsor, Rep Barry Loudermilk, R-Ga., said the legislation was aimed at curbing frivolous lawsuits and would not have granted any immunity to Equifax for the data breach. “Nevertheless, given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action on any bill at this time.”

So I suppose there was bill that could have done that, but it's dead now.


> Do you have a second citation for "> The senate is also preparing to Grant Equifax Immunity from consumer lawsuits"

Here you go: Ga. lawmaker defends bill curtailing class actions after Equifax hack => http://politics.blog.myajc.com/2017/09/16/ga-lawmaker-defend...

> Georgia Congressman Barry Loudermilk is shooting back at consumer protection groups and other critics who have slammed his bill to curb the use of class action lawsuits in the aftermath of Equifax’s mammoth data breach.

Note the Congressman is from Georgia and Equifax is HQ-ed in Atlanta, Georgia.


Welp I'm angry about that!


> The Equifax breach here was caused by, at the very least, reckless negligence in that they failed to patch a published vulnerability for MONTHS after it was disclosed

Managed by a security VP who had no relevant experience?

I posted this in another comment, and got massively downvoted. Not sure why...


Because you're trying to instigate a credentialist witch hunt. It's a business role, not a technical one. You don't need to be an accountant to be CFO either. You just need to make domain-specific business decisions that keep the CEO in power and be the public face of failure in his stead.

The internal culture there is such that revenue is prioritized over responsibility. Said culture is driven from the top. EFX stock had been rising steadily for years under Smith's direction, and we're now seeing at what cost.

Concern yourself all you want with the CISO's music degrees. I'm just glad to see the person actually responsible for this toxic culture has finally taken the knife.


I actually haven't seen their experience posted anywhere.

I have seen their degree, but that's meaningless as most of the truly talented developers and technical people I know have a degree that is not directly specific to their current role.

What was their experience before Equifax? Do you have links?


http://www.marketwatch.com/story/equifax-ceo-hired-a-music-m...

Equifax “Chief Security Officer” Susan Mauldin has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. Her LinkedIn professional profile lists no education related to technology or security.

Her LinkedIn profile has since been removed entirely.

A copy is shown here:

https://www.hollywoodlanews.com/equifax-chief-security-offic...

She was previously Senior Vice President and Chief Security Officer at First Data Corporation, until July 2013.

The snippet posted there shows her previous jobs as "professional".

No security person I know has zero security experience on their resume.


it's not like a c-level at a large corp is personally handling technical implementation details. outside of a small startup, an exec is not a 'security person' in the sense you say.

it's one thing to say it happened on mauldin's watch and as the senior person in charge of security they bear responsibility (as any leader does).

this degree stuff, however, is mostly security theater and very weak argumentation.


The point is nothing in her resume shows she has any experience in the field.

While I don't expect an exec to be at the same level as current researchers, they should know something about the field.

Her music degree is not completely relevant, tho it is concerning. The rest of her resume (and total lack of relevant experience) is more damning.

Look, I personally know someone who's a C level in a tech company, with a political science degree. But his resume shows 15 years of full-time employment in his current field, plus summer jobs in university, and going back to high school. So with 20 years of experience in the field, his degree doesn't matter so much.

Your counter position seems to say that execs can manage a division while knowing nothing about what the division does. There's just no way that's true. The exec must know something in order to be able to prioritize projects, set goals, mediate disagreements, etc.

Or would you say that someone who has no education in a field, and no experience in a field, is qualified to be an executive-level manager for that field?

That's just hard to believe.


https://www.washingtonpost.com/news/the-switch/wp/2017/09/19...

Alice Goldfuss @alicegoldfuss Hi, I'm a Site Reliability Engineer at a large tech company.

I have a BFA in Film.

Steaknap Sleepchew @treelzebub Android Tech Lead here. Was a Religious Studies major, then a cook/chef for 12 years. #unqualifiedfortech

Richard Bejtlich @taosecurity Undergrad degrees in history, pol sci, French, German. Masters in public policy. Wrote 4 #cybersecurity books, was CISO. #unqualifiedfortech

Twitter Ads info and privacy (Bejtlich is the former chief information security officer at Mandiant, a cyber forensics firm that has investigated data breaches at many companies, including Equifax.)

Joe Uchill @JoeUchill Peter Thiel majored in 20th centrury philosophy. Now he harvests the blood of the young.#unqualifiedfortech

About 85 percent of Duo Security's hires do not have a formal background in information security,

Wendy Nather @wendynather I don't have a degree; if I'd gotten one, it would have been in liberal arts. But I've been in tech for 30 years, so their logic is flawed. https://twitter.com/alicegoldfuss/status/908430394529259520 … Follow Derek Robson @asinine_net_nz I know several people in infosec wth a music degree.

And a CISO is as much about risk management as CS and tech.


That's nice.

Do these people have any competence in the field before they're hired into an executive position?

> Steaknap Sleepchew @treelzebub Android Tech Lead here. Was a Religious Studies major, then a cook/chef for 12 years.

Not relevant.

> Richard Bejtlich @taosecurity Undergrad degrees in history, pol sci, French, German. Masters in public policy. Wrote 4 #cybersecurity books, was CISO.

Not relevant.

> Joe Uchill @JoeUchill Peter Thiel majored in 20th centrury philosophy. Now he harvests the blood of the young.

Not relevant.

> About 85 percent of Duo Security's hires do not have a formal background in information security,

Do they have experience in information security?

a) yes, therefore they have some qualifications, and the comparison is not relevant

b) no, therefore the employers are hiring people who are manifestly incompetent at their jobs

> Wendy Nather @wendynather I don't have a degree; if I'd gotten one, it would have been in liberal arts. But I've been in tech for 30 years, so their logic is flawed.

i.e. she has experience, and the comparison is not relevant.

> And a CISO is as much about risk management as CS and tech

So you're honestly saying that a widget company can hire a VP of widget manufacturing, who knows nothing about widgets or manufacturing? This is not just false, it's patently absurd.

The point isn't "OMFG she has a music degree". It's that there is no reason to believe she has any experience or competence in the field.


The idea that a management specialist can effectively lead divisions and companies in fields that they have no concrete experience in is a popular one in MBA circles (very conveniently, because it means MBAs have many more opportunities). It's also a crock.


That LinkedIn profile doesn't support your argument other than she's worked at some very high profile companies as a "Professional" for ~15 years.

If you have more insight, please do share, but there is none in those links.

So basically you're posting about the degree nonsense and non-story.


> That LinkedIn profile doesn't support

Any argument.

So far as any evidence goes, she has zero experience in the field.

So basically you're trying to nit-pick at me for saying that there's no evidence she has any experience... while not showing any evidence that she has experience.


> So far as any evidence goes, she has zero experience in the field.

Er.. no. As far as evidence goes there is not enough evidence to draw a conclusion. Saying she has zero experience is not the default - it's a position.

So basically, again, I ask for any evidence of the original statement. So far there has been none (this might be why there were downvotes before btw).


Again: nothing in her resume shows she has any experience in the field.

It is entirely reasonable, therefore, to suggest she has no relevant experience.

Likewise, it is entirely reasonable to suggest she might have some relevant experience, but is unwilling to state more than "Professional" on her resume.


In response I will be nice and just say: You would fare very poorly in a high-school debate forum.


Because you can't prove damages. If you suffer loss that you can directly link back to Equifax, and you manage to get your day in court, you'd get damages just like if you had a faulty steering wheel.

The problem for the law is that things are much more indirect in this case.


Somehow difficulty of proving damages is not so problematic when someone is prosecuted for downloading movies.


You don't have to prove damages with movie downloads, the high punitive fine is written into the statute.

Now if you wanted to sue for $1 million per copy instead of $10,000 or so, then you'd have to take it to court and prove those damages.


It would be good to have such standardized fines for breaches of private data.


Yes, yes it would. I've been saying the same since at least the Target breach.

Not that I'm anybody, but the idea is out there.


Very few of those cases make it to court for good reason.


This is the correct answer. The tort system is designed to make people whole. If you haven't suffered damages then there's nothing to sue about. Copyright infringement is a red herring, IP is an entirely separate area of law from torts.

If you've been harmed by Equifax but it is difficult for you to legally prove the chain of causation, that's a problem that tort law needs to solve. The law is flexible enough to come up with such solutions, albeit slowly. See for example the doctrine of market share liability.


> so if I design a car with a faulty steering mechanism that fails under unusual circumstances but, when it does, can cause a possibly fatal accident

What was the faulty product in this case? Struts? Why is Equifax liable?

> The Equifax breach here was caused by, at the very least, reckless negligence in that they failed to patch a published vulnerability for MONTHS after it was disclosed.

You have no knowledge of their internal security practices, or what the status of knowledge of the vulnerability was. Did they make a mistake? Absolutely. But no security is perfect. You have zero basis to make such a claim.

> What I'm talking about is having the same expectations, requirements and civil and criminal punishments that product liability would have with a physical product, at least when it comes to willful negligence of this sort.

There are already laws on the books that cover this, as well as the CFPB. I expect significant fines and additional oversight for Equifax in the coming months.

> The VW emissions scandal (rightly) is resulting in criminal prosecutions for fraud.

Because that was a real, provable, honest to goodness fraud, where there was provable criminal intent. Just like Enron. Where's the criminal intent with Equifax?


As to the first point, Equifax could be liable as they are the one operating the system (for profit), and they're the one processing personal information using it.

If they had been using commercial software they might have been able to shift the liability (if it existed) to the vendor based on it being not fit for purpose, but as they were using open source, no such option would be open to them.


How is that a "product liability" issue, as put forth by OP? What faulty product did they sell to consumers?


Well they sold services which made use of a vulnerable version of struts.... You can argue services != products, but It could be argued a similar approach could apply.

The fact that they didn't sell those services to consumers but that consumers are the ones impacted is actually a big part of the problem.

There's an externality here in that the people who suffer the loss have no part in the transaction (they are neither buyer no seller) so have no way to, in an economic sense, impact Equifax's behaviour, which does lead to the idea that regulation could be an appropriate approach.


> The fact that they didn't sell those services to consumers but that consumers are the ones impacted is actually a big part of the problem.

Perhaps, but it's a different problem that product liability.

> which does lead to the idea that regulation could be an appropriate approach.

CRAs are already regulated.


If I can jump ahead a little, are you saying that bad (e.g. fraudulently-inserted) CRA data cannot rise to the level of actual damages?


Who's doing the fraud? Is it Equifax, which is in good faith recording the information provided by its customers (credit companies, banks, etc)? The credit company that is reporting in good faith to Equifax (or another CRA), but is tying it to the wrong person because an account was fraudulently opened? Is it the person who used stolen ID data to open the account? Is it the thief who originally stole the data?


The US doesn't have a data-protection law, but how can you say their recording of the information is in good faith if they allow unauthorized people to make spurious changes via their systems and security practices?


> allow unauthorized people to make spurious changes via their systems and security practices?

I don't follow. Who's the unauthorized party that's "allowed" to make spurious changes via their systems and security practices?


Those who use the holes in their infrastructure, did you see the story about a database being accessible with default credentials? There is some question of scope for that particular issue, but it bodes duplication in the company's practices elsewhere.


You mean the web site that didn't have any non-public data, and was actually not in active use for 3 years? I agree that was sloppy, but the site didn't have the level of security requirements that one of the main sites or their internal network had. Do you put a $100 lock on a $5 bike?

And how was this "allow[ing] unauthorized people to make spurious changes"? No data was changed in the breach.


> What was the faulty product in this case? Struts? Why is Equifax liable?

Struts had provided a remedy for the fault, months prior. Equifax had _failed_ to implement that remedy, because it was 'difficult', 'complex' (due to its own application / deployment / infrastructure), for several months, on a highly sensitive service.


> Equifax had _failed_ to implement that remedy, because it was 'difficult', 'complex' (due to its own application / deployment / infrastructure), for several months, on a highly sensitive service.

Can you cite your source for these claims?


I don't work for Equifax, so I can't give you any inside information which confirms why they didn't patch Struts. However it is common knowledge among security professionals that it was the unpatched Struts vulnerability that lead to the data compromise. [0]

[0] https://krebsonsecurity.com/2017/09/equifax-hackers-stole-20...


It was also announced by Equifax themselves so of course it's common knowledge. I'm not sure of your point here.

https://investor.equifax.com/news-and-events/news/2017/09-15...

"Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online."


He already made his point: "Struts had provided a remedy for the fault, months prior."

According to your quote, they patched only after they were the victims of a breach; they should have been pro-active and dealt with the issue as soon as the vulnerability was made public.


You're assuming that they took no action, as opposed to not being 100% effective in their detection and coverage. There's no evidence that they simply ignored it. If they're using Struts, all they had to do is miss one instance of the wrong jar somewhere in their software ecosystem.


On one hand you have the tech sector who likes to run things "fast and dirty". Regulation? Something made to disrupt! Lot's of homemade hackers outside the "established order" doing great things.

On the other hand you have rigorous protocol with professional regulated engineers held responsible for their actions and the consequences of design.

I've always been a bit of a proponent for bringing these regulations into tech jobs when it matters on public safety but the tech groups can swing wildly in pro/anti favor of such direction on a day to day basis. You definitely lose a bit of the "do it quick and break things" attitude which is responsible for a lot of great product but the stability and rigor is what benefits imo.


This is because laws are slower to make than technology in general. Since the other laws were made with blood or money I would assume the same holds now. Once we have enough of these data breaches where people are fed up with it the laws will follow.


Computerized consumer data warehousing has been going on for 50 years now. In that time span we've gotten all sorts of mandated safety and emissions features on cars.


In the Equifax case you aren't really the customer and didn't provide that data to them for their safe keeping. They are actually in the business of exposing the data they collect to 3rd parties.


"Why haven't product liability laws caught up with information services?"

We all know the drill. If you're not sure what the product is then you're the product. This "information services" aren't for the advantage of the masses. They exist for the elites. Think about. You're being tracked and there's no provision to opt out of that.

We're not protected because in the eyes of the powers that be we're the product. We're not in danger. We're what's being sold.


Should developers who introduce security vulnerabilities go to jail?


If it can be shown they did it with intent, then maybe. If they did it from incompetence or simple error then their employer should be responsible for not providing adequate training and review of work product, inadequate QA, etc.

In general I think civil penalties will be more appropriate for this sort of thing than throwing people in jail. Jail time when there was criminal intent could be reasonable, though.


No, unless its proven that they were wilfully negligent, then yes.


The argument is, according to the OP, that the entity responsible for designing/administering/maintaining software services/software/IT systems is liable. But it seems like they would like to punish the employer, and not the employees.


> Why haven't product liability laws caught up with information services?

Data breaches seldom result in fatalities or physical injury.


At this point it should be a criminal fraud investigation.


Equifax has existed since 1899. It's in an oligopoly business that is completely unassailable, for better or worse. It would be fine with or without Richard Smith, who has been CEO for the last 11 years. He will have made something like a minimum of ~$145 million over that time. (If you factor in the value of his options since the grants it's more like $300 million) It's unconscionable. Entrepreneurial reward for managerial duty. People give hedge fund managers a hard time but at least those guys founded their companies and built them up...it's these hired-hand CEO's that are the real problem.


> Entrepreneurial reward for managerial duty.

That is such a perfect way to sum up the pay disparities in large corporations these days. I have no problem whatsoever with someone making $300MM from the sale of the business they created, but making the same amount for manning a desk? Seems like madness.


I think part of the reason for extravagant compensation (especially stock options) for executives is that it ensures that the incentives of the executives are aligned with the stockholders and not the employees.

From time to time, a CEO will have to choose between increasing employee compensation and benefits or increasing profits or dividends. The CEO works with employees all the time and most normal human beings would naturally tend to side with the employees because they're the ones that are working hard to generate the profits that the shareholders receive. Stock options create a financial incentive to override that tendency, so that the CEO will side with shareholders more often.

An interesting thought experiment is to consider: what would happen to a CEO if he or she refused to accept stock options and would only agree to a modest salary? What would the board of directors do? Would they be happy that the CEO is being a responsible steward of the company's finite resources, or would they regard the CEO as untrustworthy and remove him/her at the first opportunity?

Perhaps stock options aren't a "reward" for services rendered, but in fact one of the necessary qualifications for holding the office.


>From time to time, a CEO will have to choose between increasing employee compensation and benefits or increasing profits or dividends. The CEO works with employees all the time and most normal human beings would naturally tend to side with the employees because they're the ones that are working hard to generate the profits that the shareholders receive.

Do we live in the same world? In all seriousness, not meaning to be a jerk - this is not how corporations or CEOs think. They don't "work with the employees all the time". They don't choose employee compensation/benefits over increasing profits. We're lucky that they _sometimes_ choose "minimizing deaths" over profit, and even that track record is spotty at best.


What I meant by "work with" is that CEOs work in proximity to and interact with employees pretty much every work day. I didn't mean to imply that their interests were aligned.

I assume most CEOs don't talk to their board of directors every day. Most normal people will empathize with and want to please the people they work with to achieve some common goal (i.e. create a good product, grow the business, and beat their competitors). To the stockholders, that would be an undesirable trait, and so the board of directors gives the CEO stock options to encourage the CEO's self-interest to override his or her innate desire (if it exists) to treat employees well at the expense of profits and dividends.


The right person manning that desk is worth a lot to the business. It's a huge gamble from the business's point of view, so they pay more to make sure that the right person is there. Bad management has cost the last company I worked for millions of dollars this year.

I don't know why it's SO disparate, but it's way more than manning a desk.


Doesn't this case prove that this is faulty thinking? The company loses but the CEO makes out with hundreds of millions.


Depends on what they accomplish during their tenure.

I've seen non-founder CEOs take a $100M business to $4B, and others take a $4B to $500M. $100M to $4B deserves the reward.


The whole problem is that CEO pay is not correlated to performance, and performance metrics can be gamed if they are not long-term.


That's not true, CEOs are increasingly compensated in stock options, which are at least theoretically correlated with performance.

https://www.washingtonpost.com/news/on-leadership/wp/2014/02...

https://www.bloomberg.com/news/articles/2017-09-21/key-quest...


share buy backs...


That's where stock instead of cash makes sense. If you are solely responsible for the direction of the company and overseeing the execution of that direction like a c-level executive, you should get paid in stock. If you do your job right, your stock value goes up and you become richer as a reward for doing a good job. If you do poorly, you lose money as a punishment.

If a CEO is making $100m per year in cash, there is no incentive to do a good job. Especially if they do so poorly they get fired, which means they get a $500m bonus as a reward for being fired.


Yeah, so CEO just single-handedly drove company from $100M business to $4B and the rest of company workers had nothing to do with it? Or did they all received multi-million compensation for that? Nobody denies that CEOs have huge impact on company as they make strategical decisions, but their compensation is vastly exaggerated just because they are first in the line after money, can see how much company really makes and accurately measure their actions in monetary value imho. The last part is especially important, because every time I've asked for a raise the first question is: "what did you do for a company and what positive impact it has had?". Answering that question in lines of: "oh, I made that decision which increased every worker's efficiency by 300% doing this operation thus saving company X millions, here's a chart to prove it" is much stronger than saying: "I wrote a tool that saves my co-workers extra few clicks, nothing fancy actually", even though when talking about the same thing.


There are exceptions, but even then they're not only few and far between, but also occupy a vague area where it's all one big counterfactual argument about whether someone else could've done the same thing and whether the die was largely cast anyway.


To be fair, Elon Musk has done a lot while 'manning the desk' for Tesla (he wasn't involved until after he led their Series A round).

It's tough to distinguish who 'created' a company in situations like those — do we define it by the original incorporation papers, or by who had the largest effect on turning the company into what it is today? Where do we draw that line?


Although I disagree about the value of hedge fund managers, it is true that the rise of these "supermanagers" is a huge component in income inequality trends in the US. Here's a thoughtful and spooky comparison with the corporate structure of Nazi Germany, where I first heard this term: https://lareviewofbooks.org/article/the-supermanagerial-reic...


You have no data to back the claim that ‘hired-hand’ CEOs are the ‘real problem’. This is just your personal bias speaking. I wouldn’t say that the situation is the polar opposite of what you’re suggesting, however I’m pretty sure management performance cannot be evaluated in a binary fashion.


Hmmm let me get this straight: 143,000,000+ people have to pay Equifax $3-20+ to get their credit frozen, and you get to just walk away and retire with oodles of money from your illicit stock selling and severance packages? There is no justice sometimes.

That's around ~430,000,000 USD for Equifax alone [edit: if] 143M people got their credit frozen at $3 per freeze. (Obviously back of napkin math, and not everybody pays the same or even freezes their credit)


> you get to just walk away and retire with oodles of money from your illicit stock selling and severance packages? There is no justice sometimes.

Retiring is not protection against criminal charges.

Also, there would be oodles of money involved in the case of firing, resignation, or staying on anyway.


True, but I guarantee you there's something in that golden parachute that the company will cover all legal costs resulting from any non-illegal decisions made by the CEO.


Isn't that how a corporation should work?

Not the big pile of money for leaving/getting fired, the accepting of consequences for legal actions taken while working for the corporation.


> Isn't that how a corporation should work?

Not when gross negligence occurs.

EDIT: Gross negligence in the legal sense.


Do you mean negligence in a legal sense or are you talking about something else?

Because my comment is clearly scoped to "legal actions".


It isn't formally protection against criminal charges. But I'd bet it makes charges significantly less likely.


>Retiring is not protection against criminal charges.

It is, however, protection against a for-cause firing.


Equifax itself isn't charging for freezes right now.

edit: ceejayoz has pointed out that they are free for 30 days only (and we're in that time window already).


Thanks for the tip, I've been waiting for the free Equifax credit monitoring (I haven't been able to log in, though they keep telling me I have a account). A free freeze is good enough. Here's the link for everyone else: https://www.freeze.equifax.com/


Sure, but they're free for only 30 days.

You still need to freeze with the other two agencies, and in a few weeks it'll cost money to lift your Equifax freeze if you want to open a new account.


I've been told by multiple sources that freezing with one agency is enough - other agencies automatically pick up that freeze.


Every article I've read on this, including the New York Times article [1] that I think was posted here, says you must freeze at EACH agency. It's a big racket, they have no interest in making it easier for us.

[1] https://www.nytimes.com/2017/09/08/your-money/identity-theft...


No, that's the 90 day fraud report.

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...

> How do I place a freeze on my credit reports? Contact each of the nationwide credit reporting companies.

https://www.consumer.ftc.gov/articles/0275-place-fraud-alert

> Ask 1 of the 3 credit reporting companies to put a fraud alert on your credit report. They must tell the other 2 companies.

http://money.cnn.com/2017/09/12/pf/what-is-a-credit-freeze/i...

> In response to public outcry, Equifax announced that fees to freeze your credit will be waived for the next 30 days. But even that doesn't totally protect your information since your data isn't fully frozen until it is on ice at all three credit bureaus. The other bureaus have their own fees. It's also unclear whether Equifax would still charge you a fee to lift the freeze. The company did not immediately respond to request for comment.


Really? Thanks for letting me know. I'll have to call and confirm the refund.


FYI you can (theoretically) setup a "Fraud Alert" which is free, and lasts for 90 days. I set this up shortly after the news broke, however failed to enroll my wife as their (all 3) phone systems were f*cked.


I assure you, your SSN, and date of birth are unlikely to change in the next 90 days.


Uh what now? I'm not following...


He's saying after the 90 days is up, you'll still be vulnerable (because your SSN/DOB won't change). Better to just freeze indefinitely and lift when necessary unless you know you're going to be opening a new account soon.


I get that - I was just sharing the information about a Fraud Alert, which unlike a "freeze" is free and allows you to still apply for credit without lifting the alert.


I think vkou is implying you need to do this every 90 days (which from my understanding, is what Life Lock does).


I don't think that anyone has accused the now former CEO of selling stock. It was always going to be the case that this would happen.


It's $10 in Florida.


Anyone else think how convenient it was that no news agency broke this news prior to the Friday before September 11th? News cycle dies on the weekend, and on Monday you have the anniversary of the deadliest attack in 70 years on US soil.

No political figure has talked about making these companies disclose this information as soon as possible, and no political figure is furthering any type of bill to make it illegal to know about a data breach and not tell anyone for months.

American obsession and addiction to media is what caused Trump to win, and it's why egregious failures of trust such as this will continue to go relatively unpunished.

We are constantly pumping out the equivalent of crude oil into your culture at the rate of millions of gallons a second. It's all trash, and it pollutes discussion and any sort of cooperation.

Left/Right is the new religious battle, and the new holy books are blogs and twitter feeds. The media is under no obligation to tell you the truth, and in this case the lie is omission.


This is not enough. We need a reform to legislation to make these companies liable both for data breaches and for false information. Too often the CRAs are used effectively as extortion mechanisms whereby your credit rating his held hostage to extract money you don't owe for collection agencies.


They're all jumping ship now. I hope congress, or the FBI, hold some of these people responsible for the mess they've created, and take Equifax to the woodshed.


We must first establish what laws we believe we they have broken and that are likely to be provable beyond reasonable doubt in court. I'd rather due process than revenge without due process.


I'd rather they be treated as many American's are when they have their first encounter with police who believe they committed a crime...that is rarely aligned with a presumption of innocence.

You aren't wrong in a theoretical sense, but I am all for equality before the law as a precursor to due process. Due process without equitable treatment means very little except to those at the top.


So you would rather people be treated shitty like everyone else than treat everyone else better?


Selective enforcement of a shitty law is arguably worse for society then across the bar even enforcement of that law. In the latter case, there are less groups that will prevent change.


no...I very intentionally did not say that. I said that until everyone is treated with some reasonable equity the distinction between shitty and better is academic because the better never trickles down.


New regulation can impact them significantly without violating due process.

Just deciding that they aren't operating in the public interest and revoking their charters probably wouldn't violate due process. Not in fashion though.


The reasonable doubt burden is high but don't worry about the company, we don't even get there when there isn't any criminal liability for what looks like the reckless disclosure of vast quantities of private info.


"or the FBI, hold some of these people responsible"

Hopefully, this then will create a different culture in other companies. Things did change after Enron (though SOX is such a pain).


I'm pessimistic we'll see anything even close to Enron. When the big banks collapsed, none of the executives went to jail. I doubt we'll see that here, but it would send a powerful message if the inept VP of IT at Equifax was paraded in front of the cameras in handcuffs, and the CEO held personally responsible. There's a corporate shell enjoyed by major American companies. At this point I wonder: What would have to happen for the CEO of a major company to go to jail?


If I drive my vehicle recklessly, even if nobody is injured (or no property), I can receive a citation, risk having my license revoked, and risk being arrested.

Why is it that American corporations and their leadership have less oversight than your average 15 year old driver? They keep reminding us of corporate personhood when it is convenient, but where is the personhood responsibility?

Companies aren't going to spend money on security until the potential costs impact them rather than others (in this case all of us). That's something that urgently needs to change. As you can see by Equifax's stock, nobody in the stock market thinks that the governments are going to punish or collapse Equifax, and the worst part is that they're likely right (see BP for example).

This too big to fail, too big to jail, too big to punish thing is really starting to get on my nerves. Even if we aren't ready to send corporate executives to prison, let's at least fine Equifax so much they go out of business, and it sends a shot across every other business's bow about what will happen if they mishandle sensitive information.


> Speaking for everyone on the Board, I sincerely apologize. We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.”

> Now if you'll excuse me, this golden parachute isn't going to pull it's own rip cord. Have fun fixing all your credit reports and enjoy Equifax's "free" data protection services, your contributions and patience (or short attention span, whichever you prefer) will be thoroughly appreciated by my successor, until he too fails too hard and has to endure a life of permanent financial security and nonstop leisure.


Let him retire in prison with the rest of the C-levels.


In other large countries of note, responsibility for a billion dollar crisis and abuse of private data would result in life-ending jail time.

They have a point. This ass hat enriched himself at the expense of customers held at gun point, and didn't even oversee due diligence in the execution of a bullshit monopoly.

Retiring to ride horses and pensively stare at the far horizon of one of his ranches and come back with think piece hagiography in 4 years on the lessons learned...

...there should be bigger consequences.


Is there a way to tell if you are impacted without having to enter your SSN on suspicious websites?

Its scary how little information the media is providing on this. Equifax does not provide an FAQ over what conditions you may be affected. I don't have a line of credit, and I have never used their services personally, HOWEVER, if a prior employer used them through a background check, or if they used a 3rd party who sends my data to equifax without me knowing, I'm pwned and didn't even know it.


They say that overall, 143 million people were affected.

There are about 250 million adults in the US.

I would take that to mean that if you're a US adult, with any sort of credit history, you're affected. The affected data for the larger 143 million was: "Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers."

There's also a smaller set that had even more data exposed:

"In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed."


I don't have a "credit history" as I've never established a line of credit.

However Equifax offers other services such as Background Checks which more americans are passing off their SSN to, generally unintentionally (its mandatory for work).

This leads me to believe even young people are affected if theyve taken an internship or anywhere (AT ALL) that uses Equifax.


Are the affected people limited to the US? I know Equifax exists as a brand elsewhere, but I'm not sure how they are structured/which parts of the business the breach affected.


I've heard Canada was affected as well. As a Canadian living in the US, I'm doubly fucked.


There is a solution to this problem - the Freedom from Equifax Exploitation Act, drafted by senators Elizabeth Warren and Brian Schatz.

Naturally, not a single republican supports this legislature.


Interesting that all the senior Equifax who have left have "retired" and not resigned ;-)

Resigning is a known way of avoiding more serious penalties and loss of pension etc a lot of UK Police when facing serious charges suddenly resign due to stress.

Its telling that when found guilty or far less serious offences the CEO of shell resigned giving up a lot of !$


>"The chairman and chief executive of Equifax, Richard F. Smith, retired on Tuesday ..."

>"“Speaking for everyone on the board, I sincerely apologize,” Mark Feidler, the Equifax board’s new chairman"

Where is the apology from the CEO?


He's sorry he couldn't make it to the conference and apologize but the only flights to Gstaad left this morning and what's the point of renting a ski chalet if you're not going to stay there?


Yeah, if you listen closely you can hear the sound of golden parachute opening.


He already apologized in the early days of the incident. At this point, after getting notified that he was canned, I doubt he gives a damn enough to comment further.


He was unable to make a statement from his private jet en route to Europe...


Retirement isn't good enough, he should have his money clawed back. It's unfair that he gets to walk away scot free when hundreds of millions of people are fucked.


Retirement is a bad word choice. In this case maybe it's better to blur the subtle distinction between retiring and resigning. At least appear contrite.


"Pack it up boys, our work here is done."


Cowards with golden parachutes: Modern Capitalism.


I see you didn't read the article.


I stand corrected. Thanks.


May he land gracefully from a proper golden parachute deployment


Does he get to avoid testifying before Congress by resigning?


He is conveniently retiring to cash in severance packages and bonuses. He should be fired and brought in front of a judicial committee to answer questions for risking identity info of millions of consumers.


With $18.4 million in pension benefits.


So he gets to retire with a golden parachute made with diamonds, how nice.


Well is a good idea to retire when your age and energy is exulted.


This is one issue our President should take some executive action on, if at all possible. At the very least, people should not be charged for credit freezes for the next few years, and existing laws should be reviewed. Taking action against Equifax would be supported by the vast majority of Americans.


Not something for a president...it's a congressional thing.


He can direct the FBI and justice department to interpret the law with regard to equifax the way they would interpret it for a small business or individual.

(obviously under the table because above the table would acknowledge the double standard)


I wish I could "retire" after selling out over half of the workers in the USA.


Actually, if you want to limit it to workers, it's around 95%, based on our last good data on this.


Their security head was a music major, with little or no experience in the field.

https://www.nbcnews.com/business/consumer/equifax-executives...


Many of us don't have formal credentials in computer science or security. There are plenty of reasons to go after Equifax, but someone's college major from decades ago isn't one of them.

https://www.washingtonpost.com/news/the-switch/wp/2017/09/19...


I agree that having an unrelated background doesn't entirely disqualify a person from a position, but when the consequences of failure are high and more money is at stake, then selection should be much more stringent. She probably would be a great fit for that position at 99% of the companies in the country, but with Equifax's position and data, someone with a more extensive background in security would be preferable.


My understanding is her past roles included security work at HP, First Data, and Sun Trust. Equifax doesn't appear to have wandered into an orchestra practice and said "anyone wanna help run security?"

Yeah, she fucked up. No, it wasn't because of her college major.


Her LinkedIn profile, before it was scrubbed, showed her as an employee of those companies, but her job title for each was listed as "Professional". It's not entirely clear what her previous roles were and exactly how relevant they were to the role of Chief Security Officer.

It's the same divide between self taught developers and developers with a formal computer science background. If I'm hiring someone to make a website, then it may not make much of a difference, but if I need them to write kernel device drivers, more often than not your best bet is going to be with someone with a formal background who has had to demonstrate at school that they have certain knowledge prerequisites in a standardized setting.

I can't speak for the cybersecurity at HP, Sun Trust, and First Data. It's possible they have great records, or it's possible they've made mistakes and gotten away with them, and these experiences led Mauldin to believe Equifax was more secure than it was.

Edit: I found that she was Group VP at SunTrust from 07-09 and Senior VP and Chief Security Officer at First Data from 09-13. Her experience at First Data is relevant to the discussion and it's strange that the Washington Post article you linked to didn't mention that.


several people i've worked with graduated from respected CS programs yet could barely program their way out of wet paper bag.

the best people (engineering-wise) i've worked with are people who had a passion for the subject, were generally inquisitive sorts, and engaged in a lot of self-directed learning and research because they simply wanted to... some had degrees, and some were high-school dropouts.


> several people i've worked with graduated from respected CS programs yet could barely program their way out of wet paper bag

How do you reconcile the fact that the individual could barely program, but they graduated from what you consider respected CS programs? Or are you saying that the programs have a public perception of respect that you personally don't believe they deserve? If the person passed that institution's examinations, then it seems to me that you're indicating either the institution has low standards compared to your industry or that they erroneously passed someone who did not meet their standards (either through incompetence or deception). I think it's relevant to note if the individuals graduated with a high GPA or if they barely scraped by.

Of course autodidactism exists, but it can be very difficult to judge an individual's abilities based on one interview alone. A degree from a university at least indicates that the individual was exposed to the subject matter for a number of years, tested by individuals in the field who themselves have advanced credentials in the field, and passed the institution's examinations of knowledge. This isn't to say they're better qualified, but it gives you information that's more difficult for an individual to mislead you with. I can safely assume that a university has taken the expected precautions to ensure an individual's grades and credentials are reflective of their own work, as opposed to a self taught developer showing me a portfolio that may or may not be their original work entirely.


i would say that cs is a category of degree that some people can skate through. i would even say that undergrad degrees in general are like this, hence their ubiquity.

that isn't to say that undergrad schooling doesn't have utility - it can have plenty for the sufficiently motivated.


I don't think it was the college major, true, but it appears she enjoyed a large scale of "falling up" into that position that most people in our industry aren't afforded.


"It appears"? From what, her LinkedIn?

What concrete information do we have to make that conclusion?


The total mismanagement of customers and expectations after the hack.

It would be naive to say the just the clear oversights in management were solely to blame - you can do everything right and still have data breaches. Far more intricate attacks could be perfected had the current vulnerabilities been resolved.

You can argue "its a big company" all you want and that the responsibility shifted. However, at that position, setting up a shoddy website where customers can see if they were impacted, then request/pay for their own credit freeze, is NOT SUFFICIENT handling of the situation and betrays a long historied past of never having to had handle a situation so grave.

Lives and livelihoods are at stake here. This isn't just a senior software engineer or technical director job where messups only breach trust. A crappy application developer could release buggy software, but one can "delete the app" at the end of the day. You can't uncork this bottle. This is a security position over some of the most personal data available on US citizens.

If there is ANY belief that this person "fell up" through a security role, that needs to be identified.


I don't have formal credentials in medicine, but I know how to hold a knife. Will you trust me to do a surgery on you?


Thirty years ago not only did modern computer security concepts not exist, and not only were there no programmes in them, but odds are good that "computer science" was part of the maths department.

The first computer science department dates to 1962 at Purdue University (home of Eugene "Spaff" Spafford). Others formed generally during the 1970s and 1980s.


Last I checked, the leak was not thirty years ago.


The degree was. And on-the-job experience is a thing.

Your responses strongly suggest a failure to grant charitable consideration:

Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize.

https://news.ycombinator.com/newsguidelines.html


This is negligence. Public safety should always be paramount. One cannot claim to be a professional without credentials. People lives are at risk because of mind set like yours. If the Equifax security head truly is qualified, then why delete info on LinkedIn? What is there to hide?


There are plenty of doctors who majored in music.


Those doctors have formal credentials. Does Equifax security head have the equivalent formal credentials? Anyone can get to top position if they know who and how to suck up.


What are these "equivalent" formal credentials for security?


FWIW, it's well known that high/surprising numbers of computer scientists have a music background. Some people think it's because the subjects are fundamentally similar.

Do you know the story about the famous actress Hedy Lamarr, who invented a channel switching anti-jamming system for torpedos with a friend? Both were musicians with little or no experience, and their invention, aside from being patented and used by the military, is now credited as part of the basis for Wi-Fi and Bluetooth. https://en.m.wikipedia.org/wiki/Hedy_Lamarr#Inventor


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: