And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them." And if anybody has suggestions on that, I'm totally open, because if Equifax was a dripping faucet, they'd be flooding the house by now.
Exactly. And everyone is watching and learning a lesson from it - "If this goes unpunished, heck, we can get away with it too, screw all the security mumbo jumbo"
In an investing and finance forum I saw people were gearing up to buy Equifax after the breach was announced. The idea was that price would dip then it would go back up. Maybe enough people did that.
"Three senior executives including the company’s chief financial officer sold $1.8 million in shares three days after the company learned on July 29 hackers had breached personal data for up to 143 million Americans."
So you sell right before the dip and then buy again at the bottom of the dip. They knew there was going to be a dip.
I guess they probably wouldn't do anything, but they might notice.
Not that it'd be easy since you have to schedule big sales like that with the feds in the first place, but I mean...come on. The sheer blatancy.
It's always the idea, unfortunately you can never predict if it's going to bounce enough to go back up hard, or if it's going to bounce and go down again deep...
If any company uses Equifax, you'll then be denied credit or they'll ask you to unfreeze it. Either way, you can complain to them, and make it clear you won't work with Equifax.
Of course, in practice, this will mean you'll get denied credit from any company that has a contract with Equifax.
>"The Internal Revenue Service signed a $7.25 million contract with Equifax last month. The no-bid contract, first reported by Politico, is for Equifax to provide the IRS with taxpayer and personal identity verification services. The contract stated that Equifax (EFX, -1.34%) was the only company capable of providing these services to the IRS, and it was deemed a “critical” service that couldn’t lapse."
The IRS in the US needs Equifax to provide taxpayer and verification services? Seriously, what does that even mean? The IRS has no other way to verify citizens?
In the US people generally file a change of address when they move in order to automatically receive mail at their new address.
The fact that the IRS granted Equifax a 7 million dollar contract amounts to the US taxpayer paying Equifax to put their identity at risk and cause them harm. It really boggles the mind.
If the IRS is using Equifax for proper address verification as the OP states, then that information is already available via the USPS which is a government agency with real oversight.
- Do you recognize this street name?
- Have you bought from this store?
- How many mortgages did you co-sign?
>Chief information officer Girza said the IRS sent inspectors to make sure no IRS data was compromised in the Equifax breach
Here's a question: who owns your drivers license? Here's a hint: it isn't you. Can you "own" you mailing address? Copyright and trademark it, make everyone ask permission from you before they write it down? What about your salary? Should your employer have to ask every time they use your salary number in some way, say in aggregate statistics or reporting?
What about information about how you interact with your credit card company? Who owns that, you, or the credit card company? Do the two of you have some kind of joint ownership?
We've made some of these decisions about health data and it has far-reaching consequences, some of them undesirable. It's also been very difficult to enforce. Do you want to extend that kind of regime to every piece of information about a person? Society might grind to a halt, we would be inundated with virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?" And what process would mediate this access control anyway, and how would we trust it?
I would grant the landlord access to contact me while I still have a business relationship with her.
This dire scenario you are trying to paint frankly doesn't sound that bad. I don't need a company to know my entire life's history to exploit my past to deliver a targeted ad.
>Society might grind to a halt, we would be inundated with virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?"
That is how messaging works on many newer systems like Facebook or Instagram, and people appear to find that level of control desirable, not annoying. The only reason the phone system works with public numeric IDs that anyone can dial is that whole thing is a relic from 50 years ago.
"Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances."
"Right to change or remove your details
If you discover that a data controller has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details.
Similarly, if you feel that the organisation or person does not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details.
In both cases, you can write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, the organisation must do as you ask or explain why they will not do so."
The GDPR is a solid step in the right direction, and a model for a better approach to privacy.
At the end of the day you do consent to this through participating in the banking/credit system.
While the data may not exist without you, you are not the one recording it. Why does it not make sense to assign ownership to the one recording/creating the data in the first place?
Don't get me wrong, I don't particularly like having my picture taken without my explicit consent. In the end, consent is all rather arbitrary because it's not like you can choose not to live in human society on Earth.
Fingers crossed someone with Equifax's data dump starts dumping the data of Equifax senior management.
Hat tip to patio11 on the language; don't use "I demand", professionals use "I require".
So, personally identifiable information (PII) is a less-debatable phrase and more legally defensible.
In the first case, if you do business with a bank then the data from that belongs to the bank as much as it belongs to you. They are reporting their information, namely that you interacted with them. Thus, that information would belong to them.
In the second case, it is personally identifiable information - which is something that's difficult to dispute. This also gives you interest in that data which is a stronger point to stand on.
As mentioned before, I am not a lawyer and this is not legal advice. However, I have extensive experience with the justice system due to my career and have taken quite a few classes concerning the law.
Also, the word 'shall' has stronger implications than 'will.' I am not sure why but it is handy to know. The defendant will comply vs. the defendant shall comply.
Best of luck.
Complaint was with Equifax, Inc. I specified I required my credit file be removed, as Equifax has had several egregious security breaches and is incapable of properly securing my PII. They have 15 days to respond.
You also can't prevent them from reporting information about you to Equifax.
Anyways, you aren't really hurting anyone by denying yourself the ability to get credit, you're only hurting yourself.
The point isn't to prevent any credit reporting, but to prevent Equifax specifically from earning money.
And no one is "denying themselves the ability to get credit" by refusing to unfreeze an Equifax report. If the lender doesn't want to use one of the other credit agencies, then most people can find another lender. Those businesses need to know they'll lose business as long as they're loyal to Equifax.
It is unfortunate we don't have more leverage... this does leave a lot of avenues open for Equifax to continue making money. But every bit helps.
lol, yeah, good luck with that when you go to get a mortgage.
Mortgage lenders pull all 3 reports, not just one. There are a ton of laws around mortgage underwriting that need to be followed. They technically may be able to underwrite a mortgage with only two credit reports, but I doubt any mortgage lender actually will, or if they did they'd be charging outlandish interest rates. If you're hiding a report they will assume it's because you're hiding something negative that's on the report.
Things don't work like you would like in the real world, only in theory. You are delusional if you believe Chase having to pull Experian instead of Equifax once every million credit applications is going to somehow affect Equifax's bottom line.
If your landlord uses a background checking service that uses Equifax and the background check service comes back with "frozen report" and you say "I demand you use a different background checking service that doesn't use Equifax", then your landlord is just going to say lol and rent to the person who isn't being extremely difficult, as it's a sign you're going to be a difficult tenant.
There is little that you personally can do to control the sources others use to gather information about you. That's something that's only within the power of a legal framework. The statement, "I don't want to work with Equifax because I don't trust them," is meaningless, because you do not work with Equifax.
If a site got hacked, chances are they suck at security - and then subsequent hacks are actually more likely to happen over the near future.
It takes time to turn corporate culture around, and security depends a lot on culture.
Would be great to see some statistics that would either support or disprove my assertion.
Freeze your account and complain to the service that uses it.
Of course, you're not wrong—you have essentially zero leverage.
A good start might be to never employ anyone who has worked in Equifax IT. There should be some sort of professional repercussions for being involved with an organization as incompetent as this lot seem to be.
I get that some people like meting out punishment, but it seems like a good idea to limit it to the people responsible.
A lot of the problems we are seeing can be traced back to the fact that the leadership who make decisions suffer little or nothing in the way of personal consequences. It seems past time for us to change the law so that this is no longer the case. That's about the only way things will change. It's dispiriting to see security breaches and misuse of personal data happening again and again.
In that case, ruining the career of a low-level employee seems misplaced, especially when they most likely weren't the cause of these issues.
1) If the value of the individual damages related to this breach is in excess of the market cap of the Equifax company, all company stock should be seized and distributed equally among those affected by the breach.
2) In the future, if a company controls this amount of sensitive data, they should have mandatory breach insurance. This means that they are covered for a government mandated amount based on the legal liability if all their data was lost. This will mean that the insurers will do in-depth audits of the data security of the company, and they will be incentivized year-to-year to ensure their security practices are top notch. The present system incentivizes each CEO to have a head-in-the-sand approach to data security where a hack is considered a long-tail event unlikely to happen during the CEO's 3-5 year tenure and therefore is not really worth paying attention to. In addition, it would ensure that if the potential damage done if data is leaked exceeds the value of the business storing the data, the insurance will be prohibitively expensive and the company will not be able to continue with this line of business - as it should be.
2) I absolutely agree with the insurance companies being on the hook. They alone will drive insurance rates that are through the roof if the company can't prove pen-testing, employee background checks etc... Unfortunately the key to making insurance companies care is setting a high standard for breach victim payouts. I.e. if it only ends up costing an average of $0.10 per individual victim, I don't need to insure Equifax for that much?
Then, yeah, liquidate everything and distribute the proceeds amongst the victims. It would be expensive, but...so what? The budget is $2T, and if the fine vastly outweighs the value of the company, then it is clearly a grave situation that demands an unusual response.
Maybe they could actually issue a realistic fine, and let the company deal with it. But the company would probably just distribute any remaining assets amongst their executives, fire everyone, and declare bankruptcy or something.
who aren't members of the board
The dot-com-bubble showed us that businesses should not be valued simply because they leverage hot new technology (hold your AI comparisons...). These high-profile hacks and security failures will hopefully show us that businesses should not be considered secure simply because they stack up to other measures of value.
I would hope that in the future, a fault in a company's infrastructure security is considered as seriously as a fault in its core business model.
It's true, however there seems to be a pattern of incompetence when it comes to Equifax. When the first hack happened, if my memory serves me well, they started blaming Apache Struts for the security breach, which might or might not be true; however the security patch was available for months when the hack occurred.
And debunked...it wasn't a hack of the Equifax web site, but a malware package delivered by 3rd party analytics company, Fireclick.
That domain was owned by Fireclick (né Digital River) at one time, but changed ownership on November 15, 2016. The current owner is a Thai national using a personal Gmail address as the registration info.
Equifax should be responsible for what 3rd party domains it is referencing in their pages.
So, yes, technically the vector wasn't directly an Equifax server. But it was only a vector because nobody removed the reference.
Right now, they also reference crazyegg.com in their pages. If crazyegg goes belly up, the domain will be dormant, and when it expires, somebody might take it over. Does Equifax have an onus to deal with that, or can they blame someone else?
Security scans also usually include breakdowns of 3rd party stuff.
But yes, there's ways it could go wrong. On the other hand, Equifax is one of very few places that has so much important data. I'd expect them to be leaders in this space, not lackluster followers. Subresource integrity, perhaps more due diligence on partners...stick with bigger players for code that shows up on your site, etc.
>Hack Will Lead to Little, if Any, Punishment for Equifax
Why would you think that? Equifax hasn't suffered for its poor security - you have. Indeed, Equifax was rewarded with a massive IRS contract for its malfeasance. It's very much like what we see in the banking sector, where even when the banks get caught stealing, at worst they are fined only a fraction of what they stole, leaving them with a hefty profit. That's what crony-capitalism looks like. Why would Equifax or any other corporation change their very profitable business practices if they don't suffer any downside for their wrongdoing?
But even if they were faster, I'm sure an audit of all existing systems is not as simple as making sure all the doors and windows are locked around the house.
It may not prevent truly unscrupulous or spineless engineers from capitulating, but it's better than the current situation.
When Wells Fargo had their credit scandal the salesmen shouldn't have been punished, their managers should've.
These things start at the top. When deadlines are pushed onto you, you don't have time to write unit tests, refactor, update dependencies.
It isn't perfect, and the imbalance of power will certainly still be an issue. But that doesn't mean we shouldn't try.
It would just put most legal liabilities on engineers vs. the org. It's a great way to protect management; that's the only thing it's going to do. That's exactly how dumb traders end up being scapegoated with each financial scandal. Any engineer who would dare report any wrongdoing would be blacklisted for life from the IT industry.
Businesses like Equifax already have legal requirements at the org level; let's not shift all responsibility onto engineers.
And that's not taking into account the bureaucratic overhead necessary to make changes in such an environment. There are very good, and very bad, reasons why upgrading insecure software and fixing other security holes takes too much time and effort.
Equifax just happens to be a very attractive target. I don't know how any such target can stay truly safe.
(Having said that, they clearly screwed the pooch in a lot of ways, so I won't shed a tear if they're dismantled.)
And making sure the business can still function while doing your best to limit functionality.
So there is also the argument of "any engineers at all" vs "better engineers".
Also, consider how much of the software you use on a regular basis would not exist, if mandatory licensing were in place.
Could we, like... not do that? I seem to remember the world turning just fine when you couldn't push the right sequence of buttons and steal the personal data of half a country's citizens from the comfort of your home.
Experian has no free acct login. Equifax will next year.
It's really impressive how these people can have such a death-grip on society. Honestly, I'm more curious than mad. How is such a thing even possible? I mean, wow.
How has finance made it possible? By getting the government to subsidize the industry for all existing entrants at the expense of people who may have better, more progressive ideas about how to manage the financial system. Also at the expense of people in general.
This seems to become one of the biggest problems of modern civilization. Until it's fixed, all sorts of issues like this, and bigger, will continue to occur.
The actual reality I observed is that the government inspectors and regulators are lawyers and older industry people who simply don't understand technology. Since the US government has limited technical expertise they rely on FIs to adhere to standards and propose self-regulatory measures.
- [Lobbying Spending Database | OpenSecrets](https://www.opensecrets.org/lobby/top.php?showYear=2017&inde...)
And note that "Education" isn't spending that much less!
> imo this is one of the things the tech industry hasn't fully optimized yet
How would the tech industry "optimize" lobbying? Or even just lobbying by finance?
The OpenSecrets lobbying data also doesn't include lobbying money that isn't officially lobbying money. A lot of politicians, at least in the US - including state level legislators - have non-profit foundations with sketchy ledgers. With many of these foundations, little of the money donated actually goes towards their publicly stated causes. Most of it is spent on miscellaneous expenses such as trips and dinners or on political ads.
https://www.publicintegrity.org/2013/06/12/12794/state-legis... - oversight doesn't usually happen when it's not public funds being directed into the non-profits
If you include the finance industry's donations to sketchy non-profits that are closely tied to politicians, then I'm guessing it would dwarf what we're seeing compared to just official lobbying money.
Tech would 'optimize' not just by spending more, but also in offering benefits that finance can't offer such as better data for say elections as an example
The market likely knows this, hence the stable stock price.
Nope - there are two others who will gladly take up the slack.
We also use the different bureaus together for cross checking; often one bureau's file will be out of date or have errors, while the other is fine. So we'd have a much harder job of calculating risk if one of the big bureaus went out of business, simply because we'd be losing a major data source that drives our business.
I am very sure this case applies to other financial institutions as well.