back to article Tech security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal

Credit-rating monitor Equifax ignored years of warnings and red flags before it was thoroughly ransacked in 2017 by hackers, who made off with the personal information of roughly 150 million Americans, Brits, and Canadians, according to another congressional probe. An investigation [PDF] by the US Senate Committee on Homeland …

  1. ThatOne Silver badge
    Devil

    Why would they do anything?

    Equifax did what's best for their bottom line: Good security is expensive, and it's not like being hacked damaged them in any way: They are still in charge of peoples' fates, just like before. So? Why bother?

    1. TReko

      Re: Why would they do anything?

      Exactly, the guilty executives left with multi-million dollar bonuses.

      It was reported on at the time of the hack, that Susan Mauldin, the woman in charge of the Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security.

      If that wasn't enough, news outlet MarketWatch reported hat Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.

      So ignorance was followed by cover-up, and payouts to the guilty. The 120 million affected people in the hacked files are the victims, but will get zero relief.

      1. John Brown (no body) Silver badge
        Facepalm

        Re: Why would they do anything?

        "The 120 million affected people in the hacked files are the victims, but will get zero relief."

        Wrong! They all get free identity theft monitoring free for a whole free year (before being auto-enrolled in the most expensive platinum grade programmes, unless they remember to opt-out with 6 months notice). All provided by, for FREEEE,......Equifax!!!!

      2. Anonymous Coward
        Anonymous Coward

        Re: Why would they do anything?

        Ms Mauldin had been in senior security roles with HP and First Data, and as she was at retirement age, there would not have been a cyber security degree available in the 1960s/70s when she gained her music degree.

        Male CISOs at breached organisations aren't subject to the same criticism based on their early education choices.

        1. LucreLout Silver badge

          Re: Why would they do anything?

          there would not have been a cyber security degree available in the 1960s/70s when she gained her music degree.

          If she wanted to be in charge of security at an important organisation thens he should have done one in her spare time at the point they became available. Or completed sufficient professional training in regards to security rather than restringing guitars.

          Male CISOs at breached organisations aren't subject to the same criticism based on their early education choices.

          Utter rot. I don't care about the divserity boxes the top snout ticks or not, I care that they have the professional competence to keep my data secure - especially where I have no choice but to provide it to them.

          There's simply no excuse for not having an related technical degree in a field for which you hold a senior technical position. No excuse at all.

    2. Doctor Syntax Silver badge

      Re: Why would they do anything?

      "Why bother?"

      Because it's a regulatory requirement to operate. Or at least it should be. The article suggests that the message is finally getting through to legislators.

      1. ThatOne Silver badge

        Re: Why would they do anything?

        > Because it's a regulatory requirement to operate

        In theory yes, but in practice there is absolutely no drawback in ignoring those regulations.

        One could say the whole thing is only based on the offenders' sense of morality. A little like saying "Please don't steal/murder, because it's forbidden to do so". Some deterrent indeed...

        As for the legislators deciding on something more compelling (despite lobbying and general calls for "self-regulation"), I definitely wish that would result in something efficient, but I don't hold my breath. I don't know what's beyond that thin layer of "let's surf on the wave of popular outrage", and if it is strong enough to stir the molasses of habits, entitlements and old boy networks. Only time will tell.

      2. uccsoundman

        Re: Why would they do anything?

        Increased regulations will NEVER pass! Why? First, security is expensive. Second, lobbyists from the companies will spread $$$$$$ around Congress. Third, we are a country run by a businessman's party, for business, and the ONLY rule our government recognizes since the 1990's is "Enhancing Shareholder Returns".

      3. John Brown (no body) Silver badge

        Re: Why would they do anything?

        "Because it's a regulatory requirement to operate. Or at least it should be. The article suggests that the message is finally getting through to legislators."

        Yes, despite the initial hand-wringing and cries of "socialism!!!", the US is slowing coming around to the GDPR way of thinking, one security breach at a time :-)

    3. Version 1.0 Silver badge

      Re: Why would they do anything?

      Just look at what's happened since the hack, big bonuses and retirement for the executives, they fired a few of the low paid techs and now it's business as usual - their share price is rising again.

      No need to worry, it wasn't their data that was lost was it? These companies make money by selling information about third-party entities so security was always relatively insignificant - what they really worked hard at was making people pay to access the credit profiles.

      1. MachDiamond Silver badge

        Re: Why would they do anything?

        The big problem is nobody in charge faces jail time. Handling PII is a huge responsibility since it can affect so many people's lives that there should be severe penalties including jail time for management if they are found to be negligent. It may convince some companies that collecting and storing PII is too much of a liability and doesn't contribute enough to their bottom line to do it. As it stands, there is so little downside to gathering, storing and selling the information that many companies see it as an asset.

        1. don't you hate it when you lose your account

          Re: Why would they do anything?

          Most of them actually see it as there god given right and it seems that it's getting worse. I recently had two shops try to get personal details from me, for a cheap pair of shoes and an over the counter medicine (anti stink foot powder). Both times they were shocked at my refusal, both times I explained they had no legal right to take my details and were in fact breaking the law by doing so. While I got my cheapo shoes at the pharmacy the manager was called and after i explain the situation to her she threatened to call security to arest me. So this is what they want and most of the time get away with. Also the reason I have none of these points cards for the big chains

      2. John Brown (no body) Silver badge

        Re: Why would they do anything?

        "what they really worked hard at was making people pay to access the credit profiles."

        Not hard enough, obviously, since someone walked away with 160 million peoples records , ie the company "product" and didn't pay a single dime for any of them.

    4. jelabarre59 Silver badge

      Re: Why would they do anything?

      I've though if those same hackers started providing a service of *cleaning up* people's credit records, purging out bad reports and replacing them with good ones (thereby boosting the credit score of whomever employs that hacker for the clean-up job) you'd start seeing the security being shored up right quick. Once it got out that Equifax's (and the other reporting agencies') data had been invalidated by hackers, their bottom line would plummet.

      Now *there's* your incentive for you. Granted, I wouldn't be trusting the hackers to fix my credit *without* taking advantage of the information for themselves, but the possibility of bad-actors being able to manipulate the very data that is the lifeblood of a company *should* be enough to scare them into locking their systems down. But that would necessitate the MBAs running these companies to be able to see past the BMW sales catalogue their nose is jammed into.

  2. This post has been deleted by its author

  3. cozappz
    Mushroom

    GDPR down the throat

    Because of these m'rons we got the GDPR down on our throats. Now, we canot read quarter of global sites because of the gdpr-blaming-walls.

    1. Anonymous Coward
      Anonymous Coward

      Re: GDPR down the throat

      and that's a bad thing? You do realise the websites you can't read are the ones tracking and profiling you to sell you shit that can't be arsed paying for security or actually asking you if that's ok.

      1. Dacarlo

        Re: GDPR down the throat

        Not with the correct plugins and VPN they dont.

        1. Anonymous Coward
          Anonymous Coward

          Re: GDPR down the throat

          For news websites there's also outline.com which can also get you past some paywalls.

      2. DougS Silver badge

        Re: GDPR down the throat

        More likely that they don't get enough revenue from EU people to make it worth the potential risk of a fine, even if they believe they are doing everything right. If I had a site that mostly US focused but happened to have 5-10% of traffic from the EU, I'd do the same.

        The GDPR fines are a giant hammer that may be needed with big sites like Google and Facebook but has the same potentially devastating impact on everyone. The big sites where it is really needed are the ones who can afford fancy lawyers that will no doubt get them off with a slap on the wrist, while being a death penalty for the rest.

        1. A.P. Veening

          Re: GDPR down the throat

          "If I had a site that mostly US focused but happened to have 5-10% of traffic from the EU, I'd do the same."

          Would you cut of traffic from California as well? California is copying the European GDPR. The major difference is that California doesn't levy such enormous fines yet.

          1. DougS Silver badge

            Re: GDPR down the throat

            If they copy the GDPR, but not the fines, then it isn't an existential business risk the way the EU's is.

        2. Doctor Syntax Silver badge

          Re: GDPR down the throat

          "More likely that they don't get enough revenue from EU people to make it worth the potential risk of a fine, even if they believe they are doing everything right."

          Well, as the article shows, the light's even starting to dawn on your Federal government and some states are ahead of the curve. Such sites need to start thinking about how much revenue they're prepared to cut off as more and more governments wake up to the fact that abusing privacy and lax security aren't desirable.

          There's also a network effect. It depends on the sort of site but even if it's not the sort that has user participation the site that allows traffic from the EU is likely to get talked about in other forums than one that doesn't. Positive feedback will then draw more and more traffic away from the refusenik until it gets regarded as a backwater.

          1. DougS Silver badge

            Re: GDPR down the throat

            Don't get me wrong, I want to see the US support better privacy and data handling. I'm just saying it totally makes sense for the way US sites are treating it now.

            Even if the US gets better protection, to the extent the GDPR differs it might STILL make sense for US sites to block EU users, because the risk of running afoul of the letter of their law is still very significant.

            If they were more reasonable about the fines, and fined based on a percentage of the EU derived revenue rather than overall revenue, it wouldn't be so scary. But if you make 5% of your revenue in the US and run the risk of being fined 5% of your revenue I hope you can see why many sites are taking the easy way out.

            If the US did the same stupid thing then pretty soon a company would run the risk of being fined over 100% of their revenue, if they had an Equifax like breach that hit in a bunch of states/countries, all taking their own 5% cut...

            If the goal is to make it painful, then fine them a higher percentage, but base it on their in region revenue only. It makes no sense that if you violate GDPR in both 2018 and 2019, and your EU revenue is flat but your US revenue doubles, that the EU should collect a bigger fine based on that increased US revenue.

            1. Mark 110 Silver badge

              Re: GDPR down the throat

              I am with the EU on this one. Take reasonable measures to secure your users data or go fuck!!

            2. MachDiamond Silver badge

              Re: GDPR down the throat

              There has to be a real downside. Fines are usually very low in comparison to the offense and companies just figure them in as a cost of doing business. If the allegations that Equifax was running fast and loose with security either to save money or just gross incompetence, they should be in danger of being fined out of existence. At that point, companies may take a more serious stance on how they manage security. Not only could a CEO not get their "bonuses", they would have a huge black mark on their resumé by being at the helm of a company that F'd up so bad that The Man fined them a whole year's gross income (with employee's being guaranteed their final checks and unused holiday pay).

              1. Charles 9 Silver badge

                Re: GDPR down the throat

                But then there's a downside to the downside: it could make those big transnationals resort to the bag of tricks: bribery, legal chicanery, or as a last resort, political campaigning and threatening to take a much-demanded service (or worse, their tax payments) out of their reach.

    2. N2 Silver badge

      Re: GDPR down the throat

      Absolutely fine by me

  4. Anonymous Coward
    Anonymous Coward

    What a coincidence

    I just received a postcard informing me of possible unlawful use of my personal information due to a data breach from another company with little to no regard for privacy/security...

    Experian

  5. Mark 85 Silver badge
    Devil

    So Congress will fix it by passing a law that won't be specific or enforceable.... But dammit...Congresscritter will shout that "WE DID SOMETHING!!!!!" Er.. maybe. Depends if the two parties can agree on how to write it, shape of the table, the color of the room where they will meet and what snack items will be available.

    Icon: Closest I could find to a sarcasm icon.

  6. Alister Silver badge

    We don't need more regulation

    What we need is for actual real consequences for companies who are shown to be negligent.

    Equifax has shown such an appalling lack of basic security that they should be closed down, and have their licence to act as a credit-reference agency revoked.

    They hold information which impacts on everybody's lives, and other companies make decisions based on the data Equifax hold which can literally have life-changing consequences.

    1. Teiwaz Silver badge

      Re: We don't need more regulation

      Equifax has shown such an appalling lack of basic security that they should be closed down, and have their licence to act as a credit-reference agency revoked.

      I expect some real people work there.

      Responsibility should fall where on those responsible. Senior Management of companies like this should not be able to slither away to take up roles elsewhere.

      It's the only way (or at least should be) to ensure money gets spent on security.

      1. Charles 9 Silver badge

        Re: We don't need more regulation

        How when those senior execs possess the money and lawyers to shirk off the blame? Even campaign for a wholesale change of government in the extreme case?

    2. Doctor Syntax Silver badge

      Re: We don't need more regulation

      "What we need is for actual real consequences for companies who are shown to be negligent."

      Yes. It's called regulation.

      For a company so removed from any situation where they don't interact directly with the people whose data they are collecting there's no chance for market forces to operate on them. In that case the only consequences that can happen are legal sanctions. You don't have legal sanctions imposed out of thin air just because it becomes obvious that someone did something bad or was negligent in some way, at least not in a free society. It requires that they have breached some specific legal restriction.

      It makes no sense to call for "real consequences" and then say we don't need more regulation. If there are currently no real consequences for breaches like this it's a clear indication that more regulation is needed.

      Sadly the continued existence of Facebook and the like shows that that market forces don't seem to have much influence even when there is direct interaction.

      1. A.P. Veening

        Re: We don't need more regulation

        I agree with most of your post, but you are overlooking existing regulation which already applies and got teeth: GDPR. It is applicable as information about Brits is involved.

        1. PTW

          Re: We don't need more regulation - GDPR not applicable

          for the Brits as it happened before GDPR was in place.

        2. Doctor Syntax Silver badge

          Re: We don't need more regulation

          "It is applicable as information about Brits is involved."

          Article 32 says ‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.

          Rightly or wrongly the sort of management thinking illustrated here is likely to look at the mention of costs and decide they've got a let out.

          In any case, I'd have thought US citizens required something better than 2nd hand protection. A business that carries data of this sensitivity and volume should in any case be subject to more active regulation than GDPR which is passive and part self-regulatory. GDPR depends on either an aggrieved individual making a complaint or the organisation itself reporting issues to the regulator. An active regulation would be a requirement for a license and annual audits of which the security aspect would include ensuring systems were patched and maybe some penetration testing. Without that there's a likelihood that management will adopt a wait and see approach and try to trade the cost of being caught against the probability of being caught.

          With a license and audit approach things change from fines as a cost of doing business to doing the job right as a cost of staying in business. It's a difference that can focus the managerial mind amazingly well.

      2. MachDiamond Silver badge

        Re: We don't need more regulation

        There are some regulations but they are so vague and have such small teeth that it's less money to pay the fine than upgrade software across several server farms. If a multi-billion dollar company is fined one million which then gets reduced to five hundred thousand and a stern look, there is no motivation to overhaul anything (at a much higher cost).

        There does need to be more specific regulations with better defined fines that will impact any company that must pay them. Obviously, a small company being fined 1 mil would put them straight out of business and a larger company would just have somebody in accounting cut a check without a backward glance or diminution of executive bonuses. Pain is one of the best teachers. If you were lucky enough to get spanked as a child for misbehaving, you may appreciate that concept. If there were never any consequences for acting up, nobody would ever learn right from wrong. Look at Elon Musk. He keeps yanking the tail of the Securities Exchange Commission like a squeaky toy and has been getting away with it for a while with just one paltry set of fines. $20 million dollars isn't all that much for somebody that buys 5 mansions in California at a time for much more. Maybe he would have bought a sixth. Take away his ability to be CEO for 5 years and receive no salary or payouts of any kind other than what any other stockholder would get and maybe he'll feel some pain.

    3. phuzz Silver badge

      Re: We don't need more regulation

      have their licence to act as a credit-reference agency revoked

      As far as I can tell, they don't have any kind of a license, because there is no requirement for such a thing. They do have to comply with something called the "Fair Credit Reporting Act", none of which has anything to say about them allowing private information to be stolen (it's mainly concerned with making sure an individual can access their own credit report).

      Perhaps you do need more regulation? Like, I dunno, maybe licenses?

      1. MachDiamond Silver badge

        Re: We don't need more regulation

        "As far as I can tell, they don't have any kind of a license, because there is no requirement for such a thing."

        In the US, companies that report on the credit of customers have to operate under a specific set of laws regarding accuracy. Apparently, privacy and data security aren't covered.

        Companies that collect and sell a whole array of personal information but not credit information are totally unregulated. In another decade or so maybe there will be some weak effort to seal that up. I expect that if a database containing PII on the entire US Senate is pilfered and winds up as part of the offerings of one of these Big Data companies openly, things might move a bit faster.

  7. Picky
    Unhappy

    licence to act

    and have their licence to act as a credit-reference agency revoked. -= do they need one?

    1. Alister Silver badge

      Re: licence to act

      do they need one?

      Good point. Maybe some regulation to require licensing of credit reference agencies would be good... :)

      1. ciaran

        Re: licence to act

        Yes, with an obligatory insurance that pays out when anyone is subject of a data breach. That would mean the company is policed by the insurance company. The US is supposed to like a free market, I'm always amazed that they don't just inflate the insurance requirements of any strategic/sensitive industries...

        1. Charles 9 Silver badge

          Re: licence to act

          Simple. At that point it becomes cheaper to bribe.

          1. A.P. Veening

            Re: licence to act

            "Simple. At that point it becomes cheaper to bribe."

            The solution to bribery is nine grams of lead, payable by the receiver before delivery into the brain (for both briber and bribee).

            1. Charles 9 Silver badge
              Devil

              Re: licence to act

              Shooters can be bribed, too. ANYONE can be bribed if the price is right and if the price is lower than the price of compliance...

              1. Mark 110 Silver badge

                Re: licence to act

                I've always wanted a gun!!!

                Probably a good thing I live in the UK and I couldn't justify one (I'm not a farmer).

                1. Charles 9 Silver badge
                  Devil

                  Re: licence to act

                  It may just simply be a matter of knowing who to contact and whose palm to grease.

  8. JLV Silver badge

    Outrageous!

    >legislation that establishes a national uniform standard requiring private entities that collect and store PII [personally identifiable information] to take reasonable and appropriate steps to prevent cyber-attacks and data breaches

    This type of governmental overreach and overregulation is what’s KASA (Keeping America Small, Always). Credit scoring companies bring a much-appreciated vital service to the public and self-regulation is best at promoting the continuing innovation that is vital to developing cross-sector financial synergies. A vote for this is a vote for China and the hippy next door.

    Besides, what are you going to do? Jail us? For not looking after some pretty basic data on just a few people that fully consented to being in our systems. What’s going to happen to those poor little folk? They’re going to be ID thefted, you say? Hah! They’ve probably put the same data on Facebook anyway.

    If a fine must be levied, purely for appearance sake, it should be 100M $ One Million Dollars!!!

    Our campaign contributions IT security specialists will contact your congressional staffs to establish the best practices for security theatre safeguarding the public interest.

    Might we also suggest that credit reporting agencies be “regulated” by the FCC since the honorable Ajit Pai has, wisely, devolved telecom telecommunication information service oversight to the FTC? After all, we did our best to communicate private sensitive data to unknown external parties so that makes us telecommunication companies.

    1. John Brown (no body) Silver badge

      Re: Outrageous!

      "Credit scoring companies bring a much-appreciated vital service to the public"

      Eh, what? They are just the recipients of outsourcing. I very much doubt any of the "public" even think about them, let alone "appreciate" them. They are middle-men who have insinuated themselves between borrows and lenders.

  9. Anonymous Coward
    Anonymous Coward

    Surely we (UK/US) already have laws about criminal negligence ?

    Why not use those ?

    How come we don't need to come up with new laws when someone is killed with a gun for the first time, rather than a knife, but introduce a computer and everyones immune ?

    1. Charles 9 Silver badge

      Re: Surely we (UK/US) already have laws about criminal negligence ?

      Degrees of separation. I suspect you'll have a similar problem trying to nail someone who engineered a plague.

  10. jchevali

    It looks like the managers (manipulators) + the stooges (failed hackers) underneath were too busy looking after themselves --their own careers and, while they were earning money, economy of time/effort-- to bother about protecting their customers. But why single out Equifax? Doesn't that happen in every company that reaches a certain size + a certain notoriety? I.e., institutionalized mediocrity and complacency?

  11. Anonymous Coward
    Anonymous Coward

    The Irony

    Congress inacting laws making incompetence illegal

  12. Anonymous Coward
    Anonymous Coward

    I want to write a rant, but it just seems rather pointless.

  13. pyhoff@gmail.com

    Come on Europe

    Can you fine these bastards into oblivion.

    1. Charles 9 Silver badge

      Re: Come on Europe

      Anyone who tries would just find these firms move out of their sovereign reach, unless someone ups and becomes ruler of the entire world. And even then, they may take the Sprawl route and declare themselves sovereign.

  14. Cederic

    being contrary

    Of course Equifax had thousands of unpatched vulnerabilities. I defy any company that size to run a competent vulnerability scan and not get hundreds of thousands of the fuckers. Patching software take time, costs money, incurs risks. Not patching software also incurs risks.

    Security isn't simple and securing data at that scale is bloody difficult. I mean, complaining that the struts admin wasn't on the security mail list? So fucking what? If they had been they'd have auto-deleted all of the emails anyway because they'd also need to be on 48 other mail lists and they can't reasonably read, absorb and respond to that volume of email.

    It's very easy to make accusatory statements following a breach like this but ignorant fools proposing legislation without understanding the domain (informed by idiots that only think they understand the domain) can only cause more issues than they resolve.

    Which on reflection is jolly nice for all of us outside of America. Nice boost to our IT industries, this.

  15. FozzyBear Silver badge
    Devil

    Until the executives are personally held liable for the actions or inaction's of the company, this behaviour will continue. If I remember correctly it was a lone IT admin that was given the boot and served up as a scapegoat early in this whole fiasco.

    1. Charles 9 Silver badge

      Good luck trying that. Transnationals are already tough for governments to handle, seeing as how they're designed to play sovereignties against each other.

  16. shawnfromnh

    This should have been a law a long time ago and all online businesses should have this in place for everything. Hell a manditory pen testing with a minimum of tests to be done.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019