I don't think it's necessarily a bad thing that existing laws and civil structures are capable of dealing with this without new laws having to be passed explicitly for this case.
If the system works as-is, does Congress need to do anything?
Ideally, I think that we'd want the federal Congress and the individual state legislatures being reflective, making prospective decisions which anticipate future events and impose the correct structure to deal with them, rather than retrospectively doing something in order to be seen to do something.
But no-one ever got elected on a platform of 'my predecessors did a great job; I'm going to play some golf!'
Will any of the individuals responsible face direct consequences for their actions? Or, will the cost of their mistakes be borne entirely by shareholders?
Here in Canada you basically must go to them to do anything credit related ie get a car or home loan. I don't see how they have any incentive to do better because they are a monopoly. And I cannot get my credit score from the bank as it's illegal I must go through this joke of a credit agency.
It sounds like most of these costs are just from having to finally do the things they skimped on in the first place. If so, it's not really a loss compared to if they had taken the right steps at the beginning. So it may not really disincentivize them from cutting corners again in the future.
It'd be like if the only punishment for getting caught cheating on a test was "well now you have to take the test without cheating". You're probably going to give it a try every time.
I'm seeing a pattern with these "Congressional hearings" where politicians bring in CEOs, let off a few zingers to really stick it to 'em, score some points with their constituents, and then... do absolutely nothing of substance.
> It sounds like most of these costs are just from having to finally do the things they skimped on in the first place.
Source? It's not TFA. TFA only talks about legal costs in the past, and doesn't state it but implies future projections are also for legal costs.
With $700MM of legal costs in 1 quarter, if that is 49% of the total (51% --most-- going to finally do the things) expenditure, that's $1.4bn in one quarter. Their entire 2018 revenue was just $3.4bn ($835MM in Q4).
The article placed a general emphasis on "cybersecurity costs"; I guess it didn't really indicate what percentage was that vs. litigation, but any "cybersecurity costs" are as I described above: costs that should've already been spent before the breach and are just being forced now. Only the litigation is a true "penalty".
It’s more like if you got caught cheating during a test you had to stop cheating but kept taking the same test and got credit for all of your previous answers. Equifax still has its past profits.
I recall someone who was a security director at Panera Bread (a US based fast casual restaurant). Was confused and upset when a security researcher contacted them and asked to exchange a PGP key ... I suspect he straight up didn't understand what the request for a key meant or possibly even the issue as it was a very obvious issue and they did nothing about it until it hit the press.
Something similar happened to me years ago. In the process I sent a tar-ball. He replied with, "Please resend the attachment as industry standard ZIPFILE."
I would hope that any security person, even Windows based, understands what a .tar (or .tar.gz) is. If they don't, I'd be very worried for what else they haven't been paying attention to.
No one in their right mind would use anything but 7zip... especially trailware like WinZip and WinRar. Windows has built in Zip support if you're not in-the-know but to go out of your way to use WinZip/WinRar implies a certial level of out of date knowledge.
By default Windows handles Zip files in Explorer. Ostensibly it's fair to assume that "I don't run non-standard apps when I can avoid it" is a reasonable (if limiting) premise.
One day, my son was ranting about some guy who, in my son's opinion, was the death of multiple cool projects. He was like "I don't know how he keeps getting hired! He destroys everything he touches!"
And I told him "His resume lists multiple cool projects that he worked on."
We are perhaps being too cynical, it isn't quite that straight forward. I hear you also need to wear the right tie and buy the correct pair of expensive shoes.
I think it's the same everywhere. I work in finance, after 5 years of working out of college in almost convinced that incompetence is a requirement for senior management positions. That and ass kissing and the ability to twist facts
The initial email exchange is indeed a sight to see, so I transcribed the text in the image:
---------
Hello Mike et al
Thank you for making yourself available. There is a security vulnerability on the delivery.panerabread.com website that exposes sensitive information belonging to every customer who has signed for an account to order Panera Bread once. This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number. Moreover, the users are easily enumerable which means an attacker can crawl through the records.
I can provide the specific details of the vulnerability over email once you respond, but if you prefer (for more security), I can also encrypt the information with a PGP key you provide me. Alternatively we can hop on a phone call.
Best Regards,
Dylan Houlihan
--------------
Dylan
My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.
In a followup this person makes some excuse about how many emails they get because they're a big company. Why even have the email address then, if you're just going to disregard everything right off the bat? The initial email was rather specific with regard to the issue, but even if it wasn't, send them the fucking PGP key and see what they send! If it's nothing worthwhile, oh well, no big deal.
If you are in a position where you don't understand the e-mail then ASK someone who does. Or a quick google search with "PGP e-mail", wow was that so hard. The guy was probably late for a golf game or something (ok now i am being mean). Idiots.
In my last job I was responsible for onboarding b2b clients to send us hr data through sftp with key authentication. We also recommended they encrypt with our public pgp key and sign with their private key.
Trying to explain the difference between ssh keys and pgp/gpg keys took up a good 20% of my time some weeks. Often, I was talking to tech companies, or companies with a reputation for technology... I don't think the majority of Windows admins understand public/private keys.
CCPA -- the California Consumer Privacy Act -- has real penalties for data breaches [0]. When there is pure negligence in play and the business doesn't cure with 30 days notice, the law seems to explicitly provide for a minimum $100 / person penalty. And up to $750. There are amendments in play to remove the 30 day cure grace period; whether they pass this year or not, we'll have them within 5 years (personal bet).
Basically, breaches can be an extinction event for a company in California starting 1 January 2020. A couple companies are gonna take one for the team, and shortly thereafter, boards will be very interested in security postures.
In a world where even Rudy Giuliani is able to become a renowned 'cyber security' expert with his own consulting firm, job titles can obviously be misleading.
Another situation of too big to fail? I sure hope not.
Why are they still in business? Any worthy regulation of any type would have shut them down already no?
Lawsuits are progressing. It's possible legal costs (plus the accompanying reputational damage) will eventually force Equifax into bankruptcy. (I, for example, refuse to open credit lines if they require an Equifax credit check.)
At the end of the day, you can't just kill companies because you don't like them. We don't have general data protection laws with heavy penalties in the United States. The only way to extract a pound of flesh is to show damages, which has been difficult given how little we know about who stole the data and what they did with it. Nevertheless, the lawsuits progress.
Watch out Equifax, here come those collection calls.
If owing thousands as a US peasant earns you harassment and dozens of calls a week, I'd love to see the Experian leadership get thousands a second if we're staying proportional.
For me, it was unsuccessful. They sent out a representative and we argued away from a judge (forget the term used) and I decided not to see the judge because if I argued before him and lost, I would be "unable" to bring it before a judge again.
I've heard of this tactic working for certain consumers (like in the article above) but for me what was hard to establish via small claims court, was how exactly I was facing monetary damages. Most lawsuits allow punitive damages, but small claims court does not, so you have to prove exactly how you were monetarily damaged.
That being said, I would definitely be down to sue them in small claims court again using a better strategy. I would also join a class action lawsuit.
I'm planning to do this (small claims court). When I looked into it a year ago I did not have confirmation that Equifax did business in the juristiction, which was a requirent. My previous employer (I'm still on their payroll as a part time employee) recently notified me that they are now participating in Equifax's "The Work Number" so I'm going to request my data in a month or so as confirmation of Equifax operating in this jurisdiction. I plan to claim damages as the service cost of enhanced credit monitoring service in perpetuity, at least up to the limit of $6,500. Any thoughts on this approach? What did you declare as damages and what was the representatives rebuttal?
Usually in front of the judge in small claims nobody is allowed a lawyer. You could argue that you now need unlimited credit monitoring on all credit reporting agencies. The most likely outcome is that they would agree to this. Honestly, I think Congress should just mandate that they be required to have free monitoring, free locks, free reports... basically any personal inquiry should be free.
It will never mean a thing and will never change until those in leadership positions in corporations suffer criminal penalties for lack of oversight and protection of data.
Unfortunately, the federal government has no appetite for holding corporations criminally responsible for actions in this day and age. The belief in too big to fail and campaign donations are monumentally hard to overcome.
I am Victor, the CTO of Truework (https://www.truework.com), a startup providing an alternative to Equifax / TheWorkNumber.
We are working to change the way employment & income information is shared by employers with a more privacy focused approach where you, as an employee, decide if you want to give the information with the requester.
I started this company after I found out that Equifax shared my employment and income information without my consent when I was working at LinkedIn...
Yes Equifax has accumulated employment and income information through their purchase of The Work Number (https://en.wikipedia.org/wiki/The_Work_Number) in 2007. They have 200 million of employment records and likely a higher multiple of paychecks.
They have a large share of the fortune 500 companies in the US. If you have worked for a large firm in the past, it's likely that every single one of your paycheck is somewhere in their database.
You're not wrong, companies can add as much security as they like but there will still be breaches, root cause is them having the data in the first place.
EquiFax outsourced its network monitoring to ReliaQuest, and I have friend who works at ReliaQuest, so I've followed this with some interest. There is a general issue here too. Back in 2017 I wrote:
"But I don’t mean to only focus on EquiFax. I’ve seen many small companies where computer security was considered the exclusive job of the tech team. I recall a jewelry manufacturer in Richmond, Virginia, which had about 100 people, including a tech team of 3. Top management of such a company has the option to educate everyone about the importance of security, or they can just leave the task to the tech team. The tech team is often happy to gain the power granted by being in charge of such an important function. And then they implement silly rules, like forcing all passwords to change each week — minor rituals that annoy a lot while offering little real security. Real security could only come from educating the staff about the open nature of email, the importance of using encrypted communications, the importance of protecting the intellectual property of the firm. A company with 97 ignorant people and 3 security minded people can never be as secure as a company with 100 security minded people."
What gizmodo overlooks is that a Moody's rating is usually related to company debt, which means that a ratings downgrade increases the interest rate they have to pay to roll over existing debt or issue new debt.
Seems like a company with a large debt/income ratio could be crippled pretty fast by a ratings downgrade because it increases the percentage of revenue they pay in debt interest. If they have a high debt load and their profit margins are single digit, they risk ceasing to be profitable, which will tank the stock. It's a spiral.
If they have catastrophic cybersecurity exposure that opens them up to fines, settlements, and customer attrition as a result of an incident like the one that affected Equifax, well that's a target for a fire sale.
It's practically inviting hackers to target companies with high debt/income ratios on behalf of short sellers for that reason. It would be a slow motion car crash that would be hard to time correctly, but the confluence of debt/leverage and security risk seems like a perfect storm.
In the long run I don't think anything will change at Equifax. At worst, it will get absorbed by another company, re-branded, and no one will know where the former Equifax has gone. At best, it will get disbanded and its executives put in prison.
I saw so many good review about this great hacker and I just can't stop sharing the Gospel of this hacker (CREDIT WIZARD ) until other people enjoy his amazing service. He's one of a kind. He hacks anything and everything.I was looking to repair my credit, but I have went through more than a few individuals whom stated that they could and have my funds without a outcome.I got a review from a forum about CREDI WIZARD and was wondering if this could be possible until i see my credit score increased to 800. He offers many other hacking services like credit repair and score boost, website hack, university database hack and grade change, erasing criminal records, bank accounts infiltration, GPS tracking, retrieval of lost documents, tracking stolen funds, spy your cheating spouse and so many other services I cant mention them all. Contact CREDIT WIZARD for more details at cyberwizard1995@gmail.com/ +1 662 727 5740
98 comments
[ 138 ms ] story [ 376 ms ] thread> Lawsuits and investigations have cost $690 million in the first quarter of 2019 alone
> And the lawsuits will keep coming: In January, an Atlanta judge denied Equifax’s attempts to dismiss class-actions filed against the company.
Looks like there are real consequences to losing data on half of all Americans
But, ideally it should have been a direct comment on this story. You replied to an unrelated statement.
Doing it more quickly would have been nice, sure.
Ideally, I think that we'd want the federal Congress and the individual state legislatures being reflective, making prospective decisions which anticipate future events and impose the correct structure to deal with them, rather than retrospectively doing something in order to be seen to do something.
But no-one ever got elected on a platform of 'my predecessors did a great job; I'm going to play some golf!'
Everyone is simply using them and there is no good popular alternative.
It'd be like if the only punishment for getting caught cheating on a test was "well now you have to take the test without cheating". You're probably going to give it a try every time.
I'm seeing a pattern with these "Congressional hearings" where politicians bring in CEOs, let off a few zingers to really stick it to 'em, score some points with their constituents, and then... do absolutely nothing of substance.
Source? It's not TFA. TFA only talks about legal costs in the past, and doesn't state it but implies future projections are also for legal costs.
With $700MM of legal costs in 1 quarter, if that is 49% of the total (51% --most-- going to finally do the things) expenditure, that's $1.4bn in one quarter. Their entire 2018 revenue was just $3.4bn ($835MM in Q4).
> Lawsuits and investigations have cost $690 million in the first quarter of 2019 alone,
His previous job... at Equifax.
Oh I found the story:
https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-s...
But a security director being suspicious of PGP encryption is a sign of a know-nothing in a position of power.
I mean, come on - do they also ask strangers to hold their wallet?
Edit: My question and the replies are incredibly depressing as an infosec practitioner.
And I told him "His resume lists multiple cool projects that he worked on."
(Facepalming ensued.)
---------
Hello Mike et al
Thank you for making yourself available. There is a security vulnerability on the delivery.panerabread.com website that exposes sensitive information belonging to every customer who has signed for an account to order Panera Bread once. This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number. Moreover, the users are easily enumerable which means an attacker can crawl through the records.
I can provide the specific details of the vulnerability over email once you respond, but if you prefer (for more security), I can also encrypt the information with a PGP key you provide me. Alternatively we can hop on a phone call.
Best Regards, Dylan Houlihan
--------------
Dylan
My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.
Regards, Mike
I am certainly not authorized to give away the public key but I have a private one that I would share if necessary.
In a followup this person makes some excuse about how many emails they get because they're a big company. Why even have the email address then, if you're just going to disregard everything right off the bat? The initial email was rather specific with regard to the issue, but even if it wasn't, send them the fucking PGP key and see what they send! If it's nothing worthwhile, oh well, no big deal.
https://www.theregister.co.uk/2006/03/24/tuttle_centos/
If you are in a position where you don't understand the e-mail then ASK someone who does. Or a quick google search with "PGP e-mail", wow was that so hard. The guy was probably late for a golf game or something (ok now i am being mean). Idiots.
Linus Torvalds on idiots (more specifically: people who read things one byte at a time, with system calls for each byte.)
Perhaps a contributing factor to the Peter Principle?
> demanding a PGP key would not be a good way to start off.
Oh dear god...
That's a very nasty response to an incredibly polite email.
https://www.linkedin.com/in/mike-gustavison-b020426/
CCPA -- the California Consumer Privacy Act -- has real penalties for data breaches [0]. When there is pure negligence in play and the business doesn't cure with 30 days notice, the law seems to explicitly provide for a minimum $100 / person penalty. And up to $750. There are amendments in play to remove the 30 day cure grace period; whether they pass this year or not, we'll have them within 5 years (personal bet).
Basically, breaches can be an extinction event for a company in California starting 1 January 2020. A couple companies are gonna take one for the team, and shortly thereafter, boards will be very interested in security postures.
[0] https://iapp.org/resources/article/california-consumer-priva...
Lawsuits are progressing. It's possible legal costs (plus the accompanying reputational damage) will eventually force Equifax into bankruptcy. (I, for example, refuse to open credit lines if they require an Equifax credit check.)
At the end of the day, you can't just kill companies because you don't like them. We don't have general data protection laws with heavy penalties in the United States. The only way to extract a pound of flesh is to show damages, which has been difficult given how little we know about who stole the data and what they did with it. Nevertheless, the lawsuits progress.
How do you know who the credit lines are going to check your credit through?
If owing thousands as a US peasant earns you harassment and dozens of calls a week, I'd love to see the Experian leadership get thousands a second if we're staying proportional.
Corporations are people and all.
For me, it was unsuccessful. They sent out a representative and we argued away from a judge (forget the term used) and I decided not to see the judge because if I argued before him and lost, I would be "unable" to bring it before a judge again.
I've heard of this tactic working for certain consumers (like in the article above) but for me what was hard to establish via small claims court, was how exactly I was facing monetary damages. Most lawsuits allow punitive damages, but small claims court does not, so you have to prove exactly how you were monetarily damaged.
That being said, I would definitely be down to sue them in small claims court again using a better strategy. I would also join a class action lawsuit.
https://finance.yahoo.com/chart/EFX#eyJpbnRlcnZhbCI6ImRheSIs...
Unfortunately, the federal government has no appetite for holding corporations criminally responsible for actions in this day and age. The belief in too big to fail and campaign donations are monumentally hard to overcome.
The idea is to lock up your payment in escrow for 12 months.
50% of it would be in escrow and 50% is sent to the recipient.
You then use a multi-sig transaction for the escrow.
If your customers find out you did something shady they can all revoke their payment to you and you lose 50% of your revenue for that year.
All it would take is for the N of the M wallet signatures to agree that what you did was a breach of contract.
This could be done optionally too. Companies that enable this type of payment would see more customers so the free market dynamics would take over.
It could also be legally required too of course.
I am Victor, the CTO of Truework (https://www.truework.com), a startup providing an alternative to Equifax / TheWorkNumber.
We are working to change the way employment & income information is shared by employers with a more privacy focused approach where you, as an employee, decide if you want to give the information with the requester.
I started this company after I found out that Equifax shared my employment and income information without my consent when I was working at LinkedIn...
AMA
Also we're recruiting: https://www.truework.com/careers/ !
https://twocents.lifehacker.com/how-to-review-and-dispute-th...
They have a large share of the fortune 500 companies in the US. If you have worked for a large firm in the past, it's likely that every single one of your paycheck is somewhere in their database.
"But I don’t mean to only focus on EquiFax. I’ve seen many small companies where computer security was considered the exclusive job of the tech team. I recall a jewelry manufacturer in Richmond, Virginia, which had about 100 people, including a tech team of 3. Top management of such a company has the option to educate everyone about the importance of security, or they can just leave the task to the tech team. The tech team is often happy to gain the power granted by being in charge of such an important function. And then they implement silly rules, like forcing all passwords to change each week — minor rituals that annoy a lot while offering little real security. Real security could only come from educating the staff about the open nature of email, the importance of using encrypted communications, the importance of protecting the intellectual property of the firm. A company with 97 ignorant people and 3 security minded people can never be as secure as a company with 100 security minded people."
http://www.smashcompany.com/business/if-a-company-is-serious...
Seems like a company with a large debt/income ratio could be crippled pretty fast by a ratings downgrade because it increases the percentage of revenue they pay in debt interest. If they have a high debt load and their profit margins are single digit, they risk ceasing to be profitable, which will tank the stock. It's a spiral.
If they have catastrophic cybersecurity exposure that opens them up to fines, settlements, and customer attrition as a result of an incident like the one that affected Equifax, well that's a target for a fire sale.
It's practically inviting hackers to target companies with high debt/income ratios on behalf of short sellers for that reason. It would be a slow motion car crash that would be hard to time correctly, but the confluence of debt/leverage and security risk seems like a perfect storm.