Equifax Lobbied For Easier Regulation Before Data Breach (wsj.com) 104

WSJ reports: Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

  • They knew (Score:5, Insightful)

    by Calydor ( 739835 ) on Tuesday September 12, 2017 @03:04PM (#55183303)

    They knew about the breach when they started lobbying for that. LONG before the poor schmucks were allowed to know about it.

    • by Anonymous Coward

      It sure looks that way. They need to be made an example of by Congress, regardless of who they have in their pocket already.

      • They need to be made an example of by Congress,

        That's always the wrong approach. It makes the mob of people feel good, even if they get the wrong person, but it doesn't cause any long-term change. What we need is a change in laws so this thing doesn't happen in the future. For one thing, they could have done a better job on security.

        • Comment removed based on user account deletion
          • The only thing people like this care about is money. If they can take an illegal action that nets them $1 billion and, if caught, pay a $1 million fine, they'll do it. If they can, they might even do it first and use some of the money to pay off... I mean lobby politicians to make the action legal (or, at least, hard to prosecute).

            Something along the lines of an Equifax breach should mean that the executives in charge of the company are fined 10 years' worth of their compensation package (including, b

          • I would disagree with that. Nothing is going to change unless the crooks who are running that company are made examples out of. In person. In public.

            You're the kind of person who crucifies the innocent in public, then goes on with your day feeling good, while the real crooks continue what they are doing. But at least you did something, right?

            There's a reason vigilante justice is bad, and it's because of people like you.

    • They knew about the breach when they started lobbying for that.

      How do we even know if this was a "breach" at all . . . ? Maybe some folks at Equifax were just following the Facebook and Google business model, and were just selling "information services" on the side . . . ?

      Hey, the old, time-tested methods work best: You want something? Bribe or blackmail someone. It works all the time.

    • by mi ( 197448 )

      Maybe. But what we can claim with certainty is that the existing regulations did not help prevent the breach...

      • by HiThere ( 15173 )

        No. We can claim that they did not prevent the breach, but they may well have delayed it or made it more difficult.

        That said, they clearly don't suffice. The executives and management should be held personally responsible for the time, effort, and financial damages that this breach caused to every single individual affected, including only those who had to spend time figuring out how to try to deal with it. At a reasonable hourly rate, say the average hourly rate of the corporation management (figured fr

        • by mi ( 197448 )

          No. We can claim that they did not prevent the breach, but they may well have delayed it or made it more difficult.

          We have no idea...

          That said, they clearly don't suffice.

          Not "clear" at all. When a tank's hull is breached by an enemy's shell, is it because the armor was too weak, or because it was too heavy for the tank to move faster? Which of the aspects should be improved — at the expense of the other?

          The executives and management should be held personally responsible

          Though I agree in this case, th

          • Re:They knew (Score:5, Insightful)

            by MickyTheIdiot ( 1032226 ) on Tuesday September 12, 2017 @05:34PM (#55184597) Homepage Journal

            The executives and management should be held personally responsible

            Though I agree in this case, this is a dangerous line of thinking — not entirely unlike blaming a rape victim for wearing too short a skirt...

            This is the worst simile I have EVER seen on Slashdot. That's saying a lot.

            The corporate CxOs are NOT the victim in this scenario. The corporate worshipers on /. and the Internet love to tell us that the executives deserve huge pay packets because they are responsible. However, in *every case* when something happens that hurts thousands of people, they always "don't know what happened." Executives hold responsibility and deserve what they are paid, or they don't know what is going on and they are overpaid. You can't have it both ways.

            The CxOs were the benefactors of the malfeasance. Calling them rape victims is idiotic.

            • by mi ( 197448 )

              The corporate CxOs are NOT the victim in this scenario.

              The point I fully agreed — and continue to agree — with. In this case.

              Executives hold responsibility and deserve what they are paid or they don't know what is going on and they are overpaid.

              You've prevailed over a strawman you yourself erected. Congratulations.

              The CxOs were the benefactors of the malfeasance.

              What malfeasance? The only indication we have of them having done anything wrong so far is the fact that their database was stolen. You may

          • Re: (Score:1, Insightful)

            by Anonymous Coward

            Though I agree in this case, this is a dangerous line of thinking — not entirely unlike blaming a rape victim for wearing too short a skirt...

            I think your analogy is a bit flawed. Let me expand...

            EquiFax isn't the one wearing the short skirt. EquiFax is the pimp that forced their entire involuntary stable (those whose credit is checked) to wear short skirts so as to be more attractive to the johns (those doing credit checks). The rapists (hackers) are certainly in the wrong, but rape or no rape of the stable, the pimp is still in the wrong. The pimp forced the short skirts specifically to entice johns, not as a fashion choice. Remember - nobody i

        • If you wanted to hold the responsible parties accountable, you'd be going after sysadmins and developers who incorrectly configured / executed their tasks. Which reader here is ready to go to jail for making a mistake in their day to day duties?
          • by HiThere ( 15173 )

            That may be reasonable ALSO. But many sysadmins don't have the right to control what they work on, so I can't be sure. It's definitely the case that the executives claimed responsibility while everything was (apparently) working well, and it appears that it was the executives who started selling their stock when the problem was detected. But even though the problem was detected, it wasn't fixed, so I suspect the sysadmins didn't have the right to fix it.

            Of course, it might be quite reasonable to charge t

            • by GuiRoo ( 562566 )
              Those execs sold a small percentage of their holdings, and they know this stuff is public record. The total amount sold is less than any one of them makes in a given year (also public record). If this was malicious, or their golden parachute, why not sell all of it? Or even most of it? None of this makes any sense. It was either their financial advisors executing on their behalf (who wouldn't have known), or they didn't know. Nothing else makes any logical sense.
              • by HiThere ( 15173 )

                You are right that I should be less definite that they had advance knowledge and took criminal advantage of it. Possibly the trades were scheduled ahead of time. Possibly they can be shown to not have known. (Though I'd be dubious about that. Gossip spreads in ways that aren't officially recorded.)

                However it was their *JOB* to know that things were being managed well. That's how they justify their fancy salaries. I'm not going to let them off the hook for this, unless I consider them criminally neglige

    • Really?

      I didn't read the article - but was their request for deregulation regarding security standards or something else?

      If it's something else then the request is irrelevant,
    • by Xest ( 935314 )

      Really? This sounds like stuff I'd expect vested interests to be lobbying for all the time regardless of the breach.

      Is there any reason to think a firm like this wouldn't want to be deregulated regardless of whether the breach happened or not?

      I'm not sure these two things are related, I think they were lobbying because they lobby for this sort of stuff all the time anyway. Is there any reason to think that lobbying for reduced regulation isn't the norm in this particular area of financial services as oppose

      • by Calydor ( 739835 )

        The Summary wrote:

        While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

    • I doubt they knew about that specific breach that long ago (or that it happened that long ago), otherwise why announce it now?

      It is more likely that they knew their security was a joke, and that they were very vulnerable and it was only a matter of time before something really bad happened.

      The worst part is that they spend millions lobbying government to limit their breach liability when they could have been spending that money on some security folks to do an audit of their systems and fix their actual prob

  • cyberattack? (Score:4, Insightful)

    by Anonymous Coward on Tuesday September 12, 2017 @03:13PM (#55183381)

    Equifax disclosed the cyberattack

    Welcome to the age of "cyber war", where every crap system connected to the internet can hide under the umbrella of an "attack" rather than face the consequences of a complete disregard for properly designed information security.

  • by sandbagger ( 654585 ) on Tuesday September 12, 2017 @03:17PM (#55183423)

    If only they could have been freed from the yoke of these onerous, confusing regulations, this never would have happened!

    • Don't forget "job killing". Every focus group research done by them has shown the value of that adjective. Always say "job killing".
    • It's possible. What are their retention requirements? Do they have to be able to interface that data with other companies / government / people in a regulated determined time-frame?

      Adding more laws is not always the best way and it's just a knee-jerk reaction. Did they already break any laws or regulation? It needs to be determined if the existing rules don't work because of how it's enforced before adding on top of those. There are already so many regulations regarding this industry that no newcomer w

      • Because your cell phone is a critical part of the financial infrastructure of the country you live in. Or is that an incorrect conclusion?
  • Just think... (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Tuesday September 12, 2017 @03:30PM (#55183573)

    Your data wouldn't have been given to criminals if they had invested that $500K in security.

    • by Anonymous Coward

      Your data wouldn't have been given to criminals if they had invested that $500K in security.

      you are beyond-redemption-stupid if you think they would have spent money on security

    • Sorry, but they are the criminals. What they call a "breach", I would call a sale. Why should we believe this was an accident?

    • Re:Just think... (Score:5, Insightful)

      by markdavis ( 642305 ) on Tuesday September 12, 2017 @03:40PM (#55183653)

      >"Your data wouldn't have been given to criminals if they had invested that $500K in security."

      Actually, according to the summary, they spent at least $2.6 MILLION dollars in just the last 2.75 years, alone. Imagine how much that money COULD have done if they had used it to hire a few good security engineers and made meaningful changes.

      • Re:Just think... (Score:5, Interesting)

        by tlhIngan ( 30335 ) <slashdot@worf . n et> on Tuesday September 12, 2017 @05:21PM (#55184511)

        Actually, according to the summary, they spent at least $2.6 MILLION dollars in just the last 2.75 years, alone. Imagine how much that money COULD have done if they had used it to hire a few good security engineers and made meaningful changes.

        You guys are looking at it the wrong way. You're looking at it as a victim, you should look at it as what it brought them.

        With this one breach, that $2.6M is now completely wasted - in fact, it's even worse since it's now achieving the opposite effect - instead of trying to buy reduced scrutiny, their failure to spend on security is working against their campaigning. Even worse, it's brought government scrutiny on all the credit reporting agencies, with increased regulation likely the result.

        By failing to spend on security, Equifax has basically made life in their industry much harder for everyone. Experian and TransUnion should be applying peer pressure for making it much more expensive to do business now, because any law that comes down, any scrutiny that happens, will apply equally to all three of them.

        And financial institutions HATE government oversight. When "too big to fail" banks started having government oversight as required by their bailout packages, they couldn't get rid of it fast enough.

        That's how you're supposed to frame it. Protecting your data? You're not worth that much to them. But ensuring their future is free of government oversight and extra regulation? That's something that does affect them directly and the cost of doing business

        • by Zxern ( 766543 )

          Awww you're so optimistic. Considering the stupidly short attention span of the average American, this will be long forgotten before any kind of law or regulation can even be written let alone brought up for a vote.

      • by Cederic ( 9623 )

        I think it's reasonable to assume that Equifax spend significantly more than that on security professional employees, more than that on security consultants and service providers, substantially more than that on security infrastructure and probably around that much on audit for all of the above.

    • Well said.

      Security will not be historical subject until after serious litigation.

  • Sounds familiar (Score:5, Insightful)

    by smooth wombat ( 796938 ) on Tuesday September 12, 2017 @03:39PM (#55183641) Journal

    I clearly remember the banks and Wall Street firms lobbying Bush and Congress not to implement any new regulations back in 2006. Their words were, more or less, any new regulations would kill their competitive nature on the world market. Trust us, we know what we're doing.

    The following year we know what happened.

    Now here we are again, with a very similar situation. Regulations are evil! Don't kill us with regulations, bro!

    I can guarantee not a single executive at Equifax will go to jail or pay a fine. Further, every excuse imaginable will be given why requiring such breaches to be announced immediately should not be done.

    In a few years, this will happen again and everyone will look around and ask, "How did this happen?"

    • by Tablizer ( 95088 )

      The USA is mostly a bribocracy at the federal level, plain and simple. Both parties are culprits. If you don't kiss up to those who give campaign donations, you get less campaign money and lose elections. It's legalized political prostitution and Americans should be ashamed of such a system.

      • The people who run our economy act like meth freaks with rabies where meth == money and rabies == corporate greed.

        Until there is a general understanding that big business is not a noble pursuit, but a socially sanctioned form of criminal activity, we will continue to suffer this kind of crap. The basic assumption should be that corporations always become corrupt and that the law exists to root out that corruption.

        There must be accountability for organizations and the people in charge of those organization

  • by Rick Schumann ( 4662797 ) on Tuesday September 12, 2017 @03:40PM (#55183649) Journal
    You think maybe Equifax is exemplar of all the other credit reporting agencies? I think they might be. I think there needs to be some corporate nutsacks put on the congressional anvil, with liberal application of the judicial sledgehammer over this, to ALL of them. It's bad enough that jackass businesses like Facebook and Google and ISPs are invading our privacy, but companies like these credit reporting agencies MUST BE ABOVE REPROACH AT ALL TIMES OR THEY ARE WORSE THAN USELESS. It is totally, completely unacceptable that this happened at all and it has to STOP.
    • by Anonymous Coward

      If the govt. will not do it, I just hope they get sued into Chapter 7 liquidation. No more Equifax. It's the only solution that will result in real change.

      • In the mean time, everyone should freeze their credit information at all 4 credit reporting companies (Equifax, Experian, Transunion and Innovis which is more for fraud detection), and when they need to unfreeze their credit information, only unfreeze it at the other companies and never unfreeze it at Equifax. Between lawsuits and being unable to provide credit information to lenders, they'll lose money.
  • by Revek ( 133289 ) on Tuesday September 12, 2017 @03:44PM (#55183673)

    It's normally quite good for the public, though you couldn't convince them of that since they get their swill from big media.

  • by Anonymous Coward

    These clowns want access to our data, with which broad reaching decisions about our lives will be made ... but they want to do it in such a way that they have no responsibilities or liabilities in the event they prove to be incompetent morons. Oh wait, they've just been proven to be incompetent morons.

    Capitalism is inherently broken, because it assumes people aren't lying, greedy bastards; the problem is time and time again we see that isn't true. You can't have capitalism without regulation, because the

    • The credit bureaus are regulated just like a bank. And how do you think they get their data? Your bank sends it to them. And the way the laws and regulations are currently written, it's not YOUR data. It may be data about you, but you do not own it. If you want to change something, change that.
  • by xxxJonBoyxxx ( 565205 ) on Tuesday September 12, 2017 @03:49PM (#55183713)
    Until at least late 2016, there was this hardcoded into their mobile app (http://www.apkmonk.com/app/com.equifax/):

    UtilitiesHandler.java
        static final String masterKey = "EqUiFaX2468";

    Not quite "1...1!...2....2!..." but it's pretty darn close.

    To be fair, I couldn't tell if it's actually ever used in the mobile app. It seems like the kind of intentionally stupid/obvious password-but-not-really-a-password string you'd leave hanging around in a file on the network if you were tuning your DLP. (The full Zip code of the company is 30309-2468 so the "plus 4" is probably where the ending came from.)
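    The kind of find described in the comment above (a credential-looking string constant sitting in shipped app code) is something a defender can catch before release with a simple source scan. The following is an added example, not code from Equifax's app or from this thread: a small scanner that walks Java source, picks out `final String` constants, and flags the ones whose names suggest a secret. The Java snippet it runs on is constructed for the example (the `masterKey` line mirrors what the comment quotes; the package name and every other constant are made up), and the name-hint regex and entropy helper are this example's own choices, not part of any real tool.

```python
import math
import re
from collections import Counter

# Constructed Java source standing in for decompiled app code.
# Only the masterKey line echoes the comment above; everything else is invented.
SAMPLE_JAVA = """\
package com.example.app;  // constructed package name, not the real one

public class UtilitiesHandler {
    private static final String TAG = "UtilitiesHandler";
    static final String masterKey = "EqUiFaX2468";
    private static final String BASE_URL = "https://example.invalid/api";
    private static final String apiToken = "tok_3f9Zq8Lm2Xv7Bn4Ks1Pw";
    private static final String dbPassword = "";
}
"""

# Identifier fragments that usually mean "this constant holds a credential".
# Assumption: this list is the example's own heuristic, not an industry standard.
NAME_HINT = re.compile(r"(?i)(key|secret|pass(word|wd)?|token|credential|auth)")

# One Java string constant per line: final String <name> = "<value>";
STRING_CONST = re.compile(
    r'final\s+String\s+(?P<name>\w+)\s*=\s*"(?P<value>[^"]*)"\s*;'
)


def shannon_entropy(s):
    """Bits per character; higher values suggest random-looking tokens."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(source):
    """Return findings for string constants whose names look like credentials.

    Each finding carries the line number, the identifier, the literal value,
    its entropy, and a short triage note. The scanner cannot tell a real
    credential from a deliberate decoy (the DLP canary the commenter suspects),
    so every hit still needs a human to check where the constant is used.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = STRING_CONST.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if not NAME_HINT.search(name):
            continue  # TAG, BASE_URL and similar are not credential-shaped names
        if value == "":
            note = "empty value: placeholder, or filled in at runtime?"
        elif len(value) < 12:
            note = "short value: weak if real, trivial to brute-force"
        else:
            note = "review where this constant is referenced"
        findings.append({
            "line": lineno,
            "name": name,
            "value": value,
            "entropy": round(shannon_entropy(value), 2),
            "note": note,
        })
    return findings


def format_report(findings):
    """Render findings as one line each for a CI log or code-review comment."""
    return [
        f"line {f['line']}: {f['name']} = {f['value']!r} "
        f"(entropy {f['entropy']}) - {f['note']}"
        for f in findings
    ]


if __name__ == "__main__":
    for row in format_report(find_hardcoded_secrets(SAMPLE_JAVA)):
        print(row)
```

    Run against the constructed file it reports `masterKey`, `apiToken` and `dbPassword` and stays quiet about `TAG` and `BASE_URL`. The point of the triage note is the one the commenter makes: a hit is a question, not a verdict. The follow-up is to grep for references to the constant and decide whether it gates anything, which is exactly what the poster says they could not tell from the decompiled app alone.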
    • by Xyrus ( 755017 )

      It's all a plot. Cause a massive leak and that forces everyone to freeze their credit reports. Charge $60 a pop to lock and unlock them. Bam, instant profit.

  • We should just accept that the more of your information is stored on servers, the higher the risk of it being harvested. Doesn't help that these companies withhold breaches for such a long time before even notifying anyone, including the people affected. I won't take much action now; it's too late to bail out a ship already sinking.

  • Comment removed based on user account deletion
    • They said this data breach took place from May through July. How exactly does one miss terabytes, possibly petabytes of data being transferred to an IP address outside of your network for 3 months? I mean to me this sounds like either the hackers were god like in their ability to hide what they were doing, or the people whose job it was to prevent these things from happening, simply didn't give a shit.

      Hiring people to monitor this stuff costs money, and why punish the shareholders with a cost center? This will all self correct anyhow, amirite?

  • Well duh! (Score:4, Funny)

    by Ol Olsoc ( 1175323 ) on Tuesday September 12, 2017 @05:49PM (#55184697)
    Regulations are bad and regressive! Business always self polices itself better, and the invisible hand of the free market is never wrong, and always self correcting.

    If there were no regulations, this would never have happened, and we would all enjoy perfect internet security.

  • Laying off Credit Bureaus is part of a larger bill in hearings right now to reduce regulations and “make American business competitive”. Check it out.
  • Sorry that this is a bit of a tangential question to the OP...

    I notice that the amount of "lobbying" being reported in the media seems to be on the rise again, perhaps after a bit of a post-2008 lull.

    However, it really isn't clear what is permitted as "legal" lobbying and what is considered "illegal"? Is this in-person requests for meetings to put forward a case? Is this industry-funded "research" offered up as candidate for government policy? Is this the offer of all-expenses-paid "junkets" to take l
    • There should be no lobbying where money changes hands (like Boehner did when handing out checks from the tobacco lobby on the House floor) and all and every lobbying activity has to be publicly announced at least a week before it takes place. Can't have democracy without transparency.
      • by ytene ( 4376651 )
        I think we can agree on that. However, let me give you a different scenario. Suppose you are a Senator or Congressperson and I come to you and say, "Look, there is a small trade association meeting taking place in a couple of months. All in the public eye and nothing behind closed doors. We'd like you to come along given your role on [such and such] committee. We're going to be based at the Florida Disney resort, in the main resort hotel. We're happy to cover the cost of your flights and because this takes
  • They should have spent the $500,000 on system security instead of lobbying. We all would be better off.
  • They'd rather spend half a million dollars on lobbying versus spending it on InfoSec? Talk about perverted priorities.
    • They were quite obviously trying to shut the barn door after the horse bolted. No point spending money on infosec when all the info has already been stolen.
