
Fury as Equifax gets $4.76-per-victim slap on wrist

Richi Jennings, Industry analyst and editor, RJAssociates

Equifax has agreed to a penalty of up to $700 million for 2017’s huge data leak. It was one of the worst security failures ever, affecting 147 million Americans—and millions more in other countries.

But when you think about it, $700 million is a pitiful drop in the ocean, on a per-victim basis: Less than five bucks each, according to CALC.EXE.

How do the execs sleep? In this week’s Security Blogwatch, we do the math.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Faces.


How about jail time?

What’s the craic? Tony Romm reads and remembers—Equifax to pay up to $700 million:

Equifax has agreed to pay as much as $700 million to settle a series of state and federal investigations into a massive 2017 data breach that left more than 147 million Americans’ … sensitive information exposed. … Social Security numbers, credit-card details … names, home addresses and birth dates were left exposed, and in some cases … driver’s license numbers.

Government officials said [they] faulted Equifax for putting more than half of all U.S. adults at risk for identity theft and fraud. … “This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,” said New York Attorney General Letitia James.

Equifax will set aside up to $425 million to reimburse victims … and pay $175 million to the states themselves. … Equifax also has agreed to pay an additional $100 million to settle a federal investigation at the Consumer Financial Protection Bureau.

The Federal Trade Commission, meanwhile, is requiring the company to implement a new security program and submit to 20 years of regular, third-party checkups. … In response, Mark W. Begor, the chief executive of Equifax, touted cybersecurity improvements it made after the breach.

And Shaun Nichols puts words in Equifax’s mouth—can you pleeeeease stop suing us about that mega-hack thing?:

Data-spaffing consumer credit biz Equifax is offering [the cash] to kill off lawsuits regarding its 2017 super-cyber-heist. [It] has yet to be accepted by judges in the cases, though the [FTC], [CFPB], and attorneys general of the 50 states and territories suing Equifax have all signed off on it.

$700m … basically amounts to about four or five bucks per [victim]. … Sen. Ron Wyden (D-OR) [blasted] the proposals … arguing that company execs should have been personally prosecuted: … "Equifax leaders knew its security was pitifully weak and yet did nothing to correct it.

"In a just world, these executives would be going to jail. [It was] a predictable, easily avoidable hack."

So, on the one hand, it was one of the worst security failures ever. On the other hand, Equifax CEO Mark W. Begor minimizes it to a mere Incident:

This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company. … The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data and reflects the seriousness with which we take this matter.

We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.

Yeah, good luck with that. Stacy Cowley points out an Interesting twist:

Affected consumers can be reimbursed, at $25/hr, for the time they spent dealing with it on things like phone calls to banks, credit agencies, etc.

But the credit issuers have your backs, right? Jason Levine shares their experience:

When my identity was stolen and used to open a Capital One card, Capital One didn't notice any red flags (getting my mother's maiden name wrong on the application, immediate change of address to another state, a woman claiming to represent "me" calling asking for a cash advance before card activation, etc). Thanks to a quirk, the ID thieves' rush delivery was processed before the change of address and the card came to me.

They first insisted that my wife likely opened it without telling me. (She was right next to me freaking out.) Then, they admitted that it was fraudulent but refused to give me any information because … "If we tell you the address on the account and you go there and shoot them, we'll be liable."

Capital One instead insisted that all communications be from the police and the police had to use a special line. One that always went to voicemail that was never answered.

The ID thieves were never captured or punished in any way for stealing my identity and opening an account in my name. For all I know, they're still doing it today. Meanwhile, my credit file needs to be frozen for the rest of my life.

The credit companies don't care about fraud. To them, it's a minor write off.

So why can’t we prosecute the C-suite? We can, says eldakka:

There are criminal liabilities for these actions. Negligence, fraud and many other crimes could be seen to have been committed.

However, it is up to … the DoJ, or state AG's, etc., to choose to file and then prosecute criminal charges. The executive has absolute, sole, discretion, and absolute immunity, on whether or not to file criminal charges.

There is nothing anyone can do, legally, to force [them] to do so.

Lock ’em up, as 0laf seems to cry:

I'd be happier with jail time. … It's a huge figure but per individual it's barely a coffee. Even 100x that fine doesn't really add up to a whole heap per individual and it'll probably end up in the pocket of some law firm anyway.

I'd much rather forgo any payout personally and see the executives do some time. That will make my information much more secure for much longer.

If executives think their penny pinching might make them end up as 2 yrs of fresh meat … they might choose to protect my stuff a bit better.

Surely a credit freeze is the best defense? Solandri disagrees:

If the identity thief has as much information as you, they can still get around a freeze. They just call up the credit agency, and claim "you" lost the code to lift the freeze. The agency then asks those stupid "I had a recent mortgage for $xxx,000" questions to confirm your identity.

Unfortunately this is the very information which has often been leaked. And when the thief answers correctly, they lift the freeze thinking that it's you.

Meanwhile, this Anonymous Coward is hilariously sarcastic:

I for one am completely satisfied. [It] reinforces my belief in the fundamental fair and equitable treatment that individuals receive under the legal system … and the sense that the lawyers involved earned every million of the dollars that they were paid to negotiate this most honorable and hurtful of punishments.

Equifax's credit rating will now go up because the uncertainty of this issue is resolved, and that they will be able to get lower interest rates on their corporate car loans and qualify for cheaper mortgages on their facilities.

Please sir, may I have some more porridge, punch in the face, feces smeared on me, whatever.

The moral of the story?

Try to avoid being inept and negligent, okay?


And finally

“My experiments into ‘What constitutes theft?’”


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Tumisi (Pixabay)
