Equifax Scores $13.6 Million Slap on Wrist Over 2017 Mega Breach
The UK's Financial Conduct Authority (FCA) has fined Equifax a smidge over $13.6 million for severe failings that put millions of consumers at risk of financial crime. From a report: The regulator branded the entire debacle "entirely preventable" -- from Equifax's failure to promptly notify regulators to the way in which it misled the public over the severity of a security breach back in 2017. The original fine should have been greater; the true sum was $19,428,836 but the company received a 30 percent discount for agreeing to the penalty early into the proceedings. It also received a 15 percent credit for good behavior during the investigation.
After first opening the investigation in 2017, the FCA's fine comes after the ICO wasted less time imposing a penalty of $609,092 in 2018. "Cybersecurity and data protection are of growing importance to the security and stability of financial services," said Jessica Rusu, FCA chief data, information, and intelligence officer. "Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards."
Cost of doing business (Score:5, Insightful)
... just a line item in the annual accounts. No significant penalty, no change to how they behave.
Zippo for those affected (Score:2)
Re: (Score:1)
Sounds fair to me. Sheesh, what a joke.
They got free "account surveillance for identity theft".
You make it sound like you did not get that. Did you remember to sign up for it when you got the emails about it? If you didn't get an email, did you contact them about it? It was all over the news, if I remember.
For those that actually had their data stolen AND used in an identity theft/fraud crime - yeah, they got nuthin.
At this point I feel like these companies ought to just offer this monitoring for free and be done with it. I think I have three different credit monitoring services I'm getting for free due to various breaches and compromises. And I've had them for years without ever paying for them because it seems like every couple years there's another breach of something where they throw in monitoring for a year. Equifax, T-Mobile more than once, a previous company of mine's employee database, Xfinity breaches more tha
Re: (Score:2)
Yeah but if they give them away for free then when they have a massive data loss they’ll need to come up with a new song and dance to pretend to be sorry. These monitoring services are all a joke anyhow.
Re: (Score:2)
I said I didn't want the surveillance because I already have that from other breaches, so they sent me a check for $5.21. It was supposed to be higher, but apparently they didn't expect so many people to select that option.
Private companies owning public data? (Score:3)
Re:Private companies owning public data? (Score:5, Interesting)
No no no! We certainly don't want the government to have credit data they can just use a leak to their political allies.
The thing is nobody *needs* this data, they just want it because it is a good way to make credit decisions. It's cheaper than managing it or sharing it securely with partners themselves (in the case of big banks and financial) and more inclusive to have a shared third party handle it all.
The fix is to make personal data the toxic product it is. We simply need to make it possible for individuals to recoup losses easily. Make an anti-defamation law that specifically lowers the proof-of-injury requirement for any organization that serves as a data broker. I.e., if you can show that your credit report contained factually incorrect information and that it was utilized by anyone else, such as a lender, in a credit, rate, employment, etc. decision, you should be able to get compensated without having to show the false report impacted the result of that decision.
Similarly, if an organization has records that contain PII beyond name and address, and active payment info, for more than N persons, they should be subject to an escalated schedule of fines in the event of a data breach.
Make holding this data expensive. Equifax will still do it of course, but maybe they will be more careful, to protect their bottom line. Additionally they will probably have to charge more, which might have the effect of reducing cases where credit information is used as a proxy for other things like "is this person a good hire".
Re: (Score:2)
Better yet, leaks of identity-theft level data should be punishable by a simple fine. [slashdot.org]
$100/head feels about right to me,
Re: (Score:2)
No no no! We certainly don't want the government to have credit data they can just use a leak to their political allies.
What are you talking about? They already have access!
On top of that, on most of these data broking platforms they carve out special exemptions so that various individuals affiliated with the government get special care with the way their data is handled, and also that the government still gets access to data that would normally be hidden from normal skiptracers, banks, etc.
Re: (Score:2)
This breach should have been the straw to break the camel's back with a private company owning public data. Government should be the gatekeepers of the info and only provide access to these scummy companies based on specific requirements. Until that happens, companies will keep having big security breaches.
No, no, it's all by design. Punishment is proportional to the damage: little guys lost little, so the corp is punished a little. Once, on the other hand, a little guy shares a movie, the potential losses for the corp are immense (nobody bothers to actually check the decrease in earnings); it's just assessed how many people were potentially able to download it, multiplied by the cost. The workers have to be kept on the verge of financial independence, otherwise they might do something unthinkable, like e.g. aski
Per capita? (Score:4, Insightful)
Is that even a dollar a person? 50 cents? Less?
Yep, I'm sure they learned their lesson.
Re: (Score:2)
Is that even a dollar a person? 50 cents? Less?
Yep, I'm sure they learned their lesson.
140 million Social Security numbers leaked, as I recall. So, closer to $0.10 apiece. That’ll teach them.
That is the reason why things are going downhill (Score:4, Insightful)
Shoddy work, praying to the quick buck, doing things cheaper than possible ... and no consequences to speak of. That cannot work and will not work.
oversight (Score:3)
Companies should not be fined like this. They should have to pay for 10 years of technical oversight by a specialist security company and publish weekly reports openly, independently audited, on the state of their security, under threat of dissolution. And while they are at it, they should convince a judge monthly that they are in compliance and that their business is a boon to mankind.
They should be made to pay whatever is necessary to maintain the scrutiny and the highest current standards of security.
Don't bring me another $0.50 check regarding a class action; bring me an improved system.
Corporate Death Penalty (Score:4, Insightful)
Learn? They already knew. Their data security was actually the topic of internal jokes. Somehow they passed all their industry and regulatory audits. Knowing all this, they still promoted a nontechnical auditing and compliance pencil pusher with a master's in music to a CISO position. Instead of treating it like a big deal, they used it as a grooming position for up-and-coming C-suite.
So in that kind of culture, where are you ever going to get learning or improvement? They already know, don't care,
Equifax had a problem long before (Score:2)
Such BS. As bad as Europe. (Score:2)