Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Equifax Scores $13.6 Million Slap on Wrist Over 2017 Mega Breach 25

The UK's Financial Conduct Authority (FCA) has fined Equifax a smidge over $13.6 million for severe failings that put millions of consumers at risk of financial crime. From a report: The regulator branded the entire debacle "entirely preventable" -- from Equifax's failure to promptly notify regulators to the way in which it misled the public over the severity of a security breach back in 2017. The original fine should have been greater; the true sum was $19,428,836 but the company received a 30 percent discount for agreeing to the penalty early into the proceedings. It also received a 15 percent credit for good behavior during the investigation.

After first opening the investigation in 2017, the FCA's fine comes after the ICO wasted less time imposing a penalty of $609,092 in 2018. "Cybersecurity and data protection are of growing importance to the security and stability of financial services," said Jessica Rusu, FCA chief data, information, and intelligence officer. "Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards."
This discussion has been archived. No new comments can be posted.

Equifax Scores $13.6 Million Slap on Wrist Over 2017 Mega Breach

Comments Filter:
  • by nicolaiplum ( 169077 ) on Friday October 13, 2023 @11:05AM (#63922889)

    ... just a line item in the annual accounts. No significant penalty, no change to how they behave.

    • by jmccue ( 834797 )
      True, I hope many Congress, Lawyers and Judges Families get burned by this. Seems that is the only way Companies will be forced to be responsible.
  • Sounds fair to me. Sheesh, what a joke.
    • Sounds fair to me. Sheesh, what a joke.

      They got free "account surveillance for identity theft".

      You make it sound like you did not get that. Did you remember to sign up for it when you got the emails about it? If you didn't get an email, did you contact them about it? It was all over the news, if I remember.

      For those that actually had their data stolen AND used in an identity theft/fraud crime - yeah, they got nuthin.

      • I did sign up for account surveillance and no malicious activity yet. I assume my data and most everyone else's is still "out there". So maybe we are all still going to be victims of identity theft/fraud crime. I'll try to be more patient.
      • by Scoth ( 879800 )

        At this point I feel like these companies ought to just offer this monitoring for free and be done with it. I think I have three different credit monitoring services I'm getting for free due to various breaches and compromises. And I've had them for years without ever paying for them because it seems like every couple years there's another breach of something where they throw in monitoring for a year. Equifax, T-Mobile more than once, a previous company of mine's employee database, Xfinity breaches more tha

        • Yeah but if they give them away for free then when they have a massive data loss they’ll need to come up with a new song and dance to pretend to be sorry. These monitoring services are all a joke anyhow.

      • by Ksevio ( 865461 )

        I said I didn't want the surveillance because I already have that from other breaches so they sent me a check for $5.21. It was suppose to be higher, but apparently they didn't expect so many people to select that option

  • by klipclop ( 6724090 ) on Friday October 13, 2023 @11:53AM (#63922973)
    This breach should have been the straw to break the camels back with a private company owning public data. Government should be the gate keepers of the info and only provide access to these scummy companies based on specific requirements. Until that happens, companies will keep having big security breaches.
    • by DarkOx ( 621550 ) on Friday October 13, 2023 @12:33PM (#63923073) Journal

      No no no! We certainly don't want the government to have credit data they can just use a leak to their political allies.

      The thing is nobody *needs* this data, they just want it because it is a good way to make credit decisions. Its cheaper than managing it or sharing it securely with partners themselves (in the case of big banks and financial) and more inclusive to have a shared third party handle it all.

      The fix is to make personal data the toxic product it is. We simply need to make it possible for individuals to recoup losses easily. Make a anti-defamation law that specifically lowers the proof of injury requirement for any organization that servers as a data broker. Ie if you can show that your credit report contained factually incorrect information and that it was utilized by anyone else such as a lender in a credit, rate, employment, etc decision - you should be able to get compensated without having to show the false report impacted the result of that decision.

      Similarly if an organization has records that contain PII, beyond Name, and address, and active payment info for more than N persons they should be subject to an escalated schedule of fines in the event of a data breach.

      Make holding this data expensive, Equifax will still do it of course, but maybe they will be more careful, to protect their bottom line. Additionally they will probably have to charge more - which might have the effect of reducing cases where credit information is used as a proxy for other things like, is this person a good hire..

      • Better yet, leaks of identity-theft level data should be punishable by a simple fine. [slashdot.org]

        $100/head feels about right to me,

      • No no no! We certainly don't want the government to have credit data they can just use a leak to their political allies.

        What are you talking about they already have access!

        On top of that on most of these data broking platforms they carve out special exemptions that various individuals affiliated with the government get special care with way their data is handled and also that the government still gets access to data that would normally be hidden from normal skiptracers, banks, etc.

    • This breach should have been the straw to break the camels back with a private company owning public data. Government should be the gate keepers of the info and only provide access to these scummy companies based on specific requirements. Until that happens, companies will keep having big security breaches.

      No, no, it's all by design - punishment is proportional to the damage - little guys lost little, so the corp is punished a little, once on the other hand a little guy shares a movie, the potential losses for the corp are immense (nobody bothers to actually check the decrease in earnings), it's just assessed how many people were potentially able to download it multiplied by the cost. The workers have to be kept on a verge of financial independence otherwise they might do something unthinkable, like e.g. aski

  • Per capita? (Score:4, Insightful)

    by LatencyKills ( 1213908 ) on Friday October 13, 2023 @11:55AM (#63922981)

    Is that even a dollar a person? 50 cents? Less?
    Yep, I'm sure they learned their lesson.

    • Is that even a dollar a person? 50 cents? Less?
      Yep, I'm sure they learned their lesson.

      140 million Social Security numbers leaked, as I recall. So, closer to $0.10 apiece. That’ll teach them.

  • by gweihir ( 88907 ) on Friday October 13, 2023 @12:07PM (#63923007)

    Shoddy work, praying to the quick buck, doing things cheaper than possible ... and no consequences to speak off. That cannot work and will not work.

  • by bugs2squash ( 1132591 ) on Friday October 13, 2023 @12:07PM (#63923011)

    Companies should not be fined like this, they should have to pay for 10 years of technical oversight by a specialist security company and publish weekly reports openly that are independently audited on the state of their security under thread of dissolution. And while they are at it, they should convince a judge monthly that they are in compliance and that their business is a boon to mankind

    They should be made to pay whatever is necessary to maintain the scrutiny and highest current standards of security

    Don't bring me another $0.50 check regarding a class action, bring me an improved system

    • I just wanted to share this just incase anyone is in a situation where they don’t trust their partners anymore. There is no harm in wanting to know what your second half is into, it saves you from wasting more years of your life with people who do not deserve you. I will leave the hacker’s contacts below just incase anyone needs his services and assistance. Just a mail to spyhackelite @gmail com.
  • by AnthonyCastanza ( 2881747 ) on Friday October 13, 2023 @12:16PM (#63923037)
    The penalty for these kinds of egregious violations of their legal responsibilities should be nothing less than complete liquidation of the company with all proceeds going to those affected by their negligence, and a permanent ban from holding executive positions for all C-suite level execs and members of the board. Without those kinds of harsh penalties, this kind of crap will just keep happening.
    • At the very least, Americans should be provided the ability to require Equifax to purge all existing data they have about you and ban them from collecting any of your data in the future. There are multiple credit bureaus, so if a creditor wants to see my creditworthiness, they can check the other ones. That is, of course, until they suffer their own data breaches and then we're back to where we started.
      • There has to be a mechanism to learn and improve. I don't want the industry dominated by 1 year old companies that are as bad or worse but just haven't failed yet.
        • Learn? They already knew. Their data security was actually the topic of internal jokes. Somehow they passed all their industry and regulatory audits. Knowing all this they still promoted a nontechnical auditing and compliance pencil pusher with a masters in music to a CISO position. Instead of treating it like a big deal they used it as a grooming position for up and coming C-suite.

          So in that kind of culture where are you ever going to get learning or improvement? They already know, don’t care,

  • word of the breach came out. I registered my email as "equifax@(mydomain).com" along with experian@(mydomain).com and transunion@(mydomain).com. I started getting spam email to the Equifax address two years before the breach became public. I still have the emails. When I sent a note to their security department, they responded saying they hadn't sent it. Uhh... I know. So I sent another note to my state's attorney general and cc'ed Equifax. No response on any corner. Probably should have taken it f
  • Europe has nailed American tech companies with massive fines, while hitting their own with fraction of these. We nailed VW with similar massive fines, but hit our own with minor ones. This fine is less than the money they saved by cutting corners. This fine should have been over a billion at least. As long as these companies have fines smaller than what the issue saved, these companies will continue to cheat/cut corners.

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Working...