Equifax to pay $575M for data breach, promises to protect data next time

balazer

Ars Praetorian
480
Subscriptor
Equifax can die in a fire. Whenever I need to apply for credit for something like a car or a house, if the lender uses Equifax and gives me no other bureau options for checking my credit, I will take my business elsewhere. They failed at, one could argue, their most important job. This should have been an extinction level event for this company.
It's a nice sentiment, but you can't realistically avoid Equifax if you want a mortgage. Nearly all mortgage lenders use all three credit bureaus.

If you want to deny Equifax business based on your information, you can permanently opt yourself out of pre-approved credit offers. That prevents them from selling your information to marketers.

Of course you should also freeze your credit report whenever you're not seeking credit.

You can try to shop around to avoid companies that use Equifax, but that will only work in certain situations where you actually have a choice.
 
Upvote
1 (1 / 0)

Daily Revolution

Smack-Fu Master, in training
96
It's still not enough for a company with a market cap in excess of $16B. For a crime of this scope, there must be more pain in the punishment, or corporations will continue to screw the public.

That's an order of magnitude more than I expected, but that's more a reflection of my cynicism re: regulatory fines than an informed opinion on the 'correct' amount for said fines.
 
Upvote
0 (0 / 0)

lewax00

Ars Legatus Legionis
17,402
^^ My score changed from 800+ to 750 and I literally didn't do anything to precipitate that. No new credit, everything paid on time. The verbose credit report is accurate. There is nothing unusual going on. But the score went down....
There are parts of that score that are somewhat out of your control - for example, if you pay off an account, it stays on your report and is a factor in your score, but after some number of years it falls off, and something like that could negatively impact your score (by affecting how many accounts you have, average account age, etc.).

Also, check that it's the same scoring method, there are multiple and they get updated over time (e.g. FICO 8 vs FICO 9).
 
Upvote
0 (0 / 0)

godel

Ars Scholae Palatinae
804
Subscriptor
According to this report, Equifax's revenue for Q1 2017 was $832.2 million. So the fine is equal to a little over two months of revenue.

It's stupid relating fines to revenue in the first place. What matters is how the fines relate as a percentage of annual profit.

Remember that old joke, "We're making a loss on every sale but we'll make it up in volume."
 
Upvote
1 (1 / 0)

siliconaddict

Ars Legatus Legionis
13,120
Subscriptor++

Just to give you guys some perspective to go back even further than the article.

Revenue for the twelve months ending March 31, 2019 was $3.393B
-Revenue for 2018 was $3.412B
-Revenue for 2017 was $3.362B
Equifax annual Revenue for 2016 was $3.145B


So at minimum every year they are making 3 BILLION.

This would be like fining me $15 for going 40MPH over the speed limit. Who gives a shit. I'll do it again as there are no practical consequences. And Equifax has a captive audience. The big 3 aren't going anywhere so boo hoo.

This company should have lost a solid 1/3 to 1/2 of its yearly revenue. These audits should have monetary penalties attached to them as well. (Didn't see any mention of that.) Something like $250 million for each quarter you don't pass the audits. This needs to be felt. The vast majority of Americans have been fucked by this. And no credit monitoring BS is going to fix it as a SSN out in the wild allows massive damage. At this point in time Equifax should be assisting every American to help put a freeze on everyone's credit report and helping promote getting off this obsession of using SSNs to authenticate people.
IMHO the fines being collected should be used to push banking security reform.
 
Upvote
4 (5 / -1)

Fatesrider

Ars Legatus Legionis
25,492
Subscriptor
"We want to make sure we don't bankrupt the company or have them go out of business," said Maneesha Mithal, a data and privacy subject matter expert with the FTC. "We want to make sure they have the funds and resources to protect consumers going forward."
If Equifax went bankrupt, nothing of any value would be lost. Just liquidate the company's assets, give them to the other two credit agencies with the warning that if they don't safeguard their data, the same will happen to them.

Then as breaches continue to happen to credit agencies, they'll all be put out of business, and again, nothing of any value will be lost.
Look at you with your lawful world view, and placing people's interests ahead of the corporations.

Cute, isn't it.

I'm at the point where there needs to be ongoing evaluations of companies for the "too big to fail" threshold. If they breach it, break them up, no ifs, ands, or buts. Shareholders lose nothing. Growth happens faster with smaller companies, and with less collateral damage.
The cocksuckers who run these conglomerates capturing our regulatory and political process, and remaining above the law, would probably think you are sooo cuuute <pinches cheek> unironically. They think they are doing good work.


To be fair, it's their job.

The ones fucking it up are the boards of directors not holding these CEOs accountable for responsible behavior.
Personally, I'd prefer it if all of the C-level folks were held personally responsible for the bad things that happen to their companies. If it could have been prevented, and wasn't because "profits", then make the decision-makers personally responsible for the penalty. If they did their due diligence, but still got nailed (hey, that can happen), then let the company take the hit.

Considering the apparent greed of these folks, this would amount to enlightened self interest. The carrot is that they get to keep their things if they follow the best practices rules (which shouldn't be made up by the corporation, but by experts who are motivated to make the best decisions in what they are), and an enormous stick that takes away everything in their lives that money bought them, and leaves them with little more than an old suit from Goodwill and enough bus fare to get to the gates of hell.

That's the kind of profit/loss benefit calculus that shouldn't be too hard to figure out.
 
Upvote
1 (1 / 0)

AegisKleais

Wise, Aged Ars Veteran
185
killerhurtalot (https://meincmagazine.com/civis/viewtopic.php?p=37688267#p37688267) said:
Credit monitoring services are absolutely useless.

At best they kind of warn you about random shit, at worst they run a lot of checks and lower your credit score.

$575M fine affecting 144M users. Approximately $4/person. Of which, consumers get $0, and after 1 year of monitoring, are left to fend for themselves.

You can't really call any semblance of this "Consumer Protection".
 
Upvote
0 (0 / 0)
At least $300 million goes into a fund to pay for credit monitoring services for "affected customers

So this may be a dumb question, but I also thought the credit monitoring service was offered by the same credit score companies such as Equifax, so what exactly does this fund mean? Do customers get free credit monitoring if they ask?

Sounds like Equifax is about to line their pockets with $300 million, while providing a worthless credit monitoring service.
 
Upvote
0 (0 / 0)

Oz7

Ars Tribunus Militum
1,571
Facebook is fined $5B for using data that we gave them.
Equifax is fined $575M for data that nobody said they could have.

Something is bad at the FTC and probably with US privacy laws.

Any companies screwing up this badly need to be liquidated, since they cannot serve jail time.

It's called regulatory capture- or more blatantly, corruption of government. It's more flagrant with the current admin, but unfortunately, the same shenanigans happen when the establishment Dems are in charge (cf 2008 crash); they're just quieter about it.

There might be some hope if Warren et al get elected- but don't hold your breath when it comes to the Obama/Biden/Clinton/Pelosi wing of the party.
 
Upvote
1 (2 / -1)
What legal requirement do we have to proactively play defense this system? If I don't plan on going any deeper into debt, and I decide not to monitor anything, and a bunch of fraudulent credit cards are opened in my name... what happens to me? Like, obviously they can give me a very low credit score, but if I wasn't planning on using my credit score, it seems like they are just playing with themselves. What am I missing?
You never get any job interviews and nobody will rent you an apartment. Other than that, no problemo.

You forgot car insurance, home/renters insurance, buying a new car (I've seen used car lots that still want to run a credit check even if you're paying cash), getting a cell phone, pretty much anything.

I also think this is entirely wrong, but that's just how the US works. The current mentality is "Good Credit = trustworthy person"

The employer stuff depends on your state, it is banned in:

California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, and Washington (also Washington DC).

Insurance and rental would be an issue I guess.

Why would they run a credit check if you are paying up front for the car? Of course, I wouldn't expect to be able to get a car loan with no credit. But taking out a loan for a depreciating asset seems pretty silly...
 
Upvote
-2 (0 / -2)
What legal requirement do we have to proactively play defense this system? If I don't plan on going any deeper into debt, and I decide not to monitor anything, and a bunch of fraudulent credit cards are opened in my name... what happens to me? Like, obviously they can give me a very low credit score, but if I wasn't planning on using my credit score, it seems like they are just playing with themselves. What am I missing?
You never get any job interviews and nobody will rent you an apartment. Other than that, no problemo.

You forgot car insurance, home/renters insurance, buying a new car (I've seen used car lots that still want to run a credit check even if you're paying cash), getting a cell phone, pretty much anything.

I also think this is entirely wrong, but that's just how the US works. The current mentality is "Good Credit = trustworthy person"

The employer stuff depends on your state, it is banned in:

California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, and Washington (also Washington DC).

Insurance and rental would be an issue I guess.

Why would they run a credit check if you are paying up front for the car? Of course, I wouldn't expect to be able to get a car loan with no credit. But taking out a loan for a depreciating asset seems pretty silly...

The excuse I was given was "So we can know if your check will bounce". I went and bought a car from a private seller. Nonsense avoided.

Side note: I really miss the 92 Camaro that I had purchased that day :(
 
Upvote
0 (0 / 0)

mjeffer

Ars Praefectus
3,575
Subscriptor++
Equifax will pay another $175 million in fines to be split up among the 50 attorneys general who filed suit, representing 48 states, Washington DC, and Puerto Rico, and $100 million in penalties to the Consumer Financial Protection Bureau.

Which two states decided against filing suit?

Not sure if someone has answered this yet. But in another article they were identified as MA and IN and they're suing Equifax on their own. They just decided against joining with the other states.
 
Upvote
1 (1 / 0)

RoninX

Ars Praefectus
3,248
Subscriptor
"We want to make sure we don't bankrupt the company or have them go out of business," said Maneesha Mithal, a data and privacy subject matter expert with the FTC. "We want to make sure they have the funds and resources to protect consumers going forward."

Given that Transunion and Experian exist and seem at least marginally more competent than Equifax, I don't see what would be lost by letting Equifax go bankrupt.

At minimum it would remind shareholders that they have a financial incentive to make sure the companies they invest in aren't run by idiots.
 
Upvote
0 (0 / 0)
Given the scope of what happened, they should have been the corporate death penalty but I'd take it one step further, there needs to be a top to bottom rethink of how credit ratings are generated in the United States. I had a friend from the US come over to New Zealand and was amazed that you don't need to keep multiple credit cards open and juggling balances to keep a good score - everyone starts off at the same starting point and you build up a good reputation by paying bills on time, keeping one's bank account in good standing etc.
 
Upvote
2 (2 / 0)
^^ My score changed from 800+ to 750 and I literally didn't do anything to precipitate that. No new credit, everything paid on time. The verbose credit report is accurate. There is nothing unusual going on. But the score went down....

My guess...you're a credit risk now that your identity has been compromised.
 
Upvote
2 (2 / 0)

Dzov

Ars Legatus Legionis
16,095
Subscriptor++
^^ My score changed from 800+ to 750 and I literally didn't do anything to precipitate that. No new credit, everything paid on time. The verbose credit report is accurate. There is nothing unusual going on. But the score went down....

My guess...you're a credit risk now that your identity has been compromised.
Wouldn't that be hilarious. They should just treat everyone in America as a credit risk now.
 
Upvote
1 (1 / 0)

graylshaped

Ars Legatus Legionis
68,901
Subscriptor++
https://meincmagazine.com/civis/viewtopic.php?p=37688611#p37688611 said:
Cute, isn't it.

I'm at the point where there needs to be ongoing evaluations of companies for the "too big to fail" threshold. If they breach it, break them up, no ifs, ands, or buts. Shareholders lose nothing. Growth happens faster with smaller companies, and with less collateral damage.
The cocksuckers who run these conglomerates capturing our regulatory and political process, and remaining above the law, would probably think you are sooo cuuute <pinches cheek> unironically. They think they are doing good work.


To be fair, it's their job.

The ones fucking it up are the boards of directors not holding these CEOs accountable for responsible behavior.
Personally, I'd prefer it if all of the C-level folks were held personally responsible for the bad things that happen to their companies. If it could have been prevented, and wasn't because "profits", then make the decision-makers personally responsible for the penalty. If they did their due diligence, but still got nailed (hey, that can happen), then let the company take the hit.

Considering the apparent greed of these folks, this would amount to enlightened self interest. The carrot is that they get to keep their things if they follow the best practices rules (which shouldn't be made up by the corporation, but by experts who are motivated to make the best decisions in what they are), and an enormous stick that takes away everything in their lives that money bought them, and leaves them with little more than an old suit from Goodwill and enough bus fare to get to the gates of hell.

That's the kind of profit/loss benefit calculus that shouldn't be too hard to figure out.

It is worth noting the CEO has turned over at least twice since Smith left (with his $90 million retirement package), following the breach. I'm all for accountability and would prefer not to see steps taken to "save" bad acting companies like this, but indiscriminate calls for random heads on spikes are misplaced.
 
Upvote
0 (0 / 0)
Not a single mention of the real cause of the breach. Yes an unpatched flaw is what allowed it to happen, but the individual that was the CSO at the time had exactly ZERO experience in the security field.

Her LinkedIn profile and resume, at the time, had no security-related experience, qualifications or job history.

Having said all that, it still wasn't her fault. You don't know what you don't know, but the powers that be that offered her the position should have known better, and now they are paying the price. It's not steep enough though.
 
Upvote
1 (1 / 0)
https://meincmagazine.com/civis/viewtopic.php?p=37688611#p37688611 said:
Cute, isn't it.

I'm at the point where there needs to be ongoing evaluations of companies for the "too big to fail" threshold. If they breach it, break them up, no ifs, ands, or buts. Shareholders lose nothing. Growth happens faster with smaller companies, and with less collateral damage.
The cocksuckers who run these conglomerates capturing our regulatory and political process, and remaining above the law, would probably think you are sooo cuuute <pinches cheek> unironically. They think they are doing good work.


To be fair, it's their job.

The ones fucking it up are the boards of directors not holding these CEOs accountable for responsible behavior.
Personally, I'd prefer it if all of the C-level folks were held personally responsible for the bad things that happen to their companies. If it could have been prevented, and wasn't because "profits", then make the decision-makers personally responsible for the penalty. If they did their due diligence, but still got nailed (hey, that can happen), then let the company take the hit.

Considering the apparent greed of these folks, this would amount to enlightened self interest. The carrot is that they get to keep their things if they follow the best practices rules (which shouldn't be made up by the corporation, but by experts who are motivated to make the best decisions in what they are), and an enormous stick that takes away everything in their lives that money bought them, and leaves them with little more than an old suit from Goodwill and enough bus fare to get to the gates of hell.

That's the kind of profit/loss benefit calculus that shouldn't be too hard to figure out.

It is worth noting the CEO has turned over at least twice since Smith left (with his $90 million retirement package), following the breach. I'm all for accountability and would prefer not to see steps taken to "save" bad acting companies like this, but indiscriminate calls for random heads on spikes are misplaced.

Respectfully disagree. Investigate everyone at the C- and P/VP-level, REGARDLESS of title. If they didn't have anything to do with the past events, they walk away, free and clear. If they DID, some time in Club Fed would do nicely. And criminal investigations don't care if they aren't NOW associated with the company at fault, so long as the statute of limitations hasn't kicked in, you're on the hook, and this whole mess happened recently enough that statute of limitations isn't a concern. Investigate them ALL, anyone who truly didn't have anything to do with this fiasco will find another job, anyone who did gets to face down 144 million different charges of criminal negligence, and Equifax becomes no more.
 
Upvote
0 (0 / 0)

Git-stompa

Ars Scholae Palatinae
835
Isn’t it possible that with the information collected someone could fraudulently acquire more than 575 million by significant magnitudes?

I feel like there isn’t justice here not just for the people who could be disrupted by identity theft but for society as a whole - considering how much we may spend in tax revenue on combating or prosecuting would-be identity thieves until the impacted people die.
 
Upvote
0 (0 / 0)

Tribune_of_the_Plebs

Smack-Fu Master, in training
59
Equifax can die in a fire. Whenever I need to apply for credit for something like a car or a house, if the lender uses Equifax and gives me no other bureau options for checking my credit, I will take my business elsewhere. They failed at, one could argue, their most important job. This should have been an extinction level event for this company.

We froze our Equifax files in October 2017 and told all our correspondent accounts to use TransUnion or Experian instead. (We were prepared for them to go pound sand instead. But under the circumstances, everyone was happy to agree that this was a prudent and reasonable request).

At the time, we took a small degree of satisfaction in knowing that, isolated and atomized involuntary 'consumers' though we are, we'd done our minuscule part to limit Equifax's future negligence .. and their profits.

Today, we're even happier to have saved the receipts from the freeze.
 
Upvote
0 (0 / 0)