Great news if you're a...
... Mercedes dealer.
Less than 24 hours after credit monitors Equifax revealed it had lost the personal data of more than 130 million Americans, two class action suits have been filed. The suits, separately filed in the Portland, Oregon and North Georgia US District Courts, accuse the credit reporting company of negligence and violations of the US …
Sorry, but you're going to see a judge quash that. But that's another story. Judges have started to push back on class actions which only enrich the lawyers but do nothing for the harmed party.
I suspect at the end of this, Equifax will start to freeze customer's credit reports and only releases them when supplied with a 4 digit pin or some two factor authentication.
The larger issue issue is that there has to be an audit of their entire IT operations. The problem with most of these financial companies is that they choose the lowest cost provider and have off shored their IT operations.
Mistakes happen, sure, however, when dealing with PII and PCI compliance and other regs, extra care has to happen and security has to be high on the list.
One can only hope that Business Schools start teaching their MBA students that offshoring is not a good idea. In the IT industry, not all CS programs are the same. Assuming that the developer or Ops guy has any IT related degree in the first place.
Posted Anon because I'm not PC.
"The problem with most of these financial companies is that they choose the lowest cost provider and have off shored their IT operations."
No, the problem with these companies is that their primary business is making consumers' private financial data accessible to anyone who wants it.
So when a hacker stumbles into their system, the data packages are already nicely gift wrapped for them.
The laws are going to have to change so that only the consumer can approve a release of information, and only ever on an individual basis, never as part of a large, amorphous class of consumers.
Even in "contract is king" USA, those T&Cs have to be illegal, ie an "unfair contract" since you can only check if you are affected by agreeing not to sue if you are affected. Here in the UK (and probably most of the EU), any attempt to defend those T&Cs would be laughed out of court because your only choice is to do nothing and possibly be a crime victim, or accept the onerous terms. That's pretty much the textbook definition of an unfair contract. Especially since a lot of the people affected are not actually customers.
I've personally had no dealings whatsoever with Equifax, but that doesn't mean that they don't have PII records of me and my right to sue trumps their right to not tell me if they lost data related to me with onerous conditions.
You can do the following:
1) Pay $10 per credit bureau and 'freeze' your credit reporting. (Meaning no one can pull a credit report without your approval)
2) Join the class action.
There are a couple of ways they can easily improve security. It may mean removing a source of revenue.
The PCI compliance rules need to be updated. However depending on how the systems were breached, the company could have already been out of compliance.
"1) Pay $10 per credit bureau and 'freeze' your credit reporting. (Meaning no one can pull a credit report without your approval)"
This is done on a per agency basis. So you'll need to lock Equifax, Experian and TransUnion records individually. But then never unlock your Equifax account. If a bank or lender wants your credit info, tell them to use one of the other two. Or take your business elsewhere.
Have to add some gratuitous commentary here altho the facts of the matter are clear to any rational being.
Of course they aren't obvious to any legal parasites making $$$$s on the backs of real people.
Of course these parasites aren't reading these comments except to figure out how to suck more money out of the non-corporatists.
Sucks being a lawyer.
I think a number in the low 300s would be sufficient. (Just ask anyone with a 500 score how hard it is to get credit. Hint: next to impossible.)
A lifetime limited to _one_ "secured" credit card with a $250 limit. A checking account (you lot call it a current account) with a balance of $437.73 with $20 per month in fees. And a 1986 Ford Fiesta with 300K miles on it that burns oil and needs a clutch.
I presume you lot on your side of the pond are familiar with what a secured credit card is.
"I presume you lot on your side of the pond are familiar with what a secured credit card is."
Nope but I would guess that you have to lodge the equivalent of the credit limit beforehand or something similar.
Please don't knock the Mk 1 Fester - my first car. To be honest I doubt it is possible to get 300k miles on one. Mine fell to pieces way before that. The second engine blew two cylinders eventually and there were too many rust holes to count. They don't last long on the A38 racetrack between Plymouth and Exeter 8)
"To be honest I doubt it is possible to get 300k miles on one."
This may be apocryphal but I was once told by someone who supplied Ford that the gearbox on those cars was only rated for 75000 miles, which still meant it would wear out after the engine.
What is it about the 21st century that means that cars have previously unheard of reliability, safety and mpg while anything involving Big Data turns to shit? It couldn't be anything to do with commercial pressure and effective regulation, could it?
What is it about the 21st century that means that cars have previously unheard of reliability, safety and mpg
Computer aided design, mainly. If you think about a 1996 Fizzy, it was essentially much the same as the original 1976 Fiesta with a few trim and drivetrain changes. Development of the Mk 1 Fiesta started in 1972. So although Ford would have had some access to mainframe computing, its actual application to any detail would be minimal, experience of CAD would be non-existent. So everything was engineered by guesswork, fag packet and a slide rule if you were lucky.
Now take any modern car, and chances are that there's no important components more than eight years old, so in addition to much tighter regulatory standards, every aspect will have been developed on digital systems. Along with much more advanced automated production methods, this means cars are far better optimised in the design stage, the whole vehicle can be computer tested before it has even been prototyped, and the actual production is better and more consistently built to much higher tolerances. Optimisation goes right down to levels of R&D and testing like the flow and combustion of fuel in the cylinder. Back in the days of the Mk 1 Fizzy, it was a case of letting the engine suck a rough mix of fuel and air through a carburettor (remember them? What a piece of sh1t technology), hoping that the mechanical distributor caused the spark plug to fire at roughly the right time, and that would do.
"To be honest I doubt it is possible to get 300k miles on one."
Not sure about the Mk1 but certainly the 3 and 4 it's tricky to tell just how far it's gone without a study of the MOT history since the odometer only goes to 99999 then resets back to 0. I don't think Ford expected people to be driving 300K miles.
First, you can't just make up a credit rating.
These individuals will be charged with violating trading laws by the SEC. Its a no brainer. What happens next would be interesting.
The issue though is why they sold and how much of their shares they sold.
If they can provide legitimate reasons for the sale... they won't be charged or be found guilty.
If they can't... boom. They will be forced to pay a fine that will exceed the proceeds, pay their legal costs which may initially be paid for by the company, and could face jail time, and lose the ability to be a corporate officer of a publicly traded company. It all depends on the dollar amount and the severity of the situation.
To give you an example... a sale could have been done as part of diversification, meaning their broker may have found a good deal and he or she sold to move in to the deal. It could have been done to pay off debts, or to get money ready for college tuition or something... we don't know.
The other problem... Rule FD.
They could argue that the minute they went 'public' aka notified the authorities... they were allowed to sell.
(IANAL so I don't know if that argument would hold up in court. )
Since they seem to want to outdo Crap-ita and Con-cast/Scum-cast in the corporate incompetence Olympics.
Please feel free to vote or suggest alternatives!
(BTW, The Telegraph is reporting that Equifax holds credit/ID info on 44 million Britons. Ugh.)
by me and by many others commenting herein, this crap will continue unabated until executives start going to jail for it. Maybe the CEO but most certainly the CIO and probably a few others. Until specific people within <breached corporation du jour> are held personally and legally accountable, this will continue to happen.
No, jail isn't at all appropriate. Garnishing their personal income and assets to cover the costs of the 130+ million impacted people will incur would be a good start. I'm sure we can find an old Ford Pinto for them to drive to work once the Jaguar has been sold.
While jail is appropriate for truly criminal conduct, if it is used for simple negligence then CEOs will spend all their time butt covering and consult their personal lawyer before any decision.
Making them pay out settlements is more appropriate. Take all the money they've made from their job beyond the 90% percentile of all the company's employees - hypothetically they might have to give back every penny they made over $190K or thereabouts. They wouldn't be left destitute, but they'd think twice about a scheme to cut corners and make the quarterly numbers so they earn their bonus if it meant they might have to give back all the millions they made over the last decade since they took the job.
"While jail is appropriate for truly criminal conduct, if it is used for simple negligence then CEOs will spend all their time butt covering and consult their personal lawyer before any decision."
The law has a concept of criminal negligence for situations where simple negligence is an inadequate description of conduct.
What sort of subhuman f****** c*** comes up with those T & C's in a situation like this?
Aside, from jail time and asset confiscation for the data leak, they should suffer further punishment (having their privates steamed daily, maybe) for the T & C's malarkey. Talk of kicking people when they're down.
Interestingly, if you read the whole of the TrustedID agreement, there is this paragraph tucked away at the bottom:
If, however, the class action waiver provisions in the “Arbitration” section are found to be illegal or unenforceable, then the entire arbitration provision in the “Arbitration” section will be unenforceable, and any Claims (as defined in the “Arbitration” section) will instead be decided by a court.
and any Claims (as defined in the “Arbitration” section) will instead be decided by a court.
Translation: "we've got deeper pockets than you, so if we can't have arbitration on our utterly one-sided terms, then you can all fuck off and try and sue us"
Equifax: What a bunch of utter arsewipes.
The UK Government's identity assurance scheme, GOV.UK Verify (RIP), has contracts with seven "identity providers" whose job it is to verify our identity.
Equifax's business activity is currently interrupted.
Without Equifax, those three "identity providers" can't do their job. GOV.UK Verify (RIP) can't work.
There has been no comment yet from the Government Digital Service. There never is. GOV.UK Verify? RIP.
the terms of service include foregoing any involvement in a class action lawsuit. These EquiScum are evil ++. So, their offer of "free" 1 year service is a honeytrap.
Equifax, Experian, Call Credit et al, as far as I'm concerned they can all sod off. These parasites gather information on individuals and addresses whether you consent or not. This is what happens when you allow them to do so. I'm frankly surprised it took this long.
It was Equifax or Experian - I can't remember - but one of them sent my credit report to my address, with some greek woman's name instead of my own.
I complained, to the agency and also the ICO, and got no response, not even an apology. They have all the power and none of the accountability. Our government allows them to do this. One error like mine could be disastrous to my life. It isn't even a 10^-6 rounding error for them, and they treat it as such. They get what they deserve. I would prefer a not-for-profit regulated organisation and the removal of these predatory credit agencies.
I would make everyone who profited responsible for paying the losses to the effected individuals, none of the sharks cared where the profits came from or the fate of people they were abusing.
No more countries just shrugging shoulders and failing to punishing the people to blame.
They need to send a message that choosing not to protect customers data is far too expensive to consider i.e. everything the "responsible" people, who chose not to protect it, have got and more.
None of these data breaches were accidental, each time they decided that protection was too expensive to bother with when the result of breach was just a slap on the wrist.
It's about time we all wake up and start getting on our local and federal legislatures to reign in credit agencies. It seems every other month a new credit agency pops up. Why not.. it's HUGE business.
If you're worried about the typical PII items being released... this is nothing.
Consider everything a credit agency knows and collects about you, your family and lifestyle trends.. under the guise they use it to determine risk. This isn't information for the past 1-5 years, this is lifetime:
- Properties purchased, location, and type (2 bedroom, 3 bath, 2100 sq feet etc).
- Vehicles purchased, make, model, year etc. They can also interpolate your average mileage per year.
- Organizations you belong to.
- Donations, amount, etc.
- Registered to vote, elections participated in
- Income, investments (type, to whom, active/passive, 401K, etc.)
- Insurance coverage, what you cover, specialty items covered
- Nearly every single monetary transaction monitored, classified into various things; i.e. from where, location, etc.
- Tax information
- Employment information
- Household expenses, gas/electric/heat bills... etc.
----On and on and on. These databases know you better than your mother, best friend and spouse.
With all of this, they can interpolate many of your lifestyle and professional choices and to what degree.
This isn't just a credit company... it's a FOR PROFIT INTELLIGENCE ORGANIZATION.
With all of this information, they sell it to those who gather it all in and sell it to businesses.
Places such as: InfoGroup, InfoUSA, YesMail, etc. Sell this information for big bucks and nearly every Fortune 500 company subscribes to MANY of these (not just one) for direct marketing and other overt/covert corporate greed schemes. It can also be used against you in court or by organizations like Scientology to discredit or publicly humiliate.
It's a nice thought and I want to sign up to sue Equifax. But I know from past experience that the government will not penalize Equifax with a penalty large enough to give everyone hurt by Equifax any kind of real money. Only the lawyers will get money and in huge chunks and we the injured will get a free credit report or a few cents each. I want the CEO, and president, and the Equifax board of directors fire and imprisoned for life as that is how long my credit information will be out there for anyone to use. What Equifax has done is paramount to setting off a nuclear bomb in every household they had credit information for.
Rather than notional damages, the result of the lawsuit ought to be a refund of 2x the cost of freezing/unfreezing the credit reports each time the credit report is frozen or unfrozen for every agency. For a yearly count that is at least 2 standards of deviation beyond the median of what a typical person does each year (that is, of the population that even uses freeze/unfreeze, otherwise, the value approaches 0).
The obvious response for Equifax is to make the cost 0-- so 2x0 is 0-- but the competitors might go to say 1000 just to eliminate the competition. A virtuous solution.
Oh rats. I just woke up.
Biting the hand that feeds IT © 1998–2020