Re: GDPR can't Fix this
What on earth are you on about.
The UK's privacy watchdog wants to fine Equifax £500,000 ($660,000) after hackers siphoned off 15 million Brits' info from the credit-score agency's databases. Or in other words, three pence for each of the affected British citizens. The fine could have been much larger had it fallen under Europe's GDPR. However, the security …
From the Bloomberg article you linked to:
"convicted the ringleader of the effort to rig the Libor index, initiated criminal proceedings against Barclays Plc and its former chief executive officer for actions in the 2008 financial crisis"
I saw an interesting bit of code named "Barclays Corporate brand safety" in a website's source that had numerous keywords in it. Some of the usual words that could get someone on a "watch list" and some that were just possible "trigger" words that could be considered not "politically correct" depending on their usage and context.
But one of the "trigger" words that caught my attention in that list was: "Libor".
(Protecting that "corporate brand" I suppose.)
Would GDPR fines apply in this case?
It wasn't that they were deliberately selling customer information - they got hacked.
We don't fine banks when they get robbed (ok. we don't fine them when they deliberately mislead and rob customers either but that's a different story)
They were obviously incompetent, but imagine - if you get hacked because of a zero-day exploit in Windows should you get fined 4% of your turnover, or should Microsoft be fined? If your AWS bucket is hacked does the EU get 4% of Amazon book sales?
But if you aren't responsible when your cloud provider gets hacked - what stops Equifax setting up "Equifax data processing Europe Inc", a subcontractor with no assets?
15 Million victims, £500k fine
That's not £30 per victim - it's thruppence.
And a massive 0.1% of profits. That'll teach 'em not to mess with the ICO.
With the supercharging of these sort of fines post GDPR, I imagine there was a big sigh of relief in the executive board room that the hack didn't happen later than it did.
The corollary is that we'll now see a small industry of trying to backdate hacks. "they hacked into our system years ago and were still using those credentials, so last week's hack was really years old", "The dog ate our latest log files, but we've still got the ones from two years ago", etc.
...it's thruppence...
Isn't that a term from pre-decimal currency, when thruppence was a quarter of a bob?
I can remember just before "D" (decimal) day a pint in the local cost 1/9. That should have become 9p after "D" day but it became 9.5p.
(Where's the Boring Old Fart icon)
Though in some regions of the country (including my own flattened North Country vowel sounds) it is pronounced thruppence, it is spelt threepence.
The threepenny bit - or Joey as it was called - also doubles as a bit of rhyming slang for certain bodily functions. No similarity to Equifax should be inferred.
I've been giving my representatives hell about this ever since it happened. Slowly it seems Congress is finally realizing just how spitting mad the public is about this. As far as I'm concerned, I'd take free credit locking to a fine any day - THAT would really hurt them, but TOO FRICKN BAD!!
'So, the credit history and ID of the Cockney is worth about a tuppence. '
In another lifetime I was a customer of TalkTalk and had a line fault reported to them.
After this data was nicked I had no written notification from TalkTalk. I did have regular calls from them telling me my modem was showing faults and I needed to do Windows R to get them to fix it. (quoting my address and TT account no to prove it was TT) In the last week this has escalated to 2 calls a day. I know how much my details are now worth in India. Sweet FA.
"...IT staff failed for months to renew a digital certificate for the device..."
Actually, it's more likely that IT staff completed the required paperwork for renewal in plenty of time, but said paperwork probably just got bogged down in accounts payable bureaucracy. A company the size of Equifax probably doesn't pay its bills particularly frequently, and likely has many hoops to jump through to get money spent.
"I agree, but the fine is as large as it could be under the old rules."
As the article says but maybe some don't read beyond the headlines.
What businesses should be taking note of is that the regulator has no qualms about setting maximum fines for the really big offences. A business such as Equifax might be able to shrug off £500k but 4% of global turnover will get their attention and this is a signal that it's not a remote probability in such circumstances. It really is worthwhile spending money on security.
Presumably other EU regulators will be looking at whether any of their citizens were affected and issuing their own fines. And if the US continues to be tardy getting round to issuing penalties then that should be taken into account when the Security Figleaf gets looked at again.
"the regulator has no qualms about setting maximum fines for the really big offences" - I don't think that is what is going on here. I think what happened is that GDPR has upgraded the scale for fines like this. In other words the regulator thought about what fine they would levy if GDPR applied, and then capped it at what the DPA allowed.
I would be surprised if they would hand out a maximum fine under GDPR for this; but of course, even 0.4% of global turnover would get the attention of the boards of the other credit agencies.
If the ICO had any spine, they'd have done a "counterfactual" exercise to establish what a similar breach would be worth GDPR, and stated that sum in the press release, and then we could all conclude whether GDPR will have any teeth in practice.
Even so, looking at the vast and frequent fines and subsequent behaviours in the financial services sector (of which Equifax are part), I'm sure that the evidence is that substantial fines do not change values and behaviours, they merely close off a particular format of transgression. And since Equifax net income/turnover is 17.4%, I'm unconvinced that a 0.4% of turnover fine would actually scare the board.
"a 0.4% of turnover fine could actually scare the board."
Depends. If it's paid from company funds, it'll be a while before company behaviour changes.
If the penalty was payable by the individuals on the board (same way as megabonuses are payable to the individuals on the board) they might start to think about changing the way they do business.
Strangely enough, the ICO has recently been talking about similar kinds of thing (e.g. companies going bust rather than paying a corporate penalty).
"Makes me wonder why this country is in trillion pound debt"
Gross financial mismanagement not directly connected to
"and we are handing out poxy fines to corps"
Read the article and note that this was the maximum fine under the legislation at the time. Would you be happy if a regulator could just make up penalties at whim? (Think carefully what you ask for before you answer: "Mr Wibble, you were found parking on a double yellow line for the second time. You clearly have disregard for the law. Your car will be taken and crushed and you will serve 3 years in prison.")
That won't change until there is a credible deterrent
Which is why GDPR allows fines of up to 4% of GLOBAL turnover (of the group where it's a subsidiary and so on) - so no fudging things to make profits appear negative, or putting turnover through the books of a partner company, or other tricks.
So Equifax UK could be fined up to 4% of turnover of the whole group, not just of the UK company. What's more, it can continue (daily fines) indefinitely if the company refuses to fix the problem.
If that's not a deterrent, I don't know what is.
That won't be a deterrent. There's all manner of things companies can be fined stupid, arbitrary, picked-from-a-bureaucrat's-arse percentages of turnover for, but all concerned know that is window dressing. Take Ofgem - probably Britain's most aggressive, combative, regulator. E.ON failed to install AMR devices for business customers by a given deadline, and could have been fined up to 10% of turnover. With turnover of £9 billion, that would be a £900m penalty, right? That'll show the dirty German rotters! Dream on. The company were fined TWO QUID by the regulator, plus a £7m payment to Ofgem's Waifs & Orphans fund. Yes, including the £7m slush fund payment, not even 0.08% of turnover.
Now, how much do you think Equifax would have been fined under GDPR?
Ok, I might be being a bit thick here, but why is this shit being held on servers connected to the internet anyway? This and societal infrastructures like nuclear power stations, power grids, NSA snooping et al don't need to google what perversions the latest celebrity has been up to; they should be in company servers not connected to the internet. If they're a world wide organisation have some kind of (oh, I don't know, let's call it a) world wide intranet that can only be accessed physically within the company - they have the money. Nearly unhackable - short of an inside job.
"It's being held on machines accessible from the internet so you can make credit reference enquiries over the internet."
Not wholly true - I can't make a credit reference check over the internet (even of my account) to the depth that other 'trusted' organisations can. It's held on servers connected to the internet so that Equifax can sell the data to third party organisations for credit checking, identity checking etc. - that's their business.
As they get a fee for each check, a fee that I'm sure is greater than 3 pence, then the fine is just pure noise and in no way forces them to improve their systems.
Let's face it, in the scale of things it's simpler to pay the odd fine of £500,000 than spend that much on additional staff, consultants, servers and SW upgrades to rectify poor IT security.
I'm sure the CFO will report it to the board as "The cost of doing business"
I would hope given how important credit ratings are to many citizens' lives, that they would be regulated like banks. This amount of data loss would ideally result in them losing a "licence" to store sensitive personal data.
It makes me reluctant to give them my information even just to check my credit file.
It is surprising no legal action can be taken for gross negligence. I suppose if you can't prove you've lost out, what they did is not an offence which would result in compensation for the victims.
Credit rating agencies already are regulated, both in the US and EU, on account of their incompetence in the run up to the 2008 financial crisis. But that is sector focused on how they do the job of credit ratings.
Data protection remains with the "relevant competent authorities" so in the UK the ICO, and the paltry fine reflects the failure of national politicians to update local laws, partly because GDPR was coming along, partly because the likes of Google and Facebook were very effective in lobbying for trivial penalties to continue.
"20,000 records included people's names, dates of birth, telephone numbers, and driving license numbers"
What in seven hells¹ were they doing with driver numbers? More to the point, how did they get them? DVLA being mercenary again? With that, a date of birth and a national insurance number they can pry into all manner of things that are none of their sodding business. So can script kiddies now.
Time these bastards were brought to heel.
¹ obligatory GoT outburst
What in seven hells¹ were they doing with driver numbers? More to the point, how did they get them?
I'd very much like to know that as well.
I'd also like to know how an American ID checking company, used by Air B&B, are able to use your UK Driving License number to confirm your ID - "just send us a hi res photo of both sides of your license and we will confirm your ID to Air B&B so your rental booking can proceed"
Credit agencies share data - how did they get your drivers licence number - did you pay with a credit card by any chance? You gave them your address and birthday and they cross referenced that to your bank details ... and on and on.
In Louisiana all you need is the first and last name, zip code and birth date and you can determine each voter's political party from a public web-site. The credit agencies gather all this information and then sell it ...
Can't we at least use the GDPR individually to have any data they do have on us deleted. OK in the absence of a gigantic data breach you could argue Equifax has a right to hold credit data the banks have asked for the right to transfer to them; but following such an egregious breach it ought to be fair reason to demand Equifax delete everything they have on you (because they can't be trusted to keep it secure) under the GDPR and without any "necessary for business" exclusions.
You probably can do that. But then you'll have no credit record at all and will have an entertaining time if you want a mortgage, say.
Yeah, you'd be kind of a 'blank Reg'*
* Max Headroom : 20 Minutes into the Future
I think we're heading in that direction anyway, a world where credit fraud is considered worse than murder....
Congress has been threatening more regulations for years, but they kept promising they'd do it without regulation. Well they obviously failed, and public uproar finally has the voters asking questions. I've contacted my legislators demanding I be allowed a free credit BLOCK anytime I want it, and that would effectively fix the problem, and also punish the reporting agencies as well. I'll believe it when I see it happen though!!
Maybe Equifax should have a 'trust rating', held by some company that measures the level of trust you can have in companies who deal with sensitive data. And anyone can check the rating of said companies, who must display their rating in any and all correspondence and advertising.
Such a rating should determine how much data they can hold and for how long, subject to GDPR rules. And these companies may not ask to have their rating altered, unless they can prove beyond doubt that their rating is wrong.
Almost like... a credit rating. How coincidental....
I worked for a company a few years ago whose call centre cold called people with their own business.
I absolutely loathe cold callers so when I, the lowly IT guy, found out, I asked the sales director how this was allowed.
'Equifax sold us the details, they're business owners, it's alright.' I took a look, and yep, a spreadsheet of customers, their phone numbers, and credit scores. And this scumbag company was targeting the higher credit score ones.
I resigned and took a contract role elsewhere.
"As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect."
Maybe at the moment the ICO looked at it, but will it stay this way?
Security is not something you bolt-on nor patch-over afterwards. Security-by-design is a key requirement of the design of networks, systems, software and usage procedures.
or at least it should be.
...the information leaked is the same information political campaigns purchase on all of us so they can better target the public for contributions.
You'll probably never see politicians outlaw the collection of certain data, since they themselves profit from it. Every habit you have, each item you purchase is collected and added to your own little private database for a company to sell. Trends, movements, purchases, etc. Is all bought/sold.
Human metadata is the new gold, and politicians can't get enough of it.