by scarmig 3209 days ago
Equifax can handle its internal management and operations however it wants.

Externally, though, I want Equifax to have to pay a fine for every individual whose information was compromised. Identity theft can easily cause five figures worth of damage, so $10k per individual would be fair. Maybe as a warning shot we could lower this to... $1k? $100?

That's the only way to properly align incentives so companies will proactively defend against attacks like this.

4 comments

This thing called "Identity Theft" does cause damage, but it's important to remember that if fraudsters trick a bank into thinking they are you, it is the bank's fault for failing to properly verify it was actually you. Doing so would cost them more money and it is much easier to do cursory checks instead.

No doubt fraudsters impersonating you is a hassle and you must spend some time and money dealing with it if you are targeted, but do not lose sight of why it happens and who is ultimately responsible.

But you still pay the fees from the bank's failings, so it really does hurt everyone even when the bank eats it.
It hurts everyone foolish enough to still do business with the bank after they jack up their fees to pay for it. Or in jurisdictions where a small number of banks are given a monopoly, or competition is otherwise discouraged, it hurts everyone.
Yes and no.

If a "Too Big to Fail Bank" fails, we all pay. If a credit union in Utah messes up, their customers pay. Let banks compete on operational excellence.

I expect managers to go to jail, in addition to a financial kneecap that forces other companies to vigilantly pressure their management for security.

Well, maybe not expect. This is America... I expect infuriating golden parachutes. But I certainly hope for criminal charges and jail time.

$1k, $100, that's far too low in my opinion even for a warning shot.

As someone who has had their info leaked by two universities before, both of which subsequently paid for multiple years of credit/fraud protection, the sheer pain and stress of having random credit cards frozen and needing to be replaced is worth far more than that dollar amount of my time. This is potentially messing with people's livelihoods, with long-term lasting effects.

If monetary sums are given out, then I hope a fair amount is given out instead of a warning shot. Those tiny figures won't help at all and effectively send the message that companies are more important than the people they serve.

$100 per individual would be 14 billion dollars... Which would definitely put Equifax out of business.
Perfect. If they're in the business of selling access to sensitive information and cannot keep said sensitive information safe, they should not be allowed to continue to leak that sensitive information.
$1k would mean a $146 billion fine in this case. Hardly a "tiny figure".
I would not doubt a class action lawsuit results from this, and I'd be very surprised if Elizabeth Warren didn't pursue congressional action against them (although not officers of the company unfortunately).
And then I'll get six months of free credit monitoring from Equifax? Oh boy!!1!

More seriously, this is a breach big enough that Equifax should honestly no longer exist as a company. So call it $100/incident, and I'm happy. Other agencies would still exist, and, although they're just as terrible, it might get them to kick their asses into high gear to fix their security.

Maybe, the suggested demise of Equifax, the extreme perpetrator of neglect in this particular case, should lose the ability to print money, much like Symantec and other SSL cert issuers (identity certifiers) for their recklessness; perhaps that doesn't go far enough.

Maybe the whole commercial enterprise of credit reporting (and identity verification) needs to be dramatically reworked in a more modern, sane design, with different governance and oversight.

The NYT story states that they are already offering this to affected consumers: https://www.equifaxsecurity2017.com/potential-impact/ .
I went there and used the site and guess what? It doesn't work. It just said 'Thank You!' and gave me an enrollment date. It gave me no info as to whether I was one of the people affected.
The number of affected people was 143MM, which I think is numerical shorthand for "everyone we've ever known about."
Likewise, WTF. I thought you were joking but nope, it returns this text:

-----

Thank You Your enrollment date for TrustedID Premier is: 09/13/2017 Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.

For more information visit the FAQ page.

That means you are affected. If you enter a non-existent name and SSN, it will say that you are not affected.
Even better, they ask for your last name and the last six digits of your SSN to even check your potential impact. The problem is that the first three digits of your SSN are derived from your state of birth, so the last six give up basically the entire thing. http://www.ssofficelocation.com/social-security-number-prefi...

This whole system is so fucked.

The content of the landing page (since it appears broken, here's the content from Reader View):

Equifax Announces Cybersecurity Incident Involving Consumer Information

[Equifax CEO statement] https://youtu.be/bh1gzJFVFLc

No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.


Did that https work for you? For me it redirects to plain http and then OpenDNS blocks it as a phishing site. Why are they using such a scammy looking domain, anyway? Why not just host it on their main site?

Edit: I'm abroad and just tried through a VPN and it worked. Don't know why I tried without it ...

Domain name was registered on August 22nd 2017...