Equifax Data Breach, 1 year later: obvious errors, no corrections




The US General Accounting Office (GAO) today released a comprehensive report examining the reasons for the massive breach of personal information at Equifax a year ago today. The report covers the breach and the actions the company and the government have taken in response since.

It breaks little new ground, but summarizes a series of internal company errors, largely related to a lack of good security practices, internal controls and routine security reviews.

The predictions following the breach were that regulators and consumer outrage would bring about major changes in the credit reporting sector. Instead, almost nothing substantial has occurred since the unprecedented breach. Equifax's share price took an initial hit, but it has largely recovered. The company has continued to receive important government contracts.

Consumers Union, the publisher of Consumer Reports, noted in an editorial published today on its website, "Americans remain largely unaware of the practices of the credit information sector and, more generally, are largely unable to control the business use of their personal information. Equifax itself has suffered minimal consequences and continues to do business more or less as before."

On September 7, 2017, Equifax revealed that unlawful access to its credit reporting databases over several months had resulted in the breach of personally identifiable information of more than 143 million people, almost all of them in the United States. 148 million affected.

The company waited six weeks to disclose the breach.

The files included various elements: credit card, driver's license and Social Security numbers, dates of birth, telephone numbers and e-mail addresses.

The GAO report confirms that a single Internet-facing web server running outdated software led to the breach, which went undetected for 76 days. Attackers made 9,000 requests that went unnoticed because the company had failed to keep a network data inspection system up to date. That system had not been working for 10 months before staff noticed. The attackers also accessed a database containing unencrypted credentials, which they used to access other internal databases.

The company today announced plans to spend an additional $200 million this year on security and technology, although it has not provided context on past or current spending. In a statement, Equifax said it had made comprehensive changes.

Eight state banking regulators imposed a consent order on Equifax in June, demanding improved security, audits and reports. California passed legislation earlier this year that requires disclosures about the collection of personal data and imposes significant fines for data breaches, up to $750 per violation. It comes into force on January 1, 2020.

Alabama and North Dakota have passed laws requiring breach notification, with penalties for delays. In Alabama, a breach must be reported within 60 days or a business is fined up to $10,000 per violation; in North Dakota it's 45 days and up to $5,000 each.

At the federal level, the President signed a bill in May that includes free credit freezes and thaws at the three largest credit reporting agencies: TransUnion and Experian, in addition to Equifax. A freeze prevents access to a credit file, which deters identity thieves from opening new accounts in someone else's name. Fees previously varied by state, and where fees were allowed they could range from $5 to $10 per freeze or thaw for each credit bureau.

The law also allows consumers to report potential fraud to a credit bureau, which is required to share it with the other two. The alert now lasts a year instead of 90 days. With the alert in effect, the bureau must take additional steps to verify an identity.

Two criminal charges were filed, against Chief Information Officer Jun Ying and a company software developer, for allegedly selling shares while knowing of the breach before it was made public.

The Consumer Financial Protection Bureau, an agency created in part to protect consumer data, received more than 20,000 breach-related complaints in April 2018. However, the CFPB has been hollowed out under the Trump administration. (The CFPB is now officially known as BCFP: same words, different order.) No enforcement action has been taken against Equifax. The Federal Trade Commission also has a supervisory role and has made no move either.

In January, Senator Elizabeth Warren co-sponsored a bill with Mark Warner that would give the FTC more direct supervisory authority over credit reporting agencies like Equifax and allow it to impose fines. Those fines would have amounted to $1.5 billion in the case of this breach. That's significant in terms of revenues and profits: Equifax took in $877 million in its last quarter and earned $145 million.

In a comedy of blame following the breach, Equifax sent the chief executive at the time of the breach, Richard Smith, to testify before Congress starting October 3, 2017. At the first of four separate hearings, employee who has failed to update the software on a server. No other company executive testified.

During this hearing, Warren said, "At best, you are incompetent; at worst you were an accomplice. Anyway, you should be fired." Smith had already resigned the previous week and was soon joined by the company's chief information and security officers.

By not dismissing Smith, the board allowed the CEO to retain compensation in excess of $90 million in 2017 and over the next several years in salary, stock options, other stock and other benefits. He had to give up a potential bonus of $3 million for 2017. If he had been fired, he could have been forced to give up much of his stock and cash.

Four members of the US Congress commissioned the GAO report: Senators Elizabeth Warren and Ron Wyden, and Elijah Cummings and Trey Gowdy. Gowdy was the only Republican, and he retired from Congress after this session. Warren's legal research and advocacy led to the creation of the Consumer Financial Protection Bureau in 2011. She was passed over to head the bureau, but was elected to the Senate in 2013.
