
Question. Can't we just let this company die? Do we really need a new law created by Congress (e.g. HIPAA 2.0)? Won't this just destroy the ability to create startups quickly? I understand it will help lawyers get fat and happy, but enforcing 'privacy' laws would be a trolling circus.


Do I really want a startup doing this stuff? Iterate fast and break things? I would rather just have a heavily regulated industry with a lot of checks and balances handle very important data like this. Why could you even access the core databases from the front end? Why isn't the data on a completely separate server where all queries are completely scrubbed and verified?


Those are interesting questions, but distract from the central one of just why we should continue to let Equifax exist.


Heavily regulated like: airlines, healthcare, public schools, prisons and drugs?


Air travel is pretty safe.


That and if an airline has a major crash, there is a high probability they'll be out of business relatively soon, or forced to acquire a new brand.

* Pan Am had two 747 crashes in 11 years. Flight 103 & Flight 1736 (Tenerife) although the airline was not directly to blame for either crash.

* TWA 800 (along with 9/11) led to the collapse of the airline.

* ValuJet 592 crashed in Florida in 1996, grounded for several months, and then merged with AirTran Airlines in 1997.


What do you mean, "let it die"? Do you honestly think there's even a shred of possibility that Equifax would go out of business?


I don't think it will be long until the data is sold, then some group figures out you can program with the data + curl + facebook and automate applying for loans and tax refunds en masse. There could be millions of erroneous loan applications, tax refunds, business filings, car applications. Then! Lawsuits, government inquiries, etc. They don't sell oil - money will run out.


Take a look at the analyst outlook and decide if you still think that's going to happen: https://baird.bluematrix.com/docs/pdf/dbf801ef-f20e-4d6f-91c...


> Our understanding is data retained by EFX primarily generated through consumer interactions was breached via the Apache Struts flaw (i.e., core databases not believed to have been breached).

This is complete and utter garbage. There is no solid evidence to back this theory of the breach. It is still too early to tell exactly what data was leaked and how. We simply won't know until the security consultants auditing Equifax's systems publish a report (or otherwise publicize their results).


I also find it pretty hard to believe that a company like Equifax didn't just have everything hooked up to one big database, but I still don't think it's likely the breach is going to take the whole company down.

Most people aren't going to be tuned into the leak the same way that we are on HN, they've still got their special place in a government-sponsored near-monopoly, and big companies have the resources to deflect blame and hunker down to weather the storm.

Remember the Deepwater Horizon spill and how angry people were at the time? These days, a large majority probably don't remember the details or even the name of the bigco responsible.


Where do you think the analyst got their information? Companies routinely share such things so that the analysts can get updated guidance out and prevent excessive panic from investors.


The management of the firm has already been selling shares while keeping the data breach covered up, so let's assume for now that any information coming out of there without a subpoena is a pack of lies. They've blown any claim they had to the benefit of the doubt.


A silly and baseless claim. The executives didn't know about the breach at the time of sale, and it wasn't "covered up". It's standard industry procedure to first stop an intrusion, investigate the scope, contact law enforcement and regulatory agencies, and prepare a consumer response, before publishing a breach. This wasn't something that was dug up by an investigation, so calling it a cover-up is simply wrong.


Sure, I always dump stock in companies I manage while sticking to standard industry procedure after not sticking to any industry procedures until I had a massive failure. Sorry, I am not into giving business people the benefit of the doubt when all the facts point the other way.


Could it be that the executives will get in more trouble for selling the shares - i.e. insider trading - than for managing the company with such a massive data breach?


They weren't "dumping stock". They sold a small percentage of their holdings. They have much larger stakes in Equifax than what was sold.


It's easy to put a company out of business. All that's required is the political will to do so.


> Won't this just destroy the ability to create startups quickly?

Why does this matter to anyone but startup founders?


Because monopolies are bad.


Equifax is not a monopoly. Furthermore, the root cause of this problem does not lie in any quasi-monopolistic feature of the industry. Appropriate regulation should not be ruled out, as a possible remedial action, on the basis of non-sequiturs.


Could argue that industries with low startup costs are much less likely to suffer a proliferation of Apache Struts. Increased competitive pressure to improve an information product might bring the side effect of more modern technology, but who knows the overall impact it would have on security.


Maybe, but the underlying problem is not a particular technology, or even technological in general; it lies in having a system built on false assumptions about the confidentiality of SSNs and other data.

Suppose we have a solution to the underlying problems. It would undoubtedly be difficult and costly for the financial industry to adopt it, and a startup that implements it will not be in a position to force its adoption. About the only thing that could would be regulation - but I'm not holding my breath.


From a single company's point of view, as an evolutionary entity, there is absolutely nothing better than becoming a monopoly.



