
Moody’s downgraded Equifax from “stable” to “negative” due to cybersecurity

245 points | hsnewman | 6 years ago | gizmodo.com

92 comments

[+] duxup|6 years ago|reply
I recall someone who was a security director at Panera Bread (a US based fast casual restaurant). He was confused and upset when a security researcher contacted them and asked to exchange a PGP key ... I suspect he straight up didn't understand what the request for a key meant or possibly even the issue, as it was a very obvious issue and they did nothing about it until it hit the press.

His previous job... at Equifax.

Oh I found the story:

https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-s...

[+] ufo|6 years ago|reply
The initial email exchange is indeed a sight to see, so I transcribed the text in the image:

---------

Hello Mike et al

Thank you for making yourself available. There is a security vulnerability on the delivery.panerabread.com website that exposes sensitive information belonging to every customer who has signed for an account to order Panera Bread once. This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number. Moreover, the users are easily enumerable which means an attacker can crawl through the records.

I can provide the specific details of the vulnerability over email once you respond, but if you prefer (for more security), I can also encrypt the information with a PGP key you provide me. Alternatively we can hop on a phone call.

Best Regards, Dylan Houlihan

--------------

Dylan

My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.

Regards, Mike
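The email above describes two defects at once: records readable by anyone who knows an account number, and account numbers that are guessable in sequence. The following is an added example (not code from the thread, Panera or the researcher) showing the unauthorized-lookup pattern beside an owner-checked version, a non-sequential identifier, and a detector that flags the crawl pattern in access logs. Record contents, IPs and log lines are constructed.

```python
from collections import defaultdict
import re
import secrets

# Constructed sample records; sequential ids stand in for the enumerable
# account numbers the email describes.
ACCOUNTS = {
    1001: {"owner": "alice", "name": "Alice A.", "card_last4": "1234"},
    1002: {"owner": "bob", "name": "Bob B.", "card_last4": "5678"},
}

def get_account_vulnerable(account_id):
    """Insecure direct object reference: any caller reads any record by id."""
    return ACCOUNTS.get(account_id)

def get_account_hardened(requester, account_id):
    """Object-level authorization: only the record's owner may read it."""
    rec = ACCOUNTS.get(account_id)
    if rec is None or rec["owner"] != requester:
        return None  # same answer for missing and forbidden: no existence oracle
    return rec

def new_public_id():
    """Random, non-sequential public identifier to replace guessable integers."""
    return secrets.token_urlsafe(16)

# Constructed log format: "<client-ip> GET /api/account/<id> <status>"
LOG_RE = re.compile(r"^(\S+) GET /api/account/(\d+) (\d{3})$")

def enumeration_suspects(lines, threshold=5):
    """Flag clients that fetch many distinct ids, mostly adjacent ones:
    the record crawl the researcher warned about."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    suspects = []
    for client, ids in seen.items():
        ordered = sorted(ids)
        adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if len(ids) >= threshold and adjacent >= len(ids) // 2:
            suspects.append(client)
    return sorted(suspects)

# Constructed access-log lines: one normal client, one walking ids in order.
SAMPLE_LOG = [
    "198.51.100.7 GET /api/account/1001 200",
    "198.51.100.7 GET /api/account/1001 200",
] + [f"203.0.113.9 GET /api/account/{i} 200" for i in range(1000, 1008)]
```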

[+] SethTro|6 years ago|reply
> Moody’s downgraded Equifax from a “stable” to a “negative” outlook

> Lawsuits and investigations have cost $690 million in the first quarter of 2019 alone

> And the lawsuits will keep coming: In January, an Atlanta judge denied Equifax’s attempts to dismiss class-actions filed against the company.

Looks like there are real consequences to losing data on half of all Americans.

[+] _iyig|6 years ago|reply
Will any of the individuals responsible face direct consequences for their actions? Or, will the cost of their mistakes be borne entirely by shareholders?
[+] AdmiralAsshat|6 years ago|reply
But not because of anything Congress did.
[+] _bxg1|6 years ago|reply
It sounds like most of these costs are just from having to finally do the things they skimped on in the first place. If so, it's not really a loss compared to if they had taken the right steps at the beginning. So it may not really disincentivize them from cutting corners again in the future.

It'd be like if the only punishment for getting caught cheating on a test was "well now you have to take the test without cheating". You're probably going to give it a try every time.

I'm seeing a pattern with these "Congressional hearings" where politicians bring in CEOs, let off a few zingers to really stick it to 'em, score some points with their constituents, and then... do absolutely nothing of substance.

[+] travisjungroth|6 years ago|reply
It’s more like if you got caught cheating during a test you had to stop cheating but kept taking the same test and got credit for all of your previous answers. Equifax still has its past profits.
[+] jiveturkey|6 years ago|reply
> It sounds like most of these costs are just from having to finally do the things they skimped on in the first place.

Source? It's not TFA. TFA only talks about legal costs in the past, and doesn't state it but implies future projections are also for legal costs.

With $700MM of legal costs in 1 quarter, if that is 49% of the total (51% --most-- going to finally do the things) expenditure, that's $1.4bn in one quarter. Their entire 2018 revenue was just $3.4bn ($835MM in Q4).

[+] lkrubner|6 years ago|reply
EquiFax outsourced its network monitoring to ReliaQuest, and I have a friend who works at ReliaQuest, so I've followed this with some interest. There is a general issue here too. Back in 2017 I wrote:

"But I don’t mean to only focus on EquiFax. I’ve seen many small companies where computer security was considered the exclusive job of the tech team. I recall a jewelry manufacturer in Richmond, Virginia, which had about 100 people, including a tech team of 3. Top management of such a company has the option to educate everyone about the importance of security, or they can just leave the task to the tech team. The tech team is often happy to gain the power granted by being in charge of such an important function. And then they implement silly rules, like forcing all passwords to change each week — minor rituals that annoy a lot while offering little real security. Real security could only come from educating the staff about the open nature of email, the importance of using encrypted communications, the importance of protecting the intellectual property of the firm. A company with 97 ignorant people and 3 security minded people can never be as secure as a company with 100 security minded people."

http://www.smashcompany.com/business/if-a-company-is-serious...

[+] motohagiography|6 years ago|reply
What gizmodo overlooks is that a Moody's rating is usually related to company debt, which means that a ratings downgrade increases the interest rate they have to pay to roll over existing debt or issue new debt.

Seems like a company with a large debt/income ratio could be crippled pretty fast by a ratings downgrade because it increases the percentage of revenue they pay in debt interest. If they have a high debt load and their profit margins are single digit, they risk ceasing to be profitable, which will tank the stock. It's a spiral.

If they have catastrophic cybersecurity exposure that opens them up to fines, settlements, and customer attrition as a result of an incident like the one that affected Equifax, well that's a target for a fire sale.

It's practically inviting hackers to target companies with high debt/income ratios on behalf of short sellers for that reason. It would be a slow motion car crash that would be hard to time correctly, but the confluence of debt/leverage and security risk seems like a perfect storm.

[+] donclark|6 years ago|reply
Another situation of too big to fail? I sure hope not. Why are they still in business? Any worthy regulation of any type would have shut them down already, no?
[+] JumpCrisscross|6 years ago|reply
> Why are they still in business?

Lawsuits are progressing. It's possible legal costs (plus the accompanying reputational damage) will eventually force Equifax into bankruptcy. (I, for example, refuse to open credit lines if they require an Equifax credit check.)

At the end of the day, you can't just kill companies because you don't like them. We don't have general data protection laws with heavy penalties in the United States. The only way to extract a pound of flesh is to show damages, which has been difficult given how little we know about who stole the data and what they did with it. Nevertheless, the lawsuits progress.

[+] W-Stool|6 years ago|reply
How these guys are still in business and still collecting financial data on US citizens frankly baffles me.
[+] papito|6 years ago|reply
It is really, really hard to get in trouble in the United States if you have a lot of money and some friends in Washington.
[+] darepublic|6 years ago|reply
Here in Canada you basically must go to them to do anything credit related, i.e. get a car or home loan. I don't see how they have any incentive to do better because they are a monopoly. And I cannot get my credit score from the bank as it's illegal; I must go through this joke of a credit agency.
[+] saltyshake|6 years ago|reply
They have a monopoly similar to Microsoft in the 90s.

Everyone is simply using them and there is no good popular alternative.

[+] dotnetdemon|6 years ago|reply
Equifax: where you’re a customer whether you wanted to be or not.
[+] larkost|6 years ago|reply
Not quite right, rather "Equifax: where you're our product whether you wanted to be or not."
[+] pgrote|6 years ago|reply
It will never mean a thing and will never change until those in leadership positions in corporations suffer criminal penalties for lack of oversight and protection of data.

Unfortunately, the federal government has no appetite for holding corporations criminally responsible for actions in this day and age. The belief in too big to fail and campaign donations are monumentally hard to overcome.

[+] burtonator|6 years ago|reply
I was thinking holding cash in ESCROW for these companies might be a way to get them to take this shit seriously.

The idea is to lock up your payment in escrow for 12 months.

50% of it would be in escrow and 50% is sent to the recipient.

You then use a multi-sig transaction for the escrow.

If your customers find out you did something shady they can all revoke their payment to you and you lose 50% of your revenue for that year.

All it would take is for the N of the M wallet signatures to agree that what you did was a breach of contract.

This could be done optionally too. Companies that enable this type of payment would see more customers so the free market dynamics would take over.

It could also be legally required too of course.

[+] toomuchtodo|6 years ago|reply
Anyone have a current status on how to effectively sue Equifax for data exposed?
[+] hello_newman|6 years ago|reply
Last year, I tried to sue them in Small Claims court (in California) using this as a guide: https://blog.legalist.com/i-won-8-000-from-equifax-in-small-... .

For me, it was unsuccessful. They sent out a representative and we argued away from a judge (forget the term used) and I decided not to see the judge because if I argued before him and lost, I would be "unable" to bring it before a judge again.

I've heard of this tactic working for certain consumers (like in the article above), but for me what was hard to establish via small claims court was how exactly I was facing monetary damages. Most lawsuits allow punitive damages, but small claims court does not, so you have to prove exactly how you were monetarily damaged.

That being said, I would definitely be down to sue them in small claims court again using a better strategy. I would also join a class action lawsuit.

[+] Simulacra|6 years ago|reply
In the long run I don't think anything will change at Equifax. At worst, it will get absorbed by another company, re-branded, and no one will know where the former Equifax has gone. At best, it will get disbanded and its executives put in prison.
[+] bikeshed|6 years ago|reply
Honestly, Equifax should’ve folded after that breach. Any company that loses all its customer data should cease to exist.
[+] eppsilon|6 years ago|reply
None of us are Equifax's customers - we're their product.
[+] dba7dba|6 years ago|reply
A few weeks before the news of the Equifax hack broke, I specifically remember seeing job postings for DevOps engineer at Equifax.
[+] victorkab|6 years ago|reply
Hey Hacker News,

I am Victor, the CTO of Truework (https://www.truework.com), a startup providing an alternative to Equifax / TheWorkNumber.

We are working to change the way employment & income information is shared by employers, with a more privacy focused approach where you, as an employee, decide if you want to share the information with the requester.

I started this company after I found out that Equifax shared my employment and income information without my consent when I was working at LinkedIn...

AMA

Also we're recruiting: https://www.truework.com/careers/ !

[+] craftyguy|6 years ago|reply
So yet another company vying for personal data on millions of people, and making a business model out of it. Great, just what the world needs. (Not.)
[+] itswednesday|6 years ago|reply
Does Equifax actually have my employment and income information? I thought it was just credit reports, etc.
[+] xvector|6 years ago|reply
Those in charge of grossly mishandling customer data need to be arrested.
[+] ga-vu|6 years ago|reply
$1.4 billion in expected losses from the hack. That's quite the loss.