9/11/2017
06:30 PM

Equifax Gets Slammed, Removes Forced Arbitration Clause from Credit Monitoring Offer

Company's initial requirement that breach victims sign away their legal rights to get complimentary offer was one of several mistakes.

Equifax Monday announced changes to its free credit-monitoring offer for victims of the massive data breach it disclosed last week, after getting slammed for originally attempting to force people to sign over their rights to legal recourse in order to enroll.

In a breach update, Equifax said it has removed certain language from the Terms of Use on the third-party website victims have to use to sign up for the credit monitoring service. It has also added a FAQ to its own website to confirm that enrolling in the complimentary credit monitoring offer does not waive any rights to take legal action against the company.

Earlier, consumer advocacy groups such as Public Citizen, New York Attorney General Eric Schneiderman, the Consumer Financial Protection Bureau, and Sen. Sherrod Brown (D-Ohio) were among many who had demanded that Equifax remove the forced arbitration clause in its original credit monitoring offer. The clause basically prohibited people who signed up for the offer from later suing the company in court.

"The wounds were totally self-inflicted," says Bob Ackerman, a managing director at cybersecurity venture firm Allegis Capital. "The debacle of perceived release of liability, if you opted in to their credit-watch services, was just pure stupidity."

In addition to acquiescing to the demand to remove the clause, Equifax said it would also not require a consumer's credit card information when they sign up for the offer. Neither will consumers be automatically enrolled or charged at the end of the free period, the company said. There had been some concern over both requirements when Equifax originally announced the complimentary credit-monitoring offer, particularly over the prospect that the company could actually end up making money from the breach.

"We are listening to issues consumers have experienced and their suggestions. These are helping to further inform our actions," the company noted in Monday's update.

While some might see Equifax's moves to soothe frayed tempers as a positive development, they are unlikely to do much to mitigate the fallout from the breach.

In the four days since Equifax announced the breach, the company's shares have fallen by over 20%, erasing billions of dollars in market value in the process. From around $142.70 last Thursday, Equifax's share price had tumbled to around $111.30 about 90 minutes before market close Monday. Some financial experts expect prices will fall even further to around $100 by mid-October.

Schneiderman and attorneys general from Connecticut, Illinois, Pennsylvania, Massachusetts, and other states have already launched investigations or have announced their intention to do so soon.

It is almost a sure bet that Equifax will need to respond to similar investigations from every single state AG. Among the issues they will probe are the 40-day delay between when Equifax first discovered the breach and when it first publicly disclosed the incident, and whether the post-breach measures it is taking to protect consumers are adequate.

News that three senior Equifax executives sold nearly $2 million worth of their shares in the company in the days immediately following breach discovery has added to concerns about the company's commitment to addressing what went wrong.

Multiple lawsuits already have been filed over the breach, including one in Portland, Oregon, which seeks a mind-boggling $70 billion in damages nationwide.

On Monday two high-ranking lawmakers—Senators Orrin Hatch (R-Utah) and Ron Wyden (D-Oregon)—announced the first of what is sure to be multiple inquiries into the impact of the incident on U.S. agency records. The two Senators also wanted to know when exactly the three Equifax executives who sold their stock were first informed of the breach.

"Equifax has made a number of critical missteps, which have caused the public to question whether or not they truly have the best interests of their customers at heart," says Michael Sutton, CISO of Zscaler. "Whether it's the Equifax executives selling shares days after the discovery of the breach…or profiting from the breach by pushing a credit monitoring service that they own, the optics have been horrible."

Equifax had plenty of time to prepare a better response, Sutton says. The company should have known there would be a tsunami of concern following the breach disclosure and put in place measures for handling questions from concerned consumers.

"Equifax badly bungled the release of the website meant to provide answers. There were initially connectivity problems, and once it came online, it provided limited and sometimes contradictory information, even responding to nonsense requests," Sutton notes. The website was a critical component of the communication strategy and should have been thoroughly vetted before it went live.

Chris Pogue, global head of security at Nuix, predicts that the data compromise will likely result in the biggest class-action lawsuit in data breach history. "They'll probably debate the defensible position of reasonableness, which asks, 'Did Equifax do what was reasonable to protect this data?'" Pogue says. "In my opinion, they would be hard-pressed to find a security expert who says they took those steps."

All of the public statements that Equifax has made about the breach so far have likely been carefully vetted by lawyers, because the company knows it is going to court over this. So, when the full details emerge, things are going to get far worse for Equifax, Pogue predicts.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955,
User Rank: Ninja
9/13/2017 | 2:52:04 PM
Too stupid to believe
I have found an article on LinkedIn indicative that an Equifax website based in Argentina (and limited thereto) was secured by the highly innovative user-password combination of ...... sitting down, security professionals? Have a strong drink at the side???

Here: admin / admin

True.