Consumer anger over Equifax, but Washington stands still

he Consumer Financial Protection Bureau has received over 20,000 complaints about Equifax since the colossal data breach that impacted roughly 148 million Americans, according to a new reportissued Monday by a group of Democratic senators.

The examination from Sens. Elizabeth Warren, Brian Schatz and Bob Menendez also found that despite consumers contacting the agency “at nearly twice the rate they did before the recent data breach,” the CFPB has taken no action against the credit score giant. The lawmaker trio also sent a letter to CFPB leaders detailing their findings.

“The bottom-line is simple: Consumers are reaching out to the CFPB to help them deal with Equifax-related problems,” the report states. “As part of its duty to consumers, the CFPB must continue a full-throated investigation into the Equifax breach.” Menendez said the report “confirms our worst fears — that the breadth and depth of the Equifax breach has had and continues to have a devastating impact on the financial well-being of millions of Americans.”

Despite the report and urging of some lawmakers, however, Capitol Hill has also done nothing legislatively about the unprecedented breach. As Martin reported several months ago, a working group focused on developing data breach legislation is effectively on hold, falling victim to jurisdictional issues.

The inaction stands in contrast to the ongoing movement at the state level. In June, Alabama will become the 50th state to enact its own data breach notification law. The statute, which was approved in late March, will require organizations and agencies, or “covered entities,” to notify data breach victims within 45 days, while so-called “third-party agents” must notify such entities within 10 days of discovery of a breach of security. An organization must notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 state residents.

HAPPY TUESDAY and welcome to Morning Cybersecurity! We’re MC-ing by committee while Tim is out sick. Send your thoughts, feedback and especially tips to, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

POLITICO’s Ben White is bringing Morning Money to the Milken Institute Global Conference to provide coverage of the day’s events and evening happenings. The newsletter is running April 29 – May 2. Sign up to keep up with your daily conference coverage.

DNC OFFERS CYBER SHOPPING GUIDE — The Democratic National Committee on Monday launched a new tech pilot program designed to help political campaigns sort through myriad offerings from the private sector, including on cybersecurity. “Over the last year, so many new innovators have emerged to help provide tools to our Democratic candidates,” wrote Sally Marx, tech program manager at DNC, on Medium. “However, we’ve heard repeatedly from candidates and campaign staff that they are unsure what tools are out there, and simultaneously feel as if they are being fed too much information by vendors.” The first two security vendors picked for the “I Will Run” marketplace are the encrypted apps Wickr and Signal. Others are expected to be added later under the pilot program that begins in seven states.

THE TELEGRAM SAGA CONTINUES — A coalition of human rights and internet freedom groups banded together Monday to “strongly condemn” the Russian government’s decision to block the secure messaging app Telegram from operating in the country. The Kremlin barred Telegram after it refused a telecom regulator’s demands to decrypt messages for the government. “We call on Russia to stop blocking Telegram and cease its relentless attacks on Internet freedom more broadly,” the groups — which include Amnesty International, Human Rights Watch, the Committee to Protect Journals, the Electronic Frontier Foundation and Reporters Without Borders — said in their letter. The move has also sparked large rallies in Moscow in recent weeks.

Roskomnadzor, the telecom regulator, made its demand under the 2016 “Yarovaya Law,” which requires companies to turn over plain-text communications data to the government as part of counterterrorism efforts. According to the human rights groups’ letter, a provision of the law taking effect in July will require companies to retain all user communications for six months and turn it over to authorities without the currently required court order. “Such attempts by the Russian authorities to control online communications and invade privacy go far beyond what can be considered necessary and proportionate to countering terrorism and violate international law,” the letter said.

The civil society groups also urged international organizations like the United Nations and the European Union to “scrutinise and publicly challenge Russia’s actions in order to uphold the fundamental rights to freedom of expression and privacy both online and-offline.” And they demanded that tech companies “resist orders that violate international human rights law.” Around the same time that the groups released their letter, Iran joined Russia in blockingTelegram.

MAKING WATCHING SAFER — An Atlanta company became the first to move into the final phase of a Homeland Security Department research and development initiative, with a method of securing internet-connected video surveillance systems, DHS announced Monday. Under a nearly $200,000 grant for the fourth and final phase, the company, Ionic, will move from prototype testing to pilot deployment. “We look forward to the ways this technology could provide enhanced options for critical infrastructure security,” said Melissa Ho, managing director of the initiative, known as the Silicon Valley Innovation Program and located in DHS’s science and technology wing.

IN OVER THEIR HEADS? — An anecdote from a New Yorker article about hacking back illustrates the dangers of letting companies take the fight to the hackers battering their networks. According to the new story, former Israeli intelligence officer Eran Reshef co-founded an anti-spam company, Blue Security, that angered a Russian spam kingpin suspected of having ties to the mob. When the spammer demanded that Reshef shut down the service — which automatically returned spam messages to their senders and overloaded the spammers’ systems — he refused. Soon, Reshef received an email from the Russian spammer with an attached photo “showing a Blue Security executive’s children playing outside.” This finally convinced Reshef to shut down his company.

The anecdote reflects the perils of companies meddling in the activities of powerful cyber criminals, some of whom have government links, cyber experts said. “F/ing with organized crime, especially when it’s backed up by a government, is not for the faint of heart,” tweeted Aaron Weisburd, a senior fellow at the George Washington University Center for Cyber and Homeland Security. “Outside of outright negligence of your security,” tweeted Scott Radcliffe, who leads the public relations firm FleishmanHillard’s privacy and cyber risk practice, “this would probably be the best way to actually put a target on your back — not to mention chances you hit your intended target are very low.”

PLANS ON PLANS ON PLANS — Rhode Island election officials hosted a public forum Monday to discuss how the state could spend its $3 million in election security funding from Congress. The heads of the state’s elections department and election board “presented a series of recommendations with a special emphasis on cybersecurity and securing elections administration,” according to a statement from the office of Rhode Island Secretary of State Nellie Gorbea. The state officials discussed options including updating the voting registration database, deploying digital tools like “asset management and database activity monitoring” on state networks, using risk-limiting audits, and setting up online training sessions for poll workers.

RELITIGATING THE SONY HACK — “Honestly, I really don’t think North Korea hacked Sony,” actor Seth Rogen says in a new interview with New York magazine. Rogan starred in and co-directed the “The Interview” — a movie about a plot to assassinate North Korean leader Kim Jong Un — that is widely believed to have spurred Pyongyang to melt Sony Picture’s networks and release the company’s internal documents. But Rogen isn’t so sure, telling the magazine that Sony had told him months before the public hacking incident that it thought the isolated regime had already infiltrated the company, seen the film and releasedhyperbolic statements in response.

“Then, months later, when the movie itself finally came out, all this hacking shit happened,” he said. “This was months after North Korea had probably already seen the movie. Why would they wait? And they never did anything like that before and haven’t done anything like it since.” His theory? “I’ve heard that it was a disgruntled Sony employee. I’ve also heard people say that they think someone was hired to do the hack as a way of getting [head of Sony’s film division] Amy Pascal fired,” Rogen said. “I don’t know if I subscribe to those theories, but I kind of don’t think it was North Korea.”

WHATSAPP CLASHING WITH FACEBOOK? — WhatsApp CEO Jan Koum said Monday night that he is leaving the secure messaging company that he co-founded “to do things I enjoy outside of technology, such as collecting rare air-cooled Porsches, working on my cars and playing ultimate frisbee.”

But there might be more to it than burnout, The Washington Post reported. Koum, the Post said, “is planning to leave the company after clashing with its parent, Facebook, over the popular messaging service’s strategy and Facebook’s attempts to use its personal data and weaken its encryption, according to people familiar with internal discussions.” For his part, Facebook CEO Mark Zuckerbg praised Koum in a Facebook comment, specifically lauding the departed leader for his work on encryption.

Consumer privacy advocates have long expressed concerns about Facebook’s ownership of WhatsApp. The fears spurred the Federal Trade Commission to issue a stern warning to Facebook when it was contemplating purchasing the company. And since the acquisition, privacy watchdog groups have filed formal complaints with the FTC over Facebook’s collection of certain data from WhatsApp.

This article originally appeared on