Slashdot Mirror


Credit Reporting Firm Equifax Announces 'Cybersecurity Incident Impacting Approximately 143 Million US Consumers' (cnbc.com)

Equifax, which supplies credit information and other information services, said Thursday that a cybersecurity incident discovered on July 29 could have potentially affected 143 million consumers in the U.S. "The leaked data includes names, birth dates, social security numbers, addresses and potentially driver's licenses," reports CNBC. "209,000 U.S. credit card numbers were also obtained, in addition to 'certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.'"

Chairman and Chief Executive Officer Richard F. Smith said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident." Equifax is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities.

UPDATE (9/7/17): According to Bloomberg, "three Equifax senior executives sold shares worth almost $1.8 million" in the days after the company discovered the security breach. Regulatory filings show that three days after the breach was discovered on July 29th, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Meanwhile, "Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2."

299 comments

  1. Free Credit Reporting? by Lothsahn · · Score: 4, Funny

    Do I get free credit reporting for this? Is it from Equifax?

    --
    -=Lothsahn=-
    1. Re:Free Credit Reporting? by Anonymous Coward · · Score: 0

      Do I get free credit reporting for this? Is it from Equifax?

      Good lord this is nothing short of a spectacle, if not for so many similar mishaps by less ironic companies.

    2. Re:Free Credit Reporting? by Anonymous Coward · · Score: 0

      Yes (www.equifaxsecurity2017.com)

    3. Re:Free Credit Reporting? by MrLogic17 · · Score: 3, Informative

      You probably know this already, but you already get one free per year from each of the 3 credit reporting agencies. (Thanks Uncle Sam!)

      If you time it right, you can pull one every 4 months (rotating agencies, using each one yearly)

      https://www.annualcreditreport...

    4. Re:Free Credit Reporting? by slew · · Score: 3, Informative

      You probably know this already, but you already get one free per year from each of the 3 credit reporting agencies. (Thanks Uncle Sam!)

      If you time it right, you can pull one every 4 months (rotating agencies, using each one yearly)

      https://www.annualcreditreport...

      Free credit report != Free fraud alert/monitoring.
      Lots of fraud can happen in a 4 month time...

    5. Re:Free Credit Reporting? by Lothsahn · · Score: 1

      Very helpful information, but yes I already knew this. I was just being funny. :)

      --
      -=Lothsahn=-
    6. Re:Free Credit Reporting? by Applehu+Akbar · · Score: 5, Funny

      No, Equifax is going to treat the breach as a "hard pull" on everyone's account and ding your score for it.

    7. Re:Free Credit Reporting? by amicusNYCL · · Score: 3, Funny

      Don't worry, you'll figure it out when someone uses your personal data that they stole from Equifax to open accounts in your name, which causes your credit rating to go down, which will show up on your credit report. From Equifax.

      Anyone want to place wagers on whether or not Equifax will drop your score because people stole your identity with the data they got from Equifax?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    8. Re:Free Credit Reporting? by Nethemas+the+Great · · Score: 4, Informative

      You mean it in humor, but I fear it as fact. 143 million of us just became higher risk.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    9. Re: Free Credit Reporting? by Anonymous Coward · · Score: 0

      Yeah.. it does... as soon as your stolen details are used to empty your accounts... you'll be alerted the moment you use your CC... and get declined!

    10. Re:Free Credit Reporting? by Cederic · · Score: 1

      I read (but can't verify) that enrolling through this site requires you to agree not to sue Equifax.

      Read the T&Cs carefully.

      Disclaimer: I have monetary interests here, so don't trust me.

    11. Re:Free Credit Reporting? by kuhnto · · Score: 1

      Locking your credit reports will go a long way to prevent fraud. It's a pain to do and costs money, but has worked well for me so far.

      --
      "A 'person' is smart. 'People' are dumb, panicky animals and you know that."
    12. Re:Free Credit Reporting? by david_thornley · · Score: 1

      I look over my statements, just in case.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    13. Re:Free Credit Reporting? by slew · · Score: 1

      I look over my statements, just in case.

      Reading many of the comments, I don't think most people understand the threat of identity theft.

      They usually don't use your information to access/empty your existing bank accounts, or charge up your current credit accounts; they attempt to create new credit accounts using your stolen information but with bogus addresses, phone numbers and emails, so you don't know that they did it until the account is so delinquent that it goes into collection (and you get a call from a collection agency trying to track you down).

      Although you aren't technically liable for these things, clearing up your credit can take years (and a significant amount of your spare time) and you will have to deal with the hassle for quite a while.

      Freezing your credit will let you know when they *apply* for the fraudulent credit. Even minimally putting a fraud alert on your credit will alert the business to be extra vigilant before extending credit using those credentials.

      Simply looking over statements sent to you for existing accounts and getting a credit report every 4 months is a piss poor substitute for fraud alert/monitoring. Equifax should be offering to freeze everyone's credit for free that has been affected (instead of giving out free samples of their product for a year in exchange for not suing them).

    14. Re:Free Credit Reporting? by Anonymous Coward · · Score: 0

      I just locked all three of mine earlier, and it didn't cost me anything. This is because of state law. YMMV.

  2. Public Info? by nealric · · Score: 4, Insightful

    At this point, is there anybody left in the U.S. who has not had their names, addresses, and socials stolen in a hack somewhere?

    1. Re:Public Info? by Anonymous Coward · · Score: 1

      Illegal Aliens.....

    2. Re:Public Info? by Anonymous Coward · · Score: 0

      Nope.

      If you are an American and have ever shopped online, it's incredibly probable you've had your data stolen, and I do mean personal information, name, address, SSN, CC#, Employer, phone number, etc. This story alone puts it at 50/50 and if the young'uns think they're safe, they're most at risk, as having student loans and cell phones means you are in the Credit database for all 3 reporting agencies, even if you haven't had to make a payment yet.

      Anyone else think Social Security is gonna need a lot more than 9 numbers soon?

    3. Re:Public Info? by Lab+Rat+Jason · · Score: 5, Insightful

      NOW can we stop using SS# as a national identifier? Jeez!

      --
      Which has more power: the hammer, or the anvil?
    4. Re:Public Info? by Anonymous Coward · · Score: 0

      Why? It's public knowledge already! Wasn't transparency a good thing?

    5. Re:Public Info? by Anonymous Coward · · Score: 1

      Being affected by a data breach doesn't entitle you to have your SSN changed. VERY few people can ever get it changed, no matter how much it gets abused by fraudsters. Victims are normally just expected to be diligent about disputing any accounts opened in their name they didn't authorize. No way half the population will get a new SSN.

    6. Re:Public Info? by Anonymous Coward · · Score: 0

      Iris scans and PKI for everyone!!! Actually, I'm okay with it.

    7. Re:Public Info? by Anonymous Coward · · Score: 1

      At this point, is there anybody left in the U.S. who has not had their names, addresses, and socials stolen in a hack somewhere?

      Little Bobby Tables.

    8. Re:Public Info? by networkBoy · · Score: 5, Insightful

      Why?
      It *is* a national identifier. It needs to stop being used as an authenticator.
      SSN and Name first, Name last, Name middle should be interchangeable from a data and security standpoint.

      The problem is that SSNs have been used as authenticators for the name and that's not what they were designed for.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re:Public Info? by fustakrakich · · Score: 1

      Name first, Name last, Name middle

      Usually you fill out the form: Last Name First Name Middle Name Last...

      --
      “He’s not deformed, he’s just drunk!”
    10. Re:Public Info? by Anonymous Coward · · Score: 0

      Student loans, yes. Mobile phones, not really. My mobile phone carrier doesn't even know my name.

    11. Re:Public Info? by Lab+Rat+Jason · · Score: 4, Insightful

      It is an imperfect national identifier because not everyone in the nation has one. It is an imperfect national identifier because you cannot change it when compromised. It is an imperfect national identifier because the nation allowed it to be hijacked as a commercial identifier. Banks and creditors in general should have to fend for themselves if they want to properly identify a debtor, rather than relying on a number that was issued for a completely different purpose.

      --
      Which has more power: the hammer, or the anvil?
    12. Re:Public Info? by Anonymous Coward · · Score: 0

      > It *is* a national identifier.

      No, it is not since it is not unique. You sound like the type of jerk that would make it a unique key in a relational database.

      My father received his SSN from the railroad he worked for, and they gave the same number to someone else too. This happened a lot since they were originally given out by individual local post offices and a lot of companies. There's tons of duplicates because of either poor communication or typos. Yes, typos since all of the original cards were typed by hand. My father had trouble all of his life with your kind that spews the lie that SSNs are an identifier. They are not since they are not unique.

    13. Re:Public Info? by Anonymous Coward · · Score: 0

      I had a great-aunt that had a duplicated number. She was beaten and raped by a group of black boys that then followed her around terrorizing her for weeks. They also stole her SSN card. She got a protective order from a judge, and she used that to get the Social Security Administration to issue her a new number. That problem can be fixed. Your father might have to lie about a threat to his life. They won't give it for civil reasons like identity theft, but will do it for more serious reasons.

      Worked for a bank for thirty-one years now, and it's just amazing to me how many stupid angry kids tell the lie that SSN are unique. They are not, but that doesn't stop them from their stubborn stupid assumption that they just can't give-up on. The bank I work for won't do business with a new customer that has the same SSN as an existing customer. We decided it was cheaper to screw over that person even though the problem wasn't their fault than fix our broken software. It's sad that we punish people for something they can't control.

      It's going to be amusing when we start reusing numbers. We've already exhausted about 460 million of the 988.9 numbers available. When we start recycling them, it will be amusing to watch those angry children react to that. They keep spewing the unique lie. That lie will be shoved back in their faces then.

    14. Re:Public Info? by vux984 · · Score: 1

      It is an imperfect national identifier because not everyone in the nation has one.

      All identifiers are imperfect.

      It is an imperfect national identifier because you cannot change it when compromised.

      An identifier can't be 'compromised'; it's not really supposed to be a 'secret'. It's flawed to use it as a secret. It's fine as an identifier.

      It is an imperfect national identifier because the nation allowed it to be hijacked as a commercial identifier

      How does that have any bearing on its suitability to be an identifier?

      Banks and creditors in general should have to fend for themselves if they want to properly identify a debtor, rather than relying on a number that was issued for a completely different purpose.

      Um... what should they use? And even if they came up with something, it would be a matter of hours before a table of new_bank_id to ssn's was created, and a few hours more before it was leaked, making it a moot point.

    15. Re:Public Info? by Sloppy · · Score: 1

      It still sounds fine as an identifier. But if anyone is thinking of it as a secret, they probably need to change the combo on their luggage.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    16. Re:Public Info? by Sloppy · · Score: 1

      "143 million U.S. customers" sounds a whole lot like someone's guess as to how many adults live in USA. I don't know if it's correct, but it's gotta be in the ballpark.

      I suspect this means that Equifax leaked their entire database.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    17. Re:Public Info? by Jarik+C-Bol · · Score: 1

      This breach is nearly half of the US. At this point, I assume with total confidence that my data is in the hands of someone it should not be.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
    18. Re: Public Info? by Anonymous Coward · · Score: 0

      Come on it's most likely just some fake bullshit post. Black boys don't even like old white women.

    19. Re: Public Info? by Anonymous Coward · · Score: 0

      It reinforces the truism that blacks can't help but rape white women, which is valuable since with this knowledge white women will be more careful to avoid black men. And thereby avoid making the black men into rapists. Win-win.

    20. Re: Public Info? by Anonymous Coward · · Score: 0

      Government issued key generators. But then again, people will stupidly hand out the serial number for the generator (the seed usually), lose it, etc. leading to much the same problem.

    21. Re:Public Info? by Anonymous Coward · · Score: 0

      Name first, Name last, Name middle

      Usually you fill out the form: Last Name First Name Middle Name Last...

      Usually you fill out a form in whatever layout it has, unless you're a rebel. This may surprise you but other countries do things differently. Dates can be particularly tricky.

      Also, that was in no way the point of the OP.

    22. Re:Public Info? by NicknameUnavailable · · Score: 1

      Iris scans and PKI for everyone!!! Actually, I'm okay with it.

      More likely it will be an excuse to give everyone chips.

      And the second beast required all people small and great, rich and poor, free and slave, to receive a mark on their right hand or on their forehead, so that no one could buy or sell unless he had the mark

    23. Re:Public Info? by thomst · · Score: 1

      NicknameUnavailable predicted:

      More likely it will be an excuse to give everyone chips.

      I like the wavy kind ...

      --
      Check out my novel.
    24. Re: Public Info? by networkBoy · · Score: 1

      A SSN-PIN.

      You are issued a public credential (your SSN) and a private validation token (PIN). PIN can be changed and is offered as a secure authenticated lookup service from the Social Security Administration.

      Still not perfect, sure, but a hell of a lot better.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
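      The SSN-PIN split sketched in this comment, together with the identifier-versus-authenticator distinction from networkBoy's earlier reply, as an added example that is not part of the thread. The CreditRegistry class, the lockout threshold and the enrolled record are constructed; PBKDF2 via Python's hashlib is assumed as the PIN-hashing primitive.

```python
"""SSN as identifier, PIN as authenticator (constructed example).

The SSN is a public lookup key. The only secret is a separate, changeable PIN,
stored as a salted PBKDF2 hash. A leaked SSN plus name is enough to pass the
weak check but not the PIN-based one, and repeated wrong PINs lock the record
so a short PIN cannot simply be guessed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor for this demo
MAX_FAILED_ATTEMPTS = 5       # lockout threshold for the PIN authenticator


class CreditRegistry:
    """Hypothetical registry keyed by SSN (all names and values constructed)."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, ssn, name, pin):
        salt = os.urandom(16)
        self._records[ssn] = {
            "name": name,
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "failed": 0,
            "applications": [],
        }

    def lookup(self, ssn):
        """Identifier use only: find the record, expose nothing secret."""
        rec = self._records.get(ssn)
        return None if rec is None else {"name": rec["name"]}

    def verify_pin(self, ssn, pin):
        """Authenticator check: constant-time compare, with lockout."""
        rec = self._records.get(ssn)
        if rec is None or rec["failed"] >= MAX_FAILED_ATTEMPTS:
            return False
        ok = hmac.compare_digest(rec["pin_hash"], self._hash_pin(pin, rec["salt"]))
        rec["failed"] = 0 if ok else rec["failed"] + 1
        return ok

    def rotate_pin(self, ssn, old_pin, new_pin):
        """The authenticator can change; the identifier never has to."""
        if not self.verify_pin(ssn, old_pin):
            return False
        rec = self._records[ssn]
        rec["salt"] = os.urandom(16)
        rec["pin_hash"] = self._hash_pin(new_pin, rec["salt"])
        return True

    def apply_for_credit_ssn_only(self, ssn, name, lender):
        """Weak design: treats knowledge of identifiers as proof of identity."""
        rec = self._records.get(ssn)
        if rec is None or rec["name"] != name:
            return False
        rec["applications"].append(lender)
        return True

    def apply_for_credit(self, ssn, pin, lender):
        """SSN-PIN design: the SSN selects the record, the PIN authorizes."""
        if not self.verify_pin(ssn, pin):
            return False
        self._records[ssn]["applications"].append(lender)
        return True


def build_demo_registry():
    """One enrolled consumer; area number 000 is never issued, so the SSN is a safe fake."""
    reg = CreditRegistry()
    reg.enroll("000-00-0001", "Alice Example", "4921")
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    # Leaked identifiers alone defeat the weak check ...
    print("ssn-only:", reg.apply_for_credit_ssn_only("000-00-0001", "Alice Example", "ExampleBank"))
    # ... but not the PIN-protected one.
    print("wrong pin:", reg.apply_for_credit("000-00-0001", "0000", "ExampleBank"))
    print("right pin:", reg.apply_for_credit("000-00-0001", "4921", "ExampleBank"))
```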
    25. Re:Public Info? by saccade.com · · Score: 1

      Probably not. Given a total US population of 320M, leaking data on 143M probably covers most every adult with a credit card.

    26. Re:Public Info? by thomst · · Score: 1

      Y'know, given that TFS states that 209,000 credit card numbers were compromised, I tend to think that the whole "potentially exposing the data of 143 million customers" hyperventilation is an invention of TFA's author, and that the actual number of customers whose data was exposed was 209,000 or fewer (because of the 182,000 customers' dispute data specifically mentioned thereafter, and assuming that 27,000 of those customers had two credit cards listed in their dispute files).

      I'm just sayin' ...

      --
      Check out my novel.
    27. Re:Public Info? by reboot246 · · Score: 1

      My Social Security card is old enough to have this printed on it: "Not to be used as identification."

      But everybody and his brother will ask for it every time you try to do business with them - the doctor, the phone company, the cable company, etc. etc. etc.

      I always ask why they need it and they can never come up with a good answer. I also don't have my SS# on my driver's license.

    28. Re:Public Info? by Anonymous Coward · · Score: 0

      I'm sorry facts are racist.

    29. Re:Public Info? by CaptainDork · · Score: 0

      Illegal aliens are those who have been deported and returned.

      The way we know they returned is that they were documented when we deported them.

      The phrase you were looking for is "undocumented non-US citizens."

      --
      It little behooves the best of us to comment on the rest of us.
    30. Re:Public Info? by KingMotley · · Score: 1

      No, it is not since it is not unique

      Ah, but it absolutely IS unique. There may be someone else incorrectly claiming that number was assigned to them, and it does happen, but the number absolutely is unique. Your father may "share" a number with someone else, but only one of them is correct.

      The SSA attempted a few times to correct these errors, but were shut down by immigration lobbyists. That needs to change. If immigrants want to work here, fine, and if they want or need a SSN, then they should get one rather than just "borrowing" someone else's.

      And stop being an anonymous coward. If you are going to make incorrect statements like an idiot, then please, put your name to it, or don't post.

    31. Re:Public Info? by Nethemas+the+Great · · Score: 1

      No. States rights; invasion of privacy; {...}; get off my lawn!

      --
      Two of my imaginary friends reproduced once ... with negative results.
    32. Re:Public Info? by Nethemas+the+Great · · Score: 1

      At this point, I assume with total confidence that my data is in the hands of someone it should not be.

      It took you this long...

      --
      Two of my imaginary friends reproduced once ... with negative results.
    33. Re:Public Info? by Anonymous Coward · · Score: 0

      When I went to college in the 1980s our social security numbers were used as a student ID number.

    34. Re:Public Info? by jmccue · · Score: 1

      NOW can we stop using SS# as a national identifier? Jeez!

      Well many years ago companies and government were told/encouraged/warned NOT to use the SSN for ID purposes and my original card had something like that printed on it. Of course everyone and their brother ignored that. So here we are.

    35. Re: Public Info? by Anonymous Coward · · Score: 0

      You are a scumbag of the highest order, far worse than the millions of illegal aliens in this country. They only broke the law trying to get better lives. You try to cover up their 11 million crimes.

    36. Re: Public Info? by Anonymous Coward · · Score: 0

      It has everything to do with it.

      How many gangs of white, Asian, hispanic, Indian, or anything else raped her? None.

      Duh. SJW are so stupid.

    37. Re:Public Info? by Anonymous Coward · · Score: 0

      Is your name Will Stockdale by any chance?

    38. Re: Public Info? by Trondheim · · Score: 1

      You make it sound like it was a just, valiant cause for them, coming to this country and breaking our laws. Just so they can have a better life. And then many of them turn to identity theft to be able to get the benefits of being a citizen. Sorry, that just doesn't fly.

    39. Re:Public Info? by Anonymous Coward · · Score: 0

      No, they're not unique.

      Once a death certificate is issued and the SSA gets notice of it, the SSA puts that SSN into a short timeout queue and then dumps it back into the available pool. From what I remember, that timeout is about 6 months.

    40. Re:Public Info? by Anonymous Coward · · Score: 0

      Are you familiar with the pigeonhole principle? At some point the numbers will run out and they'll have to start reusing old ones. And then there will be people who have the same number as somebody who died decades earlier.

      On the other hand, maybe they'll decide that the pain of expanding the field from 9 digits to something else will be less than that of reusing numbers, but we won't know how we'll cross that bridge until we get to it.

      dom

    41. Re: Public Info? by Anonymous Coward · · Score: 0

      You clearly don't understand the situations a lot of these people are fleeing. In many instances it is about trying to actually live a life instead of getting killed for various ethnic or religious reasons. Additionally, there are over 800,000 people that didn't break any laws but are still not documented. They had no choice because their parents literally carried them here. Now they will be forced to leave the only place they knew, and abandon any dreams or goals they had been working towards.

      You also use the word laws, in most instances it is just one law. If we didn't force them to break others they wouldn't.

    42. Re:Public Info? by jezwel · · Score: 1

      It's going to be amusing when we start reusing numbers. We've already exhausted about 460 million of the 988.9 numbers available.

      Can you not change it to alphanumeric?

      If you started that process now, everything used everywhere would have time to be replaced with updated software that can handle that format - even those places running COBOL or FORTRAN or whatever the flavor was 40 years ago.

    43. Re:Public Info? by Anonymous Coward · · Score: 0

      But my duplicated social security number means I can vote twice in different areas. (yeah, I had to put the politics into it, because well, yeah.. politics suck)

    44. Re:Public Info? by DarkMagician07 · · Score: 1

      Mine has that on it, as well, as do my kids' SSN cards. To my knowledge, it's on all SSN cards, though I haven't seen any that are newer than 11 years ago.

    45. Re:Public Info? by dgatwood · · Score: 2

      Victims are normally just expected to be diligent about disputing any accounts opened in their name they didn't authorize. No way half the population will get a new SSN.

      You see, I think that victims being diligent is just as much the wrong answer as getting a new SSN. It isn't our responsibility to catch bad guys in the act when they use our name and SSNs to obtain credit. It is the credit reporting agencies' responsibility to exercise due diligence in determining whether or not someone should extend credit in my name, and in determining whether claims of failure to pay back said credit are legitimate or the result of fraud. That's literally what companies are paying them to do!

      More to the point, calling anything "identity theft" is, in fact, a lie. It isn't identity theft, because you can't steal someone's identity. We should just cut all the politically correct crap and call it what it is: libel arising out of gross negligence.

      When a company makes false claims about an individual, that's libel. It is illegal. So when a credit bureau claims in writing that you obtained credit that you did not, they are violating the law, and you can sue them. If every victim of so-called identity theft—every victim of gross negligence by credit bureaus to exercise due diligence—were to sue the credit reporting agencies for libel, they would have two choices: go out of business or start doing their [expletive deleted] jobs.

      More to the point, because it occurs en masse, one could argue that it rises to the level of criminal libel, at least in states where such laws still exist (including California, as of last year).

      Of course, libel is just the beginning of the laws that the credit bureaus are breaking. If I were an attorney general, I would have long ago prosecuted the heads of the major credit reporting bureaus under RICO statutes, because they're quite literally profiting from every side of identity theft:

      • They profit from not having to incur the cost of due diligence to ensure that requests for credit are legitimate.
      • They profit from selling the potentially libelous credit reports to companies.
      • They profit from selling "credit watch" services to protect people's credit from future fraudulent credit requests and the libel arising out of those requests. (That's a nice credit score you have there. It would be a shame if something... happened to it.)

      Literally, these credit watch services do nothing but protect the consumers from libel by the credit bureaus that sell the credit watch services. That's the textbook definition of racketeering! How are these people not in jail yet? Because they have money? Because they're hiding behind the corporate veil? These companies should simply be RICOed out of existence.

      I've said for years that the only thing that would ever force these clowns to clean up their act would be if every SSN in the U.S. got compromised, and that it was only a matter of time before the entire credit bureau industry came crashing down like a house of cards. With this one incident, our country got most of the way there. That 143 million people is almost everyone who has applied for credit or bought cable TV service or phone service or really just about anything else in the past ten years. It includes nearly the entire working population of the U.S. Clearly, SSNs are not even slightly useful as a "secret" anymore, and any credit bureau claiming otherwise is peddling libel and fraud.

      So what remains is for the credit bureaus to pull their heads out of their collective a**es and implement a proper callback-based verification scheme in which a reasonable attempt is made to verify every request for

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    46. Re:Public Info? by thegarbz · · Score: 1

      It is an imperfect national identifier because you cannot change it when compromised

      You're doing exactly what the GP said not to do. An SSN is an identifier, not an Authenticator. It is not possible to compromise an identifier any more than another person who has the same name as you "compromises" your name.

      Or should I "compromise" your Slashdot account by going over to soylent news and signing up as Lab Rat Jason?

    47. Re: Public Info? by Jesus+H+Rolle · · Score: 1

      Ruffles have ridges!

    48. Re: Public Info? by Anonymous Coward · · Score: 0

      No, but mine is. What can I do you for?

    49. Re: Public Info? by Jesus+H+Rolle · · Score: 1

      Same at least as late as the early 00s. It was printed on every student ID.

    50. Re: Public Info? by Anonymous Coward · · Score: 0

      Your reasoning is false, naive and childlike and you have no understanding of the facts.

      Less than 2% of illegal immigrants in the EU are refugees. Less than 0.5% are financially backed migrants. The vast majority of the remaining 98% ish are economic migrants. That means they move to get free money, housing and healthcare at the expense of the native population. Every economic migrant coming to the EU takes on average 29k euros out of the local tax payer funds in the first year alone! In Europe this has destroyed healthcare, policing, local community funding and more.

      The US situation is the same give or take a couple of percent. Now go and apply that to your 800k illegal dreamers and figure out what it costs. Now apply it to all illegal immigration and you can see the cost will take decades to recover from even if it all magically stopped now and everyone went home.

      That all ignores the community and financial cost of their crime which is so high it's pretty much incalculable.

    51. Re: Public Info? by Anonymous Coward · · Score: 0

      Yes it does, it gets that from the people you communicate with.

    52. Re:Public Info? by AmiMoJo · · Score: 1

      We need to accept that there will never, ever be a unique, permanent identifier for every person. As useful as such an identifier would be, it can't exist.

      Government issued IDs don't get issued to everyone, and due to errors sometimes get duplicated or associated with the wrong person. Names are not unique, even combined with dates of birth and the like. Names change over time, e.g. due to marriage. People are recorded as dead and then turn up alive and well more often than you might think, most often due to the clerk paper-murdering the wrong person.

      This means that the banking system and a lot of other stuff needs to change.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    53. Re: Public Info? by cyber-vandal · · Score: 1

      [citation needed]

    54. Re:Public Info? by Anonymous Coward · · Score: 0

      It had everything to do with white people wanting to NOT live around other races. But nice try at silencing those of us who refuse to go along with our own genocide...
      Quick, scream "racist" again, that will make white people start buying houses in majority non-white areas...
      You aren't sorry that she was hurt, otherwise you wouldn't be trying to silence victims of genocide, so that the genocide can continue...

      You seem to believe that non-whites are inferior to whites and HAVE to live around white people to 'get a better life'. Care to explain?

    55. Re:Public Info? by Anonymous Coward · · Score: 0

      Yes!

      But only the illegal immigrants who came within the last four days.

      Everyone else is f****ed already.

    56. Re:Public Info? by Anonymous Coward · · Score: 0

      No, they're not unique.

      Once a death certificate is issued and the SSA gets notice of it, the SSA puts that SSN into a short timeout queue and then dumps it back into the available pool. From what I remember, that timeout is about 6 months.

      And shouldn't that (supposedly) be unique for each (alive) person? You are too literal on the meaning of the word "unique".

    57. Re:Public Info? by Anonymous Coward · · Score: 0

      Flamebait

      Hmm, another couple of asshole moderators that don't understand the English language or are carrying a grudge. Eh, whaddya gonna do? I guess we're always going to bump into that occasionally. Idiots!

    58. Re:Public Info? by Anonymous Coward · · Score: 0

      different A/C here, you sound deranged

    59. Re: Public Info? by Anonymous Coward · · Score: 0

      That's a good story. I've known plenty of illegals, and only one was anything other than a good person who just wanted to go to work and get paid for it. The other was a criminal. Extreme poverty creates those. Let's work on reducing extreme poverty in immigrants.

    60. Re:Public Info? by Anonymous Coward · · Score: 0

      Or "Democrats" for shorthand.

    61. Re:Public Info? by Anonymous Coward · · Score: 0

      There were 25 million numbers issued within three months starting in 1936 from over a thousand different post offices and several private companies. Do you really think there were no mistakes made in coordinating numbers given to different locations to type the cards and paperwork? And, no typos made?

      There are a lot of duplicate SSN numbers. It's the racist Republicans that claim they exist because they want to create BS stats about how many SSNs are being used by illegals. No. Having duplicates is just how it be.

    62. Re:Public Info? by Jarik+C-Bol · · Score: 1

      Correction: "At this point, I've long assumed"

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
    63. Re:Public Info? by nealric · · Score: 1

      Probably not even most of them. If they've been using a fake SSN (which they need unless they are only making cash under the table), that SSN has probably been associated with them for credit reporting purposes. Even the ones who are 100% cash under the table probably have some identifying information out there that has been hacked- ID numbers from their country of origin, etc.

  3. I have one thing to say by gerald.edward.butler · · Score: 5, Insightful

    CLASS ACTION LAWSUIT! These companies that want to collect all this personal data of people and fail to protect it need to be sued into non-existence!

    1. Re:I have one thing to say by Anonymous Coward · · Score: 0

      If you did that, there would be no companies left.

    2. Re:I have one thing to say by Anonymous Coward · · Score: 0

      I don't see a problem with that.

    3. Re:I have one thing to say by ichimunki · · Score: 1

      If that doesn't work, perhaps a law stating that the person who is the subject of a credit check gets to designate which credit reporting agency is to be used by their potential creditors.

      --
      I do not have a signature
    4. Re:I have one thing to say by Anonymous Coward · · Score: 0

      My designated agency would be nullptr in that case.

    5. Re:I have one thing to say by burtosis · · Score: 1

      The problems are billion dollar companies are first class citizens with rights. Plebs don't get any rights above them. Hell we plebs are lucky to have any rights, they only exist at the pleasure of these giants among men.

    6. Re:I have one thing to say by AmiMoJo · · Score: 1

      This could be a lawsuit goldmine. Not just for the breach, but for errors people will now be able to discover in their reports.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:I have one thing to say by BitterOak · · Score: 1

      CLASS ACTION LAWSUIT! These companies that want to collect all this personal data of people and fail to protect it need to be sued into non-existence!

      What would be the basis for such a suit? In most cases there's no business relationship between the consumer and Equifax, so there is no implied trust here. Equifax never promised, either directly or implicitly, to the consumer to keep their data secure, so there's no real breach of trust here. I don't see how the consumers have any standing to sue. Perhaps the retailers who supplied the data to Equifax may have some standing to sue as there may have been an implied expectation of privacy, but I don't see how the consumers can sue Equifax directly.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    8. Re:I have one thing to say by Dutch+Gun · · Score: 4, Informative

      It's funny you mention "gold". During the great California and Alaska gold rushes, do you know who really struck it rich? It was the folks selling mining hardware and other supplies to the miners. The vast majority of miners didn't make much at all.

      I think it's an appropriate comparison for modern-day class action suits. These types of lawsuits make lawyers rich, and everyone else gets enough for a free latte or two.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    9. Re:I have one thing to say by Anonymous Coward · · Score: 0

      If Equifax throws a rock through my window, I can sue them even though I did not establish a business relationship with them entrusting them with my rock.
       
      Likewise, if Equifax, through gross negligence, causes me serious harm by giving my personal information to a fraudster who then steals my identity, I can sue even though I never entrusted Equifax with my personally identifying information.

    10. Re: I have one thing to say by Anonymous Coward · · Score: 0

      FYI lawyers don't get rich from class actions. Investors get rich from class actions. Law firms have to borrow large sums to cover payroll during class action litigation and investors extract a heavy price from both sides (to ensure a more reliable return on investment-- not unlike matched betting).

    11. Re: I have one thing to say by Anonymous Coward · · Score: 0

      You would have to prove they did it negligently (very hard to prove especially since they prob were exceeding industry standards and still got hacked)

    12. Re: I have one thing to say by Anonymous Coward · · Score: 0

      In order to get loans, you need a credit score to check. The trust is implied in the forced nature of the relationship. Just because it was mandatory and unprompted on one end doesn't make it less of a business relationship.

    13. Re:I have one thing to say by Anonymous Coward · · Score: 0

      DON'T USE THE LOOKUP TOOL. READ TOS!

      K caps off

      You waive your right to class action and agree to arbitration. Anytime you sign up for an Equifax product you do. Now I get to send them registered letters.

    14. Re:I have one thing to say by CaptainDork · · Score: 2

      Preach it!

      I'm a retired IT guy for some law firms. Management asked me for years, stuff like: WHEN is this spam going to stop?

      My reply, for over 20 years was, "Maybe after you use your goddam talents and sue the mother fuckers."

      Litigation cures a lot of ills.

      Companies will not address security until it falls outside the cost of doing business.

      For reference, see litigation regarding fire codes.

      --
      It little behooves the best of us to comment on the rest of us.
    15. Re:I have one thing to say by HeckRuler · · Score: 1

      There would certainly be company-sized HOLES that other companies could fill. There would be voids and vacuums for periods of time, and there's a real risk that corporate espionage would be a big tool for corporations to simply kill each other. But I don't think any business should be "too big to fail". If they screw up, they should pay. If that brings them under, so be it. Have a fire-sale and let some younger company pick up the pieces and start anew. Hopefully with something that doesn't pollute cyberspace with all of our info.

    16. Re: I have one thing to say by Anonymous Coward · · Score: 0

      Industry standards... voluntary standards you mean? Regulate the hell out of these scumbags. Warren 2020!

    17. Re:I have one thing to say by pnutjam · · Score: 1

      I'd like a free latte.

    18. Re: I have one thing to say by Anonymous Coward · · Score: 0

      FYI lawyers don't get rich from class actions. Investors get rich from class actions. Law firms have to borrow large sums to cover payroll during class action litigation and investors extract a heavy price from both sides (to ensure a more reliable return on investment-- not unlike matched betting).

      Then the law firm (or the managing partner) you are talking about is stupid if they have to borrow a huge lump sum of money for a class action. There should not be a "payroll" on a class action case; it should be "legal fees" which are paid "per hour of work". However, law firms usually abuse it by putting in more hours than they do to extract more reward money if they win the case. Also, they usually assess a class action case BEFORE they decide whether they will take the case. All in all, they will get rich but may not be as rich as they want to in some cases.

    19. Re:I have one thing to say by Cederic · · Score: 1

      Well, in the UK there's a metric fuckload of regulation to which they must adhere.

      There's also something fun coming down the track: GDPR. Equifax are very very lucky that this happened in May 2017 and not May 2018.

    20. Re:I have one thing to say by Anonymous Coward · · Score: 0

      What would be the basis for such a suit? In most cases there's no business relationship between the consumer and Equifax, so there is no implied trust here. Equifax never promised, either directly or implicitly, to the consumer to keep their data secure, so there's no real breach of trust here.

      Ok...

      Is there a position of trust and expectation of competence, or are they just the biggest stalkers in history? You know, spying on and collecting data on one or more persons by an individual would get you in some pretty hot water.

      Do you think corporations are special people that are above the law? This bullshit of having different sets of rules for the rich vs everyone else makes revolution much more likely.

    21. Re:I have one thing to say by BitterOak · · Score: 1

      Likewise, if Equifax, through gross negligence, causes me serious harm

      Negligence implies a duty of care. I don't know that Equifax has a duty of care to these consumers in this case. Unless there's some regulation I'm not aware of. Perhaps as a result of this, some new regulations will be passed, but they can't apply retroactively. So again, I don't think there's standing to sue in this case.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  4. Opt out? by Anonymous Coward · · Score: 1

    I have never trusted these credit companies, and now I can point to why.

    I don't want any more credit cards. I have no need for asking for more credit.
    I don't recall ever being asked by my bank for permission to share information with Equifax or Transunion.

    Would it really break the US banking system, if there was a way for us to opt out of having our spending history sent to 3rd parties?
    (Equifax is third party between me and my bank)

    Why is there this assumption of agreement for this sharing of information?
    I don't recall any newspaper articles about a national discussion and debate on this decision?
    When did it happen? Who decided that this was okay?
    In the 1940s - did Equifax exist then? At some point the banks decided to share this?

    1. Re:Opt out? by MightyMartian · · Score: 1

      I'm fairly certain if you have applied for credit of any kind, somewhere on the dizzying array of forms in the small print you did indeed consent to sharing your financial information with Equifax. In fact, I doubt there's any kind of main street lender anywhere in the US or Canada that would loan you so much as a penny without consenting to this, so about the only way you could have borrowed money without this consent if it was from a guy in a trenchcoat in a dark alley who went by the name "Vinny the Knife".

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Opt out? by Anonymous Coward · · Score: 0

      Neat! I didn't consent to sharing with some Ukrainian hackers!

    3. Re:Opt out? by MightyMartian · · Score: 1, Insightful

      Neither did Equifax, I'm sure. Their crime is not securing their systems, which would obviously be a very attractive fruit for any hacker to try to pluck, and in a perfect world Equifax would be fined billions of dollars and its management would rot in prison cells for a very long time. As it is, I'm sure the FCC will do some shoddy little investigation that amounts to a few million dollars in fines, and there will be a class action lawsuit that probably will see some small fraction of the victims get some measly payout sometime before the heat death of the Universe.

      I'll tell you who's clinking their champagne glasses right now, it's the lawyers. No matter who loses, they always win.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Opt out? by Dutch+Gun · · Score: 1

      Company-destroying fines or jail sentences will probably just mean said companies will do anything to cover up this sort of breach. Moreover, these sorts of breaches can occur even when everything is done as correctly as possible due to things like targeted spear-phishing or rogue employees. We want companies to be able to disclose these sorts of things responsibly, even if it was their lack of proper oversight that caused the problem in the first place (and yes, most of the time it DOES seem to be their fault).

      Perhaps a different approach is needed. Say we pass a law that requires companies which store personal data to divert a small percentage of profits into some sort of escrow fund which grows proportionally to the amount and sensitivity of the personal information they're storing. If a breach occurs, that escrow fund is drained and distributed to the victims, and the company has to start re-filling a new fund.

      This gives an immediate, tangible incentive to protecting that data, and not only that, gives the data an unambiguous monetary value, which creates a strong incentive to protect it just like any other asset. This also creates a disincentive for companies to collect personal information "just because". They immediately are subjected to much more government regulation and oversight, and such data becomes a potential financial drain if not properly managed.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    5. Re:Opt out? by jeff4747 · · Score: 2

      I don't recall ever being asked by my bank for permission to share information with Equifax or Transunion.

      It's buried in the boilerplate you signed when opening your account(s).

      The company names may or may not be there. If they are not there, the paperwork uses something vague like "credit reporting agencies" or even "third parties".

      Would it really break the US banking system, if there was a way for us to opt out of having our spending history sent to 3rd parties?

      Only in as much as you'd never be able to get a loan, rent a house/apartment or open a new bank account ever again.

      Why is there this assumption of agreement for this sharing of information?

      Because 1) you agreed to it, and 2) centralized reporting is very handy for creditors.

      I don't recall any newspaper articles about a national discussion and debate on this decision?

      It's not a law, so there was no national debate. Theoretically, banks do not have to use credit reporting agencies. However, they all do.

      In the 1940s - did Equifax exist then?

      Nope. And it was much, much harder for any but the wealthy to get loans.

    6. Re:Opt out? by Comrade+Ogilvy · · Score: 1

      I once had an identity theft incident, nearly 25 years ago, where a couple credit cards were taken over (mailing address changed, and new copies of credit cards shipped) and a few new credit card accounts opened. I caught the problem early enough that the damage was minor, more nuisance than financial.

      But a little digging and simple deduction led me to this conclusion: someone gained access to my full name, mailing address, SSI, mother's maiden name, and multiple open credit card account numbers. Now where in the universe can this entire array of data be found in one place? My bank? Nope. University? Nope. Employer? Nope. Any one credit card company? Nope.

      You guessed it! Credit reporting agencies.

      Now it is theoretically possible that an energetic fraudster could gain a few tidbits and build from there. But the dirty little secret sitting in plain sight is the financial institutions themselves, particularly anyone and everyone who deals with credit card data, are the most likely places to leak. That has been true since forever, and it has not changed and will not change, until the laws are very different.

      From my POV, most credit protection services are really a sick joke: "As your personal bank or personal credit card company, we would be happy to collect a monthly fee to mitigate the risks you bear due to our incompetence."

    7. Re: Opt out? by easyTree · · Score: 1

      Yes, most lenders appear to believe in the ability of these credit agencies to securely store and correctly interpret your data to predict future creditworthiness.

      Equifax et al should pivot to focusing on their core strength which is persuading others of their ability to do the impossible - that is pure gold squared (10% to me for suggesting it: P )

    8. Re:Opt out? by pnutjam · · Score: 1

      Don't forget chexsystem, I guess they are falling under the free credit report law now, good.
      Free report here.

    9. Re:Opt out? by pnutjam · · Score: 1

      No policy that creates a pool of unassigned growing money is a good one. Someone will figure out how to tap it and it will probably be damaging.

    10. Re:Opt out? by Anonymous Coward · · Score: 0

      You probably meant FTC, not FCC.
      Although either one would do the same shoddy job on this. I wonder how much those executives used from the stock sale to buy politicians before this hack was disclosed.

    11. Re:Opt out? by Anonymous Coward · · Score: 0

      So why do they get information from cable and utility companies? They aren't creditors,
      and I never signed a contract with my electric company.

      http://blog.credit.com/2015/04/new-fico-score-factors-in-utilities-how-often-you-move-113098/

  5. The beating will continue.. by WolfgangVL · · Score: 1

    Until accountability is found.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    1. Re: The beating will continue.. by Anonymous Coward · · Score: 0

      This makes me laugh and laugh because it is true.

    2. Re:The beating will continue.. by Anonymous Coward · · Score: 0

      It's called the blockchain.

  6. How to fix the broken system? by gerf · · Score: 1

    Obviously having a lifelong single password (SS#) is not enough anymore. But we still want identification that is relatively quickly accessed and verified. Could we reissue with a public and private key pair for each citizen? Could we trust the certs? What options can the slashdot crowd think of?

    1. Re:How to fix the broken system? by Anubis+IV · · Score: 4, Insightful

      Social Security numbers are fine. The problem is that organizations have foolishly been using them for authentication ("Prove you are you!"), rather than merely identification ("Who are we talking about?"), which was all they were ever designed to do. As a means for identification, it generally still works just as well today as it did when it began. As a method for authentication, it was lousy from the start and has been getting worse by the day.

    2. Re:How to fix the broken system? by fahrbot-bot · · Score: 5, Informative

      Social Security numbers are fine. The problem is that organizations have foolishly been using them for authentication ("Prove you are you!"), rather than merely identification ("Who are we talking about?"), which was all they were ever designed to do.

      Even more narrowly than that. Its original purpose was to track workers solely for use in determining SS benefits - that's it. From The Story of the Social Security Number:

      The Social Security number (SSN) was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels.

      --
      It must have been something you assimilated. . . .
    3. Re:How to fix the broken system? by Anonymous Coward · · Score: 0

      The root of much of this mess is that people think a social security number is a password. It is not. It never has been.

      A social security number is an _identifier_ -- if there are two people named John Smith, then you can tell them apart in your database by having a ssn column, because they will have different ssns.

      It is not, has never been, and never will be, a form of authentication. If I come up to you and say "I'm John Smith!" and you ask for proof, me saying "John Smith's social security number is 123-45-6789!" should never be taken as proof that I am John Smith. As soon as I say that, now you know John Smith's ssn, and can prove that you are John Smith to anyone else dumb enough to believe it is a password. At a minimum, every employer that you have had and every bank you have ever worked with know your ssn, so there will be lots of people with access to that information, even if none of those employers or banks ever hands it out to hackers.

      A physical biometric identifier is at least a start, insofar as it is a lot more difficult for you to start looking like me than to just repeat a number, though it is by no means unbreakable. A public key setup as you propose would be good, provided you could pound into everyone's head that they should never hand their private key to someone else (and you're still vulnerable if I store my private key on my iPhone and someone steals it, or hackers manage to install software that steals it). I've met enough stupid people that I'm dubious you could train everyone to keep their private keys secure. Fundamentally, authentication is a hard problem, and a convenient easy-to-use authentication mechanism that can't be stolen or forged is pretty much impossible.

    4. Re: How to fix the broken system? by gerf · · Score: 1

      Or if the private key is a number/letter matrix and the authentication includes only sending a subset of data for authentication. If one subset is compromised, such as 8 random character positions out of a 40x40 matrix, then the whole is not known. Plus a personal changeable pin to salt it each time. New cards would have to be able to be certifiably re-released as well... Maybe only with biometrics.
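A small simulation of the grid-card scheme sketched in this comment, added here as an illustration and not code from the original thread: a constructed 40x40 card, a server challenge of 8 random cell positions, a response keyed with the user's PIN and a per-attempt server nonce (both hypothetical details), and a helper that counts how many cells an eavesdropper would learn if the raw cell values were ever sent in the clear. The PIN, nonce format and HMAC construction are assumptions, not part of the proposal as written.

```python
import hashlib
import hmac
import random
import string

ROWS, COLS, SUBSET = 40, 40, 8          # card geometry and challenge size from the comment
ALPHABET = string.ascii_uppercase + string.digits  # assumed cell alphabet (36 symbols)


def make_card(rng):
    """Constructed sample card: a 40x40 grid of random alphanumerics (the user's secret)."""
    return [[rng.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]


def issue_challenge(rng):
    """Server side: pick 8 distinct (row, col) positions for this attempt."""
    positions = [(r, c) for r in range(ROWS) for c in range(COLS)]
    return rng.sample(positions, SUBSET)


def respond(card, challenge, pin, nonce):
    """Client side: instead of sending the 8 raw cells, send an HMAC over
    positions + cell values + server nonce, keyed with the PIN.
    The nonce is the 'salt it each time' part: replaying an old response fails."""
    cells = ";".join(f"{r},{c}={card[r][c]}" for r, c in challenge)
    msg = f"{nonce}|{cells}".encode()
    return hmac.new(pin.encode(), msg, hashlib.sha256).hexdigest()


def verify(card, challenge, pin, nonce, response):
    """Server side: recompute with the stored card and PIN; constant-time compare."""
    expected = respond(card, challenge, pin, nonce)
    return hmac.compare_digest(expected, response)


def cells_learned(challenges):
    """Worst case for the naive variant (raw cell values sent in the clear):
    how many distinct cells an observer of these challenges now knows,
    out of ROWS * COLS.  Each challenge leaks at most SUBSET cells."""
    seen = set()
    for ch in challenges:
        seen.update(ch)
    return len(seen)


# Caveat a reviewer would raise: the HMAC hides the cells on the wire, but an
# offline guesser who captures one (challenge, nonce, response) only has to
# search 36**8 cell combinations times the PIN space.  That is far smaller
# than the whole card, so rate limiting and lockout on the server still matter.
if __name__ == "__main__":
    rng = random.Random(2017)           # fixed seed so the demo is reproducible
    card = make_card(rng)
    challenge = issue_challenge(rng)
    nonce = "attempt-0001"              # hypothetical per-attempt nonce
    ok = verify(card, challenge, "1234", nonce, respond(card, challenge, "1234", nonce))
    print("correct PIN accepted:", ok)
    print("cells exposed by one leaked raw response:", cells_learned([challenge]), "of", ROWS * COLS)
```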

    5. Re:How to fix the broken system? by AHuxley · · Score: 1

      Encryption per request? Everyone who wants access gets logged in and has to provide that week's per-session key, token?
      Every data request session has to match up with a real computer in an office with a real human requesting data at a human rate of data access?

      Why not?
      From a used car sale to a gov/mil contractor seeing if the person's data been reviewed has data on them in their own state database.
      The problem with that is then a huge new database exists of who went searching for exactly what, when and why.
      Who gets to review all the new access logs and see who is looking for what?
      That a person wanted to work for the gov/mil and the review search was stopped after a shorter than average time? Why was the person rejected and what exact database was accessed to stop the mil/gov review?
      That's powerful information being kept on who is looking and who looked and for how long.
      Better just to log in a trusted customer and let them search. As long as they have access, data is just readable. Data in a format the customer expects.
      Customers won't trust a system that logs their searches.
      Powerful encryption and logs is not always what the customer wants. They may want access, fast speeds that offer data that's readable from any database. To know that their search terms are secure.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re: How to fix the broken system? by Anonymous Coward · · Score: 0

      Maybe all this trump immigration nonsense can have a positive outcome. Let's fix this shit and get everyone identified and on boarded into this chaotic mess we call a country.

  7. They sat on this? by djembe2k · · Score: 4, Interesting

    Wait. TFA says they discovered this on July 29, and that their "private investigation into the breach is complete." Only now are they going public with this? How much damage could have already been done in the month of August? The breach alone creates a huge liability for them. This delay makes it worse, because they can't blame that on some other bad actor.

    1. Re:They sat on this? by Zxern · · Score: 5, Informative

      They had to wait for a few execs to complete share sell offs yesterday before releasing the public statement.

    2. Re:They sat on this? by thegarbz · · Score: 4, Interesting

      This is a good thing. A privacy breach generally goes unpunished. Insider trading on the other hand...

    3. Re:They sat on this? by Anonymous Coward · · Score: 0

      Why wouldn't this qualify as "Insider Trading"?

      They've sold shares based on knowledge something that could have a significant impact on the share price on the company before it was public knowledge. Hopefully the SEC will be all over them like a rash!

    4. Re:They sat on this? by Anonymous Coward · · Score: 0

      They had to wait for a few execs to complete share sell offs yesterday before releasing the public statement.

      Hopefully they took their money and went off to Barbuda...

    5. Re:They sat on this? by Mr.+Spock · · Score: 1

      Insider trading on the other hand...

      Also goes unpunished. Just don't lie to the FBI, because then you're going to jail.

    6. Re: They sat on this? by maple_shaft · · Score: 1

      Which is illegal because it is trading securities on insider information. Hope the SEC fries these clowns.

    7. Re:They sat on this? by thegarbz · · Score: 1

      Also goes unpunished

      Errr no. It's the one kind of financial fraud that is actually very actively policed and punished. People are getting jailed for it constantly.

  8. That's it... by Thelasko · · Score: 1

    ...society is over. Back to subsistence living and bartering.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  9. Resignations by Monday Morning!!! by Anonymous Coward · · Score: 0

    David Webb, Equifax CIO, and Richard F. Smith, Equifax Chairman and CEO should both resign.
    They should also forfeit any severance/golden parachutes due to the negligence that occurred on their watch.

    1. Re:Resignations by Monday Morning!!! by Narcocide · · Score: 0

      If you don't fire all the DBAs, slipshod sysadmins and 3rd world indentured contract web monkeys too, this type of accountability will be an ultimately futile gesture.

    2. Re:Resignations by Monday Morning!!! by Cederic · · Score: 1

      Why? Which of them had any opportunity at all to prevent this?

      Some of them will have worked on the breached system, but again, why would a company like Equifax ever trust them to properly secure it?

      Surely the people running the company should be mandating, funding and auditing adequate security processes, including providing the right tools and skilled people to execute them.

      You don't sack a DBA for failing to secure a database, you teach them how to secure the next one. You spot that it isn't secure, fix it and then wrap it in monitoring, logging, intrusion detection and all the other goodness that means that even if it does have a vulnerability you didn't spot, you can detect and respond to the breach in seconds or minutes, not two fucking months.

  10. "This is clearly disappointing" by Anonymous Coward · · Score: 0

    Between this and the Anthem hack, it is statistically likely your SSN is no longer private information.

  11. Most of their customers have no recourse by misnohmer · · Score: 5, Insightful

    Typically when a company screws its clients, they risk clients no longer using their service, so usual market forces apply. This is not the case here. Most of their customers never chose to use Equifax or even gave any explicit permission for them to collect their data. Yet, they do collect it and sell credit scores. The problem is that market forces don't work here, i.e. those customers who got hurt are not really paying, or even willing, customers and have no choice to opt out of the service, and those who buy credit scores are not really affected much.

    As much as I am generally against regulation, this is one area I think they should be held fully liable, including compensating any affected customers for ALL of their expenses, including their time at some reasonable rate at or above what that customer usually makes per hour - that includes any waiting on hold while calling any of the companies to clear things out. Maybe this would cost Equifax its life, so be it, the next company will be much more careful what they do with the data. This would be no different than an airline being held liable for damaging property or killing people because their planes are shedding parts - the people hurt are not airline customers, they are the homeowners who had aircraft parts crash through their roof into their living room.

    1. Re:Most of their customers have no recourse by Fly+Swatter · · Score: 1

      The breach only affects consumer data, which is not really a client or customer of Equifax. Those would be the banks and lenders that use their data conglomeration services.

      The thing about this that bugs me is why in the hell were public facing computers holding access to basically everything someone needs to completely take your identity. Why is that company even allowed to hold anything other than your address, ss# and reporting history ? They shouldn't have credit card or even bank account number info imho. If that makes it tough for them to do business, well that is their problem. Ok now I'm ranting, but the whole idea that credit cards have become the way people do business just annoys me. Earn the money, then spend it. Credit cards should be a last resort.

    2. Re:Most of their customers have no recourse by burtosis · · Score: 2

      Reminds me of when Experian basically let all their data be stolen too. They purchased a company that then stole the data. Or when all 3 credit agencies had a breach. But they sure got their due when the hundred billion dollar fines rolled in!!! Just kidding of course, barely a slap on the wrist. Nothing is going to happen and Equifax will promise not to do it again - until it happens again in about 18 months.

    3. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 0

      To be fair, credit reporting agencies were kind of created by the government - specifically the "fair credit reporting act". AS MUCH as I hate the ideology, a true libertarian would argue that government-sanctioned companies like this shouldn't have existed in the first place.

      Also, their purpose is to help lenders and banks make informed decisions about who to do business with, not to help consumers. You are the product, not the customer, so it'd be up to the banks to not do business with these companies. And I doubt banks care much about their breach, so I don't think the free market will fix this problem. You are just a tragedy of the commons.

    4. Re:Most of their customers have no recourse by BitterOak · · Score: 1

      As much as I am generally against regulation, this is one area I think they should be held fully liable, including compensating any affected customers for ALL of their expenses

      The problem is, I'm not sure under what grounds Equifax could be held liable here. When a retailer (such as Target or Home Depot) is hacked, exposing customer data, the customers were able to successfully sue on the grounds that these retailers breached their trust. When a customer hands a credit card over to the retailer, there's an implied trust here: the customer is trusting the retailer not to leak their private info, and when a retailer accepts a customer's credit card, there is an implication that their data will be protected. When the retailers were hacked and customer data stolen, the retailers were liable for breaching that implied trust. There is, however, no implied trust between Equifax and the consumers whose data was leaked. In fact, in most cases, there's no business relationship between the customer and Equifax at all. Since there is no implied trust, there can't be a breach of that trust. So, I really don't see how Equifax can be held liable here. You are suggesting regulation, but what form would this regulation take, exactly? How can you regulate a business relationship which doesn't exist?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    5. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 0

      The thing about this that bugs me is why in the hell were public facing computers holding access to basically everything someone needs to completely take your identity.

      Because credit reporting companies buy, sell, and judge that information. It's their business model, why they exist.

    6. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 1

      You mistake the relationship you have with Equifax. You are not their customer. Their customer is the lender from which you are trying to secure credit, or the employer from which you are trying to secure a job, or the insurance company from which you are trying to secure an insurance policy. You are the product.

      Unfortunately in the case of Equifax, Experian, and Trans Union, you get nothing in return but bent over and fucked. They are essentially allowed to fuck you with no compensation or recourse.

    7. Re:Most of their customers have no recourse by misnohmer · · Score: 1

      Follow my example of an airplane shedding parts causing damage to properties below. There is no implied trust between an air transport company and a homeowner who had a piece of landing gear fall through his roof. There is no business relationship between the air transport company and the homeowner either. Yet, I bet if an engine fell off of a FedEx airplane and damaged someone's home, FedEx would be held liable. IANAL, so you tell me, what would be the grounds FedEx would be held liable for damage their engine caused to a home when it fell off their plane passing overhead - assume the homeowner never did ANY business with FedEx. Is it the FAA regulation, or some other laws that kick in? My point was that we need similar regulation and laws that hold companies like Equifax liable for damages they cause, whether the damaged party is a customer or not.

    8. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 0

      The information is considered Personally Identifying Information and there are already laws regarding how and when certain companies can share this information. I'm most familiar with HIPAA, which focuses on patient information, but as I understand it it's the same kind of information and often the same kind of no-implied-trust relationship (You share your information with a doctor, who shares it with a hospital, three other doctors, two insurance agencies, and Phil in accounting...)

    9. Re:Most of their customers have no recourse by xlsior · · Score: 1

      The difference here is that you are not Equifax's customer - you are their product.

    10. Re:Most of their customers have no recourse by slew · · Score: 1

      The difference here is that you are not Equifax's customer - you are their product.

      You should remember the fact you are the product every time you do a search on the internet, or partake in a free email provider...

    11. Re:Most of their customers have no recourse by UnderCoverPenguin · · Score: 1

      Except that FedEx will claim that they are not the ones liable, it's the responsibility of the aircraft maintenance company. The maintenance company will then deflect the liability on to the local contractor, who will file bankruptcy and go out of business. Meanwhile, the home owner's insurance company, knowing the preceding, will declare the incident an "act of God", therefore, not covered.

      (For those who think this wouldn't happen, something similar did happen to one of my neighbors. The "bucket lift" of a service truck for the local cable company collapsed and smashed his car. My neighbor, refusing to take "no" for an answer, pushed forward with a string of lawsuits, anyway. The cable company and the lift-truck maintenance company both got their respective cases dismissed - and court orders for my neighbor to pay their legal costs. The local contractor appeared pro se and told the judge the business was bankrupt, closed and the assets sold, leaving a little more than $500 left for a settlement (after giving the judge a copy of the bankruptcy papers). The judge told my neighbor "That's the best you're going to get" and ruled the case settled. In the end, my neighbor lost over $10k in legal fees. And the car insurance company claimed the incident wasn't covered, so he was out another $3000 for car repairs.)

      --
      Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    12. Re:Most of their customers have no recourse by xystren · · Score: 1

      Until you read the fine print on all those forms that you had signed, pretty much allowing such sharing of said personally identifiable health information. Look through the fine print - odds are you've consented (likely unknowingly) to that sharing. Sad I know.

    13. Re:Most of their customers have no recourse by Wrath0fb0b · · Score: 1

      Consumers are not their customers. Their customers are banks and other entities that want to know whether a person is a good credit risk.

      Insofar as they injured any other third parties, they should surely be held liable. But this has nothing to do with whether the individuals whose data was leaked are "customers" of the credit agency. They are clearly not, nor should such a designation even be relevant when assessing liability.

    14. Re:Most of their customers have no recourse by AHuxley · · Score: 1

      Re public facing computers holding access to basically everything someone needs to completely take your identity.
      The network and database is secure. Everyone with access is trusted. The data is in a format that everyone with access can read and have displayed in a useful way.

      --
      Domestic spying is now "Benign Information Gathering"
    15. Re:Most of their customers have no recourse by BitterOak · · Score: 1

      Follow my example of an airplane shedding parts causing properties below.

      That comparison isn't valid at all. In that case, the airplane parts are entering someone's property. Same as if I break into someone's house, it doesn't matter if I had a pre-existing business relationship with them or not, I've established a relationship of sorts by entering their property. Same if my plane drops parts on their property. But Equifax didn't trespass on anyone's property or have any interaction with these customers at all. Some information was leaked, but did Equifax have any obligation to keep that information secret in the first place? I would argue "no" since there was no implied agreement between Equifax and these consumers.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    16. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 0

      There is a recourse but it is not lawful. Then again, without savings and without help, if the only remaining recourse is unlawful what are people going to do?

      When are US people going to wake up and see the emperor has no clothes? Blind justice is a lie. It sees money.

    17. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 0

      What if I have entered into an agreement with them to secure my information via the security freeze?

    18. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 0

      That story, sadly, is the new reality of the American (in)Justice system.

    19. Re:Most of their customers have no recourse by Cederic · · Score: 1

      If a company has through their action or inaction caused harm to an individual, that's surely a tort?

      You don't have to be a customer of a chemical company to sue the living fuck out of them when their poor environmental control kills your children.

    20. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 0

      Maybe we could treat personally identifiable information as something a person never loses control over just because they purchased something, and prevent companies from willy-nilly "sharing" this data.

      The reason we have this issue, and Europe does not, is because your bank will go tell Equifax about every line of credit you have, every bank account you open, and every transaction. They should not be allowed to share that private information with someone else.

    21. Re:Most of their customers have no recourse by david_thornley · · Score: 1

      Equifax has no business relationship with me. They are selling information about me to others. The others make the decisions that can harm me, and are doing so according to their standard practices, so they aren't liable. This could change, if there was a law about strict liability. Strict liability means that, if you caused a problem, no matter why, you're liable. Alternatively, if Equifax is lying about me, in some countries that would be libel. In the US, following standard and generally adequate procedures is a good defense against libel, so the laws would have to be changed.

      Another problem is finding where Equifax's negligence has harmed me. Most decisions using credit scores do not supply me with detailed information about why they were made. If Equifax screws up my credit rating, and I try to rent an apartment, and I'm denied because of bad credit, how do I show in court that they harmed me?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  12. Update your account info now... by Anonymous Coward · · Score: 0

    Seems like now would be as good a time as any to update all online accounting info, passwords especially.

    Be sure to do from a 'one off' browser session, and promptly delete afterwards.

    Cookies are evil, remember? Browsers aren't much better, so that doesn't help...

    Naturally, you can always move back to 'paper checks', which I contemplate every day...

  13. Equifax doesn't want it, they REQUIRE it. by Anonymous Coward · · Score: 1, Insightful

    Equifax, Experian and TransUnion should be held to an even higher standard because they don't collect your information... you are pretty much required to give it to them to be able to function in the US economy. This isn't a Facebook situation where the consumer trades their soul so they can see their aunt's cat pics. If you want to buy a car, a house, get a credit card, etc you have to surrender your data to these clowns (who also have proven repeatedly they do a shitty job of tracking your credit history anyway).

    1. Re:Equifax doesn't want it, they REQUIRE it. by Anonymous Coward · · Score: 0

      Same logic applies with spam blackhole lists. Experian, et al, don't block you from getting a loan. They just provide info, and other people make the decisions. However, the three score services do show if a person is worth hiring, worth a relationship or not. Basically, a FICO score is a score of one's win/fail in life.

  14. Tips now that your credit info has been stolen by Poisonous+Drool · · Score: 1

    Someone filed a fraudulent return for me on March 30 of last year. They had their "refund" sent to a debit card. I've used the same CPA for 30 years, which gives you an idea of how well the IRS detects fraud. I have no idea how my information was stolen. A few points:

    1. The best defense is to file early (e.g., February).
    2. As a victim of id theft, you should qualify for a free credit freeze. Good luck. Out of six requests (3 each for me and my wife) only one was accepted. You can waste your time arguing or pay them $10 (each) to freeze it.
    3. You can ask the IRS for a copy of the fraudulent return.
    4. I've been a Bank of America customer for 20+ years. They couldn't handle a vehicle loan with a credit freeze and I warned them my credit was frozen. Expect headaches.

    1. Re:Tips now that your credit info has been stolen by fahrbot-bot · · Score: 5, Informative

      Regardless, in most states you can pay $10 -- to each credit bureau -- and freeze your account permanently anyway. I did just that in 2011. When getting a loan or new line of credit, you can ask the company which bureau it will use for the credit check, call the bureau and either (a) unconditionally unfreeze it or (b) unfreeze it with a password or PIN, which they will US mail you -- for a specific number of business days. It's actually fairly painless.

      --
      It must have been something you assimilated. . . .
    2. Re:Tips now that your credit info has been stolen by AlanBDee · · Score: 5, Informative

      Here is an article from the FTC on freezing your credit: https://www.consumer.ftc.gov/a.... I also recommend doing it.

      Even though some banks can't process your car loan or other credit, your goal in personal finance should be to not need credit and to pay cash for everything. If you don't have the cash then you can't afford that car.

    3. Re:Tips now that your credit info has been stolen by Anonymous Coward · · Score: 0

      Or maybe one has the spare cash, the financing terms are acceptable (say 0% or even cash back when paid in full by x date) and one knows how to manage monthly cash flow. Please tell me what you perceive as the downside of utilizing such credit/loan?

    4. Re:Tips now that your credit info has been stolen by Anonymous Coward · · Score: 0

      Please tell me what you perceive as the downside of utilizing such credit/loan?

      Increased risk of identity theft.

    5. Re: Tips now that your credit info has been stolen by Anonymous Coward · · Score: 0

      Vs increased personal liability.

      Membership has its privileges

    6. Re:Tips now that your credit info has been stolen by jezwel · · Score: 2

      If you don't have the cash then you can't afford that car.

      It costs me $20 a week to have that car now rather than save up a few years for it. The gas savings from having the more frugal car is around $15-18 per week, so to have this newer car 'on credit' is costing me less than a dollar a day.
      Think I'll take that deal.

      Next time it may be different as I won't be going from a gas guzzler to an econobox, but even so that $20 a week will be covered by a single year pay rise, let alone the other 4 years for when the car is paid off. Actually by then pay increases will cover payments for a replacement car completely.

    7. Re:Tips now that your credit info has been stolen by DarkMagician07 · · Score: 1

      I've had my credit frozen for 2 years now and haven't had an issue getting a loan. I go to the site of the reporting agency they use, request a pin, give the pin to the lender, then done. Not sure where there'd be an issue. I highly recommend a freeze. It's been the most painless thing I've had to deal with in getting a refinance on my mortgage, 2 car loans, a personal loan, and a new credit card.

      Granted, you won't be able to simply go to Best Buy and request a new card, but if you need to do that, then you should re-check your finances before getting a new gadget from them.

    8. Re:Tips now that your credit info has been stolen by thegarbz · · Score: 1

      If you don't have the cash then you can't afford that car.

      That is possibly the dumbest comment I've ever seen. The ability to afford is about balancing incoming and outgoing finances, not about accumulating mountains of cash.

      If that was your criteria then as a well paid engineer I wouldn't have been able to "afford" my car for the first 6 months of my working life.

      (I could and did afford it, alongside holidays, other luxury spending and also house repayments).

    9. Re: Tips now that your credit info has been stolen by Anonymous Coward · · Score: 0

      That credit "freezing" system is purposefully designed to be difficult to do. You can't do it online and every time you need to freeze or unfreeze you have to pay a fine. It should be free.

      There are more reasons than needing to get credit that will require unfreezing your report. Getting insurance for example if you change your auto, home, or renters. Renting a home, etc. It pops up more than you think and you're gonna get charged twice each time.

    10. Re:Tips now that your credit info has been stolen by pnutjam · · Score: 1

      What's a "pay raise"? Did you switch companies?

    11. Re:Tips now that your credit info has been stolen by Anonymous Coward · · Score: 0

      Although I do this too it irks me that I have to pay the company that lost my data to keep it secure and pay them to unlock it when I need it. Really if they lose data of mine that can't be changed they should at least provide lifetime credit monitoring. A year is nearly worthless.

    12. Re:Tips now that your credit info has been stolen by Anonymous Coward · · Score: 0

      Sounds like extortion to me. Pay me a fee or I will make sure anyone who happens to get access to your data will be able to request credit on your name. They should offer this service for free.

    13. Re: Tips now that your credit info has been stolen by Anonymous Coward · · Score: 0

      Whether you have to pay or not depends on the laws of the state you live in.

    14. Re:Tips now that your credit info has been stolen by Anonymous Coward · · Score: 0

      As many others have argued, and I tend to agree, that is actually fairly painful for such a crappy "service" that nobody opted in to.
      Why should we have to pay protection money to these fools?

  15. Whew! by Anonymous Coward · · Score: 0

    Lucky for me I don't have a bank account or any debt, or even a job! You can't even find me on Google. How many people can say that?

    1. Re:Whew! by 93+Escort+Wagon · · Score: 1

      Baloney. I just did a search for "Anonymous Coward" and got millions of results. Your info is all over the place.

      --
      #DeleteChrome
  16. Equifax by Anonymous Coward · · Score: 1

    Equifax does a lot of "high assurance" identity checks. They collect detailed biographical information on everyone: employment, relatives, mortgages, car ownership... If they lost all of that there will be hell to pay.

    1. Re:Equifax by burtosis · · Score: 1

      If only there were hell to pay. If they lost all that the punishment would be nothing at all.

    2. Re:Equifax by Anonymous Coward · · Score: 0

      If they lost all of that there will be hell to pay.

      Oh you poor, naive person.

    3. Re:Equifax by Bob+the+Super+Hamste · · Score: 1

      Yet if I collected that much information on just one person I would likely be in jail for stalking. If I did it to a dozen or so people I would likely never see the light of day again as I would be a serial stalker and would be serving many consecutive sentences. But given all of this detailed information these companies collected on every fucking person that is available for purchase I still get to deal with debt collectors who try to collect debts from people who haven't lived at my address in 15 years, or whose first name matches mine but nothing else does.

      --
      Time to offend someone
  17. This is Irony, right? by burhop · · Score: 1

    ...if the bad guys use this stolen data and mess up your credit score.

    Referencing my primary "go to" grammar resource, it seems to be case #2

    http://theoatmeal.com/comics/i...

  18. Would FUCKTARD cover it? by Anonymous Coward · · Score: 0

    As in FUCKING RETARD?

  19. Need an ethical hacker? by paulina+james · · Score: 2

    Should you need the services of a hacker, i implore you to visit http://www.hackerspod.com/inde... or you should contact liammoore015@usa.com. i hired him for personal exploits early december last year and that was the decision that lit up my christmas and got me set for 2017. try to hire certified veterans for your hacking needs. This guy surely works like an elite, he is efficient,reliable and provides lasting and permanent solutions. He got my DUI records cleared as though it never happened and my credit card fixed.

  20. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  21. Jail time for the execs? by Anonymous Coward · · Score: 0

    To even make a dent in this problem the execs need to spend time in jail. It will force them to do the work not just get the insurance.

  22. HA HA! Jokes on them!!! by Anonymous Coward · · Score: 0

    All my credit cards are maxed...

    All my bank accounts are empty...

    I am more than willing to let them have all my debts free of charge ;)

  23. in UK and Canada too by zm · · Score: 1

    https://www.equifaxsecurity201...

    As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.

    --
    Sig ?
    1. Re:in UK and Canada too by Anonymous Coward · · Score: 0

      this site is a fucking scam it didn't tell me that i was hacked or anything just tried to fucking sign me up for some bullshit id theft service. like a week from now.

    2. Re:in UK and Canada too by coofercat · · Score: 1

      Is this site real?

      I mean, if it's really Equifax, then why can't it be on equifax.com? It's got a video about cyber security, and well, lesson 1 is to identify who a site really is before entering any data into it. I'm a techie, so I know to look at certs and whatnot - I couldn't see anything in it to verify it actually was Equifax (all I got was a cloudflare cert). The 'normals' won't be able to do any of that, so apart from a logo at the top of the page, and it's 'https', most people have nothing to verify it's real.

      Other comments talk about it being a scam - it might actually be.

  24. Obligatory CGP Grey Video by Daetrin · · Score: 3, Informative

    "So how did Americans end up with a national ID number that isn't one and a card terribly unfit to identify?"

    Social Security Cards Explained

    --
    This Space Intentionally Left Blank
  25. You had one job.... by Anonymous Coward · · Score: 0

    Good job guys.... great work.

  26. That's not what class action is for by rsilvergun · · Score: 1, Flamebait

    Class action is so the companies can pay a token amount and get perpetual indemnity for all future legal action. The best part? With recent changes in law making mandatory arbitration legally binding at the federal level (thanks, Republican Congress and Blue Dog Dems!) you don't even get that anymore.

    Folks need to start putting left wingers into Congress if they wanna see this crap happen, but nobody wants to pay the taxes for it. Never mind that just ending the 7 wars we're running would cover it. But then I'm not so sure folks want to end those wars. Our president's largest bump in poll numbers came after he dropped a $20 million dollar bomb on a bunch of Afghani goat herders with Soviet-era weapons...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  27. No MORE! by Seranfall · · Score: 1

    We DEMAND 72 hour mandatory reporting of security breaches that result in loss of customer data. Stop telling us nothing bad will happen to our data. You bastard companies are completely unable to protect almost anything and the government is even worse at it. At least we are learning about it now. I read something awhile back where a breach took them 14 years to discover...

    1. Re:No MORE! by Cederic · · Score: 1

      GDPR mandates 72 hour notification in the EU from May 2018.

      However: It's notification to a Government body, not to the impacted individuals. It'll be interesting to see how that plays out in reality - although it's also reasonable to assume that 72 hours is inadequate to fully explore and understand the extent of the breach and the individuals impacted.

      In the UK I suspect Equifax have an obligation to notify the FCA. I'm not sure on the timescales for that.

  28. Easy fix by Ryanrule · · Score: 1

    1 million per person's data lost. Start by draining the assets of the board and C suite. Put them on the street.

  29. Insider Trading! by chromaexcursion · · Score: 1

    Let's see some federal charges. One count for each share of stock affected.
    Make them pay!

    1. Re:Insider Trading! by bongey · · Score: 1

      Yep they claim they didn't know about the breach. Sure I believe them, wink, wink.

  30. It's going to get (much) worse by Teckla · · Score: 1

    Regarding computer and data security, it's going to get (much) worse before it gets better. We're currently in the Dark Ages of Computer Security... but we haven't hit bottom yet.

    Company culture in this area is just totally, utterly, hopelessly broken. They value speed above all else, so you end up with developers pulling libraries/jars from all over the Internet (many or most with huge security holes), you have companies incentivizing employees to get things done as quickly and cheaply as possible, you have companies clamoring for the cheapest labor available, including offshoring critical business logic.

    None of these things are good for customers. It's a dumpster fire. Identities stolen, lives destroyed, and ultimately, it's us consumers who pay higher prices for all this lack of security and the resulting fraud.

    It seems obvious businesses cannot and will not properly manage themselves when it comes to the subject of computer and data security. This is where we really need the government to step in, and lay down some laws with some serious teeth.

    Oh well, one can dream...

    1. Re:It's going to get (much) worse by mschwanke97402 · · Score: 1

      I agree with your assessment. Capitalism at its finest. Lowest bidder, outsource as much as possible and cut any corner to save a few pence.

  31. Actually a windfall for Equifax? by Anonymous Coward · · Score: 0

    "[We] have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."

    Is this Equifax shilling its consumer protections services?

    Will Equifax make huge profits because now 143 million of us will need these services for the rest of our lives?

    1. Re:Actually a windfall for Equifax? by DarkMagician07 · · Score: 1

      I agree. If you're a company such as the big 3 creditors, even without a breach, you should be required to provide these services free of charge to those whose data you hold. You have that data, it's your responsibility to ensure it is not misused. If you can't do that, then you shouldn't be a provider of a service that is as critical to life in the US as the air that is breathed by those that live there.

  32. Do they meet PCI compliance? by gregOfTheWeb · · Score: 1

    https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

    --
    blah
    1. Re:Do they meet PCI compliance? by Bob+the+Super+Hamste · · Score: 1

      Probably except for the part about not storing personal information but then they aren't card processors. The PCI standard, while it is a standard, is really the bare minimum that companies should be held to for them to not be found guilty of criminal negligence for breaches. The actual standard is here and having had to deal with MBAs asking about our compliance makes it seem like it is something written for the MBA types to check off a bunch of stuff. There are much better standards and if you aren't an MBA you can figure out how to make them applicable to your business. Personally I like the NERC CIP standard with liberal utilization of the CIS benchmarks as a good starting point for securing a system. If you want others there is always the US government's set of security benchmarks, the DoE document Cybersecurity Procurement Language for Energy Delivery Systems, or a bunch of stuff at the SANS site that you could use as a guide.

      --
      Time to offend someone
  33. "The List" == Economic Armageddon? by Anonymous Coward · · Score: 0

    For the past few decades, the economy has been increasingly based on credit, and many people are so dependent on credit, that they cannot survive without it. Our whole system is based on easily-obtained credit, and this has inflated the supply of money far beyond what would be the case if people depended on just the cash they had, or used debit cards.

    We have already witnessed the global multi-year impact of one part of the credit industry failing.

    What if someone or some group were to publicly post "The List" .. of everyone's info that is currently used to obtain credit. If creditors could no longer be relatively certain that a given request for credit is actually coming from the person or business requesting it, then after a sufficient amount of fraud happens, they would cease to offer credit.

    The question we are heading towards answering next is what would happen to the economy if nobody can obtain credit? Sadly, we may find out, and it may be much worse than the last credit crisis.

  34. DONT USE THE LOOKUP TOOL by Anonymous Coward · · Score: 2, Informative

    It signs you up for a product. READ THEIR TOS. You just waived your right to class action and agreed to arbitration...

    Scumbag move!

    1. Re:DONT USE THE LOOKUP TOOL by Anonymous Coward · · Score: 0

      You expected better from people that thrive on bullshit?

    2. Re: DONT USE THE LOOKUP TOOL by Anonymous Coward · · Score: 0

      Only in the USA could a TOS be used to divest you from your natural rights to seek damages.

      Fucking lawyers.

    3. Re:DONT USE THE LOOKUP TOOL by Anonymous Coward · · Score: 0

      It signs you up for a product. READ THEIR TOS. You just waived your right to class action and agreed to arbitration...

      Scumbag move!

      I can't find a TOS associated with the lookup tool.
      Can you provide a link, or tell us where you saw it?

    4. Re: DONT USE THE LOOKUP TOOL by Anonymous Coward · · Score: 0

      Only in the USA could a TOS be used to divest you from your natural rights to seek damages.

      Fucking lawyers.

      There is no TOS for the lookup tool.

  35. DONT USE THAT LOOKUP TOOL! SCUMBAGS by Anonymous Coward · · Score: 1

    read their TOS. You use their website to signup for a product, and you waive your right to Class action and trial and agree to arbitration.

    Total scumbag move. This company...

  36. DONT USE THIS LINK UNLESS YOU WANT TO WAIVE RIGHTS by Anonymous Coward · · Score: 0

    Read their TOS. You use the lookup tool to determine if you are impacted it will register you for a product. When you signup for ANY product you waive the right to CLASS ACTION and TRIAL and agree to ARBITRATION

    I can use caps more if needed /s

  37. this lady doth not protect enough, methinks by epine · · Score: 1

    Wow, it's going to take a long damn time for Equifax to out this tiny blemish from their permanent spot record.

    "O, but she'll keep her word."

    Actually, sorry Hamlet, cat's entirely out of the bag now.

  38. So much for all those "security" questions by execthis · · Score: 2

    This breach is why it ROYALLY pisses me off when some websites force me to answer "security" questions such as the name of the street I first lived on. The people responsible for such sites should be held accountable for gross negligence.

    This is exactly why I now almost always answer the "security" questions with gibberish.

    If my 20-length complex password of random digits, numbers, and special characters isn't enough for security then f it.

    Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.

    1. Re:So much for all those "security" questions by Anonymous Coward · · Score: 0

      This breach is why it ROYALLY pisses me off when some websites force me to answer "security" questions such as the name of the street I first lived on. The people responsible for such sites should be held accountable for gross negligence.

      This is exactly why I now almost always answer the "security" questions with gibberish.

      If my 20-length complex password of random digits, numbers, and special characters isn't enough for security then f it.

      Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.

      https://faq.ssa.gov/link/portal/34011/34019/Article/3789/Can-I-change-my-Social-Security-number

    2. Re:So much for all those "security" questions by Anonymous Coward · · Score: 0

      Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.

      Or rather, the US Gov should make legislation making it illegal to use SS numbers for anything in the private sector. That's it. Your credit cards, banks, etc., have absolutely no reason to know your SSN, nor your hospital, nor your insurance company, etc. I find it amazing that even cable company and mobile phone carriers ask for SSN... for what purpose? This kind of thing should never have been used for identification purposes... it's not secure, everyone knows it, and it's just a bad identifier of individuals (just about everyone who cares will be able to dig up your name/address/ssn).

    3. Re:So much for all those "security" questions by david_thornley · · Score: 1

      How about a certain financial institution that manages my stock from my ESPP, which has a max of eight alphanumeric characters?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  39. Time to shut them down by SnarkSide · · Score: 1

    It's time we make an example and take away any authorization for Equifax to store or maintain any personal information. Not that the other agencies are better, but fuck, these people are fucking useless.

    1) Shut them down - Equifax must be no more.
    2) Rework the systems we use so that there is real authentication, like maybe possessing a smart card / EMV that provides authentication.
    3) Social security numbers need to be made invalid / illegal to use as a form of authentication.
    4) Credit card account numbers must be made useless by themselves; EMV only protects you if others cannot execute non-EMV transactions on the account. (Yes I know CVV1 / CVV2 data is generally needed for transactions.)
    5) We must never again design systems where data that is shared with multiple third parties is used for authentication.
    6) Maybe improve EMV with some OTP system in conjunction.
    7) Credit agencies need to be completely reworked. Consumers must have reliable and responsive methods of fixing fraud and errors in the data within 45 days from the report date by law.
    8) Consumers suffering data loss should have legal standing for a class action suit; unauthorized disclosure is a form of harm even if it can't be linked to a monetary loss.

  40. Criminal Negligence? by mschwanke97402 · · Score: 3, Insightful

    Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company."

    So it’s all about his company. What about the havoc his company will wreak on millions of consumers via this data breach? These a**holes collect all manner of sensitive personal data, without our permission I might add, and let it get away from them because the lot of it is on an Internet facing server connected to a web app. I think it rises to criminal negligence.

    Speaking of crimes, I expect to see criminal insider trading charges and jail time for those executives who scurried off to sell their shares when the breach was discovered but left us vulnerable for weeks.

    1. Re:Criminal Negligence? by Okind · · Score: 1

      These a**holes collect all manner of sensitive personal data, without our permission I might add, [...]

      This is the part where I think the US (and the rest of the world too, for that matter) needs a law like the upcoming GDPR in Europe. That would require anyone to obtain explicit & informed consent, protect data properly, and inform the public timely when this protection fails (the 'timely' bit was clearly not done here).

    2. Re:Criminal Negligence? by houghi · · Score: 2

      You wish for those things. I expect that nothing will happen or change. Not for these people. Not for this company. Not for any others in the future.
      People have chosen the new feudal system. The CEO is the new King and his company is his castle.

      --
      Don't fight for your country, if your country does not fight for you.
  41. What a joke by LeftCoastThinker · · Score: 1

    First off, the executives that sold their stocks while withholding negative information should have that money confiscated and be prosecuted for insider trading (seeing as how they were holding back negative news on purpose to profit.) The retiree pension fund should not take the hit that those assholes created in the first place...

    Yet another example of the dire need for legal accountability at the federal level of companies that hold private, personal information. The three credit reporting agencies don't give a shit if your identity is stolen, either from them or from someone else, and they clearly didn't care enough to encrypt the information stolen in this breach, and all those people who are going to have to waste hundreds of hours filing police reports, fighting fraudulent credit cards taken out in their name and fraudulent loans are SOL.

    It is long past time that we have a federal law holding the companies that lose private, personal data accountable to the tune of actual time lost at the billable rate for the person's profession and a fine paid to the individual harmed of not less than $1000. Once your identity has been stolen, a simple phone call or online form should permanently flag your identity and require all companies accessing your credit for a transaction must use two factor authentication to get validation of your identity.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
    1. Re:What a joke by Anonymous Coward · · Score: 0

      Once your identity has been stolen, a simple phone call or online form should permanently flag your identity and require all companies accessing your credit for a transaction must use two factor authentication to get validation of your identity.

      This already exists and is known as a Fraud Alert, although I don't believe it is permanent. Unfortunately it becomes worthless as soon as your phone number has been hijacked.

      For a better and permanent solution, freeze your credit reports.

  42. Don't worry... by s.petry · · Score: 4, Insightful

    No executives will be fired for this incident.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Don't worry... by Anonymous Coward · · Score: 0

      three might get a lick on the wrist from uncle sam for insider trading, though.

    2. Re: Don't worry... by Anonymous Coward · · Score: 0

      Lick my temporary tattoo. You won't regret it.

    3. Re:Don't worry... by null+etc. · · Score: 1

      No, but their information has been exposed all the same.

    4. Re:Don't worry... by Anonymous Coward · · Score: 0

      No executives will be fired for this incident.

      Richard F. Smith said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. "

      At this point they should merge with Wells Fargo. Excrement synergy and all.

    5. Re:Don't worry... by Anonymous Coward · · Score: 0

      And their records will be purged of such incident (both the fact that they caused it through lax security, and any potential victimization that they may have felt personally.)

      The real question is: Will any executives be shot for this incident?

  43. You must be new here by s.petry · · Score: 4, Insightful

    On planet Earth.

    The people responsible for such sites should be held accountable for gross negligence.

    You mean a lackey or two right? No executives are held accountable for their own decisions. In fact, the bigger the screw up the more jumps applied to the Peter Principle.

    Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.

    I'm not sure you know what a civil right is. I would however support legislation which outlaws the use of one's SSN as identification to anyone other than the Government, and perhaps even more specifically the Social Security Agency.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:You must be new here by Quirkz · · Score: 2

      No, the SSN as identification is fine. Honestly, that's probably what everyone should use. What's wrong is using it as authentication. Nobody should use it for that, but despite that being obvious for decades, everyone continues to use it that way.

    2. Re: You must be new here by Anonymous Coward · · Score: 0

      SSN is not fine. RSA public key is.

  44. It's time to write Congress demanding reform by PeterM+from+Berkeley · · Score: 5, Insightful

    Right now, someone who has your information but no real proof of identity can borrow money as "you", and the creditor gets to libel you via the credit reporting agencies when they don't get paid.

    This must stop. Please write Congress and demand that creditors no longer have the right to libel you as a non-payer unless they can prove it was actually YOU who borrowed their money and failed to repay as promised instead of just someone who had some information about you, that they didn't bother doing due diligence on to verify.

    I've already written Congress about this several times, but now it's literally EVERYONE'S information that has been stolen, and the whole nation must face the fact that they are vulnerable to this sort of thing now.

    --PeterM

    1. Re:It's time to write Congress demanding reform by Anonymous Coward · · Score: 0

      Please write Congress and demand ...

      You've got a good point and all, but you're asking the fox guarding the hen house to stop eating the chickens. It won't work, but you can make a lot of noise if it makes you feel better.

      Back in the real world, for those of us already forced out of middle class life into poverty, the answer is very simple. In fact, I can summarize the whole thing into the ending of War Games.

      The only way to win is not to play.

      The deck is stacked with the best laws money can buy. You simply cannot win no matter how hard you work, how smart you plan, and how careful you avoid mistakes or bad luck. The game is rigged and you will lose.

      My children realized this before I did. Call them lazy millennials if you want, but the truth is they can see a rigged game and simply choose not to play it. Work hard for the American Dream? Sorry, but I taught them how to do math and it doesn't add up. The new dream is to work as little as possible, for a bare subsistence living, but one that is full of experiences from the list called "the best things in life are free".

      Watch a sunrise.
      Hike to the top of somewhere.
      Sleep on the ground.
      Spend time within the community, rather than drive straight into the garage completely exhausted after work.
      Etc.

      The fact that credit reporting agencies, living beyond our means through debt (the "Dream"), and the completely bogus federal reserve system have caused the national economy to be detached from the reality of basic individual fiscal responsibility isn't news. It is very enlightening seeing how this breach was not announced until after the execs cashed out significantly. At least they got well rewarded for screwing over millions of people, right?

    2. Re:It's time to write Congress demanding reform by geoscodin · · Score: 1

      I found a lien from another state against me on my credit report several years ago. I disputed it and the courthouse did not respond, so the credit agency took immediate action on my behalf. They marked the negative item as paid... and told me it would roll off my credit report in 7 years. What?!? Since the courthouse did not respond they said there was nothing more they could do. Oh really? How about removing the false item from my credit! They said no, but I was welcome to travel across the country and research the item myself. Wrong! If the reporter can't provide -- or just can't be bothered to look for -- evidence against me then it should be removed immediately. I also had a false $480 phone bill on my credit report. At least I was able to dispute that one by proving my own identity and it came off quickly.

    3. Re:It's time to write Congress demanding reform by houghi · · Score: 1

      Here is how it is done in Belgium
      1) We have a national number YYMMDD-XXX-YY
      2) We have an ID.
      You need both to get a credit or a loan.

      If you apply for a loan they will check if your ID is stolen or not https://www.checkdoc.be/
      They check the BNB. On the BNB every credit and loan is mentioned. What a company sees is for each credit/loan:
      1) Time it started
      2) The amount
      3) If there are late payments

      With the income and standard of how much you need to live, they will see if they are allowed to give you a loan. Late payments (on the black list) no loan. If the company would do that, they will not even NEED to pay back. Risk is then with the company.

      The companies do NOT see what the companies are that have given the loan or credit, unless it is themselves (privacy, you know)

      As an individual you can get these names, because it could happen that you have a credit open that has been paid in full.

      So there is a short moment between the moment my ID is stolen and when I call in to block it that they could ask for a loan or buy something on credit. This happens, but in very low numbers as you would need to go into a store and it could be already blocked (takes just a call) and the ID is a photo ID.

      Also no need for third party to verify the credit situation as it is already centralized and security is pretty tight. Only access if you are allowed to do so. Only information that you need. More info on https://www.nbb.be/en/about-na...

      If I did not loan the money, I will not be held responsible and sometimes even if I DID loan the money, I am not responsible.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:It's time to write Congress demanding reform by Anonymous Coward · · Score: 0

      This must stop. Please write Congress and demand that creditors no longer have the right to libel you as a non-payer unless they can prove it was actually YOU who borrowed their money and failed to repay as promised instead of just someone who had some information about you, that they didn't bother doing due diligence on to verify.

      I like to phrase this as getting the government out of the credit reporting industry. The Fair Credit Reporting Act protects these companies from being sued for libel if they meet such and such criteria. That law has failed. Just end that law and things will fix themselves very fast, but since there's an entire industry based on that law, you'll never be able to fight their lobbying power.

    5. Re:It's time to write Congress demanding reform by Anonymous Coward · · Score: 0

      Since you've invested thought-time into this, could you post a copy of the letter you sent? There's probably some non-obvious stuff that's worth it for others to include in their communications.

  45. No by s.petry · · Score: 0, Troll

    An illegal alien is someone who enters the country illegally. Stop making up stories to make criminal acts appear non criminal because it fits a political agenda. By your logic, I can break into your house and it's not a crime unless I broke in before.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:No by AmiMoJo · · Score: 1

      The issue is that it's a matter of historical perspective. Most people in the US are illegal aliens from the point of view of native Americans who got there first.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:No by Anonymous Coward · · Score: 1, Insightful

      The issue is that it's a matter of historical perspective.

      No, it isn't. It's about the law. Hence "illegal" is in the term.

      Most people in the US are illegal aliens from the point of view of native Americans who got there first.

      From the point of view of native Americans, they didn't have the same legal systems or the same concepts of law, land ownership, borders, etc. as us. You're committing the same mistake as Europeans of the past, who had conflicts with native Americans because they didn't understand that the two cultures had different value systems and ways of doing things.

    3. Re:No by s.petry · · Score: 0

      Re-read your post, apologies for skimming. My other post is true, but not really relevant to yours. Your claim is quite false in a broad sense, but like all good conspiracy theories contains a grain of truth. It's way too complex of an issue for such a gross oversimplification. Most native Americans were nomadic imperialists themselves long before anyone else arrived, and tribal wars were extremely common. There were a few tribes who were less nomadic and less tied to war, but they were the targets of other tribes who wanted their stuff. Native Americans believed in survival of the fittest. Like you, I could grossly oversimplify and claim that conquering them honored their beliefs. Like your statement, I would be making a false statement and grossly oversimplifying the history.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    4. Re:No by CaptainDork · · Score: 2

      "Illegal," in any legal context has a component of "punishment."

      Undocumented immigrants who are "first-timers," are simply given due process and deported.

      There is a free ride, meals and accommodations prior to ejection, but there is no punishment.

      Because the first-timer is identified and documented, subsequent entry is illegal.

      --
      It little behooves the best of us to comment on the rest of us.
  46. Well? Is that everybody now? by david.g.holt · · Score: 0

    After, what, thirty years of companies losing our information. Don't the hackers have everyone by now? So why should we protect our information anymore? Tell the NSA to have at it. Put a bar code on my forehead, I'm done.

  47. Banks. Schools. Health providers. by execthis · · Score: 3, Interesting

    What's bad is that many of the offending organizations doing this are banks, educational institutions, and health providers. They must think "because we're a [bank|school|health provider] we need extra security" and then proceed to FORCE all users to answer these stupid questions.

    Yes, make a law prohibiting use of SSN except by the SSA.

  48. TLS Client Certificates by u801e · · Score: 1

    What would be nice is if more websites supported authentication via client certificates. Then we wouldn't have deal with passwords, two factor auth, or "security theater" questions when authenticating.

    1. Re:TLS Client Certificates by execthis · · Score: 1

      I'm curious about how this would work. Would each person have one client cert that works with multiple sites? Or would each site require its own cert? What happens if your phone or laptop with the cert(s) on it is stolen? Would use of the cert on the local device (phone, laptop) require something additional like a fingerprint swipe or iris scan?

    2. Re: TLS Client Certificates by guruevi · · Score: 2

      You obviously haven't used certs as authentication, but they're to be handled just like regular passwords. You have a private and a public key; there's no reason to keep the private key accessible to any sort of theft, and you can encrypt it so that any use requires a password. However, the password doesn't traverse the network, but without it the cert is useless. In most cases you can also revoke the cert; LetsEncrypt-style cert providers allow you to both instantly revoke and have a short enough lifespan.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re: TLS Client Certificates by execthis · · Score: 1

      I have used certs in the form of pre-shared auth for SSH sessions but that is a different story than logging onto websites. Maybe the underlying core encryption concepts are the same but the practicalities involved are very different in terms of user interaction and required policies.

    4. Re:TLS Client Certificates by raymorris · · Score: 1

      Typically your private key is encrypted with a passphrase. So an attacker would need to both have your device and know your passphrase.

      Typically you have one key/certificate per role; I have a certificate for work, for ray@company.com, that is different from my personal cert.

      You see this all the time when you authenticate the company you're talking to via https SSL - https://ebay.com/ has one cert, not a different cert for every user. Their cert identifies eBay's web server - same cert presented to everyone. On the other hand, they probably use a different cert for email and code signing than they use for their web server. The server authenticating you works almost exactly like you authenticating the server. The difference is that often the server cert has an empty passphrase so that an admin doesn't have to type in the passphrase on each reboot.
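
      As an added example that is not part of this thread (and not Equifax's or any commenter's code), the openssl commands below build a throwaway CA, a passphrase-protected client key and a client certificate signed by that CA, then exercise the two checks raymorris describes: a stolen key file without its passphrase is useless, and the server's check is simply "did a CA I trust issue this cert?", the mirror image of your browser checking a site's cert. The CA names, the address ray@company.com and the passphrase are placeholders made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a minimal client-cert
# PKI with the openssl CLI and checks it the way a server would.
# Placeholder names: "Test CA", "Other CA", ray@company.com, passphrase
# "correct-horse". Requires the openssl binary on PATH.

# make_pki DIR: create the CA, an encrypted client key, a signed client cert,
# and an unrelated CA (standing in for some other site's trust anchor).
make_pki() {
    dir=$1
    # self-signed CA; an unencrypted key is fine for a throwaway demo CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Test CA" >/dev/null 2>&1
    # client private key, encrypted under a passphrase with AES-256
    openssl genrsa -aes256 -passout pass:correct-horse \
        -out "$dir/client.key" 2048 >/dev/null 2>&1
    # certificate signing request: the passphrase is needed to use the key
    openssl req -new -key "$dir/client.key" -passin pass:correct-horse \
        -subj "/CN=ray@company.com" -out "$dir/client.csr" >/dev/null 2>&1
    # the CA signs the CSR, producing the client certificate
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" >/dev/null 2>&1
    # a second, unrelated CA that did not issue the client cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other.key" -out "$dir/other.crt" \
        -subj "/CN=Other CA" >/dev/null 2>&1
}

# verify_client_cert DIR CAFILE: the server-side check on a presented client
# cert. Prints "ok" if CAFILE issued it, "rejected" otherwise.
verify_client_cert() {
    if openssl verify -CAfile "$2" "$1/client.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# key_unlocks DIR PASSPHRASE: can the private key be used with this
# passphrase? Prints "unlocked" or "locked". A thief holding only the key
# file (no passphrase) gets "locked".
key_unlocks() {
    if openssl rsa -in "$1/client.key" -passin "pass:$2" -noout >/dev/null 2>&1; then
        echo unlocked
    else
        echo locked
    fi
}

# cert_subject DIR: the identity the client cert carries (one cert per role)
cert_subject() {
    openssl x509 -in "$1/client.crt" -noout -subject
}

# Demo run when executed directly.
workdir=$(mktemp -d)
make_pki "$workdir"
echo "cert subject:        $(cert_subject "$workdir")"
echo "trusted CA:          $(verify_client_cert "$workdir" "$workdir/ca.crt")"
echo "unrelated CA:        $(verify_client_cert "$workdir" "$workdir/other.crt")"
echo "right passphrase:    $(key_unlocks "$workdir" correct-horse)"
echo "wrong passphrase:    $(key_unlocks "$workdir" battery-staple)"
rm -rf "$workdir"
```

      Run it as `sh client-cert-demo.sh`. The "unrelated CA" line is the point about per-site trust: a cert issued by one CA means nothing to a server that only trusts another, exactly as a server cert from an unknown CA means nothing to your browser. Real deployments add the revocation check guruevi mentions (a CRL or OCSP lookup) on top of the chain verification shown here.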

  49. Insider trading laws? by Anonymous Coward · · Score: 0

    No, but the SEC may go after them.

  50. Simple solution by Anonymous Coward · · Score: 0

    No need to get bent out of shape about this. The solution is trivial:

    1. Free credit monitoring for everybody for life. Credit bureaus pay for it as a cost of doing business.

    2. If you get breached, you must pay for credit repair for any affected person whose information gets used, including reimbursement for any losses.

    3. Don't like the rules? Don't collect the info. You want a loan, you go to a third party notary to check IDs and documents, witness signatures and stamp the contract. I'd take fewer CRBs and more notaries any day, and twice on Sundays.

    In the present case, get everybody with a credit report free monitoring for life (paid for by CRBs jointly) and make Equifax post a bond determined by actuaries to cover the likely fallout.

    I will invoice Equifax directly for this valuable service. I recommend you enjoy calling the media inquiries number as much as I did.

    1. Re:Simple solution by Bob+the+Super+Hamste · · Score: 1

      Unfortunately the credit monitoring you get when a breach happens is always from these reporting agencies. I think I have like 5 or 6 active ones across experian, equifax, and transunion. Now it looks like I and everyone else will get another year of free credit monitoring from these fuckers that really should be drawn and quartered instead.

      --
      Time to offend someone
  51. The lookup site has been hacked... by Anonymous Coward · · Score: 0

    https://www.equifaxsecurity2017.com/ is now reporting that it is unsecure.
    So now they can't even provide the information on who's been hacked.

    Oh... and when it does come back up... it's a 7 day wait to get your monitoring started. Have to give the bad guys a head start. Poor form to be proactive about security, after all.

  52. You mean these guys? by BarneyGuarder · · Score: 2
  53. Answer == Protection by Anonymous Coward · · Score: 0

    The EU is actually taking data protection much more seriously than the States with its upcoming regulations taking effect next year. The General Data Protection Regulation (GDPR) would backhand an organization like Equifax, who've experienced multiple breaches and are clearly showing signs of negligence. Money is the only thing that companies seem to understand, so this is the approach that we need to push for if we want anything to change.

    GDPR emphasizes data minimization as well as hefty fines. If you don't want to pay 20 million EUR or 4% of your annual revenue, then don't collect and manage any sensitive PII. It's really that simple.../sigh

  54. Answer with a famous person's info by raymorris · · Score: 1

    I understand your frustration. The purpose of those questions is, of course, as a backup because people forget / lose their password.

    > If my 20-length complex password of random digits, numbers, and special characters

    Unless you're re-using the same password on all sites (bad idea) and never changing it (another bad idea) you're probably storing them somewhere rather than memorizing a dozen different sets of 20 random characters which means you could lose it. In which case you'll need to use the security questions to access your account.

    So what to do? Entering gibberish means you may end up permanently locked out of your accounts when you lose your passwords. What you can do is answer the questions with Bill Clinton's information, or Steve Jobs', or Mariah Carey's. When it asks what city you were born in, enter the city Steve Jobs was born in. That way people can't break into your accounts by entering information about you; they'd have to know to instead enter information about Jobs or Mister Rogers or whoever you use info from.

    1. Re:Answer with a famous person's info by execthis · · Score: 1

      I use LastPass. If any of my devices are stolen - which has happened several times - I immediately change the master password.

      I know people will say this is not perfect - LastPass itself could be compromised, or someone could potentially access my system and keylog - but it seems to be by far the best practical solution and has been foolproof to date.

      However I like the idea of client certificates mentioned by another commenter. Sounds like the way of the future.

    2. Re: Answer with a famous person's info by Anonymous Coward · · Score: 0

      Lol, are you serious dude?

        You trust your entire password and personal info to a company that has been compromised at least 3 times in the last 12 months alone and use a product that has such fundamental security issues that even its owners and developers admit can not be fully secured....

    3. Re:Answer with a famous person's info by pnutjam · · Score: 2

      Keepass is a better choice, keep your passwords under your own control.

    4. Re:Answer with a famous person's info by execthis · · Score: 1

      Lastpass is better because it has a standalone desktop application, standalone Android app, and plugins for desktop and mobile versions of major web browsers. In other words it works seamlessly across all devices and apps which is an essential feature for a password manager.

    5. Re: Answer with a famous person's info by cyber-vandal · · Score: 1

      I use Keepass with Resilio Sync. It's not as convenient but it means my passwords are only transmitted over my home network. I don't trust LastPass or any other cloud password provider.

    6. Re:Answer with a famous person's info by Anonymous Coward · · Score: 0

      "which means you could lose it."
      I keep all my passwords in a password book, in my drawer, in my desk. Unless my house burns down, I can't lose it. Yes, I could be burgled, but that's less likely to happen (and a burglar is less likely to recognise it as a password book anyway, because it's in a drawer full of junk, along with other drawers of junk) than somebody finding out which street you really lived on. You should NEVER answer those stupid questions with the correct answer, always use a passphrase.
      You are so wrong I can hardly comprehend it.
      Nobody is remembering 20 character passwords that use random numbers, special characters (by the way, digits are numbers, or at least, all numbers use digits...)
      so we have to write them down.

    7. Re: Answer with a famous person's info by execthis · · Score: 1

      The whole point of using Lastpass is the browser integration.

    8. Re: Answer with a famous person's info by cyber-vandal · · Score: 1

      Like I said it's not as convenient but you don't have to rely on a third party's servers to be secure. You can use copy and paste and Keepass will clear your clipboard after 10 seconds.

    9. Re:Answer with a famous person's info by Anonymous Coward · · Score: 0

      It shouldn't matter if LastPass is compromised; your credentials should be stored in encrypted form. And if you're using two-factor authentication (via authenticator-style app, not SMS), even a keylogger is ineffective against compromising your passwords.

    10. Re:Answer with a famous person's info by flink · · Score: 1

      Codebook does this as well for Mac/Windows/iOS/Android - it also lets you choose what, if any, cloud provider you use to sync through. You can also just sync over WiFi or LAN if you don't want your password DB to pass trough someone else's system.

    11. Re:Answer with a famous person's info by pnutjam · · Score: 1

      Keepass has this. You can use the same database across desktop, windows, linux, android, iphone, etc. You can even keep the database in the cloud.

    12. Re:Answer with a famous person's info by execthis · · Score: 1

      That's cool. I have been hoping to find something that works with Nextcloud.

    13. Re:Answer with a famous person's info by execthis · · Score: 1

      Keepass doesn't have web browser plugins which account for 99% of the use cases of Lastpass.

    14. Re:Answer with a famous person's info by pnutjam · · Score: 1

      Yeah, those are a security problem.

    15. Re:Answer with a famous person's info by execthis · · Score: 1

      Do you have any evidence of there ever having been anyone's password data compromised as a result of a Lastpass browser plugin attack or exploit?

    16. Re: Answer with a famous person's info by Malc · · Score: 1

      When I was a victim of identity theft a few years ago, they managed to convince my bank's telephone banking to change my mother's maiden name, locking me out of my accounts! You'd think alarm bells at the bank should have rung, but no. Social engineering is always the weakest point, and the amount of accurate information in this credit agency data breach can really enable bold criminals. So I agree with the other comments about providing inaccurate data for security questions where possible, but you have to have a scheme to work with it all because I can't even remember answers for dumb security questions like "who was your favourite teacher at primary school" or "what's your favourite colour" (I don't have favourites of either, so it's a crap shoot on how I'm feeling on the day how I answer)

    17. Re:Answer with a famous person's info by pnutjam · · Score: 1

      There have been plenty of them, go ahead and google for yourself. You're basically increasing your area of attack significantly when you're using a plugin, browser, OS, and application in tandem. It's common sense that this is not best security practice.
      You could make an argument that it's sufficiently secure, or better than the usual practice. You might be right, but it's still not secure enough for the security conscious.

    18. Re:Answer with a famous person's info by Anonymous Coward · · Score: 0

      sorry. not able to find one incident of actual stolen passwords.

      full of shit.

  55. arbitration by Anonymous Coward · · Score: 0

    check for arbitration agreements in the fine print

    1. Re:arbitration by Anonymous Coward · · Score: 0

      check for arbitration agreements in the fine print

      What fine print are you talking about?
      I'm gonna call bullshit. There is no fine print associated with the breach lookup tool.
      You just made it up.

  56. It's almost as if... by easyTree · · Score: 1

    ...organisations need to avoid making their (our) data a gigantic attractive target. If it were split up so attackers had to work hard for each small batch, this would be less attractive.

  57. Translation by easyTree · · Score: 1

    We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.

    Translation

    We have failed to protect consumers but prefer to keep taking in cash, despite this clear demonstration that [y]our data is not guaranteed to be free from tampering and therefore any derived data is worthless.

  58. 143M customers is all of adults in USA and Canada by misnohmer · · Score: 1

    So basically Equifax just exposed all of the adults in USA and Canada to the danger of identity theft. Of course the victims can never prove their identity theft was caused by a specific breach, such as this one, so Equifax will never be found directly liable. HOWEVER, this is where the government should step in and impose massive fines for endangering the public. Those fines to be pooled into funds that help with identity theft. The fines should be in the billions, even if that means the company goes bankrupt. If it does, it will make other companies spend more money on securing their data and/or not holding onto data they don't need, simply to avoid being fined billions of dollars.

  59. look on the bright side by TimMD909 · · Score: 1

    At least it's only half of the entire country. Talk about a lot of glass is half empty comments...

    1. Re:look on the bright side by Mr.+Spock · · Score: 1

      At least it's only half of the entire country. Talk about a lot of glass is half empty comments...

      Too soon. It's the half of the country that has a credit history. Not comforting.

  60. Insider trading goes unnoticed by Anonymous Coward · · Score: 0

    And is quite common but untalked about. Crimes are for the poor.

  61. bank fraud. not identity theft. by Anonymous Coward · · Score: 0

    This is entirely correct. Put the blame where the blame lies. Why don't other countries have this identity theft obsession? Because

    IT IS BANK FRAUD. Not "identity theft".

    It should not be my problem that a third party managed to fool a bank into giving them money. Otherwise, if the tables were turned, why can't I make the bank pay me that zero-interest 100K loan their "representative" signed for me in that gas station? He clearly showed me a Bank business card...

    Why can it never be "bank identity theft" and we make the banks pay all the promises other people make in their name? Fair is fair.

  62. Re: more Horse shit! by Anonymous Coward · · Score: 0

    Ellis Island was a tad later than the Indian slaughter that the parent was referring to.

  63. Malicious JavaScript integration by raymorris · · Score: 1

    My company, a security company, is looking at password managers for internal use. The various security experts inside the company have been discussing LastPass.

    The general consensus is that IF we use a cloud-based password manager, LastPass is a reasonable choice. However multiple co-workers and myself agree that the browser plug-in is a major risk. The browser is the #1 target of attacks, by far, and their browser plug-in is known to have had security problems in the past. The browser, and therefore malicious JavaScript, should NOT have direct access to all of your passwords, in our opinion. Rather, we point out it is much more secure to copy/paste the one password you want to use at the moment from the password manager to the browser.

    Additionally, if for some reason a user WAS going to use a password manager integrated with the browser, the password manager already built into Chromium / Chrome and other browsers has a better security record than LastPass.

    Therefore, it is our opinion that there is more or less no use case for which the LastPass browser extension would be an appropriate solution.

    1. Re:Malicious JavaScript integration by execthis · · Score: 1

      I cannot argue the details with you about browser extension security or isolation from possible attack vectors, however I will say that many, many people have used Lastpass for a long time and there have never to my knowledge been any compromises.

      The second point I want to make is that what makes the password manager useful, its primary reason for existence, is the fact that it works seamlessly across a desktop app and multiple web browsers. Yes you can use Chrome or Firefox's own password saving features and these may even sync with other instances of the same browsers, but still you do not get seamless synchronization across ALL devices. The primary thing about a password manager is that it will be used, which means it needs to be available for all instances of use.

      Ideally Lastpass would have a feature to locate its data store on a location of your choice - such as your own Nextcloud instance - but remember that that would also present a risk because now you have to worry about the security of your data store - something that the company Lastpass takes care of on their own, which is partially what they get paid to do.

  64. STRUTS Vulnerability by Anonymous Coward · · Score: 0

    http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw

  65. Time to ban moderators by s.petry · · Score: 1

    Awesome moderation /.! A fact WITH A CITATION is now moderated a "troll"! More facts below this post which contain FACTS are also moderated "off topic" and down modded. Way to go!

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  66. One guy, in one month, found THREE vulnerabilities by raymorris · · Score: 1

    > cannot argue the details with you about browser extension security or isolation from possible attack vectors ... there have never to my knowledge been any compromises.

    Tavis looked at LastPass in March and reported THREE different ways for web sites (malicious JavaScript and frames) to get at all of your LastPass passwords. That's what ONE guy found in just ONE month. The technical details may not be for you, but here's an article in the popular tech press about them:

    http://arstechnica.com/informa...

    I would bet my team will find at least one more if LastPass shows up on our 18-hour test we do four times per year. Basically, we get 18 hours to find as many vulnerabilities as we can in an array of software.
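The risk raymorris and Tavis's reports describe comes down to which document is allowed to ask the extension for a credential. As an added example that is not part of this thread and not LastPass's or any other vendor's code, here is the gate a browser-integrated manager should apply before releasing anything: the vault entry is bound to an exact origin (scheme, host and port), only the top-level document may ask, plain http never qualifies, and the decision is made in the extension from its own vault, never from page-controlled JavaScript. It models the general check, not the specific bugs that were reported. The vault entries are constructed sample data and the entry shape, the `isTopFrame` flag (which a content script would take from `window.top === window.self`) and the function names are assumptions for illustration.

```javascript
// Added example (not the thread's or any vendor's code): origin gate that a
// browser-integrated password manager should enforce before exposing a
// credential to a page. Runs under Node with the built-in URL class.

// Constructed sample vault. Each entry is bound to an exact origin, not a
// hostname pattern, so bank.example.com.evil.net or http://bank.example.com
// can never match.
const vault = [
  { id: 1, origin: 'https://bank.example.com', username: 'alice', secret: 'SAMPLE-SECRET-1' },
  { id: 2, origin: 'https://mail.example.org:8443', username: 'alice@example.org', secret: 'SAMPLE-SECRET-2' },
];

// Canonical origin of the requesting document, or null if it must never be
// served. URL.origin lowercases the host and drops a default port, so
// https://BANK.example.com:443/x and https://bank.example.com/ compare equal.
function originOf(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return null;                        // unparsable: refuse
  }
  if (u.protocol !== 'https:') return null; // never fill over plain http
  return u.origin;
}

// Which entries may even be *listed* to this document. Returns usernames
// only; secrets are never returned from here. An iframe cannot ask on behalf
// of the page around it, because an attacker's frame looks identical from
// the inside.
function credentialsFor(pageUrl, isTopFrame, entries = vault) {
  if (isTopFrame !== true) return [];
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return entries
    .filter((e) => e.origin === origin)
    .map((e) => ({ id: e.id, username: e.username }));
}

// Release exactly one secret, by entry id, and only after the user confirmed
// the choice in the extension's own UI (userConfirmed comes from that UI,
// never from the page). Re-runs the origin/frame gate so a page cannot skip
// credentialsFor and ask for an arbitrary id.
function releaseSecret(entryId, pageUrl, isTopFrame, userConfirmed, entries = vault) {
  if (userConfirmed !== true) return null;
  const allowed = credentialsFor(pageUrl, isTopFrame, entries).some((e) => e.id === entryId);
  if (!allowed) return null;
  const entry = entries.find((e) => e.id === entryId);
  return entry ? entry.secret : null;
}

module.exports = { vault, originOf, credentialsFor, releaseSecret };
```

The point of splitting listing from release is that a page-reachable API should expose at most "which accounts exist for this exact origin", and a single secret only after an out-of-page confirmation; nothing reachable from page JavaScript iterates the whole vault.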

  67. Re:One guy, in one month, found THREE vulnerabilit by execthis · · Score: 1

    I'm familiar with this research. But have you any evidence of an actual breach incident where data was stolen?

    Also, do you expect that no technology will ever have some form of potential vulnerability? It's true that the ultimate security is simply to have a system that cannot be used. If something is so inconvenient or cumbersome to users it will never be used. But we live in a real world where there are risks and drawbacks. As far as I can ascertain, the benefit of using Lastpass vastly exceeds the drawback in comparison with every other system.

  68. Counter-productive approach, my friend by raymorris · · Score: 1

    There are basically two possible responses when someone, or a group of people, points out something you didn't think about.

    Some people try to LOOK smart by continuing to argue and hope to convince readers that they know better than all of the experts. People take this to absurd extremes, to the point of arguing that it's a good idea to allow random JavaScript from any web site (or ad) to read all of your passwords.

    Another type of response is to actually BE smart and learn something. These people respond with "that's a good point; I hadn't thought about that."

    The thing about the first option, trying to look smarter than the experts, is that you end up trying to argue that you really want every ad on the web to have access to your bank password, and then you look dumb. Trying to look smarter just makes you look dumb. But not any ordinary dumb. The information has been presented to you and you've purposely refused to learn anything - intentional ignorance. That's extra dumb, when a person chooses, even fights, to avoid learning anything.

    1. Re:Counter-productive approach, my friend by execthis · · Score: 1

      shove your ad hominem shit up your ass. you failed to answer my question.

  69. So Open Source is secure? by Anonymous Coward · · Score: 0

    Funny how everyone here, normally rabid about the security and superiority of Open Source software chooses to ignore the elephant in the room.

    The hack was through the use of Apache Struts that allowed access to the data. If it were Microsoft software everyone here would be gleefully jumping up and down on them.

    When will we admit that all computer systems are inherently insecure and start making it a priority to harden all systems? When will all programmers start considering computer security as an integral part of project design and implementation?

    Certainly the first step needs to be the imposition of serious penalties for company managers whenever there is a data leak. Further breach reporting laws need to be implemented so that breaches are quickly reported.