Slashdot Mirror


Credit Reporting Firm Equifax Announces 'Cybersecurity Incident Impacting Approximately 143 Million US Consumers' (cnbc.com)

Equifax, which supplies credit information and other information services, said Thursday that a cybersecurity incident discovered on July 29 could have potentially affected 143 million consumers in the U.S. "The leaked data includes names, birth dates, social security numbers, addresses and potentially drivers licenses," reports CNBC. "209,000 U.S. credit card numbers were also obtained, in addition to 'certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.'"

Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident." Equifax is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities.

UPDATE (9/7/17): According to Bloomberg, "three Equifax senior executives sold shares worth almost $1.8 million" in the days after the company discovered the security breach. Regulatory filings show that three days after the breach was discovered on July 29th, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Meanwhile, "Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2."


  1. Free Credit Reporting? by Lothsahn · · Score: 4, Funny

    Do I get free credit reporting for this? Is it from Equifax?

    --
    -=Lothsahn=-
    1. Re:Free Credit Reporting? by MrLogic17 · · Score: 3, Informative

      You probably know this already, but you already get one free per year from each of the 3 credit reporting agencies. (Thanks Uncle Sam!)

      If you time it right, you can pull one every 4 months (rotating agencies, using each one yearly)

      https://www.annualcreditreport...

    2. Re:Free Credit Reporting? by slew · · Score: 3, Informative

      You probably know this already, but you already get one free per year from each of the 3 credit reporting agencies. (Thanks Uncle Sam!)

      If you time it right, you can pull one every 4 months (rotating agencies, using each one yearly)

      https://www.annualcreditreport...

      Free credit report != Free fraud alert/monitoring.
      Lots of fraud can happen in a 4 month time...

    3. Re:Free Credit Reporting? by Lothsahn · · Score: 1

      Very helpful information, but yes I already knew this. I was just being funny. :)

      --
      -=Lothsahn=-
    4. Re:Free Credit Reporting? by Applehu+Akbar · · Score: 5, Funny

      No, Equifax is going to treat the breach as a "hard pull" on everyone's account and ding your score for it.

    5. Re:Free Credit Reporting? by amicusNYCL · · Score: 3, Funny

      Don't worry, you'll figure it out when someone uses your personal data that they stole from Equifax to open accounts in your name, which causes your credit rating to go down, which will show up on your credit report. From Equifax.

      Anyone want to place wagers on whether or not Equifax will drop your score because people stole your identity with the data they got from Equifax?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    6. Re:Free Credit Reporting? by Nethemas+the+Great · · Score: 4, Informative

      You mean it in humor, but I fear it as fact. 143 million of us just became higher risk.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    7. Re:Free Credit Reporting? by Cederic · · Score: 1

      I read (but can't verify) that enrolling through this site requires you to agree not to sue Equifax.

      Read the T&Cs carefully.

      Disclaimer: I have monetary interests here, so don't trust me.

    8. Re:Free Credit Reporting? by kuhnto · · Score: 1

      Locking your credit reports will go a long way to prevent fraud. It's a pain to do and costs money, but has worked well for me so far.

      --
      "A 'person' is smart. 'People' are dumb, panicky animals and you know that."
    9. Re:Free Credit Reporting? by david_thornley · · Score: 1

      I look over my statements, just in case.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    10. Re:Free Credit Reporting? by slew · · Score: 1

      I look over my statements, just in case.

      Reading many of the comments, I don't think most people understand the threat of identity theft.

      They usually don't use your information to access/empty your existing bank accounts, or charge up your current credit accounts; they attempt to create new credit accounts using your stolen information but with bogus addresses, phone numbers and emails, so you don't know that they did it until the account is so delinquent that it goes into collection (and you get a call from a collection agency trying to track you down).

      Although you aren't technically liable for these things, clearing up your credit can take years (and a significant amount of your spare time) and you will have to deal with the hassle for quite a while.

      Freezing your credit will let you know when they *apply* for the fraudulent credit. Even minimally putting a fraud alert on your credit will alert the business to be extra vigilant before extending credit using those credentials.

      Simply looking over statements sent to you for existing accounts and getting a credit report every 4 months is a piss poor substitute for fraud alert/monitoring. Equifax should be offering to freeze everyone's credit for free who has been affected (instead of giving out free samples of their product for a year in exchange for not suing them).

  2. Public Info? by nealric · · Score: 4, Insightful

    At this point, is there anybody left in the U.S. who has not had their names, addresses, and socials stolen in a hack somewhere?

    1. Re:Public Info? by Anonymous Coward · · Score: 1

      Illegal Aliens.....

    2. Re:Public Info? by Lab+Rat+Jason · · Score: 5, Insightful

      NOW can we stop using SS# as a national identifier? Jeez!

      --
      Which has more power: the hammer, or the anvil?
    3. Re:Public Info? by Anonymous Coward · · Score: 1

      Being affected by a data breach doesn't entitle you to have your SSN changed. VERY few people can ever get it changed, no matter how much it gets abused by fraudsters. Victims are normally just expected to be diligent about disputing any accounts opened in their name they didn't authorize. No way half the population will get a new SSN.

    4. Re:Public Info? by Anonymous Coward · · Score: 1

      At this point, is there anybody left in the U.S. who has not had their names, addresses, and socials stolen in from a hack somewhere?

      Little Bobby Tables.

    5. Re:Public Info? by networkBoy · · Score: 5, Insightful

      Why?
      It *is* a national identifier. It needs to stop being used as an authenticator.
      SSN and Name first, Name last, Name middle should be interchangeable from a data and security standpoint.

      The problem is that SSNs have been used as authenticators for the name and that's not what they were designed for.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    6. Re:Public Info? by fustakrakich · · Score: 1

      Name first, Name last, Name middle

      Usually you fill out the form: Last Name First Name Middle Name Last...

      --
      “He’s not deformed, he’s just drunk!”
    7. Re:Public Info? by Lab+Rat+Jason · · Score: 4, Insightful

      It is an imperfect national identifier because not everyone in the nation has one. It is an imperfect national identifier because you cannot change it when compromised. It is an imperfect national identifier because the nation allowed it to be hijacked as a commercial identifier. Banks and creditors in general should have to fend for themselves if they want to properly identify a debtor, rather than relying on a number that was issued for a completely different purpose.

      --
      Which has more power: the hammer, or the anvil?
    8. Re:Public Info? by vux984 · · Score: 1

      It is an imperfect national identifier because not everyone in the nation has one.

      All identifiers are imperfect.

      It is an imperfect national identifier because you cannot change it when compromised.

      An identifier can't be 'compromised'; it's not really supposed to be a 'secret'. It's flawed to use it as a secret. Its fine as an identifier.

      It is an imperfect national identifier because the nation allowed it to be hijacked as a commercial identifier

      How does that have any bearing on its suitability to be an identifier?

      Banks and creditors in general should have to fend for themselves if they want to properly identify a debtor, rather than relying on a number that was issued for a completely different purpose.

      Um... what should they use? And even if they came up with something, it would be a matter of hours before a table of new_bank_id to ssn's was created, and a few hours more before it was leaked, making it a moot point.

    9. Re:Public Info? by Sloppy · · Score: 1

      It still sounds fine as an identifier. But if anyone is thinking of it as a secret, they probably need to change the combo on their luggage.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    10. Re:Public Info? by Sloppy · · Score: 1

      "143 million U.S. customers" sounds a whole lot like someone's guess as to how many adults live in USA. I don't know if it's correct, but it's gotta be in the ballpark.

      I suspect this means that Equifax leaked their entire database.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    11. Re:Public Info? by Jarik+C-Bol · · Score: 1

      This breach is nearly half of the US. At this point, I assume with total confidence that my data is in the hands of someone it should not be.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
    12. Re:Public Info? by NicknameUnavailable · · Score: 1

      Iris scans and PKI for everyone!!! Actually, I'm okay with it.

      More likely it will be an excuse to give everyone chips.

      And the second beast required all people small and great, rich and poor, free and slave, to receive a mark on their right hand or on their forehead, so that no one could buy or sell unless he had the mark

    13. Re:Public Info? by thomst · · Score: 1

      NicknameUnavailable predicted:

      More likely it will be an excuse to give everyone chips.

      I like the wavy kind ...

      --
      Check out my novel.
    14. Re: Public Info? by networkBoy · · Score: 1

      A SSN-PIN.

      You are issued a public credential (your SSN) and a private validation token (PIN). PIN can be changed and is offered as a secure authenticated lookup service from the Social Security Administration.

      Still not perfect, sure, but a hell of a lot better.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
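      The SSN-plus-PIN scheme networkBoy sketches above, together with vux984's earlier point that any replacement identifier is linkable back to the SSN within hours so the identifier itself can never be the secret, as an added example that is not code from the original thread or from any agency: a toy lookup service in which the SSN is a plain lookup key and the only secret is a rotatable PIN, stored as a salted PBKDF2 hash and throttled against online guessing. The class and function names, the lockout threshold and the sample SSN/PIN values are assumptions made for the illustration; 123-45-6789 is a constructed placeholder, not a real number.

```python
"""Identifier vs. authenticator: a toy SSA-style PIN validation service (illustrative, not a real API)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to the hardware
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold for a low-entropy PIN


def normalize_ssn(ssn: str) -> str:
    """The SSN is public and only ever used as a lookup key, so we just canonicalize it."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN is exactly nine digits")
    return digits


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash of the secret; the SSN is deliberately NOT an input here."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PinService:
    """Maps the public identifier (SSN) to a changeable secret (PIN)."""

    def __init__(self) -> None:
        # ssn -> {"salt": bytes, "hash": bytes, "failures": int}
        self._records: dict[str, dict] = {}

    def enroll(self, ssn: str, pin: str) -> None:
        """Create (or replace) the PIN record; a fresh salt each time."""
        key = normalize_ssn(ssn)
        salt = secrets.token_bytes(16)
        self._records[key] = {"salt": salt, "hash": _hash_pin(pin, salt), "failures": 0}

    def verify(self, ssn: str, pin: str) -> bool:
        """Authenticate the caller. Unknown SSN and wrong PIN give the same answer,
        so the service cannot be used to enumerate which SSNs are enrolled."""
        key = normalize_ssn(ssn)
        rec = self._records.get(key)
        if rec is None:
            return False
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            # A 4-digit PIN has 10,000 values; without a lockout it falls to online guessing.
            return False
        ok = hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok

    def rotate(self, ssn: str, old_pin: str, new_pin: str) -> bool:
        """Change the secret. The identifier (SSN) never changes; only the PIN does,
        which is the property the SSN-as-secret design lacks."""
        if not self.verify(ssn, old_pin):
            return False
        self.enroll(ssn, new_pin)
        return True


if __name__ == "__main__":
    svc = PinService()
    svc.enroll("123-45-6789", "4821")               # constructed placeholder values
    print(svc.verify("123456789", "4821"))          # formatting of the identifier is irrelevant
    print(svc.rotate("123-45-6789", "4821", "7730"))
    print(svc.verify("123-45-6789", "4821"))        # old secret no longer works
```

      The point of the lockout is that the PIN is only safe as an online credential. The same low entropy is the caveat: if the table of salts and hashes leaks, as the thread assumes any such table eventually will, an offline attacker needs at most 10,000 PBKDF2 computations per record, so the PIN store itself has to be protected (for example with a pepper kept outside the database, or a hardware-backed verifier) in a way the SSN column never needed to be.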
    15. Re:Public Info? by saccade.com · · Score: 1

      Probably not. Given a total US population of 320M, leaking data on 143M probably covers most every adult with a credit card.

    16. Re:Public Info? by thomst · · Score: 1

      Y'know, given that TFS states that 209,000 credit card numbers were compromised, I tend to think that the whole "potentially exposing the data of 143 million customers" hyperventilation is an invention of TFA's author, and that the actual number of customers whose data was exposed was 209,000 or fewer (because of the 182,000 customers' dispute data specifically mentioned thereafter, and assuming that 27,000 of those customers had two credit cards listed in their dispute files).

      I'm just sayin' ...

      --
      Check out my novel.
    17. Re:Public Info? by reboot246 · · Score: 1

      My Social Security card is old enough to have this printed on it: "Not to be used as identification."

      But everybody and his brother will ask for it every time you try to do business with them - the doctor, the phone company, the cable company, etc. etc. etc.

      I always ask why they need it and they can never come up with a good answer. I also don't have my SS# on my driver's license.

    18. Re:Public Info? by KingMotley · · Score: 1

      No, it is not since it is not unique

      Ah, but it absolutely IS unique. There may be someone else incorrectly claiming that number was assigned to them, and it does happen, but the number absolutely is unique. Your father may "share" a number with someone else, but only one of them is correct.

      The SSA attempted a few times to correct these errors, but were shut down by immigration lobbyists. That needs to change. If immigrants want to work here, fine, and if they want or need a SSN, then they should get one rather than just "borrowing" someone else's.

      And stop being an anonymous coward. If you are going to make incorrect statements like an idiot, then please, put your name to it, or don't post.

    19. Re:Public Info? by Nethemas+the+Great · · Score: 1

      No. States rights; invasion of privacy; {...}; get off my lawn!

      --
      Two of my imaginary friends reproduced once ... with negative results.
    20. Re:Public Info? by Nethemas+the+Great · · Score: 1

      At this point, I assume with total confidence that my data is in the hands of someone it should not be.

      It took you this long...

      --
      Two of my imaginary friends reproduced once ... with negative results.
    21. Re:Public Info? by jmccue · · Score: 1

      NOW can we stop using SS# as a national identifier? Jeez!

      Well many years ago companies and government were told/encouraged/warned NOT to use the SSN for ID purposes and my original card had something like that printed on it. Of course everyone and their brother ignored that. So here we are.

    22. Re: Public Info? by Trondheim · · Score: 1

      You make it sound like it was a just, valiant cause for them, coming to this country and breaking our laws. Just so they can have a better life. And then many of them turn to identity theft to be able to get the benefits of being a citizen. Sorry, that just doesn't fly.

    23. Re:Public Info? by jezwel · · Score: 1

      It's going to be amusing when we start reusing numbers. We've already exhausted about 460 million of the 988.9 numbers available.

      Can you not change it to alphanumeric?

      If you started that process now, everything used everywhere would have time to be replaced with updated software that can handle that format - even those places running COBOL or FORTRAN or whatever the flavor was 40 years ago.

    24. Re:Public Info? by DarkMagician07 · · Score: 1

      Mine has that on it, as well, as do my kids' SSN cards. To my knowledge, it's on all SSN cards, though I haven't seen any that are newer than 11 years ago.

    25. Re:Public Info? by dgatwood · · Score: 2

      Victims are normally just expected to be diligent about disputing any accounts opened in their name they didn't authorize. No way half the population will get a new SSN.

      You see, I think that victims being diligent is just as much the wrong answer as getting a new SSN. It isn't our responsibility to catch bad guys in the act when they use our name and SSNs to obtain credit. It is the credit reporting agencies' responsibility to exercise due diligence in determining whether or not someone should extend credit in my name, and in determining whether claims of failure to pay back said credit are legitimate or the result of fraud. That's literally what companies are paying them to do!

      More to the point, calling anything "identity theft" is, in fact, a lie. It isn't identity theft, because you can't steal someone's identity. We should just cut all the politically correct crap and call it what it is: libel arising out of gross negligence.

      When a company makes false claims about an individual, that's libel. It is illegal. So when a credit bureau claims in writing that you obtained credit that you did not, they are violating the law, and you can sue them. If every victim of so-called identity theft—every victim of gross negligence by credit bureaus to exercise due diligence—were to sue the credit reporting agencies for libel, they would have two choices: go out of business or start doing their [expletive deleted] jobs.

      More to the point, because it occurs en masse, one could argue that it rises to the level of criminal libel, at least in states where such laws still exist (including California, as of last year).

      Of course, libel is just the beginning of the laws that the credit bureaus are breaking. If I were an attorney general, I would have long ago prosecuted the heads of the major credit reporting bureaus under RICO statutes, because they're quite literally profiting from every side of identity theft:

      • They profit from not having to incur the cost of due diligence to ensure that requests for credit are legitimate.
      • They profit from selling the potentially libelous credit reports to companies.
      • They profit from selling "credit watch" services to protect people's credit from future fraudulent credit requests and the libel arising out of those requests. (That's a nice credit score you have there. It would be a shame if something... happened to it.)

      Literally, these credit watch services do nothing but protect the consumers from libel by the credit bureaus that sell the credit watch services. That's the textbook definition of racketeering! How are these people not in jail yet? Because they have money? Because they're hiding behind the corporate veil? These companies should simply be RICOed out of existence.

      I've said for years that the only thing that would ever force these clowns to clean up their act would be if every SSN in the U.S. got compromised, and that it was only a matter of time before the entire credit bureau industry came crashing down like a house of cards. With this one incident, our country got most of the way there. That 143 million people is almost everyone who has applied for credit or bought cable TV service or phone service or really just about anything else in the past ten years. It includes nearly the entire working population of the U.S. Clearly, SSNs are not even slightly useful as a "secret" anymore, and any credit bureau claiming otherwise is peddling libel and fraud.

      So what remains is for the credit bureaus to pull their heads out of their collective a**es and implement a proper callback-based verification scheme in which a reasonable attempt is made to verify every request for

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    26. Re:Public Info? by thegarbz · · Score: 1

      It is an imperfect national identifier because you cannot change it when compromised

      You're doing exactly what the GP said not to do. An SSN is an identifier, not an Authenticator. It is not possible to compromise an identifier any more than another person who has the same name as you "compromises" your name.

      Or should I "compromise" your Slashdot account by going over to soylent news and signing up as Lab Rat Jason?

    27. Re: Public Info? by Jesus+H+Rolle · · Score: 1

      Ruffles have ridges!

    28. Re: Public Info? by Jesus+H+Rolle · · Score: 1

      Same at least as late as the early 00s. It was printed on every student ID.

    29. Re:Public Info? by AmiMoJo · · Score: 1

      We need to accept that there will never, ever be a unique, permanent identifier for every person. As useful as such an identifier would be, it can't exist.

      Government issued IDs don't get issued to everyone, and due to errors sometimes get duplicated or associated with the wrong person. Names are not unique, even combined with dates of birth and the like. Names change over time, e.g. due to marriage. People are recorded as dead and then turn up alive and well more often than you might think, most often due to the clerk paper-murdering the wrong person.

      This means that the banking system and a lot of other stuff needs to change.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    30. Re: Public Info? by cyber-vandal · · Score: 1

      [citation needed]

    31. Re:Public Info? by Jarik+C-Bol · · Score: 1

      Correction: "At this point, I've long assumed"

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
    32. Re:Public Info? by nealric · · Score: 1

      Probably not even most of them. If they've been using a fake SSN (which they need unless they are only making cash under the table), that SSN has probably been associated with them for credit reporting purposes. Even the ones who are 100% cash under the table probably have some identifying information out there that has been hacked- ID numbers from their country of origin, etc.

  3. I have one thing to say by gerald.edward.butler · · Score: 5, Insightful

    CLASS ACTION LAWSUIT! These companies that want to collect all this personal data of people and fail to protect it need to be sued into non-existence!

    1. Re:I have one thing to say by ichimunki · · Score: 1

      If that doesn't work, perhaps a law stating that the person who is the subject of a credit check gets to designate which credit reporting agency is to be used by their potential creditors.

      --
      I do not have a signature
    2. Re:I have one thing to say by burtosis · · Score: 1

      The problems are billion dollar companies are first class citizens with rights. Plebs don't get any rights above them. Hell we plebs are lucky to have any rights, they only exist at the pleasure of these giants among men.

    3. Re:I have one thing to say by AmiMoJo · · Score: 1

      This could be a lawsuit goldmine. Not just for the breach, but for errors people will now be able to discover in their reports.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:I have one thing to say by BitterOak · · Score: 1

      CLASS ACTION LAWSUIT! These companies that want to collect all this personal data of people and fail to protect it need to be sued into non-existence!

      What would be the basis for such a suit? In most cases there's no business relationship between the consumer and Equifax, so there is no implied trust here. Equifax never promised, either directly or implicitly, to the consumer to keep their data secure, so there's no real breach of trust here. I don't see how the consumers have any standing to sue. Perhaps the retailers who supplied the data to Equifax may have some standing to sue as there may have been an implied expectation of privacy, but I don't see how the consumers can sue Equifax directly.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    5. Re:I have one thing to say by Dutch+Gun · · Score: 4, Informative

      It's funny you mention "gold". During the great California and Alaska gold rushes, do you know who really struck it rich? It was the folks selling mining hardware and other supplies to the miners. The vast majority of miners didn't make much at all.

      I think it's an appropriate comparison for modern-day class action suits. These types of lawsuits make lawyers rich, and everyone else gets enough for a free latte or two.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    6. Re:I have one thing to say by CaptainDork · · Score: 2

      Preach it!

      I'm a retired IT guy for some law firms. Management asked me for years, stuff like: WHEN is this spam going to stop?

      My reply, for over 20 years was, "Maybe after you use your goddam talents and sue the mother fuckers."

      Litigation cures a lot of ills.

      Companies will not address security until it falls outside the cost of doing business.

      For reference, see litigation regarding fire codes.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:I have one thing to say by HeckRuler · · Score: 1

      There would certainly be company-sized HOLES that other companies could fill. There would be void and vacuums for periods of time, and there's a real risk that corporate espionage would be a big tool for corporations to simply kill each other. But I don't think any business should be "too big to fail". If they screw up, they should pay. If that brings them under, so be it. Have a fire-sale and let some younger company pick up the pieces and start anew. Hopefully with something that doesn't pollute cyberspace with all of our info.

    8. Re:I have one thing to say by pnutjam · · Score: 1

      I'd like a free latte.

    9. Re:I have one thing to say by Cederic · · Score: 1

      Well, in the UK there's a metric fuckload of regulation to which they must adhere.

      There's also something fun coming down the track: GDPR. Equifax are very very lucky that this happened in May 2017 and not May 2018.

    10. Re:I have one thing to say by BitterOak · · Score: 1

      Likewise, if Equifax, through gross negligence, causes me serious harm

      Negligence implies a duty of care. I don't know that Equifax has a duty of care to these consumers in this case. Unless there's some regulation I'm not aware of. Perhaps as a result of this, some new regulations will be passed, but they can't apply retroactively. So again, I don't think there's standing to sue in this case.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  4. Opt out? by Anonymous Coward · · Score: 1

    I have never trusted these credit companies, and now I can point to why.

    I don't want any more credit cards. I have no need for asking for more credit.
    I don't recall ever being asked by my bank for permission to share information with Equifax or Transunion.

    Would it really break the US banking system, if there was a way for us to opt out of having our spending history sent to 3rd parties?
    (Equifax is third party between me and my bank)

    Why is there this assumption of agreement for this sharing of information?
    I don't recall any newspaper articles about a national discussion and debate on this decision?
    When did it happen? Who decided that this was okay?
    In the 1940s - did Equifax exist then? At some point the banks decided to share this?

    1. Re:Opt out? by MightyMartian · · Score: 1

      I'm fairly certain if you have applied for credit of any kind, somewhere on the dizzying array of forms in the small print you did indeed consent to sharing your financial information with Equifax. In fact, I doubt there's any kind of main street lender anywhere in the US or Canada that would loan you so much as a penny without your consenting to this, so about the only way you could have borrowed money without this consent is if it was from a guy in a trenchcoat in a dark alley who went by the name "Vinny the Knife".

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Opt out? by MightyMartian · · Score: 1, Insightful

      Neither did Equifax, I'm sure. Their crime is not securing their systems, which would obviously be a very attractive fruit for any hacker to try to pluck, and in a perfect world Equifax would be fined billions of dollars and its management would rot in prison cells for a very long time. As it is, I'm sure the FCC will do some shoddy little investigation that amounts to a few million dollars in fines, there will be a class action lawsuit that probably will see some small fraction of the victims get some measly payout sometime before the heat death of the Universe.

      I'll tell you who's clinking their champagne glasses right now, it's the lawyers. No matter who loses, they always win.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Opt out? by Dutch+Gun · · Score: 1

      Company-destroying fines or jail sentences will probably just mean said companies will do anything to cover up this sort of breach. Moreover, these sorts of breaches can occur even when everything is done as correctly as possible due to things like targeted spear-phishing or rogue employees. We want companies to be able to disclose these sorts of things responsibly, even if it was their lack of proper oversight that caused the problem in the first place (and yes, most of the time it DOES seem to be their fault)

      Perhaps a different approach is needed. Say we pass a law that requires companies which store personal data to divert a small percentage of profits into some sort of escrow fund which grows proportionally to the amount and sensitivity of the personal information they're storing. If a breach occurs, that escrow fund is drained and distributed to the victims, and the company has to start re-filling a new fund.

      This gives an immediate, tangible incentive to protecting that data, and not only that, gives the data an unambiguous monetary value, which creates a strong incentive to protect it just like any other asset. This also creates a disincentive for companies to collect personal information "just because". They immediately are subjected to much more government regulation and oversight, and such data becomes a potential financial drain if not properly managed.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Opt out? by jeff4747 · · Score: 2

      I don't recall ever being asked by my bank for permission to share information with Equifax or Transunion.

      It's buried in the boilerplate you signed when opening your account(s).

      The company names may or may not be there. If they are not there, the paperwork uses something vague like "credit reporting agencies" or even "third parties".

      Would it really break the US banking system, if there was a way for us to opt out of having our spending history sent to 3rd parties?

      Only in as much as you'd never be able to get a loan, rent a house/apartment or open a new bank account ever again.

      Why is there this assumption of agreement for this sharing of information?

      Because 1) you agreed to it, and 2) centralized reporting is very handy for creditors.

      I don't recall any newspaper articles about a national discussion and debate on this decision?

      It's not a law, so there was no national debate. Theoretically, banks do not have to use credit reporting agencies. However, they all do.

      In the 1940s - did Equifax exist then?

      Nope. And it was much, much harder for any but the wealthy to get loans.

    5. Re:Opt out? by Comrade+Ogilvy · · Score: 1

      I once had an identity theft incident, nearly 25 years ago, where a couple credit cards were taken over (mailing address changed, and new copies of credit cards shipped) and a few new credit card accounts opened. I caught the problem early enough that the damage was minor, more nuisance than financial.

      But a little digging and simple deduction led me to this conclusion: someone gained access to my full name, mailing address, SSI, mother's maiden name, and multiple open credit card account numbers. Now where in the universe can this entire array of data be found in one place? My bank? Nope. University? Nope. Employer? Nope. Any one credit card company? Nope.

      You guessed it! Credit reporting agencies.

      Now it is theoretically possible that an energetic fraudster could gain a few tidbits and build from there. But the dirty little secret sitting in plain sight is the financial institutions themselves, particularly anyone and everyone who deals with credit card data, are the most likely places to leak. That has been true since forever, and it has not changed and will not change, until the laws are very different.

      From my POV, most credit protection services are really a sick joke: "As your personal bank or personal credit card company, we would be happy to collect a monthly fee to mitigate the risks you bear due to our incompetence."

    6. Re: Opt out? by easyTree · · Score: 1

      Yes, most lenders appear to believe in the ability of these credit agencies to securely store and correctly interpret your data to predict future creditworthiness.

      Equifax et al should pivot to focusing on their core strength which is persuading others of their ability to do the impossible - that is pure gold squared (10% to me for suggesting it: P )

    7. Re:Opt out? by pnutjam · · Score: 1

      Don't forget chexsystem, I guess they are falling under the free credit report law now, good.
      Free report here.

    8. Re:Opt out? by pnutjam · · Score: 1

      No policy that creates a pool of unassigned growing money is a good one. Someone will figure out how to tap it and it will probably be damaging.

  5. The beating will continue.. by WolfgangVL · · Score: 1

    Until accountability is found.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  6. How to fix the broken system? by gerf · · Score: 1

    Obviously having a lifelong single password (SS#) is not enough anymore. But we still want identification that is relatively quickly accessed and verified. Could we reissue with a public and private key pair for each citizen? Could we trust the certs? What options can the slashdot crowd think of?

    1. Re:How to fix the broken system? by Anubis+IV · · Score: 4, Insightful

      Social Security numbers are fine. The problem is that organizations have foolishly been using them for authentication ("Prove you are you!"), rather than merely identification ("Who are we talking about?"), which was all they were ever designed to do. As a means for identification, it generally still works just as well today as it did when it began. As a method for authentication, it was lousy from the start and has been getting worse by the day.

    2. Re:How to fix the broken system? by fahrbot-bot · · Score: 5, Informative

      Social Security numbers are fine. The problem is that organizations have foolishly been using them for authentication ("Prove you are you!"), rather than merely identification ("Who are we talking about?"), which was all they were ever designed to do.

      Even more narrowly than that. Its original purpose was to track workers solely for use in determining SS benefits - that's it. From The Story of the Social Security Number

      The Social Security number (SSN) was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels.

      --
      It must have been something you assimilated. . . .
    3. Re: How to fix the broken system? by gerf · · Score: 1

      Or if the private key is a number/letter matrix and the authentication includes only sending a subset of data for authentication. If one subset is compromised, such as 8 random character positions out of a 40x40 matrix, then the whole is not known. Plus a personal changeable pin to salt it each time. New cards would have to be able to be certifiably re-released as well... Maybe only with biometrics.
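
gerf's grid-card idea above, worked through as an added illustration (my own code, not anything from the thread and not any real issuer's scheme): a 40x40 card of alphanumeric cells, a challenge that names 8 random cells, and a changeable PIN that keys an HMAC over those cells so the raw cells never travel over the wire. The compromise model I assume is that the plaintext answers to a session are captured (for example typed into a look-alike page), and the `exposure_after` function shows how little of the card that reveals. The 40x40 and 8-cell figures come from the comment; the PIN value, seed and all function names are my assumptions.

```python
"""Grid-card challenge/response sketch (added illustration, not from the thread)."""
import hashlib
import hmac
import random
import string

GRID_SIZE = 40          # 40x40 card, the size used in the comment
CHALLENGE_CELLS = 8     # cells requested per authentication, as in the comment
ALPHABET = string.ascii_uppercase + string.digits


def make_grid(rng):
    """Return GRID_SIZE rows of GRID_SIZE random alphanumeric cells.
    Use random.SystemRandom() when issuing real cards; the demo passes a
    seeded random.Random so the result is reproducible."""
    return ["".join(rng.choice(ALPHABET) for _ in range(GRID_SIZE))
            for _ in range(GRID_SIZE)]


def make_challenge(rng):
    """Pick CHALLENGE_CELLS distinct (row, col) positions on the card."""
    positions = rng.sample(range(GRID_SIZE * GRID_SIZE), CHALLENGE_CELLS)
    return [(p // GRID_SIZE, p % GRID_SIZE) for p in positions]


def read_cells(grid, challenge):
    """The characters the card holder would read off for this challenge."""
    return "".join(grid[r][c] for r, c in challenge)


def respond(grid, pin, challenge):
    """Client side: HMAC keyed by PIN plus the requested cells, over the
    challenge positions. The PIN is the per-user salt the comment asks for;
    the cells are the card secret. Neither leaves the client in clear."""
    key = (pin + read_cells(grid, challenge)).encode()
    msg = ",".join(f"{r}:{c}" for r, c in challenge).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(grid, pin, challenge, response):
    """Server side: recompute the expected response and compare in
    constant time. Note the server must hold the full grid and the PIN."""
    expected = respond(grid, pin, challenge)
    return hmac.compare_digest(expected, response)


def exposure_after(challenges):
    """Cells an adversary learns if the plaintext answers to these
    challenges are compromised. Returns (distinct cells known,
    fraction of the whole card known)."""
    known = set()
    for ch in challenges:
        known.update(ch)
    return len(known), len(known) / (GRID_SIZE * GRID_SIZE)


def challenge_answerable(challenge, known_cells):
    """True only if every cell of a fresh challenge is already known,
    i.e. the captured material suffices to answer it."""
    return all(pos in known_cells for pos in challenge)


def demo(seed=1):
    """Issue a card, run one session, then model one leaked session."""
    rng = random.Random(seed)          # constructed demo RNG only
    grid = make_grid(rng)
    pin = "4711"                       # constructed demo PIN
    ch = make_challenge(rng)
    resp = respond(grid, pin, ch)
    ok = verify(grid, pin, ch, resp)
    wrong_pin = verify(grid, "0000", ch, resp)
    # One leaked session exposes 8 of 1600 cells (0.5% of the card); a
    # fresh challenge is answerable only if all 8 of its cells are among them.
    n_known, fraction = exposure_after([ch])
    fresh = make_challenge(rng)
    return ok, wrong_pin, n_known, fraction, challenge_answerable(fresh, set(ch))


if __name__ == "__main__":
    print(demo())
```

Two things the numbers make visible: a single captured session gives an attacker 0.5% of the card, so the scheme degrades gradually rather than failing at once, and the PIN means captured cells alone do not reproduce a response. What it does not change is the central store: the verifier still holds every card and PIN, so a breach of the issuer's database discloses everything, which is the thread's underlying complaint.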

    4. Re:How to fix the broken system? by AHuxley · · Score: 1

      Encryption per request? Everyone who wants access gets logged in and has to provide that week's per-session key, token?
      Every data request session has to match up with a real computer in an office with a real human requesting data at a human rate of data access?

      Why not?
      From a used car sale to a gov/mil contractor seeing if the person's data has been reviewed, has data on them in their own state database.
      The problem with that is then a huge new database exists of who went searching for exactly what, when and why.
      Who gets to review all the new access logs and see who is looking for what?
      That a person wanted to work for the gov/mil and the review search was stopped after a shorter than average time? Why was the person rejected and what exact database was accessed to stop the mil/gov review?
      That's powerful information being kept on who is looking and who looked and for how long.
      Better just to log in a trusted customer and let them search. As long as they have access, data is just readable. Data in a format the customer expects.
      Customers won't trust a system that logs their searches.
      Powerful encryption and logs are not always what the customer wants. They may want access, fast speeds that offer data that's readable from any database. To know that their search terms are secure.

      --
      Domestic spying is now "Benign Information Gathering"
  7. They sat on this? by djembe2k · · Score: 4, Interesting

    Wait. TFA says they discovered this on July 29, and that their "private investigation into the breach is complete." Only now are they going public with this? How much damage could have already been done in the month of August? The breach alone creates a huge liability for them. This delay makes it worse, because they can't blame that on some other bad actor.

    1. Re:They sat on this? by Zxern · · Score: 5, Informative

      They had to wait for a few execs to complete share sell offs yesterday before releasing the public statement.

    2. Re:They sat on this? by thegarbz · · Score: 4, Interesting

      This is a good thing. A privacy breach generally goes unpunished. Insider trading on the other hand...

    3. Re:They sat on this? by Mr.+Spock · · Score: 1

      Insider trading on the other hand...

      Also goes unpunished. Just don't lie to the FBI, because then you're going to jail.

    4. Re: They sat on this? by maple_shaft · · Score: 1

      Which is illegal because it is trading securities on insider information. Hope the SEC fries these clowns.

    5. Re:They sat on this? by thegarbz · · Score: 1

      Also goes unpunished

      Errr no. It's the one kind of financial fraud that is actually very actively policed and punished. People are getting jailed for it constantly.

  8. That's it... by Thelasko · · Score: 1

    ...society is over. Back to subsistence living and bartering.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  9. Most of their customers have no recourse by misnohmer · · Score: 5, Insightful

    Typically when a company screws its clients, they risk clients no longer using their service, so usual market forces apply. This is not the case here. Most of their customers never chose to use Equifax or even given any explicit permission for them to collect their data. Yet, they do collect it and sell credit scores. The problem is that market forces don't work here, i.e. those customers who got hurt are not really paying, or even willing, customers and have no choice to opt out of the service, and those who buy credit scores are not really affected much.

    As much as I am generally against regulation, this is one area I think they should be held fully liable, including compensating any affected customers for ALL of their expenses, including their time at some reasonable rate at or above what that customer usually makes per hour - that includes any waiting on hold while calling any of the companies to clear things out. Maybe this would cost Equifax its life, so be it, the next company will be much more careful what they do with the data. This would be no different than an airline being held liable for damaging property or killing people because their planes are shedding parts - the people hurt are not airline customers, they are the homeowners who had an aircraft part crash through their roof into their living room.

    1. Re:Most of their customers have no recourse by Fly+Swatter · · Score: 1

      The breach only affects consumer data, which is not really a client or customer of Equifax. Those would be the banks and lenders that use their data conglomeration services.

      The thing about this that bugs me is why in the hell were public facing computers holding access to basically everything someone needs to completely take your identity. Why is that company even allowed to hold anything other than your address, ss# and reporting history ? They shouldn't have credit card or even bank account number info imho. If that makes it tough for them to do business, well that is their problem. Ok now I'm ranting, but the whole idea that credit cards have become the way people do business just annoys me. Earn the money, then spend it. Credit cards should be a last resort.

    2. Re:Most of their customers have no recourse by burtosis · · Score: 2

      Reminds me of when Experian basically let all their data be stolen too. They purchased a company that then stole the data. Or when all 3 credit agencies had a breach. But they sure got their due when the hundred billion dollar fines rolled in!!! Just kidding of course, barely a slap on the wrist. Nothing is going to happen and Equifax will promise not to do it again - until it happens again in about 18 months.

    3. Re:Most of their customers have no recourse by BitterOak · · Score: 1

      As much as I am generally against regulation, this is one area I think they should be held fully liable, including compensating any affected customers for ALL of their expenses

      The problem is, I'm not sure under what grounds Equifax could be held liable here. When a retailer (such as Target or Home Depot) is hacked, exposing customer data, the customers were able to successfully sue on the grounds that these retailers breached their trust. When a customer hands a credit card over to the retailer, there's an implied trust here: the customer is trusting the retailer not to leak their private info, and when a retailer accepts a customer's credit card, there is an implication that their data will be protected. When the retailers were hacked and customer data stolen, the retailers were liable for breaching that implied trust. There is, however, no implied trust between Equifax and the consumers whose data was leaked. In fact, in most cases, there's no business relationship between the customer and Equifax at all. Since there is no implied trust, there can't be a breach of that trust. So, I really don't see how Equifax can be held liable here. You are suggesting regulation, but what form would this regulation take, exactly? How can you regulate a business relationship which doesn't exist?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    4. Re:Most of their customers have no recourse by Anonymous Coward · · Score: 1

      You mistake the relationship you have with Equifax. You are not their customer. Their customer is the lender from which you are trying to secure credit, or the employer from which you are trying to secure a job, or the insurance company from which you are trying to secure an insurance policy. You are the product.

      Unfortunately in the case of Equifax, Experian, and Trans Union, you get nothing in return but bent over and fucked. They are essentially allowed to fuck you with no compensation or recourse.

    5. Re:Most of their customers have no recourse by misnohmer · · Score: 1

      Follow my example of an airplane shedding parts causing damage to properties below. There is no implied trust between an air transport company and a homeowner who had a piece of landing gear fall through his roof. There is no business relationship between the air transport company and the homeowner either. Yet, I bet if an engine fell off of a FedEx airplane and damaged someone's home, FedEx would be held liable. IANAL, so you tell me, what would be the grounds FedEx would be held liable for damage their engine caused to a home when it fell off their plane passing overhead - assume the homeowner never did ANY business with FedEx. Is it the FAA regulation, or some other laws that kick in? My point was that we need similar regulation and laws that hold companies like Equifax liable for damages they cause, whether the damaged party is a customer or not.

    6. Re:Most of their customers have no recourse by xlsior · · Score: 1

      The difference here is that you are not equifax's customer - you are their product.

    7. Re:Most of their customers have no recourse by slew · · Score: 1

      The difference here is that you are not equifax's customer - you are their product.

      You should remember the fact you are the product every time you do a search on the internet, or partake in a free email provider...

    8. Re:Most of their customers have no recourse by UnderCoverPenguin · · Score: 1

      Except that FedEx will claim that they are not the ones liable, it's the responsibility of the aircraft maintenance company. The maintenance company will then deflect the liability on to the local contractor, who will file bankruptcy and go out of business. Meanwhile, the home owner's insurance company, knowing the preceding, will declare the incident an "act of God", therefore, not covered.

      (For those who think this wouldn't happen, something similar did happen to one of my neighbors. The "bucket lift" of a service truck for the local cable company collapsed and smashed his car. My neighbor, refusing to take "no" for an answer, pushed forward with a string of lawsuits, anyway. The cable company and the lift-truck maintenance company both got their respective cases dismissed - and court orders for my neighbor to pay their legal costs. The local contractor appeared pro se and told the judge the business was bankrupt, closed and the assets sold, leaving a little more than $500 left for a settlement (after giving the judge a copy of the bankruptcy papers). The judge told my neighbor "That's the best you're going to get" and ruled the case settled. In the end, my neighbor lost over $10k in legal fees. And the car insurance company claimed the incident wasn't covered, so he was out another $3000 for car repairs.)

      --
      Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebrox
    9. Re:Most of their customers have no recourse by xystren · · Score: 1

      Until you read the fine print on all those forms that you had signed, pretty much allowing such sharing of said personally identifiable health information. Look through the fine print - odds are you've consented (likely unknowingly) to that sharing. Sad, I know.

    10. Re:Most of their customers have no recourse by Wrath0fb0b · · Score: 1

      Consumers are not their customers. Their customers are banks and other entities that want to know whether a person is a good credit risk.

      Insofar as they injured any other third parties, they should surely be held liable. But this has nothing to do with whether the individuals whose data was leaked are "customers" of the credit agency. They are clearly not, nor should such a designation even be relevant when assessing liability.

    11. Re:Most of their customers have no recourse by AHuxley · · Score: 1

      Re public facing computers holding access to basically everything someone needs to completely take your identity.
      The network and database is secure. Everyone with access is trusted. The data is in a format that everyone with access can read and have displayed in a useful way.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:Most of their customers have no recourse by BitterOak · · Score: 1

      Follow my example of an airplane shedding parts causing properties below.

      That comparison isn't valid at all. In that case, the airplane parts are entering someone's property. Same as if I break into someone's house, it doesn't matter if I had a pre-existing business relationship with them or not, I've established a relationship of sorts by entering their property. Same if my plane drops parts on their property. But Equifax didn't trespass on anyone's property or have any interaction with these customers at all. Some information was leaked, but did Equifax have any obligation to keep that information secret in the first place? I would argue "no" since there was no implied agreement between Equifax and these consumers.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    13. Re:Most of their customers have no recourse by Cederic · · Score: 1

      If a company has through their action or inaction caused harm to an individual, that's surely a tort?

      You don't have to be a customer of a chemical company to sue the living fuck out of them when their poor environmental control kills your children.

    14. Re:Most of their customers have no recourse by david_thornley · · Score: 1

      Equifax has no business relationship with me. They are selling information about me to others. The others make the decisions that can harm me, and are doing so according to their standard practices, so they aren't liable. This could change, if there was a law about strict liability. Strict liability means that, if you caused a problem, no matter why, you're liable. Alternatively, if Equifax is lying about me, in some countries that would be libel. In the US, following standard and generally adequate procedures is a good defense against libel, so the laws would have to be changed.

      Another problem is finding where Equifax's negligence has harmed me. Most decisions using credit scores do not supply me with detailed information about why they were made. If Equifax screws up my credit rating, and I try to rent an apartment, and I'm denied because of bad credit, how do I show in court that they harmed me?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  10. Equifax doesn't want it, they REQUIRE it. by Anonymous Coward · · Score: 1, Insightful

    Equifax, Experian and TransUnion should be held to an even higher standard because they don't collect your information... you are pretty much required to give it to them to be able to function in the US economy. This isn't a Facebook situation where the consumer trades their soul so they can see their aunt's cat pics. If you want to buy a car, a house, get a credit card, etc you have to surrender your data to these clowns (who also have proven repeatedly they do a shitty job of tracking your credit history anyway).

  11. Tips now that your credit info has been stolen by Poisonous+Drool · · Score: 1

    Someone filed a fraudulent return for me on March 30 of last year. They had their "refund" sent to a debit card. I've used the same CPA for 30 years, which gives you an idea of how well the IRS detects fraud. I have no idea how my information was stolen. A few points:

    1. The best defense is to file early (e.g., February).
    2. As a victim of id theft, you should qualify for a free credit freeze. Good luck. Out of six requests (3 each for me and my wife) only one was accepted. You can waste your time arguing or pay them $10 (each) to freeze it.
    3. You can ask the IRS for a copy of the fraudulent return.
    4. I've been a Bank of America customer for 20+ years. They couldn't handle a vehicle loan with a credit freeze and I warned them my credit was frozen. Expect headaches.

    1. Re:Tips now that your credit info has been stolen by fahrbot-bot · · Score: 5, Informative

      Regardless, in most states you can pay $10 -- to each credit bureau -- and freeze your account permanently anyway. I did just that in 2011. When getting a loan or new line of credit, you can ask the company which bureau it will use for the credit check, call the bureau and either (a) unconditionally unfreeze it or (b) unfreeze it with a password or PIN, which they will US mail you -- for a specific number of business days. It's actually fairly painless.

      --
      It must have been something you assimilated. . . .
    2. Re:Tips now that your credit info has been stolen by AlanBDee · · Score: 5, Informative

      Here is an article from the FTC on freezing your credit: https://www.consumer.ftc.gov/a.... I also recommend doing it.

      Even though some banks can't process your car loan, or other credit. Your goal in personal finance should be to not need credit and to pay cash for everything. If you don't have the cash then you can't afford that car.

    3. Re:Tips now that your credit info has been stolen by jezwel · · Score: 2

      If you don't have the cash then you can't afford that car.

      It costs me $20 a week to have that car now rather than save up a few years for it. The gas savings from having the more frugal car is around $15-18 per week, so to have this newer car 'on credit' is costing me less than a dollar a day.
      Think I'll take that deal.

      Next time it may be different as I won't be going from a gas guzzler to an econobox, but even so that $20 a week will be covered by a single year's pay rise, let alone the other 4 years for when the car is paid off. Actually by then pay increases will cover the payments for a replacement car completely.

    4. Re:Tips now that your credit info has been stolen by DarkMagician07 · · Score: 1

      I've had my credit frozen for 2 years now and haven't had an issue getting a loan. I go to the site of the reporting agency they use, request a pin, give the pin to the lender, then done. Not sure where there'd be an issue. I highly recommend a freeze. It's been the most painless thing I've had to deal with in getting a refinance on my mortgage, 2 car loans, a personal loan, and a new credit card.

      Granted, you won't be able to simply go to Best Buy and request a new card, but if you need to do that, then you should re-check your finances before getting a new gadget from them.

    5. Re:Tips now that your credit info has been stolen by thegarbz · · Score: 1

      If you don't have the cash then you can't afford that car.

      That is possibly the dumbest comment I've ever seen. The ability to afford is about balancing incoming and outgoing finances, not about accumulating mountains of cash.

      If that was your criteria then as a well paid engineer I wouldn't have been able to "afford" my car for the first 6 months of my working life.

      (I could and did afford it, along side holidays, other luxury spending and also house repayments).

    6. Re:Tips now that your credit info has been stolen by pnutjam · · Score: 1

      What's a "pay raise"? Did you switch companies?

  12. Equifax by Anonymous Coward · · Score: 1

    Equifax does a lot of "high assurance" identity checks. They collect detailed biographical information on everyone; employment, relatives, mortgages, car ownership... If they lost all of that there will be hell to pay.

    1. Re:Equifax by burtosis · · Score: 1

      If only there were hell to pay. If they lost all that the punishment would be nothing at all.

    2. Re:Equifax by Bob+the+Super+Hamste · · Score: 1

      Yet if I collected that much information on just one person I would likely be in jail for stalking. If I did it to a dozen or so people I would likely never see the light of day again as I would be a serial stalker and would be serving many consecutive sentences. But given all of this detailed information these companies collected on every fucking person that is available for purchase, I still get to deal with debt collectors who try to collect debts from people who haven't lived at my address in 15 years, or whose first matches mine but nothing else does.

      --
      Time to offend someone
  13. Re:Whew! by 93+Escort+Wagon · · Score: 1

    Baloney. I just did a search for "Anonymous Coward" and got millions of results. Your info is all over the place.

    --
    #DeleteChrome
  14. This is Irony, right? by burhop · · Score: 1

    ...if the bad guys use this stolen data and mess up your credit score.

    Referencing my primary "go to" grammar resource, it seems to be case #2

    http://theoatmeal.com/comics/i...

  15. Need an ethical hacker? by paulina+james · · Score: 2

    Should you need the services of a hacker, I implore you to visit http://www.hackerspod.com/inde... or you should contact liammoore015@usa.com. I hired him for personal exploits early December last year and that was the decision that lit up my Christmas and got me set for 2017. Try to hire certified veterans for your hacking needs. This guy surely works like an elite, he is efficient, reliable and provides lasting and permanent solutions. He got my DUI records cleared as though it never happened and my credit card fixed.

  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. in UK and Canada too by zm · · Score: 1

    https://www.equifaxsecurity201...

    As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.

    --
    Sig ?
    1. Re:in UK and Canada too by coofercat · · Score: 1

      Is this site real?

      I mean, if it's really Equifax, then why can't it be on equifax.com? It's got a video about cyber security, and well, lesson 1 is to identify who a site really is before entering any data into it. I'm a techie, so I know to look at certs and whatnot - I couldn't see anything in it to verify it actually was Equifax (all I got was a Cloudflare cert). The 'normals' won't be able to do any of that, so apart from a logo at the top of the page, and it's 'https', most people have nothing to verify it's real.

      Other comments talk about it being a scam - it might actually be.

  18. Obligatory CGP Grey Video by Daetrin · · Score: 3, Informative

    "So how did Americans end up with a national ID number that isn't one and a card terribly unfit to identify?"

    Social Security Cards Explained

    --
    This Space Intentionally Left Blank
  19. That's not what class action is for by rsilvergun · · Score: 1, Flamebait

    Class action is so the companies can pay a token amount and get perpetual indemnity for all future legal action. The best part? With recent changes in law making mandatory arbitration legally binding at the federal level (thanks, Republican Congress and Blue Dog Dems!) you don't even get that anymore.

    Folks need to start putting left wingers into Congress if they wanna see this crap happen, but nobody wants to pay the taxes for it. Never mind that just ending the 7 wars we're running would cover it. But then I'm not so sure folks want to end those wars. Our president's largest bump in poll numbers came after he dropped a $20 million dollar bomb on a bunch of Afghani goat herders with Soviet-era weapons...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  20. No MORE! by Seranfall · · Score: 1

    We DEMAND 72 hour mandatory reporting of security breaches that result in loss of customer data. Stop telling us nothing bad will happen to our data. You bastard companies are completely unable to protect almost anything and the government is even worse at it. At least we are learning about it now. I read something a while back where a breach took them 14 years to discover...

    1. Re:No MORE! by Cederic · · Score: 1

      GDPR mandates 72 hour notification in the EU from May 2018.

      However: It's notification to a Government body, not to the impacted individuals. It'll be interesting to see how that plays out in reality - although it's also reasonable to assume that 72 hours is inadequate to fully explore and understand the extent of the breach and the individuals impacted.

      In the UK I suspect Equifax have an obligation to notify the FCA. I'm not sure on the timescales for that.

  21. Easy fix by Ryanrule · · Score: 1

    1 million per person's data lost. Start by draining the assets of the board and C-suite. Put them on the street.

  22. Insider Trading! by chromaexcursion · · Score: 1

    Let's see some federal charges. One count for each share of stock affected.
    Make them pay!

    1. Re:Insider Trading! by bongey · · Score: 1

      Yep, they claim they didn't know about the breach. Sure, I believe them, wink, wink.

  23. It's going to get (much) worse by Teckla · · Score: 1

    Regarding computer and data security, it's going to get (much) worse before it gets better. We're currently in the Dark Ages of Computer Security... but we haven't hit bottom yet.

    Company culture in this area is just totally, utterly, hopelessly broken. They value speed above all else, so you end up with developers pulling libraries/jars from all over the Internet (many or most with huge security holes), you have companies incentivizing employees to get things done as quickly and cheaply as possible, you have companies clamoring for the cheapest labor available, including offshoring critical business logic.

    None of these things are good for customers. It's a dumpster fire. Identities stolen, lives destroyed, and ultimately, it's us consumers who pay higher prices for all this lack of security and the resulting fraud.

    It seems obvious business cannot and will not properly manage themselves when it comes to the subject of computer and data security. This is where we really need the government to step in, and lay down some laws with some serious teeth.

    Oh well, one can dream...

    1. Re:It's going to get (much) worse by mschwanke97402 · · Score: 1

      I agree with your assessment. Capitalism at its finest. Lowest bidder, outsource as much as possible and cut any corner to save a few pence.

  24. Do they meet PCI compliance? by gregOfTheWeb · · Score: 1

    https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

    --
    blah
    1. Re:Do they meet PCI compliance? by Bob+the+Super+Hamste · · Score: 1

      Probably, except for the part about not storing personal information, but then they aren't card processors. The PCI standard, while it is a standard, is really the bare minimum that companies should be held to for them to not be found guilty of criminal negligence for breaches. The actual standard is here and having had to deal with MBAs asking about our compliance makes it seem like it is something written for the MBA types to check off a bunch of stuff. There are much better standards and if you aren't an MBA you can figure out how to make them applicable to your business. Personally I like the NERC CIP standard with liberal utilization of the CIS benchmarks as a good starting point for securing a system. If you want others there is always the US government's set of security benchmarks, the DoE document Cybersecurity Procurement Language for Energy Delivery Systems, or a bunch of stuff at the SANS site that you could use as a guide.

      --
      Time to offend someone
  25. DONT USE THE LOOKUP TOOL by Anonymous Coward · · Score: 2, Informative

    It signs you up for a product. READ THEIR TOS. You just waived right to class action and agreed to arbitration...

    Scumbag move!

  26. DONT USE THAT LOOKUP TOOL! SCUMBAGS by Anonymous Coward · · Score: 1

    read their TOS. You use their website to signup for a product, and you waive your right to Class action and trial and agree to arbitration.

    Total scumbag move. This company...

  27. this lady doth not protect enough, methinks by epine · · Score: 1

    Wow, it's going to take a long damn time for Equifax to out this tiny blemish from their permanent spot record.

    "O, but she'll keep her word."

    Actually, sorry Hamlet, cat's entirely out of the bag now.

  28. So much for all those "security" questions by execthis · · Score: 2

    This breach is why it ROYALLY pisses me off when some websites force me to answer "security" questions such as the name of the street I first lived on. The people responsible for such sites should be held accountable for gross negligence.

    This is exactly why I now almost always answer the "security" questions with gibberish.

    If my 20-length complex password of random digits, numbers, and special characters isn't enough for security then f it.

    Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.

    1. Re:So much for all those "security" questions by david_thornley · · Score: 1

      How about a certain financial institution that manages my stock from my ESPP, which has a max of eight alphanumeric characters?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  29. Time to shut them down by SnarkSide · · Score: 1

    It's time we make an example and take away any authorization for Equifax to store or maintain any personal information. Not that the other agencies are better, but fuck, these people are fucking useless. 1) Shut them down - Equifax must be no more. 2) Rework with systems we use so that there is real authentication like maybe possessing a smart card / EMV that provides authentication. 3) Social security numbers need to be made invalid / illegal to use as a form of authentication. 4) Credit card account numbers must be made useless by themselves, EMV only protects you if others cannot execute non-EMV transactions on the account. (Yes I know CV1 CVV2 data is generally needed for transactions) 5) We must never again design systems where data that is shared with multiple third parties is used for authentication. 6) Maybe improve EMV with some OTP system in conjunction. 7) Credit agencies need to be completely reworked. Consumers must have reliable and responsive methods of fixing fraud and errors in the data within 45 days from the report date by law. 8) Consumers suffering data loss should have legal standing for class action suit, unauthorized disclosure is a form of harm even if it can't be linked to a monetary loss.

  30. Criminal Negligence? by mschwanke97402 · · Score: 3, Insightful

    Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company.”

    So it’s all about his company. What about the havoc his company will wreak on millions of consumers via this data breach? These a**holes collect all manner of sensitive personal data, without our permission I might add, and let it get away from them because the lot of it is on an Internet facing server connected to a web app. I think it rises to criminal negligence.

    Speaking of crimes, I expect to see criminal insider trading charges and jail time for those executives who scurried off to sell their shares when the breach was discovered but left us vulnerable for weeks.

    1. Re:Criminal Negligence? by Okind · · Score: 1

      These a**holes collect all manner of sensitive personal data, without our permission I might add, [...]

      This is the part where I think the US (and the rest of the world too, for that matter) needs a law like the upcoming GDPR in Europe. That would require anyone to obtain explicit & informed consent, protect data properly, and inform the public timely when this protection fails (the 'timely' bit was clearly not done here).

    2. Re:Criminal Negligence? by houghi · · Score: 2

      You wish for those things. I expect that nothing will happen or change. Not for these people. Not for this company. Not for any others in the future.
      People have chosen the new feudal system. The CEO is the new King and his company is his castle.

      --
      Don't fight for your country, if your country does not fight for you.
  31. What a joke by LeftCoastThinker · · Score: 1

    First off, the executives that sold their stocks while withholding negative information should have that money confiscated and be prosecuted for insider trading (seeing as how they were holding back negative news on purpose to profit.) The retiree pension fund should not take the hit that those assholes created in the first place...

    Yet another example of the dire need for legal accountability at the federal level of companies that hold private, personal information. The three credit reporting agencies don't give a shit if your identity is stolen, either from them or from someone else, and they clearly didn't care enough to encrypt the information stolen in this breach, and all those people who are going to have to waste hundreds of hours filing police reports, fighting fraudulent credit cards taken out in their name and fraudulent loans are SOL.

    It is long past time that we have a federal law holding the companies that lose private, personal data accountable to the tune of actual time lost at the billable rate for the person's profession and a fine paid to the individual harmed of not less than $1000. Once your identity has been stolen, a simple phone call or online form should permanently flag your identity and require all companies accessing your credit for a transaction must use two factor authentication to get validation of your identity.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
  32. Don't worry... by s.petry · · Score: 4, Insightful

    No executives will be fired for this incident.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Don't worry... by null+etc. · · Score: 1

      No, but their information has been exposed all the same.

  33. You must be new here by s.petry · · Score: 4, Insightful

    On planet Earth.

    The people responsible for such sites should be held accountable for gross negligence.

    You mean a lackey or two right? No executives are held accountable for their own decisions. In fact, the bigger the screw up the more jumps applied to the Peter Principle.

    Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.

    I'm not sure you know what a civil right is. I would however support legislation which outlaws the use of one's SSN as identification to anyone other than the Government, and perhaps even more specifically the Social Security Agency.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:You must be new here by Quirkz · · Score: 2

      No, the SSN as identification is fine. Honestly, that's probably what everyone should use. What's wrong is using it as authentication. Nobody should use it for that, but despite that being obvious for decades, everyone continues to use it that way.

  34. It's time to write Congress demanding reform by PeterM+from+Berkeley · · Score: 5, Insightful

    Right now, someone who has your information but no real proof of identity can borrow money as "you", and the creditor gets to libel you via the credit reporting agencies when they don't get paid.

    This must stop. Please write Congress and demand that creditors no longer have the right to libel you as a non-payer unless they can prove it was actually YOU who borrowed their money and failed to repay as promised instead of just someone who had some information about you, that they didn't bother doing due diligence on to verify.

    I've already written Congress about this several times, but now it's literally EVERYONE'S information that has been stolen, and the whole nation must face the fact that they are vulnerable to this sort of thing now.

    --PeterM

    1. Re:It's time to write Congress demanding reform by geoscodin · · Score: 1

      I found a lien from another state against me on my credit report several years ago. I disputed it and the courthouse did not respond, so the credit agency took immediate action on my behalf. They marked the negative item as paid... and told me it would roll off my credit report in 7 years. What?!? Since the courthouse did not respond they said there was nothing more they could do. Oh really? How about removing the false item from my credit! They said no, but I was welcome to travel across the country and research the item myself. Wrong! If the reporter can't provide -- or just can't be bothered to look for -- evidence against me then it should be removed immediately. I also had a false $480 phone bill on my credit report. At least I was able to dispute that one by proving my own identity and it came off quickly.

    2. Re:It's time to write Congress demanding reform by houghi · · Score: 1

      Here is how it is done in Belgium
      1) We have a national number YYMMDD-XXX-YY
      2) We have an ID.
      You need both to get a credit or a loan.

      If you apply for a loan they will check if your ID is stolen or not https://www.checkdoc.be/
      They check the BNB. On the BNB every credit and loan is listed. What a company sees for each credit/loan is:
      1) Time it started
      2) The amount
      3) If there are late payments

      With the income and the standard of how much you need to live, they will see if they are allowed to give you a loan. Late payments (on the black list) mean no loan. If a company gives one anyway, the borrower will not even NEED to pay it back. The risk is then with the company.

      The companies do NOT see what the companies are that have given the loan or credit, unless it is themselves (privacy, you know)

      As an individual you can get these names, because it could happen that you have a credit open that has been paid in full.

      So there is a short window between the moment my ID is stolen and the moment I call in to block it in which they could ask for a loan or buy something on credit. This happens, but in very low numbers, as you would need to go into a store, it could already be blocked (takes just a call), and the ID is a photo ID.

      Also no need for third party to verify the credit situation as it is already centralized and security is pretty tight. Only access if you are allowed to do so. Only information that you need. More info on https://www.nbb.be/en/about-na...

      If I did not loan the money, I will not be held responsible and sometimes even if I DID loan the money, I am not responsible.

      --
      Don't fight for your country, if your country does not fight for you.
  35. Banks. Schools. Health providers. by execthis · · Score: 3, Interesting

    What's bad is that many of the offending organizations doing this are banks, educational institutions, and health providers. They must think "because we're a [bank|school|health provider] we need extra security" and then proceed to FORCE all users to answer these stupid questions.

    Yes, make a law prohibiting use of SSN except by the SSA.

  36. TLS Client Certificates by u801e · · Score: 1

    What would be nice is if more websites supported authentication via client certificates. Then we wouldn't have deal with passwords, two factor auth, or "security theater" questions when authenticating.

    1. Re:TLS Client Certificates by execthis · · Score: 1

      I'm curious about how this would work. Would each person have one client cert that works with multiple sites? Or would each site require its own cert? What happens if your phone or laptop with the cert(s) on it is stolen? Would use of the cert on the local device (phone, laptop) require something additional like a fingerprint swipe or iris scan?

    2. Re: TLS Client Certificates by guruevi · · Score: 2

      You obviously haven't used certs as authentication, but they're to be handled just like regular passwords. You have a private and public key, no reason to keep the private key accessible to any sort of theft, you can encrypt them so that any use requires a password however the password doesn't traverse the network but without it the cert is useless. In most cases you can also revoke the cert, LetsEncrypt-style cert providers allow you to both instantly revoke and have a short enough lifespan.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re: TLS Client Certificates by execthis · · Score: 1

      I have used certs in the form of pre-shared auth for SSH sessions but that is a different story than logging onto websites. Maybe the underlying core encryption concepts are the same but the practicalities involved are very different in terms of user interaction and required policies.

    4. Re:TLS Client Certificates by raymorris · · Score: 1

      Typically your private key is encrypted with a passphrase. So an attacker would need to both have your device and know your passphrase.

      Typically you have one key/certificate per role; I have a certificate for work, for ray@company.com, that is different from my personal cert.

      You see this all the time when you authenticate the company you're talking to via https SSL - https://ebay.com/ has one cert, not a different cert for every user. Their cert identifies eBay's web server - same cert presented to everyone. On the other hand, they probably use a different cert for email and code signing than they use for their web server. The server authenticating you works almost exactly like you authenticating the server. The difference is that often the server cert has an empty passphrase so that an admin doesn't have to type in the passphrase on each reboot.
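
The pieces raymorris lays out above (a CA both sides trust, one server cert presented to every visitor with an unencrypted key, a per-role client cert whose private key is locked with a passphrase) can be built and checked with nothing but the openssl command line. The script below is an added example, not code from this thread or from Equifax; every name in it (demo-ca, www.example.test, ray@company.example) and the passphrase are made up, and it assumes an openssl binary on PATH:

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway PKI built with the openssl
# CLI to show the pieces of TLS client-certificate auth described above.
# All names (demo-ca, www.example.test, ray@company.example) and the
# passphrase are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CLIENT_PASS="correct horse battery staple"   # constructed passphrase

# The CA both sides trust. A company-internal CA plays this role in practice.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=demo-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a CA-signed cert for a CSR. $1 = basename, e.g. "server" or "client".
sign_with_ca() {
  openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Server side: one cert for the whole site, the same one shown to everyone.
# The key is left unencrypted (-nodes) so the daemon can restart unattended,
# which is exactly the trade-off raymorris mentions.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  sign_with_ca server
}

# Client side: one cert per person/role. The private key is encrypted with a
# passphrase, so a stolen laptop alone does not let the thief authenticate.
make_client_cert() {
  openssl req -new -newkey rsa:2048 -sha256 -passout "pass:$CLIENT_PASS" \
    -subj "/CN=ray@company.example" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  sign_with_ca client
}

# An impostor: a self-signed cert with the SAME subject name. Knowing who Ray
# is (name, email) is not a secret the server relies on, so it buys nothing.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=ray@company.example" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# What the server does with a presented cert: chain it to a trusted CA.
# Exit status 0 = accepted, non-zero = rejected.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Can the encrypted client key be unlocked with this passphrase? 0 = yes.
client_key_unlocks() {
  openssl pkey -in "$WORK/client.key" -passin "pass:$1" -noout 2>/dev/null
}

make_ca
make_server_cert
make_client_cert
make_rogue_cert

for name in server client rogue; do
  if verify_cert "$WORK/$name.crt"; then
    echo "$name.crt: accepted (chains to demo-ca)"
  else
    echo "$name.crt: rejected (no chain to demo-ca)"
  fi
done
if client_key_unlocks "wrong passphrase"; then
  echo "client.key: unlocked with a wrong passphrase (should not happen)"
else
  echo "client.key: unusable without the passphrase"
fi
```

Run it as `sh demo-pki.sh`. The server-side decision is just `verify_cert`, the same chain check a TLS server performs on the client certificate during the handshake; the rogue cert shows why a leaked name is worthless here, since without the CA's signature (and the matching private key, which never leaves the client) the impostor is rejected, and the wrong-passphrase check shows what a thief with the laptop but not the passphrase is left holding.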

  37. You mean these guys? by BarneyGuarder · · Score: 2
  38. Re:Actually a windfall for Equifax? by DarkMagician07 · · Score: 1

    I agree. If you're a company such as the big 3 creditors, even without a breach, you should be required to provide these services free of charge to those whose data you hold. You have that data, it's your responsibility to ensure it is not misused. If you can't do that, then you shouldn't be a provider of a service that is as critical to life in the US as the air that is breathed by those that live there.

  39. Answer with a famous person's info by raymorris · · Score: 1

    I understand your frustration. The purpose of those questions is, of course, as a backup because people forget / lose their password.

    > If my 20-length complex password of random digits, numbers, and special characters

    Unless you're re-using the same password on all sites (bad idea) and never changing it (another bad idea) you're probably storing them somewhere rather than memorizing a dozen different sets of 20 random characters which means you could lose it. In which case you'll need to use the security questions to access your account.

    So what to do? Entering gibberish means you may end up permanently locked out of your accounts when you lose your passwords. What you can do is answer the questions with Bill Clinton's information, or Steve Jobs', or Mariah Carey's. When it asks what city you were born in, enter the city Steve Jobs was born in. That way people can't break into your accounts by entering information about you; they'd have to know to instead enter information about Jobs or Mister Rogers or whoever you use info from.

    1. Re:Answer with a famous person's info by execthis · · Score: 1

      I use LastPass. If any of my devices are stolen - which has happened several times - I immediately change the master password.

      I know people will say this is not perfect - LastPass itself could be compromised, or someone could potentially access my system and keylog - but it seems to be by far the best practical solution and has been foolproof to date.

      However I like the idea of client certificates mentioned by another commenter. Sounds like the way of the future.

    2. Re:Answer with a famous person's info by pnutjam · · Score: 2

      Keepass is a better choice, keep your passwords under your own control.

    3. Re:Answer with a famous person's info by execthis · · Score: 1

      Lastpass is better because it has a standalone desktop application, standalone Android app, and plugins for desktop and mobile versions of major web browsers. In other words it works seamlessly across all devices and apps which is an essential feature for a password manager.

    4. Re: Answer with a famous person's info by cyber-vandal · · Score: 1

      I use Keepass with Resilio Sync. It's not as convenient but it means my passwords are only transmitted over my home network. I don't trust LastPass or any other cloud password provider.

    5. Re: Answer with a famous person's info by execthis · · Score: 1

      The whole point of using Lastpass is the browser integration.

    6. Re: Answer with a famous person's info by cyber-vandal · · Score: 1

      Like I said it's not as convenient but you don't have to rely on a third party's servers to be secure. You can use copy and paste and Keepass will clear your clipboard after 10 seconds.

    7. Re:Answer with a famous person's info by flink · · Score: 1

      Codebook does this as well for Mac/Windows/iOS/Android - it also lets you choose what, if any, cloud provider you use to sync through. You can also just sync over WiFi or LAN if you don't want your password DB to pass through someone else's system.

    8. Re:Answer with a famous person's info by pnutjam · · Score: 1

      Keepass has this. You can use the same database across desktop, windows, linux, android, iphone, etc. You can even keep the database in the cloud.

    9. Re:Answer with a famous person's info by execthis · · Score: 1

      That's cool. I have been hoping to find something that works with Nextcloud.

    10. Re:Answer with a famous person's info by execthis · · Score: 1

      Keepass doesn't have web browser plugins which account for 99% of the use cases of Lastpass.

    11. Re:Answer with a famous person's info by pnutjam · · Score: 1

      Yeah, those are a security problem.

    12. Re:Answer with a famous person's info by execthis · · Score: 1

      Do you have any evidence of there ever having been anyone's password data compromised as a result of a Lastpass browser plugin attack or exploit?

    13. Re: Answer with a famous person's info by Malc · · Score: 1

      When I was a victim of identity theft a few years ago, they managed to convince my bank's telephone banking to change my mother's maiden name, locking me out of my accounts! You'd think alarm bells at the bank should have rung, but no. Social engineering is always the weakest point, and the amount of accurate information in this credit agency data breach can really enable bold criminals. So I agree with the other comments about providing inaccurate data for security questions where possible, but you have to have a scheme to work with it all because I can't even remember answers for dumb security questions like "who was your favourite teacher at primary school" or "what's your favourite colour" (I don't have favourites of either, so it's a crap shoot on how I'm feeling on the day how I answer)

    14. Re:Answer with a famous person's info by pnutjam · · Score: 1

      There have been plenty of them, go ahead and google for yourself. You're basically increasing your area of attack significantly when you're using a plugin, browser, OS, and application in tandem. It's common sense that this is not best security practice.
      You could make an argument that it's sufficiently secure, or better than the usual practice. You might be right, but it's still not secure enough for the security conscious.

  40. It's almost as if... by easyTree · · Score: 1

    ...organisations need to avoid making their (our) data a gigantic attractive target. If it were split up so attackers had to work hard for each small batch, this would be less attractive.

  41. Translation by easyTree · · Score: 1

    We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.

    Translation

    We have failed to protect consumers but prefer to keep taking in cash, despite this clear demonstration that [y]our data is not guaranteed to be free from tampering and therefore any derived data is worthless.

  42. 143M customers is all of adults in USA and Canada by misnohmer · · Score: 1

    So basically Equifax just exposed all of the adults in USA and Canada to the danger of identity theft. Of course the victims can never prove their identity theft was caused by a specific breach, such as this one, so Equifax will never be found directly liable. HOWEVER, this is where the government should step in and impose massive fines for endangering the public. Those fines to be pooled into funds that help with identity theft. The fines should be in the billions, even if that means the company goes bankrupt. If it does, it will make other companies spend more money on securing their data and/or not holding onto data they don't need, simply to avoid being fined billions of dollars.

  43. Re:No by AmiMoJo · · Score: 1

    The issue is that it's a matter of historical perspective. Most people in the US are illegal aliens from the point of view of native Americans who got there first.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  44. Re:No by Anonymous Coward · · Score: 1, Insightful

    The issue is that it's a matter of historical perspective.

    No, it isn't. It's about the law. Hence "illegal" is in the term.

    Most people in the US are illegal aliens from the point of view of native Americans who got there first.

    From the point of view of native Americans, they didn't have the same legal systems or the same concepts of law, land ownership, borders, etc. as us. You're committing the same mistake as Europeans of the past, who had conflicts with native Americans because they didn't understand that the two cultures had different value systems and ways of doing things.

  45. look on the bright side by TimMD909 · · Score: 1

    At least it's only half of the entire country. Talk about a lot of glass is half empty comments...

    1. Re:look on the bright side by Mr.+Spock · · Score: 1

      At least it's only half of the entire country. Talk about a lot of glass is half empty comments...

      Too soon. It's the half of the country that has a credit history. Not comforting.

  46. Re:Simple solution by Bob+the+Super+Hamste · · Score: 1

    Unfortunately the credit monitoring you get when a breach happens is always from these reporting agencies. I think I have like 5 or 6 active ones across experian, equifax, and transunion. Now it looks like I and everyone else will get another year of free credit monitoring from these fuckers that really should be drawn and quartered instead.

    --
    Time to offend someone
  47. Re:Resignations by Monday Morning!!! by Cederic · · Score: 1

    Why? Which of them had any opportunity at all to prevent this?

    Some of them will have worked on the breached system, but again, why would a company like Equifax ever trust them to properly secure it?

    Surely the people running the company should be mandating, funding and auditing adequate security processes, including providing the right tools and skilled people to execute them.

    You don't sack a DBA for failing to secure a database, you teach them how to secure the next one. You spot that it isn't secure, fix it and then wrap it in monitoring, logging, intrusion detection and all the other goodness that means that even if it does have a vulnerability you didn't spot, you can detect and respond to the breach in seconds or minutes, not two fucking months.

  48. Malicious JavaScript integration by raymorris · · Score: 1

    My company, a security company, is looking at password managers for internal use. The various security experts inside the company have been discussing LastPass.

    The general consensus is that IF we use a cloud-based password manager, LastPass is a reasonable choice. However multiple co-workers and I agree that the browser plug-in is a major risk. The browser is the #1 target of attacks, by far, and their browser plug-in is known to have had security problems in the past. The browser, and therefore malicious JavaScript, should NOT have direct access to all of your passwords, in our opinion. Rather, we point out it is much more secure to copy/paste the one password you want to use at the moment from the password manager to the browser.

    Additionally, if for some reason a user WAS going to use a password manager integrated with the browser, the password manager already built in to Chromium / Chrome and other browsers has a better security record than LastPass.

    Therefore, it is our opinion that there is more or less no use case for which the LastPass browser extension would be an appropriate solution.

    1. Re:Malicious JavaScript integration by execthis · · Score: 1

      I cannot argue the details with you about browser extension security or isolation from possible attack vectors, however I will say that many, many people have used Lastpass for a long time and there have never to my knowledge been any compromises.

      The second point I want to make is that what makes the password manager useful, its primary reason for existence, is the fact that it works seamlessly across a desktop app and multiple web browsers. Yes you can use Chrome or Firefox's own password saving features and these may even sync with other instances of the same browsers, but still you do not get seamless synchronization across ALL devices. The primary thing about a password manager is that it will be used, which means it needs to be available for all instances of use.

      Ideally Lastpass would have a feature to locate its data store on a location of your choice - such as your own Nextcloud instance - but remember that that would also present a risk because now you have to worry about the security of your data store - something that the company Lastpass takes care of on their own, which is partially what they get paid to do.

  49. Re:No by CaptainDork · · Score: 2

    "Illegal," in any legal context has a component of "punishment."

    Undocumented immigrants who are "first-timers," are simply given due process and deported.

    There is a free ride, meals and accommodations prior to ejection, but there is no punishment.

    Because the first-timer is identified and documented, subsequent entry is illegal.

    --
    It little behooves the best of us to comment on the rest of us.
  50. Time to ban moderators by s.petry · · Score: 1

    Awesome moderation /.! A fact WITH A CITATION is now moderated a "troll"! More facts below this post which contain FACTS are also moderated "off topic" and down modded. Way to go!

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  51. One guy, in one month, found THREE vulnerabilities by raymorris · · Score: 1

    > cannot argue the details with you about browser extension security or isolation from possible attack vectors ... there have never to my knowledge been any compromises.

    Tavis looked at LastPass in March and reported THREE different ways for web sites (malicious JavaScript and frames) to get at all of your LastPass passwords. That's what ONE guy found in just ONE month. The technical details may not be for you, but here's an article in the popular tech press about them:

    http://arstechnica.com/informa...

    I would bet my team will find at least one more if LastPass shows up on our 18-hour test we do four times per year. Basically, we get 18 hours to find as many vulnerabilities as we can in an array of software.

  52. Re:One guy, in one month, found THREE vulnerabilit by execthis · · Score: 1

    I'm familiar with this research. But have you any evidence of an actual breach incident where data was stolen?

    Also, do you expect that no technology will ever have some form of potential vulnerability? It's true that the ultimate security is simply to have a system that cannot be used. If something is so inconvenient or cumbersome to users it will never be used. But we live in a real world where there are risks and drawbacks. As far as I can ascertain, the benefit of using Lastpass vastly exceeds the drawback in comparison with every other system.

  53. Counter-productive approach, my friend by raymorris · · Score: 1

    There are basically two possible responses when someone, or a group of people, points out something you didn't think about.

    Some people try to LOOK smart by continuing to argue and hope to convince readers that they know better than all of the experts. People take this to absurd extremes, to the point of arguing that it's a good idea to allow random JavaScript from any web site (or ad) to read all of your passwords.

    Another type of response is to actually BE smart and learn something. These people respond with "that's a good point; I hadn't thought about that."

    The thing about the first option, trying to look smarter than the experts, is that you end up trying to argue that you really want every ad on the web to have access to your bank password, and then you look dumb. Trying to look smarter just makes you look dumb. But not any ordinary dumb. The information has been presented to you and you've purposely refused to learn anything - intentional ignorance. That's extra dumb, when a person chooses, even fights, to avoid learning anything.

    1. Re:Counter-productive approach, my friend by execthis · · Score: 1

      shove your ad hominem shit up your ass. you failed to answer my question.