Slashdot Mirror
Credit Reporting Firm Equifax Announces 'Cybersecurity Incident Impacting Approximately 143 Million US Consumers' (cnbc.com)
Equifax, which supplies credit information and other information services, said Thursday that a cybersecurity incident discovered on July 29 could have potentially affected 143 million consumers in the U.S. "The leaked data includes names, birth dates, social security numbers, addresses and potentially drivers licenses," reports CNBC. "209,000 U.S. credit card numbers were also obtained, in addition to 'certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."
Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident." Equifax is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities.
UPDATE (9/7/17): According to Bloomberg, "three Equifax senior executives sold shares worth almost $1.8 million" in the days after the company discovered the security breach. Regulatory filings show that three days after the breach was discovered on July 29th, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099." Meanwhile, "Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2."
Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident." Equifax is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities.
UPDATE (9/7/17): According to Bloomberg, "three Equifax senior executives sold shares worth almost $1.8 million" in the days after the company discovered the security breach. Regulatory filings show that three days after the breach was discovered on July 29th, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099." Meanwhile, "Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2."
Do I get free credit reporting for this? Is it from Equifax?
-=Lothsahn=-
At this point, is there anybody left in the U.S. who has not had their names, addresses, and socials stolen in from a hack somewhere?
CLASS ACTION LAWSUIT! These companies that want to collect all this personal data of people and fail to protect it need to be sued into non-existence!
Wait. TFA says they discovered this on July 29, and that their "private investigation into the breach is complete." Only now are they going public with this? How much damage could have already been done in the month of August? The breach alone creates a huge liability for them. This delay makes it worse, because they can't blame that on some other bad actor.
Typically when a company screws its clients, they risk clients no longer using their service, so usual market forces apply. This is not the case here. Most of their customers never chose to use Equifax or even given any explicit permission for them to collect their data. Yet, they do collect it and sell credit scores. The problem is that market forces don't work here, i.e. those customers who got hurt are not really paying, or even willing, customers and have no choice to opt out of the service, and those who buy credit scores are not really affected much.
As much as I am generally against regulation, this is one area I think they should be held fully liable, including compensating any affected customers for ALL of their expenses, including their time at some reasonable rate at or above what that customer usually makes per hour - that includes any waiting on hold while calling any of the companies to clear things out. Maybe this would cost Equifax its life, so be it, the next company will be much more careful what they do with the data. This would be no different than an airline being held liable for damaging property of killing people because their planes are shedding parts - the people hurt are not airline customers, they are the homeowners who had an aircraft parts crash through their roof into their living room.
Social Security numbers are fine. The problem is that organizations have foolishly been using them for authentication ("Prove you are you!"), rather than merely identification ("Who are we talking about?"), which was all they were ever designed to do. As a means for identification, it generally still works just as well today as it did when it began. As a method for authentication, it was lousy from the start and has been getting worse by the day.
Social Security numbers are fine. The problem is that organizations have foolishly been using them for authentication ("Prove you are you!"), rather than merely identification ("Who are we talking about?"), which was all they were ever designed to do.
Even more narrowly than that. It's original purpose was to track workers solely for use in determining SS benefits - that's it. From The Story of the Social Security Number
The Social Security number (SSN) was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels.
It must have been something you assimilated. . . .
Regardless, in most states you can pay $10 -- to each credit bureau -- and freeze your account permanently anyway. I did just that in 2011. When getting a loan or new line of credit, you can ask the company which bureau it will use for the credit check, call the bureau and either (a) unconditionally unfreeze it or (b) unfreeze it with a password or PIN, which they will US mail you -- for a specific number of business days. It's actually fairly painless.
It must have been something you assimilated. . . .
Here is an article from the FTC on freezing your credit: https://www.consumer.ftc.gov/a.... I also recommend doing it.
Even though some banks can't process your car loan, or other credit. Your goal in personal finance should be to not need credit and to pay cash for everything. If you don't have the cash then you can't afford that car.
Should you need the services of a hacker, i implore you to visit http://www.hackerspod.com/inde... or you should contact liammoore015@usa.com. i hired him for personal exploits early december last year and that was the decision that lit up my christmas and got me set for 2017. try to hire certified veterans for your hacking needs. This guy surely works like an elite, he is efficient,reliable and provides lasting and permanent solutions. He got my DUI records cleared as though it never happened and my credit card fixed.
"So how did Americans end up with a national ID number that isn't one and a card terribly unfit to identify?"
Social Security Cards Explained
.
This Space Intentionally Left Blank
It signs you up for a product. READ THEIR TOS. You just waived right to class action and agreed to arbitration...
Scumbag move!
This breach is why it ROYALLY pisses me off when some websites force me to answer "security" questions such as the name of the street I first lived on. The people responsible for such sites should be held accountable for gross negligence.
This is exactly why I now almost always answer the "security" questions with gibberish.
If my 20-length complex password of random digits, numbers, and special characters isn't enough for security then f it.
Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.
Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company.”
So it’s all about his company. What about the havoc his company will wreak on millions of consumers via this data breach? These a**holes collect all manner of sensitive personal data, without our permission I might add, and let it get away from them because the lot of it is on an Internet facing server connected to a web app. I think it rises to criminal negligence.
Speaking of crimes, I expect to see criminal insider trading charges and jail time for those executives who scurried off to sell their shares when the breach was discovered but left us vulnerable for weeks.
No executives will be fired for this incident.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
On planet Earth.
The people responsible for such sites should be held accountable for gross negligence.
You mean a lackey or two right? No executives are held accountable for their own decisions. In fact, the bigger the screw up the more jumps applied to the Peter Principle.
Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.
I'm not sure you know what a civil right is. I would however support legislation which outlaws the use of one's SSN as identification to anyone other than the Government, and perhaps even more specifically the Social Security Agency.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Right now, someone who has your information but no real proof of identity can borrow money as "you", and the creditor gets to libel you via the credit reporting agencies when they don't get paid.
This must stop. Please write Congress and demand that creditors no longer have the right to libel you as a non-payer unless they can prove it was actually YOU who borrowed their money and failed to repay as promised instead of just someone who had some information about you, that they didn't bother doing due diligence on to verify.
I've already written Congress about this several times, but now it's literally EVERYONE'S information that has been stolen, and the whole nation must face the fact that they are vulnerable to this sort of thing now.
--PeterM
What's bad is that many of the offending organizations doing this are banks, educational institutions, and health providers. They must think "because we're a [bank|school|health provider] we need extra security" and then proceed to FORCE all users to answer these stupid questions.
Yes, make a law prohibiting use of SSN except by the SSA.
I don't recall ever being asked by my bank for permission to share information with Equifax or Transunion.
It's buried in the boilerplate you signed when opening your account(s).
The company names may or may not be there. If they are not there, the paperwork uses something vague like "credit reporting agencies" or even "third parties".
Would it really break the US banking system, if there was a way for us to opt out of having our spending history sent to 3rd parties?
Only in as much as you'd never be able to get a loan, rent a house/apartment or open a new bank account ever again.
Why is there this assumption of agreement for this sharing of information?
Because 1) you agreed to it, and 2) centralized reporting is very handy for creditors.
I don't recall any newspaper articles about a national discussion and debate on this decision?
It's not a law, so there was no national debate. Theoretically, banks do not have to use credit reporting agencies. However, they all do.
In the 1940s - did Equifax exist then?
Nope. And it was much, much harder for any but the wealthy to get loans.
http://www.equifacks.com/
If you don't have the cash then you can't afford that car.
It costs me $20 a week to have that car now rather than save up a few years for it. The gas savings from having the more frugal car is around $15-18 per week, so to have this newer car 'on credit' is costing me less than a dollar a day.
Think I'll take that deal.
Next time it may be different as I won't be going from a gas guzzler to an econobox, but even so that $20 a week will be covered by a single year pay rise, let alone the other 4 years for when the car is paid off. Actually by then pay increases will cover a payments for a replacement car completely.
Keepass is a better choice, keep your passwords under your own control.
Cheap storage VM.
You obviously haven't used certs as authentication, but they're to be handled just like regular passwords. You have a private and public key, no reason to keep the private key accessible to any sort of theft, you can encrypt them so that any use requires a password however the password doesn't traverse the network but without it the cert is useless. In most cases you can also revoke the cert, LetsEncrypt-style cert providers allow you to both instantly revoke and have a short enough lifespan.
Custom electronics and digital signage for your business: www.evcircuits.com
"Illegal," in any legal context has a component of "punishment."
Undocumented immigrants who are "first-timers," are simply given due process and deported.
There is a free ride, meals and accommodations prior to ejection, but there is no punishment.
Because the first-timer is identified and documented, subsequent entry is illegal.
It little behooves the best of us to comment on the rest of us.