Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com)
The breach Equifax reported Thursday is very possibly the most severe of all for a simple reason: the breathtaking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.
Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.
UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."
Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.
I was already affected by the US Office of Personnel Management hack, because I needed clearances to get my $55k job doing government IT support in Silicon Valley. It was a small price to pay.
Oh wait.
Sounds like a good idea, all things considered? It's supposedly a free process.
Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever so far.
The Equifax executives apparently sold stock immediately after learning of the breach. Jail them all for incompetence _and_ insider trading.
That company is rotten to the core. They have far too much power over our lives and very near zero accountability for how they handle that power. Allowing those hacks to decide how credit worthy someone is could be one of the worst ideas of the 20th century, and we have unfortunately held on to that terrible idea into the 21st century as well.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I was already affected by the US Office of Personnel Management hack.
Yeah, there's only one criminal in the whole world!
In a just world this would be the end of Equifax. Cannibalize the corpse to compensate all those who will be victimized because of their incompetence over the coming years. We still have 2 other credit reporting agencies.
Won't happen though. Too big to jail.
they deserve to be put out of business.
We have PCI-DSS for companies that deal with credit card information. Why not for companies that store even more sensitive information that potentially allows a criminal to pretty much take over my life by essentially stealing my identity?
The damage here is way more serious than ANYTHING the loss of a million credit card numbers could mean. Could it be that it's just us that have to foot the bill instead of Visa and Mastercard?
No, that can't be. Government represents the people, right?
Fuckers, I hope some Supreme Court judge alongside of a few congresscritters get hit badly with this breach. I usually don't wish bad things to happen to anyone, but I really hope that one of them has their identity stolen, their credit rating trashed and their life basically ruined by this hack.
Because ONLY then we'll FINALLY see something happen.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Equifax is run by the government?
News flash: Equifax is a private company.
Even if Equifax is found to have been careless with all that vital personal information, I doubt they'll get more than a slap on the wrist.
Why should corporations, government or the courts give a crap about people's privacy, when so many of the people themselves very obviously couldn't care less?
I've calculated my velocity with such exquisite precision that I have no idea where I am.
All organizations will learn from this, and something like this will never be allowed to happen again!
You put in your SSN & last name. It doesn't tell you Yes or No; instead it says come back on this day and enroll in credit monitoring.
Useless "check"
Equifax and the 2 other credit bureaus have a ton of non-credit related information on consumers as well. It will be interesting to see what else was not reported as part of the breach.
I'm going to sound like an old fart, but a lot of these "cyberattacks" end up being down to a very dumb misconfiguration like leaving FTP open, failure to patch security holes, and things like leaving data on unprotected public cloud storage. Part of my job is being a technical mentor to some of our more junior staff, and what I'm seeing is a lot of developers and CS people who really don't know the guts of how IT works. I'm not saying people should go back to punch cards and assembler, but having some clue about TCP/IP, DNS, what an open port on a server means, how a firewall works, etc. would go a long way to preventing some of the dumber things I've seen. Most of this is very much abstracted, and in a "cloud-first" world it's even more so. The network is just assumed to work underneath everything else, and I think this is where a lot of the misconfiguration problems get missed.
We may or may not see what actually happened. It could have been some state-sponsored hacking group planning a painstaking attack requiring intimate knowledge of everything. But knowing what I know about corporate IT, it was most likely some lowest-bidder contractor being forced to pull another 12-hour shift and missing something. Until companies have to actually pay for these issues, all we're going to get is "free credit monitoring" for a year, which costs them nothing, and _maybe_ we'll get a check for 11 cents from a class action lawsuit 20 years from now when it winds its way through the system.
"Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers." https://www.bloomberg.com/news...
Calvin:Do you believe in the devil? Hobbes:I'm not sure man needs the help.
Might as well be considering how big a screw up this is. Rest assured government incompetence is at the heart of this failure, like it is for EVERY big failure. We need more private industry and less big government incompetence.
That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come.
WRONG! The individuals are not at risk of fraud. Banks and other institutions are at risk of fraud. It is not your responsibility if some dipshit bankster or other idiot "Business" opens fraudulent loans etc. in your name because they don't do their due diligence. There is no such thing as "Identity Theft". There is "Fraud". Do not accept that it is your responsibility to deal with the fallout from this. Sue! Sue immediately if anyone tries to make it your problem. If something goes against your credit report that is not something you did, sue the CC agencies for libel for spreading lies about you without justification!
So, as a result, the US loan industry is going to end their grossly negligent practice of using my Social Security Number as the root password to my financial life, right?
Jail Them!
In what way is this a failure of big government?
I'd actually assert that this is a failure of small government - in Europe where the government is bigger, there's regulations about what information these companies can store, how they must store it, and what the penalty is if they fail to do so.
I keep hoping that every single SSN for every American will leak so that the SSN can no longer be used the way it is being used now... I wish the breach would be much worse, until enough SSNs are available to everyone and the SSN can no longer be used as a personal identifier.
They hold too much power and should be held liable for all damages. A CC reissue is not enough.
Before the breach went public, three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach.
https://www.bloomberg.com/news...
I'm sure nobody will be jailed. A fine will be issued, which will be passed off as increased fees to clients. A few buzzwords will probably be thrown around about how amazing their security is now, but probably little will change. 5-10 years from now this will happen again. Maybe not to Equifax, but to some other company that didn't learn from the mistakes of the past.
I suspect you're trolling.
Equifax is a private company whose executives engaged in insider trading right after they discovered the breach. It will be another proof that our regulation light government doesn't have any teeth to deal with this appropriately.
Are they too big to fail, though?
I mean, with the banks, actual average citizens would have been poorer if the big banks were allowed to fail.
How much will it hurt citizens if this company no longer existed, if at all?
Those dirty Loonix hax0rz.
I realize the SSN is used as a primary key, but if you think about it, to do their job, they could have just stored a salted hash of the social security number along with a plain text full name and address. To find someone, you look up anyone with a similar name in the database (maybe filtering by address, etc.) and then you take the given social security number and compute the hash for the maybe at most a dozen results until you find the one that matches. Now you still have the ability to uniquely find a record by a social security number, but you never need to store the actual social security number for hackers to steal.
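The lookup scheme this comment sketches, written out as an added example (it is not code from the commenter, from Equifax, or from any real system). Records keep a plain-text name and address for candidate search and only a salted, slow hash of the SSN for the final match. One caveat a practitioner should add to the comment's design: there are only about 10^9 possible SSNs, so a plain salted fast hash can be brute-forced per record in minutes; the example therefore uses PBKDF2 and a server-side pepper that is assumed to live outside the database (an HSM or separate secrets service). The pepper, iteration count, names and SSNs below are all constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder pepper; in a real deployment it never sits beside the data.
PEPPER = bytes.fromhex("00" * 32)
# PBKDF2 rounds kept modest so the example runs quickly; raise for production.
ITERATIONS = 50_000


def ssn_verifier(ssn: str, salt: bytes) -> bytes:
    """One-way, slow, peppered hash of an SSN.

    The per-record salt stops one precomputed table serving every record; the
    pepper means a leaked table alone cannot be brute-forced over the SSN space.
    """
    return hashlib.pbkdf2_hmac("sha256", PEPPER + ssn.encode(), salt, ITERATIONS)


def make_record(name: str, address: str, ssn: str) -> dict:
    """Build a record that stores the name and address but never the raw SSN."""
    salt = secrets.token_bytes(16)
    return {
        "name": name.lower(),
        "address": address,
        "salt": salt,
        "ssn_hash": ssn_verifier(ssn, salt),
    }


def find_by_ssn(records, name_hint: str, ssn: str):
    """Narrow by name, then verify the supplied SSN against each candidate's hash.

    Constant-time comparison avoids leaking partial matches through timing.
    """
    hint = name_hint.lower()
    candidates = [r for r in records if hint in r["name"]]
    for r in candidates:
        if hmac.compare_digest(ssn_verifier(ssn, r["salt"]), r["ssn_hash"]):
            return r
    return None


# Constructed sample data: fake names and SSN-shaped strings, not real people.
RECORDS = [
    make_record("Alice Example", "1 Main St", "123-45-6789"),
    make_record("Alice Exampleton", "2 Main St", "987-65-4321"),
    make_record("Bob Sample", "3 Main St", "111-22-3333"),
]


def no_raw_ssn_stored(records) -> bool:
    """Sanity check: no record field contains an SSN-shaped value in the clear."""
    return all("ssn" not in r and not isinstance(r["ssn_hash"], str) for r in records)


if __name__ == "__main__":
    hit = find_by_ssn(RECORDS, "alice", "987-65-4321")
    print("matched address:", hit["address"] if hit else None)
    print("raw SSNs stored:", not no_raw_ssn_stored(RECORDS))
```

The name filter does the work the comment describes (a handful of candidates instead of the whole table), and the slow hash is only evaluated for those candidates, so lookups stay cheap while an attacker holding the table still faces a keyed, slow function per guess.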
"I have never let my schooling interfere with my education." - Mark Twain
I've had my CC hacked twice in the past year.
Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily effect major life events
But it won't because the institutions that rely on these agencies don't give a damn. They don't lose anything over it. Anything goes wrong and the government will bail them out and leave us holding the bag.
“He’s not deformed, he’s just drunk!”
The breach is annoying. It's also almost an inevitable thing.
Can we *now* start talking about moving beyond "a ten-digit number and some generally publicly-researchable information is enough to do almost anything as you"?
I mean, seriously. Next year will be the 40th anniversary of the publishing of the RSA algorithm. Secure smartcards have been around for 25 of those years, and some countries have been issuing them for 15+ years now. Bit of biometric, and Alice is your digitally-signed aunt.
No... we're still in a country minting pennies and shuffling 19th century bank-draft checks around, aren't we? Oh, and the exact same people who are freaking out about 'Voter ID protects the sanctity of the vote' simultaneously go bat-guano crazy if you propose an actually secure ID card system.
Plus which, I didn't consent to let these fuckers store my information in the first place. I can't opt out. It's one thing when, say, Amazon loses the credit card number that I chose to store in their system to simplify my transactions. It's something else when an organization that's actually hostile to me is storing my personal information against my wishes ALSO gives it away.
Proud neuron in the Slashdot hivemind since 2002.
The way to make them pay is to sign up for a bunch of credit but have your kid sign the forms. Run it up, default and claim it as fraud. The credit issuing companies will then go after equifax if done in volume
Anyone else on here a former employee of Equifax's IT side in Atlanta? They really are pretty rotten with how they treat their employees. I averaged 5 hours of sleep on a good night including Saturdays and Sundays. Work all night and be in by nine am every weekday. The level of processes to try and get anything done were insane. Everyone wanted to dump everything and claim no responsibility. Everyone waits till 4:30 PM to dump their needed changes on you, no time to review. Every night was a change window. Had a meeting once where they wanted to encourage ideas and instead it turned into six sigma. I could go on and on. Thank God I got out of there or I would have been in prison for losing it.
Make the board and C-suite PERSONALLY responsible for the breach, to the tune of one million $ per person's info exposed. Take everything they have. Money, bank accounts, houses, all possessions, retirement accounts, children's college funds, trusts. All of it. Put them on the street.
In the short term - yes, lots of identity theft and fraud. Long term? The whole premise of there being such a thing as meaningful credit monitoring or useful/reliable credit checks is, arguably, already undermined - possibly for decades. They're saying over half of the credit-using US population are compromised. That means that businesses that extend credit now will have to either greatly curtail the amount of credit they extend, or else risk extending credit even to people whose credit ratings are tarnished by possible fraud. Either action could have substantial economic impact.
Seems like there's a new breach every couple hours.
It is time for companies to start paying dearly for when these breaches happen. I think Equifax should be the first to suffer massive consequences.
I'm talking on the order of a $1 million fine per victim.
"affect", not "effect". Thanks.
Given that the effects of the rating agencies' massive and corrupt dealing which led to the collapse of the world's banking system in 2010 were that, er, the rating agencies were allowed to continue exactly as before, I don't expect this will hurt Equifax too much. What will hit them harder, in all likelihood, is the possibility of insider-dealing pushing their share price low enough for Experian to buy them up and then ALL their data will be, once more, transferred to another party without any of the people the data relates to having any say whatsoever. And don't forget that these companies exist to sell your details to the highest bidder anyway. All they're really worried about, aside from PR, is that this client hasn't paid for the info.
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
I would say at least indirectly, yes.
The laws, rules and regulations that protect Equifax from those it is screwing are all done in collusion with big government. Big Corporations have access in the halls of power that an individual who has been wronged doesn't have. Even in a case like this, the ONLY way the affected individuals can have any influence is long after the damage is done, and only if they band together in a class action lawsuit. The laws won't change regardless.
And while all this is happening, the executives are making millions on the misery of others, untouchable by the legal system, because state-sponsored incorporation laws say that the big wigs aren't responsible for the failures under their leadership. Which is why I support being able to criminally charge the CxOs and the Board of Directors for the negligence and malfeasance, and the Corporate Death Penalty.
Here is a solution, the government revoke the Corporation's Charter, and put them out of business, leaving the shareholders holding nothing.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
In the US, there's enough religious people who consider a national ID of that kind the "mark of the beast." It's why no Social Security number has the substring "666" in it.
It would work (and has worked) in European countries because people are generally on board with sane privacy rules that also allow for things like individual identification. You don't see too many European "preppers" stocking their doomsday forts against a perceived government crackdown that will happen real soon now.
Those institutions can't just slash the amount of credit they extend, because that's their bread and butter. If they just stop issuing credit for over half the population, their business model collapses.
Back in the 1980's/early 1990's I knew several people who hacked CBI (Credit Bureau Inc). We used to hack the X accounts because accounts that started with an X were admin accounts.
Back then when you got one, you could see everything! Bank account numbers, credit card numbers, etc, etc. You could even change the information reported on a person's account.
So, once we had them we would sell "Corrections" to people's reports AND some would even use it to card stuff. (Buy stuff on someone else's credit card)
Those breaches were never reported, but admin control of the system is by far the worst breach you can imagine.
And people wonder why I don't do credit, credit cards, or loans. lol
They make money from using our information, provide little benefit to us...
I'll bite. I agree that, as individuals, it doesn't feel like they provide a benefit. But by providing somewhat-accurate financial history to lending institutions, those lending institutions can more precisely estimate the risk associated with each loan. In doing so, they're able to lend more money, and at lower interest rates, than they'd be able to do otherwise.
I'm not arguing that there aren't loads of ways that Equifax et al could improve their business habits. Of course there are. But without these agencies, lenders would have a more difficult time gauging credit-worthiness, and that would mean it would be harder and more expensive for each of us to get a loan. And that, my friend, is the "benefit" provided to us.
Support a few technologists in Washington.
Nope. It is a public company with $16B in market cap. $14B today, after the news.
To make matters worse, all of these links to their "see if you're affected" site direct you to their credit monitoring site. You plug in your name and the last 6 digits of your SSN thinking that it's going to do what it says, and instead it begins the process of enrolling you into their credit monitoring program and, consequently, giving up your right to sue.
When I first visited this site I was connected to our campus VPN and the VPN service blocked the site, labeling it as "dangerous." At first, I thought this was a mistake but, as it turns out, I think the VPN was correct!
IMO, Congress should start an investigation into this. It's just WRONG!
665: The mark on the forehead of Satan's slightly less evil brother, Stan.
Everything I have has been hacked, leaked, stolen or compiled multiple times.
As an example of more (probably) sloppy security, I just put a freeze on my credit with Equifax (and the others). Equifax gives you a PIN that you need to unfreeze your credit at a later date. Imagine my surprise when my PIN is almost exactly the same as the one they issued my wife. It appears that they use sequential PINs for each freeze. Either that or it is generated using our personal info, which would make it reversible I imagine. Seems to me that the PIN should be random or at least pseudo-random. At least Experian allowed me to choose my own PIN, which I let KeePass pick.
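As an added example that is not the commenter's code and says nothing about how Equifax or Experian actually generate PINs: how a freeze PIN should be issued, and an audit check a defender could run over a batch of issued PINs to catch the counter-style issuance the comment describes. PIN length and the sample batches are constructed assumptions.

```python
import secrets

PIN_DIGITS = 10  # assumed length; a 10-digit PIN has log2(10^10) ~ 33 bits of entropy


def issue_pin(digits: int = PIN_DIGITS) -> str:
    """Draw a PIN from the OS CSPRNG so every value in [0, 10^digits) is equally likely.

    The PIN is derived from nothing about the customer, so neither their record
    nor a relative's PIN says anything about it.
    """
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def issuance_looks_sequential(pins, max_step: int = 100) -> bool:
    """Audit check over PINs listed in issuance order.

    Flags a batch whose consecutive differences are all small positive steps,
    which is what a counter (with or without small gaps) produces and what a
    CSPRNG over a 10^10 space essentially never produces.
    """
    values = [int(p) for p in pins]
    diffs = [b - a for a, b in zip(values, values[1:])]
    return bool(diffs) and all(0 < d <= max_step for d in diffs)


def batch_spread_bits(pins) -> float:
    """Rough entropy indicator: log2 of the spread between the largest and smallest
    PIN in a batch. Random 10-digit PINs spread over roughly 30+ bits; a counter
    batch spreads over only a few."""
    import math
    values = [int(p) for p in pins]
    spread = max(values) - min(values)
    return math.log2(spread) if spread > 0 else 0.0


# Constructed sample batches: a counter-style batch and a CSPRNG batch.
COUNTER_BATCH = ["0000123456", "0000123457", "0000123458", "0000123460"]
RANDOM_BATCH = [issue_pin() for _ in range(5)]


if __name__ == "__main__":
    print("counter batch flagged:", issuance_looks_sequential(COUNTER_BATCH))
    print("random batch flagged:", issuance_looks_sequential(RANDOM_BATCH))
    print("random batch spread bits:", round(batch_spread_bits(RANDOM_BATCH), 1))
```

The check is deliberately simple: it is meant as a release-time or periodic control over the PIN issuer's output, not as a proof of randomness. A batch that trips it should be treated as a defect in the generator, and PINs, like passwords, should be stored hashed rather than in the clear.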
So don't complain, it is the company you helped finance. And it would be a good idea to divest now, before it drops another 20% after the dust settles and lawsuits ensue.
What the hell is a "berocrat"?
This is a double kick in the nads to anyone who was part of the Home Depot breach, since they were all given a year of premium Equifax credit monitoring.
That this type of info is basically public domain at this point, and any company using it to verify identity is being negligent?
I'm glad we are imposing a $300 per person whose info leaked fine as well as free coverage of any resulting charges that result directly from this theft of information. Not to mention jail the people who sold stock on inside information. That outta teach them a lesson! /s
There used to be a time when all you needed was a firm handshake to get a loan. How society has decayed since then.
At least it wasn't just my life they stole. With 143M of us affected we can do something about it together if things go wrong on a large scale (like social security gets drained)
Nullius in verba
I used to work for these guys, in their loan origination software development branch before it was sold off. I can tell you that this is the outcome of their big push to outsource their IT operations. I'd like to think that they'd learn from this, but we all know that's not the case.
Posting anonymously for obvious reasons....
You are the product. The customers are the banks, companies, and landlords from whom you wish to borrow money or collateral (like a leased car or apartment).
And getting rid of the credit agencies won't have the effect most people seem to think it will. Lenders won't magically assume everyone is credit-worthy if there's no way to check people's credit. They're going to assume everyone is not credit-worthy. In other words, getting rid of credit reports won't make it easier for people with poor credit to borrow money. Nothing will change for people with poor credit. The only difference will be for people who had good credit - all the banks, companies, and landlords will assume everyone has bad credit, and everything will be priced accordingly.
Unless you can prove you have enough money in the bank to cover the loan or collateral. So only the 1% would be able to borrow cheaply. The 99% would have to pay the exorbitant interest rates formerly reserved only for people with poor credit. That is the benefit the credit agencies provide you - giving you (if you're fiscally responsible) access to cheap loans without you having to keep enough money in the bank to immediately pay back the entire loan at any instant. But because people don't like being denied a loan, somehow this default base state (unable to get a loan because the lender doesn't know if they can trust you) got twisted around in people's minds into being a negative. It's not a negative; it's the neutral state. And being able to get a loan after a credit check is not a neutral, it's a positive.
You're basically saying, "we should spend a lot of money having smart people plug a million different holes". That's the current strategy and it has failed at everything other than making cyber-security 'specialists' wealthy.
That strategy is the digital equivalent of storing your valuables scattered throughout a mall, and then hiring enough mall cops on Segways to cover all the doors. Unsurprisingly, the right strategy is the digital equivalent of storing your valuables in a good safe, with one door that has a time-lock on it and is guarded by people with guns.
The three steps of effective security are:
1. Identify the secrets
2. Get rid of as many as possible. For example, if you only need SSNs as an identity verification mechanism (like in the Equifax web case) then *only* store one-way encrypted versions (i.e., can't un-encrypt). Don't store credit card info, make the user re-enter their credit card info and only use it for that one transaction. Encourage things like Apple Pay for faster transactions.
3. For the tiny amount of remaining secrets, store them on an essentially air-gapped machine, with the only electronic access being through an extremely restricted transaction-based custom protocol, where every transaction is independently authorized, logged, the transaction rate is limited, and all secrets are stored encrypted with different encryption keys per customer.
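A minimal "verification broker" in the spirit of step 3, written as an added example (not the commenter's code, and not a description of any real Equifax system). It answers only one narrow question per call (does this SSN match this customer's record?), requires a single-use authorization token for every transaction, logs every call without the secret, rate-limits each caller, and keys each customer's stored verifier with its own key derived from a master key, so a leaked verifier cannot be brute-forced over the 10^9 SSN space without the key held on the isolated machine. The master key, token issuance and rate-limit parameters are constructed assumptions; a real deployment would put the master key in an HSM and have a separate approver issue tokens.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

MASTER_KEY = b"\x00" * 32  # placeholder only; lives in an HSM in a real system


def customer_key(customer_id: str) -> bytes:
    """Derive a distinct key per customer from the master key (HMAC-based, HKDF-style)."""
    return hmac.new(MASTER_KEY, b"ssn-verifier|" + customer_id.encode(), hashlib.sha256).digest()


def verifier(customer_id: str, ssn: str) -> bytes:
    """Keyed hash of the SSN under the customer's own key (never the raw SSN)."""
    return hmac.new(customer_key(customer_id), ssn.encode(), hashlib.sha256).digest()


class Broker:
    def __init__(self, max_per_window: int = 3, window_s: float = 60.0):
        self._store = {}       # customer_id -> verifier bytes
        self._tokens = set()   # outstanding single-use authorization tokens
        self._calls = {}       # caller -> deque of recent call timestamps
        self.audit = []        # append-only log: (time, caller, customer, outcome)
        self.max_per_window = max_per_window
        self.window_s = window_s

    def enroll(self, customer_id: str, ssn: str) -> None:
        self._store[customer_id] = verifier(customer_id, ssn)

    def authorize(self) -> str:
        """Issue a single-use token; assumed to be done by a separate approver."""
        tok = secrets.token_hex(16)
        self._tokens.add(tok)
        return tok

    def _rate_ok(self, caller: str, now: float) -> bool:
        q = self._calls.setdefault(caller, deque())
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True

    def verify(self, caller: str, token: str, customer_id: str, ssn: str, now=None) -> str:
        """The only operation exposed: returns 'match', 'no-match' or a denial reason."""
        now = time.time() if now is None else now
        if token not in self._tokens:
            outcome = "denied:bad-token"
        elif not self._rate_ok(caller, now):
            outcome = "denied:rate-limit"
        else:
            self._tokens.discard(token)  # token is consumed by this transaction
            expected = self._store.get(customer_id)
            match = expected is not None and hmac.compare_digest(expected, verifier(customer_id, ssn))
            outcome = "match" if match else "no-match"
        self.audit.append((now, caller, customer_id, outcome))  # the SSN is never logged
        return outcome


if __name__ == "__main__":
    b = Broker(max_per_window=2)
    b.enroll("cust-1", "123-45-6789")  # constructed sample customer and SSN
    tok = b.authorize()
    print(b.verify("lender-a", tok, "cust-1", "123-45-6789"))
    print(b.verify("lender-a", tok, "cust-1", "123-45-6789"))  # token already used
```

Because the broker returns only a yes/no answer and keeps no reversible form of the SSN, the blast radius of a compromise of a connected system is limited to the rate-capped queries that system was authorized to make, and every one of them is in the audit log.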
"Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally."
As long as 99.9% of the settlement goes to those who were affected I can get behind this. Unfortunately I know that a huge chunk will go to the lawyers.
Those institutions can't just slash the amount of credit they extend
Who said they would? Not me. They don't have to worry about a thing. They have free insurance via the government.
“He’s not deformed, he’s just drunk!”
Just stop using basic pieces of information on people as some kind of "proof of approval" for various financial documents, problem mostly solved. Maybe a few decades ago it made sense when that kind of information took physical research to find, but now with (idiotic) private/government agencies like these shoveling it all into one central database it makes about as much sense as using one's phone number as a passcode. Require physical visits for certain transactions, give one-time passcode generators in the shape of a credit card to regular contacts, let people set up phone/email/certified mail notifications for major account changes and hold businesses/government accountable when THEY allow an unauthorized person to make transactions in your name.
By that reasoning, why would they bother using Equifax in the first place? Credit agencies like Equifax help lenders assess who is good risk and who isn't. If the government is going to bail them out any time they lose money, their "risk" is exactly zero.
Hackers aren't stealing identity, they are stealing credentials (so as to assume an identity, if the world makes this easy for them to pull off).
Institutions want to pretend that credentials = identity, so that if they give your money to the wrong person, it's your fault (your identity was stolen, what else could we do?) rather than their fault (their chosen system of credentials sprung a leak, causing them to misidentify some loser as the real customer).
Finally, a big enough leak that maybe some people will begin to comprehend the distinction here.
They do not hold personal biological data yet. I hope a class action lawsuit will destroy them. I believe it is an infringement of my rights for some third party to hold my personal information with no recourse to remove it from them. I do not wish to make my information available for loans ... ever!
I would say at least indirectly, yes.
Indirectly, you are responsible for this breach.
The laws, rules and regulations that protect Equifax from those it is screwing are all done in collusion with big government.
Yeah, laws against murder, against personal justice, against you
Big Corporations have access in the halls of power that an individual who has been wronged doesn't have.
Oh noes! We must crush them!
Even in a case like this, the ONLY way the affected individuals can have any influence is long after the damage is done, and only if they band together in a class action lawsuit. The laws won't change regardless.
Isn't that your problem, for not standing up and demanding government listen to you and change the laws?
And while all this is happening, the executives are making millions on the misery of others, untouchable by the legal system, because state-sponsored incorporation laws say that the big wigs aren't responsible for the failures under their leadership. Which is why I support being able to criminally charge the CxOs and the Board of Directors for the negligence and malfeasance, and the Corporate Death Penalty.
Here is a solution, the government revoke the Corporation's Charter, and put them out of business, leaving the shareholders holding nothing.
How will that solve anything? I'll still be injured, and without recompense. You forgot that, in your needless focus on reprisal and punishment. It's almost as if you WANT them to get away with their ill-gotten gains, while pretending you've delivered justice.
You didn't. You failed again.
Social Security numbers were intended for one purpose only, to identify the Social Security retirement account of individual citizens.
The fundamental security model of Equifax and the other credit agencies has always been broken. In my opinion the very best thing that could happen would be if a complete database of the names, addresses, birthdates, and social security numbers of every single US citizen was published and updated quarterly. The clowns at these credit agencies need to stop building an identification model on government retirement accounts.
In short, if I was in possession of the Equifax leaked data, I would paste it all over the internet just to purposely screw Equifax's model.
If the government is going to bail them out any time they lose money, their "risk" is exactly zero.
Which is exactly what happens. What are you getting at? Equifax sells snake oil, and make a pretty penny for it. There are suckers at every level.
“He’s not deformed, he’s just drunk!”
Fuckers, I hope some Supreme Court judge alongside of a few congresscritters get hit badly with this breach.
And hopefully they are a bunch of Republicans, too, so maybe they'll understand why regulations exist.
I wonder how long it will take them to get this little snafu off their credit score?
(repost from https://news.slashdot.org/comments.pl?sid=11087515&cid=55156539)
For the past few decades, the economy has been increasingly based on credit, and many people are so dependent on credit that they cannot survive without it. Our whole system is based on easily-obtained credit, and this has inflated the supply of money far beyond what would be the case if people depended on just the cash they had, or used debit cards.
We have already witnessed the global multi-year impact of one part of the credit industry failing.
What if someone or some group were to publicly post "The List" .. of everyone's info that is currently used to obtain credit. If creditors could no longer be relatively certain that a given request for credit is actually coming from the person or business requesting it, then after a sufficient amount of fraud happens, they would cease to offer credit.
The question we are heading towards answering next is what would happen to the economy if nobody can obtain credit? Sadly, we may find out, and it may be much worse than the last credit crisis.
Key insiders were allowed to sell a good bit of their stock *before* publicly announcing this. Et voilà - no more risk that insider selling will drive their stock down!
those that have had their identity hacked, and those that don't know they have had their identity hacked.
I generally use a custom, unique address for each domain where I register, and did the same when I registered with Equifax to get my credit report through the free annual credit report that we are entitled to receive.
Two years later (2011), I started getting lots of spam for the address that I had used ONLY for Equifax and nowhere else. They've had crappy security (and most likely a customer data breach) since way back when.
I even emailed their customer service to report this at that time and their response was basically that I needed to contact my email provider to check my spam settings.
Fuck Equifax.
By now all that information has likely been copied a bunch of times, sent off to who knows where, and/or has been sold off to the highest bidder(s). Even if they determine who did the hack, the chances of the information being contained are essentially zero, especially considering the hack was done at least a month ago. It's all in the wind now and nothing will get it all back. It'll be months, or maybe years, before we find out the real extent of the damage.
One way to protect yourself (to a certain degree) is to put a lock on your personal information with each of the three credit-reporting companies (Experian, Equifax, and TransUnion.) That way, nobody can access your information unless you lift the lock, either selectively, or for a finite period of time. Some of the agencies charge money (typically $10) for such a lock, or to lift it temporarily, but it's worth it IMHO.
If it weren't for deadlines, nothing would be late.
Companies that store credit data / personal identification information should be required to airgap that information.
It won't prevent ALL attacks, but it sure as hell would prevent MOST of them.
If they didn't want it public, they shouldn't put it on the internet. Period.
so as compensation, they want to sell me one of their products!?
are they on drugs?!
WTF?!
Took the words right out of my mouth. Opening a line of credit should require a public notary as witness, with associated identity checks done in person. And the whole process should be videotaped.
The current situation is made worse by the fact that as the identity theft victim, you're the one who needs to prove it was fraud, rather than the bank needing to prove it was you who opened it, meaning you need to cough up lawyer money exactly when you have the least control over your finances.
> Here is a solution, the government revoke the Corporation's Charter, and put them out of business, leaving the shareholders holding nothing.
More government coercion is not the answer to this kind of massive and systemic government failure. The right answer is to completely deregulate all industry and let the free market handle this like it would if we didn't have the stupid fucking government interfering all the time.
Experian, and TransUnion: Wait ... Hold my beer!
...Equifax shouldn't survive this.
And the board of directors should be* held responsible for the management practices that allowed this sort of error to happen.
Ultimately, the buck needs to stop somewhere, that's why they get the very big bucks. I believe their CEO was paid $13.4 million last year. Taking that, plus the lush salaries of their board and other c-levels, would be a start.
*OK I'm even laughing as I type, knowing how unlikely this is
-Styopa
...not perfectly, of course. A previous poster is correct that no system is perfect. But systems that are well-regulated can be pretty good. The airline industry used to drop planes as frequently as we hear about major data-breaches today: like every month. Now it's less than one per year, despite travel having increased over 10 fold.
We could be hearing about 1/100th as many data-breaches, as well. A bunch of financial services would get a little more expensive, but only a little, just like airline fares have not gone out of sight - they didn't even go out of sight after 9/11 when new regulations made flying more expensive. Just not much.
This company has NO reason to spend more money on security next year. Why would they? The actual financial consequences of this event are really quite minor for them. No fines, no lawsuits, and almost no compensation. (The "year of monitoring" will cost about as much as a coffee for each of the 1% that sign up for it.)
If Corporate Death Penalty were the consequence of an event like this, you'd see OpenBSD web sites with custom web servers written to only provide the application; you'd see humans paid to monitor the logs in real time, and more humans to watch them. You'd see the difference between how civilians do things and how the military do things, not caring that they spend a hundred dollars where a civilian would spend five. And you'd see some real results. Right now, failure is not just an option, it's the cheaper one.
People prattling on about how "nothing could have prevented this" are exactly like those who said the same about the Titanic - until new regulations that were "utterly unaffordable" the day before Titanic were suddenly gospel: double-hulls were very expensive, watertight compartments that go 20ft above water line, enough lifeboats for everybody, 7x24 ice patrols, 7x24 wireless monitoring on every ship. All of that was "impossible" the day before Titanic. The security equivalent is still "impossible" here, because there is essentially no penalty for failure.
since who else has the power to call Equifax to task? But I think it's safe to say the body politic has spoken. The party that espouses deregulation the most has the House, Senate, Presidency, is on the way to taking the Judiciary and has virtually all the State Legislatures and governorships. If you want to see any meaningful action taken we'll need big changes to our political makeup.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I disagree. I think that the federal domestic data collection programs constitute the worst leak of personal information ever.
PCI-DSS is an industry standard specifically meant to prevent the government from stepping in and regulating. Equifax I'm sure complies with it in all respects.
I think the trouble here is Equifax has virtually no penalty here (save a few million paid out to lawyers in the inevitable class action, assuming the recent laws regarding mandatory Arbitration don't kick in which depending on when the breach happened they might). When you say regulation what you really mean are fines bigger than cost of actually securing the data. Short of that and it's just a business decision. It costs X to secure the data and we lost Y in a breach. If X > Y you let the breach happen.
Next time:
SET credit_score = 740 WHERE credit_score <= 600;
Cybercriminals sure aren't the old-school hackers.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
"The breach Equifax reported Thursday is very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be."
Whaaaat? Full name? Public info. Social security number? Not private. Birth date? Addresses? Are you kidding me? And "driver license numbers"?! Why, that's *REAL* top-secret information...
"highly sensitive data"?! If banks or any company use this public/effortlessly obtained info to verify anything, they are highly dangerous dumbasses who need to be stripped of all powers and not get to handle any kind of financial transactions or important anything of any kind.
From where does this idea come that somebody's public information is some kind of "root password" to their identity? It's like saying that the *public* PGP key can be used to sign messages, without the PRIVATE key. Absolute idiocy.
And yes, it may be different in the US, but in many countries in Europe, any person can get all of this info without any effort. It isn't private, and even if it were, it'd be impossible to properly secure for numerous reasons. It's not meant to be, and wasn't designed as, some kind of "secret password". Just let me define such a thing in a secure manner and be done with it, and then it's up to me to keep it secure. I would never leak my "private key".
Between Wells Fargo committing identity theft, record low interest rates, and real thieves able to steal so much personal information about you, tell me again what the drawback is to just socking your money away under a mattress and paying cash for everything?
Credit freezing is the only real protection that a consumer has against identity theft, in my opinion. Not only is it much, much cheaper than the monthly cost for credit monitoring, it proactively makes it less likely that one's identity will be stolen rather than informing after the fact.
There is a marginal cost to doing this (around $10) unless one's identity has already been stolen, in which case it's free. Since these major hacks and leaks are pretty much inevitable, it seems like in the fullness of time everyone will see their identity stolen at least once. When that happens, I guess everyone will just be able to freeze their credit for free.
It would sure be nice to just skip to the inevitable end and just let everyone freeze their credit for free, now. That would be a far more welcome outcome from Equifax, offering free credit freezes, than the credit monitoring that they'll offer in their inevitable settlement.
Wouldn't encryption of sensitive data be at least a first line of defense? It would be the first thing I would recommend if I was working with such information.
Where I work we encrypt DOB, first name, last name, gender and any other identifiable information.
We have some algorithms which create tables indexed to userid and first letter of last name, for example, so we know where to start a last name search prior to decryption.
The database by itself would not compromise our users; the hackers would need to find the encryption keys, which is at least a minimal deterrent.
If people who check credit reports or grant credit verify the application is being sent in by the named party, this would go a long way to solving the problem.
For in-person applications this is a no-brainer: The bank or other credit-issuer would require that the store clerk check your driver's license or other hard-to-counterfeit government-issued ID that has a current address on it, and have the store be held responsible for mistakes or fraud committed by the clerk.
For online and over the phone applications it gets harder:
I see a big opportunity for banks and stores to join Notary Publics in providing "authentication" services: If I plan on applying for more than a small amount of credit online or over the phone or through the mail in the next few weeks, I'll need to visit someone in person, show them my ID, and be issued a number or signed digital token that I will be required to present to creditors. This number or token would expire after a few weeks or less and, optionally, would only be good for certain uses such as mail-order goods shipped to a certain address or for non-loan purposes such as giving permission for a prospective landlord who hasn't seen me in person to run a credit check.
In the case of a number or other non-self-authenticating token, the recipient would have to validate it with the issuer or a clearinghouse before accepting it. In the case of a signed digital token with a valid chain of trust, no further action is required.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
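The scoped, expiring "signed digital token" proposed in the comment above, as an added example that is not code from any poster. It assumes a shared HMAC signing key held by the in-person issuer (a real deployment would more likely use a public-key signature so creditors hold no secret), and the names, purposes and key material are all made up for the demonstration.

```python
"""Scoped, expiring authorisation token: issuer signs {subject, purpose, expiry};
a creditor verifies signature, expiry and permitted use before honouring it."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumed issuer signing key (placeholder). A real issuer would keep this in an
# HSM; the comment's chain-of-trust variant would use an asymmetric signature.
ISSUER_KEY = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, purpose: str, ttl_seconds: int, now: float = None) -> str:
    """Issuer side: after checking ID in person, bind subject, purpose and an
    expiry into one HMAC-signed record.  `now` is injectable for testing."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "purpose": purpose, "exp": int(now + ttl_seconds)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, expected_subject: str, expected_purpose: str,
                 now: float = None) -> tuple:
    """Creditor side: returns (ok, reason). Signature is checked first, in
    constant time, so nothing in an unsigned body is ever trusted."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected_sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    claims = json.loads(body)
    if now > claims["exp"]:
        return False, "expired"
    if claims["sub"] != expected_subject:
        return False, "wrong subject"
    if claims["purpose"] != expected_purpose:
        return False, "wrong purpose"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("alice", "landlord-check", ttl_seconds=14 * 86400)
    print(tok)
    print(verify_token(tok, "alice", "landlord-check"))   # (True, 'ok')
    print(verify_token(tok, "alice", "auto-loan"))        # (False, 'wrong purpose')
```

Because purpose and expiry are inside the signed body, a token issued for a landlord's credit check cannot be replayed to open a loan, and a stolen token is worthless once its short window has passed; that is the property the comment is after.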
The implant gets rid of the need for money and taxes. It will automatically be taken care of for you. Another benefit is only certified US citizens get heath services. All problems solved. A much smaller government will also be a side benefit...
in Comic Book Guy's voice.
Short version, fuck them. They can just not have access to government services or banking then. This crap is what pandering to the stupid gets us. And if that makes them all want to go hide in their bunkers, so much the better for the rest of us.
So long as any biometric data is not used for authentication. Something you HAVE and something you KNOW. Biometrics and a card are 2 things you HAVE. Unless an unhackable biometrics system is widely available, they won't do for authentication at this level. All the current ones are easily tricked into false positives.
...you know Arthur Andersen was effectively killed by the government in 2002 - The company was found guilty of obstructing justice, effectively putting an end to all its audit activities, and 80K people lost their jobs in a 12 month time-span. One could make the argument that this should happen again here.
Killing Equifax would send a message to the remaining players in the space that this laxity will not be tolerated. There is *nothing* ordinary people can do to put pressure on Equifax to not do this again. Only the government can do this, but it won't because the company spends ~$1M annually to keep everyone happy.
https://www.opensecrets.org/lobby/clientsum.php?id=D000025712
I had a Toshiba and was automatically added to the Toshiba class action suit. The law firm that filed the suit got ALL the money and we who had actually been wronged got a $100 off certificate if we bought a new Toshiba. Let's see what the sucker victims get out of this suit.
For those who might not be aware, you can direct the credit reporting companies to "freeze" your credit report. This will stop identity thieves from using your information to open new lines of credit under your name. (It also stops you from doing things that require a check of your credit score, like applying for a loan, etc.)
https://www.consumer.ftc.gov/a...
So does anyone know what's up with OpenDNS blocking the equifax security site (the one that all the news articles are pointing to) with a "blocked due to a phishing threat" message?
David Gould
main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
I don't want your credit, I don't need your credit, gtfo!
Why was the system with everyone's SSNs connected to internet at all? Why was it not air gapped?! You don't need plaintext SSN included on anyone's credit report, it's only used for authentication (shouldn't be, but too late to change it now I guess). So why not treat it as passwords? As in, properly salted and hashed. And then you don't have to worry about it being stolen. Did they even hire any security experts when designing the system?!
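An added example, not code from any poster, covering both the "encrypt the fields and index by first letter of the last name" design described earlier in the thread and the "salt and hash the SSN like a password" suggestion above. It shows why a salted hash of a nine-digit SSN protects little (the whole space is under 30 bits, so anyone holding the salts can enumerate it) and what a keyed blind index looks like instead: deterministic, so exact-match lookups still work, but uncomputable without a key kept outside the database. The records, key and table layout are constructed for the demonstration; encrypting the record bodies themselves is left to a proper AEAD library and is not shown.

```python
"""Keyed blind index for low-entropy identifiers (SSN, last name) versus a
plain salted hash. Sample data and the index key are constructed placeholders."""
import hashlib
import hmac
import math

# Assumed: index key stored outside the database (HSM / KMS), never beside the rows.
INDEX_KEY = b"placeholder-index-key-kept-outside-db"


def ssn_keyspace_bits() -> float:
    """A nine-digit SSN has at most 10**9 values: fewer than 30 bits, so a
    salted hash only slows enumeration, it does not prevent it."""
    return math.log2(10 ** 9)


def salted_hash(ssn: str, salt: bytes) -> str:
    """The 'treat it like a password' approach: per-record salt + SHA-256.
    With salts stored in the same table, every SSN is recoverable offline."""
    return hashlib.sha256(salt + ssn.encode()).hexdigest()


def normalise(value: str) -> str:
    """Canonical form so '123-45-6789' and '123456789' index identically."""
    return value.replace("-", "").replace(" ", "").strip().lower()


def blind_index(value: str, key: bytes = INDEX_KEY) -> str:
    """Keyed HMAC over the normalised value. Without `key` the index reveals
    nothing; with it, equality lookups remain possible without decrypting."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()


def build_table(records):
    """records: iterable of (user_id, ssn, last_name).
    Returns (ssn_index, last_name_index); the encrypted record bodies would be
    stored separately, keyed by user_id."""
    by_ssn = {}
    by_last = {}
    for uid, ssn, last in records:
        by_ssn[blind_index(ssn)] = uid
        by_last.setdefault(blind_index(last), []).append(uid)
    return by_ssn, by_last


def lookup_ssn(ssn_index, ssn: str):
    """Exact-match lookup without ever storing or hashing the raw SSN unkeyed."""
    return ssn_index.get(blind_index(ssn))


def lookup_last_name(last_index, last: str):
    return last_index.get(blind_index(last), [])


# Constructed sample records (fake SSNs and names).
SAMPLE = [
    ("u1", "123-45-6789", "Smith"),
    ("u2", "987-65-4321", "Jones"),
    ("u3", "555-12-3456", "smith"),
]

if __name__ == "__main__":
    ssn_idx, last_idx = build_table(SAMPLE)
    print(f"SSN keyspace: {ssn_keyspace_bits():.1f} bits")
    print(lookup_ssn(ssn_idx, "123456789"))      # u1
    print(lookup_last_name(last_idx, "SMITH"))  # ['u1', 'u3']
```

The first-letter bucket the earlier poster describes leaks the distribution of names (26 buckets of very uneven size); a blind index per full value leaks only equality, and only to someone who has both the table and the separately held key.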
One way to protect yourself (to a certain degree) is to put a lock on your personal information with each of the three credit-reporting companies (Experian, Equifax, and TransUnion.) That way, nobody can access your information unless you lift the lock, either selectively, or for a finite period of time. Some of the agencies charge money (typically $10) for such a lock, or to lift it temporarily, but it's worth it IMHO.
It was... If someone now has every piece of information that Equifax has for you, they can probably lift the lock, as well.
Finally! somebody gets it--there is no legitimate reason for this database to have any connection to the Internet whatsoever.
sorry nested the earlier comment in a thread.
Anyone else on here a former employee of Equifax's IT side in Atlanta? They really are pretty rotten with how they treat their employees. I averaged 5 hours of sleep on a good night including Saturdays and Sundays. Work all night and be in by nine am every weekday. The level of processes to try and get anything done were insane. Everyone wanted to dump everything and claim no responsibility. Everyone waits till 4:30 PM to dump their needed changes on you, no time to review. Every night was a change window. Had a meeting once where they wanted to encourage ideas and instead it turned into six sigma. I could go on and on. Thank God I got out of there or I would have been in prison for losing it.
we need more software QA as well.
Way too much ship now, patch later. Hell, new stuff comes out with things listed to be added at a later date.
purchases not purchaes. Thanks.
By that reasoning, why would they bother using Equifax in the first place?
Using a crappy "blind" service to charge you more shields them from repercussions of predatory lending practices.
The cesspool just got a check and balance.
The attack accessed certain files.
Does that mean all the data was available in a spreadsheet on a website ?
Looks like Equifax's Chief Security Officer Susan Mauldin is unqualified for her position. She doesn't seem to have the necessary education or experience.
You could go to her LinkedIn profile to check yourself. Only problem is she deleted it.
https://www.linkedin.com/in/susan-mauldin-93069a
Thankfully, someone did a screen capture: http://i.imgur.com/QiXX3it.jpg
Unless and until the FTC starts fining these companies large enough fines to cause the execs to take notice, these breaches will continue and only get worse. Security is a process and a breach like this usually required multiple lazy or sloppy decisions just to make the exploit possible. These breaches aren't nation-state actors writing custom exploits. These are script kiddies trolling for sloppy systems they can exploit. And those systems wouldn't be exploitable by those kiddies unless the engineers and IT folks were being so lazy and sloppy with security. There isn't even good risk-reward decision making on these issues. The attitude is if I can save 1 dollar by doing less security, we will. Until fines and criminal charges start becoming a real risk, companies will continue to be breached over and over again.
"Those that start by burning books, will end by burning men."
Making sure someone can reasonably repay a loan based on cost of living would never work in the US. Debt makes the US economy go 'round.
My identity was stolen, but the crooks didn't touch my credit because that would have flagged alerts with the major credit agencies like Experian, Equifax etc. Instead they abused the banking system (which uses a different verification service few people know about called ChexSystems). They opened online bank accounts in my name from every major "open a checking account online today!" service (like Ally, etc.), and started trying to funnel money into the accounts from elsewhere... such as from selling fake items on ebay and other mule scams. Had one of the compromised banks not sent me "my new ATM card" thanking me for opening accounts, I would have never known... and worse yet, checking my credit yearly at the major bureaus wouldn't have shown anything either because they weren't applying for credit. Plain and simple, they were using my name for money laundering transfers in and out of the country. Just like with the major credit bureaus, you can put a "banking freeze" and "Fraud alerts" with ChexSystems to prevent people from opening savings and checking accounts in your name too. I suggest people do it. In my case it was free since I had my identity stolen, but it only costs a few bucks to freeze them too.
I'm guessing, but I bet if everybody puts the 90 day fraud lock on their credit, all of the banks, lending institutions, and money based businesses will really feel the squeeze.
I understand the 90 day fraud lock is free.....
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
It varies by state, but in my state not only are you charged to lock, but also to unlock. So if you want to unlock for a purchase it costs you. And if you fully protect by locking all three credit monitoring companies, that can get expensive.
Equifax is toast, it will be gone in less than a year. Note that the personal information of Trump's cabinet members and staff is doubtless being used as we speak, not to mention Congress. Typically Equifax would spread a few bucks in bribes to squirm out from liability but if high government officials are affected that path is blocked. Sell the stock short before it's too late.
The really annoying part is that this creates more business for them. To protect yourself, you need to freeze your credit, which of course involves a fee. Or you should continually monitor your credit report, which again costs money (the first taste is free, though).
So great, 143m people can give each of the credit rating agencies $10 or so each to protect themselves from their mistake.
Might as well be considering how big a screw up this is.
Nice pivot!
Nope. It is a public company with $16B in market cap. $14B today, after the news
But being publicly-traded does not make it a government organization.
And we have a winner for most stupid comment on this thread - possibly the entire day! (Private company fails miserably - Blame Government!)
How about free credit monitoring for life for all the people impacted! Will also be interesting to see how much jail time the managers get for insider trading.
I have never authorized Equifax, or one of the other agencies, to collect and store my info. I am in the US on a visa and I am an EU citizen. Things like a dress, SSN, even name are private info and must not be stored and collected without explicit permission by me. How can I as an EU citizen have those "credit agencies" scrub that data that they have been collecting without authorization?
I'm a small government conservative and favor deregulation over regulation *in general*.
However, I have no clue how what you're saying solves the problem.
I am glad to hear there is a multi billion dollar lawsuit. The impact of this breach will be significant and far reaching. The only way that companies are going to invest to do things right is if the cost for screwing up will put them out of business.
Yubikey supports more than U2F, and yes I have one.
Haha you wear a dress.
According to the FTC:
What is a credit freeze?
Also known as a security freeze, this tool lets you restrict access to your credit report...
I'm guessing a credit freeze is pretty useless now, since all the important data is out.
Not that this wasn't entirely predictable.
1. The clause that causes you to forfeit your right to sue is probably unenforceable and the NY att gen has already made statements about that. Talked to lawyer friend who concurs - probably unenforceable.
2. There were a number of Equifax employees (probably high level directors) who sold stock just before the announcement - trivially illegal insider trading.
3. The CSO (Chief Security Officer) of Equifax has NO IT experience and has degrees in Music!! This is so actionable and liability-laden it's mind-boggling.
Basically Equifax is a scum company run by scum people employing scum. It needs to be taken down and anyone in a position of power must never be allowed to run or be employed in upper management at any company ever again! Most should be in jail for a very long time.
... bring down the cashless economy? Internet commerce? Commercialism?
PlaynBass
We're number one! We're number one!
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
In what way is this a failure of big government?
I'd actually assert that this is a failure of small government - in Europe where the government is bigger, there's regulations about what information these companies can store, how they must store it, and what the penalty is if they fail to do so.
It's the cryptoconservative mantra. A problem? All problems are the fault of big government and liberals.
It's actually entertaining after a while, as noted in my sig line, some idiot in here actually blamed peanut allergies on liberals.
So while it is a remarkable exercise in tapdancing to stupid, but often laughable.
I suspect you're trolling.
Equifax is a private company whose executives engaged in insider trading right after they discovered the breach. It will be another proof that our regulation light government doesn't have any teeth to deal with this appropriately.
Ummmm - but her email?
Not correct. When you place a freeze on your credit report, you are given (or you create) a PIN, which is needed to unlock your report again. One problem with this, though, is that Equifax creates your PIN and sets it at the current time stamp (MMDDYYHHMM), so it's not impossible for someone sufficiently motivated to narrow your PIN down significantly.
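An added example (not from the comment) that puts numbers on the point above: a PIN derived from the freeze timestamp has one possible value per minute, so across a year there are only 525,600 candidates (about 19 bits), against ten billion (about 33 bits) for ten uniformly random digits. It also includes the check a defender would run over an existing PIN store to flag timestamp-shaped values, and the `secrets`-based generator that should replace the timestamp scheme. The date used is constructed.

```python
"""Timestamp-derived PIN (MMDDYYHHMM) versus a CSPRNG PIN: keyspace comparison,
a weak-PIN detector, and a proper generator."""
import datetime
import math
import secrets

MINUTES_PER_YEAR = 365 * 24 * 60


def timestamp_pin(when: datetime.datetime) -> str:
    """The scheme the comment describes: the PIN is just the freeze time."""
    return when.strftime("%m%d%y%H%M")


def timestamp_pin_keyspace(years: int = 1) -> int:
    """Distinct PINs possible for freezes placed within `years`: one per minute."""
    return years * MINUTES_PER_YEAR


def random_pin(digits: int = 10) -> str:
    """Hardened alternative: each digit drawn from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def random_pin_keyspace(digits: int = 10) -> int:
    return 10 ** digits


def keyspace_bits(n: int) -> float:
    return math.log2(n)


def looks_like_timestamp(pin: str) -> bool:
    """Defender-side audit check: does this 10-digit PIN parse as MMDDYYHHMM?
    A large share of such PINs in a store indicates the weak scheme is in use."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        datetime.datetime.strptime(pin, "%m%d%y%H%M")
    except ValueError:
        return False
    return True


def audit_pins(pins) -> dict:
    """Summarise a batch of stored PINs: how many are timestamp-shaped."""
    flagged = [p for p in pins if looks_like_timestamp(p)]
    return {"total": len(pins), "timestamp_shaped": len(flagged)}


if __name__ == "__main__":
    freeze_time = datetime.datetime(2017, 9, 8, 14, 5)   # constructed example
    print(timestamp_pin(freeze_time))                    # 0908171405
    print(f"timestamp PIN: {keyspace_bits(timestamp_pin_keyspace()):.1f} bits/year")
    print(f"random 10-digit PIN: {keyspace_bits(random_pin_keyspace()):.1f} bits")
    print(random_pin())
```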
I think you misunderstand the purpose of credit bureaus. The point is: How much do we have to charge to make a decent profit? They don't give a tiny rats ass how badly you've screwed up, they only care about how much they should pad the bill.
Question of the day:
Over the weekend, did Equifax get shamed into doing something right: a) using random PINs, and b) not charging $5 per freeze?
We need more private industry and less big government incompetence.
Perhaps AC means we need more private industry incompetence?
Is the breach you never heard about. This breach is minor compared to the ones you don't know about
Grow up kids...you think this is the first? You are all naive Trump lovers.