Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever

The breach Equifax reported Thursday is very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.

UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.

Three executives sold 1.8 million in stock

[EnOne]

"Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers." https://www.bloomberg.com/news...

wish every single SSN would leak

i keep hoping that every single SSN for every american will leak so that the SSN can no longer be used the way it is using now... i wish the breach would be much worse until enough SSNs are available to everyone and the SSN can no longer be used as a personal identifier

Re:It's time for regulation. Sorry to say it.

[bluefoxlucid]

No regulation would stop this. Computers are enormous and complex; either Equifax writes in-house software or hires out for someone to write their software; and credit reporting agencies are dealing with a unique business situation requiring some kind of unique front-end to their clients. Even Windows, Linux, Oracle, Adobe, and Chrome have security bugs.

Regulation can't prevent them from putting forth all due diligence and still failing. Equifax was founded in 1899 and has been the front-line CRA for decades; they got the tech first, they got the Internet services first, they got the Web sites first, and now they got hacked first. It's been a long time coming and they've gotten hacked once. You can't stop that.

You want security against identity theft? Here it is: hardware identification. U2F devices--I hate them, rant in a minute--can identify a user without relinquishing a key. You want to know I'm who I say I am? Then I register with Equifax, I give them an identifying key, I authorize your credit check with my key. You can't hack that. It's unhackable, or else somebody has figured out how to break encryption that should not be breakable yet--in which case nothing is safe.

I would not be above passing legislation specifying that a person's credit history cannot be impacted by non-challenge-response, user-presence-based authentication in line with modern standards. That is: you have to have something that can be handled entirely in the open and still not allow impersonation, such as RSA or Ed25519 challenge-response exchange with a secure hardware device. These devices cost all of $20 at the lowest end.

If the banks want to go ahead and verify your ID by other means, that's fine; and when you have presented your case in dispute and filed for small bankruptcy, we bail you out of only those unauthenticated accounts, and don't mark it on your credit history, at all. They can validate your identity later and confirm those accounts only with your informed consent.

Lost your key? Call your bank; all banks are required to file a Lost Key hold for anyone with a credit account with them, which freezes all your credit. You have to show up to a bank, present valid ID (e.g. a real Driver's ID), and then prove you still have your key or provide a new key to re-establish a trust relationship between you and the CRA. No verbal verification; you physically come here and show me your ID, or you're full of shit and have a print-out of stolen Social Security numbers at your desk.

The states or the SSA could supply similar attestation, with those smart chips (they're actually miniature computers, in full) embedded into multi-layer polycarbonate Driver's IDs and Social Security cards functioning as U2F devices with a trust relationship to the Government agency. These cards are tamper-proof: your photograph is laser-etched into a mult-image across multiple polycarbonate layers. You're not going to clone someone's Driver's ID with a non-readable private key inside, not without stealing the original Driver's ID. If your state supplies this, you can easily attest to your bank that you are in fact holding a real Driver's ID, and they can verify who you are, and you can use your own personal security key device to set up a trust relationship to the CRA and not to the bank (again: the CRA is authenticating you; it's working on your behalf, not on the behalf of the bank).

As for why I hate U2F devices? Yubico built them right. They use secure hardware--specialized, physically-unhackable without some serious high-end equipment, and potentially impossible to get into without destroying it unless you can remove ceramic in atomic layers--and they accept a challenge, then issue a response. You have a parent key, which the device uses to create child keys, and then sends the certificate (public key) to whoever wants it. No exposure of the identity credential: you can only identify t

You are not the customer

[Solandri]

You are the product. The customers are the banks, companies, and landlords from whom you wish to borrow money or collateral (like a leased car or apartment).

And getting rid of the credit agencies won't have the effect most people seem to think it will. Lenders won't magically assume everyone is credit-worthy if there's no way to check people's credit. They're going to assume everyone is not credit-worthy. In other words, getting rid of credit reports won't make it easier for people with poor credit to borrow money. Nothing will change for people with poor credit. The only difference will be for people who had good credit - all the banks, companies, and landlords will assume everyone has bad credit, and everything will be priced accordingly.

Unless you can prove you have enough money in the bank to cover the loan or collateral. So only the 1% would be able to borrow cheaply. The 99% would have to pay the exorbitant interest rates formerly reserved only for people with poor credit. That is the benefit the credit agencies provide you - giving you (if you're fiscally responsible) access to cheap loans without you having to keep enough money in the bank to immediately pay back the entire loan at any instant. But because people don't like being denied a loan, somehow this default base state (unable to get a loan because the lender doesn't know if they can trust you) got twisted around in people's minds into being a negative. It's not a negative; it's the neutral state. And being able to get a loan after a credit check is not a neutral, it's a positive.

Equifax Chief Security Officer unqualified

[phalse+phace]

Looks like Equifax's Chief Security Officer Susan Mauldin is unqualified for her position. She doesn't seem to have the necessary education or experience.

You could go to her LinkedIn profile to check yourself. Only problem is she deleted it.

https://www.linkedin.com/in/susan-mauldin-93069a

Thankfully, someone did a screen capture: http://i.imgur.com/QiXX3it.jpg