Slashdot Mirror


Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com)

The breach Equifax reported Thursday is very possibly the most severe of all for a simple reason: the breathtaking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.

UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.

17 of 401 comments

  1. That's it. I'm done with Equifax by Anonymous Coward · · Score: 5, Funny

    Oh wait.

    1. Re: That's it. I'm done with Equifax by Anonymous Coward · · Score: 5, Insightful

      Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily affect major life events (e.g., home purchases).

      They make money from using our information, provide little benefit to us, and hold almost no accountability when they're wrong but can and often do horribly affect consumers' lives based on data they provide--even when it's inaccurate.

  2. Give it time. by penandpaper · · Score: 5, Insightful

    Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever so far.

  3. Send 'em to jail by Anonymous Coward · · Score: 5, Informative

    The Equifax executives apparently sold stock immediately after learning of the breach. Jail them all for incompetence _and_ insider trading.

  4. Hopefully this will be the end of equifax by damn_registrars · · Score: 5, Insightful

    That company is rotten to the core. They have far too much power over our lives and very near zero accountability for how they handle that power. Allowing those hacks to decide how credit worthy someone is could be one of the worst ideas of the 20th century, and we have unfortunately held on to that terrible idea into the 21st century as well.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.

    1. Re:Hopefully this will be the end of equifax by dargaud · · Score: 4, Informative

      I'd started to moderate this discussion but I'll lose it to answer your question:

      how else would you propose preventing someone from running up a whole ton of debt, skipping out on it, and then doing it again at another creditor?

      Like they do in every (?) other country: you go to a bank, show them your bank statements for the last few years, your tax statements, your job contracts, your current house mortgages and anything else they ask, and THEY decide on what kind of loan to give you based on that info. Oh, and yes, having a state-backed ID card helps against you running away and trying somewhere else. No centralization: too much power, too much risk and nothing to gain for the customer anyway.

      --
      Non-Linux Penguins ?

    2. Re:Hopefully this will be the end of equifax by houghi · · Score: 4, Informative

      I do not understand why they even exist. In Belgium we have the National Bank that has the database of all credits. A company has to check there to even be allowed to give a credit. They also need to add the credit they open. They do not see the other companies, just the number of loans and the amounts and all the rest, so they can calculate if there is enough margin to allow a credit.
      If a person is on the black list (late payments) they will not be allowed ANY credit. If a company gives a credit where it was not allowed, the company becomes responsible and the person does not even need to pay back that loan. Yes, I have seen that happen. The company needs to take that loss. They asked nicely and they got a reply of "No" (OK, bit longer) from his lawyer and that was the end of it.
      https://www.nbb.be/en/about-na...

      It is pretty efficient and fast. You ask the customer how much he earns (pay slip and other official proof of income), you deduct some standard cost of living for food and clothes. You deduct his other loans, if they exist. That is the amount he can spend on a new loan. Is that more than what it would be? Good, you have a loan. It isn't? No loan (or credit or what not).

      e.g. income of 1500EUR netto per month (numbers pulled from a dark place)
      Rent of 500 per month.
      Being able to live 750 per month
      Car loan of 250 per month.

      That is 1500. No loan for you.
      If he earns 1750, he could get a loan/credit where the maximum payment is 250.
      The allow/deny of a loan is instantaneous. Obviously done over SSL with several layers of security and signing.
      What might take a bit of time is verification if the pay slip is real.

      Obviously, it is a bit more complicated, but this is the basics. No need to go to a third party at all. The info is already available and required by law.

      As a customer, I can ask what is there in my name and how much and what companies and what not.

      --
      Don't fight for your country, if your country does not fight for you.

  5. It's time for regulation. Sorry to say it. by Opportunist · · Score: 5, Insightful

    We have PCI-DSS for companies that deal with credit card information. Why not for companies that store even more sensitive information that potentially allows a criminal to pretty much take over my life by essentially stealing my identity?

    The damage here is way more serious than ANYTHING the loss of a million credit card numbers could mean. Could it be that it's just us that have to foot the bill instead of Visa and Mastercard?

    No, that can't be. Government represents the people, right?

    Fuckers, I hope some Supreme Court judge alongside of a few congresscritters get hit badly with this breach. I usually don't wish bad things to happen to anyone, but I really hope that one of them has their identity stolen, their credit rating trashed and their life basically ruined by this hack.

    Because ONLY then we'll FINALLY see something happen.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    1. Re:It's time for regulation. Sorry to say it. by bluefoxlucid · · Score: 4, Interesting

      No regulation would stop this. Computers are enormous and complex; either Equifax writes in-house software or hires out for someone to write their software; and credit reporting agencies are dealing with a unique business situation requiring some kind of unique front-end to their clients. Even Windows, Linux, Oracle, Adobe, and Chrome have security bugs.

      Regulation can't prevent them from putting forth all due diligence and still failing. Equifax was founded in 1899 and has been the front-line CRA for decades; they got the tech first, they got the Internet services first, they got the Web sites first, and now they got hacked first. It's been a long time coming and they've gotten hacked once. You can't stop that.

      You want security against identity theft? Here it is: hardware identification. U2F devices--I hate them, rant in a minute--can identify a user without relinquishing a key. You want to know I'm who I say I am? Then I register with Equifax, I give them an identifying key, I authorize your credit check with my key. You can't hack that. It's unhackable, or else somebody has figured out how to break encryption that should not be breakable yet--in which case nothing is safe.

      I would not be above passing legislation specifying that a person's credit history cannot be impacted by non-challenge-response, user-presence-based authentication in line with modern standards. That is: you have to have something that can be handled entirely in the open and still not allow impersonation, such as an RSA or Ed25519 challenge-response exchange with a secure hardware device. These devices cost all of $20 at the lowest end.

      If the banks want to go ahead and verify your ID by other means, that's fine; and when you have presented your case in dispute and filed for small bankruptcy, we bail you out of only those unauthenticated accounts, and don't mark it on your credit history, at all. They can validate your identity later and confirm those accounts only with your informed consent.

      Lost your key? Call your bank; all banks are required to file a Lost Key hold for anyone with a credit account with them, which freezes all your credit. You have to show up to a bank, present valid ID (e.g. a real Driver's ID), and then prove you still have your key or provide a new key to re-establish a trust relationship between you and the CRA. No verbal verification; you physically come here and show me your ID, or you're full of shit and have a print-out of stolen Social Security numbers at your desk.

      The states or the SSA could supply similar attestation, with those smart chips (they're actually miniature computers, in full) embedded into multi-layer polycarbonate Driver's IDs and Social Security cards functioning as U2F devices with a trust relationship to the Government agency. These cards are tamper-proof: your photograph is laser-etched into a multi-image across multiple polycarbonate layers. You're not going to clone someone's Driver's ID with a non-readable private key inside, not without stealing the original Driver's ID. If your state supplies this, you can easily attest to your bank that you are in fact holding a real Driver's ID, and they can verify who you are, and you can use your own personal security key device to set up a trust relationship to the CRA and not to the bank (again: the CRA is authenticating you; it's working on your behalf, not on the behalf of the bank).

      As for why I hate U2F devices? Yubico built them right. They use secure hardware--specialized, physically-unhackable without some serious high-end equipment, and potentially impossible to get into without destroying it unless you can remove ceramic in atomic layers--and they accept a challenge, then issue a response. You have a parent key, which the device uses to create child keys, and then sends the certificate (public key) to whoever wants it. No exposure of the identity credential: you can only identify t
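
An added illustration of the challenge-response scheme this comment proposes (example code written for this page, not the commenter's, Yubico's or any U2F library's; the Device and CRA names are invented stand-ins): the token signs a fresh random challenge together with a user-presence flag using an Ed25519 key that never leaves it, and the verifier holds only the public key, so everything that crosses the wire can be observed without letting anyone answer the next challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device stands in for the hardware token: the key pair is made inside it and the
// private half never leaves; only signatures over challenges come out.
type Device struct{ priv ed25519.PrivateKey }

// Response is all the device emits; both fields can travel in the open.
type Response struct {
	Presence byte // 1 = the user physically touched the device for this request
	Sig      []byte
}

// NewDevice makes a token and returns the public key the user registers with the CRA.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// signedMessage binds the presence flag to the challenge so it cannot be flipped later.
func signedMessage(challenge []byte, presence byte) []byte {
	return append(append([]byte{}, challenge...), presence)
}

// Sign answers one challenge; a real token sets presence=1 only on a physical touch.
func (d *Device) Sign(challenge []byte, presence byte) Response {
	return Response{Presence: presence, Sig: ed25519.Sign(d.priv, signedMessage(challenge, presence))}
}

// CRA is the relying party; it stores nothing but the public key the user registered.
type CRA struct{ pub ed25519.PublicKey }

// NewChallenge returns 32 fresh random bytes; each credit check gets its own, so a
// response captured from an earlier check does not answer this one.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify accepts r only with user presence and a signature, under the registered key,
// over exactly the challenge this CRA issued.
func (c *CRA) Verify(challenge []byte, r Response) error {
	if r.Presence != 1 {
		return errors.New("no user presence")
	}
	if !ed25519.Verify(c.pub, signedMessage(challenge, r.Presence), r.Sig) {
		return errors.New("bad signature: wrong key, tampered flag or replayed response")
	}
	return nil
}
```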

  6. Yay, more free credit monitoring for me. :-) by ErichTheRed · · Score: 5, Insightful

    Equifax and the 2 other credit bureaus have a ton of non-credit related information on consumers as well. It will be interesting to see what else was not reported as part of the breach.

    I'm going to sound like an old fart, but a lot of these "cyberattacks" end up being down to a very dumb misconfiguration like leaving FTP open, failure to patch security holes, and things like leaving data on unprotected public cloud storage. Part of my job is being a technical mentor to some of our more junior staff, and what I'm seeing is a lot of developers and CS people who really don't know the guts of how IT works. I'm not saying people should go back to punch cards and assembler, but having some clue about TCP/IP, DNS, what an open port on a server means, how a firewall works, etc. would go a long way to preventing some of the dumber things I've seen. Most of this is very much abstracted, and in a "cloud-first" world it's even more so. The network is just assumed to work underneath everything else, and I think this is where a lot of the misconfiguration problems get missed.

    We may or may not see what actually happened. It could have been some state-sponsored hacking group planning a painstaking attack requiring intimate knowledge of everything. But knowing what I know about corporate IT, it was most likely some lowest-bidder contractor being forced to pull another 12-hour shift and missing something. Until companies have to actually pay for these issues, all we're going to get is "free credit monitoring" for a year, which costs them nothing, and _maybe_ we'll get a check for 11 cents from a class action lawsuit 20 years from now when it winds its way through the system.

  7. Three executives sold 1.8 million in stock by EnOne · · Score: 4, Interesting

    "Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers." https://www.bloomberg.com/news...

    --
    Calvin:Do you believe in the devil? Hobbes:I'm not sure man needs the help.

    1. Re:Three executives sold 1.8 million in stock by tsqr · · Score: 4, Insightful

      I'm not sure if that qualifies as insider trading

      Of course it does. Any time an employee trades stock in the company he's employed by, that's insider trading because the employee is an "insider". Most of the time, it's perfectly legal.

      From SEC.gov: "Illegal insider trading refers generally to buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence, while in possession of material, nonpublic information about the security." And that is what happened here, because the trading happened before the public was made aware of the breach.

  8. Business as usual... by wardrich86 · · Score: 4, Insightful

    I'm sure nobody will be jailed. A fine will be issued, which will be passed off as increased fees to clients. A few buzzwords will probably be thrown around about how amazing their security is now, but probably little will change. 5-10 years from now this will happen again. Maybe not to Equifax, but to some other company that didn't learn from the mistakes of the past.

  9. I'll push back by stomv · · Score: 4, Insightful

    They make money from using our information, provide little benefit to us...

    I'll bite. I agree that, as individuals, it doesn't feel like they provide a benefit. But by providing somewhat-accurate financial history to lending institutions, those lending institutions can more precisely estimate the risk associated with each loan. In doing so, they're able to lend more money, and at lower interest rates, than they'd be able to do otherwise.

    I'm not arguing that there aren't loads of ways that Equifax et al could improve their business habits. Of course there are. But without these agencies, lenders would have a more difficult time gauging credit-worthiness, and that would mean it would be harder and more expensive for each of us to get a loan. And that, my friend, is the "benefit" provided to us.

  10. credential theft by epine · · Score: 5, Insightful

    It will be very hard to top this. In this case we have half of a population with personal info detailed enough to effectively steal identity in multiple ways ...

    Hackers aren't stealing identity, they are stealing credentials (so as to assume an identity, if the world makes this easy for them to pull off).

    Institutions want to pretend that credentials = identity, so that if they give your money to the wrong person, it's your fault (your identity was stolen, what else could we do?) rather than their fault (their chosen system of credentials sprung a leak, causing them to misidentify some loser as the real customer).

    Finally, a big enough leak that maybe some people will begin to comprehend the distinction here.

  11. Yes, regulation CAN solve this by rbrander · · Score: 4, Insightful

    ...not perfectly, of course. A previous poster is correct that no system is perfect. But systems that are well-regulated can be pretty good. The airline industry used to drop planes as frequently as we hear about major data-breaches today: like every month. Now it's less than one per year, despite travel having increased over 10 fold.

    We could be hearing about 1/100th as many data-breaches, as well. A bunch of financial services would get a little more expensive, but only a little, just like airline fares have not gone out of sight - they didn't even go out of sight after 9/11 when new regulations made flying more expensive. Just not much.

    This company has NO reason to spend more money on security next year. Why would they? The actual financial consequences of this event are really quite minor for them. No fines, no lawsuits, and almost no compensation. (The "year of monitoring" will cost about as much as a coffee for each of the 1% that sign up for it.)

    If Corporate Death Penalty were the consequence of an event like this, you'd see OpenBSD web sites with custom web servers written to only provide the application; you'd see humans paid to monitor the logs in real time, and more humans to watch them. You'd see the difference between how civilians do things and how the military do things, not caring that they spend a hundred dollars where a civilian would spend five. And you'd see some real results. Right now, failure is not just an option, it's the cheaper one.

    People prattling on about how "nothing could have prevented this" are exactly like those who said the same about the Titanic - until new regulations that were "utterly unaffordable" the day before Titanic were suddenly gospel: double-hulls were very expensive, watertight compartments that go 20ft above water line, enough lifeboats for everybody, 7x24 ice patrols, 7x24 wireless monitoring on every ship. All of that was "impossible" the day before Titanic. The security equivalent is still "impossible" here, because there is essentially no penalty for failure.

  12. Equifax Chief Security Officer unqualified by phalse+phace · · Score: 4, Interesting

    Looks like Equifax's Chief Security Officer Susan Mauldin is unqualified for her position. She doesn't seem to have the necessary education or experience.

    You could go to her LinkedIn profile to check yourself. Only problem is she deleted it.

    https://www.linkedin.com/in/susan-mauldin-93069a

    Thankfully, someone did a screen capture: http://i.imgur.com/QiXX3it.jpg