Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com)

Posted by msmash on from the massive-implications dept.

The breach Equifax reported Thursday is very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.

UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.

8 of 401 comments (clear)

  1. That's it. I'm done with Equifax by Anonymous Coward · · Score: 5, Funny

    Oh wait.

    1. Re: That's it. I'm done with Equifax by Anonymous Coward · · Score: 5, Insightful

      Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily effect major life events (e.g., home purchaes).

      They make money from using our information, provide little benefit to us, and hold almost no accountability when they're wrong but can and often do horribly effect consumers lives based on data they provide--even when it's inaccurate.

  2. Give it time. by penandpaper · · Score: 5, Insightful

    Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever so far.

  3. Send 'em to jail by Anonymous Coward · · Score: 5, Informative

    The equifax executives apparently sold stock immediately after learning of the breach. Jail them all for incompetence _and_ insider trading.

  4. Hopefully this will be the end of equifax by damn_registrars · · Score: 5, Insightful

    That company is rotten to the core. They have far too much power over our lives and very near zero accountability for how they handle that power. Allowing those hacks to decide how credit worthy someone is could be one of the worst ideas of the 20th century, and we have unfortunately held on to that terrible idea into the 21st century as well.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  5. It's time for regulation. Sorry to say it. by Opportunist · · Score: 5, Insightful

    We have PCI-DSS for companies that deal with credit card information. Why not for companies that store even more sensitive information that potentially allows a criminal to pretty much take over my life by essentially stealing my identity?

    The damage here is way more serious than ANYTHING the loss of a million credit card numbers could mean. Could it be that it's just us that have to foot the bill instead of Visa and Mastercard?

    No, that can't be. Government represents the people, right?

    Fuckers, I hope some Supreme Court judge alongside of a few congresscritters get hit badly with this breach. I usually don't wish bad things to happen to anyone, but I really hope that one of them has their identity stolen, their credit rating trashed and their life basically ruined by this hack.

    Because ONLY then we'll FINALLY see something happen.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Yay, more free credit monitoring fo rme. :-) by ErichTheRed · · Score: 5, Insightful

    Equifax and the 2 other credit bureaus have a ton of non-credit related information on consumers as well. It will be interesting to see what else was not reported as part of the breach.

    I'm going to sound like an old fart, but a lot of these "cyberattacks" end up being down to a very dumb misconfiguration like leaving FTP open, failure to patch security holes, and things like leaving data on unprotected public cloud storage. Part of my job is being a technical mentor to some of our more junior staff, and what I'm seeing is a lot of developers and CS people who really don't know the guts of how IT works. I'm not saying people should go back to punch cards and assembler, but having some clue about TCP/IP, DNS, what an open port on a server means, how a firewall works, etc. would go a long way to preventing some of the dumber things I've seen. Most of this is very much abstracted, and in a "cloud-first" world it's even more so. The network is just assumed to work underneath everything else, and i think this is where a lot of the misconfiguration problems get missed.

    We may or may not see what actually happened. It could have been some state-sponsored hacking group planning a painstaking attack requiring intimate knowledge of everything. But knowing what I know about corporate IT, it was most likely some lowest-bidder contractor being forced to pull another 12-hour shift and missing something. Until companies have to actually pay for these issues, all we're going to get is "free credit monitoring" for a year, which costs them nothing, and _maybe_ we'll get a check for 11 cents from a class action lawsuit 20 years from now when it winds its way through the system.

  7. credential theft by epine · · Score: 5, Insightful

    It will be very hard to top this. In this case we have half of a population with personal info detailed enough to effectively steal identity in multiple ways ...

    Hackers aren't stealing identity, they are stealing credentials (so as so assume an identity, if the world makes this easy for them to pull off).

    Institutions want to pretend that credentials = identity, so that if they give your money to the wrong person, it's your fault (your identity was stolen, what else could we do?) rather than their fault (their chosen system of credentials sprung a leak, causing them to misidentify some loser as the real customer).

    Finally, a big enough leak that maybe some people will begin to comprehend the distinction here.