Government Officials Begin Investigating Equifax Breach (thehill.com)
An anonymous reader quotes the Hill:
The massive breach of credit rating firm Equifax is attracting scrutiny from government officials across the country. Lawmakers from both parties have expressed concern over the hack, which could have left vulnerable sensitive personal information for as many as 143 million people. The New York, Pennsylvania and Illinois attorneys general have announced formal investigations into the hack...
The Senate Commerce Committee announced on Thursday that it sent a letter to Equifax seeking answers about the extent of the breach and what Equifax is doing to mitigate its impact. In the House, Financial Services Committee Chairman Jeb Hensarling (R-Texas) said that his committee would hold a hearing on the hacks at a to-be-determined date. Hensarling noted in a statement that such breaches are becoming "too common" and that consumers "deserve answers." House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) said that his committee would hold a separate hearing on the matter as well.
that they will find something and some one (or group) who held accountable of the breach. Though, often times, this kind of investigation is just a political stunt to show constituents that they have done something. Nothing will be found, done, or changed according to the history...
Your elected officials in action, folks.
SJW: Someone who has run out of real oppression, and has to fake it.
Has anyone seen an explanation of what occurred? Was it a remote hack or inside job?
by big government!
So their breach just put the entire population at significantly increased risk of identity theft. There definitely should be consequences and the government is the only recourse the consumers have since they are not direct customers of Equifax, nor will anyone ever be able to prove their identity theft was directly due to Equifax's breach, so they cannot individually sue Equifax.
Maybe the fines should be whatever it costs to re-issue new social security (or social insurance in Canada) numbers to everyone, including costs of managing the transition. Yea, I know this may sink Equifax as a company, so be it - lesson for the other guys to secure the data or maybe to not collect it in the first place. Maybe there is such a thing as too dangerous to collect and keep in one company. Kind of like banks and companies that are too big to fail.
Let's hope some senators and congressmen are affected, then something might actually happen!
Of course, that means probably 90% or so of everyone reading this would be unemployable because they can't write secure code...
Are we sure it was ONLY US data/personal information that was leaked?
Personally I would not be in any way surprised if it's uncovered in a few weeks' time that personal information from other countries was also in the leak.
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
I just click here and my banking is done. I just click here and I bought that new iPad. And I just click here and ... Hey! where'd all my money go?
Instead of going after people like Love and giving them sentences longer than murderers. Maybe a Computer Fraud Act for Companies where they get similar penalties where the board members really suffer instead of giving the company a slap on the wrist.
Yes, but they've promised to follow up with an extremely harshly worded letter, if necessary.
After that, they'll FINE them! And to figure out the fine, they take the budget for the toilet paper and use that. So, Equifax - a multibillion dollar company may get fined a *gasp* couple of million dollars, release some public statement - but admitting wrongdoing - that they accept the judgement of whatever agency is responsible.
Or do what JP Morgan does every time they break the law and the CFPB fines them - "Yawn. Whatever. Our shareholders pay for it."
Because they are going to steal your identity. It will happen numerous times in your life. It may become a once a year thing. So fuck it. Let them have an identity no one would pay for. If you think about that for a moment, while fully understanding the big picture, you'll understand why this could be a potential permanent fix to the problem.
We read daily that the internet functions on our data. We hear constantly, "we are the products, our data is the product."
We are going to hear a million reasons why now this data isn't so valuable. We already see their attempt to flush everyone their "credit monitoring" sham. No one can sue the company in any meaningful way. There are no real remedies that exist for really anyone.
We all do a huge portion of our business online. This hack hits at the true heart of the internet, if we can't figure out who is who, you can not make a transaction. Our internet identities are a very real extension of our physical identities.
This reeks of every single issue that we all see today, from Terms of Service being forced onto folks, one sided contracts that only favor a large company we are forced to deal with whether you want to or not, companies using and selling our data that we have nothing to do with. We are just a commodity, and this really should make everyone feel exactly that.
At what point is having part of us sold and traded ok? Is this where we find out?
Hypocrisy is about to rain down hard. We will not see any meaningful change. We will see all of these folks tell us that in essence, while we can be arrested and profiled online, that our personal data that is essentially "who we are" online, doesn't have the same protections as our person.
...Is congress needs to pass legislation that gives a process to people that allows them to collect damages from lenders that lend to criminals. Such a process needs to burden the lender with proving a debtor owes this money, and that it was actually they who requested such a loan. If they cannot, then if they attempt to collect on such a debt, they can be liable for damages. Probably not a large sum, possibly just a (small) percentage of the loan they gave away to the crook. Of course more aggravated attempts might warrant larger sums. Much such a process require that the fiscal institution cannot collect and store. So that each application must be independently vetted, each time.
Some side effects: More stringent identification taken to link documents to people. Loan processes taking much longer, and people who cannot vet themselves to an institution's satisfaction not receiving loans. An entire new system of vendors and providers revolving around biometric verification. Also, higher loan rates because they will pass these costs onto the consumer. Less loans in total.
"...whenever any Form of Government becomes destructive...it is the Right of the People to alter or to abolish it..."
Why does nothing on this fucking website work properly. What is this ridiculous "Load All Comments" and "3 full" and "97 abbreviated" ?
I'm just sayin this place used to be fun. Now *thumbsdown*
Then all my info would be irrelevant to steal, unless they steal the phone, but you will notice it right away. Let's move to the 21st century.
This is a real golden opportunity to finally rebalance the exposure to risk that amassing large data stores creates. Right now all of the risk is on the subject (you) of the databases and there's almost no liability for the database holder. Their only liability comes from public good will, not financial liability.
The best possible outcome in this case is to sue Equifax out of existence. This particular instance is a gift in the sense that Equifax disappearing would not harm society at all since its functions are handled redundantly and competitively by two other companies. Anything short of annihilating the company is too little.
The reason is those two other companies, and by extension all database holders, need to be on notice that they will suffer financial liability, not just good-will liability.
To understand the status quo better, and to see why this case in particular makes extinction the ideal remedy, look at how every data breach to date has been handled in the past.
There's two ways to deal with data breaches:
1. Credit freeze. (prevents credit accounts from being opened by denying credit reports to inquiring creditors).
2. Credit monitoring (they let you know after the fact that your credit just got robbed).
The latter is nearly free to implement but has almost no value to the injured consumer. The former, the credit freeze, actually fixes the problem, puts power in the hands of the consumer but has the downside that it costs lots of money to implement. (the reason one has to pay for this is because the data base companies make money when they hand over your credit report to an inquiring creditor. If they can't hand it over they can't make any money off your data. Ergo, you have to pay them instead.)
No one ever offers the Credit Freeze because it's expensive. In this particular case the company that would pay for the credit freeze is actually the one that makes money off these credit freezes and could not make any money if they had to freeze all of the accounts. They might as well not even exist as a company if 100% of their accounts had credit freezes.
Thus the proper remedy here is to require them, via class action lawsuits, to require credit freezes on 100% of the accounts. Even without extracting damage payments, this would likely cut their profits massively. And if they had to also pay the other two credit agencies for your credit freeze then they would have negative earnings. They would cease to exist without any tort penalties.
This would be the perfect outcome for consumers and do no damage to our credit system.
Some drink at the fountain of knowledge. Others just gargle.
I toss this out for general discussion. Given the already reported class-action suits filed against Equifax, is the company a walking dead entity? And this does not include untold individual lawsuits which will also be filed.
Conservative, mod down for violating
The breach happened end of July; why is this investigation just now getting in gear?
It finally hit home and some congresscritters were affected by the fallout.
Good.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Then all my info would be irrelevant to steal, unless they steal the phone, but you will notice it right away.
Let's move to the 21st century.
Maybe you have your phone glued to your hand, but a lot of people don't, have no interest in being so phone-bound, and quite a few of them hate the problems with having phones that get lost, stolen, or otherwise non-functional being such an intrinsic part of their ID.
we are the VICTIMS here - stop saying "consumers" we are human beings who had all data scooped up and sold against our will and outside of our control - even Dave Ramsey, the "no debt, no loans, no credit cards ever" guy who claims to have had a "0 credit score with no activity" for 20 years was a victim according to his statements last week on his show.
shut the credit agencies down.
It would be nice to be able to issue an authorisation token with the credit agency and pass that to the institution that wants to search my file. Don't have the token? No search, go away.
"Everybody's naked underneath" -- The Doctor
Yet another example of a massive GOVERNMENT failure being "investigated" by the government! When will we learn that government interference in private industry is to blame for all of these kinds of problems? Let the free market sort this out and we'll never have any problems again. Guaranteed.
Most likely you will notice a stolen phone immediately, while you have NO control whatsoever on your identity as of now.
Would that be the Equifax breach from April 2013 to January 2014, or the Equifax breach from April 2016 to March 2017, or another one in May 2016, or another one from March 2016 to March 2017, or another one in January 2017, or the most recent one in July 2017?
Now, if SSN is unique, then why do they need all that other information? To protect against a fraudulent credit request or a request without enough information.
Bull. The reason they insist on all that other information is to increase the odds of matching a DB record when negative credit information is reported. It's entirely for the protection of their customers and not at all for the protection of their livestock .. uh, I mean 'consumers'.
It does my heart good to see that our flippant, do nothing congress is looking into this.
Nothing will happen. Fuck this world
plus the fact that there are areas of the country with no cells within range, as I discovered earlier this year while in New Mexico, and I'm using Verizon.
But everyone's equally at risk. So no one is more at risk than the rest.
The massive breach of [insert] is attracting scrutiny from government officials across the country. Lawmakers from both parties have expressed concern over the hack, which could have left vulnerable sensitive personal information for as many as [insert] million people. The [insert], [insert] and [insert] have announced formal investigations into the hack... The [insert] announced on [insert] that it sent a letter to [insert] seeking answers about the extent of the breach and what [insert] is doing to mitigate its impact. In the House, [insert] Committee Chairman [insert] ld a hearing on the hacks at a to-be-determined date. [insert] noted in a statement that such breaches are becoming "too common" and that [people] "deserve answers." House [insert] and [insert] Committee Chairman [insert] said that [his/her] committee would hold a separate hearing on the matter as well.
You'll notice if the phone is stolen, but not if the SIM is cloned. Attacks of this nature have been seen in the wild, which is why using a phone as the second factor in 2FA is no longer recommended procedure.
I am TheRaven on Soylent News
That is why they want to lend first and ask questions later. If we put the onus on the lenders to prove that they actually lent money to the right party before they can initiate collection proceedings, it would fix lots of problems. The lenders will have the incentive to make sure the borrowers are really what they claim to be. Else they lose money.
In USA banks can lend to any Tom Dick or Harry claiming to be 142Mandak262Jamuna. Now 142Mandak262Jamuna has to prove he/she did not borrow the money. This is not how lending is done anywhere else in the world. If banks come dunning for money, I should simply be able to say, "Prove it, prove you lent money to me." They have to produce actual documentation showing it was me who took the loan.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I don't care if I get a dime. If the lawyers get it all, but we succeed in annihilating Equifax then I will benefit. All future databases will take into account the financial liability they face if they don't do security right. I win from that. It's not a $10 rebate I want.
Some drink at the fountain of knowledge. Others just gargle.
Credit freezes are hilarious when you think about what they mean.
When I have frozen credit, that means that you can't loan me money without first authenticating me and getting my authorization.
So.. what does unfrozen credit mean?
"Believe me!" -- Donald Trump
1. Immediately protect ALL customers by allowing users to lock and unlock their profiles across all the major credit bureaus at ZERO cost to the user.
2. Provide lifelong monitoring of profiles and credit activity at ZERO cost.
3. Investigate the insider trading.
4. Remove protections for Equifax against class action lawsuits for any damages that result.
5. Figure out who the F allowed this to happen. I am betting an insider did it.
Then, establish a CENTRAL system to coordinate credit activity (but, not have the profiles themselves) so that protection of one's credit is a very simple process.
So then I'm forced to do business with big telecom to do something like buy a home or auto? They are not exactly top tier data guardians themselves.
The problem here is the massive amount of personal, sensitive, and unchangeable data being hoarded and sloppily housed. Leaking more data is not the answer.
Once you've tied identity to devices, it's on you to both provide, as well as secure those devices.
You don't hear from us much, but many of us choose to not play the mobile-phone data leak game at all. We've made a conscious decision to not do business with mobile carriers. We've decided our personal data is worth more than free email and flash-games. Big telecom is unabashedly evil far and wide, and rotten to the core. They get away with it because people like you are so addicted to your mobile phones that you see it as the answer to everything. You let these companies convince you that you can't function without it.
I'm right in the middle of the home-buying process right now. If I can do this without a mobile, I can do anything without a mobile.
I spent 3 years cleaning up my credit in preparation. Equifax is the only one that fights me on removing inaccurate and expired info from my report. It's already cost me untold amounts of time and money, and over the next 30 years it's going to cost me tens of thousands of dollars in additional interest. If I could just not do business with them, I would. Unfortunately, this is not an option. I hope they burn.
I buy a burner when I absolutely must have a phone number (legal trouble, moving, travelling) otherwise, Don't call me, I'll call you.
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
You could have just not posted and remained invisible. Wouldn't that have been nice for all of us?
If you can't secure it, don't store it.
agreement to resolve all disputes by binding arbitration. http://www.equifax.com/terms/
While Equifax has appeared to walk away from that statement via a FAQ --- the legal agreement, the one you agree to, still appears to require you to give up your right to sue if you use the service that checks whether or not you were affected by Equifax's security breach.
“We have this category that Equifax calls unhandled malware, [with] which traditional security approaches haven’t been very helpful. Putting in FireEye has really helped us detect this unhandled malware, then gives us the capability to take action to stay secure.” Tony Spinelli, SVP and CSO of Equifax
An email address that I used ONLY for Equifax started getting spammed in 2011. They were breached back then. I contacted their customer service to report it and their response was that I needed to contact my email provider to check my spam settings.
I found this email I got interesting - it points to some things about the Equifax breach.
---Email-----
Based upon the tremendous amount of publicity surrounding the recent data breach at Equifax, as stewards of the Central Repository we felt it was important to share our perspective on the matter:
Apache Struts: Apache Struts is a popular open-source and free Model-View-Controller (MVC) framework for Java. It is developed and maintained by an active and highly responsible community of volunteer contributors. The Apache Struts project has a long and well documented history of securing, hardening, and maintaining the software that it produces.
Struts Vulnerabilities: Last week the Apache Struts project team disclosed to the world two different critical vulnerabilities in Struts2 that would expose applications to remote execution of code and enable direct access to customer-critical data. In both cases, and in keeping with their long standing practice, the Apache Struts team made fixes available prior to publicly disclosing the vulnerabilities.
Equifax Breach Disclosed: Separately, Equifax announced last week that it had suffered a massive security breach that exposed sensitive information, such as Social Security numbers and addresses, of up to 143 million Americans. Equifax said the breach happened between mid-May and July 2017. It discovered the hack on July 29. It informed the public on September 7, and reports suggest that a security vulnerability in Apache Struts was the cause of the breach.
At Sonatype, we don't pretend to know for certain what happened at Equifax. We do know that Apache Struts has a tremendous track record for finding security vulnerabilities and making fixes available in a timely manner. Organizations such as Equifax who leverage open source to accelerate innovation are themselves responsible for practicing appropriate hygiene in a timely manner when fixes for vulnerabilities are made available. For far too long, businesses have relied on network-based cybersecurity tools to defend the perimeter of the organization. Recent events at Equifax serve as a stark reminder that perimeter defenses by themselves are insufficient to protect critical data when in fact hackers are increasingly attacking vulnerabilities that exist in the application layer. 80% to 90% of every modern application consists of open source components. Therefore, in order to avoid unnecessary risk, organizations MUST automatically and continuously govern the quality of open source components and third-party libraries within their software supply chains. To ignore this problem anymore is simply negligent.
Sincerely,
Team Sonatype
The Truth is a Virus!!!
Now, about those state databases containing information about everyone's prescription drugs -- will they have the same level of security that Equifax had?
My guess: no.
There's no time like the present. Well, the past used to be.
Honestly curious: why has this raised so much more ire than, for example, another recent huge leak of data on 200 million Americans by the RNC, which included "modeled voter ethnicities and religions"? https://www.upguard.com/breach...