Slashdot Mirror


Government Officials Begin Investigating Equifax Breach (thehill.com)

An anonymous reader quotes the Hill: The massive breach of credit rating firm Equifax is attracting scrutiny from government officials across the country. Lawmakers from both parties have expressed concern over the hack, which could have left vulnerable sensitive personal information for as many as 143 million people. The New York, Pennsylvania and Illinois attorneys general have announced formal investigations into the hack...

The Senate Commerce Committee announced on Thursday that it sent a letter to Equifax seeking answers about the extent of the breach and what Equifax is doing to mitigate its impact. In the House, Financial Services Committee Chairman Jeb Hensarling (R-Texas) said that his committee would hold a hearing on the hacks at a to-be-determined date. Hensarling noted in a statement that such breaches are becoming "too common" and that consumers "deserve answers." House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) said that his committee would hold a separate hearing on the matter as well.

11 of 142 comments

  1. Re:And I hope but don't hold my breath by Anonymous Coward · · Score: 5, Funny

    Someone needs to get their hands on the dataset and start applying for credit cards for each and every member of congress. Repeatedly. It sure couldn't hurt things.

  2. Isn't 143M basically all adults in America? by misnohmer · · Score: 5, Insightful

    So their breach just put the entire population at significantly increased risk of identity theft. There definitely should be consequences, and the government is the only recourse the consumers have, since they are not direct customers of Equifax, nor will anyone ever be able to prove their identity theft was directly due to Equifax's breach, so they cannot individually sue Equifax.

    Maybe the fines should be whatever it costs to re-issue new social security (or social insurance in Canada) numbers to everyone, including costs of managing the transition. Yeah, I know this may sink Equifax as a company, so be it - a lesson for the other guys to secure the data or maybe to not collect it in the first place. Maybe there is such a thing as too dangerous to collect and keep in one company. Kind of like banks and companies that are too big to fail.

    1. Re:Isn't 143M basically all adults in America? by DarkOx · · Score: 5, Interesting

      I don't know that it has. Whoever stole the data isn't going to just dump it online; they are going to sell it. Eventually it will all leak, but not before much of it is quite stale.

      Most people STILL don't realize this but anyone who works for a company with a subscription to any of the private investigative services could pretty much get all this information inside of 30 seconds. Not everyone is in the pay-for-use-databases but most are. I don't know if I have ever had a search come back empty.

      The reality is this information was already out there on almost everyone; this will be just one more source. Maybe a price a little more attractive to the ne'er-do-wells, but I predict a minor blip in increased ID theft at most.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Isn't 143M basically all adults in America? by coofercat · · Score: 5, Interesting

      I worked for a financially-regulated place here in the UK and every once in a while you'd hear "that sort of f-up could see us lose our license" (and so stuff didn't happen) - exactly what the regulator intended (and for the most part, it seemed like a good outcome, from what I could tell).

      In the case of Equifax in the US - why do they need SSNs? I presume it's a way to differentiate Jim Kirk from New York and Jim Kirk from Boston. I don't imagine they ever actually have a need to use the SSN with someone else (right?). In which case, they could have simply hashed the SSN on receipt and stored the hash. Right now, they'd still be in a world of trouble, but a lot less than they actually are (and could arguably have been a smaller target).

      I guess what I'm asking is what could (really) cause such an incredible failure of judgement/execution on their part? Even the US's relatively slack laws on data protection would at least make hashing SSNs something you might at least think about, don't they?

      Whilst I agree that some major sanctions against companies doing this sort of thing are definitely in order (here, the US might do well to look to the EU or Singapore for some ideas), will that actually solve the real, core, underlying issue that let this happen in the first place, or will it just throw a couple of extra firewalls on the network for "due diligence" and leave the same crappy implementation choices in the systems that actually run the show?
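The "hash the SSN on receipt and store only the hash" design raised in the comment above, as an added example that is not code from the original post or from Equifax. It assumes a keyed hash (HMAC-SHA256) with a secret key held outside the database, because a 9-digit SSN has only about 10^9 possible values and an unkeyed hash of it can be inverted by simple enumeration; the key, sample names and SSN-shaped values are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo key (hypothetical). In a real deployment the key is generated
# in and served by an HSM/KMS and is never stored alongside the token table:
# without the key a stolen token table reveals nothing, and a rotated key simply
# means re-deriving tokens from the source records.
DEMO_KEY = bytes.fromhex("5e" * 32)

_SSN_RE = re.compile(r"^\d{9}$")


def normalize_ssn(raw: str) -> str:
    """Canonicalise an SSN so '123-45-6789' and '123 45 6789' map to one token."""
    digits = re.sub(r"[\s-]", "", raw)
    if not _SSN_RE.match(digits):
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(raw: str, key: bytes = DEMO_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) stored in place of the SSN itself."""
    return hmac.new(key, normalize_ssn(raw).encode("ascii"), hashlib.sha256).hexdigest()


def tokens_match(token_a: str, token_b: str) -> bool:
    """Constant-time comparison so record lookups do not leak via timing."""
    return hmac.compare_digest(token_a, token_b)


def link_records(records, key: bytes = DEMO_KEY):
    """Group records by SSN token: the 'which Jim Kirk is this' matching use case."""
    groups = {}
    for rec in records:
        groups.setdefault(ssn_token(rec["ssn"], key), []).append(rec["name"])
    return groups


# Constructed sample records (fictitious names, placeholder SSN-shaped values).
SAMPLE_RECORDS = [
    {"name": "Jim Kirk (New York)", "ssn": "123-45-6789"},
    {"name": "Jim Kirk (Boston)", "ssn": "987-65-4321"},
    {"name": "J. Kirk", "ssn": "123456789"},
]

if __name__ == "__main__":
    for tok, names in link_records(SAMPLE_RECORDS).items():
        print(tok[:16], "...", names)
```

The two "Jim Kirk" records with the same underlying number collapse onto one token, while the token itself is useless to anyone who holds the table but not the key.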

  3. Re:And I hope but don't hold my breath by hawkinspeter · · Score: 5, Interesting

    What about all the insider trading? The Execs dumped loads of their stock before worrying about contacting anyone that might be affected by this.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  4. Re:Quick question... by richy+freeway · · Score: 5, Informative
  5. Re:Details of breach? by hord · · Score: 5, Informative

    From what few details I have gathered it was an attack on Apache Struts that allowed the attackers to siphon data slowly over a period of time. I haven't seen any verified information about encryption or what was actually copied. My own personal speculation is the attacker got plain-text personal data that leaked out of some API.

  6. Put them out of business by goombah99 · · Score: 5, Informative

    This is a real golden opportunity to finally rebalance the exposure to risk that amassing large data stores creates. Right now all of the risk is on the subject (you) of the databases and there's almost no liability for the database holder. Their only liability comes from public good will, not financial liability.

    The best possible outcome in this case is to sue Equifax out of existence. This particular instance is a gift in the sense that Equifax disappearing would not harm society at all, since its functions are handled redundantly and competitively by two other companies. Anything short of annihilating the company is too little.

    The reason is those two other companies, and by extension all database holders, need to be on notice that they will suffer financial liability, not just good-will liability.

    To understand the status quo better, and to see why this case in particular makes extinction the ideal remedy, look at how every data breach to date has been handled.

    There are two ways to deal with data breaches:
    1. Credit freeze (prevents credit accounts from being opened by denying credit reports to inquiring creditors).
    2. Credit monitoring (they let you know after the fact that your credit just got robbed).

    The latter is nearly free to implement but has almost no value to the injured consumer. The former, the credit freeze, actually fixes the problem and puts power in the hands of the consumer, but has the downside that it costs lots of money to implement. (The reason one has to pay for this is because the database companies make money when they hand over your credit report to an inquiring creditor. If they can't hand it over they can't make any money off your data. Ergo, you have to pay them instead.)

    No one ever offers the credit freeze because it's expensive. In this particular case the company that would pay for the credit freeze is actually the one that makes money off these credit freezes and could not make any money if they had to freeze all of the accounts. They might as well not even exist as a company if 100% of their accounts had credit freezes.

    Thus the proper remedy here is to require them, via class action lawsuits, to require credit freezes on 100% of the accounts. Even without extracting damage payments, this would likely cut their profits massively. And if they had to also pay the other two credit agencies for your credit freeze then they would have negative earnings. They would cease to exist without any tort penalties.

    This would be the perfect outcome for consumers and do no damage to our credit system.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  7. Re:And I hope but don't hold my breath by MitchDev · · Score: 5, Insightful

    Don't forget most of these government officials have had THEIR data exposed by the breach, otherwise they wouldn't give two sharts about the rest of us....

  8. Oh goodie... by CharlesAKAChuck · · Score: 5, Informative

    Would that be the Equifax breach from April 2013 to January 2014, or the Equifax breach from April 2016 to March 2017, or another one in May 2016, or another one from March 2016 to March 2017, or another one in January 2017, or the most recent one in July 2017?

  9. You still win either way by goombah99 · · Score: 5, Insightful

    I don't care if I get a dime. If the lawyers get it all, but we succeed in annihilating Equifax, then I will benefit. All future databases will take into account the financial liability they face if they don't do security right. I win from that. It's not a $10 rebate I want.

    --
    Some drink at the fountain of knowledge. Others just gargle.