Slashdot Mirror


Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com)

Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report: Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.

90 comments

  1. Silver Lining by Anonymous Coward · · Score: 2, Insightful

    Maybe this will make people stop being so dependent on debt. Then perhaps the price of things will go down since no one will finance them any longer. Then maybe we'll see the banksters starving in the gutter.

    1. Re:Silver Lining by newcastlejon · · Score: 4, Insightful

      Then maybe we'll see the banksters starving in the gutter.

      "When banks fail, it is seldom bankers who starve."

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.
    2. Re:Silver Lining by MichaelJamesBattagli · · Score: 3, Informative

      Yea... you must either be a millionaire or not own a home.

    3. Re:Silver Lining by Anonymous Coward · · Score: 0

      Uh huh. Since the average selling price of a house is over $200,000. I'm sure lots of folks have that cash lying around or will save up enough by the time they are dead.

      Or - were you selling one of those get out of debt schemes. Your profile is suspicious to me.

    4. Re:Silver Lining by bobbied · · Score: 3, Insightful

      Maybe this will make people stop being so dependent on debt. Then perhaps the price of things will go down since no one will finance them any longer. Then maybe we'll see the banksters starving in the gutter.

      You do realize that credit reporting is done for more life events than those related to debt right?

      You want a cell phone and don't use a prepaid one? Likely a credit check and monthly reports about your account...

      You open an account with the local electric company? Credit check, and likely ongoing reports..

      Open a checking or savings account? Brokerage account? 401k/IRA?

      You simply are NOT going to get away with not having your data show up at one of the big three unless you live a very unconventional life, only accept or spend cash and never do any one of the things we usually take for granted in today's world.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    5. Re: Silver Lining by Anonymous Coward · · Score: 1

      And are you aware that these companies prey on people through the use of 'credit' systems? No way to opt out, no way to protect yourself, and corporations have all the cards, as usual.

      This should be treated like a monopoly and completely broken up. Who cares that people can't buy $200k houses they can't afford? The market will adapt or it will die, plain and simple.

      Debt is modern slavery and only brings negative things to your life.

    6. Re:Silver Lining by Anonymous Coward · · Score: 0

      So true. Our congress people will use the taxpayers' checkbook to bail out the bankers over and over and over and over... because they all went to the same school and fraternity... or sorority ...

    7. Re: Silver Lining by orlanz · · Score: 3, Insightful

      Debt is modern slavery

      A 100 years ago, this was quite true, and it still is in many parts of the world. People always have needed loans. Savings are quite difficult to secure. The more you have the more bad actors target you. So people took loans for that cow, bike, education, or house. But back then, that debt passed on to your children. It wasn't unusual to have the grandfather build a house and the grandchildren pay it off.

      The interest you got charged was based on who you knew and what collateral you had. Gold, silver, daughters, etc. The lender many times basically owned your family. Those without connections or collateral had to beg or got no loans. They could never climb up in society.

      The modern Credit System, even with all its faults, is phenomenal and quite far from your statement. It allows strangers to partially assess the risk of an investment in the other. Additionally, the debt doesn't pass on to others. The failure of the investment is shared by only all parties to the deal. This allows for greater investments and returns in society. The only figurative chains of slavery are the ones self-imposed.

      As for cheaper houses. Sure without lending, houses would be cheaper but they would be smaller too with less features. If you want, you can still build your own 1950's 1000 sqft ranch home on 1/2 an acre of unincorporated land in less than 6 months for under $50k.

    8. Re:Silver Lining by Anonymous Coward · · Score: 0

      Question for your congressman: Equifax is offering free credit monitoring for X months. Since social security numbers and birth dates do not expire, what is Equifax going to do to protect me for the 50+ years of my expected lifespan?

      Question 2: How can Equifax be allowed to remain in business after such a threat to the country's economy?

      Question 3: How can one of Equifax's competitors be allowed to buy the contaminated data of Equifax (or buy Equifax)?

      Question 4: Where is the law allowing persons with compromised credit data to individually sue and collect $2500.00 -plus attorney & court costs per occurrence of stolen credit data, SS#, medical data, ...?

    9. Re: Silver Lining by MightyMartian · · Score: 1

      Debt makes the world go around, and has for thousands of years.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    10. Re:Silver Lining by Anonymous Coward · · Score: 0

      "When banks fail, it is seldom bankers who starve."

      I'd settle for the CEOs that did massive stock sales just days before the reveal getting jail time now.

      If the hack happened 5 months before they disclosed it, and the stock selling happened right before they came clean about it, there's no WAY those fuckers sold millions of dollars of stock without former knowledge of what was going on. It's just not possible.

      Put another way, if they WERE ignorant of them investigating a hack of their systems for almost half a fucking year, they are in no way shape or form fit for their jobs and should be fired immediately without their damned golden parachutes.

    11. Re: Silver Lining by Cederic · · Score: 1

      these companies prey on people through the use of 'credit' systems

      How, exactly?

      Seriously, I'm properly curious here. How do they prey on people?

    12. Re:Silver Lining by schleimkeim · · Score: 1

      Or you could just move to a country that isn't owned by corporations.

    13. Re:Silver Lining by nedlohs · · Score: 1

      "when banks fail" is using the term of art "bank failure" which is completely different from and unrelated to banks going out of business due to lack of buyers for their services.

    14. Re:Silver Lining by Anonymous Coward · · Score: 0

      You're aware the last bailouts were repaid with interest, right?

    15. Re:Silver Lining by bobbied · · Score: 1

      By all means move.... Enjoy living in the third world...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    16. Re: Silver Lining by sdinfoserv · · Score: 1

      1/2 an acre of unincorporated land within driving distance of Seattle (within 40 miles - yes, 2 hours driving) is worth $500K-$1m, depending how close to water you are.

    17. Re:Silver Lining by Anonymous Coward · · Score: 0

      Question 5: Why is there more than one credit rating organization?

    18. Re: Silver Lining by orlanz · · Score: 1

      And land within Seattle or New York or Washington DC are far far more than that... What is your point? There is a lot of demand for land close to most cities... let alone major ones like Seattle. Even places like Hyderabad, London, Sydney, Hong Kong, and Singapore are higher than that. You need to go much further out to places where the land is ~$10k per acre to build something for less than $50k.

    19. Re: Silver Lining by Anonymous Coward · · Score: 0

      Don't live in a shithole like that then.

    20. Re: Silver Lining by Anonymous Coward · · Score: 0

      Are you fucking kidding me? If it isn't obvious then please do some googling. The credit business is ultra shady. The fact that you have 0 clue about it is very telling.

    21. Re: Silver Lining by sdinfoserv · · Score: 1

      sure thing bud, live where land is cheap because wages are minuscule. If you're a programmer making $40K per year in the Midwest vs a programmer making $130K on one of the coasts and you're saving 15%......
      At the end of the road - programmers on the coasts can afford to live anywhere while the one making jack wages is stuck exactly in nowhere , forever.

  2. Told you CSO was competent by Anonymous Coward · · Score: 0

    She spotted and stopped the first breach like a pro.

    1. Re:Told you CSO was competent by Anonymous Coward · · Score: 0

      Still not sure if not qualified. Need more info.

    2. Re: Told you CSO was competent by Anonymous Coward · · Score: 0

      Whoosh.

    3. Re: Told you CSO was competent by Anonymous Coward · · Score: 0

      Yeah, "bring some contractors in, we don't know what to do" that's the most professional response these days. As expected from Diversity CSO.

  3. Insider Trader It Is by Anonymous Coward · · Score: 0

    March breach -> Mandiant wrap up in May -> July breach -> August stock sales -> September public announcement

  4. Missing e-mails the next breaking story? by deviated_prevert · · Score: 0, Troll

    If the music major that they hired has any IT smarts the chain of e-mails about the hacks to the execs that are now under investigation for insider trading will somehow have been magically deleted by the hackers. If the antitrust investigation does not get immediate complete access to all the company records then we know that the whole investigation is a sham. I would not at all be surprised if equifux has enough political clout to pull off a white(house)wash job. Then again losing e-mails is a non event except that it can cause some to lose elections if the hacked group of e-mails are suddenly found and leaked. Wouldn't it be HILLARYous if Donald's real financial status and dealings were amongst the data stolen and then leaked from the equifax DB but the emails and communication chain of the execs were nowhere to be found?

    What is even more pertinent is who the hell hacked them and more to the point why? Stay tuned and get the pop corn ready slashdotters! The shit is about to hit the fan and most likely some people in Washington are going to be quacking loudly and swimming for cover.

    --
    This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    1. Re: Missing e-mails the next breaking story? by Anonymous Coward · · Score: 0

      Never never never document your illegal behavior. You are just making someone else's job easier.

    2. Re:Missing e-mails the next breaking story? by Aighearach · · Score: 1

      No, that's just moronic. If you don't want the records to exist, you have to prevent them from being created. Deleting them afterwards is just another idiot thing that will get you in more trouble.

    3. Re:Missing e-mails the next breaking story? by phantomfive · · Score: 1

      What is even more pertinent is who the hell hacked them and more to the point why?

      It looks like it was just standard hacking that we see going on every time a new exploit gets released. When there's a new exploit, the whole internet gets probed.

      There is a market for this kind of user info, and that's probably where it will get dumped.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Missing e-mails the next breaking story? by Dutch+Gun · · Score: 1

      If the music major had any IT smarts, Equifax wouldn't be in this mess to begin with.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  5. American Express requires Equifax by Anonymous Coward · · Score: 5, Interesting

    By an interesting coincidence, I ended up finally applying for a credit card (after many years of debit card only) - and American Express wanted me to fill out a form that would have the US treasury make all of my tax records available to Equifax. I looked into it a bit more and apparently American Express has this rather heavy handed tactic of picking some of their customers more or less at random, suspending all their accounts, and then holding the accounts hostage until the customers agree to have the treasury release their tax forms to Equifax. In a perfect world, American Express would face some consequences for forcing their customers to give all kinds of detailed and unnecessary financial information to a firm as incompetent and malicious as Equifax.

    1. Re:American Express requires Equifax by Anonymous Coward · · Score: 1

      In a perfect world, nobody would be dumb enough to apply to American Express when credit cards can be obtained elsewhere for much better rates and/or no monthly fees.

    2. Re:American Express requires Equifax by Anonymous Coward · · Score: 0

      Is American Express even a credit card? Last I heard, it was just a "charge card", to be paid in full every month.

    3. Re: American Express requires Equifax by Anonymous Coward · · Score: 0

      You been sleeping since the 80s or something? AMEX has been a credit card for a long time now.

    4. Re:American Express requires Equifax by Anonymous Coward · · Score: 0

      RUN ! don't delay getting away from American Express. They suck.
      Had them many years, used card for business inventory.
      The interest wasn't great but averaged around 9 percent, the economy tanked around 08 and what did they do to help small business?
      They increased interest from 9 to 15.25 percent then cut credit line a lot.
      This was couple months before the xmas shopping season, I couldn't buy product to fill existing orders, had to cancel over 40 percent of existing customer orders.
      Thanks American fucken express... sales tanked over 60 percent that season, not that there wasn't orders,
      But wait... American Express had one more fuck-you-customer to deliver.
      Wanted to use card points for airline tickets but they wouldn't allow points to be used unless I paid off a large part of the existing balance. WTF !
      Never made a late payment in over 20 years, always paid off balance after shopping season, they just didn't give a fuck.

    5. Re:American Express requires Equifax by Cederic · · Score: 0

      The lesson here is: Don't use a credit card for short term business funding.

      I mean, really? That's fucking ludicrous.

    6. Re:American Express requires Equifax by coofercat · · Score: 1

      With those APR rates, you'd have to be seriously stupid to leave money on an amex card. So yeah, it's a charge-card.

    7. Re:American Express requires Equifax by Anonymous Coward · · Score: 0

      You've just described every credit card that's not in an intro APR.

  6. don't get it by kiviQr · · Score: 5, Insightful

    You hire a security firm and at the same time you don't bother to update critical security issue with the software? Did they have an audit or did they just pay $$ for a PCI compliance sticker? How did the audit go - how come it did not reveal issues with too much data being accessible from public subnet? Just too many questions....

    1. Re:don't get it by Anonymous Coward · · Score: 3, Informative

      Did they have an audit or did they just pay $$ for a PCI compliance sticker?

      Virtually every audit I've been a part of in over 20+ years in IT has been a sham. I've worked in hospitals, movie studios, etc. They're all bullshit.

    2. Re:don't get it by Anonymous Coward · · Score: 0

      My guess is that companies don't want to fail audits. So they hire a firm who does nothing except look important and says everything is OK.

    3. Re:don't get it by bravecanadian · · Score: 1

      Did they have an audit or did they just pay $$ for a PCI compliance sticker?

      Virtually every audit I've been a part of in over 20+ years in IT has been a sham. I've worked in hospitals, movie studios, etc. They're all bullshit.

      I agree with this.. it is all about checking off boxes with very little understanding of the big picture or implications.

      I mean, I think audits are better than no oversight at all but not by much.

    4. Re:don't get it by pjw2072 · · Score: 1

      PCI compliance is more about checking a few boxes and has little to do with true security. I recently spoke to the head of security for a fairly large financial company and he told me that PCI compliance created a lot of red tape, but enforced very little security. All of the major companies go through other testing outside of PCI to make sure they're secure. I have no doubt Equifax was fully PCI compliant.

  7. Insider trading, jail for life by Anonymous Coward · · Score: 0

    Personally I think public execution would be a better example for execs everywhere, but jail for life is an acceptable alternative.

    1. Re: Insider trading, jail for life by rholtzjr · · Score: 1

      NO. Life sentences means that we the taxpayers are still on the hook. And they get an all expense paid trip to club fed.

  8. SSN needs to be banned by Anonymous Coward · · Score: 0

    It's time to make it illegal to use Social Security numbers for any purpose other than government usage. The release of SSNs is the real Equifax damage here. There is no need for colleges, banks or hospitals to be using it. Colleges, banks and hospitals managed to function before SSNs came into existence; they can do so again.

    1. Re: SSN needs to be banned by Anonymous Coward · · Score: 0

      Banks need it to track and report your finances to the Federal government. But they could be restricted from using it for anything else.

    2. Re:SSN needs to be banned by jafiwam · · Score: 1

      It's time to make it illegal to use Social Security numbers for any purpose other than government usage. The release of SSNs is the real Equifax damage here. There is no need for colleges, banks or hospitals to be using it. Colleges, banks and hospitals managed to function before SSNs came into existence; they can do so again.

      There's nothing wrong with using the SSN to track who people are, that plus DOB avoids name collisions in data and lets everybody figure out who they are dealing with for sure. Which is a good thing.

      There is A LOT wrong with using the SSN like a password that has to be secret to be useful. Unfortunately there isn't a substitute for it at this time.

      We don't know who has the data yet. The OPM hack was probably Chinese mob or Chinese gov (like they are different) and "wreck some guy's credit by opening credit cards" wasn't the goal. (Strategic military and espionage was the goal.)

      If something similar happened with Equifax, then the data will never come out and instead will be used against a certain select few people.

      On the other hand, if it shows up on bittorrent or something, we'll get a fix to the SSN=password fuckup a lot faster.

      I don't care much. My shit is already out there and I already get free monitoring from the Feds over the OPM hack. I check it once a week.

  9. Has there been any fraud since the hack? by Streetlight · · Score: 3, Interesting

    If the hack was perpetrated five months ago and kept quiet, there has been plenty of time for a great use of the data to be used in enormous amounts of fraud. I haven't heard of such, but may not have listened carefully enough. So, is there really a problem?

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    1. Re:Has there been any fraud since the hack? by SlaveToTheGrind · · Score: 4, Insightful

      If the hack was perpetrated five months ago and kept quiet, there has been plenty of time for a great use of the data to be used in enormous amounts of fraud.

      A few thoughts about that:

      1. High-volume fraud gets you caught. Most criminals dealing in this kind of activity are smart enough to get that.

      2. With the pieces of data leaked here -- names, SSNs, addresses, etc. -- there's not much to go stale. There's actually less incentive for bad guys to use it in the short term, because that's when everyone will be the most vigilant. Better to wait for things to calm down and everyone to become complacent again.

      3. Even if someone disregarded point #1 and went ahead and engaged in some short-term low-volume fraud, it would be hard to separate that signal from the noise of the flow of already-existing fraud. See point #1.

    2. Re:Has there been any fraud since the hack? by Jason+Levine · · Score: 2

      I'd also add:

      4. The criminals who steal the personally identifying information rarely use it. It's too risky. Instead, they'll offer it on various black market sites to other people. So while the hackers might have 100 million+ identities to offer, they might be slowly releasing them for sale and the buyers might be taking their time using them. It's not like the hackers will suddenly open up 100 million credit cards under 100 million people's names.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  10. Credit Freeze by Anonymous Coward · · Score: 3, Interesting

    Tried to do a credit freeze with Equifax on two occasions last week, and got a 500 Error from their server. Credit freezes on the other two of the big three, Experian and Transunion, went well.

    1. Re:Credit Freeze by Anonymous Coward · · Score: 1

      Send a paper letter via USPS certified, return receipt requested. Sample letters from the California Attorney General can be found here:

      https://www.oag.ca.gov/idtheft/facts/freeze-your-credit

      Details may differ for your state.

    2. Re:Credit Freeze by Anonymous Coward · · Score: 0

      Are you afraid to use the phone? Jeez. It's automated, no human interaction.

    3. Re:Credit Freeze by Anonymous Coward · · Score: 0

      Yeah, how's that phone thing working out for you, Sparky?
      I'm sure Equifax is being totally responsive and letting you wrap up the whole thing in a few minutes, right?
      Idiot. There are reasons why grownups want a non-repudiatable paper trail.

  11. Watch out Mandiant by edi_guy · · Score: 2

    I am seeing the development of a narrative where you end up taking the blame. Sort of like BP tried to do with TransOcean.

    1. Re:Watch out Mandiant by zlives · · Score: 1

      it depends on if they gave a stamp of approval or not...

    2. Re: Watch out Mandiant by rholtzjr · · Score: 1

      I am kind of curious WHO was actually performing their day to day operational tasks. Was it their own in-house IT? Did they follow all procedures that SHOULD have prevented this? Was there anything else that could have been done to prevent this?

    3. Re:Watch out Mandiant by phantomfive · · Score: 1

      In fairness, Mandiant as a company probably sucks as badly as many corporate IT security services, and did little to actually help Equifax.

      --
      "First they came for the slanderers and i said nothing."
    4. Re: Watch out Mandiant by Bob+the+Super+Hamste · · Score: 1

      Depends on what procedures they adopted. If it was something like the PCI standard they likely could have followed everything, well except the part about not retaining sensitive information, and still gotten hacked. The PCI standard is the bare minimum that should be followed but is something written for MBA types so it has checkboxes that give you a warm fuzzy feeling. It does offer some protection but there are better standards but these are harder and require actual thought. Also if they were reasonably intelligent they would have implemented some well known system benchmarks but those can be inconvenient for people who want the keys to the kingdom. Given what has happened I would guess they implemented the parts of PCI that didn't deal with personal information and called it a day.

      Personally, even if they were using PCI, I would love to see them get browbeat because there are better standards, such as the US government's NIST Special Publication 800 and/or 1800 series, the NERC CIP standard, the Cybersecurity Procurement Language for Energy Delivery Systems document. If those weren't enough there are other well respected ones out there as well to choose from. If a business, especially a large one, isn't required to be covered by one I would suggest looking at all of them and make rational choices out of each of them. If a business is required to follow one fully implement that but then still pull from the others to go beyond and then get regulators to scrutinize competitors who are lacking.

      --
      Time to offend someone
    5. Re: Watch out Mandiant by rholtzjr · · Score: 1

      I have to agree with you on their approach. They did seem to stop at protecting the consumer information part. But this also points out a glaring deficiency in the US. Maybe they really should look at some regulation similar to HIPAA as this deals with a person's overall well-being, albeit financial and not medical.

  12. Typical unethical US Corporate by sentiblue · · Score: 4, Interesting

    Lies after lies... they simply refuse to do the right thing. My prediction is that lenders will stop using Equifax reports to make lending decisions and there will be a law/legislation to allow customers to request creditors not to report their information to Equifax.... or to any bureau for that purpose.

    1. Re:Typical unethical US Corporate by whoever57 · · Score: 2

      My prediction is that Equifax will heap all the blame on the now former execs and claim that all is now good. It won't be, but that will be the PR position.

      The only real issue now is how aggressive the SEC will be in investigating and prosecuting these former execs.

      I assume that there is some kind of agreement between the execs and Equifax, intended to shield both parties. Whether this works and whether one side decides to renege on the agreement may determine the outcome of any SEC investigation.

      --
      The real "Libtards" are the Libertarians!
    2. Re:Typical unethical US Corporate by Anonymous Coward · · Score: 0

      Posting anon because I've worked in IT in the credit industry and want to stay in the "Don't get any on you" safe space to which I've moved.

      "lenders will stop using Equifax "

      This is too narrow a view.

      There's a whole house of cards built upon the big three credit agencies. There's no scenario where all of the business (think car dealerships, credit card companies, point of sale credit card authorizations, etc.) suddenly decide to cancel multi-million dollar contracts with one of the big three. Sure, they may use it as a chance to bargain a better deal next contract negotiation, but that's all it'll be.

      The thing to keep clear in your minds is that the credit companies do not exist to help us, the consumers, manage or validate our good credit. They exist to help lending companies avoid bad lending scenarios. So they don't much care if people with good credit get shafted as long as the high credit worthiness ratings they give tend to work out for their business partners.

      Credit companies are not about consumer rights, it's about corporate risk limiting. When you realize they see customer efforts to manage their credit as a side-bar nuisance, you begin to understand. Fixing your credit, submitting corrections, cleaning up errors... these are all revenue negative activities that drain resources from selling the data. It costs money to staff and address consumer-rights-centric credit philosophies and they will lobby and dodge and make every effort to avoid those scenarios as much as humanly possible.

      They want to sell data. Private data with incredibly arcane formula. And they want to sell it over and over and over to increase profits. Helping individual consumers, security, infrastructure... these are costs to be avoided as they cut into the bottom line.

    3. Re:Typical unethical US Corporate by Cederic · · Score: 1

      credit companies do not exist to help us, the consumers, manage or validate our good credit. They exist to help lending companies avoid bad lending scenarios

      Turn that around though. A 'bad lending scenario' is one in which a consumer takes on debt that they can't afford, ending up in financial difficulties.

      That's not helping the consumer.

      Some people may be denied access to credit that they can afford but broadly the system benefits people that can't make good financial decisions by protecting them (and the institutions from which they're trying to borrow) from their own poor judgement.

      submitting corrections, cleaning up errors... these are all revenue negative activities that drain resources from selling the data.

      Without these the data being sold is less accurate and less valuable. Banks won't pay for a credit check if they can't trust the results.

      they will lobby and dodge and make every effort to avoid those scenarios as much as humanly possible

      Not very well in the UK, they're all now regulated by the Financial Conduct Authority. Anybody that's worked in the finance industry in the UK knows that the FCA are very big on consumer protections, and treating customer (and consumers) fairly.

      That means that the credit agencies in the UK must demonstrate that they're running the business properly, securing data and avoiding consumer detriment.

      The ICO are a bunch of muppets that hate holding businesses to account. The FCA are a professional bunch that see it as necessary. The US have comparable bodies, they just need the legislation to give them oversight of the credit industry. Focus there, not on demonising the credit agencies.

    4. Re:Typical unethical US Corporate by Anonymous Coward · · Score: 0

      That's not helping the consumer.

      Helping the consumer is not their goal.

      Some people may be denied access to credit that they can afford but broadly the system benefits people that can't make good financial decisions by protecting them (and the institutions from which they're trying to borrow) from their own poor judgement.

      Protecting consumers is not their goal. Just protecting the businesses.

      submitting corrections, cleaning up errors... these are all revenue negative activities that drain resources from selling the data.

      Without these the data being sold is less accurate and less valuable. Banks won't pay for a credit check if they can't trust the results.

      A denial because the data is bad is still the safe business decision. Risk avoidance.

      The thing is, providing services to clean up credit would only help a small percentage of people to slightly improve their credit. Why spend money to make it easy for a small group of people to improve credit when your goal is to just cull the best records from the masses to use for recommendations? Denying credit to someone marginal isn't a huge issue. Giving credit to someone who cannot repay is a huge issue because it will cost the lender money.

      There's a perception that it's about the consumers. It's not. The consumers are the product, much like Facebook makes your data the product. Using bulk collected data on consumers is cheaper than individually managed data and it's all about profit.

      If this were about consumer rights, everyone's credit would be locked by default and only available for use or review when the consumer allows it, to prevent fraud and misuse. Sure you can get that, but it'll cost you money to do it. Another example of how the consumer is monetized.

  13. Good thing USA is not a capitalist country by WillAffleckUW · · Score: 3, Insightful

    If the US lived under capitalism, the corporation would be dissolved and its executives would be jailed.

    Luckily, we live in a Mercantilist society, where only the oligarchs make the rules, and our "elections" are fixed.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Good thing USA is not a capitalist country by DNS-and-BIND · · Score: 1

      If oligarchs had fixed our election properly then Hillary would be president today. Mercantilism is the opposite of free trade and globalism.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Good thing USA is not a capitalist country by Anonymous Coward · · Score: 0

      Right. The company that leaked all our data because it made bank collecting and doling it out with no rules whatsoever would face justice if only there were...fewer rules...

      You're a fucking moron. We are the product, and their customers don't fucking care. What you're seeing here IS capitalism.

    3. Re:Good thing USA is not a capitalist country by Anonymous Coward · · Score: 0

      I think the problem was they tried to fix the election for both parties, but both were sick of it. Bernie wouldn't punch right so Hillary and crew got away with it. Trump had no problem punching left which is why so many of the academic right-wing hated him, and why he was successful.

    4. Re:Good thing USA is not a capitalist country by sentiblue · · Score: 1

      Here we go again... another person stating their political view on a completely irrelevant subject.

  14. Hire an anti-tech music major... by Anonymous Coward · · Score: 1

    get what you deserve.

    Our CIO has a psychology degree, and he is terrible. Security is an afterthought. Instead of designing things to be secure from the ground up (like UNIX), we play whack-a-mole (like Windows) when we find problems.

  15. lots of telemarketing calls by Anonymous Coward · · Score: 0

    I almost wonder if the earlier dates are the reason why I started getting a lot more marketing calls even though I'm on the do not call list.

    1. Re: lots of telemarketing calls by rholtzjr · · Score: 1

      Those are the India-based telemarketers spoofing their numbers.

  16. shut them down and liquidate assets by Anonymous Coward · · Score: 2, Interesting

    Why do we need three of these companies anyway? More is not better.

    Shut Equifax down. Liquidate assets, divide up cash to all 140+ million impacted people around the globe.

    And use that as an example of what happens when a company has a data breach. No new laws necessary.

    The others will get the very clear message.

    Case closed.

  17. it just keeps getting better. by Anonymous Coward · · Score: 0

    that earlier intrusion was probably just a soft test for what became the big score.

    equifax should be as fucked-over as the rest of us.. but nope, they'll emerge relatively unscathed instead. your trump administration at work.

  18. The worst thing.. by Anonymous Coward · · Score: 1

    ...I'll just state the obvious: no one ever voluntarily gave their info to Equifax.

  19. Breached in 2011 too, never reported anywhere by Optic7 · · Score: 3, Interesting

    As far as I know.

    In 2009 I used an email address unique to Equifax only, never used anywhere else (I use a different email address to register at each website, usually in the form of websitedomainname@mydomain) to register at their website for the annual free credit report.

    In 2011, I started getting a bunch of spam at the Equifax-specific address. Bad spam, as in it's very unlikely that the spammers obtained my address by just buying a mailing list from Equifax and more likely someone stole it from them.

    In other words, they've had poor security for years and years.

    1. Re:Breached in 2011 too, never reported anywhere by schleimkeim · · Score: 1

      What makes you think they didn't sell it to whoever wanted to have the information?

    2. Re:Breached in 2011 too, never reported anywhere by Jason+Levine · · Score: 2

      Honestly, it wouldn't surprise me if they sold access to your credit information (as they often do) and included your e-mail address in the mix. Then some company just has to hire a shady "e-mail marketing" company and your e-mail address is on a spammer list.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    3. Re:Breached in 2011 too, never reported anywhere by jafiwam · · Score: 1

      What makes you think they didn't sell it to whoever wanted to have the information?

      Or, just guessed it.

      If you tail spam blocker logs a few times, you figure out they are brute-forcing email addresses too.

    4. Re:Breached in 2011 too, never reported anywhere by Anonymous Coward · · Score: 0

      This is why you file the opt-out forms with the various credit agencies. Then they are prohibited from selling any of your data to anyone else.

    5. Re:Breached in 2011 too, never reported anywhere by Optic7 · · Score: 1

      The nature of the spam. If it had been for something even borderline legitimate, like "hey, we have xyz service or product you may be interested in", I would have figured they had definitely sold my address. But from what I recall it was really junky spam, like pharmaceuticals, pr0n, phishing, and scams. I highly doubt that Equifax would sell their customers' email addresses to purveyors of that crap, at least for a price that those people could afford to pay. Equifax had at least some reputation to protect.

      That's why I reached the conclusion that they had had some breach back then. Perhaps not to the extent of this new one, with SSNs etc, but at least perhaps a passwd file or other more exposed database.

    6. Re:Breached in 2011 too, never reported anywhere by Optic7 · · Score: 1

      Could be, but it didn't seem like it to me at the time. See my other reply with some further thoughts: https://slashdot.org/comments....

  20. Jail Time for Equifax Senior Execs! by Anonymous Coward · · Score: 2, Interesting

    A bunch of sniveling golden parachute cowards, miscreants, and incompetents! Jail them!!

  21. Open source vetting must be mandatory by Anonymous Coward · · Score: 0

    If an enterprise company uses open source software, it has to commit resources internally to vet the source code to make sure that no vulnerabilities exist.

  22. Who else isn't talking? by ZNetracer · · Score: 1

    Does anyone really think that this ends with just Equifax? The other credit agencies have more than likely been breached at some point too. I would not bet against the probability that every US citizen has likely had some or all of their identity and financial information leaked, hacked, stolen or sold to other parties. We may all end up adding a credit watching/protection "service" to the list of our many, monthly paycheck leeches. First World Problems I guess...