Slashdot Mirror


Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com)

Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report: Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.


  1. Silver Lining by Anonymous Coward · · Score: 2, Insightful

    Maybe this will make people stop being so dependent on debt. Then perhaps the price of things will go down since no one will finance them any longer. Then maybe we'll see the banksters starving in the gutter.

    1. Re:Silver Lining by newcastlejon · · Score: 4, Insightful

      Then maybe we'll see the banksters starving in the gutter.

      "When banks fail, it is seldom bankers who starve."

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.
    2. Re:Silver Lining by MichaelJamesBattagli · · Score: 3, Informative

      Yea... you must either be a millionaire or not own a home.

    3. Re:Silver Lining by bobbied · · Score: 3, Insightful

      Maybe this will make people stop being so dependent on debt. Then perhaps the price of things will go down since no one will finance them any longer. Then maybe we'll see the banksters starving in the gutter.

      You do realize that credit reporting is done for more life events than those related to debt, right?

      You want a cell phone and don't use a prepaid one? Likely a credit check and monthly reports about your account...

      You open an account with the local electric company? Credit check, and likely ongoing reports..

      Open a checking or savings account? Brokerage account? 401k/IRA?

      You simply are NOT going to get away with not having your data show up at one of the big three unless you live a very unconventional life, only accept or spend cash and never do any one of the things we usually take for granted in today's world.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re: Silver Lining by orlanz · · Score: 3, Insightful

      Debt is modern slavery

      100 years ago, this was quite true, and it still is in many parts of the world. People always have needed loans. Savings are quite difficult to secure. The more you have the more bad actors target you. So people took loans for that cow, bike, education, or house. But back then, that debt passed on to your children. It wasn't unusual to have the grandfather build a house and the grandchildren pay it off.

      The interest you got charged was based on who you knew and what collateral you had. Gold, silver, daughters, etc. The lender many times basically owned your family. Those without connections or collateral had to beg or got no loans. They could never climb up in society.

      The modern Credit System, even with all its faults, is phenomenal and quite far from your statement. It allows strangers to partially assess the risk of an investment in the other. Additionally, the debt doesn't pass on to others. The failure of the investment is shared by only all parties to the deal. This allows for greater investments and returns in society. The only figurative chains of slavery are the ones self-imposed.

      As for cheaper houses. Sure without lending, houses would be cheaper but they would be smaller too with less features. If you want, you can still build your own 1950's 1000 sqft ranch home on 1/2 an acre of unincorporated land in less than 6 months for under $50k.

  2. American Express requires Equifax by Anonymous Coward · · Score: 5, Interesting

    By an interesting coincidence, I ended up finally applying for a credit card (after many years of debit card only) - and American Express wanted me to fill out a form that would have the US treasury make all of my tax records available to Equifax. I looked into it a bit more and apparently American Express has this rather heavy-handed tactic of picking some of their customers more or less at random, suspending all their accounts, and then holding the accounts hostage until the customers agree to have the treasury release their tax forms to Equifax. In a perfect world, American Express would face some consequences for forcing their customers to give all kinds of detailed and unnecessary financial information to a firm as incompetent and malicious as Equifax.

  3. don't get it by kiviQr · · Score: 5, Insightful

    You hire a security firm and at the same time you don't bother to update a critical security issue with the software? Did they have an audit or did they just pay $$ for a PCI compliance sticker? How did the audit go - how come it did not reveal issues with too much data being accessible from a public subnet? Just too many questions....

    1. Re:don't get it by Anonymous Coward · · Score: 3, Informative

      Did they have an audit or did they just pay $$ for a PCI compliance sticker?

      Virtually every audit I've been a part of in over 20+ years in IT has been a sham. I've worked in hospitals, movie studios, etc. They're all bullshit.

  4. Has there been any fraud since the hack? by Streetlight · · Score: 3, Interesting

    If the hack was perpetrated five months ago and kept quiet, there has been plenty of time for a great use of the data to be used in enormous amounts of fraud. I haven't heard of such, but may not have listened carefully enough. So, is there really a problem?

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    1. Re:Has there been any fraud since the hack? by SlaveToTheGrind · · Score: 4, Insightful

      If the hack was perpetrated five months ago and kept quiet, there has been plenty of time for a great use of the data to be used in enormous amounts of fraud.

      A few thoughts about that:

      1. High-volume fraud gets you caught. Most criminals dealing in this kind of activity are smart enough to get that.

      2. With the pieces of data leaked here -- names, SSNs, addresses, etc. -- there's not much to go stale. There's actually less incentive for bad guys to use it in the short term, because that's when everyone will be the most vigilant. Better to wait for things to calm down and everyone to become complacent again.

      3. Even if someone disregarded point #1 and went ahead and engaged in some short-term low-volume fraud, it would be hard to separate that signal from the noise of the flow of already-existing fraud. See point #1.

    2. Re:Has there been any fraud since the hack? by Jason+Levine · · Score: 2

      I'd also add:

      4. The criminals who steal the personally identifying information rarely use it. It's too risky. Instead, they'll offer it on various black market sites to other people. So while the hackers might have 100 million+ identities to offer, they might be slowly releasing them for sale and the buyers might be taking their time using them. It's not like the hackers will suddenly open up 100 million credit cards under 100 million people's names.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  5. Credit Freeze by Anonymous Coward · · Score: 3, Interesting

    Tried to do a credit freeze with Equifax on two occasions last week, and got a 500 Error from their server. Credit freezes on the other two of the big three, Experian and Transunion, went well.

  6. Watch out Mandiant by edi_guy · · Score: 2

    I am seeing the development of a narrative where you end up taking the blame. Sort of like BP tried to do with TransOcean.

  7. Typical unethical US Corporate by sentiblue · · Score: 4, Interesting

    Lies after lies... they simply refuse to do the right thing. My prediction is that lenders will stop using Equifax reports to make lending decisions and there will be a law/legislation to allow customers to request creditors not to report their information to Equifax.... or to any bureau for that purpose.

    1. Re:Typical unethical US Corporate by whoever57 · · Score: 2

      My prediction is that Equifax will heap all the blame on the now former execs and claim that all is now good. It won't be, but that will be the PR position.

      The only real issue now is how aggressive the SEC will be in investigating and prosecuting these former execs.

      I assume that there is some kind of agreement between the execs and Equifax, intended to shield both parties. Whether this works and whether one side decides to renege on the agreement may determine the outcome of any SEC investigation.

      --
      The real "Libtards" are the Libertarians!
  8. Good thing USA is not a capitalist country by WillAffleckUW · · Score: 3, Insightful

    If the US lived under capitalism, the corporation would be dissolved and its executives would be jailed.

    Luckily, we live in a Mercantilist society, where only the oligarchs make the rules, and our "elections" are fixed.

    --
    -- Tigger warning: This post may contain tiggers! --
  9. shut them down and liquidate assets by Anonymous Coward · · Score: 2, Interesting

    Why do we need three of these companies anyway? More is not better.

    Shut Equifax down. Liquidate assets, divide up cash to all 140+ million impacted people around the globe.

    And use that as an example of what happens when a company has a data breach. No new laws necessary.

    The others will get the very clear message.

    Case closed.

  10. Breached in 2011 too, never reported anywhere by Optic7 · · Score: 3, Interesting

    As far as I know.

    In 2009 I used an email address unique to Equifax only, never used anywhere else (I use a different email address to register at each website, usually in the form of websitedomainname@mydomain) to register at their website for the annual free credit report.

    In 2011, I started getting a bunch of spam at the Equifax-specific address. Bad spam, as in it's very unlikely that the spammers obtained my address by just buying a mailing list from Equifax and more likely someone stole it from them.

    In other words, they've had poor security for years and years.

    1. Re:Breached in 2011 too, never reported anywhere by Jason+Levine · · Score: 2

      Honestly, it wouldn't surprise me if they sold access to your credit information (as they often do) and included your e-mail address in the mix. Then some company just has to hire a shady "e-mail marketing" company and your e-mail address is on a spammer list.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  11. Jail Time for Equifax Senior Execs! by Anonymous Coward · · Score: 2, Interesting

    A bunch of sniveling golden parachute cowards, miscreants, and incompetents! Jail them!!