Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Says 2.5 Million More Americans May Be Affected By Hack (reuters.com)

Posted by BeauHD on from the there's-more-where-that-came-from dept.

According to Reuters, Equifax said about 2.5 million additional U.S. consumers may have been impacted by a cyber attack at the company last month. Last month, the company disclosed that personal details of up to 143 million U.S. consumers were accessed by hackers between mid-May and July.

As for what led to the breach, Ars Technica reports it was "a series of costly delays and crucial errors." From the report: Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.

78 comments

  1. Seriously, who hasn't been impacted? by rsilvergun · · Score: 0

    Tibetan monks here on sabbatical? Dogs? The flea's on said dogs?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re: Seriously, who hasn't been impacted? by Anonymous Coward · · Score: 0

      Your broke ass

    2. Re: Seriously, who hasn't been impacted? by Anonymous Coward · · Score: 0

      Thank you for Correcting the Record(tm)! $0.05 has been deposited in your account. Keep up the good work, citizen.

    3. Re:Seriously, who hasn't been impacted? by schleimkeim · · Score: 1

      No one outside of the US. You're the only ones with that kind of problem.

    4. Re:Seriously, who hasn't been impacted? by Alain+Williams · · Score: 2

      People outside the USA were affected, eg: Equifax says 400,000 U.K. customers were affected by hack

    5. Re:Seriously, who hasn't been impacted? by TheCycoONE · · Score: 1

      In addition to Alain's comments about the UK customers, there was also 100K Canadians affected: http://www.cbc.ca/news/busines...

      Also, while no one was known to be affected, Argentina's Equifax employee portal was found to be gated by the username/password admin/admin: http://www.bbc.com/news/techno...

    6. Re:Seriously, who hasn't been impacted? by Anonymous Coward · · Score: 0

      It affects basically everyone in America with a credit history, plus some foreigners.

      So, if you're American, you're probably only unaffected if you're a child under 16 or live 100% outside "the system", like someone who has been homeless or living in the wilderness since childhood.

    7. Re:Seriously, who hasn't been impacted? by Anonymous Coward · · Score: 0

      Probably easier to publish a list of who hasn't been impacted by this. Here...let me help.

      People Not Impacted by Equifax:

      No one.

    8. Re:Seriously, who hasn't been impacted? by Anonymous Coward · · Score: 0

      Equifax says 400,000 U.K. customers were affected by hack

      That's newspeak from their PR department.

      Equifax doesn't have 400,000 UK customers, it has 400,000 UK products.

    9. Re:Seriously, who hasn't been impacted? by schleimkeim · · Score: 1

      Also, while no one was known to be affected, Argentina's Equifax employee portal was found to be gated by the username/password admin/admin

      Just beautiful.

  2. just stop right here by turkeydance · · Score: 1

    and say Everybody

    1. Re:just stop right here by green1 · · Score: 1

      When was the last time a hacker broke in to a system and copied only part of a database? If they took anything, you assume they took everything.

    2. Re:just stop right here by ThatsLoseNotLoose · · Score: 1

      Now can we all stop worrying about security and NPPI since it's all out there anyway?

  3. In the voice of Professor Farnsworth: by Anonymous Coward · · Score: 1

    Professor Farnsworth: "Good News Everyone! Equifax Says 2.5 Million More Americans May Be Affected By Hack"
    Leela: But that's worse than what it was before!!!
    Professor Farnsworth: "Huh, wuh?"

  4. Mail your creditors. by John+Meacham · · Score: 5, Interesting

    Your personal information is being shared by your creditors/bank with equifax. That is the only way they collect information.

    Write your creditors and say you no longer consent to your information being sent to equifax due to their ongoing security issues. There are two other reporting agencies they can use, tell them you only want information shared with experian and transunion until further notice. Even if they say no, say you will hold them legally responsible for information shared with equifax after equifax has been shown to be an immediate and clear security risk.

    It is pretty much the only way to hurt equifax. Gets companies to stop using them. Convince companies that no matter how strong their own privacy policies are, they don't work if they are not transitive to everyone they share your information with.

    Heck, make this idea popular enough that credit card companies start listing "wont share your information with equifax." as a selling point and it will hurt them bad and make everyone take security more seriously.

    --
    http://notanumber.net/
    1. Re:Mail your creditors. by Anonymous Coward · · Score: 0

      I'm not sure this would matter. If your credit cards, checking accounts, etc., are used by hackers the financial institutions will end up taking much of the hit when you protest a charge. It might get back to the merchants or other creditors who won't get paid. I'm guessing Equifax is toast anyway. If not, it should be toasted.

    2. Re:Mail your creditors. by fustakrakich · · Score: 2

      There are two other reporting agencies they can use...

      They have been breached also. We can stop with the denials. The entire system is wide open

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Mail your creditors. by Anonymous Coward · · Score: 0

      The entire system is wide open

      Why don't you bend over? I'll show you what wide open really means.

    4. Re:Mail your creditors. by rtb61 · · Score: 2

      Looking at the impact of the Breach of Equifax financially and how that benefits their competitors, you have to wander at major corporation level where income directly ties to bonus, how much would executives spend to knock out a competitor, perhaps a million dollars, probably, if say a $10 million bonus when a large chunk of a major competitors income suddenly shifts to your corporation. Corporate wars, really do happen now, psychopathic greed and giving them power was guaranteed to make it happen, there are many corporations who will kill for profit, so what is a little douche bag computer hackery compared to that.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:Mail your creditors. by lucm · · Score: 1

      tell them you only want information shared with experian and transunion until further notice

      Here's the thing. Whenever you find yourself in a situation where someone has to check your credit, you're on the wrong side of the table to make demands.

      Anyways both of those agencies you mention are as crooked and incompetent as equifax. They both got caught in the same scandal of selling people fake credit scores while giving a different one to lenders.

      --
      lucm, indeed.
    6. Re: Mail your creditors. by Anonymous Coward · · Score: 0

      Hillary supporter detected!

    7. Re:Mail your creditors. by Anonymous Coward · · Score: 0

      Like signing up for electrical service, or cable? Yeah man, you need to evaluate what led you there....

    8. Re:Mail your creditors. by schleimkeim · · Score: 1

      Write your creditors and say you no longer consent to your information being sent to equifax due to their ongoing security issues.

      Yeah, like they'd care.

    9. Re:Mail your creditors. by arobatino · · Score: 1

      Write your creditors and say you no longer consent to your information being sent to equifax due to their ongoing security issues. There are two other reporting agencies they can use, tell them you only want information shared with experian and transunion until further notice.

      At this point there's no reason to believe the other bureaus are any less leaky than Equifax. Equifax may have just been the first bureau with a breach of this scale purely by chance. It would be different if there was a history of repeated breaches unique to them.

    10. Re:Mail your creditors. by Errol+backfiring · · Score: 1

      ... you no longer consent ...

      I don't think that anyone consented to share their data with Equifax in the first place.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    11. Re:Mail your creditors. by guruevi · · Score: 1

      It's not how it works minion. You cannot opt out of the credit check unless you never want credit. All three of the companies share information with each other (and there are more than the 3 big ones) regardless of your consent.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    12. Re:Mail your creditors. by Anonymous Coward · · Score: 0

      Your personal information is being shared by your creditors/bank with equifax. That is the only way they collect information.

      That is not entirely true. If you work for a company that uses TALX services (now rebranded as Equifax Workforce) for HR, tax, or payroll or the Work Number then your HR department is directly feeding your salary information to Equifax.

      FWIW, TALX lost control of their database starting in April of 2016.

  5. I understand I won't get a penny by Snotnose · · Score: 2

    But an we toss all the Cxx'x into prison for a few years, strip them of their assets, and make Equifax an example? They fucked up the rest of my life, one would hope the rest of their lives would be fucked as well.

    1. Re:I understand I won't get a penny by lucm · · Score: 5, Interesting

      They fucked up the rest of my life

      I work daily with credit reports and I will tell you this; even as a legitimate customer of credit agencies we are struggling to use their data. It's basically garbage.

      You would think they have a carefully crafted database with data integrity up the pooper, but in fact it feels more like they're having nonchalant clerks punch in notepad a boatload of data collected from forms submitted by gas station attendants.

      There's truncated fields, overlapping codes, conflicting date formats, unclear buckets with meaningless labels. Sometimes the street address and street name are in the same field, sometimes the creditor name and the amounts are in the same field but their phone number and area code are in two different fields. I've seen first name and last name concatenated in the first name field (with no space), or different spelling for the same financial institution appearing twice in the same customer report.

      So don't worry too much. Your credit file is basically "encrypted" by sheer indifference and lack of concern for data quality.

      --
      lucm, indeed.
    2. Re:I understand I won't get a penny by Anonymous Coward · · Score: 0

      Let's not forget the wonderful Date Of Birth value "A.G.E. 47'

    3. Re:I understand I won't get a penny by Anonymous Coward · · Score: 0

      > Your credit file is basically "encrypted" by sheer incompetence

      FTFY

    4. Re:I understand I won't get a penny by lucm · · Score: 1

      It has come to a point where we need AI to decipher careless garbage inserted into carelessly designed systems. Basically Skynet will be right to get rid of people.

      --
      lucm, indeed.
    5. Re:I understand I won't get a penny by bluefoxlucid · · Score: 1

      They've been around since 1899 and this is the first major breach. A huge legacy company that went to Internet-based services, and this is their first major breach. That's pretty amazing.

      You won't get perfect security. Everything that allows access into itself will get hacked.

      The solution is to not do it that way.

      Equifax gets hacked, but you have a hardware device which Equifax uses to identify you? That device doesn't share a secret, but instead accepts a challenge and returns a response signed using a non-revealed private key? Well, looks like the hacker got nothing they can use to positively identify themselves to you.

      Hacker may have changed the public keys associated with your account? Okay, drop all public keys, tell all users they can't open new credit accounts until they walk into their bank and physically present identification so the bank can re-associate their hardware FIDO device to Equifax, TransUnion, and Experian.

      Done. It'll get hacked to hell and it won't matter much. You have to hack the FIDO device, which has a much smaller attack surface, a narrow window of attack (only when it's plugged in), and is generally difficult to actually attack anyway. It's such a small amount of code you can actually make it provably-secure--you can make every interaction possible defined. Hacking or stealing the FIDO device gets you ONE person's key, and they can call in to their bank and have that canceled.

      The likelihood of an actual attack is near-zero, and the severity is near-zero because your contingency is you call your bank and cancel your trusts with the CRAs and then everything except opening new credit accounts works until you walk into a bank and re-establish trust.

      --
      Support my political activism on Patreon.
    6. Re:I understand I won't get a penny by Anonymous Coward · · Score: 0

      I have noticed the same thing.
      When I have looked at my credit reports, they have information on me, but it sure as hell isn't super accurate or exact.
      More like 'ballpark'...

      Why in the fuck do we allow these companies to have the power they do?
      Their entire C level staff should be fired and have all their golden parachutes donated to the Puerto Rico and Vegas.

    7. Re:I understand I won't get a penny by Anonymous Coward · · Score: 0

      >Your credit file is basically "encrypted" by sheer indifference and lack of concern for data quality

      HaaHaa oh man I hear you brother. Your laundry list of crappy data and their equally unfathomable headers/names sound just like the spreadsheets I receive from my customers. All of whom want their data geo-plotted on maps, printed as really long posters, or magically re-interpreted & fixed for them so they can colorize it again. crap in crap out!!!

    8. Re:I understand I won't get a penny by Anonymous Coward · · Score: 0

      A huge legacy company that went to Internet-based services, and this is their first major breach. That's pretty amazing.

      the only amazing thing here is how deeply idiotic you are

  6. Hacked turtles all the way down by Tablizer · · Score: 1

    They are the VW of credit agencies.

    --
    Table-ized A.I.
  7. bah by Blymie · · Score: 2

    an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded

    Yeah, right. Makes it sound like "equifax", eg some MBA, tried to get "admins" to patch it, but they refused.

    Almost certainly what happened was the "Equifax email" was from an IT guy, and some admin manager said "NO, we can't do it right now."

    I wonder what department the email was from, and to. And what conversation was had outside of an email stream. "Too costly", "Too busy", "No time", "Can't afford it".

    Now that all hell has broken loose, I'm sure everyone's trying to claim "I wanted to do it!". Lies!

  8. They appointed a music major as CIO... by Anonymous Coward · · Score: -1

    so nothing after that is surprising. Plus, they had a hiring freeze for males so again, no mistakes are surprising.

    1. Re:They appointed a music major as CIO... by Anonymous Coward · · Score: 0

      I work for a start-up in Seattle, and we've had a hiring-freeze against males for almost six years. Of course were so much in trouble now that we're working Seattle Hundreds (16 hours a day Mon-Thu and 12 hours a day Fri-Sun). It sucks since we can't take any time off to make-up for the subpar employees we've hired for the past six years.

    2. Re:They appointed a music major as CIO... by Anonymous Coward · · Score: 0

      > now that we're working Seattle Hundreds

      By this point everyone should know that if you take a job in the Seattle area, it's going to require hundred hour work weeks.

    3. Re:They appointed a music major as CIO... by Anonymous Coward · · Score: 0

      I work for a start-up in Seattle, and we've had a hiring-freeze against males for almost six years.

      Slow start, huh?

    4. Re:They appointed a music major as CIO... by bluefoxlucid · · Score: 2

      I'm actually a systems security engineer and their music major CISO was way, way above my level on infosec knowledge.

      --
      Support my political activism on Patreon.
    5. Re:They appointed a music major as CIO... by i286NiNJA · · Score: 1

      How? I think you're lying can I please see some evidence that she's competent beyond her lame PCI DSS cert?

      I really don't believe you at all.

    6. Re:They appointed a music major as CIO... by i286NiNJA · · Score: 1

      Never mind I googled you... yes as someone who has only been out of community college a few years most professionals know more than you this is not surprising.

    7. Re:They appointed a music major as CIO... by BronsCon · · Score: 1

      Yeah, I'm surprised they're still a start-up at least 6 years in, as well. I mean, with all the "diversity" you get by not hiring any men, you're sure to have the absolute brightest and best on your team. After all, no man has ever been good at anything; certainly never the best in their field.</sarc>

      I'm all for hiring a diverse team based solely on merit, if the pile of resumes representing the best-qualified candidates does, in fact, belong to a diverse team. Doing anything else (like, for example, not hiring men because "diversity") is going to have real world negative consequences. Sure, maybe you build a "good enough" team picking and choosing by gender or race; but your company doesn't exist in a vacuum and your competitors will be hiring the talent you've passed up. You will lose to competitors who were willing to hire solely on merit because they will inevitably build a more talented and capable team.

      And, when 90% of your qualified applicants are men, it's quite likely that 90% of your new hires will be. That's not sexism, that's statistics.

      If more women wanted to do this work enough to actually get good at it, we'd see more women in tech. It's pretty bad when you can walk into a room and tell which women were hired on merit and which were hired to fill seats for "diversity" before anyone even says a word, but there's really that much of a gap that you actually can tell. Sadly, most women I've encountered in this field were not hired on merit; the ones who were are absolutely amazing at what they do, while the ones who weren't tend to be more eyecandy than anything else. And we wonder why harassment is so prevelent -- maybe stop hiring women who bring nothing more than a pair of boobs with them to the office and focus on hiring women who can do the job, instead? If you can't find a qualified female candidate, don't just hire the first nice ass that walks through the door, you're only setting yourself up for a hostile work environment by doing that; either hire a man if you have an immediate need and no worthy female applicants, or keep looking if the need is not immediate, the qualified women are out there, they're just typically harder to find because there are insanely fewer of them and they tend to switch jobs less once they find a place that treats them like people rather than meat.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    8. Re:They appointed a music major as CIO... by bluefoxlucid · · Score: 1

      Mauldin kind of scrubbed herself from the Internet and made her Linked-In profile private after the breach. She has given interviews in which she discussed at length the evolution of the CISO role from a simple evolution of InfoSec engineering to a broad strategic role of organizational risk management.

      Thing is, I'm good on risk management—a lot better than most professionals in my field, because risk is a broad topic that doesn't just include things like security vulnerabilities and e-mail spoofing but rather an entire operational process of qualitative analysis from individual and organizational experience, identification of qualitatively-important risk, ranking of the probability (frequency of occurrence) and severity (cost) of those risks, and registering of risks and their mitigations and contingencies. Risk is a huge component of project management and even has its own business component (yes, you can have a Chief Risk Officer) which tracks risks such as market opportunities and threats to business operations.

      I'm also pretty decent with infosec stuff because I can take an adversarial position using both my technology background and my risk management background. I understand the practices and the products in place--firewalls, intrusion detection systems, things like CISCO AMP which track file movement through a network and look for anomalies, vulnerability management, patch management, password controls, encryption, the like--just fine. None of that bothers me.

      What I never got was theory.

      If you start talking about the deep computer science theory and the modeling structures behind risks, you lose me. Quickly. I understand role-based access control; I've also read the published standard for role-based access control, and the damned thing is full of discrete math and high-level mathematical concepts that I just don't grasp. You need a dual bachelor's in mathematics and compsci to be in that stuff. What I understand is simple: users should be attached to roles; roles should grant permissions; and the granting of roles as such assures that we don't grant you permissions which you don't need AND that you don't simultaneously have permissions which circumvent security controls (we can notate which combinations of roles create conflicts of interests).

      I'm like that with compsci in general. For example: modern compilers build programs such that anything with an on-stack buffer or an alloca() call gets a canary value generated from a random value (picked at process initialization) XOR against the return pointer on the stack, requiring a complicated read, compute, and rewrite of two pieces of data (you can't just start writing above the canary to avoid clobbering it) to pull off a stack-based buffer overflow. I don't fully-grasp how the random devices generate random data--there are data sources and algorithms, e.g. some shove it through a PRNG or through AES as a PRNG--and I sure as hell don't understand the compiler's parser or its optimizer (these days, optimizers operate on a static single assignment tree, which is at least approachable if you want to learn how they work).

      The stack is a protected area anyway: can't execute it as code. You can even achieve this on a 486-SX if you want: just mark the Read[=execute]-Write pages as SUPERVISOR and have the kernel force a DTLB load when something tries to read/write the page. When you continue the program, the MMU will check the data translation lookaside buffer and say, "Oh, this is data pointed at [physical page]." It doesn't cause a fault until you try to execute the page, or until it falls out of the DTLB cache. If you try to execute it, it's not in the ITLB (instruction TLB), and the kernel looks at the general protection fault and just kills the program for attempting to execute a non-executable page.

      ... I was more interested in computer innards and easy-to-follow logic than piles and piles of mathematics and complex theory. I'm more engineer than scientist.

      --
      Support my political activism on Patreon.
    9. Re:They appointed a music major as CIO... by i286NiNJA · · Score: 1

      Great response though it wandered a bit. Anyhow don't sell yourself short she's the pointy haired boss from dilbert and they user their CISO position to train a promising C level executive instead of rewarding a good hacker, engineer, or scientist and they got the results they deserved.

    10. Re:They appointed a music major as CIO... by bluefoxlucid · · Score: 2

      I don't buy it. She's been in technical positions for a long while and the only black spot on her record is she strongly-defended cloud computing by talking about both the new opportunities to offload many of the security concerns to the provider (who can do it better) and to institute new security controls (because cloud computing lets you fuck up royally if you really want to). What shot down Equifax? A simple, traditional failure to patch a vulnerable piece of software--cloud, local bare metal, or VM.

      If they had been using e.g. Edge Hosting in Baltimore to host their custom application, this would have never happened. Edge Hosting leverages AWS and all that in the back-end; they provide security in front of all that with a lot of Trend Micro stuff (IPS, firewalls, etc.) as well as good use of AWS infrastructure. You tell them what your custom application does, their engineers work with you to figure on how to make it run, they handle the administrative work of keeping it running, you give them code updates. They track security vulnerabilities, write automation scripts to deploy them across all assets for all of their clients, do rounds of test releases, and then push them out.

      A cloud hosting provider like that would have been proactive in moving to protect all customers from a threat--something Mauldin believed was a great new opportunity while everyone was decrying cloud computing as an enormous mistake for anyone who doesn't want to lose control over their data and their security.

      Instead, Equifax's own administrators were responsible for managing their own software. They got behind in patching. This isn't a CISO-level mistake; this is an operational problem. CISO-level mistakes are broad, overarching strategy problems, and apparently their broad, overarching strategy let them sail along happily while Home Depot, Target, Sony, and Ashley Madison got hacked repeatedly over the past decade. One tiny, tiny breach and their entire database gets sucked out the pinhole.

      What could Mauldin have done in the past three years to cause this kind of failure of security--the simplest kind of neglect way down at the administrative level, where somebody didn't get around to putting in a patch? I doubt she cut down the company's patching policy from "Patches must be deployed by $RULES" to "Whatever, patch when you get around to it." The smoking gun is apparently that she has a degree in music, and so must be incompetent.

      --
      Support my political activism on Patreon.
    11. Re:They appointed a music major as CIO... by i286NiNJA · · Score: 1

      My decades around hackers and nerds allows me to intuit that she is a manager and not a true technical person. Just from her stupid haircut.

      After the subsequent numerous extremely bad hacks and the statement from the CEO that the org has a culture of tenure and mediocrity... the smoking gun that she sucks is that she was working there to begin with. A good hacker would have had a difficult time with the culture there and quit out of frustration.

    12. Re:They appointed a music major as CIO... by bluefoxlucid · · Score: 1

      My decades around hackers and nerds allows me to intuit that she is a manager and not a true technical person. Just from her stupid haircut.

      You could also intuit that I'm a politician from my $800 suit. I'm also my Campaign Committee's chair, treasurer, accountant, chief technology officer, Web designer (could you tell?), content writer, speech writer, publicist, campaign strategist, information security officer, lawyer, and secretary.

      I happen to like train wrecks. Why work at a place that's well put together when you could be rebuilding a nation? I've pushed back against management, pointed out enormous operational flaws, and gotten myself counseled for saying unpleasant things about the state of an employer here and there when they'd rather I just do what they tell me. They eventually get back in line, and the organization straightens itself out--to miraculous effect. Sitting around and coasting is boring.

      Why wouldn't you want to work for a disaster employer?

      Perhaps the most attractive thing about being a Congressman is I get to tell all my coworkers--you know, Congress--exactly what's wrong and keep telling them long after they're tired of hearing it, and the only people who can actually fire me are the voters. Nobody can complain to HR that I'm "not a team player" because I'm annoying. Sure, you still need to play by the rules of human behavior and get buy-in, be diplomatic, and all that; but so does everyone else. In a corporation, the moment they get bored of the game, they start ignoring you, then realize you're impossible to ignore and start complaining to management; in Congress, they have to let you talk, then deal with the Media telling the whole goddamned country what you said, and then they have to deal with their own constituents. You can actually keep pushing on the issues that need to be pushed when doing so can get you buy-in, without worrying that one or two of the people you're never going to win over will call your manager to complain.

      If you want to do that but you aren't going for officer of some legislative body, go for officer of some hilariously fucked-up corporation. If you want to be boring, get a job somewhere that doesn't need you to straighten their shit out.

      --
      Support my political activism on Patreon.
    13. Re:They appointed a music major as CIO... by i286NiNJA · · Score: 1

      I'd much rather have a job that's low stress, high paying, and full of smart co-workers. Counter intuitively you don't actually learn much from untangling a messy clusterfuck of an IT workplace. You just get burned out. Top talent is an infosec wizard who can lead and manage, it's a rare person and she's probably going to expect a lot more than a "culture of mediocrity and tenure" to retain.

      So they had some chubby mom-looking bitch with a music degree. She did graduate summa cum lade and she did get a masters degree. She's just good at finishing things and that's the kinda person that's going to work for a place like equifax. She ended up where she was, the field had no calling to her.

    14. Re:They appointed a music major as CIO... by bluefoxlucid · · Score: 1

      Yeah, over three months when I got to my last job I started working 10 hour days, going home and working remotely, studying 5 new technologies, forgetting to eat until like 9pm, forgetting to shower, etc. Manager told me to slow down. Eventually, I came home, collapsed, cried for a while, then crawled into bed and slept 14 hours; I woke up feeling fantastic.

      I wonder what kind of infosec degree you could have gotten pre-2002.

      --
      Support my political activism on Patreon.
    15. Re:They appointed a music major as CIO... by i286NiNJA · · Score: 1

      EE, CS, Mathematics, Physics, CIS. I know everyone rags on her degree but a solid 1/3rd of infosec people are for all intents and purposes seat warming frauds. This is one of them. It's not her degree I have a problem with, it's her.

  9. Simplified by sit1963nz · · Score: 1

    Some clarification was required. 43 people in Delaware were not impacted. Thank you Ironically, the payouts made to management who are resigning, will on a per victim basis probably be greater than any of the victims will receive via any legal action taken.

  10. This would have no legal weight at all. by Anonymous Coward · · Score: 0

    1. You've already entered into a contract with your bank and creditors (aka "the fine print"). Typically the fine print allows them to change the terms of the contract under certain conditions but it does not allow you to change the terms of the contract. You can't just willy, nilly change a contract you don't like (unless it was stated in the original contract).

    2. Unless your letter is notarized and requires a signature on delivery, it's pretty much worthless as well. They have no way of verifying the letter is actually from you (hence the notary) and you have no proof that they received it.

    1. Re: This would have no legal weight at all. by Reverend+Green · · Score: 1

      One-sided contracts such as you describe have no moral authority, and are abhorrent to a free and democratic society. That American kangaroo courts regularly enforce them is prima facie evidence that the courts have no legitimacy, that they are nothing more than a tool for the shameless exploitation of the working people.

  11. shut them down by Reverend+Green · · Score: 0

    If an ordinary citizen did something this bad, we'd either get the death penalty or life in the gulag torture camps (living death). So this company needs to get the death penalty. Remember, corporations are people too!

    Revoke Equifax's charter, shut them down, seize their assets for the public coffers. The American people deserve to see the management of Equifax standing in an unemployment line.

    1. Re:shut them down by DarkOx · · Score: 1

      luckily we live in a nation of laws where we don't just seize your property and close your business because you annoyed some people!

      Equifax is victim. Yes they failed to take steps to prevent their victimization but that does not mean it was right for hackers/criminals to go in and steal their data; anymore than leaving your door unlocked entitles me to go into your house and take your stuff while you are at work today.

      Yes it greatly reduces the sympathy I have for the Equifax and their management who lost jobs, saw stock prices plummet, etc. It did not have to be this way they made it easy for the thieves via their own negligence. It does not change the face that they are still the victims here.

      As it stands today other than some states with disclosure laws, there really isn't a legal requirement to protect credit information. Maybe we ought to have such a law, like we have HIPPA for medical information, that places legal obligations on people/business that aggregate other forms of PII to store it securely and not be negligent about prevention of its disclosure. Right now we don't have that. I think if you ask yourself about the relative value of slapping Equifax around a bit now in terms of satisfaction you will gain, vs weakening our prohibitions on post facto law making you'd realize your proposal isn't a good idea!

      As far as taking their assets into the public coffers go; they are not really that valuable a business and they don't have all that much cash on hand, real estate etc. It would not likely amount to much of anything on an individualized basis. I for one would rather we preserve our liberty and property rights, thank you very much.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:shut them down by Anonymous Coward · · Score: 0

      Equifax is victim. Yes they failed to take steps to prevent their victimization but that does not mean it was right for hackers/criminals to go in and steal their data

      Idiot, it's not THEIR data, it's OUR data, and THEY promised us that they would do their best to keep it safe.

      for one would rather we preserve our liberty and property rights, thank you very much.

      That's just RICH, coming from someone who is defending people who have diminished the liberty and property rights of millions of people.

      Should I say it again? Yes I should. You are an IDIOT.

    3. Re:shut them down by DarkOx · · Score: 1

      Idiot, it's not THEIR data, it's OUR data

      Really, did I miss something is there some giant open source project that has aggregated credit reporting data on most of the public? Did you do it personally in your mothers basement. Give me break you, dip shat A/C, since we are name calling. It is their data, period full stop, that it happens to be about you does not magically change that.

      people who have diminished the liberty and property rights of millions of people

      Really, again how have they diminished your liberty or property rights? You mean how they made it easier and faster for your borrow money, and did not even charge you for the privilege? Or is your complaint they made it harder for you to welch on obligations and simply skip town and go on to take advantage of someone else, is that how they diminished your liberty?

      They credit reporting agencies are not run by angels watching out for your interests but neither are they your enemy. Grow up looser!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:shut them down by Anonymous Coward · · Score: 0

      Did you do it personally in your mothers basement.

      So Equifax entered into a contractual agreement to keep our credit data safe, failed to do so, and this is your response?

      neither are they your enemy.

      You really DO have a hard time understanding the nature of a contractual agreement, don't you.

      And YES, motherfucker, forcing people to take time from their lives to deal with this situation DIMINISHES OUR FREEDOM.

    5. Re:shut them down by DarkOx · · Score: 1

      So Equifax entered into a contractual agreement to keep our credit data safe

      Really, I am not away of being a direct party to a contract with Equifax anytime in recent memory. My bank might agreed to keep my personal information safe and failed in doing so by giving it to Equifax but than my beef should be with them. After all they are the ones who turned it over to a third party.

      And YES, motherfucker, forcing people to take time from their lives to deal with this situation DIMINISHES OUR FREEDOM.

      Who is forcing you to do anything? You don't even have to visit their website you are entirely free to proceed with your life as if everything is just fine. Which is probably what you should do moron because guess what; I can assure that information was already out there anyway just maybe a tiny bit harder to get. Really this mostly changes nothing.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:shut them down by Reverend+Green · · Score: 1

      Yup, we're a nation with literally millions of laws, and literally millions of souls rotting in our gulag to show for it. Why can't Equifax's "corporate person" rot in the gulag too?

      Oh yeah... it's because we have "the best justice money can buy". Equifax has a whole lot of ill-gotten money, therefore they can buy a whole lot of "justice".

    7. Re:shut them down by DarkOx · · Score: 1

      I'll totally support a HIPPA like law that says if you aggregate any PII you have to take appropriate steps and precautions to protect it.

      So that in the future Equifax like incidents can be punished. All I am saying is that we don't have that law today. We have a Constitutional protection against post facto law making for good reason. Don't let that get eroded because you're mad at Equifax today. That will make a bad situation worse. Pass a new regulation and hold future persons/corporations to account.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:shut them down by Reverend+Green · · Score: 1

      Since apparently you have the budget to purchase laws - alas, I do not - why be so modest? Credit bureaus snoop, spy, slander, and work tirelessly to make the poor stay poor and the rich stay rich. Let's just make them illegal.

      Ah, if only us plebs could afford to buy some laws...

  12. critical vulnerability in the open source Apache S by Anonymous Coward · · Score: 0

    says it all..

    open sores

  13. Everybody was affected. by EzInKy · · Score: 1

    Maybe some had more data to share than others, but I wouldn't bet on anyone's personal data escaping unscathed. It would take an act of Congress to protect citizens from the fallout of this breach, but I doubt the current "business friendly" environment will do much to protect the average American.

    --
    Time is what keeps everything from happening all at once.
    1. Re:Everybody was affected. by bluefoxlucid · · Score: 0

      Actually, the cost of the infrastructure to protect against this is likely under two million dollars if done correctly. The consumer devices would total $2.844 billion at $18 per consumer, although many of us like the $50 Yubikey 4 devices (these each store thousands of FIDO U2F credentials).

      It would take maybe 4 months of a single $120,000 programmer's time to integrate FIDO security with a CRA's Web-based authentication platform, or $40k per CRA (the change is something our own programming team here would implement in a couple days and spend a couple weeks testing). The banks literally need a $6 USB cable at each teller to connect to a FIDO device.

      With 94,725 bank branches and $6 USB cables at each of three teller stations, you're talking about $1,705,050 of cables. Each teller is sitting in front of a computer already, and they're using Web-based applications to navigate accounts these days. Add the $40k per CRA and you've got $1,825,050. That leaves $174,950, plus any bulk discounts the banks get on cables, to leverage additional programmer time for more QA on the back-end.

      Do note that the CRAs aren't the only ones who need software changes: the banks need their online banking forms and other automated software to pass the FIDO challenge through to the client as well, or else the CRAs need an app that lets you authorize a hard credit check via FIDO over a side channel (a likely initial transition). Still, we can get there with just changes to the CRA software on their end, and with an opt-in transition period where you can but aren't required to force each CRA to deny any hard credit check that doesn't get a FIDO authentication from you (the CRAs must do so if requested).

      Training for this takes about 15 minutes and, let's face it, we can fit that into the downtime the tellers have during the slow periods. We can make that zero cost.

      Identity theft cost $16,000,000,000 in 2016, versus $2,000,000 of one-time bare-minimum infrastructure costs and $2,844,000,000 of one-time consumer-end costs. The devices themselves are rugged and can last over a decade (because of their duty cycle--plugged in only when in use--they should be able to last longer than you), but let's say four years. That's $711,000,000 per year: identity theft costs 22.5 times as much. If people didn't lose their physical security devices or drop them in the toilet more-frequently than an average once per ten years, it'd be $284,000,000 per year or 1/56 the cost of identity theft.

      Note that these devices have practical use otherwise, as easy 2FA on your Google and Facebook accounts. They're a type of thing consumers might actually buy and use anyway (consumers DO actually buy and use them, just not on the scale I describe).

      So, yeah, I am preparing an act of Congress to hit the House floor the moment I begin my term. I've just been having a slight amount of trouble getting contributions to my campaign, and am running entirely on my own time and money--I estimate I can fund maybe half what I need in the extreme, but only am going in about 1/4 (and it's accounted as a loan, so if my campaign is far over-funded I can withdraw what I've contributed from whatever contributions remain at the end--so if people give me a million dollars, in the end, they're helping pay for my house as well as my Congressional victory. I make no apology for this; the campaign comes first).

      Well. I've been at this for a month, too, so there's that. It's not even election season.

      --
      Support my political activism on Patreon.
  14. yu0Y fail it by Anonymous Coward · · Score: -1

    Don't feel that [nero-online.org] do, or indded what

  15. Dropping PR after a distraction event... by Anonymous Coward · · Score: 0

    Yeah, dropping this press release just after a major national event that is consuming all the news cycles so it gets lost in the noise. How can the PR person who allowed this to get pushed out during such a situation look at themselves in the mirror and not think they are scum?

  16. Weeell, as Equifax says... by Anonymous Coward · · Score: 0

    ... everybody gets hacked, so it's not like all the information wasn't out there already. Business as usual.

  17. Rounding numbers by houghi · · Score: 1

    At this moment these are just rounding numbers. It is easier to say everybody was hacked. Then look at who was not.

    What I still find appalling is that the people that where hacked are "just" a few million people, but the real stink is how they dropped stock. It is like that douchebag with the inhalers. Screwing over a few million people for money is not an issue, but take some money from the rich and you are dead.

    I am not saying that they should not be prosecuted for that but the company should be offline till the investigations end at least. The only thing that should be available online is a static webpage telling that they are offline.
    Just as a precaution, the same should be done to their competitors till they show they are secure.
    But that would mean they can't make money and we can't have peoples lives interfere with that, now can we?

    --
    Don't fight for your country, if your country does not fight for you.
  18. Time to Lock All Three by Default by Anonymous Coward · · Score: 1

    FTC should now direct that ALL these types of organizations shall LOCK ALL CREDIT REPORTING unless requested to be opened by the OWNER of the accounts.

  19. Admin/admin by HalAtWork · · Score: 1

    Not just forgetting to patch but also allowing entrance via default admin/admin login/password, perhaps allowing attackers to discover other credentials and attack vectors to exploit elsewhere.

    --
    Twinstiq, game news
  20. At this volume - its everyone by Anonymous Coward · · Score: 0

    There are 326 million American citizens. Of those about 74.2 million are children (under age 18), and only about 127 million are employed full-time.

    This means that 326-(74.2 + 127) = 124 million are not employed full time. Equifax is more likely to have a file on a working adult, especially given how credit checks are part of modern employment screening, than a non-working adult. The breach is large enough that it covers every working adult in the US and then a very good chunk of the non-working ones.

    It is everyone. Everyone. There isn't a person whose identity isn't compromised here. If you work, the odds of being in this hacked list are more likely than not.

    So, credit just died, and nobody realized it. Wow. It is going to suck when that starts to hit home. This is the Craftsman-goes-to-China-gives-secret-sauce-to-everyone moment for the credit industry.

    -Engr Student

  21. Why are there only 3 Major Credit Bureaus by Ulfilas2000 · · Score: 1

    Has anyone bothered to ask why there are only 3 major credit bureaus?

  22. So... everyone? by bangular · · Score: 1

    So a quick google search shows there are about 250 million adults in the U.S.

    Subtract those that are older and haven't applied for credit in a very long time.
    Subtract the college students that have never applied for credit using a credit bureau.
    Subtract the tinfoil hat crowd.
    Subtract those in prison.

    It seems to me that every American actively participating in this nations credit system has been hacked. The way the number is reported, it seems like it was a partial database breach. But subtracting out those not currently participating in the credit system seems awfully close to the number reported.