Slashdot Mirror


Equifax Says 2.5 Million More Americans May Be Affected By Hack (reuters.com)

According to Reuters, Equifax said about 2.5 million additional U.S. consumers may have been impacted by a cyber attack at the company last month. Last month, the company disclosed that personal details of up to 143 million U.S. consumers were accessed by hackers between mid-May and July.

As for what led to the breach, Ars Technica reports it was "a series of costly delays and crucial errors." From the report: Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.
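As an added illustration of the scan-coverage failure described above (example code written for this page, not from Equifax, Reuters or Ars Technica), the Python below inventories deployed struts2-core jars, flags those older than an assumed minimum fixed version, and shows how a scan restricted to the expected webapps root silently misses a deployment living elsewhere. All paths and the version threshold are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory of jar paths, as a file-system walk over the web tier
# might list them. None of these are real Equifax paths. The last entry stands
# in for a dispute-portal style deployment living outside the usual root.
SAMPLE_JARS = [
    "/srv/webapps/portal/WEB-INF/lib/struts2-core-2.5.13.jar",
    "/srv/webapps/portal/WEB-INF/lib/commons-lang3-3.6.jar",
    "/srv/webapps/billing/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/legacy/dispute/ROOT/WEB-INF/lib/struts2-core-2.3.31.jar",
]

# Placeholder for the first fixed release named in the vendor advisory you are
# acting on. The article gives no version, so this value is an assumption.
MIN_FIXED: Tuple[int, ...] = (2, 5, 13)

STRUTS_JAR = re.compile(
    r"^(?P<app>.*)/WEB-INF/lib/struts2-core-(?P<ver>\d+(?:\.\d+)+)\.jar$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def find_struts(jar_paths: List[str],
                roots: Optional[List[str]] = None) -> Dict[str, Tuple[int, ...]]:
    """Map each application directory to its bundled struts2-core version.

    If roots is given, only jars under one of those prefixes are considered,
    which is exactly how a scan can silently skip part of the estate.
    """
    found: Dict[str, Tuple[int, ...]] = {}
    for path in jar_paths:
        if roots is not None and not any(
                path.startswith(r.rstrip("/") + "/") for r in roots):
            continue
        m = STRUTS_JAR.match(path)
        if m:
            found[m.group("app")] = parse_version(m.group("ver"))
    return found


def unpatched(jar_paths: List[str], roots: Optional[List[str]] = None,
              min_fixed: Tuple[int, ...] = MIN_FIXED) -> List[str]:
    """Application directories whose struts2-core is older than min_fixed."""
    return sorted(app for app, ver in find_struts(jar_paths, roots).items()
                  if ver < min_fixed)


if __name__ == "__main__":
    # Full inventory catches both stale deployments; a scan limited to the
    # expected root reports only one and leaves the legacy app unseen.
    print("full scan:", unpatched(SAMPLE_JARS))
    print("partial scan:", unpatched(SAMPLE_JARS, roots=["/srv/webapps"]))
```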

9 of 78 comments

  1. Mail your creditors. by John Meacham · Score: 5, Interesting

    Your personal information is being shared by your creditors/bank with Equifax. That is the only way they collect information.

    Write your creditors and say you no longer consent to your information being sent to Equifax due to their ongoing security issues. There are two other reporting agencies they can use; tell them you only want information shared with Experian and TransUnion until further notice. Even if they say no, say you will hold them legally responsible for information shared with Equifax after Equifax has been shown to be an immediate and clear security risk.

    It is pretty much the only way to hurt Equifax. It gets companies to stop using them. Convince companies that no matter how strong their own privacy policies are, they don't work if they are not transitive to everyone they share your information with.

    Heck, make this idea popular enough that credit card companies start listing "won't share your information with Equifax" as a selling point and it will hurt them bad and make everyone take security more seriously.

    --
    http://notanumber.net/
    1. Re:Mail your creditors. by fustakrakich · Score: 2

      There are two other reporting agencies they can use...

      They have been breached also. We can stop with the denials. The entire system is wide open.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Mail your creditors. by rtb61 · Score: 2

      Looking at the impact of the breach of Equifax financially and how that benefits their competitors, you have to wonder, at major corporation level where income directly ties to bonus, how much would executives spend to knock out a competitor? Perhaps a million dollars, probably, if say a $10 million bonus when a large chunk of a major competitor's income suddenly shifts to your corporation. Corporate wars really do happen now; psychopathic greed and giving them power was guaranteed to make it happen. There are many corporations who will kill for profit, so what is a little douche bag computer hackery compared to that.

      --
      Chaos - everything, everywhere, everywhen
  2. I understand I won't get a penny by Snotnose · Score: 2

    But can we toss all the CxOs into prison for a few years, strip them of their assets, and make Equifax an example? They fucked up the rest of my life; one would hope the rest of their lives would be fucked as well.

    1. Re:I understand I won't get a penny by lucm · Score: 5, Interesting

      They fucked up the rest of my life

      I work daily with credit reports and I will tell you this: even as a legitimate customer of credit agencies we are struggling to use their data. It's basically garbage.

      You would think they have a carefully crafted database with data integrity up the pooper, but in fact it feels more like they're having nonchalant clerks punch in notepad a boatload of data collected from forms submitted by gas station attendants.

      There are truncated fields, overlapping codes, conflicting date formats, unclear buckets with meaningless labels. Sometimes the street address and street name are in the same field; sometimes the creditor name and the amounts are in the same field but their phone number and area code are in two different fields. I've seen first name and last name concatenated in the first name field (with no space), or different spellings for the same financial institution appearing twice in the same customer report.

      So don't worry too much. Your credit file is basically "encrypted" by sheer indifference and lack of concern for data quality.

      --
      lucm, indeed.
  3. bah by Blymie · Score: 2

    an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded

    Yeah, right. Makes it sound like "Equifax", e.g. some MBA, tried to get "admins" to patch it, but they refused.

    Almost certainly what happened was the "Equifax email" was from an IT guy, and some admin manager said "NO, we can't do it right now."

    I wonder what department the email was from, and to. And what conversation was had outside of an email stream. "Too costly", "Too busy", "No time", "Can't afford it".

    Now that all hell has broken loose, I'm sure everyone's trying to claim "I wanted to do it!". Lies!

  4. Re:Seriously, who hasn't been impacted? by Alain Williams · Score: 2

    People outside the USA were affected, e.g.: Equifax says 400,000 U.K. customers were affected by hack.

  5. Re:They appointed a music major as CIO... by bluefoxlucid · Score: 2

    I'm actually a systems security engineer and their music major CISO was way, way above my level on infosec knowledge.

  6. Re:They appointed a music major as CIO... by bluefoxlucid · Score: 2

    I don't buy it. She's been in technical positions for a long while and the only black spot on her record is that she strongly defended cloud computing by talking about both the new opportunities to offload many of the security concerns to the provider (who can do it better) and to institute new security controls (because cloud computing lets you fuck up royally if you really want to). What shot down Equifax? A simple, traditional failure to patch a vulnerable piece of software--cloud, local bare metal, or VM.

    If they had been using e.g. Edge Hosting in Baltimore to host their custom application, this would have never happened. Edge Hosting leverages AWS and all that in the back-end; they provide security in front of all that with a lot of Trend Micro stuff (IPS, firewalls, etc.) as well as good use of AWS infrastructure. You tell them what your custom application does, their engineers work with you to figure out how to make it run, they handle the administrative work of keeping it running, you give them code updates. They track security vulnerabilities, write automation scripts to deploy them across all assets for all of their clients, do rounds of test releases, and then push them out.

    A cloud hosting provider like that would have been proactive in moving to protect all customers from a threat--something Mauldin believed was a great new opportunity while everyone was decrying cloud computing as an enormous mistake for anyone who doesn't want to lose control over their data and their security.

    Instead, Equifax's own administrators were responsible for managing their own software. They got behind in patching. This isn't a CISO-level mistake; this is an operational problem. CISO-level mistakes are broad, overarching strategy problems, and apparently their broad, overarching strategy let them sail along happily while Home Depot, Target, Sony, and Ashley Madison got hacked repeatedly over the past decade. One tiny, tiny breach and their entire database gets sucked out the pinhole.

    What could Mauldin have done in the past three years to cause this kind of failure of security--the simplest kind of neglect way down at the administrative level, where somebody didn't get around to putting in a patch? I doubt she cut down the company's patching policy from "Patches must be deployed by $RULES" to "Whatever, patch when you get around to it." The smoking gun is apparently that she has a degree in music, and so must be incompetent.