Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Breach Included 10 Million US Driving Licenses (engadget.com)

Posted by BeauHD on from the saga-continues dept.

An anonymous reader quotes a report from Engadget: 10.9 million U.S. driver's licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got a hold of 15.2 million UK customers' records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver's licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency's system.

35 of 66 comments (clear)

  1. Sometimes... by TheZeitgeist · · Score: 1

    ...having a sub-500 credit score can be a good thing.

  2. Jail time by Major_Disorder · · Score: 2

    Someone needs to get handed a few decades of jail time for this. By somone, I mean someone with Director, or C_O after their name. Better yet a few someones.

    --
    First law of people: People are generally stupid.
    1. Re:Jail time by Teckla · · Score: 2

      Someone needs to get handed a few decades of jail time for this. By somone, I mean someone with Director, or C_O after their name. Better yet a few someones.

      So here's the thing. We are currently experiencing the Computer Security Dark Ages. The security situation at almost ALL companies is as crappy as Equifax (not that Equifax should be off the hook as a result).

      The first problem is that security is way too hard. When 99.9% of people can't get something right, you have to start wondering if humans and education aren't the problem, but instead, if the tools are. Things should be ultra-paranoid super secure by default, and it should be downright hard to "un-secure" them.

      The second problem is that when it comes to software development, management generally cares about three things most of all, I will list them in order here:

      1. Get it done fast

      2. Get it done fast

      3. Get it done fast

      Software development is shit these days because the only thing that matters is speed. Oh, they often give security, reliability, and correctness some token attention, especially after news of big hacking incidents, like the Equifax breach. But really, all they care about is getting work done fast, and it's costing all of us much more, big time, in the long run.

    2. Re:Jail time by Julz · · Score: 1

      Don't forget "Get it done cheap".

      That's why there's plenty of skilled developers (not toilet paper certifications, drop n drop, point n clickers) currently out of work or barely making a living.

      --
      When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
  3. Punishment? by spaceman375 · · Score: 1

    Even if Equifax is completely disbanded and sold off, those responsible should spend time in jail and be fined into bankruptcy. Unfortunately, the right ones won't. There will be patsies and those who don't know enough or can't afford enough lawyers and time to defend themselves while the ones responsible will just take $$$ parachutes and waltz off.
          Our justice system is run by money, not justice. I wish I had a solution to propose.

    --
    On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
    1. Re:Punishment? by Anonymous Coward · · Score: 1

      It's almost like a country that is supposed to be by the people for the people really isn't.
      We could fix this, but I fear it wouldn't be pretty.

    2. Re:Punishment? by viperidaenz · · Score: 1

      It is by the people, for the people.

      No one really defined who "the people" are though.

    3. Re: Punishment? by Reverend+Green · · Score: 1

      FDR had the right idea when he threatened to reign in the Supreme Court. Really a shame he didn't do it.

      Our kangaroo courts are corrupt from top to bottom. The hands of every judge in the empire are soaked and dripping with blood. There can be no solution to any of today's deep political problems that does not include sweeping judicial reform.

  4. Customers? by Zocalo · · Score: 4, Informative

    You know, it's really starting to bug me that the media, including those that really ought to know better, keeps referring to the victims of the Equifax hack as their "customers". With the exception of those who actually signed up to Equifax's credit checking service of their own volition they, or more accurately the data Equifax has about them, are either victims or the *product*. Equifax's actual customers are the banks, employers, stores, and other companies that buy the data Equifax holds on the victims of the hack, most of whom have no direct business relationship with Equifax beyond an agreement with a third party to have their credit checked that probably didn't even make it clear that it would be Equifax doing the checks.

    --
    UNIX? They're not even circumcised! Savages!
    1. Re: Customers? by Reverend+Green · · Score: 1

      Really good point.

      What's a better term than "customers" for those on whom credit agencies collect slander data? "Victims" is true in many senses, but it sounds bad and lends itself to confusion in use. "Prey" makes it sound like there's a chance for escape, when there is not.

      "Marks" falsely implies they used trickery rather than coercion to get the data. "Slanderees" is basically correct, but it sounds weird.

      I really don't know the answer but I think it's an important question. Correct politics begins with correct language.

    2. Re: Customers? by TheCastro1689 · · Score: 1

      Marks would probably be best.

  5. Equifax; the gift that keeps giving.... by sizzlinkitty · · Score: 1

    I don't think any amount of identity monitoring can make up for this bullshit. Not only did my credit information get leaked, my salary and now my ID. This was bound to happen eventually, we need to really rethink about who gets our information, how long they can keep it, who is authorized to have it and hold them to a universal standard across the board for securing it. At which when a company falls out of compliance, they get 1 warning and after that they are permanently barred from storing this data.

    1. Re:Equifax; the gift that keeps giving.... by charliemerritt03 · · Score: 1

      Amen.

  6. Wouldn't it be quicker? by bob4u2c · · Score: 1

    At this point wouldn't it be quicker to list things that were not compromised by Equifax?

  7. That's just silly... by gatfirls · · Score: 1

    Yes there needs to be house cleaning (without parachutes but that will never happen) and yes the FTC needs to open a huge can of woopass on them and yes they should be sued into insolvency but jail time?

    Let's put the pitchforks away for a minute and realize it's not *if* a data breach happens it's when and no one is immune.

    The bad thing here is, like others, they are pussyfooting around with what/why/when/how and some of it may be to ignorance but a lot is probably damage control. In a sensible system there would be laws in place that any company with PII *must* cooperate 100% to publicly identify what was accessed and how as soon as they know. These things should be learning experiences not exercises in PR/damage control.

    1. Re:That's just silly... by Blymie · · Score: 2

      The law already handles this all over the spectrum. It's called 'negligence'. Fault is easy to assign.

      You don't patch shit? That's negligent. That's jail time.

      You get hit by a zero day, you have firewalls, and you catch it (because you're monitoring things!) fast? That's not your fault. You're not to blame.

      Equifax CxOs *do* deserve jail time. They were negligent. There needs to be criminal charges, and jail time served.

      Equating it to cars? You're driving down the road drunk. Or, you're on your phone not paying attention. You can be charged with various things at that point, which result in jail time (including dangerous driving here). But, you *hit* someone or something, and it's shown this is the case? EG, you were negligent?

      No sorries or excuses, you'll be seeing the inside of a jail cell...

  8. It's not just credit by Anonymous Coward · · Score: 3, Insightful

    The information can be used to file taxes. When one gets those "your taxes have already been filed" letters from the IRS is because someone used your SSN and other information and filed taxes to get a refund and other credits.

    That information is also used to get jobs. Illegal aliens use fake credentials to get jobs - and file taxes to get refunds and EIC, CTC, ACTC, AOTC or other credits.

    That information is also used for other nefarious reasons.

    And if that information is abused, it's up to the victim to correct it - if they can - and cover the costs.

    And most of the things that are done last forever. Even debt. Debt collectors are all unethical sacks of shit and they'll bully folks to pay to debt that isn't there's - including folks who have had their identities stolen. So, after having to deal with the identity theft, you will have to deal with assholes who will lie about the law to collect on debt that isn't yours.

    Suck it up my fellow peon.

    Equifax should be shut down, their C-level executives fired without pay, pensions or golden parachutes and the stockholders have their shares valued worthless - they shouldn't have invested in a company with an unethical business model and deserve the bad karma.

    I have been victim of Anthem's (lying cocksuckers) break-in, Equfax' (unethical lying fucks) and another one - I'm tired of getting letters that say my data was part of a data breech.

    We must have European regulations and laws regarding our data and privacy. Business is incapable of acting ethically, fairly and honestly.

    1. Re: It's not just credit by sabri · · Score: 2

      Equifax should be shut down, but the C-level executives should get the electric chair.

      You have to be realistic, and be fair. Read my comment and see if you still feel this way. And before I start: I am in no way affiliated with any credit reporting agency. I'm just a network engineer.

      1. Credit reporting agencies serve a purpose. They ensure that future creditors can make a responsible decision on whether or not you can handle credit, and are creditworthy.

      2. The information that they obtain, is provided to them by your creditors, and with your consent (you did read the terms and conditions, right?). Also, usually you will sign a waiver or permission slip of some kind, allowing a potential creditor to review your credit report when you apply for new credit.
      3. That said, I fully agree with you that this information should not have leaked. It is the company's responsibility to ensure that our data is safe and secure. However, let's be realistic. No system is secure. Hell, even the NSA got hacked. I would love to see the executives get some form of punishment, but primarily for the way they handled the hack. The hack itself: that's a risk of doing business.
      4. But my biggest thing: this should not be a problem. I should be able to have my social security number printed on the frontpage of the Wall Street Journal, without needing to be afraid of "identity theft". Why the F am I carrying ID? Banks and other creditors should always require and check my government issued ID prior to even talking to me. Having knowledge of a number does not constitute being me.

      And that my friend, is the real issue here, and that's not just the Equifax executives' fault.

      For example, my home country prints your SSN (well, it's tax-id equivalent) on your passport. Why? Because it also requires banks to have a copy of your ID on file, which they verified and checked for validity and authenticity. If someone is able to open an account in my name, I'll be suing the bank for failure to properly check ID.

      --
      I'm not a complete idiot... Some parts are missing.
    2. Re: It's not just credit by ShanghaiBill · · Score: 2

      Equifax should be shut down

      That will accomplish nothing. Equifax is already transitioning to different management. Shutting them down will just reduce competition even more and put 9500 people out of work.

    3. Re: It's not just credit by mschwanke97402 · · Score: 1

      You are clueless. These days people apply for loans and credit cards without ever seeing anyone face to face. Exactly how do you think they verify my ID? I tell them my SSN, Drivers License #, address and date of birth. Bamm, I get my loan, paid into the bank account I handily provide. Equifax has kindly provided all of this information and more to the criminals that accessed their unpatched web servers. Anyone with decent credit is at risk for Identity Theft going forward, forever.

    4. Re:It's not just credit by MoarSauce123 · · Score: 1

      "And if that information is abused, it's up to the victim to correct it - if they can - and cover the costs."

      Equifax should be forced to cover those costs and provide the services using a prime provider for life for anyone who was subject to that breach. The pathetic one year monitoring just doesn't cut it, especially when it is done by a obscure company with a shady track record. Anthem did the same thing, they offered monitoring for a year, but picked the worst vendor on the market to offer that service.

      "We must have European regulations and laws regarding our data and privacy. Business is incapable of acting ethically, fairly and honestly." Likewise, we need to have the laws changed that individuals can pick their own health insurance company with the employer paying the same subsidy as for the company plan. Sadly, we got the wrong president in power for any of that to happen. It is more likely that the few restrictions will get tossed as well.

    5. Re: It's not just credit by MoarSauce123 · · Score: 1

      "Why the F am I carrying ID?" - An ID that you can only obtain by providing your SSN. What makes matters worse, that ID is typically a driver's license and they come in so many forms that even officials might not be able to spot a counterfeit ID. What we need is a national ID that is also tied to a residence registry.

    6. Re: It's not just credit by evilRhino · · Score: 1

      The credit bureau's function is to make sure that an individual has a good credit rating so a bank or business can predict who would be a good risk to give credit. Did these companies prevent the "liar loans" which led to the financial collapse of 2008? It doesn't seem to me as though they are serving the public good to a capacity which offsets the risk in leaking private information.

    7. Re: It's not just credit by sabri · · Score: 1

      You are clueless.

      Thanks for your thorough assessment.

      people apply for loans and credit cards without ever seeing anyone face to face

      Yep. And don't you think this is the problem, rather than relying on a "secret" number?.

      Now you tell me what would be a smarter move:

      1. Keep relying on "intimate" knowledge to verify someones identity
      2. Mandate the verification of someones identity using government issued ID

      --
      I'm not a complete idiot... Some parts are missing.
  9. Throttle access to data by davidwr · · Score: 1

    Store your data behind a "skinny pipe" to the outside world.

    Make "skinny" just big enough for "normal" traffic for any given time of day plus a fudge-factor to allow for busy days.

    This way if someone wants to steal your data they will have to "sip it slowly" to avoid causing a noticeable slowdown.

    It won't stop wholesale data theft but it will reduce the amount of information they can steal in any given period of time.

    It also won't stop "selective" data theft..

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Throttle access to data by viperidaenz · · Score: 1

      Unless the amount of data you have is eclipsed by the number of times it's accessed.

    2. Re:Throttle access to data by Blymie · · Score: 2

      It apparently took the hackers months to get all the data. Why? They kept data transfers to a minimum, so it didn't show up on graphs.

    3. Re:Throttle access to data by DarkOx · · Score: 1

      Yes that is an element that isnt getting enough discussion in all this. How exactly did the attackers make off with quite so much data. We are talking 100TB plus at this point. I mean did they send small amounts of it to 10000000's of bots and than collate from there?

      How did they not have any correlation and event monitoring that could not spot a dataflow orders of magnitude larger than anything else that usually happens on their network?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  10. Re: I still don't care by viperidaenz · · Score: 1

    What about Windows Defender? You're already running Microsoft software, a little more won't hurt much more.

  11. Re:Get's worse by the day by viperidaenz · · Score: 1

    Yet they're still in the system, because they got a mortgage.
    or rented a house/apartment
    or a power bill
    or a phone account
    or pretty much any service that runs as a "pay in arrears" service. They all run credit checks on their customers.

  12. Re:There is none by viperidaenz · · Score: 1

    You go AC! I have faith you're going to honor your statements!

  13. Civil Seizure by jmcharry · · Score: 1

    Why are they not subjected to civil seizure? I think we all know.

  14. It is Equifax's job to publish private information by aberglas · · Score: 1

    That is what they do. For a fee. So their customers (Banks etc.) will be really pissed that they are giving out this information to others for free.

    It amazes me that the USA allows these companies to exist.

  15. end Equifax now by Reverend+Green · · Score: 1

    End Equifax now. Company out of business. Assets seized by the State. Managers fined. Executives in the gulag. End Equifax now.

  16. Pretty sure they didn't steal the drivers licenses by zifn4b · · Score: 1

    It's a neat idea. Hackers breach Equifax and find wormholes to everyone's residences and steal all drivers licenses and pile them up in a warehouse on a deserted tropical island.

    However, they may have stolen the Drivers License numbers.

    --
    We'll make great pets