Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax's Data Breach By the Numbers: 146 Million Social Security Numbers, 99 Million Addresses, and More (theregister.co.uk)

Posted by BeauHD on from the take-a-deep-breath dept.

Several months after the data breach was first reported, Equifax has published the details on the personal records and sensitive information stolen in the cybersecurity incident. The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant's ongoing audit of the security breach," reports The Register. From the report: Late last week, the company gave the numbers in letters to the various U.S. congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America's financial watchdog. As well as the -- take a breath -- 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too.

The further details emerged after Mandiant's investigators helped "standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen." The extra data elements, the company said, didn't involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.

30 of 69 comments (clear)

  1. US numbers are nice and all, but... by Anonymous Coward · · Score: 2, Interesting

    How many people from other countries got screwed by Equifax and to what degree? The stories reporting affected people seem to continually ignore the fact that there's more to the planet than the US and companies like Equifax have no qualms about screwing non-USians, too.

    1. Re:US numbers are nice and all, but... by Anonymous Coward · · Score: 2, Interesting

      In many other countries, you cannot take someone's money from the bank or take out a loan simply by having a semi-public information like DOB or some ID number or an address.

      That would be called fraud, and the bank would be liable for such lost since the bank is the victim.

      Only in American would allow the bank to pass the loss (due to their own fault) to their customer, and call that "identity theft".

    2. Re:US numbers are nice and all, but... by anegg · · Score: 1

      Bingo. This comment hits the nail on the head. The idea that Big Institution A wasn't stupid when they gave out cash, goods, or services to an individual who merely claimed someone elses identity without any proof is ridiculous. The fact that the legal system pins the problem on the innocent person who wasn't a party to the deal in the first place is criminal. Put the responsibility back where it belongs - in the hands of the Big Institution who is so eager to do business that they don't properly establish the identity of a person to whom they extend credit.

  2. Detterant by Anonymous Coward · · Score: 5, Insightful

    It's a good thing all those executives went to prison so corporations will start taking security seriously.

    Oh wait.

    1. Re:Detterant by ShanghaiBill · · Score: 4, Insightful

      It's a good thing all those executives went to prison so corporations will start taking security seriously.

      Sending people to prison for incompetence is silly. America already has far more people in prison than China, Russia or Iran, and four times the incarceration rate of the developed country average.

      Non-violent offenders do not belong in prison. For instance, Equifax executives could wear tracking anklets and spend 60 hours a week changing bedpans in nursing homes for the next 10 years. The cost to the taxpayers would be negligible, they would be doing useful work, and they may be back below their level of incompetence.

    2. Re:Detterant by Anonymous Coward · · Score: 2, Funny

      Yeah it'd be much better to do like China, Russia or Iran and just shoot them...

    3. Re:Detterant by rsborg · · Score: 1

      > Sending people to prison for incompetence is silly.

      Anything but time served is something the Corporation can just take as an "operating cost". Now how that time is served (either prison or community service) is debatable.

      At this level of disaster it doesn't matter whether the result was incompetence or malfeasance. According to Gray's Law [1] Any sufficiently advanced incompetence is indistinguishable from malice. At some point the Corporation's failure should result in tangible punishment regardless of why.

      http://wikidumper.blogspot.com...

      --
      Make sure everyone's vote counts: Verified Voting
    4. Re:Detterant by 140Mandak262Jamuna · · Score: 1

      Sending people to prison for incompetence is silly. .

      Sufficiently advanced incompetence is indistinguishable from malice.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    5. Re:Detterant by aquacrayfish · · Score: 1

      Sending people to prison for incompetence is silly.

      This is what pisses me off most when having technical discussions. Claiming something is hard when you signed up for a job doesn't fly. Let's ignore the fact that Equifax was aware of the security issues before this breach happened. Let's ignore the fact they're repeat offenders with handling data. They handle people's data that controls identity. It's borderline impossible to undo damage and prevent it once this information leaks.

      (And why our government is continuing to use them after this breach is... perhaps the dumbest thing I've seen in my life. But that's another story)

      When you handle data this sensitive, if you can't handle it and barely even attempt to lift a finger to fix the problem YOU SHOULD BE PUNISHED. Seriously, how bad of a fuck-up needs to happen before you decide someone should be punished? When does it *start* for you?

    6. Re:Detterant by Anonymous Coward · · Score: 1

      Sweety, the reason they buy from the criminals is because you and yours made it a crime.

      Legalise and regulate. Same as alcohol and tobacco. Add a tax that goes to hospitals or medical care for chronic abusers if you want. Spend the money you save on enforcement on support and watch your crime shrink, the cartels implode and the poorest and most vulnerable members of society start to do a bit better.

      Or is that last sentence the one that sticks in the craw?

    7. Re:Detterant by Anonymous Coward · · Score: 1

      The Chinese don't shoot them anymore. When a Chinese national commits a serious crime, they send the mobile execution van around and give them a lethal injection. This is what happened to the billionaire behind the melamine in baby formula scandal. The Chinese executed him in the van like any common criminal. His wealth did not save him. I have to say, there's something oddly satisfying about the Chinese way of dealing with these wealthy criminals who think that they're above the law.

    8. Re:Detterant by sjames · · Score: 2

      Prison may not be the right choice, community service probably fits better.

      As to why, THEY decided to spend more on marketing and less on security. They knew they had a problem and THEY decided to keep it covered up as long as possible (and so increased the damage). They choose to continue pretending that adverse credit reports are accurate even knowing that their own sloppy security introduced a great deal of doubt into that.

      And finally, THEY have done their damnedest ever since to make sure anyone and everyone but them bears the burden of cleaning up their mess.

      Incompetently leaking all that data was just the first in a chain of wrongs. Their actions afterward were fully under their control and the result of conscious decisions.

      Perhaps a few years of picking up trash on the weekend would re-adjust their attitude.

    9. Re:Detterant by ShanghaiBill · · Score: 1

      Yeah it'd be much better to do like China, Russia or Iran and just shoot them...

      Russia has not used the death penalty in more than 20 years. The last judicial execution was in 1996.

    10. Re:Detterant by ShanghaiBill · · Score: 1

      A compensation of $2,000 per person affected for a total of 292 billion dollars sounds like a good place to start.

      Equifax doesn't even have 1% of that amount, and never will.

      If they cannot pay, then all data held by Equifax should be seized in remission of the debt and permanently destroyed.

      So thousands of employees, who had nothing to do with the breach, would lose their jobs, and the credit reporting industry would switch from a tri-opoloy to a duopoly, making the situation worse for consumers.

      Perhaps you should think about this some more.

    11. Re:Detterant by AlwinBarni · · Score: 1

      Yeah it'd be much better to do like China, Russia or Iran and just shoot them...

      Russia has not used the death penalty in more than 20 years. The last judicial execution was in 1996.

      Of course, and still there was:
      - Sergei Magnitsky: Magnitsky had died from being beaten and tortured by several officers of the Russian Ministry of Interior
      - Anna Stepanovna Politkovskaya: tried to be poisoned, finally murdered
      - Maksim Borodin: died of injuries from falling out of a window
      - and many many others, either poisoned abroad or beaten to death, or just plainly murdered

      I assume, that by now everyone able to read have read Orwell's books, so people can differentiate between official statistics and reality in totalitarian countries.

  3. I don't recall ever giving my permission by Typingsux · · Score: 2

    For Equifax to be in charge of my personal information.

    Can anyone elaborate as to why they were put in charge, and what recourse do I have to punish this company for mishandling my information?

    --
    The above post is an editorial, the poster cannot and will not be held responsible for all or in part for it's contents
    1. Re:I don't recall ever giving my permission by Anonymous Coward · · Score: 1

      If you don't have anything to hide, then you have nothing to worry about.

  4. charge them for the privilege by supernova87a · · Score: 3, Interesting

    I keep saying, the following penalty scheme imposed on companies will clean up data breaches right quick:

    $1 per name, email, physical address
    $2 per phone number
    $3 per credit card number
    $4 per SSN

    And multiply for combinations thereof. You'll see how fast companies move to secure their data.

    1. Re:charge them for the privilege by AlwinBarni · · Score: 1

      I keep saying, the following penalty scheme imposed on companies will clean up data breaches right quick: $1 per name, email, physical address $2 per phone number $3 per credit card number $4 per SSN And multiply for combinations thereof. You'll see how fast companies move to secure their data.

      No, it will not work as long as people responsible are not held accountable.

      Most of the cases I know the CEO making decisions retires with multi-million golden parachute and all the penalty costs (if any) are passed on consumers or victims (as is the case of Equifax - people have to pay for locking their accounts, and one pays as long as one wants the lock be active) or ordinary workers.

      Top management don't give a damn about penalties, because they make up the rules of profits distribution and by the time anything is out in public, their pockets are usually full or/and their moved to another place if the screw-up was really big. Do you remember the shares selloff by Intel and Equifax executives?

  5. The IRS has news for you... by The+Fat+Bastard · · Score: 1

    I got a letter from the IRS that my SSN is being used by someone else to obtain employment. Again. Thanks, Equifax!

  6. Re:Just post every SSN by ShanghaiBill · · Score: 4, Funny

    Why do financial institutions seem to insist that Social Security numvers are a secret code? The government should just publish ALL of the SSNs

    That is the way it works in many countries: Your citizenship number is public information.

    Many have a separate changeable PIN for authentication.

    The American system of making the same number both semi-public and secret is unique.

    If 10% of the population went on record and disclosed their SSNs publicly it would shut down the SSN as a 'secret code.'

    Equifax has already done this as a public service. Good for them.

  7. Re:I am American by ELCouz · · Score: 1

    In fact this isn't only a problem with Americans but world wide. People globally just don't give a damn... Where are the pitchforks guys?!

    Disclaimer: I am not an American

  8. Percentage Perspective by psnyder · · Score: 1

    That's the names, dates of birth, and tax ID numbers of roughly 45% of the entire United States (population ~326 million). Subtract children who don't have credit yet (~74 million), that's roughly 58% of US adults.

    If "payment card" means credit card, that's 20% of all them in the US (1,041 million). Often you only need the number and expiration date to charge something to the card.

    Those addresses are for roughly 30% of the population (if an address was attached to one name), or more (if an address was attached to multiple names [ie: people living together]).

  9. Data used in mass Walmart.com CC applications by freak0fnature · · Score: 2

    While you won't find this info out there as it's been pretty hushed, but walmart.com took down their CC application site for over a week after a load of stolen IDs were used to apply for CC's there. There is some indication that the data came from this breach.

  10. The worst part by sjames · · Score: 2

    Their primary business is making sure adverse credit information follows people around, while making the assumption that the adverse reports are actually about the named person. Even while they know damned well that their own negligence has enabled ID fraud on a massive scale.

  11. Re:Just post every SSN by Sloppy · · Score: 1

    If 10% of the population went on record and disclosed their SSNs publicly it would shut down the SSN as a 'secret code.' It's time for it to happen.

    It has happened; that's what the story is about. 50-100% Americans already did, whether we wanted to or not.

    The information is no longer secret; we know for sure that it is definitely in the hands of ne'er-do-wells. Anyone who uses it for authentication is definitely, 100% being negligent without any possibility that they're trying to do the right thing or even slightly being diligent. If loans have been made based on this, we know that the loaning institution is almost certainly reporting their assets fraudulently.

    So.. post yours.

    Yeah, me neither. The problem is that even though the info is no longer secret, the government might still be pretending that it is... which makes it be sensitive.. sort of. So it's a government problem at this point.

    Maybe November's candidates should be talking about how they intend to deal with it.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  12. Re:Just post every SSN by Sloppy · · Score: 1

    "Unique."

    I nominate ShanghaiBill for the Politest Person of the Year award!

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  13. The most significant number: 0 zero zilch nada ni by 140Mandak262Jamuna · · Score: 1

    The number of top executives who went to jail : 0

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  14. Re:I am American by sjames · · Score: 1

    It does rub salt in the woulds a bit that Equifax has done nothing but make matters worse for people whose ID is used fraudulently, and now they have actually facilitated that same ID fraud on a massive scale.

  15. Re:Deterent by thomst · · Score: 1

    ShanghaiBill opined:

    Non-violent offenders do not belong in prison.

    Prompting a courageous Anonymous Coward to respond:

    Is that a reference to the poor persecuted drug users? At least when they are locked up, they are not pouring money into the Mexican drug cartels' pockets.

    You really, really need to read Pulitzer Prize-winning journalist Sam Quinones' book Dreamland: The True Story of America's Opioid Epidemic. It's essentially the story of how Perdue Pharmaceuticals created the opioid epidemic in the USA by misrepresenting to the FDA, Congress, and doctors across the country how "harmless" prescribing powerful opiod narcotics was, even for chronic pain.

    Based strictly on Perdue's bullshit, doctors - especially high school and college sports medicine doctors - prescribed amounts of Perdue's high-purity hydocodone medication high enough to guarantee addiction in athletes, housewives, and victims of trauma (auto accidents, falls, etc.) over long periods of time. When schools and insurance companies cut them off from those pharmaceutical sources, they turned in droves to Mexican brown heroin - which a whole new coop-style drug cartel operating out of the region around Xalisco supplied, using a fleet of drivers and a central dispatcher in each city they expanded into to bring the heroin to their customers with virtually zero risk of being caught making a deal.

    Those drug addicts whose lives you so casually dismiss were almost all created by Perdue's lies, and multi-billion-dollar, direct-to-physicians marketing campaign. They're junkies, yes. But most of them are victims of deliberate pharmaceutical industry malfeasance, not deliberate actors.

    Full disclosure: I have no affiliation with Sam Quinones, nor do I have any affiliate relationship with Amazon. If you buy his book via the above link, I get exactly zero dollars - or any other consideration - from the sale. (And you can get it from any other major bookseller, if you prefer not to make Jeff Bezos any richer, btw.) I simply believe it's essential reading for anyone who's interested in how the hell this country found itself in this mess to begin with, and who's responsible for getting us here ...

    --
    Check out my novel.