Slashdot Mirror


The Stolen Equifax Data Has Never Been Found, Experts Suspect a Spy Scheme (cnbc.com)

An anonymous reader quotes a report from CNBC: On September 7, 2017, the world heard an alarming announcement from credit ratings giant Equifax: In a brazen cyber-attack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S. It was the consumer data security scandal of the decade. The information included social security numbers, driver's license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instilled new regulatory oversight of credit ratings agencies. Then, something unusual happened. The data disappeared. Completely.

CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen. But none of them knows where the data is now. It's never appeared on any of the hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this -- not for impersonating victims, not for accessing other websites, nothing. Most experts familiar with the case now believe that the thieves were working for a foreign government, and are using the information not for financial gain, but to try and identify and recruit spies.


  1. Or they could just be using the Demographic data by rsilvergun · · Score: 2, Insightful

    to disrupt our political system. A DB like that would be a goldmine for that purpose, and we know just about every hostile nation is meddling in our politics.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  2. It's gone by Anonymous Coward · · Score: 1

    Maybe they saw how much media attention they got and deleted it out of fear?

    1. Re:It's gone by Lab+Rat+Jason · · Score: 2

      I came here to say this... a script kiddie who got in over their head and panicked. Or alternatively, a moderately talented hacker got in over their head trying to sell it to a superpower, and either pulled the rip-cord, or died trying.

      --
      Which has more power: the hammer, or the anvil?
  3. The guy died and took the password with him by registrations_suck · · Score: 1

    Maybe they encrypted it all and the guy with the password died, and now they're all fucked because they can't hack into it.

    1. Re:The guy died and took the password with him by Narcocide · · Score: 1

      LOL! Now that would be funny.

  4. Just waiting by chiefcrash · · Score: 4, Interesting

    Perhaps they're just waiting for the heat to die down and those free credit-monitoring programs to expire before using the data....

    --
    Show me on the 1st Amendment bobblehead where the moderator touched you...
  5. This data is not needed for recruiting spies by ffkom · · Score: 1, Insightful

    Foreign agencies only have to wait for the next ritual "shutdown" and make a friendly offer to any government employees no longer paid - e.g. at your local garage sale or at a public soup kitchen.

  6. It's OK by jetkust · · Score: 1

    They'll be able to recover your identity, in 7 years.

  7. Correct by WillAffleckUW · · Score: 5, Insightful

    Just a point, Social Security numbers and birthdates are not things you can easily change.

    It's time to realize the entire concept of credit ratings is deeply flawed and inherently insecure.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Correct by Lab+Rat+Jason · · Score: 1

      Wish I had mod points for you... this is at the CORE of the issue. It's a rickety and decrepit system that needs to be ripped to shreds and something better and smarter put into place.

      --
      Which has more power: the hammer, or the anvil?
    2. Re:Correct by Luthair · · Score: 1

      Really there is no reason they shouldn't be easily changeable or perhaps unique per relationship (e.g. your bank gets a different # than your employer). As implemented they shouldn't even be allowed to be collected or stored by anyone other than your employer and the government.

    3. Re:Correct by WillAffleckUW · · Score: 1

      Yes. For example, most schools used to use SSN or SIN for IDs and moved away to other IDs over time. The only reason you should have this ID is for taxes, and it should never be stored in your primary customer database, for any reason.

      Birthdates can also be problematic. To someone who's 20, they think it's not identifiable, but someone who's in their 90s knows it's very identifiable.

      --
      -- Tigger warning: This post may contain tiggers! --
    4. Re:Correct by ceoyoyo · · Score: 1

      You're right! Should rebrand it. Maybe call it something like "social credit." Maybe work with China on implementing it.

    5. Re:Correct by apoc.famine · · Score: 1

      Easily changeable seems like a recipe for disaster. If fraud is an issue now, imagine if someone could change your SSN without you knowing.

      Unique per relationship seems much, much more useful. Still an issue if someone gets one for a relationship you don't have, but not as problematic since you only have one subset of your credit score, taxes, etc., that you have to untangle, not all of them.

      --
      Velociraptor = Distiraptor / Timeraptor
  8. Someone is building a US database by AHuxley · · Score: 1

    Of existing US workers.
    Of all US mil/gov workers/contractors.
    Of all US NGO, think tank, tourist and embassy workers with work globally.
    Anyone who ever held a US security clearance.
    International travel and hotel use.

    By sorting all of them any gov/mil created name placed into retroactive social media accounts, that fake resume can be more easy to detect.
    Contact by another nation's officials with US spies to set up long term methods of spying.

    Who was really at a hotel in Macau years ago and what type of ID did they use with what created biography?
    Who else from the USA that that same pattern of missing and created ID data now?

    When creating a new ID did the US gov/mil/contractor consider all the database changes at a city, state and federal level?
    Someone has created a vast US database spanning generations of US gov datasets and has more data than most US city and state gov.
    Background checks are going to have to be much more creative and other nations gov/mil can do the same in real time.
    In the past the US gov and mil could remove/add mil service, college, type of education, level of education to provide a quality cover story.
    Now that created "name" has to match past database sets the USA can't alter in real time.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Someone is building a US database by Impy+the+Impiuos+Imp · · Score: 1

      An estimated 23 secret agents in Russia were executed because the CIA couldn't be bothered to wonder why one of its top officials was living in a house well beyond his means.

      So even if they had the will, they still can't scour personal data without a warrant, and General Warrants are forbidden by the Constitution.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    2. Re:Someone is building a US database by AHuxley · · Score: 1

      Considering all the database sets lost over the years? That's generations of US data that can't be altered, created, updated by the CIA.
      Work history, clearances, mil, education, insurance use, passports, decades of work, years of education and what type of education.
      Generations of US data now in use has to be consistent over generations and decades.
      How many people who can afford world travel/education with no digital past exist?
      A few people in cults and faith groups with not much state/federal ID to be given a fake/altered ID?
      That would hold as a person with no past.
      A passport that has to match an average life story? Languages and education? NGO charity work going back years?
      An average reason to be in another nation that fits in with wealth, when they got a passport, past work, education level.
      The problem for the CIA is another nation now has that years of US work history and that name/past can't be created/reused.
      In the past other nations had a quick social media search, hired a private detective in the USA for names that had to be looked into.
      Altered data would be ready and the CIA digital fiction would hold.
      Now nothing old can be changed for years. A new generation has to be created over a decade to allow for US spy pasts to be faked.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Someone is building a US database by AHuxley · · Score: 1

      The NSA and FBI would have seen all the database activity in real time.
      Expecting bad nations to stay online and attempt to use the vast and powerful search functions to:

      1. Put in names of dissidents of interest in the USA.
      2. Names used to create fake stories in the USA.
      3. Names of people expected to have a split loyalty to the USA in the second and third generation who would work for another nation when asked.
      4. Names on US passport they had seen but could not find much data on.

      The FBI and CIA wanted to see what US projects worked, what US names got matched, what US names worked and never got searched.
      Entire database sets got copied out while US gov/mil waited for real time database use.

      --
      Domestic spying is now "Benign Information Gathering"
  9. Re:Or they could just be using the Demographic dat by Narcocide · · Score: 2

    No, it makes a ton of sense if you're thinking like someone who has billions of dollars and government supercomputer access. With this data, all they need is some purchasing history to feed into the simulator with it and they can make a full psychological profile on you and everyone you've ever met.

  10. Re:Or they could just be using the Demographic dat by viperidaenz · · Score: 1

    Why not do both?

  11. Re:It's not lost by NickHydroxide · · Score: 1

    If there's one lesson I've learned about large organizations, it's Hanlon's Razor - never attribute to malice that which can be adequately explained by stupidity.

  12. Re:You believe what you're told by viperidaenz · · Score: 1

    The employees got paid.
    All the contractors got given a big fuck you.

  13. Re: It's not lost by Narcocide · · Score: 1

    What's that you say, girl? The data is still in the building? It's trapped in the break room and trying to get out?! Quick girl, go tell Paw!

  14. How can equifax be in business with this fail? by Anonymous Coward · · Score: 1

    What's the economic cost given the name, birthdate, social security numbers can be used for DECADES to disrupt the US economy?

    How can Equifax still be in business?

    How can Wells Fargo, identity theft opening fraudulent financial accounts on a mass scale, still be in business?

    Is this the USA where you get a monetary fine paid by your errors and omissions insurer and stay in business?

    The data losses are like the worst chemical spill times 500.

    1. Re:How can equifax be in business with this fail? by ShanghaiBill · · Score: 1

      How can Equifax still be in business?

      Because the people responsible have already resigned or been fired. Destroying the company would serve no logical purpose, would harm thousands of innocent people, and reduce competition in the industry.

    2. Re:How can equifax be in business with this fail? by AmiMoJo · · Score: 1

      Make Equifax a non-profit for the next decade or two, with any money they make used to deal with identity theft and regulating the other credit reference agencies.

      Japan has jail for companies, basically they are not allowed to do any business for a number of days but have to pay staff. It's means tested to avoid making people unemployed and can't be used as an excuse for layoffs etc. Equifax could do a 4 day week for a while.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  15. Re:You believe what you're told by bobbied · · Score: 3, Insightful

    Not true.. IF you had a funded government contract, you got (or will) get paid for work done/hours worked.

    If you got sent home because there was no work to do, too bad you are a contractor but it was your choice. That's the risk of contracting, you can be let go at a moment's notice. Sucks to be you, but I'm not going to cry crocodile tears for your losing 4 weeks worth of work and if you don't have enough resources stashed away for such contract interruptions, you are crazy or inept. IF a contractor lives paycheck to paycheck how on earth will they survive when their contract is not renewed? Not a good idea.

    Actually, it's not a good idea to live paycheck to paycheck anyway, I don't care who you are. One should always have 3-6 months of living expenses (not income, minimum living expenses) on hand. Layoffs happen, contracts end, accidents happen and unemployment takes time to get. I can attest that it's not a matter of IF, but WHEN it will happen to you. Nearly all of us will lose a job one or more times in our careers. Be ready. Bankruptcy is a royal pain and ruins your life for a decade. Don't do it.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  16. Because they likely have addresses by rsilvergun · · Score: 4, Insightful

    to go with that, so they'd know where, based on financial data, people were in bad or good financial shape and therefore where they could foment anger, frustration and discontent leading to poor decision making.

    People in bad shape do not make good choices. Pressure does not make diamonds, it makes garbage more compact. Take somebody who's financially desperate and push the right buttons and they'll do stupid things. Do it to a large number of people in a country where political decisions are made by margins of less than half a percent and you can wreck shit.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  17. Re: China is making lists by liquid_schwartz · · Score: 1

    Yup. But when they come to take mine

    China isn't going to take your guns. Their fifth column is going to do that in advance of an invasion. That's what the West Coast Wall is about. Make damned sure that when they land there won't be a civilian resistance. And they will have a secure beachhead. The supporters of this need to be investigated for treason.

    Yeah, sure. The probability of a Chinese invasion is vanishingly small. But that doesn't excuse the activities of their advance guard.

    If you've been to LA you'd know that it would serve them right to be taken over by the Chinese. I might just root for this plan.

  18. Just wait by ArchieBunker · · Score: 3, Interesting

    Someone is trying to test the idea of changing his birth date. Now that you can change gender and race at any time he is claiming he feels much younger than his age. This is the world that social justice warriors wanted so now they have to accept it.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Just wait by AmiMoJo · · Score: 1

      It was a guy in the Netherlands and he lost his case, although I think an appeal was possible.

      It's an interesting question. Being transgender is a well established and widely treated (in the developed world) medical condition. That guy just wanted to change his D.O.B. because he thought he was hot but not getting dates on Tinder because people were put off by his age...

      Seems like it would make more sense to argue against having to give your age at all, or at least give your actual age as opposed to the one you wished to display, since the only thing it is used for is to filter you out of search results. Not sure that the ageism protections would extend to not allowing people to filter by age range though.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  19. Re:Or they could just be using the Demographic dat by Narcocide · · Score: 2

    They use that SSN for a lot of important paperwork throughout your life, from jobs to schools to property ownership to insurance. If you take all these fatuous questions and assume this wasn't the only data breach ever, it really shouldn't take a huge imagination to figure out the types of things they could do by combining it with similar troves of data extracted from various social networks and advertising networks.

  20. Spies? Really? by aybiss · · Score: 1

    It couldn't possibly be a rival credit monitoring organisation could it?

    --
    It's OK Bender, there's no such thing as 2.
  21. Re:Propaganda Spin by pslytely+psycho · · Score: 1

    "Our propaganda campaign against China and Russia is in full swing at the moment"

    Hahaha, I suppose if 'at the moment' means since WWI...

    It's had peaks and valleys, but has remained rather constant since then. We used to call it the 'Red Scare.'

    China has risen in power since then of course, so they are a more recent addition, at least since Mao.

    Politics needs a big scary enemy to rally around. If they didn't have some ready made ones, they would just create one.

    In the absence of such agitators, we could just bomb Australia...

    --
    Donald Trump, on a crusade to make Nixon look respectable
  22. seems like perfect trove for coverup spies by AlwinBarni · · Score: 1

    Personal detail information including SSN seems like very good data to impersonate legitimate citizens. I am not a security specialist, but with existing voting percentages (60% presidential, 40% midterm) seem to me like a very serious problem for the US, which should not be taken lightly.
    Considering just the sheer volume of data - all or almost all citizens - seems impossible to control.

  23. Stolen Equifax Data Has Never Been Found by grep+-v+'.*'+* · · Score: 1

    Really? So there's just one of them? -- one data? I guess I really WOULDN'T download a car, then.

    Don't worry: it's not the ACTUAL people, it's only some data about them -- y'know, METAdata. No big.

    Or is that metapeople? Nope. Datapeople? Maybe. Peopledata? Again, maybe.

    Just like all NICs have a unique MAC address*, let's just wait until an evil Russian spy corrupting FaceBook** appears in two different places at once. It should be easy to detect, I'm sure the NSA's computers will all immediately crash since it's never had to process data that way before. (New code path, dont-cha-know?)

    * I've heard a decade ago that Compaq? issued some NICs with burned-in duplicate MACs which made for a fine mess. And then supposedly, this.

    ** an evil Russian spy corrupting FaceBook. Y'know, I'm not sure who'd be corrupting whom.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  24. Re:Or they could just be using the Demographic dat by rtb61 · · Score: 3, Insightful

    You got to be totally delusional, disrupt the US political system, it needs to be fucking disrupted it is entirely corrupt. It is so crooked, any disruption immediately makes it more honest than it currently is. Right now, the rest of the world is content to allow the US to SELF DESTRUCT as long as it leaves the rest of the world alone in the process and there it stops. Maybe just maybe a few countries are using their espionage services to disrupt the corruption by exposing the crimes in the US that the US government routinely ignores, especially high level crimes.

    When you disrupt corruption, you do not make it worse, you just reduce its extent, so hopefully everyone across the globe will work hard at disrupting entirely corrupt US politics, so that it is less corrupt (which would as it fucking turns out, means disrupting the extremely negative, corrupt and very criminal influence of the UK government, the Israeli government and the Saudi government and their disruption of any attempts to make US elections actually democratic and start prosecuting high level corruption).

    --
    Chaos - everything, everywhere, everywhen
  25. What about state-level extortion? by sabbede · · Score: 1

    Say it was China that hacked Equifax. We're in trade negotiations with them right now. Maybe they try to demand favorable terms in exchange for not releasing all that data.

  26. Re:You can rule out Russia. It must be China. by apoc.famine · · Score: 1

    The puppet is temporary. The value of the data will extend far past 4 years. Granted, its value likely decreases as time goes on, but it doesn't have a hard stop.

    --
    Velociraptor = Distiraptor / Timeraptor
  27. Re:Or they could just be using the Demographic dat by AmiMoJo · · Score: 2

    How do you explain Trump then? He came in and disrupted the usual political landscape, a non-politician with no experience in office and few connections within the Republican party. Displaced a bunch of more mainstream, established candidates including Clinton and Cruz...

    And yet he is also one of the most corrupt Presidents ever, loves giving jobs to his family and friends, uses the position to enrich himself, and at the very least seems to have surrounded himself with convicted/confessed criminals.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  28. Thank God by Toxiz · · Score: 1

    Thank God we can do a free dark web scan at equifax dot com. Otherwise this could have been a disaster.

  29. Re:You believe what you're told by bobbied · · Score: 1

    Bravo... I applaud your life choices and financial self sufficiency. Everybody should be like you.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  30. Re: Or they could just be using the Demographic da by Narcocide · · Score: 1

    Checkmate.