Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security United States

Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com) 401

The breach Equifax reported Thursday is very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.

UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.
This discussion has been archived. No new comments can be posted.

Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever

Comments Filter:
  • by 110010001000 ( 697113 ) on Friday September 08, 2017 @09:07AM (#55158619) Homepage Journal
    I was already affected by the US Office of Personnel Management hack, because I needed clearances to get my $55k job doing government IT support in Silicon Valley. It was a small price to pay.
    • Yea. That one was worse because the potential to have finger print data as well.

    • Frankly, too late for most of us.
      However, the article kind of hints at the problem: these companies all revert to this as identification. And often, the same stupid security questions (seriously, you think someone couldn't figure out my mother's maiden name from a basic search of several sites? Or use most people's Facebook to figure out where they were born or the name of their high school?)

      While the proliferation of security bugs is worrisome, with it seems like a new security failure every couple months

    • I was already affected by the US Office of Personnel Management hack, because I needed clearances to get my $55k job doing government IT support in Silicon Valley.

      Ouch...man, you need to renegotiate....someone is getting WAAAAAY too much of your bill rate for federal IT work with a clearance.

      You should be pulling in 6 figures for that.

  • by Anonymous Coward on Friday September 08, 2017 @09:09AM (#55158627)

    Oh wait.

    • by Anonymous Coward on Friday September 08, 2017 @09:18AM (#55158687)

      Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily effect major life events (e.g., home purchaes).

      They make money from using our information, provide little benefit to us, and hold almost no accountability when they're wrong but can and often do horribly effect consumers lives based on data they provide--even when it's inaccurate.

      • Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily effect major life events

        But it won't because the institutions that rely on these agencies don't give a damn. They don't lose anything over it. Anything goes wrong and the government will bail them out and leave us holding the bag.

      • Re: (Score:2, Insightful)

        by nagora ( 177841 )
        Given that the effects of the rating agencies' massive and corrupt dealing which led to the collapse of the world's banking system in 2010 were that, er, the rating agencies were allowed to continue exactly as before, I don't expect this will hurt Equifax too much. What will hit them harder, in all likelihood, is the possibility of insider-dealing pushing their share price low enough for Experian to buy them up and then ALL their data will be, once more, transfered to another party without any of the people
      • I'll push back (Score:5, Insightful)

        by stomv ( 80392 ) on Friday September 08, 2017 @10:04AM (#55158985) Homepage

        They make money from using our information, provide little benefit to us...

        I'll bite. I agree that, as individuals, it doesn't feel like they provide a benefit. But by providing somewhat-accurate financial history to lending institutions, those lending institutions can more precisely estimate the risk associated with each loan. In doing so, they're able to lend more money, and at lower interest rates, than they'd be able to do otherwise.

        I'm not arguing that there aren't loads of ways that Equifax et al could improve their business habits. Of course there are. But without these agencies, lenders would have a more difficult time gauging credit-worthiness, and that would mean it would be harder and more expensive for each of us to get a loan. And that, my friend, is the "benefit" provided to us.

        • by sxpert ( 139117 )
          over here (france) this function is handled by a shared database only accessible by banks and managed by the central bank...
      • You are the product. The customers are the banks, companies, and landlords from whom you wish to borrow money or collateral (like a leased car or apartment).

        And getting rid of the credit agencies won't have the effect most people seem to think it will. Lenders won't magically assume everyone is credit-worthy if there's no way to check people's credit. They're going to assume everyone is not credit-worthy. In other words, getting rid of credit reports won't make it easier for people with poor credit t
        • by DarkOx ( 621550 )

          getting rid of the credit agencies won't have the effect most people seem to think it will.

          Correct, yourself included.

          Lenders won't magically assume everyone is credit-worthy if there's no way to check people's credit. They're going to assume everyone is not credit-worthy.

          No! Most lenders won't make any assumptions at all they will do what was traditionally done they will determine if you have connections in the community, check into your reputation with past lenders and maybe even your pastor, get documentation from you about your income, its sources, etc, maybe drive past your house to see what your expenses really look like...

          Slow, painful, and expensive as that process may be the would do because not lending means they don't make any money!

          Unless you can prove you have enough money in the bank to cover the loan or collateral.

          Ag

      • by ClickOnThis ( 137803 ) on Friday September 08, 2017 @11:14AM (#55159513) Journal

        One way to protect yourself (to a certain degree) is to put a lock on your personal information with each of the three credit-reporting companies (Experian, Equifax, and TransUnion.) That way, nobody can access your information unless you lift the lock, either selectively, or for a finite period of time. Some of the agencies charge money (typically $10) for such a lock, or to lift it temporarily, but it's worth it IMHO.

        • by eth1 ( 94901 )

          One way to protect yourself (to a certain degree) is to put a lock on your personal information with each of the three credit-reporting companies (Experian, Equifax, and TransUnion.) That way, nobody can access your information unless you lift the lock, either selectively, or for a finite period of time. Some of the agencies charge money (typically $10) for such a lock, or to lift it temporarily, but it's worth it IMHO.

          It was... If someone now has every piece of information that Equifax has for you, they can probably lift the lock, as well.

  • Give it time. (Score:5, Insightful)

    by penandpaper ( 2463226 ) on Friday September 08, 2017 @09:14AM (#55158653) Journal

    Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever so far.

    • Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever so far.

      It will be very hard to top this. In this case we have half of a population with personal info detailed enough to effectively steal identity in multiple ways, of a group of people who have no business with the company, and who may not know that their personal information is part of it. That is the real problem here. The sheer size and almost covert scope given that none of these people are customers of Equifax and I'm sure nearly all people have no idea who this company even is.

      About the only thing that cou

      • by sxpert ( 139117 )
        experian gets hacked and the entire database dumped on pastebin ?
      • credential theft (Score:5, Insightful)

        by epine ( 68316 ) on Friday September 08, 2017 @10:42AM (#55159289)

        It will be very hard to top this. In this case we have half of a population with personal info detailed enough to effectively steal identity in multiple ways ...

        Hackers aren't stealing identity, they are stealing credentials (so as so assume an identity, if the world makes this easy for them to pull off).

        Institutions want to pretend that credentials = identity, so that if they give your money to the wrong person, it's your fault (your identity was stolen, what else could we do?) rather than their fault (their chosen system of credentials sprung a leak, causing them to misidentify some loser as the real customer).

        Finally, a big enough leak that maybe some people will begin to comprehend the distinction here.

      • It will be very hard to top this.

        Challenge accepted!

    • Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever so far.

      I've spotted the time traveler.

  • Send 'em to jail (Score:5, Informative)

    by Anonymous Coward on Friday September 08, 2017 @09:15AM (#55158657)

    The equifax executives apparently sold stock immediately after learning of the breach. Jail them all for incompetence _and_ insider trading.

  • That company is rotten to the core. They have far too much power over our lives and very near zero accountability for how they handle that power. Allowing those hacks to decide how credit worthy someone is could be one of the worst ideas of the 20th century, and we have unfortunately held on to that terrible idea into the 21st century as well.
    • I'm not defending them, but how else would you propose preventing someone from running up a whole ton of debt, skipping out on it, and then doing it again at another creditor? The best way is to have some sort of equal-access clearinghouse of information on consumers.

      The problem is that people are sometimes irresponsible. It's not even just regular consumers...many business owners and wealthy people just go around starting companies, load them up with debt and bankrupt them. That's allowed under the current

      • by dargaud ( 518470 ) <slashdot2&gdargaud,net> on Friday September 08, 2017 @09:55AM (#55158909) Homepage
        I'd started to moderate this discussion but I'll lose it to answer your question:

        how else would you propose preventing someone from running up a whole ton of debt, skipping out on it, and then doing it again at another creditor?

        Like they do in every (?) other country: you go to a bank, show them your bank statements for the last few years, you tax statements, your job contracts, your current house mortgages and anything else they ask, and THEY decide on what kind of loan to give you based on that info. Oh, and yes, having a state-backed ID card helps against you running away and trying somewhere else. No centralization: too much power, too much risk and nothing to gain for the customer anyway.

    • Rotten and incompetent.
      The equifax main site sends users to https://www.equifaxsecurity201... [equifaxsecurity2017.com] which points to https://trustedidpremier.com/e... [trustedidpremier.com] which then asks for a last name and 6 digits of a social security number.
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Friday September 08, 2017 @09:58AM (#55158939)
      Comment removed based on user account deletion
      • by djinn6 ( 1868030 )

        If a person is on the black list (late payments) they will not be allowed ANY credit.

        That's a bit harsh, no? I've been late on payments once or twice and I'm not even struggling financially. It's easy to forget the due date or mixup the amount. Can't imagine how bad it would be for someone who has several credit cards.

      • Re: (Score:2, Informative)

        by ichimunki ( 194887 )
        In the US would raise the hackles of religious people who think being forced to go through a government owned/operated central bank is like being forced to do business with the antichrist. Seriously. 40% of the US population believes in creationism. The Social Security Administration will not produce SSNs starting with 666 (https://www.ssa.gov/kc/SSAFactSheet--IssuingSSNs.pdf).
    • since who else has the power to call Equifax to task? But I think it's safe to say the body politic has spoken. The party that espouses deregulation the most has the House, Senate, Presidency, is on the way to taking the Judiciary and has virtually all the State Legislatures and governorships. If you want to see any meaningfull action taken we'll need big changes to our political makeup.
  • by Opportunist ( 166417 ) on Friday September 08, 2017 @09:18AM (#55158683)

    We have PCI-DSS for companies that deal with credit card information. Why not for companies that store even more sensitive information that potentially allows a criminal to pretty much take over my life by essentially stealing my identity?

    The damage here is way more serious than ANYTHING the loss of a million credit card numbers could mean. Could it be that it's just us that have to foot the bill instead of Visa and Mastercard?

    No, that can't be. Government represents the people, right?

    Fuckers, I hope some Supreme Court judge alongside of a few congresscritters get hit badly with this breach. I usually don't wish bad things to happen to anyone, but I really hope that one of them has their identity stolen, their credit rating trashed and their life basically ruined by this hack.

    Because ONLY then we'll FINALLY see something happen.

    • Government represents the people, right?

      97% reelection rates say, yes, the government does represent those who vote.

    • by GlennC ( 96879 )

      Government represents the people, right?

      In theory, yes. In reality, government represents their corporate owners.

    • We have PCI-DSS for companies that deal with credit card information.

      Yeah because *that* works so well. [crn.com]

      Relevant quote:
      "I'm not surprised to see another large credit card breach; they will continue to happen because the impact is not a large one to the business," Doten said. "Being PCI-compliant doesn't make you secure; it only protects you from the lawsuits."

    • by bluefoxlucid ( 723572 ) on Friday September 08, 2017 @10:20AM (#55159109) Homepage Journal

      No regulation would stop this. Computers are enormous and complex; either Equifax writes in-house software or hires out for someone to write their software; and credit reporting agencies are dealing with a unique business situation requiring some kind of unique front-end to their clients. Even Windows, Linux, Oracle, Adobe, and Chrome have security bugs.

      Regulation can't prevent them from putting forth all due diligence and still failing. Equifax was founded in 1899 and has been the front-line CRA for decades; they got the tech first, they got the Internet services first, they got the Web sites first, and now they got hacked first. It's been a long time coming and they've gotten hacked once. You can't stop that.

      You want security against identity theft? Here it is: hardware identification. U2F devices--I hate them, rant in a minute--can identify a user without relinquishing a key. You want to know I'm who I say I am? Then I register with Equifax, I give them an identifying key, I authorize your credit check with my key. You can't hack that. It's unhackable, or else somebody has figured out how to break encryption that should not be breakable yet--in which case nothing is safe.

      I would not be above passing legislation specifying that a person's credit history cannot be impacted by non-challenge-response, user-presence-based authentication in line with modern standards. That is: you have to have something that can be handled entirely in the open and still not allow impersonation, such as RSA or Ed25519 challenge-response exchange with a secure hardware device. These devices cost all of $20 at the lowest end.

      If the banks want to go ahead and verify your ID by other means, that's fine; and when you have presented your case in dispute and filed for small bankruptcy, we bail you out of only those unauthenticated accounts, and don't mark it on your credit history, at all. They can validate your identity later and confirm those accounts only with your informed consent.

      Lost your key? Call your bank; all banks are required to file a Lost Key hold for anyone with a credit account with them, which freezes all your credit. You have to show up to a bank, present valid ID (e.g. a real Driver's ID), and then prove you still have your key or provide a new key to re-establish a trust relationship between you and the CRA. No verbal verification; you physically come here and show me your ID, or you're full of shit and have a print-out of stolen Social Security numbers at your desk.

      The states or the SSA could supply similar attestation, with those smart chips (they're actually miniature computers, in full) embedded into multi-layer polycarbonate Driver's IDs and Social Security cards functioning as U2F devices with a trust relationship to the Government agency. These cards are tamper-proof: your photograph is laser-etched into a mult-image across multiple polycarbonate layers. You're not going to clone someone's Driver's ID with a non-readable private key inside, not without stealing the original Driver's ID. If your state supplies this, you can easily attest to your bank that you are in fact holding a real Driver's ID, and they can verify who you are, and you can use your own personal security key device to set up a trust relationship to the CRA and not to the bank (again: the CRA is authenticating you; it's working on your behalf, not on the behalf of the bank).

      As for why I hate U2F devices? Yubico built them right. They use secure hardware--specialized, physically-unhackable without some serious high-end equipment, and potentially impossible to get into without destroying it unless you can remove ceramic in atomic layers--and they accept a challenge, then issue a response. You have a parent key, which the device uses to create child keys, and then sends the certificate (public key) to whoever wants it. No exposure of the identity credential: you can only identify t

    • PCI-DSS is an industry standard specifically meant to prevent the government from stepping in and regulating. Equifax I'm sure complies with it in all respects.

      I think the trouble here is Equifax has virtually no penalty here (save a few million paid out to lawyers in the inevitable class action, assuming the recent laws regarding mandatory Arbitration don't kick in which depending on when the breach happened they might). When you say regulation what you really mean are fines bigger than cost of actuall
  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Friday September 08, 2017 @09:20AM (#55158703)

    Even if Equifax is found to have been careless with all that vital personal information, I doubt they'll get more than a slap on the wrist.

    Why should corporations, government or the courts give a crap about people's privacy, when so many of the people themselves very obviously couldn't care less?

    • by Gilgaron ( 575091 ) on Friday September 08, 2017 @09:37AM (#55158817)
      This is a credit agency, though... more or less anyone that is capable of getting credit will be in there, so this undermines the whole way we borrow money if everyone can be faked easily. What other information can we give to identify ourselves, and if we come up with some other information to hand over, what when credit DB V2.0 gets hacked?
    • Why? Because this isn't Facebook or Twitter or some social media company that is datamining your cat picture posts and the inconsequential conversations you have with people for purposes of targeting ads at you; this is YOUR IDENTITY BEING STOLEN, EN MASSE, by who-knows-what criminal organization, and likely that information is being sold to the highest bidder(s) even as we speak. Your entire life could be RUINED, PERMANENTLY, depending on how that information is used. For all you or anyone else knows, it c
    • There's a big difference between 'ok, so the NSA knows who I've been having phone sex with and multiple people know what kind of porn I look at' and 'what do you mean I can't buy my dreamhouse? where the fuck did all these maxed out credit cards come from? I never opened those!'

      This isn't privacy, this is identity, and folks will care alot more when it starts to effect them negatively.

  • by ErichTheRed ( 39327 ) on Friday September 08, 2017 @09:22AM (#55158709)

    Equifax and the 2 other credit bureaus have a ton of non-credit related information on consumers as well. It will be interesting to see what else was not reported as part of the breach.

    I'm going to sound like an old fart, but a lot of these "cyberattacks" end up being down to a very dumb misconfiguration like leaving FTP open, failure to patch security holes, and things like leaving data on unprotected public cloud storage. Part of my job is being a technical mentor to some of our more junior staff, and what I'm seeing is a lot of developers and CS people who really don't know the guts of how IT works. I'm not saying people should go back to punch cards and assembler, but having some clue about TCP/IP, DNS, what an open port on a server means, how a firewall works, etc. would go a long way to preventing some of the dumber things I've seen. Most of this is very much abstracted, and in a "cloud-first" world it's even more so. The network is just assumed to work underneath everything else, and i think this is where a lot of the misconfiguration problems get missed.

    We may or may not see what actually happened. It could have been some state-sponsored hacking group planning a painstaking attack requiring intimate knowledge of everything. But knowing what I know about corporate IT, it was most likely some lowest-bidder contractor being forced to pull another 12-hour shift and missing something. Until companies have to actually pay for these issues, all we're going to get is "free credit monitoring" for a year, which costs them nothing, and _maybe_ we'll get a check for 11 cents from a class action lawsuit 20 years from now when it winds its way through the system.

    • They stored passwords in plaintext, and emailed them (as plaintext again) directly to people when they checked off the "I lost my password" box on the website...
    • You're basically saying, "we should spend a lot of money having smart people plug a million different holes". That's the current strategy and it has failed at everything other than making cyber-security 'specialists' wealthy.

      That strategy is the digital equivalent of storing your valuables scattered throughout a mall, and then hiring enough mall cops on Segways to cover all the doors. Unsurprisingly, the right strategy is the digital equivalent of storing your valuables in a good safe, with one door that
  • by EnOne ( 786812 ) on Friday September 08, 2017 @09:23AM (#55158713)
    "Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers." https://www.bloomberg.com/news... [bloomberg.com]
  • by Anonymous Coward on Friday September 08, 2017 @09:25AM (#55158731)

    So, as a result, the US loan industry is going to end their grossly negligent practice of using my Social Security Number as the root password to my financial life, right?

  • by Anonymous Coward

    i keep hoping that every single SSN for every american will leak so that the SSN can no longer be used the way it is using now... i wish the breach would be much worse until enough SSNs are available to everyone and the SSN can no longer be used as a personal identifier

  • by wardrich86 ( 4092007 ) on Friday September 08, 2017 @09:31AM (#55158773)
    I'm sure nobody will be jailed. A fine will be issued, which will be passed off as increased fees to clients. A few buzzwords will probably be thrown around about how amazing their security is now, but probably little will change. 5-10 years from now this will happen again. Maybe not to Equifax, but to some other company that didn't learn from the mistakes of the past.
    • I'm sure nobody will be jailed.

      I'm not. At least not for the data breach. The share sale on the other hand...

  • by RobinH ( 124750 ) on Friday September 08, 2017 @09:37AM (#55158815) Homepage
    I realize the SSC is used as a primary key, but if you think about it, to do their job, they could have just stored a salted hash of the social security number along with a plain text full name and address. To find someone, you lookup anyone with a similar name in the database (maybe filtering by address, etc.) and then you take the given social security number and compute the hash for the maybe at most a dozen results until you find the one that matches. Now you still have the ability to uniquely find a record by a social security number, but you never need to store the actual social security number for hackers to steal.
    • by arth1 ( 260657 )

      I realize the SSC is used as a primary key, but if you think about it, to do their job, they could have just stored a salted hash of the social security

      The SSN is only 9 digits long. It's trivial to crack a 30-bit keyspace.

      Use it as what it was meant to be - a public unique identifier, and not a secret. Its role is to separate John Doe from John Doe and John Doe, not anything else.

    • they could have just stored a salted hash of the social security number along with a plain text full name and address

      I have a better idea. Store it in plain text and start treating the SSN like what it is: a unique number, not a authenticator, not a piece of private information, and not something of importance, not something that certifies you are who you say you are, and certainly not something that if anyone got their hands on would make anyone else think that you are any more you than they did before.

  • by Average ( 648 ) on Friday September 08, 2017 @09:49AM (#55158869)

    The breach is annoying. It's also almost an inevitable thing.

    Can we *now* start talking about moving beyond "a ten-digit number and some generally publicly-researchable information is enough to do almost anything as you"?

    I mean, seriously. Next year will be the 40th anniversary of the publishing of the RSA algorithm. Secure smartcards have been around for 25 of those years, and some countries have been issuing them for 15+ years now. Bit of biometric, and Alice is your digitally-signed aunt.

    No... we're still in a country minting pennies and shuffling 19th century bank-draft checks around, aren't we? Oh, and the exact same people who are freaking out about 'Voter ID protects the sanctity of the vote' simultaneously go bat-guano crazy if you propose an actually secure ID card system.

    • by djinn6 ( 1868030 )
      Took the words right out of my mouth. Opening a line of credit should require a public notary as witness, with associated identity checks done in person. And the whole process should be video taped.

      The current situation is made worse by the fact that as the identity theft victim, you're the one who needs to prove it was fraud, rather than the bank needing to prove it was you who opened it, meaning you need to cough up lawyer money exactly when you have the least control over your finances.
  • Plus which, I didn't consent to let these fuckers store my information in the first place. I can't opt out. It's one thing when, say, Amazon loses the credit card number that I chose to store in their system to simplify my transactions. It's something else when an organization that's actually hostile to me is storing my personal information against my wishes ALSO gives it away.
  • Make the board and c suite PERSONALY responsible for the break, to the tune of one million $ per persons info exposed. Take everything they have. Money, bank accounts, houses, all possessions, retirement accounts, children's college funds, trusts. All of it. Put them on the street.
  • Back in the 1980's/early 1990's I knew several people who hacked CBI (Credit Bureau Inc) We used to hack the X accounts because accounts that started with an X were admin accounts.

    Back then when you got one, you could see everything! Bank account numbers, credit card numbers, etc, etc. You could even change the information reported on a persons account.

    So, once we had them we would sell "Corrections" to peoples reports AND some would even use it to card stuff. (Buy stuff on someone eases credit card)

    Those b

  • As an example of more (probably) sloppy security, I just put a freeze on my credit with Equifax (and the others). Equifax gives you a pin number that you need to unfreeze your credit at a later date. Imagine my surprise when my pin is almost exactly the same as the one they issued my wife. It appears that they use sequential pin numbers for each freeze. Either that or it is generated using our personal info which would make it reversible I imagine. Seems to me that the pin should be random or at least
  • Home Depot (Score:3, Insightful)

    by Chaldean42 ( 1346793 ) on Friday September 08, 2017 @10:17AM (#55159073)
    This is a double kick in the nads to anyone who was part of the Home Depot breach, since they were all given a year of premium Equifax credit monitoring.
  • That this type of info is basically public domain at this point, and any company using it to verify identity is being negligent?

  • I'm glad we are imposing a $300 per person whose info leaked fine as well as free coverage of any resulting charges that result directly from this theft of information. Not to mention jail the people who sold stock on inside information. That outta teach them a lesson! /s
  • At least it wasn't just my life they stole. With 143M of us affected we can do something about it together if things go wrong on a large scale (like social security gets drained)
  • "Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally."

    As long as 99.9% of the settlement goes to those who were affected I can get behind this. Unfortunately I know that a huge chun
  • Social Security numbers were intended for one purpose only, to identify the Social Security retirement account of individual citizens.

    The fundamental security model of Equifax and the other credit agencies has always been broken. In my opinion the very best thing that could happen would be if a complete database of the names, addresses, birthdates, and social security numbers of every single US citizen was published and updated quarterly. The clowns at these credit agencies need to stop building an identifi

  • I generally use a custom, unique address for each domain where I register, and did the same when I registered with Equifax to get my credit report through the free annual credit report that we are entitled to receive.

    Two years later (2011), I started getting lots of spam for the address that I had used ONLY for Equifax and nowhere else. They've had crappy security (and most likely a customer data breach) since way back when.

    I even emailed their customer service to report this at that time and their response

  • By now all that information has likely been copied a bunch of times, sent off to who knows where, and/or has been sold off to the highest bidder(s). Even if they determine who did the hack, the chances of the information being contained is essentially zero, especially considering the hack was done at least a month ago. It's all in the wind now and nothing will get it all back. It'll be months, or maybe years, before we find out the real extent of the damage.
  • ...Equifax shouldn't survive this.

    And the board of directors should be* held responsible for the management practices that allowed this sort of error to happen.

    Ultimately, the buck needs to stop somewhere, that's why they get the very big bucks. I believe their CEO was paid $13.4 million last year. Taking that, plus the lush salaries of their board and other c-levels, would be a start.

    *OK I'm even laughing as I type, knowing how unlikely this is

  • by rbrander ( 73222 ) on Friday September 08, 2017 @11:42AM (#55159703) Homepage

    ...not perfectly, of course. A previous poster is correct that no system is perfect. But systems that are well-regulated can be pretty good. The airline industry used to drop planes as frequently as we hear about major data-breaches today: like every month. Now it's less than one per year, despite travel having increased over 10 fold.

    We could be hearing about 1/100th as many data-breaches, as well. A bunch of financial services would get a little more expensive, but only a little, just like airline fares have not gone out of sight - they didn't even go out of sight after 9/11 when new regulations made flying more expensive. Just not much.

    This company has NO reason to spend more money on security next year. Why would they? The actual financial consequences of this event are really quite minor for them. No fines, no lawsuits, and almost no compensation. (The "year of monitoring" will cost about as much as a coffee for each of the 1% that sign up for it.)

    If Corporate Death Penalty were the consequence of an event like this, you'd see OpenBSD web sites with custom web servers written to only provide the application; you'd see humans paid to monitor the logs in real time, and more humans to watch them. You'd see the difference between how civilians do things and how the military do things, not caring that they spend a hundred dollars where a civilian would spend five. And you'd see some real results. Right now, failure is not just an option, its the cheaper one.

    People prattling on about how "nothing could have prevented this" are exactly like those who said the same about the Titanic - until new regulations that were "utterly unaffordable" the day before Titanic were suddenly gospel: double-hulls were very expensive, watertight compartments that go 20ft above water line, enough lifeboats for everybody, 7x24 ice patrols, 7x24 wireless monitoring on every ship. All of that was "impossible" the day before Titanic. The security equivalent is still "impossible" here, because there is essentially no penalty for failure.

  • The breach Equifax reported Thursday is very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals.

    I disagree. I think that the federal domestic data collection programs constitute the worst leak of personal information ever.

  • by wwalker ( 159341 ) on Friday September 08, 2017 @12:50PM (#55160105) Journal

    Why was the system with everyone's SSNs connected to internet at all? Why was it not air gapped?! You don't need plaintext SSN included on anyone's credit report, it's only used for authentication (shouldn't be, but too late to change it now I guess). So why not treat it as passwords? As in, properly salted and hashed. And then you don't have to worry about it being stolen. Did they even hire any security experts when designing the system?!

  • by phalse phace ( 454635 ) on Friday September 08, 2017 @01:21PM (#55160327)

    Looks like Equifax's Chief Security Officer Susan Mauldin is unqualified for her position. She doesn't seem to have the necessary education or experience.

    You could go to her LinkedIn profile to check yourself. Only problem is she deleted it.

    https://www.linkedin.com/in/susan-mauldin-93069a

    Thankfully, someone did a screen capture: http://i.imgur.com/QiXX3it.jpg

  • by sfcat ( 872532 ) on Friday September 08, 2017 @01:38PM (#55160425)
    I worked for a company that was quite similar to Equifax and had the same level of PII on about half as many people. When I started, they seemed to take security seriously. But there were several other large breaches at other companies while I was there and nothing happened to those companies. So I watched as the company took greater and greater risks with security (often to save days or weeks of work for a single engineer). By the time I left, its security was on par with a company I worked for before that sold products for new mothers and kept no PII at all.

    Unless and until the FTC starts fining these companies large enough fines to cause the execs to take notice, these breaches will continue and only get worse. Security is a process and a breach like this usually required multiple lazy or sloppy decisions just to make the exploit possible. These breaches aren't national state actors writing custom exploits. These are script kiddies trolling for sloppy systems they can exploit. And those systems wouldn't be exploitable by those kiddies unless the engineers and IT folks were being so lazy and sloppy with security. There aren't even good risk reward decision making on these issues. The attitude is if I can save 1 dollar by doing less security, we will. Until fines and criminal charges start becoming a real risk, companies will continue to be breached over and over again.

  • by WolfgangVL ( 3494585 ) on Friday September 08, 2017 @02:03PM (#55160583)

    I guessing, but I bet if everybody puts the 90 day fraud lock on the credit, all of the banks, lending institutions, and money based businesses will really feel the squeeze.

    I understand the 90 day fraud lock is free.....

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...