2017-09-08: Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com)
The breach Equifax reported Thursday is very possibly the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.
Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.
Too late for me (Score:2)
Re: (Score:2)
Yea. That one was worse because of the potential to have fingerprint data as well.
Re: (Score:2)
Re: Too late for me (Score:1)
Frankly, too late for most of us.
However, the article kind of hints at the problem: these companies all revert to this as identification. And often, the same stupid security questions (seriously, you think someone couldn't figure out my mother's maiden name from a basic search of several sites? Or use most people's Facebook to figure out where they were born or the name of their high school?)
While the proliferation of security bugs is worrisome, with it seems like a new security failure every couple months
Re: (Score:2)
Ouch...man, you need to renegotiate....someone is getting WAAAAAY too much of your bill rate for federal IT work with a clearance.
You should be pulling in 6 figures for that.
Re: (Score:2)
But russia hacked the DNC, so impeach Trump!!!!
Seriously, the reaction to these "hacks" is so imbalanced. The OPM hack, while not as large as Equifax, included much more detailed information on subjects. I consider at this point that the information that Equifax has on me is "public." Considering all of the letters I have gotten from the VA, OPM, Target, Home Depot, etc...
That's it. I'm done with Equifax (Score:3, Funny)
Oh wait.
Re: That's it. I'm done with Equifax (Score:4, Interesting)
Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily affect major life events (e.g., home purchases).
They make money from using our information, provide little benefit to us, and hold almost no accountability when they're wrong but can and often do horribly affect consumers' lives based on data they provide--even when it's inaccurate.
Re: (Score:1)
Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily affect major life events
But it won't because the institutions that rely on these agencies don't give a damn. They don't lose anything over it. Anything goes wrong and the government will bail them out and leave us holding the bag.
Re: (Score:1)
Re: (Score:2)
Give it time. (Score:5, Insightful)
Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever so far.
Re: (Score:1)
.. that we know of.
Send 'em to jail (Score:4, Informative)
The Equifax executives apparently sold stock immediately after learning of the breach. Jail them all for incompetence _and_ insider trading.
Re: (Score:1)
Agreed! (Score:1)
Jail Them!
Hopefully this will be the end of equifax (Score:5, Insightful)
Re: (Score:2)
I'm not defending them, but how else would you propose preventing someone from running up a whole ton of debt, skipping out on it, and then doing it again at another creditor? The best way is to have some sort of equal-access clearinghouse of information on consumers.
The problem is that people are sometimes irresponsible. It's not even just regular consumers...many business owners and wealthy people just go around starting companies, load them up with debt and bankrupt them. That's allowed under the current
Re: (Score:2)
how else would you propose preventing someone from running up a whole ton of debt, skipping out on it, and then doing it again at another creditor?
Like they do in every (?) other country: you go to a bank, show them your bank statements for the last few years, your tax statements, your job contracts, your current house mortgages and anything else they ask, and THEY decide on what kind of loan to give you based on that info. Oh, and yes, having a state-backed ID card helps against you running away and trying somewhere else. No centralization: too much power, too much risk a
Re: (Score:2)
The Equifax main site sends users to https://www.equifaxsecurity201... [equifaxsecurity2017.com] which points to https://trustedidpremier.com/e... [trustedidpremier.com] which then asks for a last name and 6 digits of a social security number.
Re: (Score:2)
I do not understand why they even exist. In Belgium we have the National Bank that has the database of all credits. Company has to check there to even be allowed to give a credit. They also need to add the credit they open. They do not see the other companies, just the number of loans and the amounts and all the rest, so they can calculate if there is enough margin to allow a credit.
If a person is on the black list (late payments) they will not be allowed ANY credit. If a company gives a credit where it was
In a just world this would be the end of Equifax (Score:1)
In a just world this would be the end of Equifax. Cannibalize the corpse to compensate all those who will be victimized because of their incompetence over the coming years. We still have 2 other credit reporting agencies.
Won't happen though. Too big to jail.
For this irresponsible behavior (Score:2)
they deserve to be put out of business.
Re: (Score:2)
Yep. Now, I will refuse to do business with them.... ohwait.
Re: (Score:2)
Re: (Score:2)
In what way is this a failure of big government?
I'd actually assert that this is a failure of small government - in Europe where the government is bigger, there's regulations about what information these companies can store, how they must store it, and what the penalty is if they fail to do so.
Re: (Score:1)
I would say at least indirectly, yes.
The laws, rules and regulations that protect Equifax from those it is screwing are all done in collusion with big government. Big Corporations have access in the halls of power that an individual who has been wronged doesn't have. Even in a case like this, the ONLY way the affected individuals can have any influence is long after the damage is done, and only if they band together in a class action lawsuit. The laws won't change regardless.
And while all this is happening,
It's time for regulation. Sorry to say it. (Score:5, Insightful)
We have PCI-DSS for companies that deal with credit card information. Why not for companies that store even more sensitive information that potentially allows a criminal to pretty much take over my life by essentially stealing my identity?
The damage here is way more serious than ANYTHING the loss of a million credit card numbers could mean. Could it be that it's just us that have to foot the bill instead of Visa and Mastercard?
No, that can't be. Government represents the people, right?
Fuckers, I hope some Supreme Court judge alongside of a few congresscritters get hit badly with this breach. I usually don't wish bad things to happen to anyone, but I really hope that one of them has their identity stolen, their credit rating trashed and their life basically ruined by this hack.
Because ONLY then we'll FINALLY see something happen.
Re: (Score:1)
Government represents the people, right?
97% reelection rates say, yes, the government does represent those who vote.
A lot of people don't care about privacy (Score:3)
Even if Equifax is found to have been careless with all that vital personal information, I doubt they'll get more than a slap on the wrist.
Why should corporations, government or the courts give a crap about people's privacy, when so many of the people themselves very obviously couldn't care less?
Re:A lot of people don't care about privacy (Score:4, Insightful)
Re: (Score:1)
I don't think it's quite right to say that most people "don't care" about privacy (implying that those people will never care). I think a more realistic way to put it is that most people don't have the capacity to envision disaster. When disaster strikes them personally, you can bet your house they will start caring about privacy. Until then, they fool themselves into thinking they have something to beat their chests about.
Yay, more free credit monitoring for me. :-) (Score:3)
Equifax and the 2 other credit bureaus have a ton of non-credit related information on consumers as well. It will be interesting to see what else was not reported as part of the breach.
I'm going to sound like an old fart, but a lot of these "cyberattacks" end up being down to a very dumb misconfiguration like leaving FTP open, failure to patch security holes, and things like leaving data on unprotected public cloud storage. Part of my job is being a technical mentor to some of our more junior staff, and what I'm seeing is a lot of developers and CS people who really don't know the guts of how IT works. I'm not saying people should go back to punch cards and assembler, but having some clue about TCP/IP, DNS, what an open port on a server means, how a firewall works, etc. would go a long way to preventing some of the dumber things I've seen. Most of this is very much abstracted, and in a "cloud-first" world it's even more so. The network is just assumed to work underneath everything else, and I think this is where a lot of the misconfiguration problems get missed.
We may or may not see what actually happened. It could have been some state-sponsored hacking group planning a painstaking attack requiring intimate knowledge of everything. But knowing what I know about corporate IT, it was most likely some lowest-bidder contractor being forced to pull another 12-hour shift and missing something. Until companies have to actually pay for these issues, all we're going to get is "free credit monitoring" for a year, which costs them nothing, and _maybe_ we'll get a check for 11 cents from a class action lawsuit 20 years from now when it winds its way through the system.
Three executives sold 1.8 million in stock (Score:2)
Re: (Score:3)
Re: (Score:3)
I'm not sure if that qualifies as insider trading
Of course it does. Any time an employee trades stock in the company he's employed by, that's insider trading because the employee is an "insider". Most of the time, it's perfectly legal.
From SEC.gov: [sec.gov] "Illegal insider trading refers generally to buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence, while in possession of material, nonpublic information about the security." And that is what happened here, because the trading happened before the public was m
WRONG! (Score:1)
That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come.
WRONG! The individuals are not at risk of fraud. Banks and other institutions are at risk of fraud. It is not your responsibility if some dipshit bankster or other idiot "Business" opens fraudulent loans etc. in your name because they don't do their due diligence. There is no such thing as "Identity Theft". There is "Fraud". Do not accept that it is your responsibility to deal with the fallout from this. Sue! Sue immediately if anyone tries to make it your problem. If something goes against your credit repo
Surely this marks the end of "SSN as passwords" (Score:1)
So, as a result, the US loan industry is going to end their grossly negligent practice of using my Social Security Number as the root password to my financial life, right?
Business as usual... (Score:3)
Re: (Score:2)
it's really sad that you are 100% right
:-(
Didn't really need to store all that data (Score:3)
Re: (Score:2)
I realize the SSN is used as a primary key, but if you think about it, to do their job, they could have just stored a salted hash of the social security
The SSN is only 9 digits long. It's trivial to crack a 30-bit keyspace.
Use it as what it was meant to be - a public unique identifier, and not a secret. Its role is to separate John Doe from John Doe and John Doe, not anything else.
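To quantify the reply's point that a salted hash does not protect a 9-digit SSN, here is an added example (not from any commenter) that computes the keyspace in bits, recovers a constructed SSN from its salted SHA-256 by exhaustive enumeration, and extrapolates a full-search time from a short measured run; the salt value and the SSN are constructed for the demo.

```python
import hashlib
import math
import os
import time

SSN_KEYSPACE = 10 ** 9  # every 9-digit string: the upper bound on candidates


def keyspace_bits(size=SSN_KEYSPACE):
    """Effective entropy of the search space in bits (log2 of candidate count)."""
    return math.log2(size)


def salted_hash(ssn, salt):
    """Salted SHA-256 of an SSN, the scheme the parent comment proposes."""
    return hashlib.sha256(salt + ssn.encode()).hexdigest()


def recover_ssn(target_digest, salt, limit=SSN_KEYSPACE):
    """Exhaustively test 9-digit candidates against one salted digest.

    The salt is stored beside the hash, so it is known; the only unknown is
    the SSN, and the enumeration is bounded by 10**9 candidates no matter
    which hash function is used. Returns None if no candidate matches.
    """
    for n in range(limit):
        candidate = f"{n:09d}"
        if salted_hash(candidate, salt) == target_digest:
            return candidate
    return None


def seconds_for_full_search(sample=200_000):
    """Measure this machine's single-threaded hash rate, extrapolate to 10**9."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for n in range(sample):
        salted_hash(f"{n:09d}", salt)
    per_hash = (time.perf_counter() - start) / sample
    return per_hash * SSN_KEYSPACE


if __name__ == "__main__":
    salt = os.urandom(16)
    # Constructed SSN placed low in the range so the demo finishes quickly;
    # the worst case is simply 10**9 iterations of the same loop.
    secret = "000012345"
    digest = salted_hash(secret, salt)
    print("keyspace bits:", round(keyspace_bits(), 1))
    print("recovered:", recover_ssn(digest, salt))
    print("full-search estimate, one core, seconds:", round(seconds_for_full_search()))
```

The extrapolated figure is for unoptimised single-core Python; dedicated hashing hardware is orders of magnitude faster, which is why the keyspace, not the hash choice, decides the outcome.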
So, is it yet time to talk about actual security? (Score:2)
The breach is annoying. It's also almost an inevitable thing.
Can we *now* start talking about moving beyond "a ten-digit number and some generally publicly-researchable information is enough to do almost anything as you"?
I mean, seriously. Next year will be the 40th anniversary of the publishing of the RSA algorithm. Secure smartcards have been around for 25 of those years, and some countries have been issuing them for 15+ years now. Bit of biometric, and Alice is your digitally-signed aunt.
No... we're
And don't forget: (Score:2)
anyone on here a former employee of Equifax IT? (Score:1)
Anyone else on here a former employee of Equifax's IT side in Atlanta? They really are pretty rotten with how they treat their employees. I averaged 5 hours of sleep on a good night including Saturdays and Sundays. Work all night and be in by nine am every weekday. The level of processes to try and get anything done were insane. Everyone wanted to dump everything and claim no responsibility. Everyone waits till 4:30 PM to dump their needed changes on you, no time to review. Every night was a change window.
Easy fix (Score:2)
Paradigm shift? (Score:1)
Not the worst breach (Score:2)
Back in the 1980's/early 1990's I knew several people who hacked CBI (Credit Bureau Inc). We used to hack the X accounts because accounts that started with an X were admin accounts.
Back then when you got one, you could see everything! Bank account numbers, credit card numbers, etc, etc. You could even change the information reported on a person's account.
So, once we had them we would sell "Corrections" to people's reports AND some would even use it to card stuff. (Buy stuff on someone else's credit card)
Those b