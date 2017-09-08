

 


Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com)

Posted by msmash from the massive-implications dept.
The breach Equifax reported Thursday is very possibly the most severe of all for a simple reason: the breathtaking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver's license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect that the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.

Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.

  • I was already affected by the US Office of Personnel Management hack, because I needed clearances to get my $55k job doing government IT support in Silicon Valley. It was a small price to pay.

    • Yea. That one was worse because of the potential to have fingerprint data as well.

    • The same thing happened to me. Those bastards!

    • Frankly, too late for most of us.
      However, the article kind of hints at the problem: these companies all revert to this as identification. And often, the same stupid security questions (seriously, you think someone couldn't figure out my mother's maiden name from a basic search of several sites? Or use most people's Facebook to figure out where they were born or the name of their high school?)

      While the proliferation of security bugs is worrisome, with what seems like a new security failure every couple of months

    • I was already affected by the US Office of Personnel Management hack, because I needed clearances to get my $55k job doing government IT support in Silicon Valley.

      Ouch...man, you need to renegotiate....someone is getting WAAAAAY too much of your bill rate for federal IT work with a clearance.

      You should be pulling in 6 figures for that.

      Oh wait.

      Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily affect major life events (e.g., home purchases).

      They make money from using our information, provide little benefit to us, and hold almost no accountability when they're wrong but can and often do horribly affect consumers' lives based on data they provide--even when it's inaccurate.

      • Maybe these types of incidents can break down reliance and acceptance of these credit agencies that have established themselves as critical and non-optional services that heavily affect major life events

        But it won't because the institutions that rely on these agencies don't give a damn. They don't lose anything over it. Anything goes wrong and the government will bail them out and leave us holding the bag.

        Given that the effects of the rating agencies' massive and corrupt dealing which led to the collapse of the world's banking system in 2010 were that, er, the rating agencies were allowed to continue exactly as before, I don't expect this will hurt Equifax too much. What will hit them harder, in all likelihood, is the possibility of insider-dealing pushing their share price low enough for Experian to buy them up and then ALL their data will be, once more, transferred to another party without any of the people

    Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever so far.

    The Equifax executives apparently sold stock immediately after learning of the breach. Jail them all for incompetence _and_ insider trading.

  • That company is rotten to the core. They have far too much power over our lives and very near zero accountability for how they handle that power. Allowing those hacks to decide how credit worthy someone is could be one of the worst ideas of the 20th century, and we have unfortunately held on to that terrible idea into the 21st century as well.

    • I'm not defending them, but how else would you propose preventing someone from running up a whole ton of debt, skipping out on it, and then doing it again at another creditor? The best way is to have some sort of equal-access clearinghouse of information on consumers.

      The problem is that people are sometimes irresponsible. It's not even just regular consumers...many business owners and wealthy people just go around starting companies, load them up with debt and bankrupt them. That's allowed under the current

        I'd started to moderate this discussion but I'll lose it to answer your question:

        how else would you propose preventing someone from running up a whole ton of debt, skipping out on it, and then doing it again at another creditor?

        Like they do in every (?) other country: you go to a bank, show them your bank statements for the last few years, your tax statements, your job contracts, your current house mortgages and anything else they ask, and THEY decide on what kind of loan to give you based on that info. Oh, and yes, having a state-backed ID card helps against you running away and trying somewhere else. No centralization: too much power, too much risk a

    • Rotten and incompetent.
      The Equifax main site sends users to https://www.equifaxsecurity201... [equifaxsecurity2017.com] which points to https://trustedidpremier.com/e... [trustedidpremier.com] which then asks for a last name and 6 digits of a social security number.

      I do not understand why they even exist. In Belgium we have the National Bank that has the database of all credits. A company has to check there to even be allowed to give a credit. They also need to add the credit they open. They do not see the other companies, just the number of loans and the amounts and all the rest, so they can calculate if there is enough margin to allow a credit.
      If a person is on the black list (late payments) they will not be allowed ANY credit. If a company gives a credit where it was

  • In a just world this would be the end of Equifax. Cannibalize the corpse to compensate all those who will be victimized because of their incompetence over the coming years. We still have 2 other credit reporting agencies.

    Won't happen though. Too big to jail.

  • They deserve to be put out of business.

    We have PCI-DSS for companies that deal with credit card information. Why not for companies that store even more sensitive information that potentially allows a criminal to pretty much take over my life by essentially stealing my identity?

    The damage here is way more serious than ANYTHING the loss of a million credit card numbers could mean. Could it be that it's just us that have to foot the bill instead of Visa and Mastercard?

    No, that can't be. Government represents the people, right?

    Fuckers, I hope some Supreme Court judge alongside of a few congresscritters get hit badly with this breach. I usually don't wish bad things to happen to anyone, but I really hope that one of them has their identity stolen, their credit rating trashed and their life basically ruined by this hack.

    Because ONLY then we'll FINALLY see something happen.

    Even if Equifax is found to have been careless with all that vital personal information, I doubt they'll get more than a slap on the wrist.

    Why should corporations, government or the courts give a crap about people's privacy, when so many of the people themselves very obviously couldn't care less?

      This is a credit agency, though... more or less anyone that is capable of getting credit will be in there, so this undermines the whole way we borrow money if everyone can be faked easily. What other information can we give to identify ourselves, and if we come up with some other information to hand over, what happens when credit DB V2.0 gets hacked?

      I don't think it's quite right to say that most people "don't care" about privacy (implying that those people will never care). I think a more realistic way to put it is that most people don't have the capacity to envision disaster. When disaster strikes them personally, you can bet your house they will start caring about privacy. Until then, they fool themselves into thinking they have something to beat their chests about.

    Equifax and the 2 other credit bureaus have a ton of non-credit related information on consumers as well. It will be interesting to see what else was not reported as part of the breach.

    I'm going to sound like an old fart, but a lot of these "cyberattacks" end up being down to a very dumb misconfiguration like leaving FTP open, failure to patch security holes, and things like leaving data on unprotected public cloud storage. Part of my job is being a technical mentor to some of our more junior staff, and what I'm seeing is a lot of developers and CS people who really don't know the guts of how IT works. I'm not saying people should go back to punch cards and assembler, but having some clue about TCP/IP, DNS, what an open port on a server means, how a firewall works, etc. would go a long way to preventing some of the dumber things I've seen. Most of this is very much abstracted, and in a "cloud-first" world it's even more so. The network is just assumed to work underneath everything else, and I think this is where a lot of the misconfiguration problems get missed.

    We may or may not see what actually happened. It could have been some state-sponsored hacking group planning a painstaking attack requiring intimate knowledge of everything. But knowing what I know about corporate IT, it was most likely some lowest-bidder contractor being forced to pull another 12-hour shift and missing something. Until companies have to actually pay for these issues, all we're going to get is "free credit monitoring" for a year, which costs them nothing, and _maybe_ we'll get a check for 11 cents from a class action lawsuit 20 years from now when it winds its way through the system.

  • "Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers." https://www.bloomberg.com/news... [bloomberg.com]

  • That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come.

    WRONG! The individuals are not at risk of fraud. Banks and other institutions are at risk of fraud. It is not your responsibility if some dipshit bankster or other idiot "Business" opens fraudulent loans etc. in your name because they don't do their due diligence. There is no such thing as "Identity Theft". There is "Fraud". Do not accept that it is your responsibility to deal with the fallout from this. Sue! Sue immediately if anyone tries to make it your problem. If something goes against your credit repo

  • So, as a result, the US loan industry is going to end their grossly negligent practice of using my Social Security Number as the root password to my financial life, right?

    I'm sure nobody will be jailed. A fine will be issued, which will be passed off as increased fees to clients. A few buzzwords will probably be thrown around about how amazing their security is now, but probably little will change. 5-10 years from now this will happen again. Maybe not to Equifax, but to some other company that didn't learn from the mistakes of the past.

    I realize the SSN is used as a primary key, but if you think about it, to do their job, they could have just stored a salted hash of the social security number along with a plain text full name and address. To find someone, you look up anyone with a similar name in the database (maybe filtering by address, etc.) and then you take the given social security number and compute the hash for the maybe at most a dozen results until you find the one that matches. Now you still have the ability to uniquely find a record by a social security number, but you never need to store the actual social security number for hackers to steal.
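    The lookup scheme the comment above describes (a salted hash of the SSN stored beside the plain-text name and address, verified by recomputing the hash for the handful of name matches), as an added Python example that is not from the thread. It goes one step beyond the comment by keying the hash with a server-side secret, because the 9-digit SSN space is small enough that a plain salted hash can be guessed per record; the names, addresses and SSNs are constructed, and PEPPER is a hypothetical stand-in for a key held in a KMS/HSM.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical server-side secret ("pepper"), kept in a KMS/HSM rather than
# beside the records so a stolen table cannot be brute-forced over 1e9 SSNs.
PEPPER = b"example-pepper-not-stored-with-the-records"


def normalize_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' hash identically."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has exactly 9 digits")
    return digits


def ssn_token(ssn: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    """Per-record salted, keyed hash: the random salt defeats one precomputed
    table for all records, the secret key defeats per-record guessing."""
    return hmac.new(pepper, salt + normalize_ssn(ssn).encode(), hashlib.sha256).digest()


@dataclass
class Record:
    full_name: str  # stored in clear, as the comment proposes
    address: str    # stored in clear
    salt: bytes     # 16 random bytes, unique per record
    token: bytes    # ssn_token(...); the SSN itself is never stored


class Bureau:
    def __init__(self) -> None:
        self.records: List[Record] = []

    def add(self, full_name: str, address: str, ssn: str) -> Record:
        salt = os.urandom(16)
        rec = Record(full_name, address, salt, ssn_token(ssn, salt))
        self.records.append(rec)
        return rec

    def find(self, full_name: str, ssn: str, address: Optional[str] = None) -> Optional[Record]:
        """Narrow by surname (and address), then verify each candidate's token."""
        surname = (full_name.split() or [""])[-1].casefold()
        for rec in self.records:
            if rec.full_name.split()[-1].casefold() != surname:
                continue
            if address is not None and rec.address.casefold() != address.casefold():
                continue
            if hmac.compare_digest(rec.token, ssn_token(ssn, rec.salt)):
                return rec
        return None
```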

  • The breach is annoying. It's also almost an inevitable thing.

    Can we *now* start talking about moving beyond "a ten-digit number and some generally publicly-researchable information is enough to do almost anything as you"?

    I mean, seriously. Next year will be the 40th anniversary of the publishing of the RSA algorithm. Secure smartcards have been around for 25 of those years, and some countries have been issuing them for 15+ years now. Bit of biometric, and Alice is your digitally-signed aunt.

    No... we're

  • Plus which, I didn't consent to let these fuckers store my information in the first place. I can't opt out. It's one thing when, say, Amazon loses the credit card number that I chose to store in their system to simplify my transactions. It's something else when an organization that's actually hostile to me is storing my personal information against my wishes ALSO gives it away.

  • Make the board and C-suite PERSONALLY responsible for the breach, to the tune of one million $ per person's info exposed. Take everything they have. Money, bank accounts, houses, all possessions, retirement accounts, children's college funds, trusts. All of it. Put them on the street.

  • In the short term - yes, lots of identity theft and fraud. Long term? The whole premise of there being such a thing as meaningful credit monitoring or useful/reliable credit checks is, arguably, already undermined - possibly for decades. They're saying over half of the credit-using US population are compromised. That means that businesses that extend credit now will have to either greatly curtail the amount of credit they extend, or else risk extending credit even to people whose credit ratings are tarni

