Government Officials Begin Investigating Equifax Breach (thehill.com) 142
An anonymous reader quotes the Hill:
The massive breach of credit rating firm Equifax is attracting scrutiny from government officials across the country. Lawmakers from both parties have expressed concern over the hack, which could have left vulnerable sensitive personal information for as many as 143 million people. The New York, Pennsylvania and Illinois attorneys general have announced formal investigations into the hack...
The Senate Commerce Committee announced on Thursday that it sent a letter to Equifax seeking answers about the extent of the breach and what Equifax is doing to mitigate its impact. In the House, Financial Services Committee Chairman Jeb Hensarling (R-Texas) said that his committee would hold a hearing on the hacks at a to-be-determined date. Hensarling noted in a statement that such breaches are becoming "too common" and that consumers "deserve answers." House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) said that his committee would hold a separate hearing on the matter as well.
The Senate Commerce Committee announced on Thursday that it sent a letter to Equifax seeking answers about the extent of the breach and what Equifax is doing to mitigate its impact. In the House, Financial Services Committee Chairman Jeb Hensarling (R-Texas) said that his committee would hold a hearing on the hacks at a to-be-determined date. Hensarling noted in a statement that such breaches are becoming "too common" and that consumers "deserve answers." House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) said that his committee would hold a separate hearing on the matter as well.
And I hope but don't hold my breath (Score:5, Insightful)
that they will find something and some one (or group) who held accountable of the breach. Though, often times, this kind of investigation is just a political stunt to show constituents that they have done something. Nothing will be found, done, or changed according to the history...
Re:And I hope but don't hold my breath (Score:5, Funny)
Re: And I hope but don't hold my breath (Score:2)
Nah... When you gain some wealth, the first thing your financial advisor will do is have you freeze your credit.
Re:And I hope but don't hold my breath (Score:5, Interesting)
Put them out of bussiness (Score:5, Informative)
This is a real golden oportunity to finally rebalance the exposure to risk that amassing large data stores creates. Right now all of the risk is on the subject (you) of the data bases and there's almost no liability for the data base holder. Their only liablity comes from public good will not financial liability.
The best possible outcome in this case is to sue Equifax out of existence. This particular instance is a gift int he sense that equifax disappearing would not harm society at all since it's function are handled redunantly and competitively by two other companies. Anything short of annihilating the company is too little.
The reasons is those two other companies , and by extention all data base holders, need to be on notice that they will suffer financial liability not just good-will liability
To understand the status quo better, and to see why this case in particular makes extinction the ideal remedy look at how every data breach to date has been handled in the past.
there's two ways to deal with data breaches
1. Credit freeze. (prevents credit accounts from being opened by denying credit reports to inquiring creditors).
2. Credit monitoring (they let you know after the fact that tour credit just got robbed)
The latter is nearly free to implement but has almost no value to the injured consumer. The former, the credit freeze, actually fixes the problem, puts power in the hands of the consumer but has the downside that it costs lots of money to implement. (the reason one has to pay for this is because the data base companies make money when they hand over your credit report to an inquiring creditor. If they can't hand it over they can't make any money off your data. Ergo, you have to pay them instead.)
No one ever offers the Credit Freeze because it's expensive. In this particular case the company that would pay for the credit freeze is actually the one that makes money off these credit freezes and could not make any money if they had to freeze all of the accounts. They might as well not even exist as a company if 100% of their accounts had credit ffreezes
Thus the proper remedy here is to require them, via class action lawsuits, to require credit freezes on 100% of the accounts. Even without extracting damage payments, this would likely cut their profits massively. And if they had to also pay the other two credit agencies for your credit freeze then they would have negative earnings. They would cease to exist without any tort penalties.
This would be the perfect outcome for consumers and do no damage to our credit system.
Re: (Score:2, Informative)
This would be the perfect outcome for consumers and do no damage to our credit system.
Therefore, the chance of it happening is exactly 0%.
Re:Put them out of bussiness (Score:4, Informative)
I froze my credit with all 3 agencies without paying anyone. I think there's an Indiana requirement.
Re: (Score:2)
I froze my credit with all 3 agencies without paying anyone. I think there's an Indiana requirement.
Really? That's interesting!
Re: (Score:2)
I froze my credit with all 3 agencies without paying anyone. I think there's an Indiana requirement.
Really? That's interesting!
Not to reply to my own post; but...
GP is right! If you live in Indiana, Freezing/Thawing your Credit is FREE by law!
http://www.in.gov/attorneygene... [in.gov]
Re: (Score:2)
Re: (Score:2)
So 143 million people should move to Indiana?
So the three credit agencies have agreed to allow anyone to freeze their credit. When a state passes laws, those laws govern fees/etc. Indiana allows for free credit freezes by anyone, many states allow free credit freezes for identity theft victims, and most allow them for a small fee, like $10. Probably costs a lot more to move to Indiana than to just eat the $10 fee elsewhere.
Re:Put them out of bussiness (Score:4, Insightful)
You still win either way (Score:5, Insightful)
I don't care if I get a dime. If the lawyers get it all, but we succeed in anihilating Equifax then I will benefit. All future datebases will take into the account the finincial liability they face if they don't do security right. I win from that. It's not a $10 rebate I want.
Re: (Score:3)
Oh please, anyone affected already gets a free year of monitoring...with some hidden fine print that it also auto-enrolls them in PAID monitoring the following year unless they opt out at just the right time, etc.
It's actually egregiously bad behavior and hopefully something the courts use to bash them even harder.
Re: (Score:2)
anyone affected already gets a free year of monitoring
EXACTLY... and 5% discount off free is? The guys in finance went nuts when we proposed this!
Re: (Score:3)
Re: (Score:2)
Freezing is also not permanent.
A permanent freeze is permanent in all but a few states. In those states it expires after a few years. A security / fraud freeze automatically expires after a set amount of time. Placing a permanent freeze costs about $10 per bureau while a fraude freeze is usually free in certain circumstances -- like providing notification of a breach or a police report.
Not the real root cause of the mess (Score:2)
That is why they want to lend first and ask questions later. If we put the onus on the lenders to prove that they actually lent money to the right party before they can initiate collection proceedings, it would fix lots of problems. The lenders will have the incentive to make sure the borrowers are really what they claim to be. Else they lose money.
In USA banks can lend to any Tom
Funny thing about credit freezes... (Score:4, Insightful)
Credit freezes are hilarious when you think about what they mean.
When I have frozen credit, that means that you can't loan me money without first authenticating me and getting my authorization.
So.. what does unfrozen credit mean?
Re: (Score:2)
When I have frozen credit, that means that you can't loan me money without first authenticating me and getting my authorization.
A credit freeze only blocks access to your credit history. Technically, lenders can open new accounts in your name, but almost certainly won't, without a current credit report. Without a credit report they wouldn't know anything about your financial status.
Re: (Score:2)
Why? Because the US is an Oligarchy. Till "the people" take it back by campaign finance reform, the rich will continue to pillage at will with an occasional wrist slap the the "elect
Re: (Score:3)
If this is true and even somewhat provable, those execs have a good chance of winding up in jail.
Granted insider trading happens ALL THE FUCKING TIME but it's generally subtle or can be explained by other means. Something like a dumping shares days before announcing a company-wide disaster that you already knew about...is not something so easily overlooked. And TBH it's a perfect stick to bash them with while not actually taking or enforcing any corporate responsibility for the actual breach.
Nothing to se
Re: (Score:2)
Re:And I hope but don't hold my breath (Score:4, Interesting)
Re: And I hope but don't hold my breath (Score:1)
I could care less about holding someone accountable. I want Equifax to be held accountable for allowing it to happen.
Re:And I hope but don't hold my breath (Score:5, Insightful)
Don;t forget most of these government officials have had THEIR data exposed by the breach, otherwise they wouldn't give two sharts about the rest of us....
Re:And I hope but don't hold my breath (Score:4, Funny)
Re: (Score:2)
I could, but sharts is a more fun picture than shits.
Known what I fucken' mean?
(No, I'm not one of those squeamish-about-swearing babies)
Re: (Score:2)
Re: (Score:2)
... otherwise they wouldn't give two sharts about the rest of us....
Can you just say "shits"?
Stop whinging about his vocabulary. :-)
Re: (Score:2)
"Shits" and "sharts" are different—though related—things. The latter is a portmanteau of obvious origin.
Re: (Score:2)
To be truly classy it has to be non-rhotic - shaht, like they say at Hahvahd.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
And we know their Social Security numbers, etc?
Re: (Score:2)
We do now.
Re: (Score:1)
The Cheeto administration has made it entirely clear that rape and torture are A-OK, and that fucking over the little guy is just good business. Nothing will come of this, though he might give Equifax an award.
Re: (Score:2)
Register an account and log in. Aside from mitigating the things you're complaining about, you can direct your "thumbsdown" to ACs instead of the site.
A very harshly worded letter was sent! (Score:2)
Your elected officials in action, folks.
Re:A very harshly worded letter was sent! (Score:5, Funny)
Re: (Score:1)
And as a final "nuclear" option, the Deputy Sub-Prime Minister has already stated unequivocally that, should the extremely harshly worded letter fail to produce results, that he shall "look into the matter very closely." But surely Equifax wouldn't be so foolhardy as to let it escalate to that level.
Re: (Score:2)
I'm sure they will call SEVERAL meetings to discuss this. Probably in a very nice country club with catered food and high end champagne to toast a successful conclusion of the meeting.
Oh, sorry to interrupt. Your limo is here to take you to your chartered flight back home sir. Whenever you're ready. The plane is standing by and at your disposal of course.
Re: (Score:2)
I just love the idea of a "sub-prime minister". We should totally create that position, responsible for financial regulatory oversight.
Details of breach? (Score:2)
Re:Details of breach? (Score:5, Informative)
From what few details I have gathered it was an attack on Apache Struts that allowed the attackers to siphon data slowly over a period of time. I haven't seen any verified information about encryption or what was actually copied. My own personal speculation is the attacker got plain-text personal data that leaked out of some API.
Isn't 143M basically all adults in America? (Score:5, Insightful)
So their breach just put the entire population at significantly increased risk of identify theft. There definitely should be consequences and the government is the only recourse the consumers have since they are not direct customers of Equifax, nor will anyone ever be able to prove their identify theft was directly due to Equifax's breach, so they cannot individually sue Equifax.
Maybe the fines should be whatever it costs to re-issue new social security (or social insurance in Canada) numbers to everyone, including costs of managing the transition. Yea, I know this may sink Equifax as a company, so be it - lesson for the other guys to secure the data or maybe to not collect it in the first place. Maybe there is such a thing as too dangerous to collect and keep in one company. Kind of like banks and companies that are too big to fail.
Re:Isn't 143M basically all adults in America? (Score:5, Interesting)
I don't know that it has. Whoever stole the data isn't going to just dump it online they are going to sell it. Eventually it will all leak but not before much of it is quite stale.
Most people STILL don't realize this but anyone who works for a company with a subscription to any of the private investigative services could pretty much get all this information inside of 30 seconds. Not everyone is in the pay-for-use-databases but most are. I don't know if I have ever had a search come back empty.
The reality is this information was already out there on almost everyone one, this will be just one more source. Maybe a price a little more attractive to the ner'er do wells but I predict a minor blip in increased id theft at most.
Re: (Score:1)
The difference is that when you do a search, there's a record of it. If you try to dump the whole database? They'll know. If you try to get info on ten different people and later those ten di
Re: (Score:1)
Most people STILL don't realize this but anyone who works for a company with a subscription to any of the private investigative services could pretty much get all this information inside of 30 seconds. Not everyone is in the pay-for-use-databases but most are. I don't know if I have ever had a search come back empty.
And so does my HR department, but that doesn't somehow make this breach okay or any less impactful.
Re: (Score:2)
Lots of companies can pull credit reports on their customers (usually with customer permission). I mean, if you've ever tried to get a major loan, it's happened. Or even applying for certain jobs, the company could request a credit report from the three majors (Experian, Equifax, and TransUnion).
Re: (Score:3)
Eventually it will all leak but not before much of it is quite stale.
While I wish that was true...
- Birth dates never go stale
- SSNs VERY rarely go stale (I know they can be changed, but I've never actually heard of it being done)
- First names, rarely go stale
- Last names probably only go stale once or twice per lifetime on average
The stuff that actually will go stale (e.g. addresses, driver's license number, phone numbers, etc.) is the stuff that's least important.
That said, you are correct about this stuff already being available to people who knew to ask and who were will
Re: (Score:2)
I don't know that it has. Whoever stole the data isn't going to just dump it online they are going to sell it. Eventually it will all leak but not before much of it is quite stale.
Stale? I'm not sure about everyone else, but my real name, my date of birth, and my social security number are unlikely to go stale any time soon.
This SSN == credit thing is bullshit.
Re:Isn't 143M basically all adults in America? (Score:5, Interesting)
I worked for a financially-regulated place here in the UK and every once in a while you'd hear "that sort of f-up could see us lose our license" (and so stuff didn't happen) - exactly what the regulator intended (and for the most part, it seemed like a good outcome, from what I could tell).
In the case of Equifax in the US - why do they need SSNs? I presume it's a way to differentiate Jim Kirk from New York and Jim Kirk from Boston. I don't imagine they ever actually have a need to use the SSN with someone else (right?). In which case, they could have simply hashed the SSN on receipt and stored the hash. Right now, they'd still be in a world of trouble, but a lot less than they actually are (and could arguably have been a smaller target).
I guess what I'm asking is what could (really) cause such an incredible failure of judgement/execution on their part? Even the US's relatively slack laws on data protection would at least make hashing SSNs something you might at least think about, don't they?
Whilst I agree that some major sanctions against companies doing this sort of thing is definitely in order (here, the US might do well to look to the EU or Singapore for some ideas), but will that actually solve the real, core, underlying issue that let this happen in the first place, or will it just throw a couple of extra firewalls on the network for "due diligence" and leave the same crappy implementation choices in the systems that actually run the show?
Re: (Score:2)
Think most institutions now are using SSN's as a "uniquely identifying" index.
So it's a quick and dirty way for EquiFax to check multiple sources to see what pops up rather than waste time sending "name, location, DoB, Last known addresses, current address" etc...etc... when grabbing data from different sources (then you get into the bother of typos and slightly wrong data entered giving wrong results causing more manpower to find and fix those errors, or just ignore it and give the person a sub 100 credit
Re:Isn't 143M basically all adults in America? (Score:4, Interesting)
They typically use a number of 'attributes' to positively identify someone. SSN is one. But they also use first name, last name, DOB, etc.
Now, if SSN is unique, then why do they need all that other information? To protect against a fraudulent credit request or a request without enough information.
So, you send the credit request to whatever company.... odds are you're not directly asking the three majors (Experian, Equifax, TransUnion), for the information. But regardless, you send the request off. Let's say you have the right name, and the right SSN, but whoever handled the data entry on the DOB had a typo in there.
It _should_ come back with a response that your identifying information doesn't match anyone. But that all depends on which service you're using. Some are much more on the ball about this sort of thing. Hell, some of the services won't let you pull a credit report UNLESS you have all that info and more, just to cut down on requests.
Re: (Score:2)
Re: (Score:1)
Well, up to a point in time, the SSN was not to be used for identification purposes. My father's Social Security card actually says that. Mine doesn't.
But let's look at what you need versus what you get. From my experience, you need, at a minimum, a person's first and last name, their DOB, their SSN, and a primary address. Okay, sure, depending on which service you use, the DOB or the address might be optional.
What you get back (assuming the credit report request was successful), are credit scores (ranging
Re: (Score:2)
SSNs are 9-digit numbers. So even if you hash them, it only takes a rainbow table with 1 billion entries (8 GB using 2 billion long ints) to reverse it. That's small enough to fit in RAM on a modern computer. Salting would help, but I imagine whatever info was stolen during this hack was what would've been used to generate the salt as well. SSNs were never designed to be used as secure personal identification numbers,
Re:Isn't 143M basically all adults in America? (Score:5, Interesting)
Maybe the fines should be whatever it costs to re-issue new social security (or social insurance in Canada) numbers to everyone, including costs of managing the transition.
I think it's pretty clear that the US needs to move away from the social security number being both a confidential number and a unique key that is shared to verify your identity. Those two uses are mutually exclusive.
The government either needs to give the individual the ability to authorize specific identity checks though a tokencard or some other means.
Congress doesn't want to do this because big business wants to be able to check your background details for free and at will, but it needs to stop. Unfortunately, the amount of traction that the private citizen has with congress is pretty small compared to big business' lobby.
Re: (Score:2)
I think it's pretty clear that the US needs to move away from the social security number being both a confidential number and a unique key that is shared to verify your identity. Those two uses are mutually exclusive.
I keep reading this so apologies that it's your comment that I've decided to challenge.
It's totally fucking irrelevant. What got leaked is PII, and if SSN wasn't widely used then other elements of PII would be, and the leak would've still compromised those.
So you're fucked from this breach whether you use SSN or not.
Equifax equalized! (Score:2)
But everyone's equally at risk. So no one is more at risk than the rest.
Re: (Score:2)
What's that you say? The profits from all these new credit freeze fees are going to dwarf any sanctions imposed by federal regulators? Hmmmm.
Unless the feds force Equifax to provide *free* credit freezes to all affected parties for a number of years, and perhaps forces them to pay the going rate for fre
Re: (Score:2)
What said a one time fee (IF APPLICABLE) makes up for not being able to make money providing info on people that have a freeze in place?
Re: (Score:2)
Honestly, using SSN in the US is a horribly broken and insecure system.
It's fairly trivial to get the information on anyone (name, DOB, SSN, address) and even additional info isn't all that hard to come by (DL, passport, etc.) either. There's so little security built into the system that it's laughable. What we need is a better system as a whole. 'Which of these 4 addresses were yours in the past' is really a horrible security check in the modern age of FB, google, and data collection.
Re: (Score:3)
I'm pretty sure there have. Why else should there be an investigation?
Re: Senators (Score:2)
I bet that the accounts of congressmen and major celebrities are not only flagged to throw an alert if touched, but that such accounts are stored separately from the hoi polloi.
Quick question... (Score:3)
Are we sure it was ONLY US data/personal information that was leaked?
Personally I would not be in any way surprised, if it's uncovered in a few weeks time, that personal information from other countries was also in the leak.
Re:Quick question... (Score:5, Informative)
https://www.theregister.co.uk/... [theregister.co.uk]
Re: (Score:2)
Thanks.
Re: (Score:2)
great.. :( ;)
If that's proved to be the case... Just need to find out where we register for the class action...
But it's so damn easy (Score:2)
How About (Score:2)
Instead of going after people like Love [slashdot.org] and giving them sentences longer than murderers. Maybe a Computer Fraud Act [wikipedia.org] for Companies where they get similar penalties where the board members really suffer instead of giving the company a slap on the wrist.
Re: (Score:3)
If it was at least a slap. Usually what they get is a pat on the hand and a "there, there..."
Create a Credit Level No One Wants (Score:1)
Because they are going to steal your identity. It will happen numerous times in your life. It may become a once a year thing. So fuck it. Let them have an identity no one would pay for. If you think about that for a moment, while fully understanding the big picture, you'll understand why this could be a potential permanent fix to the problem.
Information Circle Jerk (Score:4, Insightful)
We read daily that the internet functions on our data. We hear constantly, "we are the products, our data is the product."
We are going to hear a million reasons why now this data isn't so valuable. We already see their attempt to flush everyone their "credit monitoring" sham. No one can sue the company in any meaningful way. There are no real remedies that exist for really anyone.
We all do a huge portion of our business online. This hack hits at the true heart of the internet, if we can't figure out who is who, you can not make a transaction. Our internet identities are a very real extension of our physical identities.
This reeks of every single issue that we all see today, from Terms of Service being forced onto folks, one sided contracts that only favor a large company we are forced to deal with whether you want to or not, companies using and selling our data that we have nothing to do with. We are just a commodity, and this really should make everyone feel exactly that.
At what point is having part of us sold and traded ok? Is this where we find out?
Hypocrisy is about to rain down hard. We will not see any meaningful change. We will see all of these folks tell us that in essence, while we can be arrested and profiled online, that our personal data that is essentially "who we are" online, doesn't have the same protections as our person.
What needs to happen... (Score:4, Interesting)
...Is congress needs to pass legislation that gives a process to people that allows them to collect damages from lenders that lend to criminals. Such a process needs to burden the lender with proving a debtor owes this money, and that it was actually they who requested such a loan. If they cannot, then if they attempt to collect on such a debit, they can be liable for damages. Probably not a large sum, possibly just a (small) percentage of the loan they gave away to the crook. Of course more aggravated attempts might warrant larger sums. Much such a process require that the fiscal institution cannot collect and store. So that each application must be independently vetted, each time.
Some side effects: More stringent identification taken to link documents to people. Loan processes taking much longer, and people who cannot vet themselves to an institutions satisfaction not receiving loans. An entire new system or vendors and providers revolving around bio metric verification. Also, higher loan rates because they will pass these costs onto the consumer. Less loans in total.
Why could we use phone for identity confirmation? (Score:1)
Re: (Score:2)
Re: (Score:2)
So then I'm forced to business with big telecom to do something like buy a home or auto? They are not exactly top tier data guardians themselves.
The problem here is the massive amount of personal, sensitive, and unchangeable data being horded and sloppily housed. Leaking more data is not the answer.
Once you've tied identity to devices, it's on you to both provide, as well as secure those devices.
You don't hear from us much, but many of us choose to not play the mobile-phone data leak game at all. We've mad
Re: (Score:1)
Is Equifax walking dead ?? (Score:2)
Translation (Score:4, Interesting)
It finally hit home and some congresscritters were affected by the fallout.
Good.
stop calling us CONSUMERS (Score:1)
we are the VICTIMS here - stop saying "consumers" we are human beings who had all data scooped up and sold against our will and outside of our control - even Dave Ramsey, the "no debt, no loans, no credit cards ever" guy who claims to have had a "0 credit score with no activity" for 20 years was a victim according to his statements last week on his show.
shut the credit agencies down.
Would like an authorisation token for searches (Score:4, Interesting)
It would be nice to be able to issue an authorisation token with the credit agency and pass that to the institution that wants to search my file. Don't have the token? No search, go away.
Oh goodie... (Score:5, Informative)
Or the Equifax breach from 2011 that I experienced (Score:3)
An email address that I used ONLY for Equifax started getting spammed in 2011. They were breached back then. I contacted their customer service to report it and their response was that I needed to contact my email provider to check my spam settings.
Need a 2017 news template?: (Score:4, Funny)
Things that need to be done (Score:4, Insightful)
1. Immediately protect ALL customers by allowing users to lock and unlock their profiles across all the major credit bureaus at ZERO cost the user.
2. Provide lifelong monitoring of profiles and credit activity at ZERO cost.
3. Investigate the insider trading.
4. Remove protections for Equifax against class action lawsuits for any damages that result.
5. Figure out who the F allowed this happen. I am betting an insider did it.
Then, establish a CENTRAL system to coordinate credit activity (but, not have the profiles themselves) so that protection of one's credit is a very simple process.
If you check if you were affected... (Score:2)
agreemment to resolve all disputes by binding arbitration. http://www.equifax.com/terms/ [equifax.com]
While Equifax has appeared to walk away from that statement via a FAQ --- the legal agreement, the one you agree to, still appears to require you to give up your right to sue if you use the service that checks whether or not you were affected by Equifax's security breach.
Equifax recommends FireEye .. (Score:3)
Equifax Breach - Apache Struts flaw relation (Score:2)
---Email-----
Based upon the tremendous amount of publicity surrounding the recent data breach at Equifax, as stewards of the Central Repository we felt it was important to share our perspective on the matter:
Apache Struts: Apache Struts is a popular open-source and free Model-View-Controller (MVC) framework for Java. It is developed and maintained by an active and highly responsible community of voluntee
PDMP (Score:1)
Now, about those state databases containing information about everyone's prescription drugs -- will they have the same level of security that Equifax had?
My guess: no.
Why this leak? (Score:1)
Re: (Score:3)
Some politicians just found out that their personal information was used to steal their ID. Why should they get active any sooner?
Re: (Score:2)
Then I guess we should fire a few of them.
Preferably out of a cannon.
Re: (Score:2)