
The Equifax breach may be the worst leak of personal info ever - mozumder
https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/
======
chrisabrams
Why are identifiers being treated as passwords? It's 2017 and my mind is
boggled that we continue to use SSNs and thumbprints as passwords. These are
more akin to usernames. Why is our most important information not protected by
passwords, or better yet, 2 factor authentication?

If I try to spend $1000 on my credit card at IKEA, my bank usually calls me to
confirm the transaction. However, we don't have such a system when handling
our most important information? Why is this allowed to happen? How many people
have to be damaged before they stop watching Tom Brady throw touchdowns and
get out there to make a difference?

~~~
knz
> If I try to spend $1000 on my credit card at IKEA, my bank usually calls me
> to confirm the transaction. However, we don't have such a system when
> handling our most important information? Why is this allowed to happen?

It's allowed to happen for the same reason the US uses credit cards without
PIN numbers - a lack of desire to spend money on security/upgrades (it's
easier to pass on the cost of fraud via the transaction fees), a weak
regulatory structure for protecting consumers, a glacial rate of technology
adoption in banking systems, and ignorance/unwillingness to evolve by
customers/businesses/executives etc.

~~~
masklinn
Don't forget the odd US anti-fed/anti-state bent which led to your identity
being smeared across thousands of untrustable private companies linked through
something never originally intended as an identification token (SSN) but
having become one for the sole reason of being nigh-universal.

Had the US implemented a _proper_ citizen's registry it could be managed as
_that_ with all the security and personal details isolation that entails,
including but not limited to biometric and chipped ID cards.

~~~
agentdrtran
The US cannot implement a proper registry, large sections of the country would
freak out.

~~~
dforrestwilson
Interesting. What sections?

~~~
wyager
Me. The less sensitive information on me that is centralized, the better for
my privacy and security, as very clearly demonstrated by this leak.

If you think Equifax's security is bad, wait until you see what it's like at
any government agency that doesn't explicitly focus on security.

It's also pretty unlikely that a credit bureau decides to use vast stores of
personal information to prosecute people, but governments have done this
several times throughout history, perhaps most notably during WWII.

~~~
Fej
I like to think that fewer try to hack US government services because of the
consequences. Attempting to do so would get a black hat chased after by
multiple three-letter agencies.

I'm sure the FBI is looking into the Equifax breach but not as hard as if
someone breached the Social Security Administration.

~~~
banned1
You have too much faith in the federal government 3-letters:

[https://www.google.com/amp/s/www.wired.com/2016/02/hack-
brie...](https://www.google.com/amp/s/www.wired.com/2016/02/hack-brief-fbi-
and-dhs-are-targets-in-employee-info-hack/amp/)

------
0x00000000
I've been saying for a long time. Companies that store sensitive information
should be required to insure it. Want my SSN for some inane reason? 5
million^H^H^H^H^H^H^H^H^H 500k dollar insurance policy on each one. Seem
excessive? Better buckle down on security or better yet not store extremely
sensitive and damaging information for arbitrary reasons. There is literally
zero reason or consequences for any company to care about security right now.

~~~
jerf
I understand the emotional appeal of overselling the problem, but you'd get
much better response with a $50K insurance policy than an obviously absurd
$5M. Even $50K is sort of generous and probably generally more towards the
worst case end of identity theft than the average case. It is plainly obvious
to everyone that when Bob the upstanding middle class guy is hit by identity
theft that Bob may experience great loss of money and time from his point of
view, but that identity theft was not the one thing standing between Bob and
$5M.

At scale $50K still adds up to a lot, and we'd probably have to cap it some
other way too because at-scale breaches don't add up that far, because the
system does in fact react to them. This particular breach would be a seven
trillion dollar payout if we don't cap it, and the simple reality is that this
breach, no matter how much pain it may eventually cause us, is not going to
cause anywhere near seven trillion dollar's worth of damage to consumers, or
the economy, or anything else. But $50K makes sense for isolated cases that
don't get a coordinated response.

~~~
eropple
Why would you cap punitive damages? Sure, it won't be collected, but that's
okay--this sort of failure _should_ destroy a company that betrayed the
societal trust. It should be a smoking crater when all is said and done.

~~~
conanbatt
We should go one step further and just terminate consumers that use companies
that don't have good security. That way it will never happen again for sure.

~~~
talmand
I can get on board with this as soon as you figure out a way to require
security training for the masses as opposed to the handful in charge of
security.

If you get it to work, we can then proceed to get rid of police departments.

------
banned1
Another commenter, who now deleted the comment, said: "There's a 44% chance
you were affected, but a 100% chance you waive your right to be in a class
action lawsuit if you enroll in their ID protection."

I thought it was a good comment, but I wonder if it matters.

How much would you get? I have been a member of these class action lawsuits
before, and I get, like, $3 for my troubles at the end of the day, so I never
claim the prize because it's another database where my SSN would be stored and
stolen from.

I think the best is to freeze your credit report and deal with the troubles of
having to unfreeze it when you need a loan.

If there are expert people from the Fin Svc industry here, is the above
correct? Is freeze pretty much the only reasonable action now to protect
ourselves?

~~~
busterarm
Saying it's a 44% chance you're affected is really skewing things away from
how severe they really are. At least 22% of Americans are under 18. There are
actually 167 million Americans who own one or more credit cards, so this
actually affects 86% of all US credit card holders.

Not to shamelessly promote, but as soon as this broke yesterday I brought this
to the attention of my firm and we filed I believe this morning.

[http://www.prnewswire.com/news-releases/classactioncom-
files...](http://www.prnewswire.com/news-releases/classactioncom-files-
lawsuit-on-behalf-of-millions-of-equifax-data-breach-
victims-300516335.html?tc=eml_cleartime)

~~~
vxNsr
Could you guys push for free credit freezes and unfreezes going forward
instead of some sorta ridiculously small monetary comp. It should be free at
all bureaus, with Equifax picking up the bill for unfreezing and freezing at
the other two.

~~~
matrix
And make it possible to do the process online for all three credit reporting
agencies (one of them still requires a phone call). Having to pay and spend at
least 20 minutes on the phone to lift your credit freeze is just ridiculous.

Better yet, let's do away with credit reporting agencies. Why should any
oligopoly or, indeed, any non-government entity be allowed to have the power to
cause so much harm to us with effectively no accountability?

~~~
astura
How do you prove your identity when freezing and unfreezing? Is it similar to
how you "prove" your identity when you apply for credit?

~~~
kimolas
You would use a PIN that is generated at the time of freezing the account.
However, this doesn't prevent a future attack from obtaining the PINs.
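
An added example, not code from the thread or from any bureau, of how a freeze PIN can be issued and stored so that the second concern above, a later breach handing out every PIN, is at least blunted: the verifier keeps only a per-user salt and a slow PBKDF2 hash, never the PIN, compares in constant time, and locks the PIN after a handful of wrong guesses. The lockout matters as much as the hashing, because a 10-digit PIN has only 10^10 possible values, so the hash slows an offline attack on a stolen table but cannot make it hopeless. PIN length, iteration count, lockout threshold and record layout are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000   # assumption: tune so one check costs ~100 ms on the verifier
MAX_FAILURES = 5          # assumption: online guesses allowed before the PIN is locked


def generate_pin(digits: int = 10) -> str:
    """Random freeze PIN from a CSPRNG (secrets, not random); leading zeros are kept."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def make_record(pin: str, rounds: int = PBKDF2_ROUNDS) -> dict:
    """What gets stored: a per-user salt and a slow hash, never the PIN itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds)
    return {"salt": salt, "hash": digest, "rounds": rounds, "failures": 0}


def check_pin(record: dict, candidate: str) -> bool:
    """Verify in constant time and enforce a lockout; updates record['failures']."""
    if record["failures"] >= MAX_FAILURES:
        # Locked: even the right PIN is refused until the lock is reset out of band.
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["rounds"])
    if hmac.compare_digest(digest, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def demo(rounds: int = PBKDF2_ROUNDS) -> dict:
    """Issue a PIN, then show accept, reject, and lockout behaviour."""
    pin = generate_pin()
    record = make_record(pin, rounds)
    wrong = "0" * 10 if pin != "0" * 10 else "1" * 10

    correct_accepted = check_pin(record, pin)
    wrong_rejected = not check_pin(record, wrong)          # failures -> 1
    for _ in range(MAX_FAILURES - 1):                      # failures -> MAX_FAILURES
        check_pin(record, wrong)
    locked_out = not check_pin(record, pin)                # right PIN, but locked

    return {
        "correct_pin_accepted": correct_accepted,
        "wrong_pin_rejected": wrong_rejected,
        "locked_after_failures": locked_out,
    }


if __name__ == "__main__":
    print(demo())
```

The PIN is shown to the consumer once at issue time; if it is forgotten, the only safe path is re-issuing a new one after out-of-band identity proofing, since the stored record cannot be reversed into the old PIN.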

~~~
astura
And if I forget my PIN?

------
leroy_masochist
I just used their "check if you've been compromised" tool on their crisis
response site and they are using it not only as a notification service for
potentially affected customers, _but also as a lead generation tool for their
TrustedID Premier service_.

We need a new word, "chutzpah" isn't strong enough in this case.

~~~
jandrese
I think the word you are looking for is gall. As in sheer unmitigated gall.

------
mikeash
If we're lucky, this will be the _best_ leak of personal info ever.

The primacy of the SSN in American society is idiotic. It's a "secret" that
you have to hand out to dozens of different organizations. I've long thought
that we should phase this out by committing to publish all SSNs (and the
associated info, obviously, so it's not just a list of most 9-digit
numbers...) which would force all these companies to stop treating it as
confidential.

The system is dumb and works poorly, but worked well enough that there was no
impetus to fix it. Some people got affected by breaches, and it sucked for
them, but it was always a small enough group that most people didn't care.

Now that a majority of people's "secret" info is no longer confidential, maybe
they'll realize they can't rely on it anymore.

OK, the odds of this actually coming to pass are not great. But I can hope.

~~~
miguelrochefort
I advocate something similar regarding _all_ secrets (passwords, private keys,
credit card numbers, etc).

Secrecy (and privacy) aren't sustainable, and relying on them will just end up
hurting people.

Identity must be solved, not through secrecy, but through transparency.

If AI overcomes us, it will be (in part) because we failed to adapt to this
reality.

~~~
i_cant_speel
How could we go about not having private passwords or credit card numbers?

~~~
pishpash
You authenticate with physical states with enough entropy generation rate,
e.g. physical tokens. All security is physical security.
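
The token-based authentication described above, and the second factor chrisabrams asks for near the top of the thread, come down to one property: the verifier learns that you hold the secret without the secret itself crossing the wire, so a captured exchange is worthless, whereas an SSN is the same string every time and is accepted every time it is replayed. The following is an added example, not code from the thread or from any vendor: a minimal HMAC challenge-response between a token and a verifier, with single-use, time-limited challenges. The class names, the user id 'alice', the 32-byte secret and the 30-second challenge lifetime are assumptions made for the example; a real token would keep its secret in tamper-resistant hardware.

```python
import hashlib
import hmac
import secrets
import time


class HardwareToken:
    """Stand-in for a physical authenticator; the secret never leaves it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Proof of possession: an HMAC over the verifier's fresh nonce.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Relying-party side: issues single-use, time-limited challenges."""

    CHALLENGE_TTL = 30.0  # assumption: seconds a challenge stays valid

    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock
        self._secrets = {}   # user_id -> shared secret (an HSM in production)
        self._pending = {}   # user_id -> (nonce, expiry)

    def enroll(self, user_id: str) -> HardwareToken:
        secret = secrets.token_bytes(32)
        self._secrets[user_id] = secret
        return HardwareToken(secret)

    def challenge(self, user_id: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[user_id] = (nonce, self._clock() + self.CHALLENGE_TTL)
        return nonce

    def verify(self, user_id: str, response: bytes) -> bool:
        entry = self._pending.pop(user_id, None)  # consumed on first use
        if entry is None or user_id not in self._secrets:
            return False
        nonce, expiry = entry
        if self._clock() > expiry:
            return False
        expected = hmac.new(self._secrets[user_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_exchange(clock=time.monotonic) -> dict:
    """Three attempts against one enrolled token; reports which ones were accepted."""
    verifier = Verifier(clock)
    token = verifier.enroll("alice")  # 'alice' is a made-up user id

    # 1. Legitimate login: nonce goes out, HMAC over it comes back.
    nonce = verifier.challenge("alice")
    legitimate = verifier.verify("alice", token.respond(nonce))

    # 2. Replay: an eavesdropper resends the exact response captured above.
    replay = verifier.verify("alice", token.respond(nonce))

    # 3. Forgery: a fresh challenge answered without the token's secret.
    nonce2 = verifier.challenge("alice")
    forged = verifier.verify("alice", hmac.new(b"guess", nonce2, hashlib.sha256).digest())

    return {"legitimate": legitimate, "replay": replay, "forged": forged}


if __name__ == "__main__":
    print(run_exchange())  # {'legitimate': True, 'replay': False, 'forged': False}
```

The verifier still holds a copy of each shared secret, so a breach of the verifier remains serious; public-key tokens (FIDO-style) remove even that by storing only a public key server-side. The point the comment makes survives either way: possession is proved per transaction, not by handing over a reusable string.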

------
wyc
This is truly low: Equifax gives the affected victims a "special offer" to
protect their identities. In the fine print is a waiver to any class-action
lawsuit.

[https://twitter.com/wyatt_privilege/status/90612079459342745...](https://twitter.com/wyatt_privilege/status/906120794593427456)

~~~
dabockster
I doubt this would be upheld by a judge in the event that a class action were
to be taken to court.

Remember, any legalese like this is worthless unless a judge says it's valid.

~~~
liberte82
Doesn't make them any less scum for trying it.

------
YCode
I'd like to think OPM employees are reading this headline and thinking "Yeah
we'll see!"

The entirety of federal government SF-86s being dumped to a foreign government
has diplomatic and economic repercussions that will last for decades.

~~~
Balgair
To clarify the OP's acronyms:

 _OPM_ : Office of Personnel Management, where all the 'blackmail' files for
cleared gov employees and contractors are stored, in addition to many other
more mundane functions.

[https://en.wikipedia.org/wiki/Office_of_Personnel_Management...](https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach)

 _DoD_ : Department of Defense, but this also refers to contractors in places
like Lockheed and other smaller contracting firms.

 _SF-86_ : Standard Form #86, the form that must be completed to gain any kind
of clearance with the gov. These clearance processes can run into the $20k+
range, though not usually, as they have to send agents out to talk to people
to verify the applicant.

[https://en.wikipedia.org/wiki/Standard_Form_86](https://en.wikipedia.org/wiki/Standard_Form_86)

[https://news.clearancejobs.com/2017/05/31/serious-
penalties-...](https://news.clearancejobs.com/2017/05/31/serious-penalties-
falsifying-sf-86/)

The 2015 data breach of the OPM was a _BIG_ deal in the security clearance
world, as it seems _all_ the blackmail files were stolen. A large issue
was that the OPM worked on an entirely separate internet that the gov built,
as in they had totally different wires and cables and everything, very
expensive. How this happened is yet to be released AFAIK. Also, many people
were trusting the gov with their darkest secrets, so as to be un-blackmail-
able by others. Now, the gov is not so trustworthy and this then throws a huge
wrench into all of the processes, including retention of employees and
recruitment of new ones.

~~~
YCode
Thanks; I also had to double back and change DoD to the more accurate "federal
government", which includes other branches that used OPM services.

~~~
Balgair
No worries! Thanks for putting this up. This Equifax issue is a big deal, for
sure, but the OPM was too. In general, these breaches are just getting bigger
and worse as time goes on. There has been a lot of talk about the CyberWar,
and if there is one going on, it seems that the US is not winning it very
well.

------
diyseguy
This sort of reminds me of when Wells Fargo called me one day to tell me my
card was compromised. I got on the phone with them only to find out it wasn't.
Then they tried to hard upsell me on a pay by the month identity protection
plan with a 6 month complimentary introductory period.

It seems like it's sort of in Equifax's interest for a breach to happen and
have 144 million people freak out and then buy their $20/month service

~~~
kevin_thibedeau
I hope you changed banks after witnessing their sleazeball tactics first hand.

~~~
imnotlost
Only the absolutely dumbest Americans are Wells Fargo customers at this point.
Or, maybe, they can't read the news.

~~~
astura
I can read. I am not dumb.

Wells Fargo is the biggest mortgage servicer in the United States and you
don't have a choice over who services your mortgage- mine was sold to Wells
Fargo without my say. I could refinance but that comes with _significant_ fees
(>$1,000), I'd lose my amazing interest rate, and there is no guarantee it
won't end up back in Wells Fargo's hands again.

~~~
jedanbik
Not all banks re-service mortgages. BB&T is known to keep servicing mortgages
that they originate.[1] Disclaimer: I have a mortgage through Wells Fargo
(that was almost immediately re-serviced!), but I work for BB&T.

[1]: [https://www.nerdwallet.com/blog/mortgages/bbt-mortgage-
revie...](https://www.nerdwallet.com/blog/mortgages/bbt-mortgage-review/)

~~~
abawany
Exactly. My primary credit union, First Tech, also states that they will
service the mortgages they originate.

~~~
astura
What happens when First Tech gets bought out by [mega credit union] though?

~~~
abawany
First Tech bought out the HP Credit Union (Addison Avenue) and others so in
some sense, it has acted as [mega credit union].

Beyond that, this question is an imponderable for me because who can say what
the future brings vs. the present. I guess one can refinance with some other
credit union were this to happen in the future in a manner that was not
desirable for one's mortgage.

------
hedora
I think $1000 is a lowball estimate for the per-person damage done by this
breach. At $1000/head, they would be looking at $137B of liability with a
market cap of $17B. Good.

How hard is it to opt-out of whatever class action settlement is offered, and
take this to small claims court?

Anyone want to setup a website to automate the paperwork? I'd love to see a
not-for-profit do this moving forward when things like this happen.

~~~
xur17
I would love to see something like this happen as well. I'd be happy to setup
the website, but we'd need a lawyer to help with the forms.

~~~
tonyztan
I would be happy to help out as well. I am not a lawyer, but I just filed in
GA small claims court today. Contact info in profile.

------
empath75
Consider the implications of this security breach if it's a state actor that
did it. I'm going to throw out Russia as an example, but don't take that as me
accusing them of doing it.

Cross reference financial information on millions of americans with data
breaches from yahoo and linked in, and the social graph data that's freely
available from both and you have a serious national security problem. It would
be easy to search for employees with serious financial problems at any
institution you wanted to target with either blackmail or further intrusions.

~~~
eduren
Consider the consequences if it is the same/cooperating state actors behind
the 2015 OPM breach. At that point there would be mountains of blackmail data.

------
kortex
Anyone know roughly how useful this debug information is to would-be
attackers?

> com.ibm.websphere.servlet.error.ServletErrorReport:
> com.ibm.ws.jsp.JspCoreException: Unable to convert string 'uiadmin' to class
> javax.el.ValueExpression for attribute basename:
> java.lang.IllegalArgumentException: Property Editor not registered with the
> PropertyEditorManager
>
> Caused by: com.ibm.ws.jsp.JspCoreException - Unable to convert string
> 'uiadmin' to class javax.el.ValueExpression for attribute basename:
> java.lang.IllegalArgumentException: Property Editor not registered with the
> PropertyEditorManager

It looks to me like it's choking on some sort of deserialization, which could
lead to execution of EL code.

[https://issues.jboss.org/browse/RF-13977?_sscc=t](https://issues.jboss.org/browse/RF-13977?_sscc=t)

I'm not in netsec, but this looks pretty damning to me. The fact that I was
able to go from "I have no idea how I'd begin to hit this" to "hey I wonder if
I can hammer on this particular interface and see if I can get it to pop"
makes me think this is really not something you should be revealing, above and
beyond the usual "don't show debug information to the outside world".

[https://www.equifax.com/cs7/faces/jspx/login.jspx](https://www.equifax.com/cs7/faces/jspx/login.jspx)
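
Whatever the message does or does not say about exploitability, which the thread does not establish, it is useful to an attacker simply as a fingerprint: it names the application server, the JSP engine and the expression-language layer, gives the exception chain, and echoes the attribute involved and the literal string 'uiadmin' the page was trying to convert. The following is an added example, not code from the thread, of pulling exactly that out of a response body automatically, the sort of check you would run across an estate to find error pages that should not be public. The HTML wrapper around the quoted message is constructed for the example, and the fingerprint table is a small hand-picked set of Java package prefixes, not an exhaustive one.

```python
import re

# Constructed sample: the error text quoted above, inside a made-up HTML page.
SAMPLE_BODY = """<html><body><h1>Error 500</h1><pre>
com.ibm.websphere.servlet.error.ServletErrorReport: com.ibm.ws.jsp.JspCoreException: Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
Caused by: com.ibm.ws.jsp.JspCoreException - Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
</pre></body></html>"""

# Java package prefixes that identify a product or framework when they leak.
# Hand-picked for this example; extend with what your own estate runs.
FINGERPRINTS = {
    r"\bcom\.ibm\.websphere\.": "IBM WebSphere Application Server",
    r"\bcom\.ibm\.ws\.jsp\.": "WebSphere JSP engine",
    r"\bjavax\.el\.": "Unified Expression Language (javax.el)",
    r"\bjavax\.faces\.|\bcom\.sun\.faces\.": "JavaServer Faces",
    r"\borg\.apache\.struts2?\.": "Apache Struts",
    r"\borg\.springframework\.": "Spring Framework",
}

# Fully-qualified Java exception/error class names, e.g. java.lang.IllegalArgumentException
EXCEPTION_RE = re.compile(
    r"\b([a-z]\w*(?:\.[a-z]\w*)+\.[A-Z]\w*(?:Exception|Error|Report))\b")

# The WebSphere/JSP conversion message: echoed value, target type, attribute name
ECHO_RE = re.compile(
    r"Unable to convert string '([^']*)' to class ([\w.]+) for attribute (\w+)")


def fingerprint(body: str) -> dict:
    """Extract what an error page reveals about the stack and the failing input."""
    stack = sorted({name for pattern, name in FINGERPRINTS.items()
                    if re.search(pattern, body)})

    exceptions = []
    for match in EXCEPTION_RE.finditer(body):
        if match.group(1) not in exceptions:   # keep first-seen order, no duplicates
            exceptions.append(match.group(1))

    echo = ECHO_RE.search(body)
    return {
        "stack": stack,
        "exceptions": exceptions,
        "echoed_input": echo.group(1) if echo else None,
        "target_type": echo.group(2) if echo else None,
        "attribute": echo.group(3) if echo else None,
        # A causal chain or any dotted exception name means a server-side trace leaked.
        "leaks_trace": bool(exceptions) or "Caused by:" in body,
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

A clean generic error page yields an empty stack, no exceptions and `leaks_trace` False, which is what a public-facing 500 should look like; anything else is a finding regardless of whether the underlying bug is exploitable.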

------
whipoodle
There still doesn't seem to exist the political will to do anything real about
this, or to hold accountable in any real way the companies that leak. These
stories happen pretty much every week now, often more than one a week. I think
companies will continue not caring, simply do a blog post after they get owned
about how sorry they are and then proceed with business as usual, unless that
changes.

I don't think the issue is SSN, though it is absurd how we treat SSN as both
an identifier and a secret at the same time. The problem is we don't really
care when secret info gets leaked- even when it's actual secrets and not
something sort-of-secret like SSNs.

------
codazoda
I previously signed up for someone's free Identity Theft Protection service.
After the free service was completed my account was charged around $9 per
month until I noticed it and fixed it.

------
donatj
Is there no way to find out if I am affected without enrolling in their ID
protection?

~~~
mrrsm
This link [0] tells you if they think you are affected (you probably are) and
then asks if you want to sign up for protection which you don't have to do.

[0]
[https://trustedidpremier.com/eligibility/eligibility.html](https://trustedidpremier.com/eligibility/eligibility.html)

~~~
shanev
Warning: You waive your right to sue Equifax if you sign up for protection
using this site.

~~~
ideonexus
This is crucial. I am concerned that #4 of the Terms of Use for this site does
state that you give up your right to sue Equifax or join a class action
lawsuit:

[http://www.equifax.com/terms/](http://www.equifax.com/terms/)

I clicked on the "Enroll" button before reading this (after giving my last
name and six-digit social), and it told me to come back in a week to enroll.
Now I'm wondering, did I just give up my rights?

~~~
kevin_thibedeau
If the hackers have any sense of humor they'll sign everyone up on their
behalf.

------
kakarot
I don't own any credit cards and I do not use credit. Am I still at risk for
having credit taken out in my name if I don't enroll in this "credit freeze"
protection racket people keep mentioning?

~~~
jstarfish
YES!

Most people don't realize this, but credit checks are standard with many
employment applications, apartment applications and utility connections (cell
phones, electric, gas, etc).

You may not have an open line of credit, but by virtue of the fact that your
SSN/PII was queried, it creates a stub profile in the database. Your SSN,
address, license number, whatever you provided are now within potential scope
of this leak-- you just have no credit associated with your identity.

Armed with the PII the fraudster can have gleaned from this leak, there's
nothing stopping them from opening accounts in your name.

(FD: ex-employee. This is not a pitch in favor of their solutions, only an
advisement that you should not assume you're safe.)

~~~
kakarot
Apologies for my ignorance, but what is the best method of recourse here? If I
need to freeze my credit by necessity of covering the asses of other credit
companies whose bad security practices led to being hacked, I'll be damned if
I will be paying any sort of fee to freeze my credit. That should be covered
by Equifax.

~~~
jstarfish
I agree with your principles. Unfortunately I don't have a solution to
recommend.

As with all cybersecurity incidents there are going to be a lot of vultures
circling this mess, happy to Hoover up your money in exchange for nebulous
"protection" - but even Lifelock got hacked some years ago.

Paying for "credit protection" doesn't also address some of the other things
fraudsters can do armed with your PII, such as filing and collecting
fraudulent tax returns. Have fun sorting _that_ out.

My own data was leaked. What am I doing? Admitting I'm fucked, refusing to
feed the vultures, and for all else I have the number of a good attorney.

------
plandis
David Webb is the CTO. He should get a year in prison for every day he decided
not to announce his massive fuck up.

~~~
spydum
pretty sure the responsibility of announcing that sort of thing goes to chief
risk officer, or legal -- not usually technology. though clearly they failed
in some way (security training, sdlc process, m&a due-diligence, or whatever)

------
swiley
Everyone knew these were more or less worthless to begin with, but the people
doing things either have to use them or don't have anything better.

I think at this point we should start authenticating anything that ends up on
someone's credit report using strong cryptography. People who refuse to use it
out of ignorance or disagreement don't have to, they just don't get background
checks (which is kind of the way it works now.)

------
Thriptic
Frankly what is necessary here is a version of medical malpractice for the IT
industry. If you do something which is far outside what is considered industry
best practice and it results in a penetration which harms users, you should be
criminally liable in severe cases with strong punishments. People from these
companies should also be blackballed out of the industry.

------
Accacin
I've been using a credit checker called Clearscore, who as far as I recall get
their credit information from Equifax. Has this breach affected any of their
customers outside of the US?

~~~
askew
> As part of its investigation of this application vulnerability, Equifax also
> identified unauthorized access to limited personal information for certain
> UK and Canadian residents. Equifax will work with UK and Canadian regulators
> to determine appropriate next steps.

Nothing on Equifax.co.uk

------
gldalmaso
I'm curious, does the US government offer any way for you to change your SSN
after its leaked?

~~~
hmhrex
Yes, but it can be time-consuming.

[https://faq.ssa.gov/link/portal/34011/34019/article/3789/can...](https://faq.ssa.gov/link/portal/34011/34019/article/3789/can-
i-change-my-social-security-number)

------
Chaebixi
I've been wondering for awhile: what would it take to implement a revocable
identifier to replace SSNs? I've given up hope that companies can secure their
data, but people have no options to take back control when their data is
inevitably disclosed.

------
bigtunacan
Is there a dump available for this yet so we can see just how massively
F***ed we are now?

------
mmjaa
I just want my own info. Like, I need to see it. Problem is: there is no
simple way to see my own info in this leak. I either get a third-party
involved, and thus make the leak worse, or I .. get everyone elses data and
have a look at it, too.

~~~
astura
You can see all the data Equifax has on you at
[https://www.annualcreditreport.com/](https://www.annualcreditreport.com/)

~~~
mmjaa
Yeah, then I'd have to use a service that has already failed me. I think this
shouldn't be the case.

~~~
astura
This is not a separate service, this is just a unified request to the three
bureaus for your credit report. It's run by the bureaus themselves and
redirects you to their individual sites. You can choose just Equifax if you
want. The other option is contacting Equifax directly by mail -
[https://www.equifax.com/personal/education/credit/report/how...](https://www.equifax.com/personal/education/credit/report/how-
to-get-your-free-credit-report)

------
volkk
As someone who has no time to deal with lawsuits or anything of that sort,
what's the best course of action here? According to their website, it seems
I'm affected?..

~~~
frankydp
Request a credit freeze on the three major reporting agencies.

[https://www.consumer.ftc.gov/articles/0497-credit-freeze-
faq...](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place)

~~~
volkk
Are there any downsides to doing this? Aside from not being able to get credit
when you need it ASAP

~~~
dwyerm
My experience was that any "Instant Qualification!!" fails instantly, and then
you can't unlock it.

After Equifax lost my data in the _last_ (T-Mobile) breach, I locked all three
providers. Each of the places charged me $10 for the privilege. I still claim
that Equifax should have covered if not for all providers, at least
themselves, instead of providing me with worthless credit monitoring. But
that's a whole other rant.

I was applying for a credit card. The bank then followed up with, "We killed
this because we asked Equifax, and they said no. If you still want a card, you
can apply a temporary unlock for us."

The problem is, as is clear from all the other posts here, Equifax is
terrible. You need to send your super-secret unlock pin via mail to somewhere
and link it up with something and blah blah blah...

It was more trouble than it was worth. I asked the bank if they would consider
switching to another reporting agency because Equifax was demonstrably
terrible, but they said that once they select an agency for a transaction,
they're locked into it.

So, I let that request die. I can try again some time, and there's a 1:3
chance that I'll get screwed all over again, and a 3:3 chance that I'll have
to unlock something, and a 100% chance that I will get angry.

------
carl_island
I love it when a publication using WordPress dings another site for using
WordPress.

