
Cybersecurity Incident Involving Consumer Information - runesoerensen
https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
======
hrehhf
Suppose Alice is a "victim of identity theft". BigBank gives $10k to Fraudster
as a loan, thinking that Alice is the actual recipient. Experian, Transunion
and Equifax report this loan as a debt which Alice owes to BigBank.

Who is the real victim? The credit reporting agencies want to convince people
that the consumer is the victim, and so Alice bears the burden and risk of
clearing her name. But it is the credit reporting agencies inflicting this
upon Alice. BigBank is the victim who lost money, and BigBank bears the
responsibility for making the mistake of giving out a loan in Alice's name.
The Fraudster committed a crime against BigBank, not against Alice. It is
Experian, Transunion and Equifax, by holding this fraudulent loan against
Alice, who are victimizing Alice.

The idea that Alice was victimized by Fraudster is a concept being perpetuated
by the credit reporting agencies as a way to absolve themselves of
responsibility, and place the burden upon the consumer, and to avoid realistic
identity verification which might slow or complicate the practice of issuing
large amounts of debt to the general public.

~~~
jameshart
What Alice is the victim of is _slander_ , not fraud or identity theft. The
bank lent some money to someone who claimed to be Alice (though the bank only
relied on the fact that that person knew Alice's SSN as proof of that fact).
Then when the bank didn't get paid back, they told a bunch of credit check
bureaus that Alice was a credit risk. This was a _lie_ about Alice, which has
a material impact on Alice's reputation. The credit agencies then go ahead and
repeat that slander.

~~~
njarboe
This is a great description of what is going on with "identity theft". I don't
usually like changing the name of something to try to push an agenda, but
calling "identity theft" "bank slander" would be good idea.

~~~
sjg007
So presumably a class action law suit against the reporters for slander? Might
depend on specifics of the law... Maybe it's time for a better credit
reporting agency startup.

------
courtewing
I strongly encourage anyone in the US to put a full credit security freeze on
all three credit agencies. When a credit freeze is in place, you still have
access to all of your existing loan accounts and whatnot (e.g. credit cards),
but lenders cannot access your credit to open new accounts unless you want
them to.

It's not difficult nor expensive to do, and the freeze lasts until you decide
to revoke it. Whenever you need to allow access to your credit (credit check
for rent, taking out a loan, etc), you can temporarily lift your credit freeze
for a small fee. The fees associated with this are going to be much cheaper
than any of the professional "identify protection" services that exist out
there, and the freeze is significantly more effective at protecting you.

When a company leaks your social security number and personal details, which
almost certainly will happen at some point if it hasn't already, then opening
fraudulent accounts in your name isn't the only risk you face, but it's an
obvious and dangerous possibility that can ruin you financially or make you
spend a considerable amount of time and energy fixing the situation.

For every person in the US with kids, I also strongly suggest that you freeze
their credit as well. There's no good reason for your 13 year old to take out
a loan, but identity thieves don't care about how old their victim is.

~~~
elipsey
Anyone know if there's a way to get your free credit report if you can't
answer the questions for the free one?

The computer says no, and the phone number just sends a letter that says no. I
tried to buy one from my bank, but as far as I can tell they only sell
subscriptions...

~~~
maxerickson
You could see if Credit Karma works. I think it is mostly a free interface to
Trans Union though.

~~~
toomuchtodo
Funny enough, it also provides your Equifax report.

------
runesoerensen
_"Three Equifax Inc. senior executives sold shares worth almost $1.8 million
in the days after the company discovered a security breach that may have
compromised information on about 143 million U.S. consumers."_

[https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack](https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack)

Edit: Also discussed here
[https://news.ycombinator.com/item?id=15196309](https://news.ycombinator.com/item?id=15196309)

~~~
OrwellianChild
So, that should _definitely_ get them busted for insider trading, no?

~~~
mathattack
It depends...

 _Regulatory filings show that three days later, Chief Financial Officer John
Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S.
information solutions, exercised options to dispose of stock worth $584,099.
Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on
Aug. 2. None of the filings lists the transactions as being part of 10b5-1
scheduled trading plans.

The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a
spokeswoman for the Atlanta-based company, said in an emailed statement. They
“had no knowledge that an intrusion had occurred at the time.”_

The timing is extremely suspicious. But - if they can prove they didn't know,
they're in the clear. Of course a breach like this quickly goes to the board,
and it's hard to imagine that the CFO and President of US Information
Solutions wouldn't know.

~~~
thephyber
> The timing is extremely suspicious. But - if they can prove they didn't
> know, they're in the clear.

Burden of proof for criminal cases is the other way around. They will likely
spend lots on legal fees just trying to prove they didn't know about the hack
at the time they decided to sell. They will likely end up settling out of
court (guilty or not) because that's how the US legal system works.

Also important -- July 29 is when Equifax claims they noticed the issue.

~~~
goialoq
What actually happens is that they get interviewed repeatedly. If they get
caught in a lie (like Martha Stewart), they face criminal penalties for
perjury. If they keep their story straight, they are acquitted.

------
provost
> approximately 143 million U.S. consumers.

This was only a matter of time. We can rotate credit card numbers, but sadly
not a SSN. I wish I could rotate my US social security number when significant
exposure happens (this would be the 4th or 5th time in 24 months my data has
been exposed).

Assuming legislation passed that allowed you to cancel an exposed SSN and get
a new one, what would it take for that to happen? Surely it's not just the one
agency (SSA) that would need to make the change, but multiple agencies would
need to coordinate the change?

(And of course, I would be personally responsible for informing my banks,
brokerages, loan agencies, etc of my new SSN)

Does anyone have insight into how this could work?

~~~
shubb
It sounds like ssn is not fit for purpose.

If the gov is going to issue a 'secret number ' why not a 2fa device?

~~~
alehul
The SSN was never intended as a national ID.

It was originally created alongside the Social Security Administration, to
track what individuals put in and what they take out. People only received one
upon becoming employed.

Over time, the IRS realized that it could be used as a national ID, and
adopted it for that purpose. They encouraged people to obtain one from a young
age (even for their newborn children), and it was used to replace the original
'honor system' of 'How many children do you have?' tax discounts; now they'd
need to register their child with a SSN.

Companies eventually began piggybacking on the number as a national identifier
(due to our lack of one), and voila. We're left with an awfully insecure
identification system that shouldn't be an identification system for much in
the first place.

For anyone interested in more:
[https://www.youtube.com/watch?v=Erp8IAUouus](https://www.youtube.com/watch?v=Erp8IAUouus),
and the sources below the video.

~~~
reaperducer
Why do we need to number people anyway? People are very consistent with
spelling their own names. This combined with a birth date and/or a birth city
should be enough to uniquely identify anyone.

Think about passwords. A SSN is only nine digits, 0-9.
JohnHarrySmith19900101NewYork is far more secure. And doesn't dehumanize the
recipient.

~~~
dragonwriter
> People are very consistent with spelling their own names.

Is this true of _all_ people?

> This combined with a birth date and/or a birth city should be enough to
> uniquely identify anyone.

For common names and large cities, probably not.

> JohnHarrySmith19900101NewYork is far more secure.

No, it's not; SSNs aren't passwords, and shouldn't need to be “secure” in that
sense, but names aren't secret and birth dates and locations are easily
discoverable (and the _combination of all three_ is frequently publicly
announced!), so this would be _less_ secure.

~~~
dx034
> For common names and large cities, probably not.

Would be interesting to see statistics for that. It wouldn't be New York in
this case, but for example Brooklyn or Queens. Even for the most popular name
combinations, the number of people with the same name born on one day in one
administrative area will be extremely low. Esp if you require middle names to
be included.

~~~
tripzilch
Or you can just use a number. Because unlike names, you can assume one thing
about individuals in a population and that is that they are _countable_.

You still just need 33 bits of information to identify any human on the
planet, anyway.

(post-singularity, evolved into an ever-merging amorphous network of
consciousnesses, we can use multidimensional fractal subsets of R^n, but we'll
cross that bridge when we get there)

------
andirk
Oddly, on their website equifax.com , they offer a solution to see if your
identity is stolen by using a website created today called
equifaxsecurity2017.com , which then offers the solution to 'enroll' which
sends you to a website created a week ago called trustedidpremier.com . At
which point you are to enter your identity information.

Um.

~~~
guelo
By enrolling in the free "Identity Theft Protection" you waive your right to
"PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE
ACTION"
[https://trustedidpremier.com/static/terms](https://trustedidpremier.com/static/terms)

It is a scam to get people to sign away their rights to sue the bastards.

~~~
dalanmiller
Shit. I already submitted and should've read the fine print. I need to un-
enroll.

~~~
Multicomp
If you look at the site ToS you can send an opt out to arbitration by mail to
them within 30 days, at least for the Equifax general ToS

------
Keeeeeeeks
Not sure if anyone else suggested this, but people should file complaints to
the CFPB about this:

[https://www.consumerfinance.gov/](https://www.consumerfinance.gov/)

Not just about the hack, but the fact that their "check to see if you were
affected by our shit" sites include a ToS that waives your right to
participate in a class-action lawsuit.

[https://trustedidpremier.com/static/privacy-policy](https://trustedidpremier.com/static/privacy-policy)

~~~
diggernet
ToS link:

[https://trustedidpremier.com/static/terms](https://trustedidpremier.com/static/terms)

To my reading, the arbitration clause may only apply to people who take the
step of signing up for the credit monitoring they offer. But, of course, they
are urging everyone to sign up....

------
pgrote
Time for criminal penalties for the management team.

A breach like this will affect thousands of people monetarily and suck time
from them they could have used elsewhere. If you've ever dealt with something
like this, you know the hours it takes to rectify the damage.

The only way corporations will learn to appreciate data security is when
management teams suffer criminal penalties.

~~~
bmon
I don't think it's fair to be throwing any individuals under the bus like
that. There's obviously been several failures at multiple levels but the
company as a whole will have to face the consequences, not just a few managers
it decides to use as scapegoats.

~~~
aidos
Well, except for this:

_"Three Equifax Inc. senior executives sold shares worth almost $1.8 million
in the days after the company discovered a security breach that may have
compromised information on about 143 million U.S. consumers."_

[https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack](https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack)

~~~
scott00
Hah, that's actually excellent news for those hoping for criminal
consequences. It might be hard to put anybody in jail for their security
negligence, but to me it looks like those three have served themselves up on a
platter for an insider trading conviction.

------
cdubzzz
Lovely. I just had to give Equifax a bunch of my own info after having my
identity stolen[0]. When dealing with this, I was amazed at how technically
inept all three agencies seem to be. Not to mention the extent to which they
use SSN and other PII to "verify" during phone calls, and try to sell their
credit monitoring services to you. This sort of thing should be provided for
free by these companies if they are going to be managing such valuable data.

[0] [https://chrxs.net/articles/2017/03/23/responding-to-identity-theft/](https://chrxs.net/articles/2017/03/23/responding-to-identity-theft/)

------
guelo
By enrolling in the free "Identity Theft Protection" you waive your right to
"PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE
ACTION"
[https://trustedidpremier.com/static/terms](https://trustedidpremier.com/static/terms)

What a scam!

~~~
felippee
How can they prove it was me who waived that right if the data used to
identify me was breached by them and potentially publicly available? The snake
is eating its own tail here...

~~~
yborg
Great point.

In my case, after entering the information on the "Potential Impact" page, it
immediately informed me I was enrolled without actually informing me whether
or not I was impacted! It basically looks like Equifax used their massive
fuckup to generate business for a service they own that by its nature
incentivizes them to have poor security to encourage people to stay
subscribed!

Given the number of incidents that have at this point affected nearly every
person in at least the US, what value does the data held by the big 3 have?
Almost anyone can claim that any information held by Equifax now was the
result of fraud.

And how does Equifax prove that data wasn't modified in their systems by an
intruder?

------
arikr
Hm, I tried using their tool to see if I've been impacted:

[https://www.equifaxsecurity2017.com/potential-impact/](https://www.equifaxsecurity2017.com/potential-impact/)

Which says it would tell me if I'm likely impacted, but instead it just gives
a date where I can enroll in some free product, but no info on whether I'm
likely compromised.

Anyone have a workaround? This is important to anyone that wants to identify
if they've been "pwned."

~~~
comex
I got the same page, but then I tried putting in a fake name and got:

> Thank You

> Based on the information provided, we believe that your personal information
> was not impacted by this incident.

So if you just get the enrollment date, I think that means you’re affected.

~~~
scruple
From the r/personalfinance thread, the site kicks back 3 different JSON status
messages:

    "message-deferred": "Thank You -- Your enrollment date for TrustedID Premier is: xxxxxx Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process."

    "message-success": "Thank You -- Based on the information provided, we believe that your personal information may have been impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier."

    "message-not-impacted": "Thank You -- Based on the information provided, we believe that your personal information was not impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier"

~~~
foota
So... later date means they don't know yet? Or you have been impacted and
you're only eligible to enroll later?

~~~
scruple
I really don't know. If we take it at face value, I think it means they're
unsure and will hopefully know more later (whatever date it kicks back). At
least, that's what I hope, because I gave in and punched in my information and
I received the deferred message.

------
twinkletwinkle
"Customers"? I'm not an Equifax customer - that is, I've never given them my
name or any information, I've certainly never paid them for a service. Yet it
wouldn't surprise me to learn I'm on their list. Why call me a "customer", I'm
the product you sell to banks.

~~~
trynumber9
The linked article only mentions business customers (i.e. banks). And refers
to us as consumers, which seems correct enough.

------
error54
> Equifax discovered the unauthorized access on July 29

Well over a month later and they're just now getting around to telling people
about a security breach that could affect almost half of all Americans...

How is this ok/legal?

~~~
bodz
Discovering a breach is only a fraction of what has to happen before
customers/public should be notified of said breach. It's not very helpful to
anyone if you put out a press release that just says "we discovered a breach
but have no idea who, if anyone, was affected, we have no idea what was
stolen, and we have no idea who did it." There have to be investigations that
happen prior to any of that being known/released. Investigations to find this
type of stuff out usually takes months, and typically involves the FBI or
other agencies, which sometimes will actually ask you to keep news of the
breach quiet if it might help them track down the perpetrators. You also want
time to fix the issue before you go tell the entire world that there's a hole
in your security.

I work in cybersec and I would actually say that under 1.5 months from
discovery of unauthorized access to releasing this press release (and already
having the equifaxsecurity2017 website up and running) is astonishingly fast
work.

~~~
mannykannot
That seems reasonable, up to a point, but it also looks potentially self-
serving and open to abuse (especially given the news about stock sales by
insiders.) If a company in a position with this level of risk cannot staunch
the leak within hours, it should be required to curtail its activities to the
extent necessary to stop further leakage, until it has the proximate cause of
the problem under control.

Nor should the instigation of credit monitoring be delayed until the
investigation is complete. To pick a contemporary analogy, it would be like
not informing the public of an approaching hurricane until its precise point
of landfall has been determined.

~~~
bodz
Building off your analogy, you don't order mandatory evacuations every time
you see a tropical depression form out in the Atlantic. It's only when the
tropical depression actually turns into a hurricane and is on a collision
course that you warn the public.

Data breaches are the same. If you put out a press release every time your
infosec team discovered an attack, you'd be putting out releases every single
day, multiple times a day, even though most of those breaches would turn out
to be inconsequential after investigation. The public would become totally
desensitized to them. That's why the investigation has to be done to determine
if there actually is something to notify the public about.

Now, there's surely a point in the investigation where you "know" that the
public needs to be notified, but you aren't completely done with the
investigation yet. It would probably be in the public interest to notify
_then_ rather than waiting, but I think companies are scared to do this
because many companies in the past have been lambasted by the public for doing
just that. Apparently people don't like it when you release a statement saying
"we had a major breach and some customers are affected but we don't know who
yet", so it seems that companies are opting to get _all_ the facts before
saying _anything_.

~~~
mannykannot
You seem to be saying that, of the two analogies, mine is closer to actual
practice.

------
oneplane
Sadly, they use
[https://www.equifaxsecurity2017.com/](https://www.equifaxsecurity2017.com/)
as their special domain for this case, which smells 9001% like phishing. I
wonder if anybody at Equifax raised some concerns over that.

------
Waterluvian
The whole concept of these credit agencies infuriates me. I didn't sign up for
it. You have a dossier on me that I have no part of. If you F it up, you'd
better bend over backwards to make sure it doesn't affect me.

~~~
ztjio
This simply isn't true. The only way these agencies get your SSN associated
with your personal info is by your agreement with a bank or similar
organization to do so. It always happens with your express approval, even if
you are not savvy enough to pay attention to what you're approving.

~~~
ceejayoz
"You could avoid being in Experian's database by becoming an off-grid hermit
in Montana" isn't really a great response here.

Bank accounts, cars, housing, etc. are necessities, and consumers have no
power to negotiate in a lot of cases. Good luck getting your bank or landlord
to let you opt-out of credit reporting.

------
unclebucknasty
Fear not. You can check to see if you were affected by visiting their site and
giving them more personal data:

[https://www.equifaxsecurity2017.com](https://www.equifaxsecurity2017.com)

/s

Maybe it doesn't matter much, since they've likely already got it. But, it
feels a bit too soon.

An interesting side-note: That domain was registered about two weeks ago on
8/22/2017. Whois reveals not a single pointer to Equifax (e.g. equifax.com
email address, etc.). It shows only DNStination Inc., and so is effectively
private.

When you click the "Enroll" link, then "Begin Enrollment" button, it takes you
to [https://trustedidpremier.com](https://trustedidpremier.com), which was
registered on 8/28/2017, using a different registrar (Amazon, with Whois
Privacy). There's not even a reference to Equifax in the domain itself.

As of _today_ , someone registered equifaxsecurity2018.com with a private
(this time, Domains By Proxy) registration. Given the timing and the fact that
this is a different registrar from the original, it's a good bet that's _not_
Equifax. Or is it? Who knows?

And SSL-wise, these don't even appear to be using extended validation certs
(FWIW). At least one is an Amazon cert, free to anyone who hosts on AWS.

They are virtually training people to be phished and creating another
potential disaster with all of these additional domains, private
registrations, etc.

~~~
mr_overalls
This comment should be nearer the top.

Also, equifaxsecurity2017.com appears to be a stock Wordpress site. Equifax is
a bunch of fucking amateurs. Their security culture is broken.

~~~
unclebucknasty
> _Their security culture is broken._

That sums it up perfectly. This is not a mistake here or there, but a
fundamental lack of appreciation for even the most basic principles of online
security. It's like no one there is even thinking about the consequences of
their choices.

Elsewhere on this thread, I commented on their reliance on an outside security
firm to post-mortem this incident. That is ridiculous. They don't seem to
understand that they are in the security business as much as anything else.
They can't outsource this stuff. Their internal teams should be unparalleled.

You're right. It's absolutely cultural.

------
achille
They got hacked years ago. I know this for sure because I'd used a unique
email address to sign up on their website: equifax@<my name>.com

No one else had that email address. Guess what, I started getting phishing
emails to that exact address.

Tried letting them know, but it went nowhere.
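The per-service address trick above is a canary: if mail for `equifax@<my-domain>` starts arriving from strangers, the address can only have come from that one recipient. As an added example, not code from the thread, here is how that attribution can be automated over raw messages. The domain, the registry of handed-out labels and the three sample messages are constructed for the demo; the function also accepts plus-addressed canaries (`alice+equifax@…`), which the comment does not mention.

```python
"""Attribute inbound mail to the service that leaked a canary address.

Added example, not code from the thread. CANARY_DOMAIN, CANARIES and the raw
messages are constructed; only the one-address-per-service idea is from the post.
"""
import email
from email.utils import getaddresses

CANARY_DOMAIN = "example.com"  # assumed: the domain the per-service addresses live on

# Which label was handed to which service (constructed registry).
CANARIES = {
    "equifax": "Equifax website signup",
    "bigbank": "BigBank online banking",
}

# Constructed raw messages; the third hits an address never given to anyone.
SAMPLE_MESSAGES = [
    "From: support@secure-login.test\r\nTo: equifax@example.com\r\n"
    "Subject: Verify your account\r\n\r\nClick here.\r\n",
    "From: billing@example.net\r\nTo: Alice <bigbank@example.com>\r\n"
    "Subject: Invoice\r\n\r\nThanks.\r\n",
    "From: x@y.test\r\nTo: nobody@example.com\r\nSubject: hi\r\n\r\n\r\n",
]


def canary_label(address):
    """Return the canary label carried by an address on CANARY_DOMAIN, else None.

    Accepts both 'label@domain' (the commenter's scheme) and 'user+label@domain'.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() != CANARY_DOMAIN:
        return None
    label = local.split("+", 1)[1] if "+" in local else local
    return label.lower()


def attribute(raw_message):
    """(service, address) for the first known canary among To/Cc, else None."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("to", []) + msg.get_all("cc", [])
    for _display_name, addr in getaddresses(headers):
        label = canary_label(addr)
        if label in CANARIES:
            return CANARIES[label], addr
    return None


def leak_report(raw_messages):
    """Count messages per service whose canary address received unexpected mail."""
    report = {}
    for raw in raw_messages:
        hit = attribute(raw)
        if hit:
            report[hit[0]] = report.get(hit[0], 0) + 1
    return report


if __name__ == "__main__":
    for service, count in leak_report(SAMPLE_MESSAGES).items():
        print(f"{count} message(s) sent to the address only {service} was given")
```

In practice the interesting signal is mail from senders that are not the service itself, so a deployment would also compare the `From:` domain against the service's known sending domains before counting a hit.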

~~~
edison85
They've been hacked 3 times before. Like Yahoo waiting years to tell anyone,
this is just scummy. I hope they make a law sending people to jail over this.

~~~
liberte82
This administration won't be doing shit about companies like this. We need to
fix the political system if there's to be any hope of justice for these types
of crimes.

------
SCdF
Doing some junky googling, estimates for how many Americans have a credit card
sits in the ~160-180million range.

In other words, when they say "143 million US customers" they really mean "the
vast majority of Americans with a credit card".

Astounding.

~~~
ewams
About half of the country.

~~~
galloway
Given the average US household size of 2.53 [0], this affects far more than
half the country.

[0]
[https://www.census.gov/data/tables/2016/demo/families/cps-2016.html](https://www.census.gov/data/tables/2016/demo/families/cps-2016.html)

------
dangayle
Oh nice. A company that does nothing but collect personal information. I’m
_already_ in their identity protection program, so I'm a little nonplussed at
this.

~~~
jcranendonk
Are you extremely surprised at this, or not at all? Just from context, I can't
quite decide which it is.

~~~
dangayle
I'm not at all surprised, but I am disappointed (to say the least).

------
cjhanks
Is anyone being punished for all of the massive security breaches which appear
to be happening on a nearly daily basis?

~~~
g051051
Well, they try to find and convict the hackers, of course. Or did you mean the
companies like Equifax, or Target, or Home Depot that are the victims of the
break-ins?

~~~
cjhanks
I mean the companies like Equifax. Is there nothing illegal about being
careless enough to leak this much important information to hackers? I
personally think they should be held accountable.

~~~
bodz
Putting aside the whole "punishing the victim" argument, the problem is that
it's excruciatingly hard to draw a line between "being careless" and "you did
everything right but it still wasn't enough", and thus it's really hard to
punish someone for cybersecurity mistakes. I work in cybersec consulting, and
it's certainly true that a large number of companies are simply not investing
enough money/time/effort into cybersecurity protections, and are thus doing a
disservice to their customers.

However, there are also plenty of companies that spend hundreds of millions of
dollars, with _massive_ cybersec departments devoted to protecting from
breaches like this, doing pretty much _everything_ they possibly can right,
and they will still be hacked. Cybersecurity is incredibly difficult,
incredibly expensive, and takes a _really_ long time. And even if you get
99.999999% of your company completely impervious to attackers, it only takes
that 0.0000001% of exposure to sink your ship. Cybersec is also constantly
evolving, so it's nearly impossible to keep up with the latest attack vectors,
etc.

Take the Target breach, for example: Target has a _massive_ effort focused on
cybersecurity. They actually have a cybersec research lab that some law
enforcement agencies go to for help with cybersec issues. But the attack that
hit them took them totally by surprise simply because it was a type of attack
that hadn't really been considered, and thus was very very low on the radar
(if there at all) when it came to protecting against it.

Now, companies in the US actually _are_ held accountable (to an extent). Data
breaches that result in HIPAA violations, for example, usually result in
massive fines for companies. Violations of PCI-DSS will land you in hot water
with the major payment card companies. Some states also have cybersec
regulations that result in fines if you're found to be in violation of them
during an audit. The problem, again, is that cybersec is constantly evolving
and these regulations are years behind. The HIPAA cybersec requirements are
actually pretty laughable, partly because of all the reasons listed above.

~~~
yborg
>and thus it's really hard to punish someone for cybersecurity mistakes

No. If you take it upon yourself to hold this information, you are accepting
the responsibility for its disclosure. If you are not willing to accept
penalty for this happening despite your best efforts, you should not be doing
it.

~~~
bodz
So, what should we do? Should we just fire/jail everyone who has ever worked
for a company that was breached? You realize that would be _literally_
everyone, in pretty much every company ever, right? There's a saying in the
cybersec world: "there are two types of companies: those who know they've been
hacked, and those who don't realize it yet".

Cybersecurity is a field where there's already not enough good talent. And
even the _very best_ talent is still going to not be good enough from time to
time.

It is simply completely naive and unrealistic to expect a company to be 100%
hack-proof, and if you start punishing people for that, then you're just not
going to have anyone taking the job at all, and you're going to have even less
security.

~~~
liberte82
Oh come on. Anyone here who is a developer has at least some experience with
raising a security concern to business or management and having it shot down
as not important enough to worry about. We all know companies still aren't
taking cybersecurity seriously enough, and it's because the consequences for a
breach aren't severe enough.

------
jaycroft
How does it take 16 days to go from buying this domain to getting to public
disclosure?

[https://www.equifaxsecurity2017.com/](https://www.equifaxsecurity2017.com/)

whois:

    ...
    Domain Name: equifaxsecurity2017.com
    Registry Domain ID: 2156034374_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.markmonitor.com
    Registrar URL: http://www.markmonitor.com
    Updated Date: 2017-08-25T08:08:31-0700
    Creation Date: 2017-08-22T15:07:28-0700
    ...
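The WHOIS observations in this thread (unclebucknasty's notes on private registrations and registrars that do not point at Equifax, and the creation date pasted above) are the same checks a phishing-triage script runs. As an added example, not code from the thread or from Equifax, the block below parses a `Key: value` WHOIS record and flags the properties the commenters noticed: a domain registered days before it was first shown to the public, a registrant hidden behind a privacy/proxy service, and a brand name that appears in the domain but not in the registrant (or not at all). The first record is constructed from the fields quoted in the thread; the second record's time of day and registrar URL, the proxy-service list and the 30-day threshold are assumptions.

```python
"""Triage a breach-notification domain from its WHOIS record.

Added example, not Equifax's code and not from the thread. Records are
constructed from the fields the thread quotes; thresholds are assumptions.
"""
import re
from datetime import datetime

# Registrant-privacy services named in the thread (assumed sufficient for the demo).
PRIVACY_PROXIES = ("dnstination", "domains by proxy", "whois privacy")

# Constructed: the fields quoted in the thread, in standard 'Key: value' layout.
WHOIS_EQUIFAXSECURITY2017 = """\
Domain Name: equifaxsecurity2017.com
Registry Domain ID: 2156034374_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-08-25T08:08:31-0700
Creation Date: 2017-08-22T15:07:28-0700
Registrant Organization: DNStination Inc.
"""

# Constructed from the date and registrar the thread mentions; time of day and
# registrar URL are assumed.
WHOIS_TRUSTEDIDPREMIER = """\
Domain Name: trustedidpremier.com
Registrar URL: http://registrar.amazon.com
Creation Date: 2017-08-28T00:00:00-0700
Registrant Organization: Whois Privacy
"""


def parse_whois(text):
    """'Key: value' WHOIS lines -> dict keyed by lower-cased field name."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(\S.*?)\s*$", line)
        if m:
            record[m.group(1).lower()] = m.group(2)
    return record


def whois_date(value):
    """Parse a WHOIS timestamp such as 2017-08-22T15:07:28-0700 into a date."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z").date()


def triage_domain(whois_text, brand, first_seen):
    """Score a domain that claims to speak for `brand`.

    first_seen is the day the domain was first shown to the public (here the
    disclosure date). Returns (age_in_days, flags); flags are heuristics, not proof.
    """
    rec = parse_whois(whois_text)
    domain = rec.get("domain name", "").lower()
    registrant = rec.get("registrant organization", "").lower()
    age = (first_seen - whois_date(rec["creation date"])).days
    b = brand.lower()

    flags = []
    if age < 30:  # assumed threshold: freshly registered domains are the phishing norm
        flags.append(f"registered only {age} days before first use")
    if any(p in registrant for p in PRIVACY_PROXIES):
        flags.append("registrant hidden behind a privacy/proxy service")
    if b not in domain:
        flags.append("domain name does not reference the brand")
    elif b not in registrant:
        flags.append("brand in domain name but not in registrant")
    return age, flags


if __name__ == "__main__":
    disclosure = whois_date("2017-09-07T00:00:00-0700")
    for rec in (WHOIS_EQUIFAXSECURITY2017, WHOIS_TRUSTEDIDPREMIER):
        age, flags = triage_domain(rec, "Equifax", disclosure)
        print(parse_whois(rec)["domain name"], age, flags)
```

Run against a live `whois` output, the same function would flag a genuine notification site and an attacker's look-alike identically, which is exactly the problem the commenters describe: the legitimate domains were set up in a way that gives users nothing to distinguish them from phishing.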

------
sriram_sun
From the article: "No Evidence of Unauthorized Access to Core Consumer or
Commercial Credit Reporting Databases." Later on they say "The information
accessed primarily includes names, Social Security numbers, birth dates,
addresses and, in some instances, driver's license numbers."

I am having a difficult time reconciling those two sentences.

~~~
lawnchair_larry
Really makes you wonder what dataset this is, if it is apparently not consumer
credit reports. And where did they get so much data on so many Americans?

~~~
ceejayoz
I'd imagine the vulnerability allowed the "people" table to be accessed, but
not the full list of credit report items for those people.

As for how they got the info, if you have a bank account, a landlord, a
student loan, etc., Equifax knows who you are. Virtually any organization that
extends credit or collects unpaid debts is going to be reporting that to the
three agencies.

------
Deinos
Good analysis over at Krebs on Security:

[https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/](https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/)

------
knowuh
> Credit reporting agencies are one of the greatest/worst rackets in the
> modern financial system

Can someone notify me when the class action has been initiated?

~~~
maxerickson
If you want to win big, initiate it. Members of the class are likely to get
something stupid like free credit monitoring from Equifax.

~~~
juancampa
They are already offering exactly that.
[https://www.equifaxsecurity2017.com/](https://www.equifaxsecurity2017.com/)

~~~
dwyerm
I'll bet $5 that signing up for their monitoring service comes with a class-
action waiver sweetener.

~~~
snsr
> _I'll bet $5 that signing up for their monitoring service comes with a
> class-action waiver_

It does indeed.

[https://trustedidpremier.com/static/terms](https://trustedidpremier.com/static/terms)

~~~
mikestew
Please highlight the part where it specifically says one waives the right to
sue Equifax over the data breach. Because the agreement _is_ specific about
what it covers.

------
bandrami
Oh, hey, isn't that the corporation that is paid shit-tons of money by my
potential landlords, employers, lenders, and for that matter anybody willing
to pony up the cash, to determine if _I_ can be trusted?

Kind of funny, isn't it?

------
unclebucknasty
> _Equifax said that, it had hired a cybersecurity firm to conduct a review to
> determine the scale of the invasion._

I think most people are unaware of the depth of data Equifax has on them,
beyond simple credit scores (e.g. health information).

Which makes the above quote from the article even more unconscionable. There
should be no need for an outside firm to figure out what happened. They should
have in-house expertise that is unmatched (although third-party audits ahead
of time would be wise).

------
tryingagainbro
If it's online, it will be hacked and exposed. The new reality! Let's just try
to limit what info we give to companies, knowing it will be leaked sooner or
later.

~~~
mimg
In the case of Equifax customer data was given to them by creditors. Customers
had no say.

------
KomradeKeeks
How can we hold Equifax accountable for this? They literally have one job, and
have failed so miserably at this one job that about half of the US population
has been exposed, regardless of their personal opsec.

Is this grounds for a class-action lawsuit?

------
EGreg
Perhaps it is time for our companies and institutions to move away from social
security numbers, credit cards, driver licenses and such stuff to having
people authenticate using apps on their devices (or in person with
biometrics).

iPhones now have the Secure Enclave, Androids have the Secure Element. You can
store private keys there.

Authentication is done by apps signing challenges. This can be done in many
ways, including OAuth, QR codes to authorize new devices, etc.

Identity can be done by posting signed identity claims across websites, and
adding/repudiating public keys in a personal scuttlebutt-type blockchain.

You can then easily sign into site X and prove your identity on sites Y and Z,
without any sites necessarily tracking you between them.

Here is my semi-humble proposal for a decentralized, secure auth protocol that
works with everything out there:

[https://github.com/Qbix/auth](https://github.com/Qbix/auth)

If you have experience writing tech specifications, please reply, I need
someone to write the normative section of that protocol properly.

------
narrator
The problem with the SSN is it is an identifier and a secret. It's a username
and password in one, you can't change it and you need it for any substantial
financial transaction.

Ideally, we'd have both a public username and a private password that we could
change for our financial identification. This would eliminate most of the
problems with these big data breaches. The backup for resetting a forgotten
password would be to show up in person and do some sort of biometric scan.
Biometrics have to be done in person at a government office though since they
aren't secret and cannot be changed. There shouldn't be an over the wire API
for biometric identification because then you've got the SSN problem all over
again, a combined username and password that's even more public than an SSN
that can't be changed.

------
pfarnsworth
These fuckers should literally be put out of business. They have one job, and
they fail at it time and time again. They can't be trusted with our data. They
need to be shut down. Does anyone know how to start a ballot measure in
California to create a Proposition to stop using Equifax in California?

------
ceejayoz
> Equifax has established a dedicated website, www.equifaxsecurity2017.com, to
> help consumers determine if their information has been potentially impacted
> and to sign up for credit file monitoring and identity theft protection.

Really? "We lost your info. Sign up for our credit monitoring service!"

~~~
tombrossman
I note that equifaxsecurity2018.com is already registered, but
equifaxsecurity2019.com is available.

~~~
QUFB
Not anymore.

------
edison85
4 executives sold 1.8 million worth of shares randomly, not on a pre-scheduled
basis, 4 days ago, likely after they realized the breach.

We need regulatory framework on cybersecurity and failure to adhere to it must
result in mandatory jail time

------
apexalpha
Honest question from a European: how would this work if I moved to the US?
Would I simply not get a loan because I don't have a credit score? Do I apply
at private companies and give them all my loan history?

Here in my country the government (or some agency) keeps track of what loans
you have, and when a new company wants to issue you a loan you access the API
with information like "2 years, €50 each month" and then the program responds
with 'approved' or 'not approved'.

Giving all of these private companies all this data seems counter to American
values of independence etc...

~~~
dx034
Most European countries have credit agencies, just that they have different
names. When moving country, you usually have to build up a new credit
reputation. Even when you move within Europe. A clean history will mean that
you can get some credit cards but bigger loans will often require a few years
of history with at least a current account.

------
silveira
From
[https://trustedidpremier.com/static/terms](https://trustedidpremier.com/static/terms)

_"By consenting to submit Your Claims to arbitration, You will be forfeiting
Your right to bring or participate in any class action (whether as a named
plaintiff or a class member) or to share in any class action awards, including
class claims where a class has not yet been certified, even if the facts and
circumstances upon which the Claims are based already occurred or existed."_

Sign for their TrustedID Premier and lose your rights.

------
hedora
Ok everyone: Someone here has enough free time to do this, and then buy an
island with the proceeds.

Set up a web page that will automatically opt out of the settlement and file a
small claims court suit against them seeking $1K in damages. $1K is lower than
actual damage done (in wasted time) for most people. It is also lower than the
cost of defending against the suit in court.

~143 million people were impacted, so that's ~ $143B in liability. Their
market cap is $17B. Problem solved.

Even better, most victims never consented to doing business with them, so
there cannot be any binding arbitration issues to get in the way.

------
mrguyorama
> Exploited a US website application vulnerability

> The information accessed primarily includes names, Social Security numbers...
> credit card numbers for approximately 209,000 U.S. consumers, and certain
> dispute documents with personal identifying information for approximately
> 182,000 U.S. consumers, were accessed

Was all this data available and accessible through the same application? I
wonder how likely it was something incredibly trivial, like SQL injection, or
whether they were truly targeted and infiltrated

------
ringaroundthetx
This is why I'm not secretive about my SSN. My neighbor, roommate or a random
passerby isn't the attack vector, it is the trusted institution.

I'm not going to post it here, but I wouldn't even mind saying it over the
phone while standing in line somewhere. It's just not the real attack vector.

Result here shows that whispering it and writing it down on Post-it notes for a
bank teller have zero bearing on your identity security.

------
lsh123
This is very simple: the cost of this "incident" for Equifax is zero. As a
smart business decision they are not investing (enough) in security and code
quality because they don't need to.

Now if they knew that there is a $1000 fine per each stolen identity
information, then the equation will shift and it will be a much better
business decision to invest into protecting user data.

------
the_unknown
"Residents in the U.K. and Canada were also impacted." Yet Equifax is only
providing lookup or TrustedID protection for Americans.

------
notyourday
This entire thing is a joke and will continue to be a joke until we get laws
that hold executives personally criminally responsible for breaches. Together
with automatic forfeiture of personal assets. As long as there's no _personal_
motivation from people who make hundreds of millions of dollars by sitting on
top of the pyramid nothing is going to change.

------
rdtsc
> The company has found no evidence of unauthorized activity on Equifax's core
> consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers,
birth dates, addresses and, in some instances, driver's license numbers.

So what are they saying? Was all this information accessed or not accessed?

~~~
raquo
If it wasn't accessed, they would have been very clear about that. They're
just mentioning "core consumer or commercial credit reporting databases",
whatever those are, to dilute the horrifying message and confuse everyone.

------
cmiles74
The fact that they're using their press release, which lets people know how
irresponsible they've been, to try and trick people into waiving their right
to join a class action lawsuit against them is just the worst[0]. Sure, it may
not hold up in court, but it's tricky and slimy and gross.

Credit Karma sent me an email this morning with the subject line "Your New
Score" and I almost spit coffee all over my workstation. In fact my score only
went down a point on Trans-Union, but it still was pretty scary to see in my
inbox.

[0]: [https://techcrunch.com/2017/09/07/equifax-data-breach-help-site-leaves-consumers-with-more-questions-than-answers/?ncid=mobilenavtrend](https://techcrunch.com/2017/09/07/equifax-data-breach-help-site-leaves-consumers-with-more-questions-than-answers/?ncid=mobilenavtrend)

------
swat535
Has equifax.ca also been affected? Does anyone have any intel on that? Now I'm
worried.

~~~
liberte82
"Equifax also identified unauthorized access to limited personal information
for certain UK and Canadian residents. Equifax will work with UK and Canadian
regulators to determine appropriate next steps. The company has found no
evidence that personal information of consumers in any other country has been
impacted."

Fairly ambiguous and I trust that sentence about as far as I can throw it. I
too am interested in the answer to this, both personally and as an employee of
a company that uses their services.

------
ge96
>The company said that it discovered the intrusion on July 29

Why is this posted now?

------
palerdot
> Equifax is a global information solutions company that uses trusted unique
> data, innovative analytics, technology and industry expertise to power
> organizations and individuals around the world by transforming knowledge
> into insights that help make more informed business and personal decisions.

When they have no clue what they are conveying about themselves to the people,
these kinds of clueless incidents do happen.

------
ransom1538
Everything you create online will get hacked. It will eventually just be
accessible in a nice query-able format in the future. Your texts with your ex,
your credit reports, your taxes, your shopping habits, will all just be
public one day. I understand people have a violent reaction to this -- but it
is really becoming true. Mask who you are, hide what you do, send things that
self destruct.

------
amygdyl
I have once gone so far as to write a preliminary claim for defamation and
libel, and put the brief to clerks for barristers to indicate interest and
availability.

My issue was swiftly resolved, but I felt the cold chill as replies came
revised to note that overnight instructions for a separate matter were being
notified to reflect the possible conflicts of interest the association rules
require disclosed.

Barristers' chambers can be used by opponent litigants, but with leave from the
Master of Court, if not the Justice or Judge. I am thankful for my memory
fading, and I actively discourage mistaking me for an authority. But I am not
unwelcoming to inquiry from any request for anecdotal vignettes of IP and
Companies Court cases, should there be need and understanding of my
limitations. Laddie, LJ, was the solitary Lord Justice to ever resign the
Queen's Bench. He was protesting the woeful incapacity of the Higher Courts to
try specialised and particularly IP cases.

It was Laddie who handed down the scintillating condemnation of Manchester
United soccer club for suing fans who knitted scarves in club colors.

Closer to home for many, Laddie is the one loss lamented by Patry, who wrote
both testaments and the dead sea scrolls on US copyright and became an
instrumental counsel to the growing young Google. Be unaware of these two names
at your peril, in a litigious world of degenerate law for inventors and
artists, and all who de novo create.

Edit, "bible" was a redundant word; separated paragraphs for clarity.

------
themark
I expect this won't be the only bad news that is released today and tomorrow
given the impending death and destruction coming this weekend.

------
throwaway613834
Question: Is there any way to get a notification whenever a credit account of
any sort has been opened in my name, WITHOUT freezing my credit or otherwise
crippling/slowing/altering any process that exists? I just want a letter or
email notification, not any other changes to anything. Ideally a free way, but
paid if a free way doesn't exist...

------
devrandomguy
So, can anyone tell me, why are there three credit agencies? Why not one, or
thirty? Could I start a credit agency, just by judging that certain people are
level 9000 reliable, and others are just level 100 reliable? I swear it's not
slander, everyone I refer to is reliable, it's just that some of them have
demonstrated exceptional reliability.

~~~
ceejayoz
One would probably mean antitrust action or nationalization.

There are more than three -
[https://en.wikipedia.org/wiki/Innovis](https://en.wikipedia.org/wiki/Innovis)
for example - but the big three are the ones with market power. Anyone can
start one - but it's tough getting banks and landlords to use you, especially
in the beginning when you've got no data. Massive barriers to entry.

------
Shivetya
Points to the wise: always keep your credit FROZEN. All three of the big
credit firms make it simple to do and it has been easy to unlock when I wanted
to do so. If I know I am going to want to use my credit for a new account I
identify which one the bank/merchant/etc. will use and unlock it for 48 hours.

------
kyledrake
There should be a way to freeze all 3 (and/or all significant) from a single
web site, and it should be free. It's mind blowing to me that this isn't
codified into law yet.

Actually, if someone did this (well) as a service I would probably even pay a
small amount of money for it. Startup idea?

------
Boothroid
I find the section about the arse-covering website amusing in the way they
cannot help but give it a stupid marketing speak name, and phrase it like it's
some fantastic product they are providing rather than a desperate response to
an existential threat!

------
vkou
> The company has found no evidence of unauthorized activity on Equifax’s core
> consumer or commercial credit reporting databases.

Oh good, sounds like Equifax's valuable data is safe, it's just that of their
unwilling 'customers' that leaked.

~~~
tryingagainbro
_Oh good, sounds like Equifax's valuable data is safe, it's just that of
their unwilling 'customers' that leaked._

Don't worry, for $9.99 a month they'll help you clean the mess they made. I am
being sarcastic, but I wouldn't be surprised at their audacity.

------
durfdurf
"Another potential complication for the company is that public filings show
that three senior executives, including chief financial officer John Gamble,
sold shares worth almost $1.8m in the days after the attack was detected."

quote from FT.com

------
rj123
They discovered this on July 29, the CFO and two other senior executives sold
shares 3 days later. They are just now reporting it (when most of the news
coverage is focused on the hurricanes). What are the odds they get their day
in court?

------
noncoml
Too big to punish?

~~~
geetfun
Like the old saying... you owe the bank 10 thousand dollars? Your problem. You
owe them 10 billion? Their problem.

------
chejazi
[https://docs.google.com/document/d/1mBxLzOCEKfl4SrckBD7Bp7P5DMi7MlzSTk37RPieeMM/edit](https://docs.google.com/document/d/1mBxLzOCEKfl4SrckBD7Bp7P5DMi7MlzSTk37RPieeMM/edit)

------
axelluke
It makes me wonder how they set up their security infrastructure. Were the
hackers able to freely access their HSMs? Do they not monitor access? Would be
nice if some form of RCA is made public.

------
mgalka
> I apologize to consumers and our business customers for the concern and
> frustration this causes

What a cop out. "Concern and frustration" are not the problem here. Identity
theft is.

------
frankydp
I am dumbfounded that they are not waiving credit freeze fees.

------
jhallenworld
People should be asking just how Equifax ended up with any of your private
information. Do you authorize anyone to share this sensitive information with
them?

~~~
ceejayoz
> Do you authorize anyone to share this sensitive information with them?

Almost certainly. Any time you've taken a loan, opened a bank account, rented
a car, etc. you've likely agreed to it in the fine print.

Whether you had any _choice_ in the matter is a far more important question.

------
damosneeze
So in order to see if my sensitive data was stolen from an Equifax database, I
have to enter my sensitive information into an Equifax database.

~~~
ceejayoz
"Your data wasn't taken! Don't worry, it'll now be lost in the next hack, so
you can have your free credit monitoring then."

------
jiggunjer
Did anyone understand what equifax is from their description in the article? I
had to google it despite the "about equifax" paragraph.

------
AzzieElbab
143 million sounds like pretty much all of their data

------
emodendroket
As long as there are practically no penalties this will keep happening. Forty-
four percent of Americans are affected in this.

------
eiji
Did they have to release the incident now by law, or did they choose the week
so that the Irma weekend can blow over this?

------
matheweis
One thing seems to be conspicuously absent from the press releases; is there
any inkling of who might have done it?

------
ajoy
One possible solution is to use the concept of the public and private keys we
use for digital signing/encryption.

You can use my public key/public SSN to make inquiries about me and check my
credit history. But to open an account or take out a loan etc, you also need
my private key, private SSN, which is not stored once the account modification
is done.

IMHO, this is never going to happen, but it seems like it could be a solution
to these problems?
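
The device-key authentication EGreg describes above and the public-SSN /
private-SSN split ajoy proposes come down to the same mechanism, and it is also
what narrator asks for in a changeable secret: a lender keeps only a public
identifier and a public key for each person, and will open an account only
after seeing a signature over a fresh challenge made by the matching private
key, which never leaves the person's device. The Go program below is an added
example by the editor; it is not code from any commenter, from the Qbix/auth
repository, or from Equifax. It assumes Ed25519 keys, a challenge layout of my
own invention ("open-account|lender|nonce|time"), a five-minute validity window,
and an in-memory map standing in for a bureau's directory; "alice" and
"BigBank" are constructed sample names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Identity is all a bureau or lender keeps on file; dumping it opens no accounts.
type Identity struct{ ID string; Pub ed25519.PublicKey }

// Challenge is bound to the lender's name and a fresh nonce, so a signature
// obtained by one lender cannot be presented to another or used twice.
type Challenge struct{ Lender, Nonce string; Issued time.Time }

// bytes is the exact string that gets signed; the prefix keeps an
// account-opening signature from being mistaken for any other message type.
func (c Challenge) bytes() []byte {
	return []byte("open-account|" + c.Lender + "|" + c.Nonce + "|" + c.Issued.UTC().Format(time.RFC3339))
}

// Wallet is the borrower's side; on a phone priv would live in the Secure
// Enclave / Secure Element and never be exportable. Here it is process memory.
type Wallet struct{ ID string; priv ed25519.PrivateKey }

func NewWallet(id string) (*Wallet, Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Identity{}, err
	}
	return &Wallet{ID: id, priv: priv}, Identity{ID: id, Pub: pub}, nil
}

// Sign answers a challenge; the private key never leaves the wallet.
func (w *Wallet) Sign(c Challenge) []byte { return ed25519.Sign(w.priv, c.bytes()) }

func rotationMsg(id string, pub ed25519.PublicKey) []byte { return append([]byte("rotate|"+id+"|"), pub...) }

// Rotate swaps in a new key pair and returns the new public key signed by the
// old one, which is what makes this credential changeable after a compromise.
func (w *Wallet) Rotate() (Identity, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Identity{}, nil, err
	}
	proof := ed25519.Sign(w.priv, rotationMsg(w.ID, pub))
	w.priv = priv
	return Identity{ID: w.ID, Pub: pub}, proof, nil
}

// Lender holds a directory of public keys and the nonces it has already accepted.
type Lender struct{ Name string; directory map[string]Identity; seen map[string]bool }

func NewLender(name string) *Lender {
	return &Lender{Name: name, directory: map[string]Identity{}, seen: map[string]bool{}}
}
func (l *Lender) Register(id Identity) { l.directory[id.ID] = id }

// UpdateKey accepts a rotation only when the currently registered key signed it.
func (l *Lender) UpdateKey(next Identity, proof []byte) error {
	cur, ok := l.directory[next.ID]
	if !ok || !ed25519.Verify(cur.Pub, rotationMsg(next.ID, next.Pub), proof) {
		return errors.New("rotation not signed by the registered key")
	}
	l.directory[next.ID] = next
	return nil
}

func (l *Lender) NewChallenge() (Challenge, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return Challenge{}, err
	}
	return Challenge{Lender: l.Name, Nonce: hex.EncodeToString(nonce[:]), Issued: time.Now()}, nil
}

// Verify refuses even a valid signature if it was meant for another lender,
// is stale, or has been seen before; only a fresh, correctly bound one passes.
func (l *Lender) Verify(id string, c Challenge, sig []byte, now time.Time) error {
	ident, ok := l.directory[id]
	switch {
	case !ok:
		return errors.New("unknown identity")
	case c.Lender != l.Name:
		return errors.New("challenge issued by a different lender")
	case now.Sub(c.Issued) > 5*time.Minute:
		return errors.New("challenge expired")
	case l.seen[c.Nonce]:
		return errors.New("challenge already used")
	case !ed25519.Verify(ident.Pub, c.bytes(), sig):
		return errors.New("signature does not verify")
	}
	l.seen[c.Nonce] = true
	return nil
}

func main() {
	alice, ident, _ := NewWallet("alice") // constructed sample identity
	bank := NewLender("BigBank")
	bank.Register(ident)
	c, _ := bank.NewChallenge()
	fmt.Println("first use:", bank.Verify("alice", c, alice.Sign(c), time.Now()))
	fmt.Println("replay:   ", bank.Verify("alice", c, alice.Sign(c), time.Now()))
}
```

Three of the rejection paths in Verify matter as much as the signature check
itself. Without the lender's name inside the signed bytes, a phishing site could
collect a signature from the user and relay it to the real lender; without the
nonce record, a signature observed once could be replayed; without the time
bound, the nonce record would have to grow forever. A breach of the lender's or
bureau's directory yields only public keys, and a user who suspects compromise
rotates to a new key rather than living with one unchangeable number.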

------
matthewcford
Nice for Equifax that this happened before GDPR is enforced and they would
have been fined 4 per cent of turnover.

------
secfirstmd
Wonder how much this would cost if it was European citizen Data under the
GDPR...

------
bernardlunn
This is where sovereign identity solutions on Blockchain show the way forward.
For example check out Civic and Pillar. Non-disclosure: no commercial interest
in them. We should own our own data and that must mean decentralised. All
centralised data gets hacked - all.

~~~
ceejayoz
> All centralised data gets hacked - all.

What, and no one ever lost their Bitcoins via a key breach?

Owning our own data has very, very significant security implications. The
average human isn't technically prepared to be their own infosec department.

------
empath75
This is horrendously bad.

------
dannylandau
Can some form of biometrics prevent such incidents going forward?

~~~
ceejayoz
No. Link says it was a vulnerability in their website, so adding biometrics
would've probably just meant your biometrics would've been leaked alongside
your SSN.

------
joshdance
Is there a way to check if your information was exposed?

------
mediocrejoker
How did it take them over a month to report this?

------
ge96
How do you know if this affects you?

~~~
james-skemp
That's what I came here for too. They have a site (go to Equifax for a
notification banner) but providing the information they want just tells me to
check back later. From the text I would assume I wasn't impacted, despite the
fact that it seems almost everyone who used the site would have been.

Edit: Seems that if you have a date you're impacted.
[https://www.reddit.com/r/personalfinance/comments/6yq36a/equifax_reports_cyber_incident_may_affect_143/dmpbqlr/](https://www.reddit.com/r/personalfinance/comments/6yq36a/equifax_reports_cyber_incident_may_affect_143/dmpbqlr/)

~~~
ge96
Have a date?

Thanks for the info will check it out, I suppose one saving grace for me is my
credit is destroyed.

edit: that's funny "I know we just lost your SSN, but could you type it in
again?" Also curious if by asking for the last six makes search faster,
probably.

site to check impact:
[https://trustedidpremier.com/eligibility/eligibility.html](https://trustedidpremier.com/eligibility/eligibility.html)

Edit: that link (trusted) doesn't even say equifax in it; pulled it from
Reddit, would be funny if it was a phishing site.

Edit: this one looks more legit

[https://www.equifaxsecurity2017.com/potential-impact/](https://www.equifaxsecurity2017.com/potential-impact/)

Still not the main domain

~~~
ajoy
Seems to be linked to from the main Equifax site:
[https://www.equifax.com/personal/](https://www.equifax.com/personal/) (see
banner at top)

------
chmike
Any info on how they were hacked ?

------
pjdemers
DO NOT enter your information into their "have you been affected website".

If you enter your information, you agree not to sue them.

------
Myrth
Is it enough to freeze credit?

------
Chiba-City
The Spice will not flow.

