
Equifax Faces Multibillion-Dollar Lawsuit Over Hack - jameslk
https://www.bloomberg.com/news/articles/2017-09-08/equifax-sued-over-massive-hack-in-multibillion-dollar-lawsuit
======
hedora
I'd love to see the $70B number pan out (though $500 per person is less than
the damages, I think) -- Equifax is a $17B company, and would presumably stop
existing if that happened.

On the other hand, these things always settle out of court, and Equifax
certainly won't settle the suit for more than they're worth.

I said it elsewhere, but I think the right response is to opt out of the
class, and sue for $1000 in small claims court. If ~15% of the class does
this, they are out of business, and lawyers don't get a dime of the $1000.

Also, I'd love to see a new non-profit website that automated the paperwork.

~~~
billh
This class action will likely be settled in the same way the Ticketmaster case
was settled ... with a coupon book good for 2 free credit reports.

~~~
rayiner
Probably for good reason. $500 per class member is an insanely high damages
estimate. 99.9% of people will suffer zero damages because their identities
will not be stolen. Even the ones who do have their identities stolen will
likely be made whole by the credit card companies.

The real damages here are going to be to the banks and credit card companies
that will have to absorb the costs of all the fraud.

As to the Ticket Master case, you can read the complaint yourself and see if
$5 or so per class member settlement value was reasonable:
[http://www.ticketfeelitigation.com/docs/Fourth_Amended_Compl...](http://www.ticketfeelitigation.com/docs/Fourth_Amended_Complaint.pdf).
The theory was that TicketMaster didn't disclose that it was marking up fees
for things like UPS delivery and order processing, and that if customers had
known they wouldn't have ordered the tickets. That's a weak damages theory,
because customers don't care about line items they care about the bottom line.
Either they'll pay $X for the tickets or they won't. Unsurprisingly, that weak
damages theory led to a small per-class-member settlement.

~~~
raisedbyninjas
"Even the ones who do have their identities stolen will likely be made whole
by the credit card companies."

Fraudulent charges on a credit card are the least of my concerns. This opens
us up to a lifetime of identity theft and insecure accounts of every sort. I'm
not even sure how they can approach remedying the problem. Coordinate with the
SSA to get 150 million people new SSNs at the least.

~~~
logfromblammo
Why would people need new SSNs? It was the credit industry that misused them
as a combination of unique identifier and authenticator, and that is not the
SSA's responsibility to fix. The government even tried to curb misuse of the
SSN, but it was not binding on private entities, and they just ignored it.

The solution, whatever it is, does not include anyone continuing to pretend
that the SSN is now or has ever been suitable for any purposes other than for
tracking government benefits managed by the SSA, and possibly also for tax
filings with the IRS.

~~~
aeorgnoieang
> other than for tracking government benefits managed by the SSA, and possibly
> also for tax filings with the IRS

... and all of the other government benefits, programs, or mandated
activities, many (all?) of which demand your SSN. Are you even sure that the
credit industry, i.e. banks, originally misused SSNs? I wouldn't be surprised
if they were _required_, by the government, to use them, precisely because it
is the closest thing to an official "unique identifier".

Some people also might be concerned with not receiving their SS benefits
either, which isn't entirely far-fetched given that others might now be using
it for nefarious purposes (like trying to collect their SS benefits).

~~~
cr0sh
> I wouldn't be surprised if they were required, by the government, to use
> them, precisely because it is the closest thing to an official "unique
> identifier".

I read something somewhere else (maybe on a different HN thread, maybe here?)
that this was changed in 2000 for something called "red flag laws", IIRC.

So yeah - it is required.

------
runesoerensen
NYS Attorney General on the arbitration/rights waiver clause: _"This language
is unacceptable and unenforceable. My staff has already contacted @Equifax to
demand that they remove it."_
[https://twitter.com/AGSchneiderman/status/906195350532304896](https://twitter.com/AGSchneiderman/status/906195350532304896)

Also: _"I am launching a formal investigation into the #Equifax breach.
Today, I sent a letter to @Equifax seeking additional information."_
[https://twitter.com/AGSchneiderman/status/906197644841766912](https://twitter.com/AGSchneiderman/status/906197644841766912)

~~~
hcurtiss
Yeah, I'm not sure the arbitration language is applicable here anyway. The
claims would arise from Experian's failure to secure their data, not from use
of the "Products" offered by TrustedID (namely, the website allowing me to
check) or the subject matter of the Terms of Use agreement.

~~~
mjn
Their FAQ [1] now appears to explicitly say so: that the class-action waiver
and arbitration agreement only apply to disputes over the credit-monitoring
product itself, not over the original breach. I don't know if they have some
way to still weasel out of that, but publishing that clarification on their
website seems like it'd make it harder?

_Do the TrustedID Terms of Use limit my options related to the cyber security
incident?_

_The arbitration clause and class action waiver included in the TrustedID
Premier Terms of Use applies to the free credit file monitoring and identity
theft protection products, and not the cybersecurity incident._

[1] [https://www.equifaxsecurity2017.com/frequently-asked-questio...](https://www.equifaxsecurity2017.com/frequently-asked-questions/#tab-2)

------
cletus
Ok, so credit reporting agency collects sensitive personal and financial data
on basically every adult American, loses it to a bunch of criminals and now I
have to deal with the consequences?

I looked into credit freezes yesterday. This is really a total scam. You have
to _call_ each of the three agencies and pay a fee ($5 to $10) each time. If
you need to unfreeze your report to make a legitimate credit application you
have to call each of them twice (once to unfreeze and another to freeze)
paying fees every time.

Now if you're a paying member (paying a minimum of $15/month to each agency)
you can just lock and unlock your credit file on a mobile app (well, three
mobile apps and I'm not sure all three support this). It's amazing how
convenient things get once they're already extorting you for "credit
protection".

This shouldn't even be legal.

Also, if a fraudster defrauds a financial institution with your personally
identifiable details, it should be an issue between the agency and the
financial institution as you were not a party to this loan. The reporting
agency saying you were should be slander.

Financial institutions should be interested in consumers having an easy
ability to lock their credit files as it would decrease the number of
fraudulent credit applications.

So why can't I have a mobile app (or three) for free that allows me to easily
lock and unlock my file or, better yet, to vet every inquiry and approve it or
not?

~~~
SonicSoul
Hmm, I called the 3 mentioned here today and all were free.

[https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs)

    Equifax — 1-800-349-9960
    Experian — 1‑888‑397‑3742
    TransUnion — 1-888-909-8872

~~~
kimsk112
[https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place)
said:

"You'll need to supply your name, address, date of birth, Social Security
number and other personal information. Fees vary based on where you live, but
commonly range from $5 to $10."

So depending on where you live, you probably have to pay.

~~~
SilasX
So wait, you only need to provide the very same data that was just breached?
So anyone can just freeze anyone else's credit now?

Edit: well, you have to pay with a credit card so it's traceable, so not that
bad.

~~~
datums
Well, depending if you have the answer to the 4-5 security questions, like
previous address, car loan payment amount, or mortgage, stuff that you would
only know. I don't know the full scope of the compromise, but someone wanting
to use your info would not benefit from freezing it. If you forget your PIN
I'm expecting them to send it to the mailing address.

~~~
smarks
Even if an attacker doesn't benefit, it's still possible for them to mount a
denial-of-service attack. That could be very damaging. Or, they could use the
threat of a DoS attack for extortion purposes.

------
eduren
> In the complaint filed in Portland, Ore., federal court, _users_ alleged
Equifax was negligent in failing to protect consumer data, choosing to save
money instead of spending on technical safeguards that could have stopped the
attack.

Doesn't "users" imply that we had a choice in the matter? As if we're
Equifax's customers? I feel more like we're victims in this case.

~~~
Taek
Got an email from my Dad today:

"I checked myself, my wife, you and your brother. To the best of my knowledge
none of us have Equifax accounts, but it says they probably got our address &
driver's license for all four of us.

I don't want to waste money on LifeLock. What can I do? Just watch my
accounts?"

Is Visa, MasterCard, etc. at least partially to blame here for picking a bad
solution? My personal ties are not with Equifax, I have no direct means as a
consumer to express dissatisfaction. Can I sue Visa? They are the ones (I
presume anyway) who did the actual information collection from me, and then it
was mishandled.

We need more tools for dealing with data breaches. Things aren't slowing down,
and they aren't going to unless something big changes.

~~~
jaranha
You should watch your accounts. I use Credit Karma and they will send you
alerts and updates for various credit events (account opening/closing, paying
off a balance, etc). It's free. Edit: They only monitor TransUnion and Equifax
data; not Experian.

If you don't want to pay for LifeLock, which I agree is a bit steep, you can
usually get an identity theft protection policy from most major insurance
companies. The premiums vary, but are usually a fraction of LifeLock's fees.
Just be sure you understand what's covered.

I use both of those and it costs me $25/yr total.

You can check the Fair Credit Reporting Act for more information about various
parties' responsibilities in handling your credit information. However, I
don't think you'd be able to sue lenders/creditors in this case. They are
distinct from the credit reporting agency that seems to be at fault.

~~~
throwaway613834
> I use Credit Karma

> They only monitor TransUnion and Equifax data

Where do you see that they monitor Equifax data? I only see TransUnion
mentioned.

------
privaroonie
Yeah, I would think so. So far, we've learned that they've exposed virtually
everyone's data through their incompetence (thus exposing nearly every adult
in the US to a high risk of identity fraud), sold stock to avoid personal
financial losses before the news broke, and set up a scam site to trick people
into giving up their right to sue.

If this isn't criminal, then nothing is. If someone doesn't go to jail over
this, why the hell shouldn't I just go out and commit fraud on a daily basis
myself? It seems to be rewarded in our society...

~~~
outoftacos
I am still unsure as to how any of the credit bureaus exist legally at all, I
never consented to having all my eggs in those three vulnerable baskets. Why
is this my problem all of a sudden?

I get that consumer protections in the US are not very strong, but this just
seems like a shady cartel in cahoots with the banks/insurance companies.
Please tell me I'm grossly misunderstanding something here.

~~~
matthewmcg
It's a historical fluke. Credit bureaus trace back to agencies that compiled
third-party reports on the creditworthiness of business persons. So long as
the information collected is accurate (and not defamatory), this type of
activity is protected under the first amendment.

See the first segment of this episode of the _Backstory_ podcast for a
retelling of how these early agencies worked:
[http://backstoryradio.org/shows/keeping-tabs-2016/](http://backstoryradio.org/shows/keeping-tabs-2016/)

~~~
cm2187
But then what happens if that information becomes inaccurate? (if your credit
report shows credit events that aren't yours as a result of a fraud). Doesn't
it become a form of defamation?

~~~
conanbatt
John Oliver made a segment about this on how a person was denied a rental
contract because one of these agencies said he was a terrorist.

Like really, Equifax saying "his score is pretty good, but he IS a terrorist".
Sometimes correcting those things takes months.

~~~
mjcl
It's ridiculous, but no property management company wants to risk a fine when
the cost of checking the OFAC SDN list is so small. I'm not sure if we ever
saw a decline due to the OFAC list, so I could easily see it would take a long
time for something that unusual to be straightened out.

------
ineptech
Is it time for a Federal Department of Verifying Whether People Are Who They
Say They Are?

Verifying identity with SSN is broken. The right way is probably more or less
how big webapps do it - MFA + a password that the user can reset by providing
a bunch of info. The government has the necessary private info to do this in
most cases (e.g. DL# plus your income from last year's taxes), and can fall
back to "Show up at a police station/DMV/other office and talk to a human" in
disputed cases.

I'm sure there are lots of private corporations that would love to be the One
True Arbiter of who's who, but none of us would trust them, or want to pay the
price. An open source solution (something like Keybase?) seems possible, but
not without government backing.

~~~
adrr
Won't work. Once companies start gathering private data stored in this DB, it
can be compromised and government isn't that great at securing data either.
MFA would require everyone to have a smart phone or RSA key fobs. SMS/Phone
based authentication isn't secure.

Only real way to get true identity system is biometrics (fingerprints, DNA, or
Iris) taken at birth. But that will never happen for privacy reasons.

~~~
ineptech
Biometrics have their own problems. What's a fingerprint but a password you can't
change?

Any secret can be stolen, bio or otherwise. The key to robust ongoing identity
is not a better shared secret, it's a better way of recovering from theft of
shared secrets. One way is to have a big trove of non-secret-but-not-public
data, like previous addresses and employers (which is how the credit bureaus
sometimes authenticate people). Who has more such info to draw from than the
government? Another is to use shared info that goes stale quickly, e.g. "What
magazine did you get in the mail yesterday?" Again, the government, by virtue
of being the government, already has candidate info to draw from.

And what if all else fails, if some super-hacker has stolen or has ongoing
access to every single piece of digital information that could be used to
authenticate you? If you're a startup or a corporation or an open source
project, you throw up your hands. If you're the government, you say "Please
visit your nearest police department and bring your photo ID and some utility
bills."

The more I think about it, the more I'm convinced that this is the only good
solution. Like someone else in this thread said, Identity is hard. There's no
silver bullet to make it a tractable problem, but you can throw enormous
resources at it. And in the government's case, the most costly part (building
a brick-and-mortar office in every city, town, village and hamlet in America
and staffing it with humans) has already been paid.

~~~
adrr
What you explained is what Global Entry, TSA PreCheck, and NEXUS programs are.

~~~
ineptech
...except that TSA Precheck doesn't host an OAuth server that my bank can use
in lieu of their dumbshit "street you grew up on" nonsense.

But yes, I agree, it's a good point that the government already does this
(ditto for lost birth certificates, etc) and this would just be tying the
federal identity that they work so hard to verify to a digital one.

~~~
herewulf
> dumbshit "street you grew up on" nonsense.

I call these what they are: Insecurity questions.

I have also taken to writing completely unguessable nonsense as the answers
and recording them in my password manager.

------
redm
I'm not excited about this class action; If they win, the individual payout
will be almost nothing ($10?). The lawyers are the only ones who will really
"make out" with tens of millions in fees.

There is also a disproportionate effect in that a small portion of the 143
million affected will have a large impact, i.e., "identity theft" while most
will be unaffected.

I think a fund setup to help those who are directly affected is a better idea.
This could be done through government action where penalty proceeds are turned
into a fund. In other words, similar to the BP oil spill in the gulf where the
fund helped those who lost income or suffered property damage.

~~~
hellogoodbyeeee
I don't really care where the money goes. I think that having one catastrophic
event (huge lawsuits or fines leading to bankruptcy) for a corporate entity
because of negligent security measures may lead other board rooms to move
security measures up their priority list.

~~~
noxToken
It may cause security to get tightened to prevent these types of incidents,
but I doubt that it will improve security culture. Going forward, we would
theoretically be protected from a breach of this type in other companies, but
proper security is a continually moving target. New methods and exploits are
discovered all the time. That's what I'm worried about - are they going to be
proactive in securely protecting information against future threats, or will
they just check a few boxes to continue with business as usual?

~~~
woogiewonka
Business as usual, and you know it.

------
eloff
It's a sign of how awful Equifax is that I find myself rooting for the
law firms in this case. I really hope they win, and that they get the full $70
billion, and that it's enough to shutter Equifax permanently. What a win that
would be! Also it would serve as a nice cautionary tale to companies that
infosec matters. That insurance for data breaches matters.

Because right now, it's too easy for them to not care. It's us that suffer the
consequences, not them. That has to change.

~~~
pc86
Yes, what a win it would be to simply transfer ownership of Equifax from one
party to another in the event of bankruptcy. The business itself would
continue and nothing would change.

~~~
JumpCrisscross
Investors would get wiped out and many people canned. The signalling value is
massive.

------
jjm
It's time for this draconian type of business service to be disrupted. It's
gotten too big and unregulated.

We often question monopolistic behavior with regard to market share and
competition for physical goods. However we don't see this type of questioning
with regard to data monopolies. Hate to say it, but while I enjoy the use of
Google and Facebook, they may also fall into this arena. Though with those
companies at least an order of magnitude worth of effort MORE is expended on
some form of heightened security, communication, and standards primary thru
tertiary of their core offering.

~~~
c3534l
Equifax isn't a monopoly. There are four major credit bureaus in the US. At
best that's an oligopoly, but all that realistically does in this situation is
provide more points of security failure.

------
cliffcrosland
To be honest, I feel bad for the engineering team at Equifax. The
vulnerability that compromised their system was a bug in an open-source Java
library, Apache Struts, and security researchers only noticed it a few days
ago. It seems that the Equifax team had very little time to react and update
their software. In some sense, I feel that more blame should be placed on the
engineers who built the highly popular open-source software, not the Equifax
team. Some large number of Fortune 100 companies also experienced the same
vulnerability simply because they trusted a widely used library.

Makes me wary of trusting other big OS libraries, but since rebuilding every
part of the stack from scratch is infeasible and unproductive, we don't have
much choice but to use them.

Technical announcement:

Severe security vulnerability found in Apache Struts using lgtm.com
(CVE-2017-9805):

[https://lgtm.com/blog/apache_struts_CVE-2017-9805_announceme...](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement)

~~~
bitmapbrother
There is some debate as to which Struts exploit was used. If it was the one
from Sept, 2017 then you make a valid argument. However, if the exploit used
was years old then the fault clearly lies on Equifax for not keeping their
servers up to date.

Also, didn't the Equifax breach happen in May, 2017? If so, I fail to see how
the Sept, 2017 exploit plays into this unless it was in the wild months before
it was published in Sept, 2017 - which I find hard to believe.

------
Dowwie
Consider the possibility that the hackers were agents of a sovereign power,
such as one who has been hurt by economic sanctions and has a history of cyber
warfare. This state could decide to respond to US economic aggression by using
the compromised information of hundreds of millions of Americans to engage in
fraudulent activity.

This event is leading me to think about how social security numbers can no longer
serve the role that they have with establishing trust in identity, although
they can continue to be used to uniquely identify a US citizen. This hack may
push markets, and government, to widely adopt biometrics and other sensitive,
personally identifiable information.

What won't happen, unfortunately, is the political will to regulate how
uniquely identifiable personal information is managed and stored.

Suppose that rather than Equifax, Facebook were hacked. What kind of
intelligence and reports does Facebook have on people that would eclipse that
of social security numbers and credit history?

~~~
gbarc888
Undoubtedly Equifax will claim that the hackers were agents of a sovereign
power, to escape liability. Regardless, they admitted on their own web page
that there was a flaw in their web application.

Biometrics would be a terrible idea. Mass surveillance, anyone?

~~~
pc86
I was not aware the citizenship of the hackers had any bearing on Equifax's
liability in this case.

~~~
jedberg
If it's a foreign _government_ it's considered an "act of god" (i.e.
something out of their control), which releases a lot of liability.

~~~
manquer
To me, if you store passwords in plaintext, it is criminal negligence even if
God himself did the hack.

------
mrb
So everybody has been talking about "freezing" your Equifax account for a
little bit of protection... Well it turns out the Equifax security freeze PIN
(which is all the "secret" info an attacker needs to unfreeze it) is just the
date & time: MMDDYYHHMM!
[https://mobile.twitter.com/webster/status/906346071210778625](https://mobile.twitter.com/webster/status/906346071210778625)

~~~
usaphp
But would not an attacker then have to know the exact minute that you froze
your account on? If you have only a few tries to unlock your account - how
would attacker possibly guess it?

~~~
warent
525,600 possible pins for a whole year is staggeringly tiny.

1440 tries max if you know the day. 720 if you know whether it was day or night.
Botnet and/or proxies can do the rest.

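To make the keyspace argument above concrete from the defender's side, here is an added example (not Equifax's code and not from the thread): it implements the MMDDYYHHMM derivation the linked tweet describes next to a CSPRNG-generated PIN, and computes how much of each keyspace a lockout policy leaves reachable. The lockout budget of 5 attempts is an assumption.

```python
"""Timestamp-derived PIN vs. random PIN: keyspace and lockout budget.

Added illustration for the thread above; this is not Equifax's code.
Assumption: the freeze service locks the account after a fixed number of
wrong PIN attempts (we use 5 as a constructed value).
"""
import math
import secrets
from datetime import datetime, timedelta

ASSUMED_LOCKOUT_ATTEMPTS = 5  # constructed policy value, not Equifax's


def timestamp_pin(frozen_at: datetime) -> str:
    """The weak scheme described in the thread: PIN = MMDDYYHHMM of the freeze time."""
    return frozen_at.strftime("%m%d%y%H%M")


def random_pin(ndigits: int = 10) -> str:
    """Replacement: a uniformly random PIN of the same length from a CSPRNG."""
    return f"{secrets.randbelow(10 ** ndigits):0{ndigits}d}"


def timestamp_keyspace(known_window: timedelta) -> int:
    """Distinct MMDDYYHHMM values inside the window the freeze is known to
    have happened in (minute resolution). A year gives 525,600, a day 1,440."""
    return max(1, int(known_window.total_seconds() // 60))


def random_keyspace(ndigits: int = 10) -> int:
    """Distinct values for a uniformly random PIN of ndigits digits."""
    return 10 ** ndigits


def entropy_bits(keyspace: int) -> float:
    """Guessing entropy of a PIN drawn uniformly from keyspace."""
    return math.log2(keyspace)


def guess_success_probability(keyspace: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly chosen PIN
    before lockout. This is the number a risk assessment should look at."""
    return min(1.0, attempts / keyspace)


def compare(known_window: timedelta, attempts: int = ASSUMED_LOCKOUT_ATTEMPTS) -> dict:
    """Side-by-side risk figures for the two schemes under the same lockout."""
    ts_space = timestamp_keyspace(known_window)
    rnd_space = random_keyspace()
    return {
        "timestamp_keyspace": ts_space,
        "timestamp_bits": round(entropy_bits(ts_space), 1),
        "timestamp_p_success": guess_success_probability(ts_space, attempts),
        "random_keyspace": rnd_space,
        "random_bits": round(entropy_bits(rnd_space), 1),
        "random_p_success": guess_success_probability(rnd_space, attempts),
    }


if __name__ == "__main__":
    # Constructed freeze time, not a real account.
    frozen = datetime(2017, 9, 8, 14, 5)
    print("timestamp-derived PIN:", timestamp_pin(frozen))
    print("random PIN:           ", random_pin())
    for label, window in (("year", timedelta(days=365)), ("day", timedelta(days=1))):
        print(f"attacker knows the {label}:", compare(window))
```

The same 10-digit length yields roughly 19 bits when derived from a year's worth of minutes and about 33 bits when drawn at random, so per-account lockout is what keeps the weak scheme from being guessed, and a random PIN removes the dependence on that control.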
------
rangersanger
My hope is that this opens a larger discussion on the business practices of
these credit bureaus, the kind of data they collect, and ultimately their harm
to the public good.

As far as I'm concerned, they stole my data first, then they packaged it up
neatly and gave it to shady persons.

Yes, I'm aware that I "consented" to their collection of my data when I signed
up for a credit card, or a car loan, but it's not a system you can
realistically opt out of. If I want to rent an apartment or, sometimes, even
get a job, I need to consent to a credit pull, so I need to have a positive
credit history.

So, we have a private sector monopoly that I am coerced to give my data to,
for free, to function in society. Seems like a good business to be in, but as
an outsider I'd like to see something drastic happen. Perhaps nationalization,
or breaking up of the big three with deep regulation.

*edited to add omitted "three" in last sentence.

~~~
mbillie1
Nationalization of credit agencies - or even regulation governing exactly how
credit scores are computed, and making that information transparent to the
public - would be a huge step forward. Credit-determining algorithms are
presently a black box to the public.

~~~
ajoy
Is it not possible to write to our legislative representatives about this
about how we think?

~~~
zanny
You can absolutely write them, you just might find you have a hard time making
them care over the sound of campaign donations from the credit oligopoly.

------
coldcode
I have said for years this credit controlling triopoly needs to be shut down
and replaced with something less disgusting. Ever tried to fix a mistake they
made in your credit report? You may as well be dealing with the Spanish
Inquisition. There is no penalty for Cxx's who perpetuate inept security to
make more money so security is always job #99. These folks seem to have
cornered the market on ineptness. I doubt any lawsuit will make them do
anything different.

~~~
lr4444lr
Organizations at the hazy nexus of the public-private spheres (e.g. public
benefits corporations, regional transit authorities, FINRA, health insurance
companies) appear to be endlessly prone to "disgusting" fallout like this, no?

------
simonswords82
It's always seemed odd to me that Experian and Equifax have the upside of
being both arbitrarily in charge of so much data and wield ridiculous power,
and yet somehow they're still largely independent and profit making.

I'll watch the outcome of this breach with interest. It strikes me that at the
very least credit rating agencies should be non-profit and very closely
monitored by government. This will include ensuring security best practice is
followed.

As others have rightly pointed out, they even have the audacity to call us
customers. Like somehow we turned 18 and signed up for their service. I
certainly didn't, and it annoys me that a company whom I have no control over
can make or break my credit history.

~~~
g051051
You're what's called a "consumer", as in "Consumer Financial Protection
Bureau". You're only a "customer" of Equifax if you purchase one of their
products.

The CRAs don't make or break your credit history, that's the businesses that
supply information to them. The CRAs are aggregators, and just report what
their members tell them.

~~~
mbillie1
Credit algorithms, specifically your FICO score, are not transparent. There is
no reason beyond the naive assumption of good faith on the part of these
companies to believe that they don't make or break at least your credit SCORE.

------
bogomipz
The US has an adult population (who would hence have credit profiles) of 245
million people. At 143 million, this breach affects more than half of the
adult population. Given this, the majority of credit rating systems of the US
has been compromised. Isn't this enough that the whole "social security number
as a master key" system has to be dismantled? How can it be trusted now?

There is no way to opt out of having your data collected and sold by Equifax,
Experian, TransUnion. The power these companies have over US citizens is
incredible.

Anyone that's ever tried to remove incorrect data on their credit report knows
how painful it is to deal with these companies. Despite dealing and brokering
in electronic data to buyers of your credit profile, your interactions with
them as a consumer can only occur via paper mail and mailing letters which
means weeks or even months for basic communication. They operate like thugs. I
hope this is the end of them and by extension the other two agencies as well.

~~~
thesagan
I don't think the SSN can be trusted as a key. They should be considered
public data now. There's no going back.

------
ThrustVectoring
Coordinating the response here is the key part here, but "massive number of
suits in small-claims court" is probably better for threatening Equifax with
an existential legal threat.

Equifax employs about 10,000 people worldwide. A million small-claims cases
has each Equifax employee handling 100 small-claims cases. I don't think they
can handle that level of distributed legal aggression. It just takes too much
time by too many people, especially if people refuse to settle for anything
less than $1000.

Probably the best way to crowdsource it is to go through the process yourself,
write a step-by-step guide to what you did, and post the results on social
media.

~~~
williamscales
Does anyone know of a sort of recipe book for how to file a small claims court
case in this sort of matter? I'm interested in this avenue but I don't want to
spend a lot of time figuring out how to do it or potentially screw up some
little thing that renders the whole effort futile. It seems like the argument
might be slightly more subtle than a case of, say, theft or fraud. It's
negligence.

~~~
tonyztan
[https://news.ycombinator.com/item?id=15207727](https://news.ycombinator.com/item?id=15207727)

------
atom_enger
The super fucked up part is that it automatically signs you up for their
"Credit protection" if you use their site to see if you were impacted. Doesn't
ask if you'd like to, just says "Thanks for signing up, your year starts now!"

~~~
java_script
From my reading of ToS it also apparently waives your right to be a part of a
class action lawsuit against Equifax...

~~~
s73ver_
Apparently now they're saying that only applies to the monitoring service, and
not to the breach itself. It was on Consumerist
([https://consumerist.com/2017/09/08/equifax-already-being-
sue...](https://consumerist.com/2017/09/08/equifax-already-being-sued-over-
massive-breach-company-criticized-for-amateurish-response-to-theft/)).

------
bishnu
It seems that checking to see if you're affected by the Equifax breach waives
your right to sue Equifax:

[https://techcrunch.com/2017/09/07/i-called-equifax-to-
find-o...](https://techcrunch.com/2017/09/07/i-called-equifax-to-find-out-if-
id-been-affected-but-it-just-hung-up-on-me-three-times/)

No idea how ironclad such a clause would be, though.

~~~
cmiles74
At this point they will tell you if you're affected and then offer to enroll you
in their complimentary "TrustedID" program. If you choose to enroll, that is
when you waive your right to join any class action lawsuit.

~~~
lepht
This isn't true. Just by entering in your information to _check_ if you're
affected, you'll be enrolled automatically if you were indeed affected.

Really scummy behavior.

~~~
creeble
This is not true. I checked, and it offered me the opportunity to sign up "on
or after" a specific date. There is no automatic enrollment.

~~~
lepht
Sorry, I misspoke a bit there. What I was trying to point out was that

> If you choose to enroll, that is when you waive your right to join any class
> action lawsuit.

Isn't true. Just by using the site to check, you're waiving your right to
participate in a lawsuit, as expressed in the site's Terms of Use linked at
the bottom:

[http://www.equifax.com/terms/](http://www.equifax.com/terms/)

> THIS PRODUCT AGREEMENT AND TERMS OF USE ("AGREEMENT") CONTAINS THE TERMS AND
> CONDITIONS UPON WHICH YOU MAY PURCHASE AND USE OUR PRODUCTS THROUGH THE
> WWW.EQUIFAX.COM, WWW.IDENTITYPROTECTION.COM AND WWW.IDPROTECTION.COM
> WEBSITES AND ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS
> AFFILIATES ("SITE").

> No Class or Representative Arbitrations. The arbitration will be conducted
> as an individual arbitration. Neither You nor We consent or agree to any
> arbitration on a class or representative basis, and the arbitrator shall
> have no authority to proceed with arbitration on a class or representative
> basis.

Further detail from an actual lawyer in this comment:

[https://news.ycombinator.com/item?id=15203185](https://news.ycombinator.com/item?id=15203185)

------
whyenot
Suppose each person affected has to spend an hour protecting themselves from
this breach. The cost in wasted time would be 16,313 _years_.

It's high time to set an example. Equifax should no longer exist as a company.
People responsible should end up in jail. Company executives should be held
personally liable. Some would claim it is unfair, but the only way to keep
this from happening again and again is for those responsible to face serious
consequences.

------
schiffern
As usual, Bruce Schneier was right.

"Data is a Toxic Asset"
[https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...](https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html)

------
sillysaurus3
How likely is it that Equifax will face any real trouble from this breach?
Will this be one of the first cases where security negligence causes real harm
to a company? Or will it turn out to be another slap on the wrist?

~~~
Justsignedup
Slap on the wrist, guaranteed:

\- potentially every one of the 143M people are going to have some sort of
trouble

\- WORST CASE equifax shuts down, but that doesn't matter. too late.

\- if everyone was to win a lawsuit for everything equifax is worth, they'd
get maybe $100 minus lawyer fees.

And worse, now we have a financial system dependent on 2 companies. Making a
3rd isn't an easy matter.

::shrug::

~~~
sjg007
EquiFax declares bankruptcy, re-orgs and rebrands.

------
matt_wulfeck
It irks me that I can't file a "long term" (7 year) fraud alert unless I can
prove with a police report that my identity has already been stolen. It's like
giving people a flu shot _only_ if they can prove with a doctors note that
they currently have the flu. Hello! We're trying to _prevent_ fraud here!

This whole industry needs to be turned upside down.

------
ghughes
That’ll be nice for some lawyers. I’d prefer to see severe civil and/or
criminal penalties for the senior management folks who allowed this to happen
on their watch. Expect many more breaches of this magnitude until C-levels
start to feel the consequences of their negligence.

------
mbesto
Anyone have a good source for an unbiased (i.e. not trying to sell me
something) "what exactly should I do" now? File for the class action? Freeze
my accounts? Get identity protection?

~~~
inerte
Doing a credit freeze is a good idea regardless of the recent events:
[https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs)

~~~
donjh
In my state that costs $10/bureau, plus another $10 to temporarily unfreeze or
permanently unfreeze. The fact that they can leak my information and then
charge me to protect myself just seems wrong.

------
ebiggs
Even when there isn't a data breach I don't understand how all big 3 credit
agencies survive doing their business as they currently do... which is to
expose people to the injury of identity theft by default, and then tell them
to pay up if they want a product that protects them from that threat. How is
that not seen as akin to a gangster protection racket?

------
Nomentatus
Credit card companies could provide other businesses such as Equifax distinct
mere-reference numbers which the customer doesn't see and which can't be used
for purchases - just to absolutely identify which card, for all parties. These
could be added to the magnetic stripe or chip in the card, for example. (It
might be gilding the lily, but many such reference numbers could be used for
a given card, re privacy issues or otherwise. But then those numbers couldn't
be usefully passed between companies for all purposes.)

There's no need for anyone but the customer and Credit Card company itself to
retain the actual credit-obtaining-number (other than to allow future
purchases with permission, which is the rarer case, often needs to be
prevented not facilitated, and doesn't excuse Equifax having more than a
reference number.)

Yet the credit card companies don't do this. Why not? 'Cause humans are
idiots, all of us, that's why.

PS - run to the patent office and you might be able to make a ton of money
patenting this, since patents are now given to whoever shows up at the patent
office with the appropriate fees first. Precedence doesn't matter. You would
be implying that you thought the idea up independently, of course, but you're
smart, right? That's totally the sort of thing you could think of
independently. Then when you're rich, you too can help choose what the patent
laws look like, and whether rich people should pay taxes.
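
The reference-number scheme sketched in the comment above, as an added example (not code from the commenter or from any card issuer): the issuer keeps one secret key per partner and hands each partner an HMAC of the card number under that partner's key. The partner names, the keys and the card numbers are constructed sample data. The point it demonstrates is that the same card yields a stable reference for one partner but unrelated references across partners, that a reference carries no purchasing power, and that only the issuer can map a reference back to a card.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Tokenizer stands in for the issuer-side service described in the comment.
// The per-partner keys are hypothetical issuer secrets; a partner such as a
// credit bureau never holds one, so it can neither turn a reference number
// back into a PAN nor use the reference to pay for anything.
type Tokenizer struct {
	partnerKeys map[string][]byte // partner name -> issuer-held HMAC key
}

// NewTokenizer returns an issuer with no partners registered yet.
func NewTokenizer() *Tokenizer {
	return &Tokenizer{partnerKeys: map[string][]byte{}}
}

// RegisterPartner installs the key used to derive one partner's references.
// Rotating or deleting it invalidates every reference that partner holds.
func (t *Tokenizer) RegisterPartner(name string, key []byte) {
	t.partnerKeys[name] = key
}

// ReferenceFor derives the reference number one partner sees for a card.
// Same card and same partner -> same reference, so the partner can link its
// own records. Same card and a different partner -> an unrelated reference,
// so two partners cannot join their data sets on it. The partner name is
// bound into the MAC so a reference cannot be replayed to another partner.
func (t *Tokenizer) ReferenceFor(partner, pan string) (string, error) {
	key, ok := t.partnerKeys[partner]
	if !ok {
		return "", fmt.Errorf("unknown partner %q", partner)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(partner))
	mac.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" cannot collide
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil)[:16]), nil
}

// Resolve is the issuer-only reverse lookup: recompute the reference for every
// card on file and compare in constant time. Without the issuer's key a leaked
// reference is just 32 hex characters; guessing PANs offline is not possible.
func (t *Tokenizer) Resolve(partner, ref string, pansOnFile []string) (string, bool) {
	for _, pan := range pansOnFile {
		candidate, err := t.ReferenceFor(partner, pan)
		if err == nil && hmac.Equal([]byte(candidate), []byte(ref)) {
			return pan, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample data: not real cards, partners or keys.
	issuer := NewTokenizer()
	issuer.RegisterPartner("equifax", []byte("issuer-secret-for-equifax"))
	issuer.RegisterPartner("bank-b", []byte("issuer-secret-for-bank-b"))
	pan := "4111111111111111"
	for _, p := range []string{"equifax", "bank-b"} {
		ref, _ := issuer.ReferenceFor(p, pan)
		fmt.Printf("%-8s sees %s\n", p, ref)
	}
}
```

The comment's privacy aside (several references per card, so partners cannot correlate) falls out of keying per partner; if cross-partner linkage is wanted for a specific pair, the issuer can register a shared key for that pair instead.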

------
dickbasedregex
I'd love, love, love to finally see a company earnestly held responsible for
their negligent security practices but I have no hope. Doubly so with this
administration. Equifax getting run into the ground would help a president.

------
topspin
I'd appreciate advice from someone in the know about credit monitoring/repair
services. There are so many and little credible information available about
their capabilities and performance. If you have experience with this who do
you recommend?

I've been caught up in the DoD breach, this Equifax incident and a couple
smaller ones. I'm not interested in pinching pennies here; I want good
results.

~~~
hcurtiss
IMHO - credit monitoring has limited utility. While it can help you identify
issues more quickly, it's still after the fact. For that reason, I bought the
family a Zander Insurance plan. If you get hacked, they handle the fix
(including outreach to the credit bureaus) and cover your expenses. This year
they also added some credit/identity monitoring features and wallet
replacement. I've not yet had to use them, but the service makes a lot of
sense to me.

[https://www.zanderins.com/idtheft2](https://www.zanderins.com/idtheft2)

------
zackmorris
I'd like to know how much influence the consumer credit industry had in
pushing through things like the Citizens United decision. Corporations love to
be people when they can influence elections and make money off poor folks, but
I wonder if they're ready to take the corporate death penalty when they break
the law.

A bunch of class action lawsuits might make options like Move to Amend a lot
more palatable to corporations facing that kind of scrutiny. It also gives
political capital to organizations working to prevent rollbacks on consumer
protections implemented after the Great Recession.

If Equifax's reputation hangs on a single hack, then they probably weren't
that reputable to begin with. Why should we have to live under decisions that
benefit them when they no longer exist, or weren't even who we thought they
were?

------
s73ver_
Good. I hope they get sued into the stone age.

And then, I hope all of the other agencies take note, and start deleting their
data.

~~~
devrandomguy
Nah, they'll just create expendable shell companies to decouple the risk from
the profit.

------
nfRfqX5n
Any way to check if we're affected by the hack without putting info into their
form? I called them earlier to see if I had an account, but I don't.

------
banderman
I like how people are encouraged to pay $5-10 to each reporting agency to have
their file locked. Multiply that by the 140,000,000 people whose data
leaked... should generate some nice revenue for all 3 of these companies
holding your exploitable personal data hostage.

------
perseusprime11
This is just pure crazy. There should not be any non-govt agencies that store
such sensitive information. This is not like credit card where you end up
getting a new card. You can't change your name and ssn. I wonder how we will
tackle this problem.

~~~
cr0sh
> I wonder how we will tackle this problem.

Short answer: We won't.

Nothing is likely to drastically change. It'll just be another blip on this
week's news, and on to the next big thing that comes up.

Some individuals, over time, will likely have their lives screwed with, but
because not everyone at one time will have this happen to them, nobody will
care.

Think about how long the EU and others had chip-and-pin for their cards. Also,
everyone knew it was more secure. But it's only been in the past 6 months or
so that the United States is finally getting it - and it isn't everywhere yet.

I'm not trying to say chip-and-pin would have helped this situation (it
wouldn't have). I'm just trying to convey just what kind of social and
political inertia is at hand here in the United States, not to mention the
size of our collective apathy, and extremely short attention spans.

Had something like this happened in the 1970s or 80s - heads would've
rolled. 60 Minutes would have been all over it. Dan Rather would have frothed
at the mouth. It would have been crazy to the extreme in the media and
elsewhere. Change might have even occurred.

Today? We'll be lucky if we're still talking about this in any amount next
Friday.

------
josephorjoe
Equifax really needs to die over this, like Arthur Andersen after Enron.

[https://en.wikipedia.org/wiki/Arthur_Andersen#Demise](https://en.wikipedia.org/wiki/Arthur_Andersen#Demise)

------
kolbe
I think suing the organizations who irresponsibly gave our data to such an
unsafe organization will be more fruitful. Equifax doesn't have enough money
to truly compensate, but JP Morgan, Bank of America, &c do.

------
mgleason_3
Why is there not a criminal case against these idiots? When you are
controlling something dangerous and you allow that thing to harm someone else,
it's a criminal offense. It's not a matter of whether it's hard. It's simply
your responsibility to ensure no one gets hurt.

This company has already caused harm to literally everyone in the US.
Minimally, we all now have to take action to attempt to avoid identity theft.
And it only gets worse from here.

And these bastards have the chutzpah to wait until hurricane Irma is upon us
to make the announcement.

------
ausjke
Go to hell Equifax, whoever is in charge of security there should be put into
custody before all the litigation.

Multiple steps must be taken nowadays for people to get a credit card or debit
card or whatever (loans, money transfers, ...). Use SSN, name, mother's maiden
name, a few security questions, two-step authentication by default; all
passwords must be hashed and salted, otherwise it is a crime for the DBA, etc.

Just switched away from a 15+-year Yahoo email after its leakage; now comes
Equifax, which is 1000x more critical. It is so bad.

------
marbu
> Others expressed frustration that three senior executives sold about $1.8
> million in stock in the days following the discovery of the hack. A
> spokeswoman for Equifax said the men “had no knowledge that an intrusion had
> occurred at the time.”

Wait, what? Isn't this a blatant example of insider trading? Moreover
connected to a problem they are responsible for? Do they seem to be really
that stupid or is there a chance that they could get away with that in the
end?

------
kbullaughey
Assuming an approximately Bernoulli outcome from Equifax’s perspective, the
stock market thinks there’s only a 13% chance they’ll be shuttered by this
negligence.

~~~
bojackstorkman
This is an interesting point. I'm not great with math, but I'd love if you
could share how you calculated that?

------
Khaine
The company and its management should be bankrupted. In Roman times the
architect of an aqueduct and his family had to stand under it during the final
stages of construction. This was a motivation to ensure they did a good job.
It's high time we brought back this sentiment to leadership. If you knowingly
monumentally fuck up you should be ruined.

------
kabdib
I'm involved in the design and maintenance of a PCI environment. Given the
auditing requirements for these environments it is mind-boggling that an
intrusion of this magnitude went unnoticed for several months.

I'm left with the conclusion that they were either negligent or incompetent,
or layers of management were actively trying to cover things up.

------
zimbatm
How does Equifax build their database of people exactly? If it's all based on
public information then they could argue that it's not really a leak. They are
merely interpreting public information to build credit score.

I guess for subscribers they could get more information than publicly
accessible. What fraction does it represent?

~~~
pishpash
It's not public data, it's data that creditors provide.

------
njharman
This is the kind of thing that should end/bankrupt a company.

------
robteix
Use of the site they created to check if your data was leaked may contain
terms and conditions that waive your rights to sue.

[1]
[https://twitter.com/zackwhittaker/status/906178254331142144](https://twitter.com/zackwhittaker/status/906178254331142144)

------
deanstag
With all the Equifax headlines today, I was wondering if there would be a few
poor souls in the Equifax Tech Department who feel at least a bit
responsible for the whole mess. (I do understand it is a collective
responsibility of the management as well.)

edit: Was the analysis of the hack published?

~~~
Z1nfandel
The most frustrating place to be in these scenarios is the IT (especially
security) department.

Go ask any security guy if they think their environment is secure. Very few of
us will say yes. It frequently boils down to we ask for things, and there are
budget/manpower/time limitations in getting them implemented.

So a breach occurs, execs say to IT staff "Why was this possible."

IT staff says "We requested back in <month> to fix this, and it's working
through the slow process"

Execs say "Why didn't you scream louder, identifying it as a critical issue"

IT: "There are 1000's of other issues, just like this one. The attackers just
managed to exploit this one, instead of one of the others. We can't identify
all issues as critical, because then nothing is critical."

Both parties stay frustrated thinking the other isn't doing their job right.

~~~
deanstag
Yeah, hopefully this is one of those wake up calls where the management
realizes to funnel more resources into IT and security in general.

------
bodz
A lawsuit seems appropriate, but I'm confused on their allegations. How can
this lawsuit claim that Equifax "wasn't spending enough or doing enough to
protect the information" when nobody, except for those within the company,
know how much is spent or done to protect the information?

Is there some public record I'm not aware of that says Equifax underspent on
cybersecurity? Or is this lawsuit just a shot in the dark hoping to hit a
target?

I wouldn't be surprised at all if the allegation _is_ true, but AFAIK there's
no way these individuals actually have proof of it, and it seems like a flaw
in our legal system that people are allowed to make allegations like this
without any type of proof.

~~~
HelloMcFly
That's what the "or" is for in "wasn't spending enough or doing enough." It's
evident that they did not _do_ enough to protect the information. Spend is a
proxy for action, but ultimately it's the action (or inaction) that matters
here. I only see them exonerating themselves to a large degree if they engaged
in routine third-party audits of their security and consistently responded to
every identified issue.

------
anonu
I think this shows the inanity of centralized credit rating agencies. How do
we disrupt this? What if every person you owed money to (Credit cards,
mortgage companies, car loan companies) basically reported your payment status
on a monthly basis on the blockchain? I think this could work... Anyone could
check your credit history - but at least it would be decentralized. There's
obviously a lot of questions: How do you protect privacy of individuals? How
to identify individuals with a number other than your SSN? Or maybe you do
anyway... keeping your SSN secret in this day and age is clearly not viable
longterm.

~~~
bunderbunder
The Fair Credit Reporting Act requires Consumer Reporting Agencies to do two
things that are fundamentally at odds with the idea of using a blockchain:
Negative information must be removed from your record after a certain amount
of time. And false or inaccurate information - which some studies suggest
exists on about 25% of consumer credit reports - must be removed or amended
upon request.

Both of these are Good Things. One of the most important things our legal
system provides is opportunities for remediation when something goes wrong.

------
astaroth360
Time to get rid of credit agencies as a whole. They are entirely useless. Make
a Government agency that handles it instead of trusting the private industry
to make as much profit as they can to the detriment of damn near everyone.

------
yahna
I just want to complain about the credit freeze option for a second.

Like many other people I decided to use this because of the breach, I went to
the government identity theft site and found some links.

Equifax - Fill out the form. "Additional information required" please _mail_
stuff to us.

Experian - In your state (washington) there is an 11 dollar fee for this
service.

Transunion - Fill out a signup form, complete with god damn security
questions. Do the quiz about stuff on my credit report. 10 dollar fee.

Go fuck yourselves you fucking bastards. I hope experian goes out of business
because of this, I really do.

------
danblick
From a security standpoint, it seems like there's a problem treating
everyone's social security number as if it's some kind of secret key.

Has there been any real discussion about alternatives to the present system?
How else could authentication work for opening a bank account?

I imagine that the present system survives (1) because of inertia, and (2)
because it doesn't require much infrastructure and so it's relatively cheap.

Maybe the next step is something like putting a chip into driver's licenses
and ID cards nationwide?

~~~
ebiggs
Soc sec. number is used as an immutable unique identifier for Americans since
that's really the only piece of information that can be used in such a way.
I'm not aware of anybody relying on it as a sole means of authentication... if
it's used for authentication it's always combined with additional information
such as "you had a revolving credit account with: a, b, c, or d".

------
symlinkk
This is probably a dumb question but how does Equifax, TransUnion, etc
actually get the credit info in the first place? If I wanted to start a credit
monitoring company, could I do it?

~~~
hbosch
Your bank gives it to them.

~~~
symlinkk
how does the bank decide which credit reporting firm to give them to? in other
words, if I made an Equifax competitor, how would I convince banks to give me
this info?

~~~
hellofunk
> how would I convince banks to give me this info?

Read "The Art of the Deal."

------
lightbyte
I hope this succeeds and bankrupts Equifax, but then what? Over a hundred
million Americans still have their SSN exposed, what are we going to do about
that?

------
vivekd
If someone offered me this case, I would probably decline it on grounds that I
didn't see a reasonable prospect of winning.

Equifax still hasn't revealed any data about how it was hacked, without that
information it's hard to prove they were negligent.

Negligence requires three things: duty, breach and damages.

As to duty:

Does Equifax really owe a duty to every single person whose data it keeps?
That would be a tough argument to make. They didn't sign any contract or make
any agreement with the people whose data they collect. So where does the duty
come from?

Even if the plaintiffs were able to overcome that hurdle, they would then have
to prove breach. Was Equifax careless in the way they handled information
security? I don't see evidence of that; the mere fact that they were hacked
doesn't necessarily mean they were careless. All Equifax would have to show to
win on this count is that they had some sort of basic security system in place
comparable to what other businesses its size have in place. My guess is that
they do have a security system and that this probably wouldn't be hard for
them to show.

Being hacked would be considered under law to be an intervening criminal
action. It is established that people are not responsible when damage is
caused by someone else's criminal action. So long as Equifax took basic,
prudent steps to protect data, they can't be held responsible for intervening
criminal action.

As to damages

It's hard to see how anything of monetary value was lost by the plaintiffs in
this case. There was a loss of privacy, but I haven't heard of courts giving
out awards for that sort of loss.

I'm sure people more familiar with information security could point to flaws
in the way Equifax protected info. And certainly the way they reacted to the
hack was negative. But bad or imperfect behaviour doesn't in and of itself
give rise to a claim for monetary damages in court. This case doesn't seem
winnable to me.

There is some argument that if you use Equifax's identity theft protection you
may be able to sue, which I think is what this class action is about. But that
still doesn't give rise to damages because none of the plaintiffs can prove
that their identity was actually stolen. And you still don't have breach (no
proof that the hack was the result of Equifax's carelessness).

------
philipps
Is a credit freeze the most effective option here? What else can be done to
prevent the possible effects of this? The FTC site also mentions a Fraud Alert
for cases of suspected identity theft:

[https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs)

------
throwaway613834
Question: Is there any way to get a notification whenever a credit account of
any sort has been opened in my name, WITHOUT freezing my credit or otherwise
crippling/slowing/altering any process that exists? I just want a letter or
email notification, not any other changes to anything. Ideally a free way, but
paid if a free way doesn't exist...

------
arunmib
Bit curious about everyone's thought process with regards to credit freezing.
I'm thinking about leaving the freeze in place and only doing a temporary
unlock on an as-needed basis. Considering SSN and other compromised info have a
longer lifetime, I really cannot think of any other option.

------
TaylorGood
If you enter Test and 12345 into their "checking site" it says account has
been breached:

[https://twitter.com/zackwhittaker/status/906247688768905216](https://twitter.com/zackwhittaker/status/906247688768905216)

------
devhead
Our compliance rules dictate a 24-hour window before we must share a data
breach; in what world do the top personal data overlords have no obligation
to disclose in a shorter window? Maybe had they done that, they wouldn't have
had time to cash out their stocks before they tanked upon release.

------
ada1981
$70B works out to less than $500/ person.

I imagine that the firm will take 25-50%.

Also, Equifax will likely just go bankrupt vs. paying 4x what they are worth.

Perhaps we should seek to have the company turned over to the people, at which
point a blockchain based credit system can be implemented.

------
politician
It's time for the USA to adopt EU-style GDPR protections, by constitutional
amendment if necessary.

------
drawkbox
We need more competition in consumer credit agencies and need more control
over access.

We probably need more competition in corporate credit agencies as well like
Moodys/S&P that got us into the housing crash.

The lock-in deals these companies have make them get really lazy on their core
tasks.

------
vthallam
This is like the whole country's credit card holders got affected. Is it a
suggested idea to freeze your credit reporting account and not allow any
issuance of new credit cards? Or like the SSN Lock provided by E-Verify from
USCIS?

------
jaypaulynice
Sorry, but companies that save pennies and nickels only to lose billions
deserve this...but makes no sense that individuals have to suffer the
consequences...of course they release the news when it's hurricane season.

------
orange_county
I think the banks and loan industry are as guilty for giving information like
this out to the credit bureaus.

Next time you apply for a loan or open a credit card, ask them who they report
this to. If it's Equifax, walk away.

------
PacketPaul
I think a reasonable outcome is free credit monitoring for LIFE. I don't
understand how these companies get away with only one year of service as if
the information will be removed after that year.

------
shawn-butler
It gets worse... some financial news outlets are reporting that the CFO and
executives leading two business divisions dumped shares prior to the news.

Equifax responded they didn't know about the breach and it is unrelated.

------
poland2
This kind of thing actually can be prevented. There should be a law to force
us to sacrifice some convenience for safety.

Well, it is convenient to access everything by Internet. But it is a
double-edged sword.

Simple but not too simple!!

------
slackfan
For the record, their form doesn't work.

You can enter any arbitrary word and any random six digits and it will tell
you that you probably have been affected, and will prompt you to sign up.

Don't fall for this scam.

------
mcbits
Not if everyone signs up for free credit monitoring as their settlement.

~~~
wyldfire
Gee, does that automatically settle the claim? I suppose it only would if
there were some kind of agreement you make when you apply for the service.

I take some mild comfort knowing that > 90% of US adults likely have been
impacted (wild guess at US folks who have ever applied for credit -- or it's
probably a good amount smaller number if the scope is ever-requested-a-credit-
report).

~~~
mcbits
I'm not an Equifax customer and don't plan to become one by signing up for
anything, so I haven't seen the terms, but I would fully expect to see some
kind of indemnification in there.

~~~
zmarty
You are a "customer" if you want it or not.

------
31reasons
Prospects of this data used to hack the next elections are frightening.

------
Waterluvian
The hack exposes lenders (banks, etc.) to a huge amount of risk, right? So
don't they also have an interest in seeing agencies like Equifax punished
severely for a hack like this?

------
pmarreck
Maybe it's time to issue everyone private keys where the public key is your
"SSN" and it is signed by N people you know to verify identity

~~~
softawre
N people you know? What if I don't have a family or friends?

~~~
pmarreck
If you live in a box, will anyone know you exist? :O
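
The key-based identity proposed by pmarreck above, as an added example (not code from the commenter or from any real identity scheme): each person holds an Ed25519 key pair whose public key takes the place of the SSN, N acquaintances sign that public key, and a verifier accepts the identity once it sees N valid signatures from distinct endorsers. The names, the threshold and the challenge string are constructed for the example. It also shows the piece the SSN system lacks: proving control of the identifier by signing a fresh challenge, rather than by revealing the identifier itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is one person. The public key is the long-lived identifier that
// plays the role of the SSN; the private key never leaves the holder, so a
// leaked database of public keys gives an attacker nothing to impersonate with.
type Identity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity generates a fresh key pair for a person.
func NewIdentity() (Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Identity{}, err
	}
	return Identity{Pub: pub, priv: priv}, nil
}

// Endorsement is one acquaintance's signature vouching for a subject key.
type Endorsement struct {
	Endorser ed25519.PublicKey
	Sig      []byte
}

// endorsementMessage binds subject and endorser together, so a signature can
// neither be transplanted onto another subject nor claimed by another endorser.
func endorsementMessage(subject, endorser ed25519.PublicKey) []byte {
	msg := append([]byte("endorse:"), subject...)
	return append(msg, endorser...)
}

// Endorse produces the caller's vouching signature over subject.
func (e Identity) Endorse(subject ed25519.PublicKey) Endorsement {
	return Endorsement{Endorser: e.Pub, Sig: ed25519.Sign(e.priv, endorsementMessage(subject, e.Pub))}
}

// CountValidEndorsements counts distinct endorsers whose signature verifies.
// Malformed keys and bad signatures are skipped rather than trusted, and the
// same endorser signing twice counts once, so one friend cannot manufacture N.
func CountValidEndorsements(subject ed25519.PublicKey, ends []Endorsement) int {
	seen := map[string]bool{}
	for _, en := range ends {
		if len(en.Endorser) != ed25519.PublicKeySize || len(subject) != ed25519.PublicKeySize {
			continue
		}
		k := string(en.Endorser)
		if seen[k] {
			continue
		}
		if ed25519.Verify(en.Endorser, endorsementMessage(subject, en.Endorser), en.Sig) {
			seen[k] = true
		}
	}
	return len(seen)
}

// Verified reports whether subject carries at least n valid, distinct endorsements.
func Verified(subject ed25519.PublicKey, ends []Endorsement, n int) bool {
	return CountValidEndorsements(subject, ends) >= n
}

// ProveControl replaces "tell me your SSN": the holder signs a fresh challenge
// from the verifier, proving possession of the private key without disclosing
// anything that could be replayed.
func (e Identity) ProveControl(challenge []byte) []byte {
	return ed25519.Sign(e.priv, challenge)
}

// CheckControl verifies a challenge response against the claimed public key.
func CheckControl(pub ed25519.PublicKey, challenge, response []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, challenge, response)
}

func main() {
	// Constructed participants; the threshold N=2 is arbitrary.
	alice, _ := NewIdentity()
	bob, _ := NewIdentity()
	carol, _ := NewIdentity()
	ends := []Endorsement{bob.Endorse(alice.Pub), carol.Endorse(alice.Pub)}
	fmt.Println("alice endorsements:", CountValidEndorsements(alice.Pub, ends),
		"accepted at N=2:", Verified(alice.Pub, ends, 2))
}
```

What the example leaves open is the hard part softawre's reply points at: the verifier still has to decide which endorser keys it trusts, otherwise anyone can mint N sock-puppet endorsers in a loop.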

------
bogomipz
Consumers will end up footing the bill for this. This company will just
increase the fee for credit checks in order to pay the penalty.

------
woogiewonka
How do we get in on this lawsuit? What are the implications of this hack to an
average person and what if anything should they do about it?

------
gigatexal
I signed up to be notified before I knew that doing so waived my rights to sue
them. Those damn agreements, I need to read the fine print.

------
cmurf
Good. I hope they go out of business, and the shareholders are wiped out for
having it run incompetently.

------
innovate
Freezing credit profiles is a good idea, but full account numbers (liability
accounts only) as well as addresses and employer data were also part of this
breach; it's likely there will be many long-term consequences,
unfortunately... someone with this data can easily impersonate you and level up
the fraud.

------
leyth
How does Equifax gather data on people? Do they get it from the government?

------
smcnally
"PSA: If you check Equifax's site to see if your data was stolen, you _waive
your rights_ to sue Equifax or be part of a class action suit."

[https://twitter.com/zackwhittaker/status/906178254331142144](https://twitter.com/zackwhittaker/status/906178254331142144)

------
unstatusthequo
I've seen at least four class actions filed within 24 hours. The first was
last night.

------
bitmapbrother
Does anyone have information on the hack and what OS / Server they were
running?

------
joeblau
Where is the credit report ICO? I have some Ethereum I want to invest.

------
hbosch
SSN's need firewalls.

------
martin1975
Just me here, or has this given a good pretext for mandatory national ID laws,
possibly on a biometric/EMV type of card, or worse, skin-implanted RFID chips?

------
crb002
So essentially three Equifax shares to every victim?

------
stevebmark
Semi-related: When does CloudFlare get sued into the ground for man-in-the-
middle-attacking all of their customers for several months?

------
mamazaco
Does anyone know how the hackers got in?

~~~
mamazaco
Haha admin/admin according to
[https://krypt3ia.wordpress.com/2017/09/14/equihax/](https://krypt3ia.wordpress.com/2017/09/14/equihax/)

------
slivanes
Bonus point task:

\- Get leaked info for Donald Trump

\- Use said info to access recent tax returns

~~~
quickthrower2
Careful. Don't start a conspiracy.

------
williamscales
Too big to fail!

------
evidencepi
A perfect application for blockchain.

------
carapace
Apologists please STFU you're making me sick.

Everyone else, call your representative.

You know how people say, "Pictures or it didn't happen?"

Call your representatives and tell _them_ what you think, or it might as well
have never happened.

~~~
jacquesm
Your comment history is some of the worst stuff on HN and some of the best
stuff on HN. Could you attempt to leave out the worst bits?

~~~
carapace
So many possible responses.

First of all, let me tell you I'm a lonely curmudgeon with no social life and
about 1.5 friends. HN functions for me as a crude surrogate for socializing,
in addition to its functions as a place to read about cool stuff, and yes,
occasionally, a place to pop off and talk a little trash. I do try to
contribute good stuff.

So understand that I'm being sincere when I say, thank you for taking the time
to read through my comment history.

I also want to say that I do my best not to troll, and when I fail and people
call me on it, I admit the mistake and apologize.

I was trolling you a little bit there in the other thread and I apologize.

Now then, as to leaving out the worst bits I don't think I can oblige you. In
the first place, because my comments are sincere. I don't always phrase things
in the nicest way, but I have a real point to make with a given comment or I
would omit it. In the second place, what is the "decision algorithm" for
"best" vs. "worst"? My point is, what you or I think are my best/worst
comments may be totally different from what the next person thinks. I have had
one comment moderated by dang once (and I was really embarrassed that he had
to do it.) Other than that I pretty much stand by what I've said. There are a
few comments I would delete if I could but that bird flew the coop long ago.

Consider the old saw about advertising, "Half of your ad budget is wasted, the
problem is, no one can tell you which half."

That said, I take your comment to heart and I'll try to be less cranky on HN.

But I stand by the comment I made above (for example): Apologists for computer
INsecurity make me sick. It's far past time to fix this mess. Related to that,
the people who say "Oh I give a crap." but _don't_ call their representative
or something like that are basically part of the problem. If one person read
my snarky shitty comment and made the call, it was worthwhile. As for all the
people that read it and didn't pick up the phone, _I want them to know they
suck, just a little_, because I'm mad at them. In fact, I'm mad at most
people. We stand at the pinnacle of history. But everyone is busy driving and
talking on their cellphones at the same time while meanwhile the _Monarch
Butterfly_ is going _extinct_ right before our eyes! There may not be
_elephants_ in fifty years.

Okay, that's enough of that. Gotta calm down. ;-)

Now about that other thread, where I was kinda trolly, my point there was that
Rational Materialist fundamentalism is still _fundamentalism_. I am a rational
materialist. Physics is the "Word of God". Nevertheless, I have had _personal
experience_ that indicates that physics is contingent on consciousness. I'm
not going to be able to offer any sort of scientific proof of that because the
structure of the Universe precludes it. But it's true. It is a true statement
that _cannot_ be proven. Not even in theory.

There are hard limits to rationality, that a rational person must take account
of _to be rational_.

Consider: you're hanging out somewhere discussing rationality, when suddenly
into the room bursts a Mad Logician! He's got a bomb and he shouts, "Do
something irrational _right now_ or I'm gonna blow us all to kingdom-come!"
What do you do? If you start hopping up and down on one foot that's
irrational, but to do so to prevent the ML from detonating his bomb _is
rational_! Maybe if you ignore him he'll just go away.

It's Russell's Paradox.

This sentence doesn't describe itself.

These words have no meaning.

Etc.

My quip about the square-root of two was meant to point out the fundamental
nature of irrationality. Pythagoras is said to have killed the first guy to
point out that two and the square-root of two are _incommensurable_. The
"rational space" is a subset of the real space. There will _always_ be places
on the map marked, "Here be Dragons".

(Also, if you call shamans con-men be sure to make sure that none of them can
hear you. ;-)

~~~
jacquesm
That's one for the book as well as the one about unicode and writing systems.
To me the quality of a comment is something that indicates how well that
comment will age over time, some comments retain their strength even years
later and your unicode comment is an excellent example of one of those. It
really opened my eyes and gave me some new insight into something that I had
already considered dealt with years ago. So thank you very much for that.

~~~
carapace
Cheers, well met. :-)

Here's to many more long-enduring quality comments.

(It blew me away when I realized that computer text isn't writing! English is
so well served by ASCII, and has been since so early on, that the assumption
that bytes are the same as writing just gets lodged in there, unexamined.)

------
larrykwg
So let me get this right, this company collects credit information and someone
hacked into their web server and stole highly sensitive information about most
of the adult American population. Then the executives sold their stock a day
before they announced the hack to the public. Besides the troubling fact that
you still use social security and credit card numbers as any form of reliable
authentication, how aren't there already federal agents searching every square
inch of the company and interviewing key employees under oath? But no, nobody
is securing this evidence and thus any lawsuit will probably either fail or
end in a small settlement of an amount the company will not be significantly
hurt by, causing no reason for stronger security in the future of this or any
other company.

The kind and amount of information warrant strong regulation in the way the
data can be stored and processed (separate monitored networks not reachable
from the internet would be the absolute minimum), governmental regulation
needs to ensure the security of sensitive personal information like this and
regular checks need to be conducted to ensure their adherence, especially in
the case of a breach like this after the fact, you can't rely on the company
conducting a forensic investigation.

But no of course not. I can already hear Americans preach to me how the free
market is great and solves all your problems.

~~~
devy
No amount of governmental regulations can solve the current data breach
trends. Even government's own intel agencies got hacked too. No organization
is immune to data breaches. It's a matter of time and effort.

A lot of us here are engineers and coders. It's our responsibility to design
better architecture, security conscious protocols and write more secure
software. And it's up to all of us (regardless of which country you are in) to
voice up and resist the idea of weakening encryption or allowing backdoors and
instead advocate for adopting better and more secure encryption to safeguard
private and sensitive personal information.

~~~
orf
Sure, in a fantasy land. If you were to hold the management criminally
responsible for their lack of investment in IT, security etc you might see
increased investment.

The very fact that all this data was accessed from their public site is very
troubling. What are the chances this is a basic SQL injection issue? What are
the chances they didn't invest in security at all?
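
Since the comment above raises SQL injection as a possible cause, here is an
added illustration (not code from the thread, and nothing to do with Equifax's
actual systems) of the vulnerable pattern next to the fix. It uses a
constructed in-memory sqlite table with made-up rows; the hostile input is the
textbook `' OR '1'='1` case, and the point is that the parameterized version
treats it as a plain string while the concatenated version lets it rewrite the
WHERE clause:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a customer lookup (fake data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (last_name, ssn_last4) VALUES (?, ?)",
        [("Doe", "1234"), ("Roe", "5678"), ("Poe", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """Builds SQL by string concatenation: untrusted input becomes part of the query."""
    sql = "SELECT id, last_name FROM customers WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, last_name: str) -> list:
    """Binds the value through a placeholder, so the driver never parses it as SQL."""
    return conn.execute(
        "SELECT id, last_name FROM customers WHERE last_name = ?", (last_name,)
    ).fetchall()


def demo() -> dict:
    """Row counts returned for a normal name and for a hostile input, both ways."""
    conn = build_db()
    normal = "Doe"
    hostile = "x' OR '1'='1"  # closes the quoted literal and appends an always-true clause
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),  # every row comes back
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_hostile": len(lookup_parameterized(conn, hostile)),  # no such last name
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v} row(s)")
```

The same concatenation mistake is just as reachable from an ORM's raw-query
escape hatch as from a hand-written driver call, so the practical check is to
grep the codebase for query strings built with `+`, `%` or f-strings and move
every user-controlled value into a bound parameter.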

~~~
devy
> If you where (sic) to hold the management criminally responsible for their
> lack of investment in IT, security etc you might see increased investment.

What makes you think lack of investment in IT & security is the main reason
they get hacked?

Vice versa, NSA has virtually unlimited (let's just say unlimited means tens
of billions of dollars) budget invested in IT and security. They have the top
resources there too. Are they immune from data breaches and being hacked? The
answer is a big NO!

~~~
bsenftner
Certainly a lack of mental investment. The NSA and these credit agencies are
not a comparison, as their jobs are quite different. If nothing else, the NSA
has to be connected to public networks to do their covert operations. Not so
with a "credit rating agency". They should not be on a public network at all.
Before the Internet, they were not, they were on private leased lines.

~~~
devy
You missed the point. I am arguing that no amount of investment is big enough
to make data breaches go away. Even the top intel agency with top budget and
top resources can't avoid breaches, what else would you expect from a
corporation?

However this is not an excuse for Equifax to not put more focus and investment
on their security.

~~~
orf
> I am arguing that no amount of investment is big enough to make data
> breaches go away.

Sure, nothing is totally secure against a dedicated, motivated attacker with
unlimited resources. Thankfully those are few and far between.

Based on what Equifax has said, this doesn't seem to be the case.

------
ilaksh
This reminds me. Fight Club was a great movie.

------
sequoia_semper
Not a single Mr. Robot reference here? I'm disappointed.

------
odammit
There really needs to be a law for "you did something obviously wrong and got
caught and you kind of suck as a human being" with the punishment being your
arms get cut off and you get tossed into a tank with sharks.

That should be the execs' punishment for the stock sales.

Also, technically speaking, this company sucks.

