Hacker News new | comments | show | ask | jobs | submit login
Equifax Faces Multibillion-Dollar Lawsuit Over Hack (bloomberg.com)
1345 points by jameslk 7 months ago | hide | past | web | favorite | 648 comments



I'd love to see the $70B number pan out (though $500 per person is less than the damages, I think) -- Equifax is a $17B company, and would presumably stop existing if that happened.

On the other hand, these things always settle out of court, and Equifax certainly won't settle the suit for more than they're worth.

I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court. If ~15% of the class does this, they are out of business, and lawyers don't get a dime of the $1000.

Also, I'd love to see a new non-profit website that automated the paperwork.


This class action will likely be settled in the same way the Ticketmaster case was settled ... with a coupon book good for 2 free credit reports.


To be fair, class action suits aren't really about recovering damages for the class members. Or at least, not entirely. That's almost incidental. Rather, they're most often about leveraging a large class of injured parties--whose injuries are usually relatively minor on an individual basis--to force a change of behavior by adding up all of those small injuries.

The cost of pursuing each claim individually would usually be sufficiently high as to make pursuing a claim unviable. The behavior would remain uncorrected, and the injured parties would receive neither compensation nor the knowledge that the behavior has been altered or eliminated. Nobody wins in that situation.

And while it's almost inevitable that discussions about class action suits will involve complaints about the lawyers fees, that's not really fair. Mass tort litigation is complex and involves significant investments of time and resources on the part of the attorneys involved. Especially if they actually make it to trial. It might seem unfair at first glance, but it enables the class to access the legal system and justice where it otherwise would not. They may be imperfect, but they're a hell of a lot better than the alternative and have had a profound positive impact on our society.


To be fair, class action suits aren't really about recovering damages for the class members. Or at least, not entirely.

That was exactly what they were supposed to be about. The way it usually works out, however, is that the lawyers don't really negotiate on the same side of the table as the class and the class members end up with very little. The lawyers, however, get their fees.

That's why everybody gets pissed about it.

There are other legal remedies to force a change of behavior. If the lawyer wants to use my name (as a class member) for leverage in the suit, he or she should be representing me. The class action is something that is supposed to be for the class members' advantage- working as a group for legal remedy. The tradeoff is you don't get as much legal remedy as you may have had you footed the entire bill and risk of a lawsuit yourself. But some of the negotiated remedies are, indeed, a joke.


>That was exactly what they were supposed to be about.

No, they really aren't, because as the parent says class actions are appropriate where the harm to each individual class member is small, but the small harm is spread out to many people. You as an individual were not harmed much, so you as an individual would not collect much even if you went it alone and recovered 100%. Litigation doesn't (generally) yield more than the harm you suffered.

Besides, if you want a lawyer to represent your interests alone, then you are free to not join the class and pursue your own individual case with the lawyer(s) of your choosing.


Believe it or not, they really are supposed to be about this. Here's a writeup [1] speaking about the Supreme Court's ruling on the matter:

"Purpose? According to the U.S. Supreme Court, the “principal purpose” of class actions is “the efficiency and economy of litigation.” [4]The Court has also noted other justifications for class actions, including:

    the protection of the defendant from inconsistent obligations;
    the protection of the interests of absentees;
    the provision of a convenient and economical means of disposing of similar lawsuits; and
    the facilitation of the spreading of litigation costs among numerous litigants with similar claims.[5]

In other words, people whose claims might be too insignificant to litigate alone can band together. The class action device can eliminate redundancy in the judicial system, streamline litigation, and in some cases, create significant institutional change. "

[1] https://apps.americanbar.org/litigation/litigationnews/pract...


>pursue your own individual case with the lawyer(s) of your choosing

Fewer people than most realize are actually able to do this. Good lawyers don't generally take contingency cases, and if the case is even remotely involved, fees quickly reach to six figures.

Perhaps worse is the stress. Once initiated, you have virtually no control over the process, and it can take over your life. The motions and counter-motions, delays and hearings will wear you down. If the adversary is much better-funded, then they can make it nearly unbearable.

The legal system is not what most people imagine, especially those who flippantly threaten to sue. You have to go through an action (or be close to someone who is) to really get that. Engaging is stressful and costly and, unless you're a combative type with deep pockets who just loves to fight, you'll likely feel like you lost, no matter the outcome.

This, as much as anything, is why class actions are so prevalent.


> If the lawyer wants to use my name (as a class member) for leverage in the suit, he or she should be representing me

If you're paying them they're representing you. If they spend a single client's or their own time building a case, they're not representing you. They are representing your class. If you want to be represented, opt out and hire a lawyer.


> That was exactly what they were supposed to be about. The way it usually works out, however, is that the lawyers don't really negotiate on the same side of the table as the class and the class members end up with very little. The lawyers, however, get their fees.

The lawyers are getting their fees to pay for the service of causing class-action suits to happen. Even if the remedies for a class member are a joke, the amount the company pays is, supposedly, not a joke (and yes, a good amount of that is probably paying those lawyers), and that's supposed to be a deterrent for other companies who are thinking of making the same mistakes.

Whether this works out in practice is debatable, but the current system is coherent in theory.


> They may be imperfect, but they're a hell of a lot better than the alternative and have had a profound positive impact on our society.

No, it isn't better than the alternative. The alternative is to have regulators selected and overseen by elected officials regulate the behavior of companies. We instead of a system of regulation by self appointed ad hoc lawyer-regulators negotiating settlements they think will get past the judge overseeing their case and allow them to collect a fee.

The latter is perhaps better than nothing, but it isn't better than the alternative which happens to be in place in the rest of the developed world.


Regulators selected and overseen by elected officials aren't a foolproof solution either. Sometimes you end up with Scott Pruitt [1] running the EPA, whose objectives are apparently a) denying that climate change exists, and b) dismantling any environmental protections that businesses find inconvenient.

The self-appointed lawyer regulators at least have an incentive to do their jobs: they get a bunch of money.

[1] https://en.wikipedia.org/wiki/Scott_Pruitt


He didn't say foolproof; he said better.


That was his point. Pruitt is not better.


Yes because regulation is working out really well

That is why I have plenty of competition for Internet Access and Net Neutrality is vigorously enforced

That is why the FTC routinely issues fines for False Advertisers for all the false claims that are made daily in ads

That is why there are plenty of bankers in jail for crashing the economy in 2007,

Government regulation is grand


So vote for people who actually want to competently regulate, and work to encourage others to do the same.

Paraphrasing, we are currently getting the regulation we deserve - good and hard.


If you believe democracy is for people. Then you are mistaken. Democracy simply means more than one entity fighting for power. Usually both of them have their own agendas and only give a shit when it’s time to vote. And we all know lying, backstabbing and spreading propaganda on Facebook and media channels is a much better way to win voters than doing what’s good for them.

The system was always a plutocracy and will always be.


>And while it's almost inevitable that discussions about class action suits will involve complaints about the lawyers fees, that's not really fair.

Of course it's fair. It's not like the members of the class get to shop around for cheaper lawyers. The class gets shit either way, they just have to decide if they hate the company more than the lawyers that charge the obscene percentages. And you can't make any kind of cost argument because a billion dollar case isn't anymore complex than a million dollar case. The whole point of it being a class is that it impacted everyone the same so the dollar figures don't change the complexity.


Attorneys' fees in a class action have to be approved by the court, and for large class actions the percentage fee tends to be lower than what a privately-retained lawyer would receive. The privately-retained lawyers in NTP's lawsuit against Blackberry got an approximately 1/3 payout of a $600 million settlement. 20-33% is quite typical in a pure contingency situation. Most court-approved fee awards in class actions that large ($100m+) tend to be a lot lower than that, in the 10-20% range. Courts usually will demand that attorneys submit their billing records (or summaries thereof) along with their fee petitions, and will regularly cut down any fee requests that exceed a certain multiple of what the attorneys invested in the case.

This case is typical: https://www.paymentcardsettlement.com/Content/Documents/Orde.... $5.7 billion settlement, about $500 million in attorneys' fees, or less than 10% of the fund. $160 million worth of time invested by the attorneys to get to that point.

> And you can't make any kind of cost argument because a billion dollar case isn't anymore complex than a million dollar case.

That's not true at all. Big dollar value cases involve either large harms to relatively fewer people, or relatively small harms to large numbers of people. The former kind of case often involves complex subject matter, such as financial transactions, medicines, etc. The latter kind of case often involves a very diverse class and complex issues of causation and damages. Consider the TicketMaster lawsuit: the basic theory of damages is that class members would not have purchased the tickets had they known that TicketMaster was marking up things like UPS charges. Well, clearly lots of class members would have purchased the tickets anyway. Coming up with a realistic damages model in that scenario is difficult. Furthermore, in big consumer class actions like that you've got class members in fifty states with fifty different sets of laws.


Is it weird to also observe that the opposition in a billion dollar case will be significantly more expensive to overcome than in a million dollar case? It seems obvious to me that billion-dollar cases would be more expensive to pursue.


Definitely. E.g. for a $1 million case, the defense likely won't even hire an expert. For a $1 billion case, you'll be responding to thousands of pages of expert reports prepared by half a dozen PhDs in various specialties (and deposing them, fighting over the admissibility of their opinions and the reliability of their methods, etc.). Not to mention that you'll get buried in discovery, etc.


Still, class attorneis will settle faster and for less. That often drives total comp and remedies a order of magnitude more than fees percents, like in the recent antipoaching litigation.


>Attorneys' fees in a class action have to be approved by the court, and for large class actions the percentage fee tends to be lower than what a privately-retained lawyer would receive.

>$5.7 billion settlement, about $500 million in attorneys' fees, or less than 10% of the fund. $160 million worth of time invested by the attorneys to get to that point.

How often to private retained attorneys get $320 million in pure profit. Additionally the 'time invested' already has income for all of the involved lawyers.


This is contingency work. The winning cases have to pay for the losing cases. When they lose, the lawyers invest $160MM worth of very real payroll and consulting fees and get nothing.


> It might seem unfair at first glance, but it enables the class to access the legal system and justice where it otherwise would not.

The fact that it requires so much expertise and money to "access the legal system" in this way is in itself incredibly unfair and unjust. It's a completely broken system.


Yeah, but how can that be solved? The law is very complex in any advanced country (I'd argue necessarily so), and requires specialists to navigate it.


Exactly. It's hard to measure the value of class actions without knowing how the behavior of companies would change without them. I expect we'll see that natural experiment play out now that arbitration clauses are commonplace.


Your first point is only sometimes valid as damages do depend on the severity of the injury, just as in any other case. See http://www.nytimes.com/1999/10/08/business/fen-phen-maker-to... for a class action suit involving serious injury.


Probably for good reason. $500 per class member is an insanely high damages estimate. 99.9% of people will suffer zero damages because their identities will not be stolen. Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.

As to the Ticket Master case, you can read the complaint yourself and see if $5 or so per class member settlement value was reasonable: http://www.ticketfeelitigation.com/docs/Fourth_Amended_Compl.... The theory was that TicketMaster didn't disclose that it was marking up fees for things like UPS delivery and order processing, and that if customers had known they wouldn't have ordered the tickets. That's a weak damages theory, because customers don't care about line items they care about the bottom line. Either they'll pay $X for the tickets or they won't. Unsurprisingly, that weak damages theory lead to a small per-class-member settlement.


> Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?

There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.


What headache? Get with Capital One, Chase, Citi, or one of the other big names. They are very professional about replacement cards and zero hassle.


Replacement credit cards are not the issue. Whoever has this data has the complete dataset to open new credit cards in your name, buy a car in your name, get plastic surgery in your name, etc.

The hassle will be convincing all those companies that you do not in fact owe them thousands, and there is no automatic protections for these types of harms.


Even worse, is if you don't immediately notice a new account on your credit report, that then goes to collections. -_- 10 years later and I still get threatening calls from the shadiest of shady "collection agencies"


Do you know if there's any way to "notice" these new accounts without having to freeze your credit or otherwise mess with the normal process for getting new credit? I just want a notification, nothing else.


Credit Karma seems to do that OK. Their score is wildly different from their supposed source though.


Oh yeah I don't need the scores, I just want notifications for new accounts. Cool, thanks! I'll check it out.


must be terrifying. sorry about that. but free money is free money.


> Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?

It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to show it's fraudulent, then by law the credit card company has to investigate, and deal with it.

It also makes business sense. CC companies make a ton of money with legal transactions, and an anti-consumer, pro-fraud reputation would cost them customers.

> There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.

Why would the bank or credit card company send a check? Presumably they're not the one who committed the crime, so why should they cover the damages?

I've had my identity stolen, and it was a PITA to clear up, but the bank and credit companies were reasonable about it, IMO. In a case like this, where it's easy to point at the Equifax breach and say, "See? This is how they got my info.", it's probably even easier to clear up, though I'm sure it's still a hassle.


Time. I'm pretty old, retired, and have a few bucks. Time is my most precious commodity, and I prefer to give it to those who deserve it.

I'm not sure how much I'd want someone to pay me for an hour of my time. Clearing up identity theft can take many hours. Those are hours I can spend bugging the missus, or even bugging you folks.

I am clearly not to blame for their data exfiltration. Who is going to pay me for my time? What is my time worth to them?

This is all theoretical. My credit has been frozen for a long time. It has been that way since the OPM hack. However, for the sake of expression, I point out that my time is pretty valuable to me. Those who steal my time are worse than those who would steal my property. I can insure my property, I can not replace my time.


This has been hitting me hard lately. I'm pretty young at the tail end of my 20s, job is finally stable enough not to worry about money, and have really started to realize how few free hours I can find in a week. Work and its on call rotation, obligations to the girlfriend and social circles, maintenance on the house and cars, bills that don't have an auto pay option.

Last month my auto registration sticker didn't show up in the mail after renewing it. A trip to the county clerk, then the sheriff's office to file a report, then back to the clerk to get another sticker took almost two hours. Stopping by the local bank to change my address after the online system locked my account for two incorrect password attempts took 90 minutes. 6 phone calls after a cancelled auto insurance policy made an auto draft the next month. My coworker has a pile of kids, two with medical issues, it seems like his wife has a part time job dealing with medical billing issues.

Most of these rambling examples aren't the fault of the organizing institution (unlike the Equifax leak at hand), but in the end individuals are bound by those institutions' organizational practices in their pursuit of normalcy. I don't know how it could be implemented or enforced, but at a certain point it feels like individuals should be compensated for suffering organizational incompetence or negligence.


I got lucky and sold my business when I was just 49. However, I worked a minimum of 60 hours per week, for years.

Which gets me to my response:

Cherish that time. I don't care about longevity, I care about maximum value. I may be content to die today, but I'm not content wasting time on something that is forced on me.

I don't regret much, but I do regret my time that was wasted by others. As I look back, I see do many situations where I could have disallowed that while still getting the same eventual outcome.


They do it on purpose and have no intention of fixing their administrative inefficiencies. They know most people don't have the patience for this crap so that discourages people from creating a hassle for them with problem/things that they have to do.

For instance, in a past life I may call up to question a charge on my cable bill. Now that I have more money, I don't waste my time on such nonsense. If the cable company wants to charge me an extra $20 for no reason, they can do so, because it's not worth my time to call them up and get shuffled between departments for 2 hours.


Last time a cable company charged me wrongfully (I wasn't even their customer anymore), I called my bank and had them reverse the charge, as well as block any future ones. Took me like 5 minutes. Now the only time investment I have is throwing their monthly threat letter in the trash about how they will cut my internet access if I don't pay up.


> It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to prove they didn't make it, then by law the credit card company has to investigate, and deal with it.

But the time it takes on the phone to talk to an agent, review your records for legit vs illegit charges, etc. are not reimbursed, which is what they were on about.

> Why would the bank or credit card company send a check?

I think we're talking Target writing the check. Which they didn't exactly volunteer to do, but was covered in the class action at least: https://targetbreachsettlement.com/mainpage/CommonlyAskedQue...


"Even the ones who do have their identities stolen will likely be made whole by the credit card companies."

Fraudulent charges on a credit card are the least of my concerns. This opens us up to a lifetime of identity theft and insecure accounts of every sort. I'm not even sure how they can approach remedying the problem. Coordinate with the SSA to get 150 million people new SSNs at the least.


This is really the concern. With this level of detail, someone can open any kind of new account - not just credit card - dig into everyone's lives (or political opponents on social media for doxxing). And the threat remains in perpetuity.

There is mo way to even estimate the damage as some devious ways of it harming us may not even exist yet.


> There is mo way to even estimate the damage as some devious ways of it harming us may not even exist yet.

Scifi story idea:

Far future. Life extension possible. The government will provide it free (if you want it) - one time only though - when you are near the end of your first life. Upon extension, this technology also turns the clock back to renew you to 20 years old.

You're 78 years old, frail, ready to kick it, but decide to do the extension. You go into the clinic. Give them your information, etc.

Bzzt.

We're sorry, you've already been rejuvenated before. We can't help you, unless you want to pay $$$$$$ for us to go ahead with the procedure.

lolwhut

yep.


Why would people need new SSNs? It was the credit industry that misused them as combination of unique identifier and authenticator, and that is not the SSA's responsibility to fix. The government even tried to curb misuse of the SSN, but it was not binding on private entities, and they just ignored it.

The solution, whatever it is, does not include anyone continuing to pretend that the SSN is now or has ever been suitable for any purposes other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS.


> other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS

... and all of the other government benefits, programs, or mandated activities, many (all?) of which demand your SSN. Are you even sure that the credit industry, i.e. banks, originally misused SSNs? I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".

Some people also might be concerned with not receiving their SS benefits either, which isn't entirely far-fetched given that others might now be using it for nefarious purposes (like trying to collect their SS benefits).


> I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".

I read something somewhere else (maybe on a different HN thread, maybe here?) that this was changed in 2000 for something called "red flag laws", IIRC.

So yeah - it is required.


You're absolutely correct. We should move to a well designed identity system. However I'd SWAG the development and deployment of such a system around 10-15 years if all of the involved parties were on-board. Equifax could provide the SSA a pile of money and the victims could have a reasonably effective defense against identity theft within months.


wouldn't it be simpler to make ssn number last only five years? it's a partial workaround, but would immediately help by reducing the attack opportunity time massively, along with making it standard to have variable ssn thorough the system and making it easier for people to just renew their after breaches like this, since the current bar for obtaining a new one is quite high


honestly this is only really an issue because organizations are using SSN as authentication and not just as identification, caused probably by the lack of a federal id scheme, compound by the inability to easily change the SSN itself as you would with an id document (which is why here ids are relatively short lived and we can get away with ssn equivalents that are for life)


Bingo. In sweden as example our birth date plus 4 unique digits is your nation wide id/ssn. So obviously your ssn is not exactly a secret and instead you also have to proove that you are you with a photo id or online 2FA id.

There's no such thing as loosing your ssn because it is already public.


> Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

No one will be paid for their time wasted over ID theft resulting from this breach. That's what "made whole" would mean to me.


> 99.9% of people will suffer zero damages because their identities will not be stolen. Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

The extent of the potential damages here isn't limited to credit card fraud. Having your SSN leaked along with your name, date of birth, every recent address you've had, etc. opens you up to a lot of other attack vectors.

Furthermore, credit reports can often inadvertently contain information that relates to one's medical history - you can request that this information be obscured or sealed in your report if you find it, but that means that certain medical information is also within the scope of the potential leak.


All of the identities have been stolen. It’s a matter of whether they’re used at this point.


True, but in the US you can not really sue for possible harms. You can only sue for actual harms which can be remedied by the court. Leaking your information isn't a harm the court can remedy. Abuse of the leaked information is a harm the court can remedy.


Fair point. I would argue that Equifax has breached one of the terms of the Fair Credit Reporting Act, and possibly other privacy regulations.


I don’t think that’s a generally accepted legal standard. It seems similar to saying that Edward Snowden and Chelsea Manning only released information, which the courts can’t remedy. If anything bad should happen due to that leak, then the courts can remedy that in the case of the people who committed those acts.

The government is clearly of the opinion that they can and should prosecute people for leaking information which could cause possible harms.

I’m clearly not a lawyer, but these scenarios seem pretty similar to my untrained eye.


The difference is that their intentional leaking of classified information as people with a security clearance is letter of the law illegal. The difference seems huge and obvious to my untrained eye.


To add to this, their acts were intentional. Yes, you're very right that they were very much illegal acts. However, it needn't be intentionally spilled classified information in order to be illegal. Under certain circumstances, even accidental 'spillage' is a felony. Negligent 'spillage' is also very much a felony.

I've been through quite a bit of training and held my clearance for years. I was a victim of the OPM hack. Well, I guess I still am a victim. Mens rea doesn't really apply when handling classified material/data. If it is accidental AND you report it properly, it's not jail - you are so losing your job, however. You also lose your clearance. It has been a while, but I'm pretty sure you lose it forever.


The State prosecuting someone for a crime is not the same thing as a private individual suing another individual for a tort. Basically everything is different: different rules of procedure, different rules of evidence, different standard of proof required, etc. etc.


> The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.

This is not true at all. They simply reverse the charges. Businesses who accepted the fraudulent transaction(s) are on the hook for it. Anyone who runs a business and handles credit card processing can confirm this.


A bank 'absorbing' a cost surely means passing on that cost to consumers in some way.


If there are 140 million members then any settlement will be individually quite modest (Equifax has annual income of ~600 million dollars, so multiple years of all of it to get to even $10).

It does seem like any penalty for something like this should severely impact the ability of the company to operate though.

I suppose a $0 way to penalize them severely would be to force Equifax to allow individuals to opt out of having Equifax store information about them. Lots of people would do so without understanding that it might impact their ability to get a loan, but so what.


But that would also make Equifax's product not that appealing to the companies that would purchase it. So organisations would have to use one of the other agencies as well.


$500 may be high, but $100 would be more reasonable even for those that didn't have their identity stolen, I've already spent an hour researching the hack to figure out what to look for and whether or not I was included in the set of stolen identities.


Do you think that the FCRA punitive damages ($100-$1000 per person) might apply here?


Unlikely since it doesn't appear credit report-related data was leaked, only PII.


The leaked PII makes it trivially easy to obtain the credit report data


There was a class action suit because a company was marking up the cost of the goods / services they were selling? Isn't this just called business?


Most businesses include their markup in their displayed price. Ticket Master was displaying one price and then sneaking in an extra fee later in the process.


You mean, with a coupon book good for 2 free credit reports... except with ridiculous fine print that will prevent 99% of people from using said coupons...


... 2 free credit reports with the purchase of 3 or more credit reports at the usual price


Is that what the lawyers received for taking the Ticketmaster case?


One scenario would be SSN being massively used by pirates, so companies would stop trusting SSN altogether. Let's hope a startup creates a "proof of identity" service with a photo ID with a chip, a code, and an online certificate for tax purpose.


ah lovely "papers please citizen" and what happen when friend computer with all this proof of identity gets hacked.

Maybe the USA needs everyone to have a new ssn and ban with very strict penalties is use by any one other than the state and then only for highly restricted usages as it is in the UK


Considering that Social Security numbers are not secure, and were never intended to be secure, I favor this approach. Unless you’re the federal government, you shouldn’t know or care about my social security number. Idiots are always going to think SSNs are a good UUID, and I’m always in favor of punishing idiots.


almost 20 years ago when working for british telecom we where read the riot act an where told any non permitted use on NI numbers would be considered gross misconduct and you would be sacked on the spot.


> ah lovely "papers please citizen" and what happen when friend computer with all this proof of identity gets hacked.

While it doesn't solve the "papers please" aspect:

1. Card holds biometric data of person, plus PIN. Card is the only thing that holds this.

2. All card does is output "yes or no" if you are you.

3. You have or use a reader for authenticating who you are. The reader takes you biometric data (fingerprint scan, face scan, or something else), and has you enter your pin. It takes this info, hashes it, compares to the stored info, and outputs the "yes" or "no" answer.

Very basic thing here. 3-factor, and the data about you is never stored anywhere, and the card/reader combo does the rest. The data about you never leaves the card (in fact, it can't - it would be write only for that data).

We have all the technology to do this today. What we don't have is the will. So it won't be implemented.

I'm not saying the above is perfect - but it is 3-factor (what you are, what you have, what you know), and that is what is needed most. The information stays with the owner on the card. All transactions can only be done with the card on-hand to prove you are you. You can change the PIN at will, maybe even the biometric data - but both are write-only, and can't leave the card. The card can read in data (an image for the biometric data, and the code for the PIN), but all it does is hash that together, compare it to the stored hash, and output a yes/no.

I'm not saying the above is perfect, and I am sure I have forgotten something. But it - or something like it - is what we ultimately need. But we won't get it. Ever.


If the card outputs "yes" or "no" you are creating new security incidents just waiting to happen - proxying, oracular attacks, faux cards that respond improperly to the binary question, etc. This means that your system is actually two factor, a pin and biometrics. A pin is extremely weak, and for sure biometrics need to be designed and implemented properly.

Also, notice the other subtle dependency that was introduced with the PIN only kept on the card - the PIN might as well not exist.

This is all known. The issue isn't how to design a security system. The issue is the fly by the seat of the pants lack of security with deadline driven products. Those products only appear to implement a feature set and really don't work, just appearing to work in order to achieve the release exit criteria of a minimum viable product. This gets compounded by products hardly ever revisiting their earlier phases, choosing in this case to add new web features instead of hiring a security team.


True only if the papers are issued by government. A private or non-profit scheme, if hacked, could be abandoned within hours and replaced. To post this comment i had to present some virtual ID to a private organization.


Where are the blockchain proponents? Oh, right, this kind of thing isn't a pyramid scheme. It would be a lot of grunt work and wouldn't be worth a VC investment.


I can hear it coming now... A VC backed military contrator is right now creating MilChain and DarpaCoins.


And after some time it'll become apparent it was a CIA front, and ultimately only achieved to fund the latest insurgency in $PLACE


It isn't paranoia if one is right. Sadly, we are both right.


> I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court. If ~15% of the class does this, they are out of business, and lawyers don't get a dime of the $1000.

IANAL, but can't you only sue for actual damages not hypothetical damages? According to this [1] your identity with SSN is only worth $30 on the black market. To get $1000 out of them you'd probably need to have your identity actually stolen and prove it was stolen from Equifax.

[1] http://www.bankrate.com/finance/credit/what-your-identity-is...


The damage is not the cost of getting a new SSN, but the cost of verifying that your info is safe (still safe?). This is why companies routinely list the _cost_ of dealing with hacking incidents (scrub all the servers, pay people overtime, etc). I think it's fair to assign costs similarly for equifax.


Info monitoring is what, like $29.99 a month?

Perhaps reasonably ask for 3 years of monitoring, so $980

But those aren't actual costs incurred yet.


My SSN won't change for my lifetime, so really they need to pay that cost of monitoring. Equifax, you owe me $23,392.20. It's in your interest to pay upfront to avoid the cost of inflation.


> My SSN won't change for my lifetime

This breach, I suspect, makes that less likely to be true. After all, one of the few reasons a new SSN can be issued to someone who has one is “A victim of identity theft continues to be disadvantaged by using the original number”.

https://faq.ssa.gov/link/portal/34011/34019/Article/3789/Can...


It would be interesting to see how they define "continues to" and "disadvantaged by" here. It sounds like it may be implying that multiple occurrences of issues need to happen and just knowing that your data's been breached, but not yet abused, could be insufficient qualifications for "disadvantaged by".


That's retail and the pricing seems highly inflated. Does anyone actually buy these services at that price point?

Credit real time monitoring should be an entitlement for those whose data is being collected.


You can sue for anything. They'll have to show up to respond, or you win by default regardless of whether your case is valid or not.

This would cost them a fortune.


I cannot believe that is how the court system works in any jurisdiction... are you commenting on the US?


Stress is a damage and mental health is valuable.


The tests for stress/mental health damages are very stringent.


Isn't Equifax protected from the class action by a few levels of arbitration clauses?


Arbitration clauses agreed to by who? Do most individuals have any relationship with the credit reporting agencies beyond having their private information siphoned up behind their back? (and trying to keep a handle on that, so that their "credit score" remains favorable?)


I never signed anything with Equifax, but they still have my information. I'm sure the great majority of the ~140M records they have are in a similar position.


Yeah, they ought to apply fraud alert status automatically to everyone who was compromised. Every credit application for the next five years requires they contact you personally for new applications.

Doesn't help for all the other issues this will cause, though.


Punitive damages.


There are no "punitive damages" in U.S. Small Claims Courts. Only "actual" (out of pocket) damages.


You can, however, put whatever amount you want (up to the small claims limit) in the initial paperwork. It would get reduced to actual damages if you won. But...big companies often try to settle with you before the actual court appearance. By padding it, you set an expectation that might help. They are likely to settle if the amount is less than the cost to have someone appear.


Sort of / not really.

I guess treble damages are not called "punitive" but they're also not "actual".

https://en.wikipedia.org/wiki/Treble_damages


The GP was talking about Small Claims specifically -- I don't see anything on the linked page that refutes that. In fact, it seems like this applies very narrowly and only where specified by statute.


It was the best I could find. My understanding is that here in CA, if your landlord does not refund your deposit (or properly itemize legitimate expenses against said deposit) you can sue in small claims court and recover 3x damages, up to the small claims court maximum of $7500.

That said, I've never tried it, so it's possible my understanding is wrong.


But then you would have to show $1000 of actual personal damage, which I doubt few if any can, unless you're thinking Equifax will just settle these one after another. But they're just as capable of multiplying out how many of these will have to happen before the losses devastate them like you just did and at some point will actually show up and make you prove your case.


This is the genius of small-claims court. Equifax has to either send a representative (which would cost them more than $1000), or they lose by default. You don't actually have to prove anything.


It really isn't genius at all. At least in my state, either party can object to the small claims status by simply sending a letter. Then it moves over to normal court with normal lawyers. Already you are out the small claims filing fee (yes, you have to pay the court to even bring a small claims case).

Once in normal court, you would need to hire a lawyer, and they would just find some local representation. At this point, you would probably withdraw the case because it isn't worth that investment.

But suppose you kept going. Their local council is going to proxy their attempts to change venue to where they are located. Unless you had a really compelling argument, they would probably win the change of venue. Now you need to find another lawyer somewhere else, and it is probably an expensive locale like New York or LA where they have a firm on retainer. Still want to push the case? Me neither.

By all means, try the small claims route. But don't think for one second that it is a slam dunk.


That is an incredibly pro-corporate anti-individual jurisdiction. Where is this?


I didn't think my state was that unique, so I did a bit of searching and found some interesting gotchas in a few different states:

Alabama: Must file in municipality where the other party (defendant) resides

Alaska: Easy to move to regular court

Arizona: Easy to move to regular court

Delaware: Cannot be used for punitive damages (basically this)

Indiana: Easy to move to regular court (If I am reading it right)

Michigan: Easy to move to regular court

New York: Must file in municipality where the other party (defendant) resides

Oregon: Basically must file in municipality where the other party (defendant) resides. Easy to move to regular court


You would have to do that if the case were actually litigated. The cost to Equifax to defend the case would be, at the very least, several hundred dollars, thousands, more likely.


I saw your post about this in the other thread. If anyone wants to work together on this idea, my contact info is in my profile. If someone has a lawyer we can loop in (or is a lawyer), that would be ideal.


I am in the state of Kansas and will be filling out a small claims petition as well.


Likewise.


Why $1,000? And how would you prove damages equaling that amount?


$15/month for identify protection/tracking X 12 X 40 years.

You can't even dispute $15/month, since that's how much Equifax charges for their identity protection, so that must be how much it's worth since they caused these damages.

That makes it more like $7200 in damages, not including the cost of money over time, inflation, etc.


For anyone reading this: I believe it’s a one time $10 per credit bureau to freeze your credit. Equifax would obviously like to charge you more if you’re willing. Do not sign up for Equifax’s service. It is a rip-off for a number of reasons.


That exceeds the $$ limit for claims is many states.


I'm sure equifax would respond by offering you free credit monitoring for life (which costs them nothing to do)


Who said the hypothetical plaintiff was interested in _Equifax's_ credit monitoring services? They've already demonstrated they can't keep data safe.


future payments are usually discounted rather than inflated (IE money you have to pay now is more of a burden than money you have to pay in the future)


You could prove how much it will cost to buy service that will protect your identity for a period of time.


> that will protect your identity for a period of time

For the rest of your life


If they are out of business, they sell their assets which are office chairs, fax machines, and a giant database with information on everybody. Are you not worried about the sale of that data?


Their business revolves around selling access to that database. So no, not worried about them selling data that they already sell. Very annoyed that they exist to collect & sell the data, of course.


Isn't the potential impact from selling access to the data versus selling the data different?


In a situation like this, if they get bankrupted, the company continues to operate. The ownership is just transferred to the creditors.


i think that cat's already out of the bag..?


Toyotas negligent practices with regard to software killed at least 2 people. Their developers did not even have a bug tracking system at all. They followed only 6 of 90+ industry standard recommended practices. They lied about the system using error-checking RAM when it actually did not. None of that was enough to get a court to declare them negligent. Equifax will be fully acquitted. If a computer is involved, companies can get away with literally killing people. This is court precedent.


Could we create a service that automates most of the work required to sue in SCC?


Am an attorney.

You could create a system that'd help you file SCC complaints quickly, but to have it detailed enough to pass the defendant lawyer's complaints about the deficiencies in your documents would be difficult.

The size of that problem, however, decreases with the narrowness of the subject matter you want to cover/make claims about. If it were a 'Sue Equifax For The 2017 Data Breach' service, then it might work (the whole point about class actions being that they're similar - commonality, typicality etc - enough)


It's small claims we're talking about, the defendant will not have a lawyer, right?


If you sue a corporation, who do you expect to defend it? It will be an attorney.


I don't know about other states, but in California if you sue a corporation in small claims court, they can NOT send an attorney:

Corporation or other legal entity — A corporation or other legal entity (that is not a natural person) can be represented by a regular employee, an officer, or a director; a partnership can be represented by a partner or regular employee of the partnership. The representative may not be an attorney or person whose only job is to represent the party in small claims court. An attorney may appear to represent a law firms as long as that attorney is a general partner of the law firm or is an officer of the corporation. However, in both instances, all the other members of the partnership and all the other officers of the corporations have to be attorneys as well.[1]

[1] http://www.dca.ca.gov/publications/small_claims/basic_info.s...


Apparently this is not uncommon even in normal court.

I sat on a jury in TX where a couple was suing an insurance company, and the insurance company wasn't represented by an attorney. It was really strange, because the first thing the gentleman does is stand up and spend 5 minutes explaining how he isn't an attorney but he regularly represents the insurance company for smaller claims (it was something like $20k IIRC). Then for the remainder of the next hour and a half or so he stumbled around with arguments against the couples slick lawyer. I guess the guy probably lost most of his cases (?) but its worth it to the insurance company to spend a few hundred bucks getting this guy to show up unprepared for an hour or two in the odd chance he could save them $20k every few dozen cases.


So they find someone to send who isn't a lawyer but has a lot of experience in that area of law and is coached by a lawyer.


I think the point of doing this in SCC is that the cost of defending against small-claims is usually greater than the cost of just settling the SCC. Lawyers aren't cheap, and folks going to SCC are banking on them being more expensive than their claim.


Perhaps it would be an officer of the corporation, named in one of the documents on file with the state's Secretary of State or department governing business records. If only the CEO is named, that is the person who has to appear.

I think states usually allow a regular employee of the corporation to appear, though.

Obviously, the small claims court procedures may vary according to jurisdiction, so you'll have to at least check your state's website before running down to the clerk with filings in hand.


Actually, at least where I live the law is that it can not be an attorney.

It must be a regular staff member or manager.

I did not check how many states have a law like that.


Who do you think is going to represent the company?


yes in this case with the amount of people affected the idea would be to do a one-off website 'Sue Equifax For The 2017 Data Breach' each person would pay a fee $ and get a package they could use in their state to file the SCC complaint. Would this be possible? I think there's plenty of people willing to pay $100 in order to sue for $1,000 if it is even possible


If you already have to enter your name/ssn/dob/address 3x for the credit freezes a 4th time to generate the paperwork for a small claims case isn't much extra work


flightright and the likes come to mind


I'd pay $20 for a service that can walk me through what to do/say, templates legal forms, etc. I would absolutely take the time to sue Equifax in small claims court.


California has a convenient free web page that tells you most of the steps: http://www.courts.ca.gov/1007.htm

This has all the forms and a link to what to do with them: http://www.courts.ca.gov/9744.htm


I would pay 20% of every penny that I win in the lawsuit


same here, heck I'd pay $99


I will also crowdfund taking down EQ.

Give me a service and I'm ready to pay.


Why not? Wouldn't it be the same as the kid that automated fighting a speeding ticket or traffic infraction ticket?


Traffic tickets aren't generally resolved in SCC. Traffic tickets are very specific. As the actual attorney pointed out, if you make a generic "file a SCC claim here" app its resultant documents will be pretty quickly discarded as insufficient.

SCC is not hard, it's cheap, and it's designed to be easy to do and not require legal assistance to do so.


They should be driven out of business. Their #1 commodity, the only reason they exist and they don't spend the time or money to protect it?


I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court.

There's usually no enforcement of penalties in small claims court.


Submit it to debt collectors and put it on Equifax's credit report


And because their security will probably still be a joke after this is all over, someone can hack their database again to ensure they actually put the claim in there.


This. So much this.


send in the bailiffs to confisticate goods ideally the c level execs Porsche


I don't know how many times you have been to Small Claims Courts but there are multiple ways to enforce penalties in Small Claims; a judgment from a judge, a till-tap, levy their wages, place a levy on their bank account, placing a sheriff in their area of business (for a fee) and will stay there until he's collected all the funds, submit to a collections agency etc.

Don't speak on something if you don't know what you're talking about.



If an average person can get a giant mega-corporation to pay up through small claims then there is hope for all of us :)

the only difference is a giant corp can simply say "hey sorry we didn't pay earlier" when if a consumer tried to do that we would have more penalties placed upon us.


levy their wages

Whose wages? If you win against Equifax, Equifax isn't getting a wage. Equifax is paying wages, but you didn't win a suit against its employees. You won against the corporation.

place a levy on their bank account

Seems like your best bet. However, this might be complicated, depending on how they've distributed their assets. Quick, can you tell me the name of the bank, the account number and the exact name on the account?

placing a sheriff in their area of business

Seems to me that Equifax might just keep draining your account through continued fees.

submit to a collections agency

I suspect this might be satisfying in its symbolism, but not necessarily effective against Equifax.

Don't speak on something if you don't know what you're talking about.

Seems like good advice.


> There's usually no enforcement of penalties in small claims court.

perpetuating this mindset that the average consumer is too weak to do anything to these corporations and individuals who hurt them through the court system is nonsense and needs to be avoided. From the article posted below (where my other comment is):

"Allen then reported to a local branch of the bank with sheriff’s deputies, who he instructed to remove cash from the tellers’ drawers, furniture, computers and other property. Approximately one hour later, the Naples News reports, the bank manager produced a check for $5,772.88 to satisfy Allen’s fees and additional costs."

You have a lot more power than you think against corporations and people through our court systems. even small claims courts.


Then what's the point of it?


The ideal way to recompensate $500 or $1000 dollars is to sign up everyone for credit/id theft protection, for say, 5 years.

I don't know where else they get their revenue from, but free credit protection will hurt them significantly in the long run.


I've heard that those credit monitoring plans are a joke, and provide very little value besides the simulation of "doing something."


They just tell you after the fact that a new credit line has been established. It's still on you as the consumer to go prove that it wasn't you and that you didn't open it...

And guess what, the same questions that they ask you to prove you are who you say you are, are the ones that have likely been stolen!


Lifelock themselves were subject of a data breach in 2015.


Can I actually do this? Cause if I can I'm totally doing this.


IANAL, but I think you'd find it virtually impossible to show $1000 of direct, material damages as a result of having your information leaked[0] and to the best of my knowledge this is the only sort of claim that small claims courts allow - I believe they do not allow punitive damages, nor theoretical ones.

0: Unless your info is actually used in a way that harms you, and you can prove that it was a result of this, but that seems unlikely to be true for the majority of affected people.


Is it really so hard? Cost of a service like Equifax's own TrustedID or LifeLocks is over $100/year. Seems you could easily argue that you'd have to subscribe to said service for the next decade to guarantee your credit and identity aren't stolen?

(and I would think refusing to accept Equifax's "coupon" for TrustedID would be a similarly easy argument to make)


> to guarantee your credit and identity aren't stolen?

there's no right to not having your identity not stolen tho. By this logic, shouldn't you _always_ have the identity-theft prevention service paid for already, regardless of what happened to equifax?

I think you'd have to show _actual_ identity theft occurring with your name to claim damages.


No, now you need to sign up for identity-theft protection because Equifax handed all your info to the bad guys.

If it weren't for Equifax, anyone trying to use your identity would have a much harder time.


Many time the thiefs are actually caugh. If he she admits to stealing your data in this leak AND you are damaged, then here is your proof.


I think it's unlikely you'll actually be damaged. Any real financial impact would have been reversed by your bank. Maybe a fee or two that two parties argue about who should reimburse your for it, however I can't see stuff like that adding up to $1,000 (or even $100).


You misunderstood how this affects SS #s holders. Its way more serious than just opening up a credit card and disputing it later on. In such situation the bank will reimburse you and close down fake account, but many banks will put negative information on your account just to warn other banks. You have to look at it from bank perspective, not your own. The bank can report: "okay we don't know how and when but someone opened account in client's name on his behalf so this clients has problems with his identity being stolen. Be warned".

Edit: not to mention the worse damage will be from fraudsters taking loans.


Does this "be warned" flag on someone actually damage them in any way?


Well about 2 months ago (when the leak was happening apparently) I had false information showing up on my credit report for a Comcast debt.

The weird thing is the Comcast debt couldn't have actually been mine. As the date of the debt was smack dab in the middle of when I had service with Comcast before switching to ATT.

Now, during this period I tried to refinance my home and was denied due to a low score with Equifax. I pulled my EQ 2 weeks before trying to qualify and there was nothing. Then I found that after I was denied and pulled it again of course. I submitted a challenge on it, and it was removed within 2 weeks but the damage was already done.

So would this count as real damages?


You need to show a dollar amount that it cost you. If you can do that, you also need to show that had the leak never happened, you never would have had the issue in the first place.

Whether the debt "could have been yours" isn't relevant, what's relevant is how it showed up there. If someone fraudulently signed up for a Comcast account using your social, and they obtained your social via the leak, then yes the leak damaged you. You could go after the difference in your refinanced interest rate now v. what it would have been had you gotten it at the first request (are you paying 0.1% more because rates went up a week after your denial?) and possible the additional interest paid between the denial and the successful refinancing.

But if the Comcast account showed up on your report because someone fat fingered a social and there was no fraud, the leak didn't damage you at all and it was just bad luck.


If you can write up the process in detail for my state, I will give you 15% of what I win from them. If you automate it as much as possible, 20%.


They still have the death penalty for humans in the US, why not companies?


They do, it's called corporate dissolution. Not sure what precedent there is for a class action suit that results in dissolution, but it would be a pretty good precedent to set IMO.


Does anyone have experience with this process and could share some tips, e.g. is it likely to be successful, is it open to non-citizens, how much paperwork are we talking about?


How hard is it to sue in small claims court?


I love your idea. I would be game if something is happening in that direction.


In small claims court, would you not have to show $1000 worth of damages?


Yes, and it's possible using simply arithmetic and market rates! Given that freezing your credit ratings is a necessary precaution after this damage inflicted by their negligently unpartitioned database, we can calculate:

1 legally guaranteed free credit report / year * ($5 freeze before + $5 unfreeze after) * 3 agencies * 33 more years of healthy remaining life God willing = $990 right there.

Move apartments or change jobs just once in that interval, and it will bring you up to a round thousand. Bam.


Actual, not theoretical.


In.


Are you kidding? This is a 100% instant dismissal if it even gets to a judge. The allegations are groundless...the plaintiffs have no knowledge of Equifax's security systems in order to have any sort of standing to make any claims regarding the quality of it.

The sad truth is you can do everything right to the best of your ability and still get hacked. So just the fact that they were hacked isn't sufficient evidence that they were negligent.


NYS Attorney General on the arbitration/rights waiver clause: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it." https://twitter.com/AGSchneiderman/status/906195350532304896

Also: "I am launching a formal investigation into the #Equifax breach. Today, I sent a letter to @Equifax seeking additional information." https://twitter.com/AGSchneiderman/status/906197644841766912


Yeah, I'm not sure the arbitration language is applicable here anyway. The claims would arise from Experian's failure to secure their data, not from use of the "Products" offered by TrustedID (namely, the website allowing me to check) or the subject matter of the Terms of Use agreement.


Their FAQ [1] now appears to explicitly say so: that the class-action waiver and arbitration agreement only apply to disputes over the credit-monitoring product itself, not over the original breach. I don't know if they have some way to still weasel out of that, but publishing that clarification on their website seems like it'd make it harder?

Do the TrustedID Terms of Use limit my options related to the cyber security incident?

The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.

[1] https://www.equifaxsecurity2017.com/frequently-asked-questio...


Ok, so credit reporting agency collects sensitive personal and financial data on basically every adult American, loses it to a bunch of criminals and now I have to deal with the consequences?

I looked into credit freezes yesterday. This is really a total scam. You have to _call_ each of the three agencies and pay a fee ($5 to $10) each time. If you need to unfreeze your report to make a legitimate credit application you have to call each of them twice (once to unfreeze and another to freeze) paying fees every time.

Now if you're a paying member (paying a minimum of $15/month to each agency) you can just lock and unlock your credit file on a mobile app (well, three mobile apps and I'm not sure all three support this). It's amazing how convenient things get once they're already extorting you for "credit protection".

This shouldn't even be legal.

Also, if a fraudster defrauds a financial institution with your personally identifiable details, it should be an issue between the agency and the financial institution as you were not a party to this loan. The reporting agency saying you were should be slander.

Financial institutions should be interested in consumers having an easy ability to lock their credit files as it would decrease the number of fraudulent credit applications.

So why can't I have a mobile app (or three) for free that allows me to easily lock and unlock my file or, better yet, to vet every inquiry and approve it or not?


Corporate charters can be dissolved by the government at any time. Given Equifax ONLY deals in building detailed profiles of every US adult and managed to lose that information to criminals is grounds for terminating their corporation.

At this point, their lack of basic security practices has endangered national security by weakening the banking and credit systems.

On top of that, this company is massively unpopular. Their only purpose is to potentially slander Americans en masse. Make a fucking example out of them so the rest of the finance industry takes notice.


The government can't just dissolve a corporation on a whim. We have due process and the rule of law.


> The government can't just dissolve a corporation on a whim.

Not on a whim, but for (e.g., in Delaware) “abuse, misuse or nonuse of its corporate powers, privileges or franchises.” (Delaware Code Title 8, § 284.)

> We have due process and the rule of law.

While rarely used in practice currently (it was more used in the past, and there is a movement to revive the practice), the law provides for charter revocation for corporate misconduct.


The point is that charter revocation requires both the executive and judicial branch to agree. Moreover, I think I can guarantee that any vague sounding statement like "abuse, misuse or nonuse of its corporate powers, privileges or franchises." has been translated into a series of relatively specific conditions by the courts. You can't just sue someone for being vaguely terrible.

Basically, however appalling the unaccountable power of credit bureaus is, it was legal yesterday and it's not the job of either the executive branch or the judicial to decide today that such power isn't legal today. The judicial system especially is oriented towards prevent that kind of thing. Rather, deciding that is the job of (even more dysfunctional) legislative branch.

This, of course, doesn't guarantee that executive or judicial branch couldn't "get religion" and try to get end this situation but it would have it own messiness.

And there you have it - an American legal/government system very much resembling a well built car driven far too long without an overhaul.


It doesn't seem like the executive and judicial branches will need to get involved whatsoever if there is a multibillion dollar lawsuit; if successful this will basically 'dissolve' Equifax.


Well, I wouldn't shed any tears over the dissolution of Equifax and other credit agencies - though a lawsuit would of course involve the judicial branch (the courts).

But the problem is:

A. If Equifax gets a judgment for close to or for more than the company is worth, the simplest way one could assure the suit is paid to sell the company, keeping the operation going rather than ending it.

B. Many businesses integrate credit checks into their operations - it's ridiculous and despicable as mentioned by other but most of these companies and individuals (landlord for example) at least imagine they couldn't survive without the credit agencies so this large group would push for another solution then just getting rid of the credit agencies.

C. Getting rid of one credit agencies leaves the other two even stronger.


If there were a $17 billion judgement against a $17 billion company, it would not sell for $17 billion.

It is also unlikely a $17 billion market cap = $17 billion in assets during an emergency sale. Especially with the shadow of a $17 billion judgement that could encumber the acquired assets.

It's bad business to acquire assets from someone with a judgement against them, unless you're getting a great deal.


If there were a $17 billion judgement against a $17 billion company, it would not sell for $17 billion.

If there is a judgment against a company which that company cannot pay, that company enters bankruptcy.

What happens when a corporation enter bankruptcy is the assets of the corporation are assigned to a receiver. The receiver then disposes of those assets with the aim of raising as much money as possible to pay the creditors involved. In the case of a credit bureau, keeping the bureau functioning would arguably be the best way to earn money to pay the individuals who the corporation owes money to - both the people who the got the judgment (first priority), other creditors(second priority) and then the share-holder (third priority).

This situation means that corporation that produces toxic waste, dumps it in a river and goes bankrupt from a private suit against it could continue to produce toxic in order keep producing and making money, in order to pay that judgment (it would probably be argued that the toxic-waste leak was a one-time thing).

Part of the problem is a private lawsuit isn't a substitute for state regulation even if it's often presented as such. Part of the problem is the very worst that happen to the owners, the shareholder, is their shares become worthless so their incentive for stopping truly bad behavior by organizations is limited.

You might say this is fucked-up and I would agree with you. Don't confuse my comments with statements of support for how things. I simply want to thorough, accurate and complete summary of just what a messy we're in.


Bankruptcy is the strange other side of the US debt system. In this case, it would be an unfair get out of jail free card, a shirking of responsibility.


"Well, I wouldn't shed any tears over the dissolution of Equifax and other credit agencies"

In Project Mayhem we have no names.


> they couldn't survive without the credit agencies

Europe operates just fine without the notion of credit or credit agencies.


If there is a lawsuit, the judicial branch is involved.


This assumes the highest good is to maintain the previously defined delineation of governmental branches.

Some of the legislative branch dysfunction is due to interference from the same corporate interests they should govern.

Corporations are able to DoS their oversight.

You are correct there will be unexpected messiness. The question becomes whether our current trend is sustainable over the long term; many believe the second order effects cannot be worse than the path we are currently on.


What I can't believe is why there's not a criminal case against these idiots? When you are controlling something dangerous and you allow that thing to harm someone else, it's a criminal offense. It's not a matter of whether it's hard. It's simply your responsibility to ensure no one gets hurt. This company has already caused harm to literally everyone in the US. Minimally, we all now have to take action to attempt to avoid identity theft. And it only gets worse from here. And these bastards have the chutzpah to wait until hurricane Irma is upon us to make the announcement.


Bourgeois law in its wisdom protects individual property owners from their mistakes, unless they affect owners of larger property... that said, Equifax may have just fucked over the entire retail/consumer credit industry in the US, so the hammer may very well fall on them. We might get some of those banker perp-walks everyone loves.

But with the current administration as well as Congress (we're likely to see a Federal gov't shutdown over the budget even though the Republicans control the legislature and White House), I wouldn't anticipate seeing any regulation down the pike because of this.

They mention the Struts vuln, but not which one... did an attacker access the info directly via a naive attack, or was this a campaign? Having worked on Enterprise-Ready(tm) systems I wouldn't be surprised if Equifax had an unsegmented network...


If people did not go to jail for the wells fargo fiasco where willful fraud was committed, I very much doubt anyone will go to jail for this. Although you are absolutely right, someone should be severely punished for this.


> This company has already caused harm to literally everyone in the US.

Not yet. People might be annoyed but not many of them have been harmed yet. They're harmed when their identity is actually stolen (i.e. used by someone else), not merely when someone gets access to their data.

(Not saying I like this system. Just saying this it how the system works.)


Since Congress defines what the law is, couldn't they do it? The only law binding Congress's lawmaking powers is the Constitution, and I don't think it restricts their ability to dissolve corporations.


It does actually have such a restriction (Article 1 Section 9): "No bill of attainder or ex post facto Law shall be passed." Further, it prohibits the states from passing such laws as well (Article 1 Section 10).


If Equifax gets sued into bankruptcy and the government passes a law for next time this happens I'd be okay with that outcome.


The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

So this would only work if you can find a clause permitting them to do this. I assume this would be the commerce clause?


In addition to what others have said, you cannot be deprived of life, liberty, or property without due process in the US.


In principle that's true...

In reality 1. You can be shot by a cop even if you do not pose a real threat (they just need to claim they though you might have a gun, simple) 2. People are routinely kept in jail for unreasonably long time because their families cannot afford bail often on things charges are dropped for later 3. Ever hear of civil forfeiture?

The whole thing is a nice story that we love to repeat to each other. Maybe it was easier to accept that during the cold war when the other guys were worse and news traveled slowly (or didn't). It's pretty apparently that isn't true given the quick news cycle... and opening any US history book.

Sometimes I wish I could myself become a corporation. Seams it's much easier to exercise your rights as a corporation.


>Ever hear of civil forfeiture?

Yes, a process in which the government has to prove to the same standard of evidence as someone suing you. That is due process.


The difference being that the government confiscates the property while the case makes its way through court.

In practice this is a huge difference.


> Yes, a process in which the government has to prove to the same standard of evidence as someone suing you.

That's not quite true. They don't make a claim against _you_. They make a claim against the property.

So, it's the same level of evidence and adversarial hearings as someone suing $1,000. This is not due process. It's a farce.


They have to convince a jury that the property in question is the proceeds of a crime.


That's not true in all cases, which is one of the problems people have with civil asset forfeiture.


That is civil asset forfeiture.


Not all states guarantee a jury trial for civil asset forfeiture.

And federal civil asset forfeiture almost always starts out as administrative forfeiture which doesn't involve the judiciary at all.

When the feds seize an asset the owner has 60 days to file a claim. If no claim is filed the government keeps the asset.

If a claim is filed, the government can either pursue civil or criminal forfeiture. In the case of civil forfeiture there is a right to a trial by jury.

However, as I said previously this isn't automatic. The person has to either have the legal knowledge to know how to file a claim, or they need a lawyer. In the majority of cases no claim is filed in many cases because the legal fees necessary to recover the asset will be greater than the value of the asset.

Basically if the government sizes a few grand in cash, it will cost you too much to recover it to make it worth it.

In states like Tennessee, police can seize your cash and you have to sue to get it back. They automatically get to keep the assets unless you sue them. They don't need to convince a jury of anything unless you sue them.

This is not the same thing as a person suing you and then using a replevin action to force you to give up your property. This is like if a person broke into your house, took your TV, and then you were forced to initiate a lawsuit to get it back. Plus you couldn't recover legal fees, it was significantly more complicated and costly than small claims court, and the thief suffered no consequences beyond returning the TV even if they lost the case.

Even Clarence Thomas, the most conservative member of the the Supreme Court, indicated in recent statement that he believes the current way civil asset forfeiture is practiced is unconstitutional.


Due process has been somewhat lacking in practice. https://www.nytimes.com/2017/07/19/us/politics/justice-depar...


I'm sure that comes as great comfort to all the people in the US to whom that's happened.


Confused. Some sources are reporting this was a zero-day vulnerability only recently discovered.

I'm as emotionally upset as anyone else, but if in fact this was a zero-day, I also lose the basic lack of security practices argument.

https://qz.com/1073221/the-hackers-who-broke-into-equifax-ex...


Even with an 0-day, why was consumer data not encrypted at rest with segmentation for access?

If you have the most sensitive information for millions of people, maybe don't only worry about perimeter defense?


True. A flaw in the perimeter doesn't forgive poor data management practices.

Given the number of FS sites running on IBM Websphere and Struts, this may only be the tip of iceberg.


FS == Financial Service???


>Ok, so credit reporting agency collects sensitive personal and financial data on basically every adult American, loses it to a bunch of criminals and now I have to deal with the consequences?

This is what pisses me off - I never gave them authorization to collect information on me. I have no business relationship with these companies. To me they look a lot like parasites even when they're not giving away my data.


EU privacy and right-to-access laws aren't looking so bad now are they


You often agree to this when applying for a loan or credit card.


agreeing under coercion shouldn't be considered agreement.

yes, I realize that the definition of "coercion" here is complicated and nuanced, but I feel the point stands.


You don't have to unfreeze the reports to open a new credit application - the credit app gets rejected (on hold), and the credit issuer will ask you for an auth code. You go to the appropriate agency, log in with the credentials you used when you set up the freeze, provide the request code, they respond with an auth code, you relay the auth code to the credit issuer, credit app progresess.

It basically just forces an auth flow for a credit application, which is quite sane. You can also do the whole process - enrollment and manual authorization - online. It was quite painless for me to do it a couple of years back.


That hasn't been my experience applying for credit with frozen reports. I have to unfreeze them (paying the fee), call the creditor to reattempt to pull the report, then refreeze.


>So why can't I have a mobile app (or three) for free

Yes, and I think it's a bigger question of why we have so little control over or access to our own data in the first place? It's a racket that they monetize our data by selling it to others, then charge us again to access and protect it. And, if you've ever had to go through the pain of having something corrected in a timely fashion, then you know it's doubly-maddening. They are purposely opaque and byzantine.

Yet, without our data, they'd have no business.


>Yet, without our data, they'd have no business

Yet, without credit rating agencies, you'd get no loans.


This kind of thinking is what allows these companies to get away with this kind of incompetence. Loans were given before credit rating agencies existed. This incident shows how flawed our current system is.


> Yet, without credit rating agencies, you'd get no loans.

Loans existed for millenia before credit rating agencies, so that seems unlikely. It's more likely that the people getting the best loans terms today would pay a higher cost for borrowing without credit rating agencies, and that credit references would be more important, though.


There is no such agencies in lots of countries (e.g. France) and still people get loans. When I came to US, I had to purposely take extra credits/loans to boost my inexistent credit history. Now I am credit worthy thanks to my artificial debt.


I'm not arguing against you, just curious... in France, what prevents people from just applying for loans over and over and never paying them back?


There are other means to determine whether someone is eligible for a loan (wages, collateral, family support...).


Not true. But, even if it were, there's no requirement that they operate as they do.


hmm i called the 3 mentioned here today and all were free.

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...

    Equifax — 1-800-349-9960
    Experian — 1‑888‑397‑3742
    TransUnion — 1-888-909-8872


I believe it depends on your state. I'm in California and I had to pay $10 for freezing on Experian and TransUnion, although it was free for Equifax.


Same experience here (also CA), and I was able to freeze all of them online.

It's mildly interesting how different the experience was across the three. Experian gave me the choice between choosing a PIN and getting a generated one, Equifax just gave me a PIN, and for TransUnion I had to choose the PIN (shorter than for the other reports) myself.


How do you freeze them online?


Come on, that's really not hard to find out for yourself. But here are the links anyway:

https://www.freeze.equifax.com/ https://freeze.transunion.com/ https://www.experian.com/freeze/center.html


ugh. even their 10 digit code they provide to unfreeze someone isn't very secure. It's simply todays date plus a 4 digit pin that moves up in the order that someone signs up. For example: 090817xxx1, 090817xxx2. So my wife and I are simply two numbers apart.


Jesus. I think you can provide your own. But yeah, when the user-facing bits are this bad, you know it's nothing but garbage below. I can't believe these companies have so much power.


It worse. It's not even a 4 digit PIN. It's the time in 24-hour format HHMM: https://news.ycombinator.com/item?id=15205579

You and your wife just did it 1 minute apart...


I can't even imagine how something like that can be implemented. Even if you put the most junior developer on this, something so serious should have been reviewed by someone. At least do a quick search on stack overflow or something.


i filled out the experian form online for free:

https://www.experian.com/fraud/center.html#content-01


That's not a credit "freeze". It's just an alert system.


All the confusion in this thread is disturbing. If HN readers can't figure this out, the general public is totally screwed.



https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq... said:

"You'll need to supply your name, address, date of birth, Social Security number and other personal information. Fees vary based on where you live, but commonly range from $5 to $10."

So depending on where you live, you probably have to pay.


Fuck that, Equifax should offer free freezing for anyone affected by their breach. Charging for it is profiting from their own negligence.


Would love to hear a lawyer's take on this.


We all got two comments into this thread and decided literally anything is better than trying to deal with all the crazy legal theories and bullst going on in here.

I've just been skimming search result for lawyer... You're pretty much the only one actually asking for one...


So wait, you only need to provide the very same data that was just breached? So anyone can just freeze anyone else's credit now?

Edit: well, you have to pay with a credit card so it's traceable, so not that bad.


Well depending if you have the answer to the 4-5 security questions , like previous address ,car loan payment amount, or mortgage , stuff that you would only know. I don't know the full scope of the compromise, but someone wanting to use your info would not benefit from freezing it. If you forget your pin I'm expecting them to send it to the mailing address


Even if an attacker doesn't benefit, it's still possible for them to mount a denial-of-service attack. That could be very damaging. Or, they could use the threat of a DoS attack for extortion purposes.


I'm sure paying with a stolen credit card is no problem for somebody willing to steal your identity in the first place...


I thought all 3 were free to freeze but $10 to unfreeze


$10.83 in Texas for Experian

f no I'm not paying them anything


What state do you live in? Credit freeze rules vary from state to state.


I'm wholly ignorant to this but I am very curious. Why would it be like that?


Different state laws mandating different things.

Federal Law allows a fee, some states have passed laws mandating no fee, or no fee to freeze but a fee to unfreeze, etc


Is there a wiki page or government list that describes the rules for each state?



Experian has not accepted phone applications for a security freeze for a while now.


> So why can't I have a mobile app (or three) for free that allows me to easily lock and unlock my file or, better yet, to vet every inquiry and approve it or not?

Indeed. This is now no longer something that would be nice to have; it's the only way the system can possibly work. If a credit agency can no longer verify your identity by asking you questions about your history -- the criminals now have all that information -- there's going to have to be another way.

Sounds like a great YC application! Someone should do it!


PBS also reported that if you sign up for this, you give up your right to go after them if something happens - there's some kind of agreement that you have to go thru some process I forget the name of, in which the company usually wins.

Also, although they offer 1 free year, the problem here (social insurance number, etc) is a lot longer than that, so you'd be paying a recurring amount, wouldn't you?


Specifically indicated on their site:

>2). NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.


Except that isn't binding like the agreement it is contained within.



which state you are in?


Just chiming in to say that I was able to freeze all three online yesterday. No calls needed!


How'd you do this without calls? Did it cost?


I used the handy links here:

http://clark.com/personal-finance-credit/credit-freeze-and-t...

Of course, Equifax just gave me a 500 AND charged my card anyway, so that was nice. The other two worked fine though. Equifax is a steaming pile of garbage.

Edit to mention that I only used burner cards for the payments.


I posted this on another less popular thread about the topic; Equifax stock was down about 14% overnight from yesterday to this morning but held pretty steady today...

"This is not financial advise:

I remember a few commentors on HN recently saying they have made large gains by buying stock of companies after the news of cyber security breaches significantly reduced the share value, then waiting for the dust to settle(reaction-news-cycle to complete) and price to return to similar value after a few months."

Hopefully this time will be different, but I doubt it.


It depends on how well the proposed multi-billion dollar lawsuit goes. It's reasonable that the stock price would include a risk premium.


For NC residents, it's free to freeze your credit files:

http://www.ncdoj.gov/freefreeze


I was able to freeze my credit through on-line forms using instructions here:

https://www.reddit.com/r/personalfinance/wiki/identity_theft

Fees vary by state. I think I paid ~$20 total and not all of them charged me.


Oof. I really don't want to give these incompetent losers my credit card number.


They already have your credit card numbers. Banks report the numbers to them.


I'm amazed these events don't seem to shake the american love for credit cards. Like now you've seen what happens in the extra layers between you and the money, I wish people would go back on the poison pill and maybe switch to debit cards.


Credit cards are great because if someone steals mine and makes fraudulent charges, they're stealing Chase's money, not mine.

(In theory if someone steals money through your debit card you can get it back... in theory. I'd like to avoid ever having to find out how well this works in practice).


For which priviledge Chase charges you something obscene. The process post-theft on a debit card is not as scary as you seem to think it is, but that may be a EU vs US rather than credit vs debit thing.


Chase isn't charging me anything for the privilege. I have two credit cards with them -- one with a $0 fee and the other with a $450 yearly fee (but on which I earn way more than $450 in rewards points a year so it washes out).

They charge interest, but you don't pay any interest if you settle the full balance every month, which I always do.


I'm sure the maths work out at an individual level, but have you considered the effect on pricing being a debit-first society would have?

Most merchants/payment processors include a premium for handling the edge cases that arise from credit-linked misbehaviour. In the same way you sometimes get a cash discount, removing the merchant/provider protections should show up in your wallet as a good (and surprisingly high) surprise.

As I understand it (please correct me), the party who gains for the furtherance of this agenda is the financial service sector who has another opportunity to insert marginal fees and more importantly, a direct access to your transactions without necessarily having the same fiduciary duty or alignement of goals than a bank teller/account manager would have.


Seconded. _Really_ do not want to give them my money, as it they've earned it. This is their screw up.


Credit card number is the last thing you should be worried about.


I use privacy.com for things like this.


Does it affect your credit rating to freeze and unfreeze your credit? I wouldn't be surprised if it does. It's insane to me that looking up your credit rating negatively affects it. WTF is that about?


Freezing/unfreezing does nothing to your credit score. Also, looking up your credit score and pulling a report for personal reasons (read: not a credit line application) will NEVER affect your score. It's what they call a soft credit inquiry, which is not shown on your report when creditors pull it, and won't factor in to credit score calculations. https://www.creditkarma.com/article/hard_inquiries_and_soft_...


It does not affect your credit rating for freezes and unfreezes. And it's a good thing that hard pulls on your credit affect your score, because it's a stop gap for excessively requesting credit. It can also prevent heavy fraud because creditors will often reject potential customers with too many hard pulls.


This is how I feel. https://equifaxbreach2017.com

FYI. That is a satire / parody site and not the real one.


>In the complaint filed in Portland, Ore., federal court, users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.

Doesn't "users" imply that we had a choice in the matter? As if we're Equifax's customers? I feel more like we're victims in this case.


Got an email from my Dad today:

"I checked myself, my wife, you and your brother. To the best of my knowledge none of us have Equifax accounts, but it says they probably got our address & driver's license for all four of us.

I don't want to waste money on LifeLock. What can I do? Just watch my accounts?"

Is Visa, MasterCard, etc. at least partially to blame here for picking a bad solution? My personal ties are not with Equifax, I have no direct means as a consumer to express dissatisfaction. Can I sue Visa? They are they ones (I presume anyway) who did the actual information collection from me, and then it was mishandled.

We need more tools for dealing with data breaches. Things aren't slowing down, and they aren't going to unless something big changes.


Visa and MasterCard don't issue credit cards, don't provide credit, don't have your personal information, and don't provide personal information to credit agencies. They are just the network that connects card issuing banks and merchant acquiring banks to process payments.

Your contract is with your card issuer, who provided your personal information to the credit agencies. But you probably agreed not to sue them as part of your agreement when you asked them to issue you a card.


You should watch your accounts. I use Credit Karma and they will send you alerts and updates for various credit events (account opening/closing, paying off a balance, etc). It's free. Edit: They only monitor TransUnion and Equifax data; not Experian.

If you don't want to pay for LifeLock, which I agree is a bit steep, you can usually get an identity theft protection policy from most major insurances companies. The premiums vary, but are usually a fraction of LifeLock's fees. Just be sure you understand what's covered.

I use both of those and it costs me $25/yr total.

You can check the Fair Credit Reporting Act for more information about various parties' responsibilities in handling your credit information. However, I don't think you'd be able to sue lenders/creditors in this case. They are distinct from the credit reporting agency that seems to be at fault.


> I use Credit Karma

> They only monitor TransUnion and Equifax data

Where do you see that they monitor Equifax data? I only see TransUnion mentioned.


I had a problem signing up for a mobile phone contract a while ago. The mobile company eventually told me that Equifax were supplying them with (my) information which was slightly different from what I was saying about myself, so I called up Equifax. To "fix" things, Equifax wanted me to send a notarised copy of my passport to them (at my expense!)

Of course I told them to get lost and just used another mobile provider, but I learned from this episode that all of these consumer services companies share data both ways with these credit checking agencies.


If you've ever opened a bank account or a line of credit you signed something to the effect that you agreed to let your institution share your data with these agencies.


That doesn't make you a user. It just means the bank gave them your info.


After you made the choice to allow them to.


Agreed to it under compulsion. It isn't feasible to go without a banking account / credit union account. Modern society relies on these accounts. And all of these accounts have these reporting measures in their legalese. There is no option to not agree to it.


> Agreed to it under compulsion. It isn't feasible to go without a banking account / credit union account. Modern society relies on these accounts.

A) A credit account is not the same thing as a checking account or credit union account

B) Plenty of people, even in the US, operate without any of these things. It's not fun, but it's absolutely possible.


> Plenty of people, even in the US, operate without any of these things

After my company crashed, my wife divorced me and then I got cancer -- things were pretty grim on my credit-worthiness story. Net-net: I went without a bank-account for a few years and learned to live with pre-paid phones, money-orders, cashing checks at pawn-shops and pre-paid debit cards, and (for medical and other reasons - not able to drive. Good news: I saved on car insurance, gas and parking). All-in-all ... not a lot of fun (it's very expensive and time-consuming to be poor in America!).

But! As you say: it is do-able.


A choice made under duress of not having access to a bank account or credit (which makes someone a de-facto persona non grata in the modern world).

Monopolies aren't choices, and monopolies on essential services are coercive by definition.


Equifax isn't a monopoly. There are 3 major credit reporting agencies in stiff competition with each other. No doubt executives at TransUnion and Experian are cackling with glee at Equifax's stumble.


The non-negotiable choice between allowing them to and being denied service entirely.


It doesn't seem crazy to me that if you ask for someone to loan you money they only do it under the condition that you agree to participate in a system that helps them track your creditworthiness.


It does make sense for lenders to cartelize and force each other to report the creditworthiness-affecting information about their borrowers to one another.

It doesn't make much sense for borrowers, though. But since, by definition, the lenders have the money and the borrowers do not, the borrowers have no real ability to negotiate when lenders get together and do things like that.

But borrowers can vote just as much as lenders can, which is why such behavior is governed by law. So let's not pretend that borrowers somehow agreed to this system in any way. It was forced upon them, and the best they could do about it is pass laws to ensure that lenders at least had to be accurate when reporting, and had to respond reasonably to disputes. Since lenders can lobby and vote, too, borrowers were not able to mandate that the lenders would have much in the way of legal liability when they inevitably get lazy, screw up, and cause real damages to real people.

The law isn't fair; it's just the best compromise that adversarial parties with differing amounts of money, power, and motivation could reach a threshold level of agreement on. It just so happens that a savvy and motivated borrower can completely whitewash their own credit reports for the cost of a few stamps, and maybe some small claims suits, while an ignorant borrower, or one who lacks the time and energy to ride herd on the CRAs, can get completely screwed. It's a numbers game, and the lenders and CRAs can make more money from the latter category than they lose from the former.


One thing I'm not sure about is how this breaks down as to people who paid Equifax or signed up for some service through them compared with people who involuntarily had their credit tracked through Equifax.


I was wondering about this too. Like, I never signed up for them, but apparently their site says I might have been affected. CreditKarma or other credit score companies apparently share user data to these agencies.

Their announcement says social security, addresses and names have been stolen, this is really worse, this data is enough to do ton of things.


CreditKarma doesn't give info to Equifax, it gets info from Equifax.

The credit agencies (of which equifax is one of 3) get their info from credit card companies and other financial institutions. If you've ever signed up for a credit card or gotten a mortgage or car loan the information from that transaction was sent to the credit reporting agencies. That's how they get data to make their determination of how credit worthy you are.


This is why data protection laws are needed. Data about a person needs to belong to the person. This would prevent these large collections without consent.


Yeah, I would think so. So far, we've learned that they've exposed virtually everyone's data through their incompetence (thus exposing nearly every adult in the US to a high risk of identity fraud), sold stock to avoid personal financial losses before the news broke, and set up a scam site to trick people into giving up their right to sue.

If this isn't criminal, then nothing is. If someone doesn't go to jail over this, why the hell shouldn't I just go out and commit fraud on a daily basis myself? It seems to be rewarded in our society...


>> why the hell shouldn't I just go out and commit fraud on a daily basis myself?

Because corporations are protected, individuals are not. This is what happens when business(profit) takes precedence over human rights.

There will be no repercussions for those responsible. No changes will be implemented. At best we'll get a public apology, but even that seems far-fetched.


Should a sound approach, then, not be, to incorporate one-self at birth?

What if A Person were to be born into a corporation and all transactions made by thhem be the corporations actions - if things go south, dissolve the company.

(clearly this is simplistic, but you get the idea)

I want to re-form myself into one of these corporations which has little retribution for actions. I shall pledge 10% of SamStave INC LLC to any attorney on the ~~~prowl~~~ case...


This is extremely difficult for a single person to do without piercing the veil.

https://en.m.wikipedia.org/wiki/Piercing_the_corporate_veil


Indeed, this seems only logical. I honestly have this thought every time I make a large financial decision: Renting a house? Would be much easier to break the lease (Should I ever need to) if my surrogate 'corporation' with few assets were the leasee. Ditto with many medical situations/other large expenses. Plus, much better tax deductions!


> Would be much easier to break the lease (Should I ever need to) if my surrogate 'corporation' with few assets were the leasee

You'll risk losing the assets. If the assets aren't substantial, it's unlikely any landlord will sign the lease with the entity without someone guaranteeing it.


Well, this is why most people (including myself) put rental property under an LLC. I wouldn't let a tenant sign the lease as a corporation unless they were a legit corporation - you know, companies rent houses all the time for executives that relocate, etc. If the tenant breaks the lease, I'd sue the company and their assets.

Real world example: I did a summer internship one year and the company rented a few houses for the interns. Myself and 2 college guys were in one. Landlord claimed damage on the air conditioner because it iced over due to not changing the filter...ended up getting money from the company.


a one person corporation isn't going to work. you'll need multiple people to serve as officers.

that said, the strategy you describe is perhaps workable as a small, close-knit group of reciprocally trustworthy people who leave a sequence of bankrupt corporations in their wake.

it could be a sort of financial lobster: a ring-of-trust which occasionally sheds its corporate shell and then immediately grows a new one.


Consider "service" companies and asset sales. The company name/etc can be valued pretty low and sold to another organization while leaving all the unrealized liabilities in a company without any assets to pay for lawsuits...

This seems pretty common with high value items (say pools/AC units/solar installers/etc) providing long warranties. 5 years in, the warranty is worthless because the original company is gone.


I am still unsure as to how any of the credit bureaus exist legally at all, I never consented to having all my eggs in those three vulnerable baskets. Why is this my problem all of a sudden?

I get that consumer protections in the US are not very strong, but this just seems like a shady cartel in cahoots with the banks/insurance companies. Please tell me I'm grossly misunderstanding something here.


It's a historical fluke. Credit bureaus trace back to agencies that compiled third-party reports on the creditworthiness of business persons. So long as the information collected is accurate (and not defamatory), this type of activity is protected under the first amendment.

See the first segment of this episode of the Backstory podcast for a retelling of how these early agencies worked: http://backstoryradio.org/shows/keeping-tabs-2016/


But then what happens if that information becomes inaccurate? (if your credit report shows credit events that aren't yours as a result of a fraud). Doesn't it become a form of defamation?


John oliver made a segment about this on how a person was denied a rental contract because one of these agencies said he was a terrorist.

Like really, equifax saying "his score is pretty good, but he IS a terrorist". Sometimes correcting those things take months.


It's ridiculous, but no property management company wants to risk a fine when the cost of checking the OFAC SDN list is so small. I'm not sure if we ever saw a decline due to the OFAC list, so I could easily see it would take a long time for something that unusual to be straightened out.


> I never consented to having all my eggs in those three vulnerable baskets

Your information does not just magically make it into the database of a credit bureau. It gets there via public record or because you allowed a creditor to report it to them. You are more than welcome to find a creditor that does not ask for or report to credit bureaus.

Not trying to justify the existence of credit bureaus but let's not kid ourselves. They aren't sending spies to your house or tapping your phone lines to get this info. You personally authorize a large amount of it.


Crass incompetence at securing IT systems is not a criminal offense, no one is going to go to jail for that. But insider dealing is a criminal offense with a potentially heavy jail penalty.


>why the hell shouldn't I just go out and commit fraud on a daily basis myself?

Because you don't have enough wealth to be immune to the legal system.


Yeah, if this didn't light a fire under some butts, nothing will. Remains to be seen whether it is just lip service, though. Our government doesn't like to prosecute people in the financial sector anymore.


I hope their executives get criminal charges. Credit Reporting Agency has a huge responsibility to keep this data safe. Lets charge with their CISO...you know, the one that graduated with a degree in music composition and just recently took down her LinkedIn profile.

https://www.boardroominsiders.com/executive-profiles/1006308...


It is presented like a scam site, but without compelling users to agree to terms and conditions the site doesn't pass the basic contract law requirement of establishing a clear, unambiguous pathway to assent by a consumer to the terms.


Is it time for a Federal Department of Verifying Whether People Are Who They Say They Are?

Veryifying identity with SSN is broken. The right way is probably more or less how big webapps do it - MFA + a password that the user can reset by providing a bunch of info. The government has the necessary private info to do this in most cases (e.g. DL# plus your income from last year's taxes), and can fall back to "Show up at a police station/DMV/other office and talk to a human" in disputed cases.

I'm sure there are lots of private corporations that would love to be the One True Arbiter of who's who, but none of us would trust them, or want to pay the price. An open source solution (something like Keybase?) seems possible, but not without government backing.


USPS is a good contender for identity validation, too.


This is actually how it's done in New Zealand. We have something called realme https://www.realme.govt.nz/, which is made by New Zealand Post (our government post service, with the benefit of offices all over the country to do the initial ID verification for account setup) and the Department of Internal Affairs (they do things like births, deaths, marriages, passports, and citizenship, so they're used to dealing with identity)

It's an awesome system that the US would be lucky to have. I say this as a dual citizen of both countries.


I'm a kiwi citizen too, and for some reason I thought you had to renounce your NZ citizenship to receive a US one; kind of neat to hear the opposite!


The parent poster might have dual citizenship by birth, which would be a different case than starting with only NZ citizenship and acquiring US citizenship later (or vice-versa).


Dual Citizenship in the US isn't explicitly allowed, but it's not disallowed either and in practice isn't an issue. [1].

1- http://immigration.findlaw.com/citizenship/dual-citizenship....


I would not trust USPS with anything. I came by to pick up my mail and they gave me someone else's mail - a stack of 40 some letters / documents - all sorts of sensitive stuff that I could in theory open up and steal that person's identity.

Please, think before you say USPS... this agency is broken as hell. The last thing we want to do is trust our identities to them.


This is actually brilliant considering USPS can process passports and does banking light services (money orders).


USPS is no longer really part of the federal government.


How so? It is one of the very few constitutionally enumerated functions of the federal government, and I don't remember it being privatized?


Yes it is, 100%.


Well . . . 85.7% (6/7). On Sundays, it's Amazon's: https://www.bloomberg.com/news/articles/2015-07-30/it-s-amaz...


No, it absolutely is not, it's a government entity but an independent one like dozens of other agencies.


“independent” agencies are actually part of the executive branch.


Yes, which is part of the government, as I mentioned. The important point was that it was gov't and not private as several people were claiming.


I love that I got downvotes for this. People are mad about the post office.


They should downvote it, it's entirely inaccurate. https://en.wikipedia.org/wiki/United_States_Postal_Service#G...


The USPS is often mistaken for a government-owned corporation (e.g., Amtrak) because it operates much like a business. It is, however, an "establishment of the executive branch of the Government of the United States", (39 U.S.C. § 201) as it is controlled by Presidential appointees and the Postmaster General. As a government agency, it has many special privileges, including sovereign immunity, eminent domain powers, powers to negotiate postal treaties with foreign nations, and an exclusive legal right to deliver first-class and third-class mail. Indeed, in 2004, the U.S. Supreme Court ruled in a unanimous decision that the USPS was not a government-owned corporation, and therefore could not be sued under the Sherman Antitrust Act.[90]


My mistake, I misread you as stating it's 100% not government anymore. My bad!


Thank you for correcting me.


Won't work. Once companies start gathering private data stored in this DB, it can be compromised and government isn't that great at securing data either. MFA would required everyone having a smart phone or RSA key fobs. SMS/Phone based authentication isn't secure.

Only real way to get true identity system is biometrics(Fingerprints,DNA, or Iris) taken at birth. But that will never happen for privacy reasons.


Biometric has its own problems. What's a fingerprint but a password you can't change?

Any secret can be stolen, bio or otherwise. The key to robust ongoing identity is not a better shared secret, it's a better way of recovering from theft of shared secrets. One way is to have a big trove of non-secret-but-not-public data, like prevous addresses and employers (which is how the credit bureaus sometimes authenticate people). Who has more such info to draw from than the government? Another is to use shared info that goes stale quickly, e.g. "What magazine did you get in the mail yesterday?" Again, the government, by virtue of being the government, already has candidate info to draw from.

And what if all else fails, if some super-hacker has stolen or has ongoing access to every single piece of digital information that could be used to authenticate you? If you're a startup or a corporation or an open source project, you throw up your hands. If you're the government, you say "Please visit your nearest police department and bring your photo ID and some utility bills."

The more I think about it, the more I'm convinced that this is the only good solution. Like someone else in this thread said, Identity is hard. There's no silver bullet to make it a tractable problem, but you can throw enormous resources at it. And in the government's case, the most costly part (building a brick-and-mortar office in every city, town, village and hamlet in America and staffing it with humans) has already been paid.


Some people are born without fingerprints. Would make it a crappy method for them


What you explained is what global entry, tsa precheck, and nexus programs are.


...except that TSA Precheck doesn't host an OAuth server that my bank can use in lieu of their dumbshit "street you grew up on" nonsense.

But yes, I agree, it's a good point that the government already does this (ditto for lost birth certificates, etc) and this would just be tying the federal identity that they work so hard to verify to a digital one.


> dumbshit "street you grew up on" nonsense.

I call these what they are: Insecurity questions.

I have also taken to writing completely unguessable nonsense as the answers and recording them in my password manager.


> ...except that TSA Precheck doesn't host an OAuth server that my bank can use in lieu of their dumbshit "street you grew up on" nonsense.

Precheck/Global Entry give you a known flyer/traveler number, which combined with your personal information, authenticates your identity between your travel provider and the government.


That's also problematic. If I can capture your data, then I can supply that data at a later point. Even if there are "secure" endpoints that collect that data for verification; I'd just need to compromise one of those.

Identity is hard.


Biometric national identification is used in many countries, with India's Aadhaar system being the best example. Those systems are mostly used in developing countries that are leapfrogging their financial technology past the legacy systems that the 1st-world powers developed in the 20th century. 'Privacy reasons' is an American cultural anomaly, especially considering the lack of privacy we suffer from the system used by companies like Equifax.


> 'Privacy reasons' is an American cultural anomaly

You can't say that immediately after citing Aadhaar as the "best example" of biometric national identification. There has been massive pushback against Aadhaar for privacy reasons specifically, which just resulted in the Supreme Court declaring privacy to be a fundamental right - something which, incidentally, goes far beyond the approach to privacy taken in the US and Europe.


The whole point would be to move off of shared secrets, so data breached from one company's DB wouldn't be usable to impersonate the victims elsewhere. The idea is to abandon the idea that any data (which ever leaves the consumers's hands) is private or needs to be protected to prevent ID theft.

We have the technology, i.e. certificates, signatures, smart cards, identity federation like SAML.


SSN is an identifier (username), not a verifier (password). Don't deal with anyone using a small number you can't change as an identity verifier.

We got govt + all banks on board with a national digital id. Basically all systems that were considered safe enough such as the major banks online systems (with advanced 2fa) are allowed to issue digital IDs that can be used as logins to all authorities and any other place that needs verified id.

This system probably paid for itself in a hurry.


  Is it time for a Federal Department of Verifying
  Whether People Are Who They Say They Are?
After the colossal theft of employee information from the Office of Personnel Management, I have no faith that the feds would be able to keep the information secure.


I'm not excited about this class action; If they win, the individual payout will be almost nothing ($10?). The lawyers are the only ones who will really "make out" with 10's of millions in fees.

There is also a disproportionate effect in that a small portion of the 143 million affected will have a large impact, i.e., "identity theft" while most will be unaffected.

I think a fund setup to help those who are directly affected is a better idea. This could be done through government action where penalty proceeds are turned into a fund. In other worse, similar to the BP oil spill in the gulf where the fund helped those who lose income or suffered property damage.


IMO, the best outcome would be to put Equifax out of business. I have had my identity stolen and they were complicit in enabling the fraud against me. Once you tell them you're NPI has been compromised, they get incredibly passive aggressive against you and refuse to allow you to manage the situation (i.e. they won't let you unlock your credit to apply for a mortgage).

In short, this breach of public "trust" is only the smoking gun that proves how horrible Equifax is. But, they have a long history of being a parasitic organization that will hopefully die soon.


> they won't let you unlock your credit to apply for a mortgage

So how do you recover from something like that? Are you basically prevented from using credit for the rest of your life?


There are legal limits to how long the data can be stored for. (I want to say it's a federal 7 year limit, but I might be wrong and it might be state laws). Eventually it all times out and your credit resets.


That's not the issue. They are required to immediately remove incorrect information from your credit report. A freeze prevents them from reporting your credit to third parties (i.e. it prevents them from doing business). So, they hate people who freeze their credit. Their strategy seems to be to make having a credit freeze so onerous that you won't do it so they can continue to sell your information to their customers.


For many years I could not get a new credit card, overdraft protection on a checking account or a mortgage. I finally was able to completely remove the freeze so that I could secure a mortgage.


I'm not so sure about that, the data they have just gets resold to some other party when they go bankrupt, possibly many other parties and shit gets worse.


Is there any legal way to stop sales like that? If it were shown that Equifax were negligent in protecting the data on their systems, could a court demand that they remove all of the data to mitigate further harm?


There are already 3 main credit bureaus who have all of your data. It's not about the data it's about how unethical they are in preventing you from controlling the data.

Think about it: if every person in america put a freeze on their credit, all of these companies would go out of business because they would no longer have a product to sell. It gets even worse if you're a victim of identity theft because they cannot charge victims of identity theft to freeze or un-freeze a credit report.


C'mon we live in the real world here. What makes you think Equifax will be put out of business? I agree, the scumbags should be put down like a suffering animal but that will never happen.


I don't really care where the money goes. I think that having one catastrophic event (huge lawsuits or fines leading to bankruptcy) for a corporate entity because of negligent security measures may lead other board rooms to move security measures up their priority list.


I don't think that would matter either. Executives will get golden parachutes and/or get jobs elsewhere doing same thing.

I think only solution is criminal charges/jail time against higher ups who prioritized profits over security.


It may cause security to get tightened to prevent these types of incidents, but I doubt that it will improve security culture. Going forward, we would theoretically be protected from a breach of this type in other companies, but proper security is a continually moving target. New methods exploits are discovered all the time. That's what I'm worried about - are they going to be proactive in securely protecting information against future threats, or will they just check a few boxes to continue with business as usual?


Business as usual, and you know it.


Could lead to actual legislation which IMO is needed. If companies like this fail miserably to protect data it's a sign something bigger is needed and missing. It's like the how Aurthur Andersen represented how accounting firms should not act, and failed miserably.


yes a case of "Pour encourjay lays ortras." as the late Terry Prachet puts it


> I'm not excited about this class action; If they win, the individual payout will be almost nothing ($10?). The lawyers are the only ones who will really "make out" with 10's of millions in fees.

Equifax needs to feel pain so they behave better in the future. Their executives need to be taught that they need to invest in security or it will affect their balance sheet. That will happen even if the payout to individuals is small, just as long as it costs Equifax a lot.


I think this comment is missing the fact that Equifax will be financially punished as a result, possibly resulting in better systemic security overall.


I don't think this logically follows. More likely, Equifax will settle out of court for a much smaller sum. At that point there's now a literal dollar amount associated with a data breach. Perhaps some math will be done, proving out that there would need to be "N" number of breaches before the cost of settling out-of-court for the breaches would be more expensive then materially changing the way they manage data. And "N" number of breaches, that's just so unlikely.

At that point it would be fiscally irresponsible to properly secure this data. They would owe it to their shareholders to continue with their shoddy security and data management procedures.


I would guess they've already done this calculation. Similarly, due to externalities, the cost (to banks) of credit card and similar fraud is small compared to the expense of preventing it.


Don't disagree just some more thoughts.

The risk to the greatest number of people is the increase in interest rates if the lenders do not have the same level of trust in the credit reporting companies.

1% over 30 years is a lot.

Secondly, just taking preventative measures for say 10 years of credit monitoring, from not the company that leaked your data, would cost 15x12x10 $1800.


I think a fund is a good idea, but how do you verify that the people claiming from the fund are the people who were affected? :)

Keeping my identity/online data safe just seems so hopeless that I don't think about it anymore.


I mean, as long as Equifax is hammered with damages, I'm happy.


It's a sign of how awful Equifax is that I find myself rooting for the lawfirms in this case. I really hope they win, and that they get the full $70 billion, and that it's enough to shutter Equifax permanently. What a win that would be! Also it would serve as a nice cautionary tale to companies that infosec matters. That insurance for data breaches matters.

Because right now, it's too easy for them to not care. It's us that suffer the consequences, not them. That has to change.


Yes, what a win it would be to simply transfer ownership of Equifax from one party to another in the event of bankruptcy. The business itself would continue and nothing would change.


Investors would get wiped out and many people canned. The signalling value is massive.


If you wipe out the investors, they will start demanding security before investing in a company. And, if you wipe out the stock, you also wipe out big chunks of the compensation of the CEO, CFO, CTO, etc.

Until this starts hitting important people in the wallet, nothing will change.


It's time for this draconian type of business service be disrupted. It's gotten too big and unregulated.

We often question monopolistic behavior with regard to market share and competition for physical goods. However we don't see this type of questioning with regard to data monopolies. Hate to say it that while I enjoy the use of Google and Facebook, they may also fall into this arena. Though with those companies at least an order of magnitude worth of effort MORE is expended on some form of heightened security, communication, and standards primary thru tertiary of their core offering.


Equifax isn't a monopoly. There are four major credit bureaus in the US. At best that's an oligopoly, but all that realistically does in this situation is provide more points of security failure.


To be honest, I feel bad for the engineering team at Equifax. The vulnerability that compromised their system was a bug in an open-source Java library, Apache Struts, and security researchers only noticed it a few days ago. It seems that the Equifax team had very little time to react and update their software. In some sense, I feel that more blame should be placed on the engineers who built the highly popular open-source software, not the Equifax team. Some large number of Fortune 100 companies also experienced the same vulnerability simply because they trusted a widely used library.

Makes me wary of trusting other big OS libraries, but since rebuilding every part of the stack from scratch is infeasible and unproductive, we don't have much choice but to use them.

Technical announcement:

Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805):

https://lgtm.com/blog/apache_struts_CVE-2017-9805_announceme...


There is some debate as to which Struts exploit was used. If it was the one from Sept, 2017 then you make a valid argument. However, if the exploit used was years old then the fault clearly lies on Equifax for not keeping their servers up to date.

Also, didn't the Equifax breach happen in May, 2017? If so, I fail to see how the Sept, 2017 exploit plays into this unless it was in the wild months before it was published in Sept, 2017 - which I find hard to believe.


> In some sense, I feel that more blame should be placed on the engineers who built the highly popular open-source software, not the Equifax team.

I completely disagree. It is open-source for a reason. If you find a bug in it, fix it and everybody wins. Otherwise, nobody would ever publish any code/software because you would get sued if you did any mistake. On top of that, the software is free. So you basically want to blame some group which gave you something for free which you used to make big money and expect to also sue them for consequences if they made a mistake.

I also feel bad for the engineering team at Equifax. But on the other hand, you have to take into account that any software you employ could have a security flaw in it. That is why you should have additional means to protect it and no single point of failure. And this is especially true if your whole business depends on that data!

edit: spell check


But why were 143 million records of personal consumer information stored in a way that they could be accessed via a vulnerability in a web server in the first place?

I would have expected this type of data to be stored in such a way that even if someone got access to one of their web/application servers they wouldn't be able to dump 143 million records from it without serious red flags going off.


I would have expected the data to be encrypted at rest. I am not sure why that was not the case.


It doesnt help if that data is being accessed all the time by applications. You just have to break into one application in order to exfil the data or to get the decryption method along with the encrypted data.

'Encryption at rest' only works for data that is not actively used, like backups or if a physical storage device is stolen.

A better additional safeguard is to have quotas and alarms in place for data access. Is data being accessed sequentially in a application environment where data is usually accessed randomly? Is data access bound to individual credentials and do indivudals access more data than usual?

I think, there is actually potential for new database products or addons, which can reduce the impact of breaches in the vicinity of these 'core databases'.


To sum up your link, the vulnerability is the use of an unsafe deserialization similar to:

    ObjectInputStream ois = new ObjectInputStream(input);
    MyObject obj = (MyObject)ois.readObject();
https://lgtm.com/blog/finding_unsafe_deserialization_with_ql


so writing your own software is "unproductive" but you also want to put the blame onto the people who made a framework available?... do you want open source to go away? or do you think that companies that protect such valuable information should be spending more on security assurances?


Consider the possibility that the hackers were agents of a sovereign power, such as one who has been hurt by economic sanctions and has a history of cyber warfare. This state could decide to respond to US economic aggression by using the compromised information of hundreds of millions of Americans to engage in fraudulent activity.

This event is leading me to about how social security numbers can no longer serve the role that they have with establishing trust in identity, although they can continue to be used to uniquely identify a US citizen. This hack may push markets, and government, to widely adopt biometrics and other sensitive, personally identifiable information.

What won't happen, unfortunately, is the political will to regulate how uniquely identifiable personal information is managed and stored.

Suppose that rather than Equifax, Facebook were hacked. What kind of intelligence and reports does Facebook have on people that would eclipse that of social security numbers and credit history?


That was the threat when the OPM got hacked a few years back -- anyone who ever had a background investigation done for a federal job now had their background info in some russian or chinese database dump. With that level of detail, you could start blackmailing some Lockheed or Raytheon employees until they leak some stealth fighter radar secrets to make the monthly false homeloan headaches go away.

I don't think the next world war will be fought with nukes, it will be an economic fight. Leak a few corporate secrets [1] to stall the economy, use the OPM dump and this Equifax dump to originate enough false loans to seize up the financial sector, then cause havok across the electrical grid [2] like you did during the annexation of Crimea just to make sure they stay down.

We've been blind to the other half of the threat of centralized information repositories... the 1984 Big Brother scenario assumes the holder of the information wants to control the citizens, but we never considered the information might have leaked to an actor who wants to destroy the citizens.

[1]: https://en.wikipedia.org/wiki/Sony_Pictures_hack [2]: https://www.wired.com/story/hackers-gain-switch-flipping-acc...


Welcome to WWIII, now in progress. The Russians are kicking our teeth in: they managed to trick us into electing Donald Trump as President...


Undoubtedly Equifax will claim that the hackers were agents of a sovereign power, to escape liability. Regardless, they admitted on their own web page that there was a flaw in their web application.

Biometrics would be a terrible idea. Mass surveillance, anyone?


> Biometrics would be a terrible idea. Mass surveillance, anyone?

What if the biometrics were stored on something you have - say a smartcard (definitely not a phone!)? Along with a PIN. Plus, these two items went into a "write only" store on the card (actually, a hashed value of both are stored).

You have a card reader (one at home - and any place you are doing a transaction to confirm identity also has one). You put in your card. Type your PIN. Present your (physical) biometric.

The reader takes the data, passes it to the card (or maybe the card has the reader and pin pad?). The card runs the hashing again, and compares the values. If all is good, it outputs a "Yes" otherwise a "No".

Remember, only the card holds the data (a hashed version) of the biometric and the PIN. That can only be written (you can do this with your terminal at home?). The only output the card has is that "yes/no" value.

All transactions of such nature would be done with this card.

I'm probably missing some steps or such - but the idea is there. That gives a 3-factor authentication system.

Don't expect it to ever be implemented.


I was not aware the citizenship of the hackers had any bearing on Equifax's liability in this case.


If it's a foreign government it's considered and "act of god", (I.e. Something out of their control) which releases a lot of liability.


to me if you store passwords in plaintext, it is criminal negligence even if God himself did the hack


Force Majeure


So everybody has been talking about "freezing" your Equifax account for a little bit of protection... Well it turns out the Equifax security freeze PIN (which is all the "secret" info an attacker needs to unfreeze it) is just the date & time: MMDDYYHHMM! https://mobile.twitter.com/webster/status/906346071210778625


If this is true (and it looks like it is), this is absolutely insane. For me this puts Equifax into beyond negligent territory.


But would not an attacker then have to know the exact minute that you froze your account on? If you have only a few tries to unlock your account - how would attacker possibly guess it?


525,600 possible pins for a whole year is staggeringly tiny.

1440 tries max if you know the day. 720 if you know if it was day or night. Botnet and/or proxies can do the rest


Has anyone notified them of this bafoonery?


My hope is that this opens a larger discussion on the business practices of these credit bureaus, the kind of data they collect, and ultimately their harm to the public good.

As far as I'm concerned, they stole my data first, then they packaged it up neatly and gave it to shady persons.

Yes, I'm aware that I "consented" to their collection of my data when I signed up for a credit card, or a car loan, but it's not a system you can realistically opt out of. If I want to rent an apartment or, sometimes, even get a job, I need to consent to a credit pull, so I need to have a positive credit history.

So, we have a private sector monopoly that I am coerced to give my data to, for free, to function in society. Seems like a good business to be in, but as an outsider I'd like to see something drastic happen. Perhaps nationalization, or breaking up of the big three with deep regulation.

*edited to add omitted "three" in last sentence.


Nationalization of credit agencies - or even regulation governing exactly how credit scores are computed, and making that information transparent to the public - would be a huge step forward. Credit-determining algorithms are presently a black box to the public.


Is it not possible to write to our legislative representatives about this about how we think?


You can absolutely write them, you just might find you have a hard time making them care over the sound of campaign donations from the credit oligopoly.


I call my both my senators and my congressional representative almost daily. It's important to do, I think more people need to be active in that sense.


I have said for years this credit controlling triopoly needs to be shut down and replace with something less disgusting. Ever tried to fix a mistake they made in your credit report? You may as well be dealing with the Spanish Inquisition. There is no penalty for Cxx's who perpetuate inept security to make more money so security is always job #99. These folks seem to have cornered the market on ineptness. I doubt any lawsuit will make them do anything different.


Organizations at the hazy nexus of the public-private spheres (e.g. public benefits corporations, regional transit authorities, FINRA, health insurance companies) appear to be endlessly prone to "disgusting" fallout like this, no?


It's always seemed odd to me that Experian and Equifax have the upside of being both arbitrarily in charge of so much data and wield ridiculous power, and yet somehow they're still largely independent and profit making.

I'll watch the outcome of this breach with interest. It strikes me that at the very least credit rating agencies should be non-profit and very closely monitored by government. This will include ensuring security best practice is followed.

As others have rightly pointed out, they even have the audacity to call us customers. Like somehow we turned 18 and signed up for their service. I certainly didn't, and it annoys me that a company whom I have no control over can make or break my credit history.


> It strikes me that at the very least credit rating agencies should be non-profit and very closely monitored by government. This will include ensuring security best practice is followed.

Tell that to people riding their free class-action credit monitoring from when their OPM background investigation records got leaked to the russians or chinese thanks to the government's "security best practices".


You're what's called a "consumer", as in "Consumer Financial Protection Bureau". You're only a "customer" of Equifax if you purchase one of their products.

The CRAs don't make or break your credit history, that's the businesses that supply information to them. The CRAs are aggregators, and just report what their members tell them.


Credit algorithms, specifically your FICO score, are not transparent. There is no reason beyond the naive assumption of good faith on the part of these companies to believe that they don't make or break at least your credit SCORE.


I don't think you're even a consumer.

You are the product.

The sell this "information" (your identity and more) between businesses looking to establish whether to give you credit or whatnot.


> It strikes me that at the very least credit rating agencies should be non-profit and very closely monitored by government.

Personal data should be treated with the same care as nuclear fuel. Very very strict conditions.


The US has an adult population(who would hence have credit profiles) of 245 million people. At 143 million, this breach affects more than half of the adult population. Given this, the majority of credit rating systems of the US has been compromised. Isn't this enough that the whole "social security number as a master key" system has to be dismantled? How can it be trusted now?

There is no way to opt out of having your data collected and sold by Equifax, Experian, TransUnion. The power these companies have over US citizens is incredible.

Anyone that's ever tried to remove incorrect data on their credit report knows how painful it is to deal with these companies. Despite dealing and brokering in electronic data to buyers of your credit profile, your interactions with them as a consumer can only occur via paper mail and mailing letters which means weeks or even months for basic communication. They operate like thugs. I hope this is the end of them and by extension the other two agencies as well.


I don't think the SSN can be trusted as a key. They should be considered public data now. There's no going back.


Coordinating the response here is the key part here, but "massive number of suits in small-claims court" is probably better for threatening Equifax with an existential legal threat.

Equifax employs about 10,000 people worldwide. A million small-claims cases has each Equifax employee handling 100 small-claims cases. I don't think they can handle that level of distributed legal aggression. It just takes too much time by too many people, especially if people refuse to settle for anything less than $1000.

Probably the best way to crowdsource it is to go through the process yourself, write a step-by-step guide to what you did, and post the results on social media.


Does anyone know of a sort of recipe book for how to file a small claims court case in this sort of matter? I'm interested in this avenue but I don't want to spend a lot of time figuring out how to do it or potentially screw up some little thing that renders the whole effort futile. It seems like the argument might be slightly more subtle than a case of, say, theft or fraud. It's negligence.



The super fucked up part is that it automatically signs you up for their "Credit protection" if you use their site to see if you were impacted. Doesn't ask if you'd like to, just says "Thanks for signing up, your year starts now!"


Actually, since I'm affected, I got a different message. It's even worse.

They gave me a date in September that I have to remember to come back and sign up for. It's the equivalent of grabbing a ticket in the deli line.

Look at this text: "Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process".

That's enraging. You tell me I'm affected and now I have to come back at some date/time and sign up? At least it has given me the time to read all the comments about waiving class action participation.


How can they justify that? This is 2017. It is stupid easy for them to send out reminders, once a day if need be.

At what point do we finally tell abusive companies like this that they're no longer allowed to be a company?


I got the same message, but nowhere did I read "you have been affected". Is this just implied?

I cancelled my Equifax credit watch account about 5 months ago, when they decided to raise rates.

Never have I hoped so much for a business to be sued out of existence. And hopefully their inside traders will get jail time (yeah, right).


It wasn't implied for me. I put in my SSID (6 digits) and last name. It then told me:

" Based on the information provided, we believe that your personal information may have been impacted by this incident."

It then had some button, I forgot what the button said. This led to the screen about "save the date" for protection.


I got the same message plus "Click the button below to continue your enrollment in TrustedID Premier." The button said "Enroll" so I stopped there.


When I entered my info I got a message saying they do not think I'd been affected by the hack. So if you get a different message, its probably safe to assume you're affected.


Same situation, same experience, same level of outrage. Sign me up for the class.


Even worse, you agree to arbitration in case of disputes waiving your rights to sue..not sure if even enforceable.

You can check if you're impacted then just not proceed to click "enroll" and be able to check without auto-enrolling and agreeing to their 1yr protection + arbitration agreement.


Nah it's OK, I'll just claim that someone got my SIN number and must have used it to access the site...wasn't me - I swear!

There is now plausible deniability for so many things.


From my reading of ToS it also apparently waives your right to be a part of a class action lawsuit against Equifax...


Apparently now they're saying that only applies to the monitoring service, and not to the breach itself. It was on Consumerist (https://consumerist.com/2017/09/08/equifax-already-being-sue...).


> From my reading of ToS it also apparently waives your right to be a part of a class action lawsuit against Equifax...

IIRC, there wasn't even a clickthrough and they framed it as "find out if you're affected." How could that be enforceable?


You'll probably get nothing of note anyway from class action given the scale of this breach. If you are truly impacted in some way, you'll be better off in small claims (or a full suit if it devastates you enough.)


This is beyond absurd.


Second bullet on https://www.equifaxsecurity2017.com/enroll/ contradicts the "automatically"?

... Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier.


do the TOS require one to only go through mediation as a part of this, so by signing up you waive your right to sue?


That should be ex-post-facto of the data breach (i.e. they leaked your data before you agreed to the TOS so you waive your rights to sue from that point forward). I'm not a lawyer and I wouldn't agree to this. I checked and I am affected. I'm going to sign up for LifeLock (because it's super expensive) and file a small claim to recoup the cost.

I really hope this puts Equifax out of business.


I'm curious as to wether any lawyers here can chime in on how well this TOS would hold up in court. I know when I went to check I was never shown the TOS or even a checkbox that needed to be checked to confirm that I agreed to the ToS with a link to them. It feels like the ToS are what comes with the ID protection service and were meant to apply only to lawsuits that might arise from using the ID protection service, but IANAL.


Yes, the TOS does require arbitration (including for actions that occurred before signing the TOS), but it's not clear if it applies to just the child company that is providing the credit monitoring service or if it applies to the actions of the parent company, too.

I am not a lawyer.

https://trustedidpremier.com/static/terms


One thing I'm trying to wrestle with is why they would make you agree to arbitration for actions prior to signing TOS if indeed it applies only to the child company. Your relationship with the child company begins when you sign the TOS, no?


Yup


It seems that checking to see if you're affected by the Equifax breach waives your right to sue Equifax:

https://techcrunch.com/2017/09/07/i-called-equifax-to-find-o...

No idea how ironclad such a clause would be,k though.


The Attorney General of NY says it's not:

https://twitter.com/AGSchneiderman/status/906195350532304896


At this point they will tell you if your effected and then offer to enroll you in their complimentary "TrustedID" program. If you choose to enroll, that is when you waive your right to join any class action lawsuit.


This isn't true. Just by entering in your information to check if you're affected, you'll be enrolled automatically if you were indeed affected.

Really scummy behavior.


This is not true. I checked, and it offered me the opportunity to sign up "on or after" a specific date. There is no automatic enrollment.


Sorry, I misspoke a bit there. What I was trying to point out was that

> If you choose to enroll, that is when you waive your right to join any class action lawsuit.

Isn't true. Just by using the site to check, you're waiving your right to participate in a lawsuit, as expressed in the site's Terms of Use linked at the bottom:

http://www.equifax.com/terms/

> THIS PRODUCT AGREEMENT AND TERMS OF USE ("AGREEMENT") CONTAINS THE TERMS AND CONDITIONS UPON WHICH YOU MAY PURCHASE AND USE OUR PRODUCTS THROUGH THE WWW.EQUIFAX.COM, WWW.IDENTITYPROTECTION.COM AND WWW.IDPROTECTION.COM WEBSITES AND ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES ("SITE").

> No Class or Representative Arbitrations. The arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis.

Further detail from an actual lawyer in this comment:

https://news.ycombinator.com/item?id=15203185


Suppose each person affected has to spend an hour protecting themselves from this breach. The cost in wasted time would be 16,313 years.

It's high time to set an example. Equifax should no longer exist as a company. People responsible should end up in jail. Company executives should be held personally liable. Some would claim it is unfair, but the only way to keep this from happening again and again is for those responsible to face serious consequences.


As usual, Bruce Schneier was right.

"Data is a Toxic Asset" https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...


How likely is it that Equifax will face any real trouble from this breach? Will this be one of the first cases where security negligence causes real harm to a company? Or will it turn out to be another slap on the wrist?


Slap on the wrist, guaranteed:

- potentially every one of the 143M people are going to have some sort of trouble

- WORST CASE equifax shuts down, but that doesn't matter. too late.

- if everyone was to win a lawsuit for everything equifax is worth, they'd get maybe $100 minus lawyer fees.

And worse, now we have a financial system dependent on 2 companies. Making a 3rd isn't an easy matter.

::shrug::


EquiFax declares bankruptcy, re-orgs and rebrands.


If the insider dealing allegations are founded, jail time.


143 million people, or essentially every US citizen over 18 (give or take a few million.) It most likely includes Senators, Congressman, Donald Trump etc etc. So, yeah, a lot of people will be inconvenienced and pissed off, ad for a very good reason.


Senators, congressmen and Donald Trump himself all had their data previously leaked at least once before. Nothing changed as a result.


I should hope something happens. This is a monumental fuckup.


It irks me that I can't file a "long term" (7 year) fraud alert unless I can prove with a police report that my identity has already been stolen. It's like giving people a flu shot only if they can prove with a doctors note that they currently have the flu. Hello! We're trying to prevent fraud here!

This whole industry needs to be turned upside down.


That’ll be nice for some lawyers. I’d prefer to see severe civil and/or criminal penalties for the senior management folks who allowed this to happen on their watch. Expect many more breaches of this magnitude until C-levels start to feel the consequences of their negligence.


Anyone have a good source for an unbiased (i.e. not trying to sell me something) "what exactly should I do" now? File for the class action? Freeze my accounts? Get identity protection?


A buddy of mine sent me this reddit thread, I'm reading through it still and don't have much finance/credit knowledge, but it seems legit and unbiased to me so far:

https://www.reddit.com/r/personalfinance/comments/6yv4gb/off...

Would be interested in hearing other opinions on what's being said there, especially regarding using the www.equifaxsecurity2017.com site and legal rights.


Doing a credit freeze is a good idea regardless of the recent events: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


In my state that costs $10/bureau, plus another $10 to temporarily unfreeze or permanently unfreeze. The fact that they can leak my information and then charge me to protect myself just seems wrong.


I just finished filing a complaint with my state's attorney general's office. YMMV, though.


How did you find out if you were affected?


Presumably (s)he holds a US credit card. The stats on this release are such that most adult Americans are more likely affected than not.


Even when there isn't a data breech I don't understand how all big 3 credit agencies survive doing their business as they currently do... which is to expose people to the injury of identify theft by default, and then tell them to pay up if they want a product that protects them from that threat.. How is that not seen as akin to a gangster protection racket?


Credit card companies could provide other businesses such as Equifax distinct mere-reference numbers which the customer doesn't see and which can't be used for purchases - just to absolutely identify which card, for all parties. These could be added to the magnetic stripe or chip in the card, for example. (It might be gilding the Lilly, but many such reference numbers could be used for a given card, re privacy issues or otherwise. But then those numbers couldn't be usefully passed between companies for all purposes.)

There's no need for anyone but the customer and Credit Card company itself to retain the actual credit-obtaining-number (other than to allow future purchases with permission, which is the rarer case, often needs to be prevented not facilitated, and doesn't excuse Equifax having more than a reference number.)

Yet the credit card companies don't do this. Why not? 'Cause humans are idiots, all of us, that's why.

PS - run to the patent office and you might be able to make a ton of money patenting this, since patents are now given to whoever shows up at the patent office with the appropriate fees first. Precedence doesn't matter. You would be implying that you thought the idea up independently, of course, but you're smart, right? That's totally the sort of thing you could think of independently. Then when you're rich, you too can help choose what the patent laws look like, and whether rich people should pay taxes.


I'd love, love, love to finally see a company earnestly held responsible for their negligent security practices but I have no hope. Doubly so with this administration. Equifax getting run into the ground would help a president.


I'd appreciate advice from someone in the know about credit monitoring/repair services. There are so many and little credible information available about their capabilities and performance. If you have experience with this who do you recommend?

I've been caught up in the DOD breech, this Equifax incident and a couple smaller ones. I'm not interested in pinching pennies here; I want good results.


IMHO - credit monitoring has limited utility. While it can help you identify issues more quickly, it's still after the fact. For that reason, I bought the family a Zander Insurance plan. If you get hacked, they handle the fix (including outreach to the credit bureaus) and cover your expenses. This year they also added some credit/identity monitoring features and wallet replacement. I've not yet had to use them, but the service makes a lot of sense to me.

https://www.zanderins.com/idtheft2


Just freeze your credit. It cost a couple dollars, but worth it. It is a hassle to unfreeze sometimes, but worth it.

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


I'd like to know how much influence the consumer credit industry had in pushing through things like the Citizens United decision. Corporations love to be people when they can influence elections and make money off poor folks, but I wonder if they're ready to take the corporate death penalty when they break the law.

A bunch of class action lawsuits might make options like Move to Amend a lot more palatable to corporations facing that kind of scrutiny. It also gives political capital to organizations working to prevent rollbacks on consumer protections implemented after the Great Recession.

If Equifax's reputation hangs on a single hack, then they probably weren't that reputable to begin with. Why should we have to live under decisions that benefit them when they no longer exist, or weren't even who we thought they were?


Good. I hope they get sued into the stone age.

And then, I hope all of the other agencies take note, and start deleting their data.


Nah, they'll just create expendable shell companies to decouple the risk from the profit.


any way to check if we're affected by the hack without putting info into their form? i called them earlier to see if i had an account, but i don't.


I like how people are encouraged to pay $5-10 to each reporting agency to have their file locked. Multiply that by the 140,000,000 people whose data leaked... should generate some nice revenue for all 3 of these companies holding your exploitable personal data hostage.


This is just pure crazy. There should not be any non-govt agencies that store such sensitive information. This is not like credit card where you end up getting a new card. You can't change your name and ssn. I wonder how we will tackle this problem.


> I wonder how we will tackle this problem.

Short answer: We won't.

Nothing is likely to drastically change. It'll just be another blip on this week's news, and on to the next big thing that comes up.

Some individuals, over time, will likely have their lives screwed with, but because not everyone at one time will have this happen to them, nobody will care.

Think about how long the EU and others had chip-and-pin for their cards. Also, everyone knew it was more secure. But it's only been in the past 6 months or so that the United States is finally getting it - and it isn't everywhere yet.

I'm not trying to say chip-and-pin would have helped this situation (it wouldn't have). I'm just trying to convey just what kind of social and political inertia is at hand here in the United States, not to mention the size of our collective apathy, and extremely short attention spans.

Had something like this had happened in the 1970s or 80s - heads would've rolled. 60 Minutes would have been all over it. Dan Rather would have frothed at the mouth. It would have been crazy to the extreme in the media and elsewhere. Change might have even occurred.

Today? We'll be lucky if we're still talking about this in any amount next Friday.


Equifax really needs to die over this, like Arthur Andersen after Enron.

https://en.wikipedia.org/wiki/Arthur_Andersen#Demise


I think suing the organizations who irresponsibly gave our data to such an unsafe organization will be more fruitful. Equifax doesn't have enough money to truly compensate, but JP Morgan, Bank of America, &c do.


Why is there not a criminal case against these idiots? When you are controlling something dangerous and you allow that thing to harm someone else, it's a criminal offense. It's not a matter of whether it's hard. It's simply your responsibility to ensure no one gets hurt.

This company has already caused harm to literally everyone in the US. Minimally, we all now have to take action to attempt to avoid identity theft. And it only gets worse from here.

And these bastards have the chutzpah to wait until hurricane Irma is upon us to make the announcement.


Go to hell Equifax, whoever is in charge of security there should be put into custody before all the litigation.

Multiple steps must be taken for nowadays people to get credit card and debit card or whatever(loans, money transfer,...). Use SSN, name, mother maid name, a few security questions, two-step authentication by default, all passwords must be hashed and salted otherwise it is a crime for the DBA,etc.

Just switched away from 15+-year-yahoo-email after its leakage, now it comes Equifax, which is 1000x more critical, it is so bad.


> Others expressed frustration that three senior executives sold about $1.8 million in stock in the days following the discovery of the hack. A spokeswoman for Equifax said the men “had no knowledge that an intrusion had occurred at the time.”

Wait, what? Isn't this a blatant example of insider trading? Moreover connected to a problem they are responsible for?. Do they seem to be really that stupid or is there a chance that they could get away with that in the end?


Assuming an approximately Bernoulli outcome from Equifax’s perspective, the stock market thinks there’s only a 13% chance they’ll be shuttered by this negligence.


This is an interesting point. I'm not great with math, but I'd love if you could share how you calculated that?


Thee company and its management should be bankrupted. In Roman times the architect of a aqueduct and his family had to stand under it during the final stages of construction. This was a motivation to ensure they did a good job. Its high time we brought back this sentiment to leadership. If you knowingly monumentally fuck up you should be ruined.


I'm involved in the design and maintenance of a PCI environment. Given the auditing requirements for these environments it is mind-boggling that an intrusion of this magnitude went unnoticed for several months.

I'm left with the conclusion that they were either negligent or incompetent, or layers of management were actively trying to cover things up.


How does Equifax build their database of people exactly? If it's all based on public information then they could argue that it's not really a leak. They are merely interpreting public information to build credit score.

If guess for subscribers they could get more information than publicly accessible. What fraction does it represent?


It's not public data, it's data that creditors provide.


Private companies report information about you to the big agencies, and then they blend in public information. So it is a mix of public and private information.


The credit card companies and lenders provide them with your information. It's not public.


This is the kind of thing that should end/bankrupt a company.


Use of the site they created to check if your data was leaked may contain terms and conditions that waive your rights to sue.

[1] https://twitter.com/zackwhittaker/status/906178254331142144


With all the Equifax headlines today, I was wondering if there would be a few poor souls in the the Equifax Tech Department who feels atleast a bit responsible for the whole mess. ( I do understand it is a collective responsibility of the management as well )

edit: Was the analysis of the hack published?


The most frustrating place to be in these scenarios is the IT (especially security) department.

Go ask any security guy if they think their environment is secure. Very few of us will say yes. It frequently boils down to we ask for things, and there are budget/manpower/time limitations in getting them implemented.

So a breach occurs, execs say to IT staff "Why was this possible."

IT staff says "We requested back in <month> to fix this, and its working through the slow process"

Execs say "Why didn't you scream louder, identifying it as a critical issue"

IT: "There are 1000's of other issues, just like this one. The attackers just managed to exploit this one, instead of one of the others. We can't identify all issues as critical, because then nothing is critical."

Both parties stay frustrated thinking the other isn't doing their job right.


Yeah, hopefully this is one of those wake up calls where the management realizes to funnel more resources into IT and security in general.


You mean on the board of directors, not in the tech department.

Edit: people never seem to like it when I say this. The phrase "the buck stops here" has a meaning.


Haha. I meant in all layers of the organization. Could be the IT Security Department, Policy Department, Could be the homegrown development team, anything.


The H1B's are not going to sacrifice their chance at citizenship nor should they.


Why is H1B relevant here?


A lawsuit seems appropriate, but I'm confused on their allegations. How can this lawsuit claim that Equifax "wasn't spending enough or doing enough to protect the information" when nobody, except for those within the company, know how much is spent or done to protect the information?

Is there some public record I'm not aware of that says Equifax underspent on cybersecurity? Or is this lawsuit just a shot in the dark hoping to hit a target?

I wouldn't be surprised at all if the allegation is true, but AFAIK there's no way these individuals actually have proof of it, and it seems like a flaw in our legal system that people are allowed to make allegations like this without any type of proof.


That's what the "or" is for in "wasn't spending enough or doing enough." It's evident that they did not do enough to protect the information. Spend is a proxy for action, but ultimately it's the action (or inaction) that matters here. I only see them exonerating themselves to a large degree if they engaged in routine third-party audits of their security and consistently responded to every identified issue.


If the plaintiff's expert witnesses can be brought in to show convincingly that the nature of the breach - as we can see from the outside - suggests basic common safeguards were not taken, that could force Equifax's hand to show otherwise.


I'm not a lawyer, but is that not what discovery is for?


I think this shows that inanity of centralized credit rating agencies. How do we disrupt this? What if every person you owed money to (Credit cards, mortgage companies, car loan companies) basically reported your payment status on a monthly basis on the blockchain? I think this could work... Anyone could check your credit history - but at least it would be decentralized. There's obviously a lot of questions: How do you protect privacy of individuals? How to identify individuals with a number other than your SSN? Or maybe you do anyway... keeping your SSN secret in this day and age is clearly not viable longterm.


The Fair Credit Reporting Act requires Consumer Reporting Agencies to do two things that are fundamentally at odds with the idea of using a blockchain: Negative information must be removed from your record after a certain amount of time. And false or inaccurate information - which some studies suggest exists on about 25% of consumer credit reports - must be removed or amended upon request.

Both of these are Good Things. One of the most important things our legal system provides is opportunities for remediation when something goes wrong.


permanent and unrevokable authentication tokens are dangerous.


Time to get rid of credit agencies as a whole. They are entirely useless. Make a Government agency that handles it instead of trusting the private industry to make as much profit as they can to the detriment of damn near everyone.


I just want to complain about the credit freeze option for a second.

Like many other people I decided to use this because of the breach, I went to the government identity theft site and found some links.

Equifax - Fill out the form. "Additional information required" please mail stuff to us.

Experian - In your state (washington) there is an 11 dollar fee for this service.

Transunion - Fill out a signup form, complete with god damn security questions. Do the quiz about stuff on my credit report. 10 dollar fee.

Go fuck yourselves you fucking bastards. I hope experian goes out of business because of this, I really do.


From a security standpoint, it seems like there's a problem treating everyone's social security number as if it's some kind of secret key.

Has there been any real discussion about alternatives to the present system? How else could authentication work for opening a bank account?

I imagine that the present system survives (1) because of inertia, and (2) because it doesn't require much infrastructure and so it's relatively cheap.

Maybe the next step is something like putting a chip into driver's licenses and ID cards nationwide?


Soc sec. number is used as an immutable unique identifier for Americans since that's really the only piece of information that can be used in such a way. I'm not aware of anybody relying on it as a sole means of authentication... if it's used for authentication it's always combined with additional information such as "you had a revolving credit account with: a, b, c, or d".


This is probably a dumb question but how does Equifax, TransUnion, etc actually get the credit info in the first place? If I wanted to start a credit monitoring company, could I do it?


Your bank gives it to them.


how does the bank decide which credit reporting firm to give them to? in other words, if I made an Equifax competitor, how would I convince banks to give me this info?


> how would I convince banks to give me this info?

Read "The Art of the Deal.|"


I hope this succeeds and bankrupts Equifax, but then what? Over a hundred million Americans still have their SSN exposed, what are we going to do about that?


If someone offered me this case, I would probably decline it on grounds that I didn't see a reasonable prospect of winning.

Equifax still hasn't revealed any data about how it was hacked, without that information it's hard to prove they were negligent.

Negligence requires three things: duty, breach and damages.

As to duty:

Does Equifax really owe a duty to every single person whose data it keeps. That would be a tough argument to make. They didn't sign any contract or make any agreement with the people whose data they collect. So where does the duty come from?

Even if the plaintiffs were able to overcome that hurdle, they would then have to prove breach. Was Equifax careless in they way they handled information security? I don't see evidence of that, the mere fact that they were hacked doesn't necessarily mean they were careless. All Equifax would have to show to win on this count is that they had some sort of basic security system in place comparable to what other businesses it's size have in place. My guess is that they do have a security system and that this probably wouldn't be hard for that to show.

Being hacked would be considered under law to be an intervening criminal action. It is established that people are not responsible when damage is caused by someone else's criminal action. So long as Equifax took basic, prudent steps to protect data, they can't be held responsible for intervening criminal action.

As to damages

It's hard to see how anything of monetary value was lost by the plaintiffs in this case. There was a loss of privacy, but I haven't heard of courts giving out awards for that sort of loss.

I'm sure people more familiar with information security could point to flaws in they way Equifax protected info. And certainly the way they reacted to the hack was negative. But bad or imperfect behaviour doesn't in and of itself give rise to a claim for monetary damages in court. This case doesn't seem winnable to me.

There is some argument that if you use Equifax's identity theft protection you may be able to sue, which I think is what this class action is about. But that still doesn't give rise to damages because none of the plaintiffs can prove that their identity was actually stolen. And you still don't have breach (no proof that the hack was the result of Equifax's carelessness).


Is a credit freeze the most effective option here? What else can be done to prevent the possible effects of this? The FTC site also mentions a Fraud Alert for cases of suspected identity theft:

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


Question: Is there any way to get a notification whenever a credit account of any sort has been opened in my name, WITHOUT freezing my credit or otherwise crippling/slowing/altering any process that exists? I just want a letter or email notification, not any other changes to anything. Ideally a free way, but paid if a free way doesn't exist...


Bit curious about everyone's thought process with regards to credit freezing. I'm thinking about leaving the freeze in place and only do temporary unlock on as needed basis. Considering SSN and other info. compromised have longer life time, I really cannot think of any other option.


If you enter Test and 12345 into their "checking site" it says account has been breached:

https://twitter.com/zackwhittaker/status/906247688768905216


Our compliance rules dictate a 24hour window before we must share the data breach, in what world does the top personal data overlords have no obligation to disclose in a shorter window? Maybe had they done that, they wouldn't have had time to cash out their stocks before they tanked upon release.


$70B works out to less than $500/ person.

I imagine that the firm will take 25-50%.

Also, Equifax will likely just go bankrupt vs. paying 4x what they are worth.

Perhaps we should seek to have the company turned over to the people, at which point a blockchain based credit system can be implemented.


It's time for the USA to adopt EU-style GDPR protections, by constitutional amendment if necessary.


We need more competition in consumer credit agencies and need more control over access.

We probably need more competition in corporate credit agencies as well like Moodys/S&P that got us into the housing crash.

The lock-in deals these companies have make them get really lazy on their core tasks.


This is like the whole country's credit card holders got affected. Is it a suggested idea to freeze your credit reporting account and not allow any issuance of new credit cards? or Like SSN Lock provided by my EVerify provided by USCIS?


Sorry, but companies that save pennies and nickels only to lose billions deserve this...but makes no sense that individuals have to suffer the consequences...of course they release the news when it's hurricane season.


I think the banks and loan industry are as guilty for giving information like this out to ththe credit bureaus.

Next time you apply for a loan or open a credit card, ask them who they report this too. If it's Equifax, walk away.


I think a reasonable outcome is free credit monitoring for LIFE. I don't understand how these companies get away with only one year of service as if the information will be removed after that year.


It gets worse.. some financial news outlets are reporting that the CFO and executives leading two business divisions dumped shares prior to the news.

Equifax responded they didn't know about the breach and it is unrelated.


This kind of thing actually can be prevented. There should be a law to force to sacrifice some convenience for safety.

Well, it is convenient to access everything by Internet. But it is a double sword

Simple but not too simple!!


For the record, their form doesn't work.

You can enter any arbitrary word and any random six digits and it will tell you that you probably have been affected, and will prompt you to sign up.

Don't fall for this scam.


Not if everyone signs up for free credit monitoring as their settlement.


Gee, does that automatically settle the claim? I suppose it only would if there were some kind of agreement you make when you apply for the service.

I take some mild comfort knowing that > 90% of US adults likely have been impacted (wild guess at US folks who have ever applied for credit -- or it's probably a good amount smaller number if the scope is ever-requested-a-credit-report).


Does it matter if you've applied for credit? They track everyone. The important thing to remember is that you are not and have never been a _customer_ of Equifax. You are their product. The banks, car dealerships, etc... that pay them for credit reports _about_ you are their customers.

You are their _product_. And, in my experience, they treat their product like shit when their product gets his identity stolen.


Not that it changes your point, but I'd put the percent impacted a lot lower than 90%. There's a large underclass of people who don't even have a bank account let alone a credit account of any type. A lot of poor people still basically live by cash and EBT-card.

I'd put it closer to 75% max.


I'm not an Equifax customer and don't plan to become one by signing up for anything, so I haven't seen the terms, but I would fully expect to see some kind of indemnification in there.


You are a "customer" if you want it or not.


Prospects of this data used to hack the next elections are frightening.


The hack exposes lenders (banks, etc.) to a huge amount of risk, right? So don't they also have an interest in seeing agencies like Equifax punished severely for a hack like this?


Maybe it's time to issue everyone private keys where the public key is your "SSN" and it is signed by N people you know to verify identity


N people you know? What if I don't have a family or friends?


If you live in a box, will anyone know you exist? :O


Consumers will end up footing the bill for this. This company will just increase the fee for credit checks in order to pay the penalty.


How do we get in on this lawsuit? What are the implications of this hack to an average person and what if anything should they do about it?


I signed up to be notified before I knew that doing so waived my rights to sue them. Those damn agreements, I need to read the fine print.


Good. I hope they go out of business, and the shareholders are wiped out for having it run incompetently.


freezing credit profiles is a good idea but full account numbers (liability accounts only) as well as addresses and employer data were also part of this breach, its likely there will be many long-term consequences unfortunately...someone with this data can easily impersonate you and level up the level fraud


How does Equifax gather data on people? Do they get it from the government?


"PSA: If you check Equifax's site to see if your data was stolen, you waive your rights to sue Equifax or be part of a class action suit."

https://twitter.com/zackwhittaker/status/906178254331142144


I've seen at least four class actions filed within 24 hours. The first was last night.


Does anyone have information on the hack and what OS / Server they were running?


Where is the credit report ICO? I have some Ethereum I want to invest.


SSN's need firewalls.


just me here or has this given good pretext for mandatory national id laws, possibly on a biometric/EMV type of card, or worse, skin implanted rfid chips?


So essentially three Equifax shares to every victim?


Semi-related: When does CloudFlare get sued into the ground for man-in-the-middle-attacking all of their customers for several months?


Does anyone know how the hackers got in?



Bonus point task: . Get leaked info for Donald Trump . Used said info to access recent tax returns


Careful. Don't start a conspiracy.


Too big to fail!


A perfect application for blockchain.


Apologists please STFU you're making me sick.

Everyone else, call your representative.

You know how people say, "Pictures or it didn't happen?"

Call your representatives and tell them what you think, or it might as well have never happened.


Your comment history is some of the worst stuff on HN and some of the best stuff on HN. Could you attempt to leave out the worst bits?


When taking extreme positions or offering gambles at humor or impression, it is often impossible to know which side of the line you will fall. As they say in Hollywood, no one knows anything (about what will become a hit).


So many possible responses.

First of all, let me tell you I'm a lonely curmudgeon with no social life and about 1.5 friends. HN functions for me as a crude surrogate for socializing, in addition to its functions as a place to read about cool stuff, and yes, occasionally, a place to pop off and talk a little trash. I do try to contribute good stuff.

So understand that I'm being sincere when I say, thank you for taking the time to read through my comment history.

I also want to say that I do my best not to troll, and when I fail and people call me on it, I admit the mistake and apologize.

I was trolling you a little bit there in the other thread and I apologize.

Now then, as to leaving out the worst bits I don't think I can oblige you. In the first place, because my comments are sincere. I don't always phrase things in the nicest way, but I have a real point to make with a given comment or I would omit it. In the second place, what is the "decision algorithm" for "best" vs. "worst"? My point is, what you or I think are my best/worst comments may be totally different from what the next person thinks. I have had one comment moderated by dang once (and I was really embarrassed that he had to do it.) Other than that I pretty much stand by what I've said. There are a few comments I would delete if I could but that bird flew the coop long ago.

Consider the old saw about advertising, "Half of your ad budget is wasted, the problem is, no one can tell you which half."

That said, I take your comment to heart and I'll try to be less cranky on HN.

But I stand by the comment I made above (for example): Apologists for computer INsecurity make me sick. It's far past time to fix this mess. Related to that, the people who says "Oh I give a crap." but don't call their representative or something like that are basically part of the problem. If one person read my snarky shitty comment and made the call, it was worthwhile. As for all the people that read it and didn't pick up the phone, I want them to know they suck, just a little, because I'm mad at them. In fact, I'm mad at most people. We stand at the pinnacle of history. But everyone is busy driving and talking on their cellphones at the same time while meanwhile the Monarch Butterfly is going extinct right before our eyes! There may not be elephants in fifty years.

Okay, that's enough of that. Gotta calm down. ;-)

Now about that other thread, where I was kinda trolly, my point there was that Rational Materialist fundamentalism is still fundamentalism. I am a rational materialist. Physics is the "Word of God". Nevertheless, I have had personal experience that indicates that physics is contingent on consciousness. I'm not going to be able to offer any sort of scientific proof of that because the structure of the Universe precludes it. But it's true. It is a true statement that cannot be proven. Not even in theory.

There are hard limits to rationality, that a rational person must take account of to be rational.

Consider: you're hanging out somewhere discussing rationality, when suddenly into the room bursts a Mad Logician! He's got a bomb and he shouts, "Do something irrational right now or I'm gonna blow us all to kingdom-come!" What do you do? If you start hopping up and down on one foot that's irrational, but to do so to prevent the ML from detonating his bomb is rational! Maybe if you ignore him he'll just go away.

It's Russell's Paradox.

This sentence doesn't describe itself.

These words have no meaning.

Etc.

My quip about the square-root of two was meant to point out the fundamental nature of irrationality. Pythagoras is said to have killed the first guy to point out that two and the square-root of two are incommensurable. The "rational space" is a subset of the real space. There will always be places on the map marked, "Here be Dragons".

(Also, if you call shamans con-men be sure to make sure that none of them can hear you. ;-)


That's one for the book as well as the one about unicode and writing systems. To me the quality of a comment is something that indicates how well that comment will age over time, some comments retain their strength even years later and your unicode comment is an excellent example of one of those. It really opened my eyes and gave me some new insight into something that I had already considered dealt with years ago. So thank you very much for that.


Cheers, well met. :-)

Here's to many more long-enduring quality comments.

(It blew me away when I realized that computer text isn't writing! English is so well served by ASCII, and has been since so early on, that the assumption that bytes are the same as writing just gets lodged in there, unexamined.)


So let me get this right, this company collects credit information and someone hacked into their web server and stole highly sensitive information about most of the adult american population. Then the executives sold their stock a day before they announced the hack to the public. Besides the troubling fact that you still use social security and credit card numbers as any form of reliable authentication, how aren't there already federal agents searching every square inch of the company and interviewing key employees under oath? But no, nobody is securing this evidence and thus any lawsuit will probably either fail or end in a small settlement of an amount the company will not be significantly hurt by, causing no reason for stronger security in the future of this or any other company.

The kind and amount of information warrant strong regulation in the way the data can be stored and processed (separate monitored networks not reachable from the internet would be the absolute minimum), governmental regulation needs to ensure the security of sensitive personal information like this and regular checks need to be conducted to ensure their adherence, especially in the case of a breach like this after the fact, you can't rely on the company conducting a forensic investigation.

But no of course not. I can already hear Americans preach to me how the free market is great and solves all your problems.


> I can already hear Americans preach to me how the free market is great and solves all your problems.

This sort of nationalistic flamebait (pro or con, doesn't matter) breaks this site's rules. Would you please read them and follow them when commenting here? https://news.ycombinator.com/newsguidelines.html

On HN we're hoping for at least a slightly higher standard of civility than is common on the internet. Given how strong the forces of polarization (of all kinds) have been as of late, that's something we need everybody here to pitch in with.


No amount of governmental regulations can solve the current date breach trends. Even government's own intel agencies got hacked too. No organization is immune to data breaches. It's a matter of time and effort.

A lot of us here are engineers and coders. It's our responsibility to design better architecture, security conscious protocols and write securer softwares. And it's up to all of us (regardless which country you are in) to voice up and resist the idea of weakening encryption or allowing backdoors and instead advocate for adopting better and more securer encryptions to safeguard private and sensitive personal information.


I think it's a fruitless effort to try and secure all of the data in the world. Our data is lying in too many places, the databases holding them are too complex, as another user stated, a breach is really just about money and time. Our systems are too complex to merely increase security standards.

I think we can significantly improve the situation though with increased data collection laws, and then also more cryptography. Equifax shouldn't have all that data in the first place. A lot of the reasons that companies need data (besides machine learning) can be covered with cryptographic arguments that exclude the data itself.

For example, cryptography exists that would allow me to use my driver's license to prove to you that I am over 21, without ever actually showing you my real birthday or name. You could be 100% convinced that I both have a valid ID and that ID indicates that I am over 21 without learning anything more than those two facts.

If you can do things like that, you can make it illegal for companies to hold more sensitive information. If there's a big data breach that loses sensitive information, the company at fault can be charged for illegal data collection.

I know it's a big step from the data driven world we currently live in, but I think it's the only way to avoid a scenario where pretty much all details of every person's life (including politicians, secret agents, military figures) are public knowledge. We're just collecting far too much data, putting it in far too many places, and it's technologically infeasible to protect all of that.


You hit the nail on the head. Real progress can only be made by severely limiting the amount of data being collected.


Sure, in a fantasy land. If you where to hold the management criminally responsible for their lack of investment in IT, security etc you might see increased investment.

The very fact that all this data was accessed from their public site is very troubling. What's the chances this is a basic SQL injection issue? What's the chances they didn't invest in security at all?


> If you where (sic) to hold the management criminally responsible for their lack of investment in IT, security etc you might see increased investment.

What makes you think lack of investment in IT & security is the main reason they get hacked?

Vice versa, NSA has virtually unlimited (let's just say unlimited means tens of billion dollars) budget invested in IT and security. They have the top resources there too. Do they immune from data breaches and being hacked? The answer is a big NO!


Correct me if I'm wrong, but the NSA leaks have all been the result of internal employees leaking outward, rather than outside people reaching inward where they shouldn't. That's a meaningful distinction, IMO. They call for two completely different types of defense.


You assume it's different for Equifax.

Hacking humans is quite often the easiest point of entry.


From the Equifax webpage[1]: Criminals exploited a U.S. website application vulnerability to gain access to certain files.

[1]: https://www.equifaxsecurity2017.com/

This is inexcusable in 2017. Hacking humans may be easier but it's up to Equifax to figure out how to mitigate that risk. "It's hard" doesn't excuse their behavior.


NSA has leaks, that is different, these guys were actually negligent with your and my data, probably underpaid their developers, didn't listen to them, didn't have proper security protocols etc, etc.


Certainly a lack of mental investment. The NSA and these credit agencies are not a comparison, as their jobs are quite different. If nothing else, the NSA has to be connected to public networks to do their covert operations. Not so with a "credit rating agency". They should not be on a public network at all. Before the Internet, they were not, they were on private leased lines.


You missed the point. I am arguing that no amount of investment is big enough to make data breaches go away. Even the top intel agency with top budget and top resources can't avoid breaches, what else would you expect a corporation?

However this is not an excuse for Equifax to not put more focus and investment on their security.


> I am arguing that no amount of investment is big enough to make data breaches go away.

Sure, nothing is totally secure against a dedicated, motivated attacker with unlimited resources. Thankfully those are few and far between.

Based on that Equifax has said that this doesn't seem to be the case.


Your argument that credit rating agencies shouldn't be on the internet is really terrible.

People pay credit rating agencies to retrieve their credit reports, get credit scores, and open disputes, and the best way to do all that is online.


Yeah, but then they realised they could monetise it by selling your own data back to you with easy, constant, access to it via the web.


High. And they won't be the only agency. I guarantee you we'll hear from the other 2 in the next month or so. Because people aren't held criminally responsible for the security of user data, so why give a shit?


My guess is they paid an 3rd party bs service to "scan" their site for vulnerabilities.


Sure it's our job to do that. The job still gets easier when you have the law backing you up.

An excellent example is how many companies are in panic mode right now to get GDPR compliant before next year. There's a lot of security engineers and developers that finally get the budgets and time they've asked for to improve customer privacy, because the potential fallout of non-compliance is too big to ignore.


"No amount of governmental regulations can solve the current date breach trends." I'm sorry, but that is just flat out false. That type of thinking is just bizarre to me. It would make a gargantuan difference. Hold executives personally accountable, with whistle blower laws protecting the developers who identify weak security. It would change the freaking world over night.


Forget regulation. Pass laws and just fine them. A lot. So much it's a threat to the company's existence. Pretty sure it'll turn out to be a solvable problem.

If it isn't a solvable problem then we need to start talking about getting this data off the Internet.


What is regulation if not law?


Equifax had engineers and coders building their hackable site, at the direction of Equifax, within the scope of the law (unless we discover they broke security regulations). Having regulations with suitable punishments gives the company an incentive to build the site securely, and it would have been skin flecks off their back to do it, but their profit motive and lack of legal incentive meant they didn't care to.

If you're really so terrified of the government that you're against security regulations for the website of one of the largest credit card information collectors in America, then you deserved to be hacked too.


Totally agree - 2016 was a record year in terms of breaches and it keeps going.

The problem lies in that security and efficiency have been historically at odds with each other.

This is what inspired us to work on bringing a novel data security technology from the University of Harvard to the market: www.f-lock.ca . Essentially we are allowing for querying functionality, while achieving homomorphic-level of security. Would love to connect with any people here who share the same vision!


Regulation is absolutely capable of reducing the damage done by these types of attacks and incentivizing companies to make the necessary investments. Nothing will ever be 100% secure but that is no reason to just give up on trying. We tried letting the free market do the right thing and it failed, this is the reason the government exists.


You can't stop breaches, but there are minimum things you can do that help.

1. Collect the minimum amount of information you actually need

2. Hash and salt the data you store

3. Tell the people the truth about what happened to their data within a reasonable time

These are all things that can potentially be enforced.


true. I once worked at a bank and we used a 3rd party data warehouse web solution to get started with a new business. 6 months into it, i noticed that I could access cross customer information by modifying local javascript variables. When I brought this up to my manager he told me to patch this up asap. which i did, using MD5, because i was a jr engineer back then and didn't know any better (and apparently neither did my manager, nor the creators of that data warehouse)

my point being, without guidelines, or regulations, or some sort of security rating standard, managers will continue to make these mistakes.


> No amount of governmental regulations can solve the current date breach trends.

I think there's a few things that could be done:

1. Invalidate all SSN numbers.

2. Force people to get a new ID card; make it like the smart-card passport card (or make people get such a card). That becomes your ID and number.

3. Getting that card requires you to be present physically for fingerprinting. Put the fingerprint data on the card, and no where else.

4. Make regulations that only allow for loans to be done in person - no more mailings, nothing online - if you want credit, you have to show up in person.

5. To prove who you are: Fingerprint, your card (with picture - and fingerprint data on the card), plus your pin number. Essentially chip and pin identification, with a fingerprint scan (and maybe a face scan too).

6. Make it so if you want to do online transactions - or any transaction for that matter - you must provide all of this. Basically, at home, a card reader that can read the chip, allow you to enter the pin, scan your fingerprint and face, and if all of that matches what's on the card, then an "acknowledgement" is sent.

Essentially the above would implement a 3-factor auth. I am not saying the above is perfect (I am absolutely certain I have screwed something up there - but the basic idea is what I am trying to convey), but we essentially have to do a clean break away from all current ID and credit/loan/payment systems - and move to a system that introduces a TON of friction.

Physical Presence (Something you are)

Physical Token (Something you have)

PIN (Something you know)

And all the data about "who you are" (face scan, fingerprint) stored on the card (hashed of course) only, no where else. Basically - the card, your presence, and your knowledge all have to be present, and the card's processor authenticates you.

And these factors need to be presented each and every time you do a transaction of any sort involving money or identification.

And no online or by-mail signup for credit. That should be done in physical form only.

Finally - allow for at-will changes of the PIN, and yearly a forced change of the PIN.

The problem with the above, though, is many-fold. It would be extremely costly - for everyone. It is also (seems in a way) draconian. But something of the above nature would need to be done, post haste, if we wanted this to go away.

And basically not allow any kind of storage of credit information or whatnot by -any- entity (and I am not sure how that would even work or if it could). Maybe all they have is a hash value and your name, and the card can generate that hash value as "authentication"/"identity" - but you have to have everything there (you, card, pin), and only the card holds the information, and only generates a hash.

I dunno - but again, this is the idea. I'll leave the details to people smarter than I on these things.

I don't expect something like this to be ever implemented, though. One would think this breach would do it, but it won't.


> how aren't there already federal agents searching every square inch of the company

Usually reserved for criminal cases, not civil ones.

> regulation in the way the data can be stored and processed

Have it.

> regular checks need to be conducted to ensure their adherence

Have it.

> I can already hear Americans preach to me how the free market is great and solves all your problems.

Please quote me the "solve all your problems" source.


> Usually reserved for criminal cases

Is this not? If that's the case I need to get out of this dumpster fire of a country.


IDK whether it has the potential to be, but that's how it currently stands.

I can tell because criminal cases are prosecuted by the state; civil cases are prosecuted by private parties. (And class action is always civil.)

But by all means, move to somewhere less dumpster-firey where large businesses and governments don't get hacked.


Just to make sure that we aren't all talking past each other...

1. I assume the FBI is investigating the hack itself (who did it, etc.). Citation?

2. I assume the SEC is investigating the suspicious timing the executives who were selling stock before the announcement. I'd also assume it could turn into a criminal investigation. Cite?

3. The class action suit is a civil action asserting that Equifax was negligent (that's what the Bloomberg article that these comments are currently pointing to is about).

4. There could be criminal negligence in securing their networks. It seems like that could be either of a Federal or state issue. Anyone know if this investigation would take place with the FBI, or if there is another federal agency which would take the lead on that?


I think your comment can be easily interpreted as a knee-jerk criticism of American regulatory environment en mass. At best this is a straw-man, and at worse it's a hyperbolic jump to assumptions about the attack vector, existing regulations, and how you believe them to be insufficient.

It's too early to know anything for sure about the breach and certainly holding pre-made assumptions prevents a more level headed, careful analysis of the facts.

That being said, I agree that on the face of it, this is pretty damning evidence that regulations were either not in place, or were not verified to an acceptable level.


Finance industry regulation is a joke in the USA. It's largely self monitoring based! http://scholarship.law.cornell.edu/cgi/viewcontent.cgi?artic...


It's not the thing he/she said, it's how he/she said it.

Interestingly, Canada's financial industry is also mostly self-regulated which has always struck me as a foolish model.


The NY Attorney general is looking into the situation now.

https://www.nytimes.com/2017/09/08/business/equifax.html?rre...



"Then the executives sold their stock a day before they announced the hack to the public."

Selling stock the day before the news makes these guys seem like absolute criminals, but (a) it's not what happened and (b) the soundbyte doesn't represent what is likely the case.

The reality:

- Breach happened between March - July 2017

- Breach detected July 29th (A Saturday)

- Executives sold stock August 1 (A Tuesday)

- Breach announced September 9th (5 weeks later)

From the company's own statement, which you can BET was vetted by a lot of attorneys:

"Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted."

I would bet, dollars to donuts, this is just terrible timing optically for the executives.

What is much more likely reality is that they detect breaches on a regular basis, and until the forensic team came back with the bombshell - likely many weeks later - of the scope of the data loss, the executives were not even informed.


I'm reading a book now call "Liquidated: an Ethnography of Wall Street" by Karen Ho from Princeton. There is this incredible part at the beginning of the book where the Vice Presidents of Goldman Sachs are training the incoming group of Junior Analysts who have all just graduated MBA school, telling them how to treat the executives of the companies they are going to be analyzing.

They make them shout over and over "MANAGEMENT ALWAYS LIES, MANAGEMENT ALWAYS LIES, MANAGEMENT ALWAYS LIES".

That scene took place in the early 90's, and I can't imagine anyone thinks it's gotten better in regards to the ethics of top management, their understanding of technology, or their desire to participate in insider training.


Such a mantra may not be true, but it imbues analysts with a sense of skepticism. The analysts are the very people Goldman expects to detect lying management.


July 29 < August 1 < September 9

I don't see anything exonerating in the timeline you described. You are making assumptions here that could excuse the executives if they were true. These are nothing but assumptions though.


The sales were unplanned, meaning they weren't entered per the usual stock sale cycle. If that's not evidence enough of at least insider trading, coupled with your timeline, I don't know what is.


>What is much more likely reality is that they detect breaches on a regular basis, and until the forensic team came back with the bombshell - likely many weeks later - of the scope of the data loss, the executives were not even informed.

Your hypothesis is predicated on the fact that you trust their timeline, and make assumption that type of events could have occurred within each groups at Equifax on those days..


Brazenness is already in evidence: Equifax's management thinks offering one measly year of credit monitoring, which will inevitably lead to huge sales of such a service, is an adequate response. What makes you think they are not at least as brazen about their stock positions in Equifax?


> I would bet, dollars to donuts, this is just terrible timing optically for the executives.

Difficult to prove, but I too suspect it’s just bad timing.

Note that the three executives sold relatively small portions of stock: 13%, 9%, 4% of their respective personal holdings.


That isn't the only thing that needs to be done. We need to make a new SSN system that is based on Public Key Crypto. Make 2 keys, one fully private stored offline completely by the government, one for us that we then use to create multiple hashes based on what we are doing. 1 for taxes, 1 for loans, 1 for SSN info, 1 for voting (so we can sign for our online voting), 1 for proof of work, etc. then when someone steals our info we can axe a key for that form, and create a new one. the primary key that we hold can't be changed without our knowledge, but in the case that our info is breached, and we lose either of the keys we then go to a government office and verify fully (with a few keys that had already been used and then get a new one. In the case of a bank breach though, we could just kill the existing one and change it at a local branch or online if we trusted that.


> how aren't there already federal agents searching every square inch of the company and interviewing key employees under oath? But no, nobody is securing this evidence

Do we know that there aren't? Would it be public knowledge if there was an investigation?


If there was insider trading on the breach information, they'll be in the slammer soon enough.

It would be pretty stupid, considering how easy it would be to get caught, and to avoid a mere ~14% decline on your share value? Yes, people can be stupid and greedy. I guess we'll see if this applies to these execs.


And we already know they are stupid and greedy because of the hack.


Don't conflate the free market with zero regulation.


Maybe not but in every free market argument I've seen, the regulations that free market purists are willing to acknowledge are hazy at best, most likely because they will never need to be implemented because such a system will never exist. Even if it did, it would eventually evolve back into our current system (I think), because I think thats how our current system evolved in the first place.


At least they aren't "too big to fail" since there are two other major credit bureaus doing basically the same thing they do.


This reminds me. Fight Club was a great movie.


Not a single Mr. Robot reference here? I'm disappointed.


There really needs to be a law for "you did something obviously wrong and got caught and you kind of suck as a human being" with the punishment being your arms get cut off and you get tossed into a tank with sharks.

That should be the execs' punishment for the stock sales.

Also, technically speaking, this company sucks.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: