Equifax Faces Multibillion-Dollar Lawsuit Over Hack (bloomberg.com)
1345 points by jameslk on Sept 8, 2017 | 648 comments



>In the complaint filed in Portland, Ore., federal court, users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.

Doesn't "users" imply that we had a choice in the matter? As if we're Equifax's customers? I feel more like we're victims in this case.


Got an email from my Dad today:

"I checked myself, my wife, you and your brother. To the best of my knowledge none of us have Equifax accounts, but it says they probably got our address & driver's license for all four of us.

I don't want to waste money on LifeLock. What can I do? Just watch my accounts?"

Is Visa, MasterCard, etc. at least partially to blame here for picking a bad solution? My personal ties are not with Equifax, I have no direct means as a consumer to express dissatisfaction. Can I sue Visa? They are the ones (I presume anyway) who did the actual information collection from me, and then it was mishandled.

We need more tools for dealing with data breaches. Things aren't slowing down, and they aren't going to unless something big changes.


Visa and MasterCard don't issue credit cards, don't provide credit, don't have your personal information, and don't provide personal information to credit agencies. They are just the network that connects card issuing banks and merchant acquiring banks to process payments.

Your contract is with your card issuer, who provided your personal information to the credit agencies. But you probably agreed not to sue them as part of your agreement when you asked them to issue you a card.


You should watch your accounts. I use Credit Karma and they will send you alerts and updates for various credit events (account opening/closing, paying off a balance, etc). It's free. Edit: They only monitor TransUnion and Equifax data; not Experian.

If you don't want to pay for LifeLock, which I agree is a bit steep, you can usually get an identity theft protection policy from most major insurance companies. The premiums vary, but are usually a fraction of LifeLock's fees. Just be sure you understand what's covered.

I use both of those and it costs me $25/yr total.

You can check the Fair Credit Reporting Act for more information about various parties' responsibilities in handling your credit information. However, I don't think you'd be able to sue lenders/creditors in this case. They are distinct from the credit reporting agency that seems to be at fault.


> I use Credit Karma

> They only monitor TransUnion and Equifax data

Where do you see that they monitor Equifax data? I only see TransUnion mentioned.


I had a problem signing up for a mobile phone contract a while ago. The mobile company eventually told me that Equifax were supplying them with (my) information which was slightly different from what I was saying about myself, so I called up Equifax. To "fix" things, Equifax wanted me to send a notarised copy of my passport to them (at my expense!)

Of course I told them to get lost and just used another mobile provider, but I learned from this episode that all of these consumer services companies share data both ways with these credit checking agencies.


If you've ever opened a bank account or a line of credit you signed something to the effect that you agreed to let your institution share your data with these agencies.


That doesn't make you a user. It just means the bank gave them your info.


After you made the choice to allow them to.


Agreed to it under compulsion. It isn't feasible to go without a banking account / credit union account. Modern society relies on these accounts. And all of these accounts have these reporting measures in their legalese. There is no option to not agree to it.


> Agreed to it under compulsion. It isn't feasible to go without a banking account / credit union account. Modern society relies on these accounts.

A) A credit account is not the same thing as a checking account or credit union account

B) Plenty of people, even in the US, operate without any of these things. It's not fun, but it's absolutely possible.


> Plenty of people, even in the US, operate without any of these things

After my company crashed, my wife divorced me and then I got cancer -- things were pretty grim on my credit-worthiness story. Net-net: I went without a bank-account for a few years and learned to live with pre-paid phones, money-orders, cashing checks at pawn-shops and pre-paid debit cards, and (for medical and other reasons - not able to drive. Good news: I saved on car insurance, gas and parking). All-in-all ... not a lot of fun (it's very expensive and time-consuming to be poor in America!).

But! As you say: it is do-able.


A choice made under duress of not having access to a bank account or credit (which makes someone a de-facto persona non grata in the modern world).

Monopolies aren't choices, and monopolies on essential services are coercive by definition.


Equifax isn't a monopoly. There are 3 major credit reporting agencies in stiff competition with each other. No doubt executives at TransUnion and Experian are cackling with glee at Equifax's stumble.


The non-negotiable choice between allowing them to and being denied service entirely.


It doesn't seem crazy to me that if you ask for someone to loan you money they only do it under the condition that you agree to participate in a system that helps them track your creditworthiness.


It does make sense for lenders to cartelize and force each other to report the creditworthiness-affecting information about their borrowers to one another.

It doesn't make much sense for borrowers, though. But since, by definition, the lenders have the money and the borrowers do not, the borrowers have no real ability to negotiate when lenders get together and do things like that.

But borrowers can vote just as much as lenders can, which is why such behavior is governed by law. So let's not pretend that borrowers somehow agreed to this system in any way. It was forced upon them, and the best they could do about it is pass laws to ensure that lenders at least had to be accurate when reporting, and had to respond reasonably to disputes. Since lenders can lobby and vote, too, borrowers were not able to mandate that the lenders would have much in the way of legal liability when they inevitably get lazy, screw up, and cause real damages to real people.

The law isn't fair; it's just the best compromise that adversarial parties with differing amounts of money, power, and motivation could reach a threshold level of agreement on. It just so happens that a savvy and motivated borrower can completely whitewash their own credit reports for the cost of a few stamps, and maybe some small claims suits, while an ignorant borrower, or one who lacks the time and energy to ride herd on the CRAs, can get completely screwed. It's a numbers game, and the lenders and CRAs can make more money from the latter category than they lose from the former.


One thing I'm not sure about is how this breaks down as to people who paid Equifax or signed up for some service through them compared with people who involuntarily had their credit tracked through Equifax.


I was wondering about this too. Like, I never signed up for them, but apparently their site says I might have been affected. CreditKarma or other credit score companies apparently share user data to these agencies.

Their announcement says social security, addresses and names have been stolen, this is really worse, this data is enough to do a ton of things.


CreditKarma doesn't give info to Equifax, it gets info from Equifax.

The credit agencies (of which Equifax is one of 3) get their info from credit card companies and other financial institutions. If you've ever signed up for a credit card or gotten a mortgage or car loan the information from that transaction was sent to the credit reporting agencies. That's how they get data to make their determination of how credit worthy you are.


This is why data protection laws are needed. Data about a person needs to belong to the person. This would prevent these large collections without consent.


Yeah, I would think so. So far, we've learned that they've exposed virtually everyone's data through their incompetence (thus exposing nearly every adult in the US to a high risk of identity fraud), sold stock to avoid personal financial losses before the news broke, and set up a scam site to trick people into giving up their right to sue.

If this isn't criminal, then nothing is. If someone doesn't go to jail over this, why the hell shouldn't I just go out and commit fraud on a daily basis myself? It seems to be rewarded in our society...


>> why the hell shouldn't I just go out and commit fraud on a daily basis myself?

Because corporations are protected, individuals are not. This is what happens when business (profit) takes precedence over human rights.

There will be no repercussions for those responsible. No changes will be implemented. At best we'll get a public apology, but even that seems far-fetched.


Should a sound approach, then, not be, to incorporate oneself at birth?

What if A Person were to be born into a corporation and all transactions made by them be the corporation's actions - if things go south, dissolve the company.

(clearly this is simplistic, but you get the idea)

I want to re-form myself into one of these corporations which has little retribution for actions. I shall pledge 10% of SamStave INC LLC to any attorney on the ~~~prowl~~~ case...


This is extremely difficult for a single person to do without piercing the veil.

https://en.m.wikipedia.org/wiki/Piercing_the_corporate_veil


Indeed, this seems only logical. I honestly have this thought every time I make a large financial decision: Renting a house? Would be much easier to break the lease (Should I ever need to) if my surrogate 'corporation' with few assets were the lessee. Ditto with many medical situations/other large expenses. Plus, much better tax deductions!


> Would be much easier to break the lease (Should I ever need to) if my surrogate 'corporation' with few assets were the lessee

You'll risk losing the assets. If the assets aren't substantial, it's unlikely any landlord will sign the lease with the entity without someone guaranteeing it.


Well, this is why most people (including myself) put rental property under an LLC. I wouldn't let a tenant sign the lease as a corporation unless they were a legit corporation - you know, companies rent houses all the time for executives that relocate, etc. If the tenant breaks the lease, I'd sue the company and their assets.

Real world example: I did a summer internship one year and the company rented a few houses for the interns. Myself and 2 college guys were in one. Landlord claimed damage on the air conditioner because it iced over due to not changing the filter...ended up getting money from the company.


a one person corporation isn't going to work. you'll need multiple people to serve as officers.

that said, the strategy you describe is perhaps workable as a small, close-knit group of reciprocally trustworthy people who leave a sequence of bankrupt corporations in their wake.

it could be a sort of financial lobster: a ring-of-trust which occasionally sheds its corporate shell and then immediately grows a new one.


Consider "service" companies and asset sales. The company name/etc can be valued pretty low and sold to another organization while leaving all the unrealized liabilities in a company without any assets to pay for lawsuits...

This seems pretty common with high value items (say pools/AC units/solar installers/etc) providing long warranties. 5 years in, the warranty is worthless because the original company is gone.


I am still unsure as to how any of the credit bureaus exist legally at all, I never consented to having all my eggs in those three vulnerable baskets. Why is this my problem all of a sudden?

I get that consumer protections in the US are not very strong, but this just seems like a shady cartel in cahoots with the banks/insurance companies. Please tell me I'm grossly misunderstanding something here.


It's a historical fluke. Credit bureaus trace back to agencies that compiled third-party reports on the creditworthiness of business persons. So long as the information collected is accurate (and not defamatory), this type of activity is protected under the first amendment.

See the first segment of this episode of the Backstory podcast for a retelling of how these early agencies worked: http://backstoryradio.org/shows/keeping-tabs-2016/


But then what happens if that information becomes inaccurate? (if your credit report shows credit events that aren't yours as a result of a fraud). Doesn't it become a form of defamation?


John Oliver made a segment about this on how a person was denied a rental contract because one of these agencies said he was a terrorist.

Like really, Equifax saying "his score is pretty good, but he IS a terrorist". Sometimes correcting those things takes months.


It's ridiculous, but no property management company wants to risk a fine when the cost of checking the OFAC SDN list is so small. I'm not sure if we ever saw a decline due to the OFAC list, so I could easily see it would take a long time for something that unusual to be straightened out.


> I never consented to having all my eggs in those three vulnerable baskets

Your information does not just magically make it into the database of a credit bureau. It gets there via public record or because you allowed a creditor to report it to them. You are more than welcome to find a creditor that does not ask for or report to credit bureaus.

Not trying to justify the existence of credit bureaus but let's not kid ourselves. They aren't sending spies to your house or tapping your phone lines to get this info. You personally authorize a large amount of it.


Crass incompetence at securing IT systems is not a criminal offense, no one is going to go to jail for that. But insider dealing is a criminal offense with a potentially heavy jail penalty.


>why the hell shouldn't I just go out and commit fraud on a daily basis myself?

Because you don't have enough wealth to be immune to the legal system.


Yeah, if this didn't light a fire under some butts, nothing will. Remains to be seen whether it is just lip service, though. Our government doesn't like to prosecute people in the financial sector anymore.


I hope their executives get criminal charges. Credit Reporting Agency has a huge responsibility to keep this data safe. Let's charge with their CISO...you know, the one that graduated with a degree in music composition and just recently took down her LinkedIn profile.

https://www.boardroominsiders.com/executive-profiles/1006308...


It is presented like a scam site, but without compelling users to agree to terms and conditions the site doesn't pass the basic contract law requirement of establishing a clear, unambiguous pathway to assent by a consumer to the terms.


Is it time for a Federal Department of Verifying Whether People Are Who They Say They Are?

Verifying identity with SSN is broken. The right way is probably more or less how big webapps do it - MFA + a password that the user can reset by providing a bunch of info. The government has the necessary private info to do this in most cases (e.g. DL# plus your income from last year's taxes), and can fall back to "Show up at a police station/DMV/other office and talk to a human" in disputed cases.

I'm sure there are lots of private corporations that would love to be the One True Arbiter of who's who, but none of us would trust them, or want to pay the price. An open source solution (something like Keybase?) seems possible, but not without government backing.


USPS is a good contender for identity validation, too.


This is actually how it's done in New Zealand. We have something called realme https://www.realme.govt.nz/, which is made by New Zealand Post (our government post service, with the benefit of offices all over the country to do the initial ID verification for account setup) and the Department of Internal Affairs (they do things like births, deaths, marriages, passports, and citizenship, so they're used to dealing with identity)

It's an awesome system that the US would be lucky to have. I say this as a dual citizen of both countries.


I'm a kiwi citizen too, and for some reason I thought you had to renounce your NZ citizenship to receive a US one; kind of neat to hear the opposite!


The parent poster might have dual citizenship by birth, which would be a different case than starting with only NZ citizenship and acquiring US citizenship later (or vice-versa).


Dual Citizenship in the US isn't explicitly allowed, but it's not disallowed either and in practice isn't an issue. [1].

1- http://immigration.findlaw.com/citizenship/dual-citizenship....


I would not trust USPS with anything. I came by to pick up my mail and they gave me someone else's mail - a stack of 40 some letters / documents - all sorts of sensitive stuff that I could in theory open up and steal that person's identity.

Please, think before you say USPS... this agency is broken as hell. The last thing we want to do is trust our identities to them.


This is actually brilliant considering USPS can process passports and does banking light services (money orders).


USPS is no longer really part of the federal government.


How so? It is one of the very few constitutionally enumerated functions of the federal government, and I don't remember it being privatized?


Yes it is, 100%.


Well . . . 85.7% (6/7). On Sundays, it's Amazon's: https://www.bloomberg.com/news/articles/2015-07-30/it-s-amaz...


No, it absolutely is not, it's a government entity but an independent one like dozens of other agencies.


“independent” agencies are actually part of the executive branch.


Yes, which is part of the government, as I mentioned. The important point was that it was gov't and not private as several people were claiming.


I love that I got downvotes for this. People are mad about the post office.


They should downvote it, it's entirely inaccurate. https://en.wikipedia.org/wiki/United_States_Postal_Service#G...


The USPS is often mistaken for a government-owned corporation (e.g., Amtrak) because it operates much like a business. It is, however, an "establishment of the executive branch of the Government of the United States", (39 U.S.C. § 201) as it is controlled by Presidential appointees and the Postmaster General. As a government agency, it has many special privileges, including sovereign immunity, eminent domain powers, powers to negotiate postal treaties with foreign nations, and an exclusive legal right to deliver first-class and third-class mail. Indeed, in 2004, the U.S. Supreme Court ruled in a unanimous decision that the USPS was not a government-owned corporation, and therefore could not be sued under the Sherman Antitrust Act.[90]


My mistake, I misread you as stating it's 100% not government anymore. My bad!


Thank you for correcting me.


Won't work. Once companies start gathering private data stored in this DB, it can be compromised and government isn't that great at securing data either. MFA would require everyone having a smart phone or RSA key fobs. SMS/Phone based authentication isn't secure.

Only real way to get true identity system is biometrics (fingerprints, DNA, or iris) taken at birth. But that will never happen for privacy reasons.


Biometric has its own problems. What's a fingerprint but a password you can't change?

Any secret can be stolen, bio or otherwise. The key to robust ongoing identity is not a better shared secret, it's a better way of recovering from theft of shared secrets. One way is to have a big trove of non-secret-but-not-public data, like previous addresses and employers (which is how the credit bureaus sometimes authenticate people). Who has more such info to draw from than the government? Another is to use shared info that goes stale quickly, e.g. "What magazine did you get in the mail yesterday?" Again, the government, by virtue of being the government, already has candidate info to draw from.

And what if all else fails, if some super-hacker has stolen or has ongoing access to every single piece of digital information that could be used to authenticate you? If you're a startup or a corporation or an open source project, you throw up your hands. If you're the government, you say "Please visit your nearest police department and bring your photo ID and some utility bills."

The more I think about it, the more I'm convinced that this is the only good solution. Like someone else in this thread said, Identity is hard. There's no silver bullet to make it a tractable problem, but you can throw enormous resources at it. And in the government's case, the most costly part (building a brick-and-mortar office in every city, town, village and hamlet in America and staffing it with humans) has already been paid.


Some people are born without fingerprints. Would make it a crappy method for them


What you explained is what global entry, tsa precheck, and nexus programs are.


...except that TSA Precheck doesn't host an OAuth server that my bank can use in lieu of their dumbshit "street you grew up on" nonsense.

But yes, I agree, it's a good point that the government already does this (ditto for lost birth certificates, etc) and this would just be tying the federal identity that they work so hard to verify to a digital one.


> dumbshit "street you grew up on" nonsense.

I call these what they are: Insecurity questions.

I have also taken to writing completely unguessable nonsense as the answers and recording them in my password manager.


> ...except that TSA Precheck doesn't host an OAuth server that my bank can use in lieu of their dumbshit "street you grew up on" nonsense.

Precheck/Global Entry give you a known flyer/traveler number, which combined with your personal information, authenticates your identity between your travel provider and the government.


That's also problematic. If I can capture your data, then I can supply that data at a later point. Even if there are "secure" endpoints that collect that data for verification; I'd just need to compromise one of those.

Identity is hard.


Biometric national identification is used in many countries, with India's Aadhaar system being the best example. Those systems are mostly used in developing countries that are leapfrogging their financial technology past the legacy systems that the 1st-world powers developed in the 20th century. 'Privacy reasons' is an American cultural anomaly, especially considering the lack of privacy we suffer from the system used by companies like Equifax.


> 'Privacy reasons' is an American cultural anomaly

You can't say that immediately after citing Aadhaar as the "best example" of biometric national identification. There has been massive pushback against Aadhaar for privacy reasons specifically, which just resulted in the Supreme Court declaring privacy to be a fundamental right - something which, incidentally, goes far beyond the approach to privacy taken in the US and Europe.


The whole point would be to move off of shared secrets, so data breached from one company's DB wouldn't be usable to impersonate the victims elsewhere. The idea is to abandon the idea that any data (which ever leaves the consumer's hands) is private or needs to be protected to prevent ID theft.

We have the technology, i.e. certificates, signatures, smart cards, identity federation like SAML.


SSN is an identifier (username), not a verifier (password). Don't deal with anyone using a small number you can't change as an identity verifier.

We got govt + all banks on board with a national digital id. Basically all systems that were considered safe enough such as the major banks online systems (with advanced 2fa) are allowed to issue digital IDs that can be used as logins to all authorities and any other place that needs verified id.

This system probably paid for itself in a hurry.


> Is it time for a Federal Department of Verifying Whether People Are Who They Say They Are?

After the colossal theft of employee information from the Office of Personnel Management, I have no faith that the feds would be able to keep the information secure.


I'm not excited about this class action; If they win, the individual payout will be almost nothing ($10?). The lawyers are the only ones who will really "make out" with 10's of millions in fees.

There is also a disproportionate effect in that a small portion of the 143 million affected will have a large impact, i.e., "identity theft" while most will be unaffected.

I think a fund set up to help those who are directly affected is a better idea. This could be done through government action where penalty proceeds are turned into a fund. In other words, similar to the BP oil spill in the gulf where the fund helped those who lost income or suffered property damage.


IMO, the best outcome would be to put Equifax out of business. I have had my identity stolen and they were complicit in enabling the fraud against me. Once you tell them your NPI has been compromised, they get incredibly passive aggressive against you and refuse to allow you to manage the situation (i.e. they won't let you unlock your credit to apply for a mortgage).

In short, this breach of public "trust" is only the smoking gun that proves how horrible Equifax is. But, they have a long history of being a parasitic organization that will hopefully die soon.


> they won't let you unlock your credit to apply for a mortgage

So how do you recover from something like that? Are you basically prevented from using credit for the rest of your life?


There are legal limits to how long the data can be stored for. (I want to say it's a federal 7 year limit, but I might be wrong and it might be state laws). Eventually it all times out and your credit resets.


That's not the issue. They are required to immediately remove incorrect information from your credit report. A freeze prevents them from reporting your credit to third parties (i.e. it prevents them from doing business). So, they hate people who freeze their credit. Their strategy seems to be to make having a credit freeze so onerous that you won't do it so they can continue to sell your information to their customers.


For many years I could not get a new credit card, overdraft protection on a checking account or a mortgage. I finally was able to completely remove the freeze so that I could secure a mortgage.


I'm not so sure about that, the data they have just gets resold to some other party when they go bankrupt, possibly many other parties and shit gets worse.


Is there any legal way to stop sales like that? If it were shown that Equifax were negligent in protecting the data on their systems, could a court demand that they remove all of the data to mitigate further harm?


There are already 3 main credit bureaus who have all of your data. It's not about the data it's about how unethical they are in preventing you from controlling the data.

Think about it: if every person in America put a freeze on their credit, all of these companies would go out of business because they would no longer have a product to sell. It gets even worse if you're a victim of identity theft because they cannot charge victims of identity theft to freeze or un-freeze a credit report.


C'mon we live in the real world here. What makes you think Equifax will be put out of business? I agree, the scumbags should be put down like a suffering animal but that will never happen.


I don't really care where the money goes. I think that having one catastrophic event (huge lawsuits or fines leading to bankruptcy) for a corporate entity because of negligent security measures may lead other board rooms to move security measures up their priority list.


I don't think that would matter either. Executives will get golden parachutes and/or get jobs elsewhere doing the same thing.

I think the only solution is criminal charges/jail time against higher ups who prioritized profits over security.


It may cause security to get tightened to prevent these types of incidents, but I doubt that it will improve security culture. Going forward, we would theoretically be protected from a breach of this type in other companies, but proper security is a continually moving target. New methods exploits are discovered all the time. That's what I'm worried about - are they going to be proactive in securely protecting information against future threats, or will they just check a few boxes to continue with business as usual?


Business as usual, and you know it.


Could lead to actual legislation which IMO is needed. If companies like this fail miserably to protect data it's a sign something bigger is needed and missing. It's like how Arthur Andersen represented how accounting firms should not act, and failed miserably.


yes a case of "Pour encourjay lays ortras." as the late Terry Pratchett puts it


> I'm not excited about this class action; If they win, the individual payout will be almost nothing ($10?). The lawyers are the only ones who will really "make out" with 10's of millions in fees.

Equifax needs to feel pain so they behave better in the future. Their executives need to be taught that they need to invest in security or it will affect their balance sheet. That will happen even if the payout to individuals is small, just as long as it costs Equifax a lot.


I think this comment is missing the fact that Equifax will be financially punished as a result, possibly resulting in better systemic security overall.


I don't think this logically follows. More likely, Equifax will settle out of court for a much smaller sum. At that point there's now a literal dollar amount associated with a data breach. Perhaps some math will be done, proving out that there would need to be "N" number of breaches before the cost of settling out-of-court for the breaches would be more expensive than materially changing the way they manage data. And "N" number of breaches, that's just so unlikely.

At that point it would be fiscally irresponsible to properly secure this data. They would owe it to their shareholders to continue with their shoddy security and data management procedures.


I would guess they've already done this calculation. Similarly, due to externalities, the cost (to banks) of credit card and similar fraud is small compared to the expense of preventing it.


Don't disagree just some more thoughts.

The risk to the greatest number of people is the increase in interest rates if the lenders do not have the same level of trust in the credit reporting companies.

1% over 30 years is a lot.

Secondly, just taking preventative measures for say 10 years of credit monitoring, from not the company that leaked your data, would cost 15x12x10 = $1800.


I think a fund is a good idea, but how do you verify that the people claiming from the fund are the people who were affected? :)

Keeping my identity/online data safe just seems so hopeless that I don't think about it anymore.


I mean, as long as Equifax is hammered with damages, I'm happy.


It's a sign of how awful Equifax is that I find myself rooting for the law firms in this case. I really hope they win, and that they get the full $70 billion, and that it's enough to shutter Equifax permanently. What a win that would be! Also it would serve as a nice cautionary tale to companies that infosec matters. That insurance for data breaches matters.

Because right now, it's too easy for them to not care. It's us that suffer the consequences, not them. That has to change.


Yes, what a win it would be to simply transfer ownership of Equifax from one party to another in the event of bankruptcy. The business itself would continue and nothing would change.


Investors would get wiped out and many people canned. The signalling value is massive.


If you wipe out the investors, they will start demanding security before investing in a company. And, if you wipe out the stock, you also wipe out big chunks of the compensation of the CEO, CFO, CTO, etc.

Until this starts hitting important people in the wallet, nothing will change.


It's time for this draconian type of business service to be disrupted. It's gotten too big and unregulated.

We often question monopolistic behavior with regard to market share and competition for physical goods. However we don't see this type of questioning with regard to data monopolies. Hate to say it that while I enjoy the use of Google and Facebook, they may also fall into this arena. Though with those companies at least an order of magnitude worth of effort MORE is expended on some form of heightened security, communication, and standards primary thru tertiary of their core offering.


Equifax isn't a monopoly. There are four major credit bureaus in the US. At best that's an oligopoly, but all that realistically does in this situation is provide more points of security failure.


To be honest, I feel bad for the engineering team at Equifax. The vulnerability that compromised their system was a bug in an open-source Java library, Apache Struts, and security researchers only noticed it a few days ago. It seems that the Equifax team had very little time to react and update their software. In some sense, I feel that more blame should be placed on the engineers who built the highly popular open-source software, not the Equifax team. Some large number of Fortune 100 companies also experienced the same vulnerability simply because they trusted a widely used library.

Makes me wary of trusting other big OS libraries, but since rebuilding every part of the stack from scratch is infeasible and unproductive, we don't have much choice but to use them.

Technical announcement:

Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805):

https://lgtm.com/blog/apache_struts_CVE-2017-9805_announceme...


There is some debate as to which Struts exploit was used. If it was the one from Sept, 2017 then you make a valid argument. However, if the exploit used was years old then the fault clearly lies on Equifax for not keeping their servers up to date.

Also, didn't the Equifax breach happen in May, 2017? If so, I fail to see how the Sept, 2017 exploit plays into this unless it was in the wild months before it was published in Sept, 2017 - which I find hard to believe.


> In some sense, I feel that more blame should be placed on the engineers who built the highly popular open-source software, not the Equifax team.

I completely disagree. It is open-source for a reason. If you find a bug in it, fix it and everybody wins. Otherwise, nobody would ever publish any code/software because you would get sued if you made any mistake. On top of that, the software is free. So you basically want to blame some group which gave you something for free which you used to make big money and expect to also sue them for consequences if they made a mistake.

I also feel bad for the engineering team at Equifax. But on the other hand, you have to take into account that any software you employ could have a security flaw in it. That is why you should have additional means to protect it and no single point of failure. And this is especially true if your whole business depends on that data!

edit: spell check


But why were 143 million records of personal consumer information stored in a way that they could be accessed via a vulnerability in a web server in the first place?

I would have expected this type of data to be stored in such a way that even if someone got access to one of their web/application servers they wouldn't be able to dump 143 million records from it without serious red flags going off.


I would have expected the data to be encrypted at rest. I am not sure why that was not the case.


It doesn't help if that data is being accessed all the time by applications. You just have to break into one application in order to exfil the data or to get the decryption method along with the encrypted data.

'Encryption at rest' only works for data that is not actively used, like backups or if a physical storage device is stolen.

A better additional safeguard is to have quotas and alarms in place for data access. Is data being accessed sequentially in an application environment where data is usually accessed randomly? Is data access bound to individual credentials and do individuals access more data than usual?

I think, there is actually potential for new database products or addons, which can reduce the impact of breaches in the vicinity of these 'core databases'.
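The quota and access-pattern alarms suggested in the comment above, as an added example that is not part of the thread or of any Equifax system. The credential names, record ids, thresholds and the `Read` audit-record shape are all assumptions, constructed for illustration.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class AccessAnomalyDemo {
    // One audited read: which credential fetched which record id (constructed schema).
    static final class Read {
        final String credential;
        final long recordId;
        Read(String credential, long recordId) {
            this.credential = credential;
            this.recordId = recordId;
        }
    }

    static final class Finding {
        final String credential;
        final String reason;
        Finding(String credential, String reason) {
            this.credential = credential;
            this.reason = reason;
        }
        @Override public String toString() { return credential + ": " + reason; }
    }

    // Assumed thresholds for one monitoring window; tune against a real baseline.
    static final int QUOTA_DISTINCT_RECORDS = 50;
    static final double SEQUENTIAL_RATIO_ALARM = 0.8;
    static final int MIN_READS_FOR_PATTERN = 10;

    // Evaluates one time window of audit records, in the order they were read.
    static List<Finding> analyze(List<Read> window) {
        Map<String, List<Long>> byCredential = new LinkedHashMap<>();
        for (Read r : window) {
            byCredential.computeIfAbsent(r.credential, k -> new ArrayList<>()).add(r.recordId);
        }
        List<Finding> findings = new ArrayList<>();
        for (Map.Entry<String, List<Long>> e : byCredential.entrySet()) {
            List<Long> ids = e.getValue();

            // Quota: how many different people's records did this credential touch?
            int distinct = new HashSet<>(ids).size();
            if (distinct > QUOTA_DISTINCT_RECORDS) {
                findings.add(new Finding(e.getKey(),
                    "quota exceeded, " + distinct + " distinct records in window"));
            }

            // Pattern: interactive lookups jump around the key space, while a
            // bulk dump tends to walk it in order (id, id+1, id+2, ...).
            if (ids.size() >= MIN_READS_FOR_PATTERN) {
                int sequentialSteps = 0;
                for (int i = 1; i < ids.size(); i++) {
                    if (ids.get(i) - ids.get(i - 1) == 1) {
                        sequentialSteps++;
                    }
                }
                double ratio = (double) sequentialSteps / (ids.size() - 1);
                if (ratio >= SEQUENTIAL_RATIO_ALARM) {
                    findings.add(new Finding(e.getKey(),
                        "sequential access, " + Math.round(ratio * 100) + "% of reads follow the previous id"));
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        List<Read> window = new ArrayList<>();
        // Constructed sample: a front end doing scattered, per-customer lookups.
        long[] scattered = {88213, 1042, 553901, 77, 88213, 230114, 9981, 412, 66050, 1042, 730022, 5150};
        for (long id : scattered) {
            window.add(new Read("app-web-01", id));
        }
        // Constructed sample: another credential reading the table in key order.
        for (long id = 1; id <= 200; id++) {
            window.add(new Read("app-web-02", id));
        }
        for (Finding f : analyze(window)) {
            System.out.println(f);
        }
    }
}
```

Only the second credential is reported, once for volume and once for access order; enforcing the quota in the data tier rather than in the application means a compromised application server cannot raise its own limit.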


To sum up your link, the vulnerability is the use of an unsafe deserialization similar to:

    ObjectInputStream ois = new ObjectInputStream(input);
    MyObject obj = (MyObject)ois.readObject();
https://lgtm.com/blog/finding_unsafe_deserialization_with_ql
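An added example (not from the thread, the linked post or Struts itself) that puts the pattern quoted above next to a hardened read using the JDK's `ObjectInputFilter` allow-list, available in Java 9 and later. `MyObject` mirrors the name in the snippet; the class body and the size limits are assumptions, and the "unexpected" input is a harmless `ArrayList` built inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class FilteredDeserializationDemo {
    // The only type the application expects on this stream (hypothetical).
    static final class MyObject implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        MyObject(String name) { this.name = name; }
    }

    // Pattern from the comment: readObject() instantiates whatever class the
    // stream names. The cast to MyObject only runs after that has happened.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Allow-list: exactly one class, bounded graph size, everything else rejected.
    // The limits are assumed values for a small message.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
        MyObject.class.getName() + ";maxdepth=4;maxrefs=64;maxbytes=4096;!*");

    // Hardened read: the filter is consulted before any class in the stream
    // is instantiated, so an unexpected type never gets constructed.
    static MyObject readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return (MyObject) ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected object, one of a type the
        // application never meant to accept (a benign stand-in).
        byte[] expected = serialize(new MyObject("constructed sample"));
        ArrayList<String> other = new ArrayList<>();
        other.add("x");
        byte[] unexpected = serialize(other);

        // Unfiltered: the unexpected type is fully deserialized.
        System.out.println("unfiltered read produced: "
            + readUnfiltered(unexpected).getClass().getName());

        // Filtered: the expected type still works.
        System.out.println("filtered read of expected type: " + readFiltered(expected).name);

        // Filtered: the unexpected type is refused before instantiation.
        try {
            readFiltered(unexpected);
            System.out.println("unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected: " + e.getMessage());
        }
    }
}
```

A filter of this kind limits what a stream can instantiate; it does not replace patching the library or avoiding native serialization for untrusted input.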


so writing your own software is "unproductive" but you also want to put the blame onto the people who made a framework available?... do you want open source to go away? or do you think that companies that protect such valuable information should be spending more on security assurances?


Consider the possibility that the hackers were agents of a sovereign power, such as one who has been hurt by economic sanctions and has a history of cyber warfare. This state could decide to respond to US economic aggression by using the compromised information of hundreds of millions of Americans to engage in fraudulent activity.

This event is leading me to think about how social security numbers can no longer serve the role that they have with establishing trust in identity, although they can continue to be used to uniquely identify a US citizen. This hack may push markets, and government, to widely adopt biometrics and other sensitive, personally identifiable information.

What won't happen, unfortunately, is the political will to regulate how uniquely identifiable personal information is managed and stored.

Suppose that rather than Equifax, Facebook were hacked. What kind of intelligence and reports does Facebook have on people that would eclipse that of social security numbers and credit history?


That was the threat when the OPM got hacked a few years back -- anyone who ever had a background investigation done for a federal job now had their background info in some Russian or Chinese database dump. With that level of detail, you could start blackmailing some Lockheed or Raytheon employees until they leak some stealth fighter radar secrets to make the monthly false home loan headaches go away.

I don't think the next world war will be fought with nukes, it will be an economic fight. Leak a few corporate secrets [1] to stall the economy, use the OPM dump and this Equifax dump to originate enough false loans to seize up the financial sector, then cause havoc across the electrical grid [2] like you did during the annexation of Crimea just to make sure they stay down.

We've been blind to the other half of the threat of centralized information repositories... the 1984 Big Brother scenario assumes the holder of the information wants to control the citizens, but we never considered the information might have leaked to an actor who wants to destroy the citizens.

[1]: https://en.wikipedia.org/wiki/Sony_Pictures_hack

[2]: https://www.wired.com/story/hackers-gain-switch-flipping-acc...


Welcome to WWIII, now in progress. The Russians are kicking our teeth in: they managed to trick us into electing Donald Trump as President...


Undoubtedly Equifax will claim that the hackers were agents of a sovereign power, to escape liability. Regardless, they admitted on their own web page that there was a flaw in their web application.

Biometrics would be a terrible idea. Mass surveillance, anyone?


> Biometrics would be a terrible idea. Mass surveillance, anyone?

What if the biometrics were stored on something you have - say a smartcard (definitely not a phone!)? Along with a PIN. Plus, these two items went into a "write only" store on the card (actually, a hashed value of both are stored).

You have a card reader (one at home - and any place you are doing a transaction to confirm identity also has one). You put in your card. Type your PIN. Present your (physical) biometric.

The reader takes the data, passes it to the card (or maybe the card has the reader and pin pad?). The card runs the hashing again, and compares the values. If all is good, it outputs a "Yes" otherwise a "No".

Remember, only the card holds the data (a hashed version) of the biometric and the PIN. That can only be written (you can do this with your terminal at home?). The only output the card has is that "yes/no" value.

All transactions of such nature would be done with this card.

I'm probably missing some steps or such - but the idea is there. That gives a 3-factor authentication system.

Don't expect it to ever be implemented.


I was not aware the citizenship of the hackers had any bearing on Equifax's liability in this case.


If it's a foreign government it's considered an "act of God" (i.e. something out of their control), which releases a lot of liability.


to me if you store passwords in plaintext, it is criminal negligence even if God himself did the hack


Force Majeure


So everybody has been talking about "freezing" your Equifax account for a little bit of protection... Well it turns out the Equifax security freeze PIN (which is all the "secret" info an attacker needs to unfreeze it) is just the date & time: MMDDYYHHMM! https://mobile.twitter.com/webster/status/906346071210778625


If this is true (and it looks like it is), this is absolutely insane. For me this puts Equifax into beyond negligent territory.


But would not an attacker then have to know the exact minute that you froze your account on? If you have only a few tries to unlock your account - how would attacker possibly guess it?


525,600 possible pins for a whole year is staggeringly tiny.

1440 tries max if you know the day. 720 if you know if it was day or night. Botnet and/or proxies can do the rest


Has anyone notified them of this buffoonery?


My hope is that this opens a larger discussion on the business practices of these credit bureaus, the kind of data they collect, and ultimately their harm to the public good.

As far as I'm concerned, they stole my data first, then they packaged it up neatly and gave it to shady persons.

Yes, I'm aware that I "consented" to their collection of my data when I signed up for a credit card, or a car loan, but it's not a system you can realistically opt out of. If I want to rent an apartment or, sometimes, even get a job, I need to consent to a credit pull, so I need to have a positive credit history.

So, we have a private sector monopoly that I am coerced to give my data to, for free, to function in society. Seems like a good business to be in, but as an outsider I'd like to see something drastic happen. Perhaps nationalization, or breaking up of the big three with deep regulation.

*edited to add omitted "three" in last sentence.


Nationalization of credit agencies - or even regulation governing exactly how credit scores are computed, and making that information transparent to the public - would be a huge step forward. Credit-determining algorithms are presently a black box to the public.


Is it not possible to write to our legislative representatives about this about how we think?


You can absolutely write them, you just might find you have a hard time making them care over the sound of campaign donations from the credit oligopoly.


I call both my senators and my congressional representative almost daily. It's important to do, I think more people need to be active in that sense.


I have said for years this credit controlling triopoly needs to be shut down and replaced with something less disgusting. Ever tried to fix a mistake they made in your credit report? You may as well be dealing with the Spanish Inquisition. There is no penalty for Cxx's who perpetuate inept security to make more money so security is always job #99. These folks seem to have cornered the market on ineptness. I doubt any lawsuit will make them do anything different.


Organizations at the hazy nexus of the public-private spheres (e.g. public benefits corporations, regional transit authorities, FINRA, health insurance companies) appear to be endlessly prone to "disgusting" fallout like this, no?


It's always seemed odd to me that Experian and Equifax have the upside of being both arbitrarily in charge of so much data and wield ridiculous power, and yet somehow they're still largely independent and profit making.

I'll watch the outcome of this breach with interest. It strikes me that at the very least credit rating agencies should be non-profit and very closely monitored by government. This will include ensuring security best practice is followed.

As others have rightly pointed out, they even have the audacity to call us customers. Like somehow we turned 18 and signed up for their service. I certainly didn't, and it annoys me that a company whom I have no control over can make or break my credit history.


> It strikes me that at the very least credit rating agencies should be non-profit and very closely monitored by government. This will include ensuring security best practice is followed.

Tell that to people riding their free class-action credit monitoring from when their OPM background investigation records got leaked to the Russians or Chinese thanks to the government's "security best practices".


You're what's called a "consumer", as in "Consumer Financial Protection Bureau". You're only a "customer" of Equifax if you purchase one of their products.

The CRAs don't make or break your credit history, that's the businesses that supply information to them. The CRAs are aggregators, and just report what their members tell them.


Credit algorithms, specifically your FICO score, are not transparent. There is no reason beyond the naive assumption of good faith on the part of these companies to believe that they don't make or break at least your credit SCORE.


I don't think you're even a consumer.

You are the product.

They sell this "information" (your identity and more) between businesses looking to establish whether to give you credit or whatnot.


> It strikes me that at the very least credit rating agencies should be non-profit and very closely monitored by government.

Personal data should be treated with the same care as nuclear fuel. Very very strict conditions.


The US has an adult population (who would hence have credit profiles) of 245 million people. At 143 million, this breach affects more than half of the adult population. Given this, the majority of credit rating systems of the US has been compromised. Isn't this enough that the whole "social security number as a master key" system has to be dismantled? How can it be trusted now?

There is no way to opt out of having your data collected and sold by Equifax, Experian, TransUnion. The power these companies have over US citizens is incredible.

Anyone that's ever tried to remove incorrect data on their credit report knows how painful it is to deal with these companies. Despite dealing and brokering in electronic data to buyers of your credit profile, your interactions with them as a consumer can only occur via paper mail and mailing letters which means weeks or even months for basic communication. They operate like thugs. I hope this is the end of them and by extension the other two agencies as well.


I don't think the SSN can be trusted as a key. They should be considered public data now. There's no going back.


Coordinating the response here is the key part here, but "massive number of suits in small-claims court" is probably better for threatening Equifax with an existential legal threat.

Equifax employs about 10,000 people worldwide. A million small-claims cases has each Equifax employee handling 100 small-claims cases. I don't think they can handle that level of distributed legal aggression. It just takes too much time by too many people, especially if people refuse to settle for anything less than $1000.

Probably the best way to crowdsource it is to go through the process yourself, write a step-by-step guide to what you did, and post the results on social media.


Does anyone know of a sort of recipe book for how to file a small claims court case in this sort of matter? I'm interested in this avenue but I don't want to spend a lot of time figuring out how to do it or potentially screw up some little thing that renders the whole effort futile. It seems like the argument might be slightly more subtle than a case of, say, theft or fraud. It's negligence.



The super fucked up part is that it automatically signs you up for their "Credit protection" if you use their site to see if you were impacted. Doesn't ask if you'd like to, just says "Thanks for signing up, your year starts now!"


Actually, since I'm affected, I got a different message. It's even worse.

They gave me a date in September that I have to remember to come back and sign up for. It's the equivalent of grabbing a ticket in the deli line.

Look at this text: "Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process".

That's enraging. You tell me I'm affected and now I have to come back at some date/time and sign up? At least it has given me the time to read all the comments about waiving class action participation.


How can they justify that? This is 2017. It is stupid easy for them to send out reminders, once a day if need be.

At what point do we finally tell abusive companies like this that they're no longer allowed to be a company?


I got the same message, but nowhere did I read "you have been affected". Is this just implied?

I cancelled my Equifax credit watch account about 5 months ago, when they decided to raise rates.

Never have I hoped so much for a business to be sued out of existence. And hopefully their inside traders will get jail time (yeah, right).


It wasn't implied for me. I put in my SSID (6 digits) and last name. It then told me:

"Based on the information provided, we believe that your personal information may have been impacted by this incident."

It then had some button, I forgot what the button said. This led to the screen about "save the date" for protection.


I got the same message plus "Click the button below to continue your enrollment in TrustedID Premier." The button said "Enroll" so I stopped there.


When I entered my info I got a message saying they do not think I'd been affected by the hack. So if you get a different message, it's probably safe to assume you're affected.


Same situation, same experience, same level of outrage. Sign me up for the class.


Even worse, you agree to arbitration in case of disputes, waiving your rights to sue... not sure if even enforceable.

You can check if you're impacted then just not proceed to click "enroll" and be able to check without auto-enrolling and agreeing to their 1yr protection + arbitration agreement.


Nah it's OK, I'll just claim that someone got my SIN number and must have used it to access the site...wasn't me - I swear!

There is now plausible deniability for so many things.


From my reading of ToS it also apparently waives your right to be a part of a class action lawsuit against Equifax...


Apparently now they're saying that only applies to the monitoring service, and not to the breach itself. It was on Consumerist (https://consumerist.com/2017/09/08/equifax-already-being-sue...).


> From my reading of ToS it also apparently waives your right to be a part of a class action lawsuit against Equifax...

IIRC, there wasn't even a clickthrough and they framed it as "find out if you're affected." How could that be enforceable?


You'll probably get nothing of note anyway from class action given the scale of this breach. If you are truly impacted in some way, you'll be better off in small claims (or a full suit if it devastates you enough.)


This is beyond absurd.


Second bullet on https://www.equifaxsecurity2017.com/enroll/ contradicts the "automatically"?

... Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier.


do the TOS require one to only go through mediation as a part of this, so by signing up you waive your right to sue?


That should be ex-post-facto of the data breach (i.e. they leaked your data before you agreed to the TOS so you waive your rights to sue from that point forward). I'm not a lawyer and I wouldn't agree to this. I checked and I am affected. I'm going to sign up for LifeLock (because it's super expensive) and file a small claim to recoup the cost.

I really hope this puts Equifax out of business.


I'm curious as to whether any lawyers here can chime in on how well this TOS would hold up in court. I know when I went to check I was never shown the TOS or even a checkbox that needed to be checked to confirm that I agreed to the ToS with a link to them. It feels like the ToS are what comes with the ID protection service and were meant to apply only to lawsuits that might arise from using the ID protection service, but IANAL.


Yes, the TOS does require arbitration (including for actions that occurred before signing the TOS), but it's not clear if it applies to just the child company that is providing the credit monitoring service or if it applies to the actions of the parent company, too.

I am not a lawyer.

https://trustedidpremier.com/static/terms


One thing I'm trying to wrestle with is why they would make you agree to arbitration for actions prior to signing TOS if indeed it applies only to the child company. Your relationship with the child company begins when you sign the TOS, no?


Yup


It seems that checking to see if you're affected by the Equifax breach waives your right to sue Equifax:

https://techcrunch.com/2017/09/07/i-called-equifax-to-find-o...

No idea how ironclad such a clause would be, though.


The Attorney General of NY says it's not:

https://twitter.com/AGSchneiderman/status/906195350532304896


At this point they will tell you if you're affected and then offer to enroll you in their complimentary "TrustedID" program. If you choose to enroll, that is when you waive your right to join any class action lawsuit.


This isn't true. Just by entering in your information to check if you're affected, you'll be enrolled automatically if you were indeed affected.

Really scummy behavior.


This is not true. I checked, and it offered me the opportunity to sign up "on or after" a specific date. There is no automatic enrollment.


Sorry, I misspoke a bit there. What I was trying to point out was that

> If you choose to enroll, that is when you waive your right to join any class action lawsuit.

Isn't true. Just by using the site to check, you're waiving your right to participate in a lawsuit, as expressed in the site's Terms of Use linked at the bottom:

http://www.equifax.com/terms/

> THIS PRODUCT AGREEMENT AND TERMS OF USE ("AGREEMENT") CONTAINS THE TERMS AND CONDITIONS UPON WHICH YOU MAY PURCHASE AND USE OUR PRODUCTS THROUGH THE WWW.EQUIFAX.COM, WWW.IDENTITYPROTECTION.COM AND WWW.IDPROTECTION.COM WEBSITES AND ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES ("SITE").

> No Class or Representative Arbitrations. The arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis.

Further detail from an actual lawyer in this comment:

https://news.ycombinator.com/item?id=15203185


Suppose each person affected has to spend an hour protecting themselves from this breach. The cost in wasted time would be 16,313 years.

It's high time to set an example. Equifax should no longer exist as a company. People responsible should end up in jail. Company executives should be held personally liable. Some would claim it is unfair, but the only way to keep this from happening again and again is for those responsible to face serious consequences.


As usual, Bruce Schneier was right.

"Data is a Toxic Asset" https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...


How likely is it that Equifax will face any real trouble from this breach? Will this be one of the first cases where security negligence causes real harm to a company? Or will it turn out to be another slap on the wrist?


Slap on the wrist, guaranteed:

- potentially every one of the 143M people are going to have some sort of trouble

- WORST CASE equifax shuts down, but that doesn't matter. too late.

- if everyone was to win a lawsuit for everything equifax is worth, they'd get maybe $100 minus lawyer fees.

And worse, now we have a financial system dependent on 2 companies. Making a 3rd isn't an easy matter.

::shrug::


EquiFax declares bankruptcy, re-orgs and rebrands.


If the insider dealing allegations are founded, jail time.


143 million people, or essentially every US citizen over 18 (give or take a few million.) It most likely includes Senators, Congressmen, Donald Trump etc etc. So, yeah, a lot of people will be inconvenienced and pissed off, and for a very good reason.


Senators, congressmen and Donald Trump himself all had their data previously leaked at least once before. Nothing changed as a result.


I should hope something happens. This is a monumental fuckup.


It irks me that I can't file a "long term" (7 year) fraud alert unless I can prove with a police report that my identity has already been stolen. It's like giving people a flu shot only if they can prove with a doctor's note that they currently have the flu. Hello! We're trying to prevent fraud here!

This whole industry needs to be turned upside down.


That’ll be nice for some lawyers. I’d prefer to see severe civil and/or criminal penalties for the senior management folks who allowed this to happen on their watch. Expect many more breaches of this magnitude until C-levels start to feel the consequences of their negligence.


Anyone have a good source for an unbiased (i.e. not trying to sell me something) "what exactly should I do" now? File for the class action? Freeze my accounts? Get identity protection?


A buddy of mine sent me this reddit thread, I'm reading through it still and don't have much finance/credit knowledge, but it seems legit and unbiased to me so far:

https://www.reddit.com/r/personalfinance/comments/6yv4gb/off...

Would be interested in hearing other opinions on what's being said there, especially regarding using the www.equifaxsecurity2017.com site and legal rights.


Doing a credit freeze is a good idea regardless of the recent events: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


In my state that costs $10/bureau, plus another $10 to temporarily unfreeze or permanently unfreeze. The fact that they can leak my information and then charge me to protect myself just seems wrong.


I just finished filing a complaint with my state's attorney general's office. YMMV, though.


How did you find out if you were affected?


Presumably (s)he holds a US credit card. The stats on this release are such that most adult Americans are more likely affected than not.


Even when there isn't a data breach I don't understand how all big 3 credit agencies survive doing their business as they currently do... which is to expose people to the injury of identity theft by default, and then tell them to pay up if they want a product that protects them from that threat. How is that not seen as akin to a gangster protection racket?


Credit card companies could provide other businesses such as Equifax distinct mere-reference numbers which the customer doesn't see and which can't be used for purchases - just to absolutely identify which card, for all parties. These could be added to the magnetic stripe or chip in the card, for example. (It might be gilding the lily, but many such reference numbers could be used for a given card, re privacy issues or otherwise. But then those numbers couldn't be usefully passed between companies for all purposes.)

There's no need for anyone but the customer and Credit Card company itself to retain the actual credit-obtaining-number (other than to allow future purchases with permission, which is the rarer case, often needs to be prevented not facilitated, and doesn't excuse Equifax having more than a reference number.)

Yet the credit card companies don't do this. Why not? 'Cause humans are idiots, all of us, that's why.

PS - run to the patent office and you might be able to make a ton of money patenting this, since patents are now given to whoever shows up at the patent office with the appropriate fees first. Precedence doesn't matter. You would be implying that you thought the idea up independently, of course, but you're smart, right? That's totally the sort of thing you could think of independently. Then when you're rich, you too can help choose what the patent laws look like, and whether rich people should pay taxes.


I'd love, love, love to finally see a company earnestly held responsible for their negligent security practices but I have no hope. Doubly so with this administration. Equifax getting run into the ground would help a president.


I'd appreciate advice from someone in the know about credit monitoring/repair services. There are so many and little credible information available about their capabilities and performance. If you have experience with this who do you recommend?

I've been caught up in the DOD breach, this Equifax incident and a couple smaller ones. I'm not interested in pinching pennies here; I want good results.


IMHO - credit monitoring has limited utility. While it can help you identify issues more quickly, it's still after the fact. For that reason, I bought the family a Zander Insurance plan. If you get hacked, they handle the fix (including outreach to the credit bureaus) and cover your expenses. This year they also added some credit/identity monitoring features and wallet replacement. I've not yet had to use them, but the service makes a lot of sense to me.

https://www.zanderins.com/idtheft2


Just freeze your credit. It costs a couple dollars, but worth it. It is a hassle to unfreeze sometimes, but worth it.

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


I'd like to know how much influence the consumer credit industry had in pushing through things like the Citizens United decision. Corporations love to be people when they can influence elections and make money off poor folks, but I wonder if they're ready to take the corporate death penalty when they break the law.

A bunch of class action lawsuits might make options like Move to Amend a lot more palatable to corporations facing that kind of scrutiny. It also gives political capital to organizations working to prevent rollbacks on consumer protections implemented after the Great Recession.

If Equifax's reputation hangs on a single hack, then they probably weren't that reputable to begin with. Why should we have to live under decisions that benefit them when they no longer exist, or weren't even who we thought they were?


Good. I hope they get sued into the stone age.

And then, I hope all of the other agencies take note, and start deleting their data.


Nah, they'll just create expendable shell companies to decouple the risk from the profit.


Any way to check if we're affected by the hack without putting info into their form? I called them earlier to see if I had an account, but I don't.


I like how people are encouraged to pay $5-10 to each reporting agency to have their file locked. Multiply that by the 140,000,000 people whose data leaked... should generate some nice revenue for all 3 of these companies holding your exploitable personal data hostage.


This is just pure crazy. There should not be any non-govt agencies that store such sensitive information. This is not like a credit card where you end up getting a new card. You can't change your name and SSN. I wonder how we will tackle this problem.


> I wonder how we will tackle this problem.

Short answer: We won't.

Nothing is likely to drastically change. It'll just be another blip on this week's news, and on to the next big thing that comes up.

Some individuals, over time, will likely have their lives screwed with, but because not everyone at one time will have this happen to them, nobody will care.

Think about how long the EU and others had chip-and-pin for their cards. Also, everyone knew it was more secure. But it's only been in the past 6 months or so that the United States is finally getting it - and it isn't everywhere yet.

I'm not trying to say chip-and-pin would have helped this situation (it wouldn't have). I'm just trying to convey just what kind of social and political inertia is at hand here in the United States, not to mention the size of our collective apathy, and extremely short attention spans.

Had something like this happened in the 1970s or 80s - heads would've rolled. 60 Minutes would have been all over it. Dan Rather would have frothed at the mouth. It would have been crazy to the extreme in the media and elsewhere. Change might have even occurred.

Today? We'll be lucky if we're still talking about this in any amount next Friday.


Equifax really needs to die over this, like Arthur Andersen after Enron.

https://en.wikipedia.org/wiki/Arthur_Andersen#Demise


I think suing the organizations who irresponsibly gave our data to such an unsafe organization will be more fruitful. Equifax doesn't have enough money to truly compensate, but JP Morgan, Bank of America, &c do.


Why is there not a criminal case against these idiots? When you are controlling something dangerous and you allow that thing to harm someone else, it's a criminal offense. It's not a matter of whether it's hard. It's simply your responsibility to ensure no one gets hurt.

This company has already caused harm to literally everyone in the US. Minimally, we all now have to take action to attempt to avoid identity theft. And it only gets worse from here.

And these bastards have the chutzpah to wait until Hurricane Irma is upon us to make the announcement.


Go to hell Equifax, whoever is in charge of security there should be put into custody before all the litigation.

Multiple steps must be taken nowadays for people to get a credit card, debit card or whatever (loans, money transfer, ...). Use SSN, name, mother's maiden name, a few security questions, two-step authentication by default, all passwords must be hashed and salted otherwise it is a crime for the DBA, etc.

Just switched away from my 15+-year Yahoo email after its leakage, now here comes Equifax, which is 1000x more critical, it is so bad.


> Others expressed frustration that three senior executives sold about $1.8 million in stock in the days following the discovery of the hack. A spokeswoman for Equifax said the men “had no knowledge that an intrusion had occurred at the time.”

Wait, what? Isn't this a blatant example of insider trading? Moreover connected to a problem they are responsible for? Do they seem to be really that stupid or is there a chance that they could get away with that in the end?


Assuming an approximately Bernoulli outcome from Equifax’s perspective, the stock market thinks there’s only a 13% chance they’ll be shuttered by this negligence.


This is an interesting point. I'm not great with math, but I'd love if you could share how you calculated that?


The company and its management should be bankrupted. In Roman times the architect of an aqueduct and his family had to stand under it during the final stages of construction. This was a motivation to ensure they did a good job. It's high time we brought back this sentiment to leadership. If you knowingly monumentally fuck up you should be ruined.


I'm involved in the design and maintenance of a PCI environment. Given the auditing requirements for these environments it is mind-boggling that an intrusion of this magnitude went unnoticed for several months.

I'm left with the conclusion that they were either negligent or incompetent, or layers of management were actively trying to cover things up.


How does Equifax build their database of people exactly? If it's all based on public information then they could argue that it's not really a leak. They are merely interpreting public information to build credit score.

I guess for subscribers they could get more information than is publicly accessible. What fraction does it represent?


It's not public data, it's data that creditors provide.


Private companies report information about you to the big agencies, and then they blend in public information. So it is a mix of public and private information.


The credit card companies and lenders provide them with your information. It's not public.


This is the kind of thing that should end/bankrupt a company.


Use of the site they created to check if your data was leaked may contain terms and conditions that waive your rights to sue.

[1] https://twitter.com/zackwhittaker/status/906178254331142144


With all the Equifax headlines today, I was wondering if there would be a few poor souls in the Equifax Tech Department who feel at least a bit responsible for the whole mess. (I do understand it is a collective responsibility of the management as well.)

edit: Was the analysis of the hack published?


The most frustrating place to be in these scenarios is the IT (especially security) department.

Go ask any security guy if they think their environment is secure. Very few of us will say yes. It frequently boils down to we ask for things, and there are budget/manpower/time limitations in getting them implemented.

So a breach occurs, execs say to IT staff "Why was this possible."

IT staff says "We requested back in <month> to fix this, and it's working through the slow process"

Execs say "Why didn't you scream louder, identifying it as a critical issue"

IT: "There are 1000's of other issues, just like this one. The attackers just managed to exploit this one, instead of one of the others. We can't identify all issues as critical, because then nothing is critical."

Both parties stay frustrated thinking the other isn't doing their job right.


Yeah, hopefully this is one of those wake up calls where the management realizes to funnel more resources into IT and security in general.


You mean on the board of directors, not in the tech department.

Edit: people never seem to like it when I say this. The phrase "the buck stops here" has a meaning.


Haha. I meant in all layers of the organization. Could be the IT Security Department, Policy Department, Could be the homegrown development team, anything.


The H1B's are not going to sacrifice their chance at citizenship nor should they.


Why is H1B relevant here?


A lawsuit seems appropriate, but I'm confused on their allegations. How can this lawsuit claim that Equifax "wasn't spending enough or doing enough to protect the information" when nobody, except for those within the company, knows how much is spent or done to protect the information?

Is there some public record I'm not aware of that says Equifax underspent on cybersecurity? Or is this lawsuit just a shot in the dark hoping to hit a target?

I wouldn't be surprised at all if the allegation is true, but AFAIK there's no way these individuals actually have proof of it, and it seems like a flaw in our legal system that people are allowed to make allegations like this without any type of proof.


That's what the "or" is for in "wasn't spending enough or doing enough." It's evident that they did not do enough to protect the information. Spend is a proxy for action, but ultimately it's the action (or inaction) that matters here. I only see them exonerating themselves to a large degree if they engaged in routine third-party audits of their security and consistently responded to every identified issue.


If the plaintiff's expert witnesses can be brought in to show convincingly that the nature of the breach - as we can see from the outside - suggests basic common safeguards were not taken, that could force Equifax's hand to show otherwise.


I'm not a lawyer, but is that not what discovery is for?


I think this shows the inanity of centralized credit rating agencies. How do we disrupt this? What if every person you owed money to (credit cards, mortgage companies, car loan companies) basically reported your payment status on a monthly basis on the blockchain? I think this could work... Anyone could check your credit history - but at least it would be decentralized. There's obviously a lot of questions: How do you protect privacy of individuals? How to identify individuals with a number other than your SSN? Or maybe you do anyway... keeping your SSN secret in this day and age is clearly not viable long-term.


The Fair Credit Reporting Act requires Consumer Reporting Agencies to do two things that are fundamentally at odds with the idea of using a blockchain: Negative information must be removed from your record after a certain amount of time. And false or inaccurate information - which some studies suggest exists on about 25% of consumer credit reports - must be removed or amended upon request.

Both of these are Good Things. One of the most important things our legal system provides is opportunities for remediation when something goes wrong.


Permanent and irrevocable authentication tokens are dangerous.


Time to get rid of credit agencies as a whole. They are entirely useless. Make a Government agency that handles it instead of trusting the private industry to make as much profit as they can to the detriment of damn near everyone.


I just want to complain about the credit freeze option for a second.

Like many other people I decided to use this because of the breach, I went to the government identity theft site and found some links.

Equifax - Fill out the form. "Additional information required" please mail stuff to us.

Experian - In your state (Washington) there is an 11 dollar fee for this service.

Transunion - Fill out a signup form, complete with god damn security questions. Do the quiz about stuff on my credit report. 10 dollar fee.

Go fuck yourselves you fucking bastards. I hope Experian goes out of business because of this, I really do.


From a security standpoint, it seems like there's a problem treating everyone's social security number as if it's some kind of secret key.

Has there been any real discussion about alternatives to the present system? How else could authentication work for opening a bank account?

I imagine that the present system survives (1) because of inertia, and (2) because it doesn't require much infrastructure and so it's relatively cheap.

Maybe the next step is something like putting a chip into driver's licenses and ID cards nationwide?


Soc sec. number is used as an immutable unique identifier for Americans since that's really the only piece of information that can be used in such a way. I'm not aware of anybody relying on it as a sole means of authentication... if it's used for authentication it's always combined with additional information such as "you had a revolving credit account with: a, b, c, or d".


This is probably a dumb question but how does Equifax, TransUnion, etc actually get the credit info in the first place? If I wanted to start a credit monitoring company, could I do it?


Your bank gives it to them.


How does the bank decide which credit reporting firm to give them to? In other words, if I made an Equifax competitor, how would I convince banks to give me this info?


> how would I convince banks to give me this info?

Read "The Art of the Deal."


I hope this succeeds and bankrupts Equifax, but then what? Over a hundred million Americans still have their SSN exposed, what are we going to do about that?


If someone offered me this case, I would probably decline it on grounds that I didn't see a reasonable prospect of winning.

Equifax still hasn't revealed any data about how it was hacked, without that information it's hard to prove they were negligent.

Negligence requires three things: duty, breach and damages.

As to duty:

Does Equifax really owe a duty to every single person whose data it keeps? That would be a tough argument to make. They didn't sign any contract or make any agreement with the people whose data they collect. So where does the duty come from?

Even if the plaintiffs were able to overcome that hurdle, they would then have to prove breach. Was Equifax careless in the way they handled information security? I don't see evidence of that; the mere fact that they were hacked doesn't necessarily mean they were careless. All Equifax would have to show to win on this count is that they had some sort of basic security system in place comparable to what other businesses its size have in place. My guess is that they do have a security system and that this probably wouldn't be hard to show.

Being hacked would be considered under law to be an intervening criminal action. It is established that people are not responsible when damage is caused by someone else's criminal action. So long as Equifax took basic, prudent steps to protect data, they can't be held responsible for intervening criminal action.

As to damages:

It's hard to see how anything of monetary value was lost by the plaintiffs in this case. There was a loss of privacy, but I haven't heard of courts giving out awards for that sort of loss.

I'm sure people more familiar with information security could point to flaws in the way Equifax protected info. And certainly the way they reacted to the hack was negative. But bad or imperfect behaviour doesn't in and of itself give rise to a claim for monetary damages in court. This case doesn't seem winnable to me.

There is some argument that if you use Equifax's identity theft protection you may be able to sue, which I think is what this class action is about. But that still doesn't give rise to damages because none of the plaintiffs can prove that their identity was actually stolen. And you still don't have breach (no proof that the hack was the result of Equifax's carelessness).


Is a credit freeze the most effective option here? What else can be done to prevent the possible effects of this? The FTC site also mentions a Fraud Alert for cases of suspected identity theft:

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


Question: Is there any way to get a notification whenever a credit account of any sort has been opened in my name, WITHOUT freezing my credit or otherwise crippling/slowing/altering any process that exists? I just want a letter or email notification, not any other changes to anything. Ideally a free way, but paid if a free way doesn't exist...


Bit curious about everyone's thought process with regard to credit freezing. I'm thinking about leaving the freeze in place and only doing a temporary unlock on an as-needed basis. Considering that the SSN and other info compromised have a longer lifetime, I really cannot think of any other option.


If you enter Test and 12345 into their "checking site" it says account has been breached:

https://twitter.com/zackwhittaker/status/906247688768905216


Our compliance rules dictate a 24-hour window before we must share the data breach; in what world do the top personal data overlords have no obligation to disclose in a shorter window? Maybe had they done that, they wouldn't have had time to cash out their stocks before they tanked upon release.


$70B works out to less than $500/ person.

I imagine that the firm will take 25-50%.

Also, Equifax will likely just go bankrupt vs. paying 4x what they are worth.

Perhaps we should seek to have the company turned over to the people, at which point a blockchain based credit system can be implemented.


It's time for the USA to adopt EU-style GDPR protections, by constitutional amendment if necessary.


We need more competition in consumer credit agencies and need more control over access.

We probably need more competition in corporate credit agencies as well, like Moody's/S&P that got us into the housing crash.

The lock-in deals these companies have make them get really lazy on their core tasks.


This is like the whole country's credit card holders got affected. Is it a suggested idea to freeze your credit reporting account and not allow any issuance of new credit cards? Or like SSN Lock provided by my EVerify provided by USCIS?

