Equifax under pressure after data breach update (bbc.co.uk)
191 points by yawz 11 months ago | 82 comments

Given the way they handled this, I assume Equifax actually has no idea what was leaked. The CEO publicly throwing a single sysadmin under the bus for lack of patches indicates they are probably operating in the security stone ages and have insufficient logging to reconstruct what happened in any capacity. Just my guess.

> I assume Equifax actually has no idea what was leaked...

Agree. But not necessarily due to ineptitude.

> "...throwing a single sysadmin under the bus for lack of patches indicates they are probably operating in the security stone ages..."

Disagree about the conclusiveness of the indication. Disagree strongly. Equifax, Experian, & TransUnion are all high-value targets for state-level actors who are probably pretty good at breaking into things.

If we ever find out that 8-year-old Jimmy from New Jersey broke into Equifax instead of...say...Russia, I'll owe you a dollar.

Data about people needs to become a huge liability for corporations. If they want to (massively) profit off information about me, there must be incentives to keep that information safe beyond bad PR when it leaks. There's a legislative idea I like, undeniably a pipe dream at this moment, which in broad strokes is this:

If a corporation holds data records about people, and those records are leaked in any way, a fine of $100-1000 (depending on severity) per record must immediately be paid to a supervising government agency. The impacted people can then receive their share of the fine upon request.

You can Socrates this whole thing to death (what is a record? what is a leak?) but our legal system is, if nothing else, extremely well-practiced at creating robust definitions for abstract things. The solution presented seems extreme within our current paradigm, but it (or something like it) must come to pass if we are to have any hope of avoiding information dystopia.

GDPR hopefully will be what you are asking for.

Others on HN have recommended this before and I finally went ahead and froze my credit reports with the credit agencies. I haven't missed it in the last six months. If I ever need a car loan or credit card, I can temporarily unfreeze with specific agencies to grant access to the creditor. Here are the numbers:

Equifax — 1-800-349-9960

Experian — 1-888-397-3742

TransUnion — 1-888-909-8872

Innovis — 1-800-540-2505

A lawyer friend of mine who specializes in identity theft told me this was too extreme a way to go and that I should sign up for Credit Karma. But isn't that just opening up yet another access point to thieves? Plus, I feel that freezing my credit denies these reporting agencies the value of data.

I'd love to freeze my credit but as one of the millions of Americans living overseas I have learned that this is flat out impossible for us. I've even written to my Senators and they can't get it done either. (One positive note: it was surprisingly easy to reach them and they seemed genuinely eager to help.)

Fortunately 'identity theft' is an imaginary concept, you cannot have your identity stolen - you are still you and no one can ever change that. It's the financial institutions' problem to fix at the end of the day, but there is this expectation that you are obliged to help them understand how they fell for a scam, and you are expected to do this for free or they make your life more difficult.

We do need a better system for expats.

The entire term "identity theft" is designed to offload blame from the companies themselves. Should be called "criminally negligent data loss" in many cases.

Yes. A negligent bank blames you because they didn't bother verifying a criminal's claim to be you.

Someone on another HN thread suggested the term "bank slander".

I was able to complete freezes online for all. Are you able to say why it posed an obstacle for you to freeze your file please?

The credit bureaus were unwilling to validate requests from non-US addresses when I tried, just after news broke of the Equifax breach. The online forms literally had no provision for changing the country, with US State and ZIP code (of my current address) being mandatory fields.

I asked about it in the expats Stack Exchange site and others had the same problem: https://expatriates.stackexchange.com/questions/12104/how-ca...

Same goes for Social Security accounts, they require a US address before they permit you to log in online and monitor your account for fraud.

> A lawyer friend of mine who specializes in identity theft

That's odd. IANAL but everyone I know (including lawyers) says that freezing it is the way to go.

Maybe if everyone froze their credit your friend might be looking for new work? ;)

I've had mine frozen for years. Unfrozen it once to buy a house and a second time to buy a car. Not a problem. As a side benefit, it keeps me from applying for random credit cards.

I don't know if it denies the agencies the value of your data, but maybe so, because they clearly don't want you to do it.

> I don't know if it denies the agencies the value of your data, but maybe so, because they clearly don't want you to do it.

It does. There's a cost per credit file to store/manage, and with a freeze in place, no revenue generation can occur on that file.

Highly recommend US residents freezing their Work Number file [1], in addition to their credit file at each of the 3 credit reporting agencies.

[1] https://krebsonsecurity.com/2017/11/how-to-opt-out-of-equifa...

Anyone with an existing credit relationship with you can still do soft inquiries, so it’s not complete, but (on paper) it does prevent them from selling your name to others. However, if you look even closer, these companies have other databases which are not intended for being used in credit decisions and are thus not subject to FCRA, and it’s impossible to have information removed from those. They have every address I ever lived at, every phone number I’ve ever had, a list of known associates including relatives of ex-girlfriends whom I lived with only briefly during school, and apparently I own a sporting goods store in Texas - can’t tell them otherwise.

Whoa wait what how do I find my info in there?

I wouldn't trust a fox to tell me how to keep my chickens.

Have fun trying to get it unfrozen. I work for a financial services company. Every time I speak with someone about unfreezing their credit, I laugh and tell them "good luck but I can't open a new account for you until your credit is unfrozen. I understand you froze it for identity protection but your credit is frozen. You told the financial companies to not open any new accounts, even for yourself. There's nothing I can do for you right now".

Have fun trying to get it unfrozen.

Why? Is it really that hard getting it unfrozen?

You just told the credit agencies that there's fraud on your account but now need just a one time exception to break the freeze. Just think about that from the agency's position.

What? I have unfrozen my account twice. It costs money every time I unfreeze; that is about it.

What if the function freeze_credit_report(..) is buggy too? I do not think freezing a credit report will make this any safer. It might be just another flag in their already buggy system.

Seems like you did the right thing: https://youtu.be/vsMydMDi3rI?t=2397

They should be shut down permanently. Full stop.

Furthermore, the very existence of these credit agencies should be sincerely alarming to most normal people, and probably already is. These databases should not exist.

Agreed. We don’t wait for a bomb to go off before arresting a terrorist. We arrest them for having the bomb.

Equifax, TransUnion and the others are clearly bombs waiting to explode.

Arrest the bastards and shut them down before they go off!

>These databases should not exist.

Especially since consumers have no say in the matter at all.

Oh C'mon!!! -1?! lol

Immediate dismantlement of the credit-bureaus outside of a police-state would lead to...for example, pissed off sys-admins who want to sell the last valuable thing they have access to: MOAR consumer information that they already have about you.

Additionally, personal lending would either cease for a period (and break the economy), or they'd come up with a new way to judge our ability to repay & it would undoubtedly be bad/reactionary, & we'd have a version of 2008.

There's a natural tendency to want to "BURN IT DOWN!!!" b/c it's bad; I get that, but we haven't done the work to come up with something better & a transition plan. This is how the Arab Spring turned into MF Admiral Sisi (or whatever) in Egypt, despite good initial intentions.

We are completely entrenched in this consumer-lending system whether you like it or not.

You need a "what comes after?" plan. I feel like this is common sense????

rotrux 11 months ago [flagged]

Could you please stop posting unsubstantive comments to Hacker News?


I find the comments here fascinating. The consensus seems to be very much that Equifax were negligent and shouldn't be able to run operations like this.

Meanwhile we have this[0] thread (also on the front page of HN as I write) about how the EU is cracking down on US tech firms' data collection activities and the GDPR which is seeking to restrict it. There is much less of a consensus on there that it is a Good Thing. There are accusations that this is a restriction on US trade, or some kind of EU tech envy.

I find it hard to reconcile these two positions? The EU seem to be doing exactly what people on this thread are asking for? The GDPR would enable regulators to impose crippling fines (4% of global turnover) if Equifax were to lose EU citizens' data after May this year. Do people want similar law in the US or not?

> I find it hard to reconcile these two positions?

I would assume (but can't be bothered to verify) that those positions are being held by different people.

As an independent voter, I think we need more congresspeople like Elizabeth Warren!

It's disgusting that the majority of congress are letting this slide.

The majority of their constituents are letting it slide. Data breaches are a yawn to most of the American public. They don't really understand what it means, they think the problem is "hackers" and not poor security practices, and few are ever directly victimized.

I would agree. It's the same with privacy and mass surveillance. The main issue is education and the fact that most people don't quite understand what it means for the NSA to gobble up all of their data, including what they read, what they post online, where they go, who they talk to, and so on, and all without even needing an individual warrant.

From what I've seen, even previously pro-mass-surveillance people and politicians do a 180-degree turn on their surveillance stance when they discover that data has been used against them and it's impacting their life to a large degree at that point. This again points to the fact that they previously didn't truly understand the implications of mass surveillance and how easily it could be abused.

Let's not leave corporations (particularly in the tech industry) out of this; they have a great deal of the same information.

The ethics of data collection on a mass scale is something which all industries need to take a long, hard look at.

How do we combat this behavior? How do you convince the general populace that this is a big deal? I can't think of any way that isn't absolutely catastrophic... which would lead to a hurried, half-baked reactionary attempt to 'fix' the problem. Sigh.

Start fining companies when user data is lost. News would report on companies getting fined for shitty security practices, which also makes it clear that the problem isn't hackers. Plus companies have an incentive to spend money on securing their data.

They tried. The Republican Party leadership suspended all investigation of Equifax. Equifax is part of the finance industry and the finance industry are major sponsors of the Republican Party.

They're major sponsors of both parties. According to http://fortune.com/2017/03/08/wall-street-2016-election-spen... their donations in 2016 split about 45-55 Democrat-Republican. In 2012, according to http://www.businessinsider.com/wall-street-responsible-for-o... they contributed significantly to Obama's re-election campaign.

If you really think the "finance industry" as a whole is what's pushing for the Equifax investigation to be shelved, then I expect the same would have happened under Democratic leadership.

One of the biggest problems I see is that it is really hard to attribute an instance of identity theft to a specific breach. So you can't (as a reporter) go out and build stories about people directly affected by the breach to build awareness of the problem. People tend to ignore (or be ignorant of) the situation unless it affects themselves or the people they have relationships with.

She's a great consumer advocate. I don't like her as a politician. She'd be better if it weren't for all the lefter than average politics she brings with her.

Consumer advocacy is inherently leftist politics.

It was everybody. The breach was total. No point in assuming anything less.

For breaches involving PII like this, I think the default should be to assume everything was stolen, and it be the burden of the company to prove the breach was smaller.

No it wasn't. Nothing changed about the number of affected consumers.

This is just about as delicate an information-security problem as the world has faced.

It'd be one thing if you got a letter in the mail re: your personal exposure, but there's a very serious assumption that everyone is glossing over:

Do you want EVERYONE to know more about what Equifax lost about EVERYONE &, more importantly, you want it RIGHT NOW?

Well I guess so do I; the easier for me to ruin you and all your friends' credit & then get me a new-new sweeeet new yacht 4 to cruise around in some tropical country without an extradition treaty.

Mass disclosure before adequate protection or remediation measures (assuming any are possible) is IRRESPONSIBLE BC INFORMATION IS REALLY POWERFUL...this includes more metadata about what Equifax lost. You don't know what disclosure right-now will expose you to. This seems pretty clearly like an "err on the side of caution" situation.

That's easy: assume they have everything. So whatever is in your credit report, possibly including items so far back that your credit report would no longer list them, is out there. If it were anything less, if there were any good news at all, then you can bet it would be trumpeted from the highest towers. Only in the very worst of cases is there nothing positive left to spin.

It's been five months since it was publicly announced.

5 months is probably not enough time to fix whatever hell this would unleash. I'll stop short of saying Equifax doesn't need to be scared of bad press, but I will say the silence around this is at least partially to protect the people whose data was stolen.

I wonder if the personal financial information on everyone in Congress and the executive branch is in the data. You'd think they would get right on it given that they are equally at risk.

If I were Equifax, I’d have a group dedicated to monitoring the records of such people and ensuring that fraud got shut down very quickly with no cost or hassle to the target.

The real question is, why would someone offer credit products to someone just presenting an SSN and a signature? Mother's maiden name?

That's the real idiocy of the American system (not letting Equifax off the hook here).

That would imply a level of concern and corporate maturity that seems absent.

You misunderstand. It’s not about concern, but rather about insulating powerful people from the consequences of your fuckups so they’ll let you get on with the business of screwing over everybody else.

If your business is built on causing problems for essentially every American adult, you’ll get away with a lot more if you can exclude lawmakers from that set.

As a potential total tangent:

I wonder how much MORE this problem has become / is becoming as we replace sysadmins / systems people with developers who play with infrastructure APIs like AWS, producing complex infrastructure under deadlines and with self-assurance. I say this because for years sysadmins were the bad guys, even slowing down progress, because security concerns, stability and best practices were to be considered before speed of delivery and features.

And I say all this because I'm a hybrid sysadmin/developer ("DevOps") consultant with a stronger leaning on the systems side historically; I can tell you that almost no one techs me out on the systems side of things anymore. By systems I mean core Linux and the typical ecosystem around it (including redundancy, performance and infra monitoring), infrastructure architecture and yes, security. There is wisdom and experience that's required here, and no 'bootcamps' can exist to replace that.

With a push to the cloud, is it possible that security has gone out the window? I'm 75% sure I know the answer, but I admit this would make a great research article.

Edit: although in this Equifax case perhaps that is a bad example. Unpatched systems?

Equifax competitor Experian offers a free "dark web scan" to find out if your identity has been compromised. It should be easy for Equifax to compete. All they have to do is query their own database.

And their stock is up a couple bucks today. Go figure.

Equifax did something bad, and Congress responded by making sure consumers would be unable to sue Equifax as a class.

The investors are probably correct in assuming that nothing bad will happen to Equifax over this.

Does anyone else think that Equifax will suffer long-term consequences and be acquired by another reporting agency?

No, they will benefit financially from this breach.

Shut it down. They provide no value to anyone.

I agree. Zero out the stockholders and send some executives to prison for negligence and fraud. The corporate death penalty is the only way we'll see companies take infosec seriously. If I were CEO at Transunion right now, looking at what's happened to Equifax as a result of the breach (nothing), I wouldn't spend a minute's time thinking about upgrading my security practices.

I'm in favor of shutting it down too. We have other credit bureaus and we need to make an example out of a major company that didn't respect its consumer data to make sure that practices tighten up.

Yep, absolutely no value. That's why all those banks and businesses pay them for their reports.

> That's why all those banks and businesses pay them for their reports.

Now those banks give me a worse interest rate because Equifax leaked my info and I have fraudulent activity on my record. Seems like everyone is winning in this debacle except for the people whose info was leaked.

File a report online with Equifax; they will have to remove it within a specified time period. Then have your bank run it again.

Yep, and they have no competitors so getting rid of Equifax means getting rid of the entire industry.

When did Experian and TransUnion stop trading?

I was using sarcasm in response to sarcasm.

I meant the industry as a whole.

But we don't have evidence the industry as a whole is being run like Equifax do we?

There are other competitors.

I was using sarcasm to respond to sarcasm.

Banks don't need to be provided value.

A business can be a total fuck up and still provide tremendous value.

Don't believe it? Just look at Uber.

tremendous value

Do not confuse no value to you with no value at all.

I didn't - I don't see the value that Uber offers to society - maybe breaking the taxi monopolies? Doesn't seem like something very valuable to society.

I'm talking about value to society.

Why on Earth should they be held to that kind of standard? The vast majority of society will never be their customer.

They are fundamentally selling things that don't belong to them.