
Equifax Data Breach

Celebrity

One of the worst data breaches ever was sustained by Equifax. I read a report on Friday that estimated the chance of anybody's personal info being stolen at 1 in 2.

https://www.nytimes.com/2017/09/08/...tions-are-confusing-heres-what-to-do-now.html

By Friday morning, this had changed, and I got a "your personal information may have been impacted by this incident" notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed "Trump" and arbitrary numbers and got the same message.

So... this is really bad. All of the data personally identifies the victims. The combination of a social security number and a last and first name could potentially cause real harm.

While Americans are getting robbed of their privacy, security, and identity, the responsible company is offering a credit monitoring service.

Why is it that I tolerate the cycle of abuse? First, my data was compromised. Then they offered to watch me. I can't get a moment of privacy, unless I go completely off the grid. But I grew up with this set of tools; phones, computers, credit cards, etc. Everything has a chip inside of it now, and that is not going to help protect against the theft of what thieves already have from the company which processes the data. What's going to happen when the credit monitoring service gets robbed?

How long does this have to go on before people demand some of their freedom and a little bit of privacy back?
 
There are two problems to address here, the SSN system which should be replaced with a national ID and secondly holding Equifax's management accountable.

Most likely neither will happen.
 
There are two problems to address here, the SSN system which should be replaced with a national ID and secondly holding Equifax's management accountable.

Most likely neither will happen.

I hope my family was not one of the people who entrusted this company with their security.
 
I hope my family was not one of the people who entrusted this company with their security.

Well you don't have a choice, they collect your data regardless of if you actually wanted them to. If you have ever taken out a credit card or paid a bill they have data on you.
 
One of the worst data breaches ever was sustained by Equifax. I read a report on Friday that estimated the chance of anybody's personal info being stolen at 1 in 2.

https://www.nytimes.com/2017/09/08/...tions-are-confusing-heres-what-to-do-now.html



So... this is really bad. All of the data personally identifies the victims. The combination of a social security number and a last and first name could potentially cause real harm.

While Americans are getting robbed of their privacy, security, and identity, the responsible company is offering a credit monitoring service.

Why is it that I tolerate the cycle of abuse? First, my data was compromised. Then they offered to watch me. I can't get a moment of privacy, unless I go completely off the grid. But I grew up with this set of tools; phones, computers, credit cards, etc. Everything has a chip inside of it now, and that is not going to help protect against the theft of what thieves already have from the company which processes the data. What's going to happen when the credit monitoring service gets robbed?

How long does this have to go on before people demand some of their freedom and a little bit of privacy back?

I don't know if we have any defense any more other than to slow things down in the "instant credit" industry and have documents signed by snail mail.

we could, however, trace the I.P. And realllyyy slow down their transactions and go partly manual in the hopes their governments will do something. No one cares about the perps.
 
But what kind of company is equifax?

It is a credit reporting agency. There are three main ones in the US: Equifax, Experian and Trans Union. Your credit score/FICO score is based on the information those three agencies amass on you. It isn't something you can opt out of.
 
I don't know if we have any defense any more other than to slow things down in the "instant credit" industry and have documents signed by snail mail.

we could, however, trace the I.P. And realllyyy slow down their transactions and go partly manual in the hopes their governments will do something. No one cares about the perps.

I don't think there is anything conservative about this... there is no quarantine, the data is just gone. And unlike physical property, this data can be cloned ad infinitum.

There's no "controlled burn" that can cut back on potential damage. There's no suit of armor to stop attacks. We're being forced to admit constant vigilance by third party agencies into our lives, time and time again, as the agencies with which we trust our data are compromised. It's a scandal, not a battle.
 
I don't know if we have any defense any more other than to slow things down in the "instant credit" industry and have documents signed by snail mail.

we could, however, trace the I.P. And realllyyy slow down their transactions and go partly manual in the hopes their governments will do something. No one cares about the perps.

What better way for an International opponent to disrupt the US economy.

Any word on who they think the hackers were?
 
Why is it that I tolerate the cycle of abuse? First, my data was compromised. Then they offered to watch me. I can't get a moment of privacy, unless I go completely off the grid. But I grew up with this set of tools; phones, computers, credit cards, etc. Everything has a chip inside of it now, and that is not going to help protect against the theft of what thieves already have from the company which processes the data. What's going to happen when the credit monitoring service gets robbed?

How long does this have to go on before people demand some of their freedom and a little bit of privacy back?

I say to hell with credit scores; and that the Social Security system should never have been used as an identifier beyond its original purpose. That purpose was to collect funds for retirement from an employer tax.

Now banks, apartment rentals, almost every financial transaction requires this number...and it is used not only to trace sources of income, but how we spend our money.

Credit scores are a direct result of our credit based economy.

Easy credit has been the bane of that economy as far as I am concerned. People are living from check to check just to cover their existing debt.

I remember back when Visa sent out "introductory" credit cards with a $200.00 limit to just about everyone. That was the first hook in the credit system line.

Now we have Credit Reporting companies who collect all this information and we can't rent, or buy anything on credit of any value without their approval.

They aren't the only ones with all our information. Credit companies (Visa, MasterCard, American Express), Google, Bing, Amazon (if you buy from them), email providers, Steam, Paypal, etc..

There are even Data Mining companies who buy our civil and criminal records from city and state governments, our financial information from Google et al, and from any other source willing to sell (schools, Universities, etc.)

They then sell our "Backgrounds" to anyone willing to pay. I am hardly surprised that hackers are able to get and use it.

I don't know what we can do about it. Sometimes I wish the movies could be real (Destroying all the Credit Info):

 
I say to hell with credit scores; and that the Social Security system should never have been used as an identifier beyond its original purpose. That purpose was to collect funds for retirement from an employer tax.

Now banks, apartment rentals, almost every financial transaction requires this number...and it is used not only to trace sources of income, but how we spend our money.

Credit scores are a direct result of our credit based economy.

Easy credit has been the bane of that economy as far as I am concerned. People are living from check to check just to cover their existing debt.

I remember back when Visa sent out "introductory" credit cards with a $200.00 limit to just about everyone. That was the first hook in the credit system line.

Now we have Credit Reporting companies who collect all this information and we can't rent, or buy anything on credit of any value without their approval.

They aren't the only ones with all our information. Credit companies, Google, Bing, Amazon (if you buy from them), email providers, Steam, Paypal, etc..

There are even Data Mining companies who buy our civil and criminal records from city and state governments, our financial information from Google et al, and from any other source willing to sell (schools, Universities, etc.)

I am hardly surprised that everything about us is available to anyone willing to pay. How much more that hackers are able to get and use it.

I don't know what we can do about it. Sometimes I wish the movies could be real:

We can have another Great Depression....or worse.....give the lesson another chance to take.

AND WE WILL
 
And right on cue.
The sale of nearly $2 million in corporate stock by high-level Equifax executives shortly after the company learned of a major data breach has sparked public outrage that could turn into another hurdle for the credit rating agency.
The sales all occurred before the company publicly reported the breach, a disclosure that quickly sent its stock tumbling. The timing of the sales could attract federal scrutiny, legal experts say, though proving insider trading would be difficult. A company spokeswoman said the executives did not know about the breach when they sold their shares.

Then the company offers a free one year subscription to its identity-monitoring service. Then after a year you would pay $20 a month. How kind of them.

Nothing will happen to the execs at Equifax because there are too many politicians on the take.

http://www.chicagotribune.com/business/ct-equifax-insider-0909-biz-20170908-story.html
 
We can have another Great Depression....or worse.....give the lesson another chance to take.

AND WE WILL
Please, stop shouting.

Another bad recession, or even another Great Depression will not put an end to credit, or to credit agencies.

Recent history should make that quite obvious. A massive international credit bubble burst in 2007, and today Americans are back to record levels of borrowing.

Another credit crisis might slow it down, but won't end it, not even close. It's simply too useful. People need credit to buy cars, homes and pay for education. People rely on it to buy items they want and/or need. Businesses need credit to survive, not just for customers to buy goods and services, but for their own functions. It's far too profitable for banks to give up.
 
Nothing will happen to the execs at Equifax because there are too many politicians on the take.
I have to say, that seems unlikely. Usually, corporate execs have a system to delay selling stock, precisely to avoid the appearance of insider trading; they didn't use it. They're high ranked enough to strongly suggest they knew about this. Even the Senate Finance is looking into it.
 
I say to hell with credit scores....
Yeah, thing is? The credit agencies are going to compile one for you anyway, and anyone who wants to check your credit is going to look at it.


the Social Security system should never have been used as an identifier beyond its original purpose. That purpose was to collect funds for retirement from an employer tax.
The reality is that in a society of well over 300 million people, we need a unique identifier that operates on a federal level. The smart thing would be to set up a federal identity system, but obviously some paranoid whackos would object to it. So, we're stuck with SSNs.

Thus, even without SSNs, various companies and agencies would use some unique identifier to track you. The problem isn't using SSNs, it's that Equifax got hacked.


Easy credit has been the bane of that economy as far as I am concerned. People are living from check to check just to cover their existing debt.
Easy credit has positive and negative aspects. People tend to take the positive for granted (access to funds when needed; no need to carry massive amounts of cash around; easy to purchase items online/via mail/via phone) and only pay attention to the negative (credit can be abused; card companies can be vicious about fees and penalties).


I don't know what we can do about it.
Advocate for stronger consumer protections, including protections on privacy.

and/or

Enroll in an identity protection service, and get on with your life.
 
It's the government's fault, bear with me here.

There’s no phrase as feared in information security as "zero-day." Zero-days are vulnerabilities no one knew existed, until they've been taken advantage of. They got their name because there is literally “zero days” to do anything to prevent them. They are surprise-secrets—“unknown unknowns,” to quote former Secretary of Defense Donald Rumsfeld.

But if it’s the element of being unknown that makes a vulnerability dangerous, then it's actually our own laws and policies that are making us the most susceptible right now. Our contradictory demands from tech companies and our inconsistent enforcement of laws leaves the public largely unaware of how exposed they are—right up until they’re hit with the realization there’s a problem. Think of these regulatory problems as "policy zero-days."

U.S. Cyber Policy Makes Americans Vulnerable | Time.com

Under the guise of "safety" our government is leaving us vulnerable to the Chinese and to the Russians and any other black hat group. They are even allegedly compromising hardware as it comes off the assembly line for easier access later. It's time we minded our own backyard and stop blaming the companies that spend a good chunk on cyber security, when the game is rigged against them.
 
It's the government's fault, bear with me here.

Under the guise of "safety" our government is leaving us vulnerable to the Chinese and to the Russians and any other black hat group. They are even allegedly compromising hardware as it comes off the assembly line for easier access later. It's time we minded our own backyard and stop blaming the companies that spend a good chunk on cyber security, when the game is rigged against them.
Yeah... no, it's not that simple.

It's up to a company like Equifax to keep its system secure. And it's up to software vendors to determine when and how to release information about vulnerabilities to its customers.

I'm fairly confident the federal government doesn't have the power to order private companies to patch their systems. Nor is it clear that the federal government alone knew about vulnerabilities which were subsequently used in any of these major hacks.

As the article points out, hackers routinely use phishing attacks and other forms of social engineering to gain access to what ought to be secure systems -- they've done that since before the existence of the Internet. Despite what the article says, you can patch computers, but you can't patch stupid people.

Now, we should note that agencies like the NSA do figure out vulnerabilities in software, and withhold it for use with their own surveillance and espionage functions. That's a legitimate issue, and we can ask whether it's more important for the NSA to gather intelligence, or to use that information to protect the US -- as well as its allies, and its enemies. However, my understanding is that few (if any) of those vulnerabilities are in the wild.

I don't think there are a lot of details on how Equifax actually got hacked. But so far, I haven't seen anything that suggests it was via a vulnerability that the federal government deliberately sat on in order to gather intelligence. It sounds a lot more like Equifax was cavalier in protecting their data, training their staff, and responding to the hack. Hard to see how that's the government's fault.
 
Yeah... no, it's not that simple.

It's up to a company like Equifax to keep its system secure. And it's up to software vendors to determine when and how to release information about vulnerabilities to its customers.

I'm fairly confident the federal government doesn't have the power to order private companies to patch their systems. Nor is it clear that the federal government alone knew about vulnerabilities which were subsequently used in any of these major hacks.

As the article points out, hackers routinely use phishing attacks and other forms of social engineering to gain access to what ought to be secure systems -- they've done that since before the existence of the Internet. Despite what the article says, you can patch computers, but you can't patch stupid people.

Now, we should note that agencies like the NSA do figure out vulnerabilities in software, and withhold it for use with their own surveillance and espionage functions. That's a legitimate issue, and we can ask whether it's more important for the NSA to gather intelligence, or to use that information to protect the US -- as well as its allies, and its enemies. However, my understanding is that few (if any) of those vulnerabilities are in the wild.

I don't think there are a lot of details on how Equifax actually got hacked. But so far, I haven't seen anything that suggests it was via a vulnerability that the federal government deliberately sat on in order to gather intelligence. It sounds a lot more like Equifax was cavalier in protecting their data, training their staff, and responding to the hack. Hard to see how that's the government's fault.

Really, because experts are fairly confident that you are mistaken.

https://www.eteknix.com/expert-says-nsa-have-backdoors-built-into-intel-and-amd-processors/

Equifax has had several breaches in the past, and each time they increased spending on cyber security, and upped their encryption. Which it's still pretty impossible to break the type of encryption they use. Could they have been phished? Possibly, but they pay a great deal of money for experts to come in and train all their employees in how to avoid just such a thing. And they actively monitor every computer on their network. Heck, my company does, we are constantly watching people getting pulled aside and reprimanded, or fired for breaches on internet usage.

It's a well known thing in the tech industry that the government is ****ing us, because they like to keep tabs on us. And they ain't ordering anybody, they are just doing it. Wouldn't be very effective spies if they made it known what they intended.
 
Really, because experts are fairly confident that you are mistaken.
Dude. Seriously. Read your own article.

Eteknix retracted the article. The AFR got Broussard's claims completely wrong. There is no CPU backdoor, that's a conspiracy theory.


Equifax has had several breaches in the past
I'm pretty sure that is not correct.

There have been instances where Equifax customers were targeted for phishing attacks, and Equifax had to shut down some of its customer-facing servers as a result. That was in 2007. I don't see any instances where the company was hacked, and leaked data like we saw this week (SSN, birthday, name etc).


it's still pretty impossible to break the type of encryption they use. Could they have been phished?
Yup. That is almost certainly what happened.


they pay a great deal of money for experts to come in and train all their employees in how to avoid just such a thing.
While that's a reasonable assumption, I'm not aware of any evidence that they've done so in a timely or effective manner.

Again, you can't patch stupid.


It's a well known thing in the tech industry that the government is ****ing us, because they like to keep tabs on us. And they ain't ordering anybody, they are just doing it. Wouldn't be very effective spies if they made it known what they intended.
sigh

In case you missed it, one of the biggest known NSA information grabs was done with the cooperation of the telcos and ISPs, e.g. AT&T letting the NSA dupe data flowing through its data centers.

I seriously doubt that the NSA is directly hacking the servers of most companies in the US. If that were the case, security experts would be finding evidence of it all the time.

Thanks but no thanks for the conspiracy theories.
 
More indications that Equifax needs to fire a bunch of its IT people

The PINs for freezing credit were issued sequentially, not randomized. Nice.
https://arstechnica.com/information...r-security-freeze-on-consumer-credit-reports/

The site to check if you were hacked basically runs on a generic Wordpress, without some basic security oversights, including leaving a user name exposed in the page's source code
https://arstechnica.com/information...ossibly-the-worst-leak-of-personal-info-ever/

The site also used a free shared SSL cert. Keep in mind they had a few months to set up that site.
https://www.theregister.co.uk/2017/09/08/equifax_breach_notification/


Equifax only said it was an "application vulnerability". Might not be phishing, unless they're lying (which is possible). One expert suspects it was SQL injection attack.
https://www.digitalshadows.com/blog...ach-the-impact-for-enterprises-and-consumers/
 
Dude. Seriously. Read your own article.

Eteknix retracted the article. The AFR got Broussard's claims completely wrong. There is no CPU backdoor, that's a conspiracy theory.



I'm pretty sure that is not correct.

There have been instances where Equifax customers were targeted for phishing attacks, and Equifax had to shut down some of its customer-facing servers as a result. That was in 2007. I don't see any instances where the company was hacked, and leaked data like we saw this week (SSN, birthday, name etc).



Yup. That is almost certainly what happened.



While that's a reasonable assumption, I'm not aware of any evidence that they've done so in a timely or effective manner.

Again, you can't patch stupid.



sigh

In case you missed it, one of the biggest known NSA information grabs was done with the cooperation of the telcos and ISPs, e.g. AT&T letting the NSA dupe data flowing through its data centers.

I seriously doubt that the NSA is directly hacking the servers of most companies in the US. If that were the case, security experts would be finding evidence of it all the time.

Thanks but no thanks for the conspiracy theories.

I don't trust that retraction, I know it sounds like a conspiracy, I know that. But bear with me here. I don't want to be put on a watchlist for spreading this kind of information. That's why I used that particular one. And I didn't accredit the Equifax hack to an NSA backdoor in the hardware. I put in an aside: "They are even allegedly compromising hardware as it comes off the assembly line for easier access later."

I accredit the attack vulnerabilities in general that the government aren't making companies aware of, like tainted chips manufactured overseas. Or the dozens of types of malicious code that the NSA keeps under wraps so they can use it later.

As far as NSA backdoors are concerned. They are a real thing, and the NSA will pressure anyone that tries to expose them into retracting their statements.

https://www.computerworld.com/artic...ardware-level-backdoor-in-computer-chips.html

https://www.technologyreview.com/s/...e-backdoors-may-still-be-a-problem-from-hell/

Large Corporations are terrified of hacks, they spend a great deal updating systems year to year, hiring cyber security firms, employee training, etc, because to not do so pisses off their shareholders, managing partners, and the public in general. It's easy to blame Equifax for being lax, but the truth is, they were not.

Incident Response
Based on their current statement, we know a few of the facts:

Attackers had access to the data mid-May to 29-July-2017
Once the company detected the intrusion, they stopped it
Once stopped, they called in a reputable outside firm to help with the forensics
After assessing the impact to consumers, they’ve taken steps to help protect them from further damage

Equifax hasn’t released any technical details about the intrusion yet beyond that the attackers used a vulnerability in one of their applications to gain access. That’s ok, that information isn’t valuable to the impacted consumers at this point.

Equifax Breach - an Example of Good Communications -

They were clearly prepared for a breach, and handled it as well as could be expected.

And the NSA does hack American Companies all the time, they just don't take anything. If nothing is taken, there is little reason to call in a forensic team to figure out the hack. Which makes it harder to detect them, most of their hacking is snooping in our business making sure we aren't plotting something. Doesn't mean the vulnerabilities they intentionally keep in place can't be used to take something. And they want you to think it's a conspiracy theory. Which I know is something a conspiracy theorist would say. But seriously, a lot of this stuff was exposed in the documents Snowden released. Everyone got all caught up in them tracking our meta data, but the real scary **** got looked over.
 
Please, stop shouting.

Another bad recession, or even another Great Depression will not put an end to credit, or to credit agencies.

Recent history should make that quite obvious. A massive international credit bubble burst in 2007, and today Americans are back to record levels of borrowing.

Another credit crisis might slow it down, but won't end it, not even close. It's simply too useful. People need credit to buy cars, homes and pay for education. People rely on it to buy items they want and/or need. Businesses need credit to survive, not just for customers to buy goods and services, but for their own functions. It's far too profitable for banks to give up.

Our global debt levels are already at "certain death" levels, this economic system and I claim this civilization are terminal. I don't actually know that debt will be allowed in what we cook up next, maybe current Muslim practices of trying to live without debt will act as our laboratory for doing away with it.
 
Our global debt levels are already at "certain death" levels, this economic system and I claim this civilization are terminal. I don't actually know that debt will be allowed in what we cook up next, maybe current Muslim practices of trying to live without debt will act as our laboratory for doing away with it.
Our debt levels are nowhere near "certain death" levels, not even close.

Our civilization is nowhere near "terminal." The very idea is as ridiculous as it is common throughout history. Someone in the West has been complaining about the decline of civilization since at least Hesiod's day.

Modern civilization -- not just the US, not just the West, but the whole world -- cannot live without debt, or some viable replacement. Nor should we want to live that way. Almost no one could afford a home without debt; few people could get higher education without debt; most people can barely afford cars without debt.

I recognize that some people can be irresponsible with debt, and this caused a serious issue when it created a credit bubble. The system today, though not perfect, is far better than it was for most of the 2000s. Mortgage originators are not throwing loans at anyone with a pulse; consumers spent years paying off debt; many companies are sitting on massive amounts of cash, as a result of years of fat profit margins. Debt levels also grew much slower after 2007 than it did between 2000 and 2007.

If anything, the biggest issue of the recent debt run-up is for the auto industry. After years of people generally hanging on to older cars, people started buying cars as the economy recovered. Auto loan standards seem to have gotten a bit lax, but even there the real issue is that the auto industry is expecting people to buy fewer cars. A decline in autos will hurt a bit, but shouldn't trigger off a massive bubble burst.
 
Our debt levels are nowhere near "certain death" levels, not even close.

Our civilization is nowhere near "terminal." The very idea is as ridiculous as it is common throughout history. Someone in the West has been complaining about the decline of civilization since at least Hesiod's day.

Modern civilization -- not just the US, not just the West, but the whole world -- cannot live without debt, or some viable replacement. Nor should we want to live that way. Almost no one could afford a home without debt; few people could get higher education without debt; most people can barely afford cars without debt.

I recognize that some people can be irresponsible with debt, and this caused a serious issue when it created a credit bubble. The system today, though not perfect, is far better than it was for most of the 2000s. Mortgage originators are not throwing loans at anyone with a pulse; consumers spent years paying off debt; many companies are sitting on massive amounts of cash, as a result of years of fat profit margins. Debt levels also grew much slower after 2007 than it did between 2000 and 2007.

If anything, the biggest issue of the recent debt run-up is for the auto industry. After years of people generally hanging on to older cars, people started buying cars as the economy recovered. Auto loan standards seem to have gotten a bit lax, but even there the real issue is that the auto industry is expecting people to buy fewer cars. A decline in autos will hurt a bit, but shouldn't trigger off a massive bubble burst.

Global debt is now 325% GDP, most of it not backed up by any assets that will hold up in a crash, what happens when you try to carry three times your yearly income on your credit cards? The principal never gets paid is what happens, and once we are out of this manufactured low interest rate environment which will happen we are all ruined.
 