[John Michael Kane]

Quote:

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

Equifax has established a dedicated website, http://www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year. The website also provides additional information on steps consumers can take to protect their personal information. Equifax recommends that consumers with additional questions visit http://www.equifaxsecurity2017.com or contact a dedicated call center at 866-447-7559, which the company set up to assist consumers. The call center is open every day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern time.

In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. Equifax also is in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries.

Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.

CEO Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”

https://www.equifaxsecurity2017.com/

Bottom line is, looks like quite a bit of sensitive info was leaked. They are offering a year worth of credit monitoring, you can sign up for it via the link above.

[Repo]

So. .. . basically everyone with a credit rating?

[John Michael Kane]

It looks pretty bad. I usually keep my credit reports frozen (meaning new applications for credit in my name will be automatically denied). Still, a lot of havoc can be had with the type and scale of this breach. I urge every forum member that is potentially affected by this breach to keep a close eye on their credit reports and bank statements.

Also, if you haven't pulled your free annual credit reports, now would be a good time to visit this site: http://www.annualcreditreport.com

I also have more credit report information in my signature link for anyone who is interested, or just post a reply to this thread below.

[The Wire]

(09-07-2017 05:28 PM)John Michael Kane Wrote:  

It looks pretty bad. I usually keep my credit reports frozen (meaning new applications for credit in my name will be automatically denied). Still, a lot of havoc can be had with the type and scale of this breach. I urge every forum member that is potentially affected by this breach to keep a close eye on their credit reports and bank statements.

Also, if you haven't pulled your free annual credit reports, now would be a good time to visit this site: http://www.annualcreditreport.com

I also have more credit report information in my signature link for anyone who is interested, or just post a reply to this thread below.

Awesome thread. According to the website I could be affected.

It's these breaches that get me paranoid from storing my financial information in one spot. Side topic but do you trust things like Mint and Personal Capital? My big issue is that they can violate some terms of your banks if you are providing a third party access to your account(for the banks that don't offer a read only username).

[John Michael Kane]

I've used both Mint and Personal Capital. I've never had a problem with them. I understand the Terms of Service complications, but if you're really that concerned, you can always go back and use the old-fashioned spreadsheets instead of linking site like Mint.com.

[Thersites]

Mister Metokur some up the situation for those who don't have the time to read about this mess.

[John Michael Kane]

Equifax executives should face criminal charges for taking so long to disclose the breach, especially after they sold their stock off. I agree, no excuses.

[5-7 Hedonist]

Great find, and all good advice up above. I agree with tossing the Equifax execs behind bars for a long, long time.

It will be insightful to see how the -- much maligned and always popular whipping boy -- CFPB flexes it's muscles on this.

[Jordan151]

They doxxed half the country. Am I paranoid for thinking that white collar crime is going to shoot through the roof? These executives deserve much worse than prison time.

[Oz.]

(09-07-2017 05:28 PM)John Michael Kane Wrote:  

I usually keep my credit reports frozen (meaning new applications for credit in my name will be automatically denied).

How do you do this? and is it a good idea?

[John Michael Kane]

Credit reports, by default are "unfrozen". That means that when you apply for new credit (a car loan, credit card, mortgage, etc.) the bank can look at your credit reports with your permission (meaning when you submit an application for credit). If you have no intention of applying for any type of credit for a long time (say you have all the credit cards, car loans, etc. you need for a while), then it doesn't hurt to freeze all your reports, meaning that anyone who fraudulently tries to open a credit/load account with your personal information will automatically be denied. The fee is $10 per credit reporting agency.

More info here: https://www.consumer.ftc.gov/articles/04...reeze-faqs

and here... http://clark.com/personal-finance-credit...haw-guide/

[Chowder Head]

(09-07-2017 05:14 PM)John Michael Kane Wrote:  

https://www.equifaxsecurity2017.com/

Bottom line is, looks like quite a bit of sensitive info was leaked. They are offering a year worth of credit monitoring, you can sign up for it via the link above.

Are they offering to freeze credit reports along with the credit monitoring deal?

[John Michael Kane]

I didn't see that as part of the deal, so most likely not. You could call them and ask them to wave the fee if you're a member of the affected group and see if they'll do it as a courtesy.

[Duke Castile]

Here's what I'd like to know; is there a way to exploit this situation by having something negative removed?

[John Michael Kane]

(09-07-2017 10:37 PM)Fisto Wrote:  

Here's what I'd like to know; is there a way to exploit this situation by having something negative removed?

All disputes have to go through their system and are usually verified by A.I. systems. Hard to game the system that way. Thankfully, there are a number of ways to get negative info removed the legit method. Do you have a few negative marks on your credit report? PM me if you want some help trying to remove them.

[username]

Hopefully this is the catalyst for a complete overhaul of social security numbers. It is just plain dumb that if someone has that one number they can completely fuck you up. Get loans, get credit cards, access bank accounts, etc all just by having your secret number.

A better solution would be cryptography where you "sign" with your key. By signing you prove who you are while never having to reveal your key.

Of course this will never happen because then how will big businesses get the cheap labor via illegal aliens stealing other people's identity and how will politicians get their sheep followers that do everything they say.

[John Michael Kane]

There is a vested interest in NOT HAVING a secure system. Just think, who would be selling a multi-billion dollar industry's worth of products related to ID protection, credit report monitoring, fraud insurance, etc? Combatting criminals is big business, they don't want the system to be TOO SECURE.

[Silver_Tube]

The equifax chief of security was clearly hired based on merit, check out her credentials:

[John Michael Kane]

Ahhhhhhhhhhhhhh, diversity! Hiring music gurus to manage Enterprise-grade security for a firm with massive amounts of extremely sensitive data. Great idea! Thanks feminists!

[budoslavic]

[/url]

[url=https://twitter.com/AGSchneiderman/status/906235416738705408]

[palsofchaos]

It's $10 per credit bureau to freeze your credit. I have to pay the company who mishandled personal data so their screw up won't affect me?

Somedays I think these 'breeches' are just elaborate ploys to get consumers to subscribe to credit tracking services...

[Samseau]

Good thing there was a professional in charge!

[The Beast1]

At a previous fortune 500 company I worked at a few years ago, you could reset your password by simply knowing your manager's name and your username by calling the helpdesk.

I contacted the security team about this on my last day basically telling them to get their act together as this is the lowest hanging fruit for a hacker to take advantage of.

The CSO, a woman, wanted to know how a bad actor would be able to figure out the company's usernames. I told her usernames are trivial and easy to ask for over the phone and I could easily find out who someone's manager was by going onto Linkedin. People know not to give out passwords, but usernames? Fucking idiot.

They still don't have a decent system implemented.

[budoslavic]

Quote:

Highly Sensitive Details of 143 Million Users Stolen in Equifax Hack

Equifax — one of the largest providers of consumer credit reporting and other financial services in the US — said last night it was the victim of a hack during which attackers made off with details on over 143 million of its customers.

While the amount of stolen data is impressive in its size alone, affected users have real reasons for concern because of the nature of the data hackers made off with.

According to a press release the company put out, attackers stole names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.

Furthermore, hackers also accessed credit card numbers for approximately 209,000 US users and dispute documents with personal identifying information for approximately 182,000 more.

In addition, Equifax said attackers also had limited access to the personal details of UK and Canadian residents but did not reveal the number of affected users.

Hackers made off with highly sensitive information

In most breaches, hackers get access to limited information, such as names, addresses, or credit card numbers. A breach of this magnitude and depth of sensitive information is a rare event, and a dangerous one.

Any hacker holding the information stolen from Equifax can very easily build in-depth profiles on its targets and carry out fraudulent transactions, illegal tax returns, hijack online accounts, and more.

Equifax made another big mistake by not notifying users right away. The company said it detected the hack on July 29, but waited more than a month to issue a public warning so users could freeze their assets or take precautionary measures.

"This is a disastrous data breach, probably one of the most detrimental breaches of this year, capable of undermining trust in an already quite fragile online financial space," Ilia Kolochenko, CEO and Founder of High-Tech Bridge told Bleeping Computer via email.

"Such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims," Kolochenko added.

Equifax launches website to check if you're affected

Rick Smith, Equifax CEO, apologized for the incident in a YouTube video (see below) and offered to provide free credit monitoring services for one year to all US citizens, not just those affected by the breach.

If you think the offer is generous, it is not. The 143 million figure is about 45% of the US' entire population, but if excluding children, the elderly and other inactive age groups, that's a large chunk of the active credit-eligible population anyway, meaning most US consumers were affected regardless.

Equifax using breach to peddle its own services

Equifax has set up a web page where affected users can verify if they're included in the reported data breach. They can also use this website to enroll in free credit monitoring services.

Users included in the breach have a higher priority and can sign up and receive the free credit monitoring offer right away.

Users not included in the breach will receive their one-year free credit monitoring service but from a later date. In the meantime, Equifax encourages these users to sign up for a commercial plan of credit monitoring services, just in case. In other words, Equifax is using its own hack to sell credit card monitoring services.

But beware, anyone using the website will automatically waive their rights to sue Equifax.

[/url]

Blunder after blunder after blunder

The marketing blunder comes to complete the numerous other technical failures. For example, Equifax's breach verification site uses a stock WordPress site, hardly the best technology for running secure sites.

Because it allows users to verify if they're in the breach by checking their name and last six digits of their SSN, the site quickly got flagged by OpenDNS as a phishing site. When it launched, the site also had SSL issues, which also contributed to OpenDNS marking the site as a threat.

The primary Equifax website is also still vulnerable to an XSS flaw reported last year. One of the Equifax login pages shows debug codes that could be useful in gaining an idea about how Equifax's internal network works.

In its official statement, Equifax said the intrusion took place after "criminals exploited a U.S. website application vulnerability to gain access to certain files."

With such a clumsy effort on the technical side, it is no wonder that LinkedIn's CISO (Chief Information Security Officer) wanted to lay low.

The good news is that Equifax is hiring new staff to bolster its security department, but it may be just too late [1, 2].

Insider trading?

Besides expecting a visit from the FTC and ambulance chasing lawyers holding class-action lawsuits in their hands, Equifax should also expect the SEC.

Shortly after the data breach press release was published, Bloomberg reported that three Equifax high-ranking execs were allowed to sell company stock of nearly $1.8 million.

The date of this transaction came after the company discovered the data breach. In statements to the press, Equifax said the execs who sold their stock were not aware of the breach, an explanation that few are experts are buying.

[url=https://twitter.com/gregotto/status/905931074857037825]

Equifax stock (NYSE:EFX) is expected to plummet when the US stock market opens on Friday, later today.

[Sherman]

Here is a discussion of the waver issue.


"Equifax TrustedID customers waive their rights to a class-action lawsuit"

http://www.marketwatch.com/story/why-som...2017-09-08

Now, I am not sure if it is a good idea to sign up with them. They gave me a date next week to sign up. There are already class action lawsuits that have been filed.