Equifax Says Cyberattack May Have Hit 143 Million Customers
EDIT: The total US population is 323.1 million…
By Brian Womack
September 7, 2017, 3:47 PM CDT (updated September 7, 2017, 5:15 PM CDT)
Breach exposed Social Security and credit card numbers
‘Clearly a disappointing event for our company,’ CEO says
Equifax Inc. said its systems were struck by a cyberattack that may have affected about 143 million U.S. customers of the credit reporting agency, shedding light on one of the largest and most intrusive breaches in history.
Intruders accessed names, Social Security numbers, birth dates, addresses and driver’s license numbers, Equifax said in a statement. Credit card numbers for about 209,000 consumers were also accessed, the company said. Equifax shares dropped more than 8 percent in after-hours trading.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Chief Executive Officer Richard Smith said.
The company set up a website, www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It’s also offering free credit-file monitoring and identity-theft protection.
…
Three Equifax Managers Sold Stock Before Cyber Hack Revealed
Sure, these execs didn’t know anything, right?
@therealjrn Neither did Martha Stewart.
Oh, in the name of all that is holy, how does Equifax stay in business? I can’t count the number of data breaches those idiots have had, and they are the worst of the worst of the credit reporting agencies.
But their execs can short the stock and rake in hundreds of thousands of dollars, and the stockholders take it in the shorts and Equifax issues a vague apology with a promise of “credit monitoring” and lather, rinse, repeat.
And how good can their credit monitoring be, if their security monitoring is so rock solid that every year or so there’s another Equifax breach?
They suck.
Fuck Equifax.
So I clicked through on the website to see the report, then clicked on their link to check if you were on the list of those compromised (https://www.equifaxsecurity2017.com/potential-impact/) and safari and firefox both have blocked it as a deceptive website. Anyone know if this is actually true or not?
@Kidsandliz I’m suspicious about the site anyway because you have to give your last name and the last 6 digits of your SSN. Anyone that knows where I was born can deduce the first 3 digits so that’s providing a 3rd party (the site gets redirected to trustedidpremier dot com) with a large dataset of personal info. Maybe if they asked for the last 4 digits I might feel safer but not 6 digits.
@Kidsandliz The Ars Technica article explains why you saw that: https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/. Short answer: Equifax is incompetent.
@SSteve Thanks
@Kidsandliz Thanks for posting the link. It says that I’m not on the list, and just to be safe, I also checked under my maiden name.
I really loathe all the credit agencies, though. Every one of them. I have no trust in them, and that especially includes all the ones that most consumers don’t interact with, such as LexisNexis (otherwise known as the Spawn of Satan)
@Shrdlu Do you feel confident in the response that you’re not on the list? I feel uneasy about trusting them. For some reason.
@InFrom
The Equifax exposure checker has shown some tendencies to be very unreliable, according to some reports.
@InFrom @f00l I didn’t just use their checker, and I’d strongly recommend against trusting it, no matter which answer they gave. I have other resources, and they all report back negative on my personal data showing up anywhere. I should add that I’m extremely careful, including everything from those I’m willing to write checks to, to insisting on only my Amex for transactions with folks I don’t trust. There are businesses where I will only use cash.
None of this means that I’ve let my guard down. Nor will I. Ever.
So I clicked through on the website to see the report, then clicked on their link to check if you were on the list of those compromised (https://www.equifaxsecurity2017.com/potential-impact/) and safari and firefox both have blocked it as a deceptive website. Anyone know if this is actually true or not?
@Kidsandliz I’m pretty sure deceptive sites are just determined by a bunch of people reporting it as being deceptive. And while it does look sketchy as hell (which could very well be why it got reported so much), it’s linked to directly from Equifax’s real site, so I think it is legit.
@Kidsandliz You must have been hacked! You’re double posted!
@therealjrn blame the goat.
@m33rkat Thanks
@therealjrn Actually I clicked on “Say it” twice because it was reacting so slowly I thought maybe I didn’t click. Meh flaw.
@Kidsandliz I’m just glad the haxors didn’t get you.
@therealjrn Thank you for posting this. It says I wasn’t compromised, but I get the free monitoring anyway
Disappointing my ass, try major catastrophe, you stupid fool. (No offense to our @f00l.)
@Barney He’s not disappointed that our information got disseminated. That’s exactly what they do. He’s just disappointed that they didn’t profit from it.
@Barney
It’s cool.
I made the list!
@medz Me too! And my wife! Not sure about our robot, though. It wasn’t allowed to check.
@SSteve 1 year of free protection, whoopty doo. All the bad guys have to do is wait until next year.
@medz Yep. 143 million people aren’t going to change their driver’s license and social security numbers. The people holding this info can afford to play the long game.
@medz +1. They won’t let me enroll in the monitoring program until 9/13 for some reason. Probably due to the massive number of people responding, they’re attempting to meter website traffic.
¯\_(ツ)_/¯
@ruouttaurmind I got the 12th. Hope you aren’t identity thieved on Tuesday!
Sometimes meh gets a meh, but Equifax gets my Ughh. Just disgusting.
What really ticks me off is that they gather and profit from all our personal information and we have no say in the matter and no ability to opt out. Then we get to suffer for their incompetence. At least when Target gets hacked it’s information we willingly gave them.
It’s too bad this happened during a U.S. Administration that has a historically low regard for consumer protection or the rights of individuals over corporations. I expect the consequences for Equifax to be a token punishment at most. A few executives might get shuffled off to a different multi-million dollar job somewhere else. Meanwhile, all us proles get free identity theft protection for a whole year!
/giphy zoidberg hooray
I will bet money that Equifax comes up with a scheme to profit from the free identity theft protection through either upselling or automatically extending your enrollment after a year when we’ve forgotten all about it and conveniently charging it to your credit card without asking first. Make sure you read the small print before you sign up. These people have no scruples.
@SSteve I read a little while ago that in order to get the free credit monitoring for a year there is a clause in the fine print that states you waive your right to sue them for any damages that arise from their security breach.
I can hear the gears already starting to spin up on the class action suit machinery. So start planning now on how you’ll spend the money when you get your check in three years for $1.43.
@SSteve
/image get paid! animated gif
@SSteve
Lawyers called these “coupon lawsuits”. The lawyers get a payout. Things may or may not improve re the problem. Legislation may or may not be passed.
The customer or injured party gets the $ equivalent of a piece of chewing gum.
@SSteve, @f00l, I received a pair of dollar store jumper cables for the Ford Bronco II settlement maybe a dozen years ago.
One of the Chase Bank credit card settlements actually netted about $45.
The De Beers diamond cartel settlement sent a check for $80.
The PB plumbing settlement paid over $4,000 to replace all the plumbing in my house with copper.
I always join these CA lawsuits when I have standing 'cause you just never know what may come of it.
@ruouttaurmind
I’m not against these lawsuits, or against joining them. But many of them pay pennies. No-one will be retiring or taking a vacation in the payouts, except in rare circumstances.
@f00l Agreed. Probably 80% that I’ve opted to join have settlements not worth the effort it took to join. I never expect to strike it big, but those few which have paid checks worth depositing gives me motivation to continue participating. The plumbing settlement in particular really surprised me. I expected to get pennies on the dollar if I went out of pocket to pay for the retrofit. I never expected the settlement to handle everything for me with zero expense to me.
@f00l the lawyers might retire, take a vacation, or buy a vacation home or new yacht with their payouts, though.
@f00l @ruouttaurmind I had a Norplant (birth control in five tubes to last five years) put in my arm after my first child and we ended up getting pregnant (with a miscarriage) a year later. Had the tubes removed as soon as we knew we were with child. But apparently it was a common problem and there was a large lawsuit filed that I joined. Never heard a thing about it afterwards for two years until all the company offered was a different birth control for a year. Made by the same company - so we turned it down. Only one I’ve ever joined.
I usually check out all three yearly but I missed last year. I was about to check it this month but now I have reservations. Equifax was the one company that always had wrong information on it and I faxed, emailed and mailed a letter each year to get them to fix it and they never have. Does anyone know if they have done anything to prevent future hacks or should I do the other two and skip them? Also, has anyone used that Creditkarma site to check credit scores and if so is it any good?
@WTFsunshine wow I wouldn’t have taken an alternate either; that’s just beyond unethical on their part. Sad you had to go thru that awful experience, and that then their response to the suit doesn’t even begin to make it right
@WTFsunshine I use credit karma; it has been extremely helpful for me the past couple of years; it’s accurate, up to date, sends me messages (I use the phone app) whenever there is any change or application for credit. I am not sure it reports all the credit agencies; think it is just Equifax and Trans whatever. I could be wrong though.
@kerryzero Thank you for answering my question. It is very much appreciated. I was unaware that they had an app - I’ll have to go look that up. Thank you for your sympathy on the other issue as well.
@WTFsunshine I use it. Spent YEARS trying to get a rather major mistake fixed. Finally saw it was fixed on the 2 credit agencies through them (as someone else said they only report on two). They don’t use the “usual” credit score used by banks, etc. and instead use some other score. I have no idea how those scores correlate with each other. On the other hand, at this point my scores are about 25-30 points apart on creditkarma between the credit reporting agencies for reasons I can’t identify since what they show on the report is identical and theoretically are using the same formula to calculate it from both reports.
@Kidsandliz
Each agency calculates and sells its own scores, created using internal formulas. They sell a variety of scores (variances in formula used for calculation), supposedly tailored for the industry and purpose of the score lookup.
FICO (Fair, Isaac and Company) pioneered this practice, and their scores have the best reputation.
If you apply for a mortgage, the big daddy score your bank or mortgage broker pulls will probably be the FICO mortgage score. It’s kinda the assumed industry baseline from what I hear.
The credit bureaus themselves started calculating and selling scores, in hopes of grabbing some of FICO’s business.
Most of the scores you see with credit monitoring services are bureau calculated scores, not actual FICO scores. But the scores should be similar.
Smallish variations in score from bureau to bureau often have to do with exactly how up to date one bureau is compared to another, or similar small data variations that won’t show up on a consumer credit monitoring report. Small variations don’t mean a lot.
If you want to know your actual FICO mortgage score, often your bank will pull it at no charge.
/8ball Are we fucked?
As I see it, yes
Strange how they’re advertising a FREE one-time scan to see if your data is on the Dark Web. IIRC, they did start to advertise this BEFORE the announcement.
@sgrazi Discover card offers to monitor for your information showing up for free. I dont know if they are using the same service, but I signed up just last month.
@sgrazi What they are getting is if you sign up you have then opted out of any class action suit and agreed to arbitration. A win for them if they can get as many people as possible ineligible for membership in a class action suit.
@Kidsandliz Heard that on the radio yesterday, fortunately before doing anything to sign up. We get the ‘dark web search’ stuff through work so I’m going to let them do that
Hi, just so you know, if you sign up for the free service, you’re opting for mandatory binding arbitration unless you opt out in writing within 30 days.
@dashcloud But then aren’t you also opting out of the free service?
@Kidsandliz No- you’re just taking the (very hidden) option to not use arbitration.
@dashcloud Thanks
Sigh… (Please read this thru and think a bit before you respond… if you still feel I’m crazy after you think on it for a bit… eh, post away.)
The problem isn’t that The Bad People are breaking into systems and getting at people’s data or that companies (like Equifax) are unable to keep their proverbial pants zipped up. These things are not new, have always been with us and always will be.
We’ve had compromise after compromise of SS#s. Four million last year (or was it the year before? I’ve lost track). 18 million a while back; now 143 million with this latest breach. If someone were to claim that more SS#s have been compromised than not, would anyone really question it? It certainly sounds believable. I know I would not be surprised to learn that it is actually true.
Yet, even though hundreds of millions of people in the US have had their SS#s compromised, has there been any real effort to make this information (SS#s) less valuable to The Bad People? No, there has not. In fact, the companies that run the systems with security based on this compromised information, including the companies that have actually released this information to The Bad People, have pushed for legislation to make the owners of the compromised information responsible for their (the company’s) losses.
When a password is compromised, whether by a breach or phishing or some other means, we tell people to change it. (I say we, because I work in IT and maintain systems that contain PII, but also because I am one of the people whose password and other information has been compromised in the past). But a person’s SS#? To change it, a person has to go work for the mob long enough to learn where the bodies are buried (without dying), get busted by law enforcement (without dying), testify in court (without dying) and then (if they are still alive) they can get a new SS# (plus an apparently unacceptably mediocre SUV according to TV ads). There is simply too much risk of death in this process for it to be a practical fix, not to mention the need for hundreds of millions of vulnerable mobsters, etc.)
What I feel we really need is for the SSA to be hacked and EVERY SS# be compromised. But even with this, I seriously doubt that there would be any real push to change what is really broken.
Anyways, enough ranting. I’m going to bed right after meh rolls over at midnight, since I got less than four hours of sleep last night and have to be up in less than seven hours for a very long day of tiring stuff to do.
@baqui63 is my smart friend
@meh you’re just saying that 'cuz you’re drunk.
@baqui63 NUH UH
@meh uh huh! also, I’m now off to bed, so you can win this argument if you can still type and click.
@baqui63 I’m not being critical, I’m being curious: So what do you suggest as the fix?
@ruouttaurmind I don’t know his opinion, but not using the social security number as a convenient unique ID for people in any system outside of social security would be a good start. Using it (or part of it) as a password of sorts is even worse.
@ruouttaurmind, knowledge of a person’s SS# should be no more significant than knowing any other piece of public information about that person. As an example, my knowing your SS# should be no more significant than my knowing that you have used the forum at meh.com.
Unlike @djslack (apparently, anyway; apologies to @djslack if I have made an incorrect assumption) I have no problem with a SS# being used as a (mostly) unique identifier (database key, whatever) for a person across multiple systems. What do I care if my bank, the IRS and my doctor all use the same ID# for me? They all use the same given name, phone number and zip code for me and I’m ok with that, so why should their ID# for me be any different?
However, as @djslack later states, not using the SS# as any form of a password (ie. for any form of authentication) would be a good start. Why do I have to use “the last four digits of the primary account holder’s SS#” as the PIN for my TMobile account? Especially given that my SS#, name, address, DOB, email address(es), telephone number(s), employer(s), salary(ies), etc. may be public information. BTW- my “mother’s maiden name” has not been Pike (her actual maiden name) in any company’s records for me since the late 1980s.
(Note that I have not tried to get TMobile to use something other than the last four digits of my SS# as the PIN for my account, so it may be that they are not a good example. If so, I apologize in advance to John Legere and company.)
The solution is simple: stop using potentially public and immutable information to authenticate identity.
I fully understand and acknowledge that this will be hard to change for many companies. I also firmly believe that any system where it is hard to change is poorly designed and the company using it is putting their profit margin (ie. not paying enough for security) above the security of their customers. (Again, using TMobile as a possibly flawed example: I’m fine with defaulting my PIN to the last four digits of my SS#, but I should be able to change it whenever I want, without significant hassle. If changing my PIN at will would require TMobile to make significant changes to their system, then their system is not well designed, etc.)
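As an added illustration of the identification/authentication distinction drawn in the post above (example code written for this page, not part of the thread and not any carrier's system; the account service, its class names, the PIN policy and the sample SSN are all hypothetical):

```python
"""
Identifier vs. authenticator: hypothetical carrier-style account service.

The SSN is a lookup key in both stores. The weak store also treats its
last four digits as the account PIN, so anyone holding a breached record
can authenticate. The hardened store issues a random default PIN, lets
the customer change it at will, refuses PINs derivable from the SSN,
stores only a salted PBKDF2 hash, and locks after repeated failures.
"""
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000


def ssn_digits(ssn: str) -> str:
    return ssn.replace("-", "")


def last4(ssn: str) -> str:
    return ssn_digits(ssn)[-4:]


class WeakAccounts:
    """'Before': the PIN is the last four of the SSN and cannot be changed."""

    def __init__(self):
        self.by_ssn = {}

    def create(self, ssn, name):
        self.by_ssn[ssn] = {"name": name}

    def verify_pin(self, ssn, pin):
        # Nothing secret is checked: the identifier is the authenticator.
        return ssn in self.by_ssn and hmac.compare_digest(pin, last4(ssn))


class HardenedAccounts:
    """'After': the SSN is only a key; the PIN is a separate, changeable secret."""

    def __init__(self):
        self.by_ssn = {}

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def _store(self, rec, pin):
        rec["salt"] = os.urandom(16)
        rec["hash"] = self._hash(pin, rec["salt"])
        rec["failures"] = 0

    def create(self, ssn, name):
        # The default secret comes from a CSPRNG, never from the identifier.
        pin = f"{secrets.randbelow(10**6):06d}"
        self.by_ssn[ssn] = {"name": name}
        self._store(self.by_ssn[ssn], pin)
        return pin  # delivered to the customer out of band

    def set_pin(self, ssn, new_pin):
        if not (new_pin.isdigit() and len(new_pin) >= 6):
            raise ValueError("PIN must be at least 6 digits")
        # Refuse anything recoverable from the public, immutable identifier.
        if last4(ssn) in new_pin or new_pin in ssn_digits(ssn):
            raise ValueError("PIN must not be derived from the SSN")
        self._store(self.by_ssn[ssn], new_pin)

    def verify_pin(self, ssn, pin):
        rec = self.by_ssn.get(ssn)
        if rec is None or rec["failures"] >= MAX_ATTEMPTS:
            return False  # unknown account or locked out
        ok = hmac.compare_digest(self._hash(pin, rec["salt"]), rec["hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok


def demo():
    ssn = "987-65-4321"  # constructed sample (SSA reserves 987-65-432x for advertising)
    weak, hard = WeakAccounts(), HardenedAccounts()
    weak.create(ssn, "A. Customer")
    initial = hard.create(ssn, "A. Customer")
    results = {
        # the breached record alone logs in to the weak service...
        "weak_with_last4": weak.verify_pin(ssn, last4(ssn)),
        # ...but not to the hardened one
        "hard_with_last4": hard.verify_pin(ssn, last4(ssn)),
    }
    hard.set_pin(ssn, "846201")  # the customer rotates the secret at will
    results["hard_new_pin"] = hard.verify_pin(ssn, "846201")
    results["hard_old_pin"] = hard.verify_pin(ssn, initial)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened store is that the SSN can sit in every system as a key without harm, because knowing it proves nothing; what must be kept secret is small, per-account, and replaceable the day it leaks.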
@baqui63 You’re right and said it way better than me. The only problem I have with using it as the de facto unique ID is the fact that it’s also used as an identity verifier, so you have these conflicting needs to use it everywhere but keep it private. Making the second change removes my concerns on the first count. If you can treat it as public information, hell, use it as my phone number too.
see, @baqui63 is my smart friend
@meh baqui63 might be part of the vast government false-flag conspiracy to put microchips under your skin for identification, and then, all currency will be abolished, and you will need to go to FEMA camps to get your food, and the fluoride in the water is changing the climate and Area 51 and stuff.
True story.
(I’m just being silly. @baqui63 obviously knows what he’s typing about. And FEMA food isn’t too bad. What’s it called? “Green Soylent”?)
@baqui63 In our state they finally took our SSN off of our drivers licenses and gave us a permanent OLN. Unfortunately, places started to ask for our drivers license to put the number in their computers or cash registers which is as bad as when they used to ask for our SSN. Same with putting phone numbers on checks so we always put “unlisted” on them. At least most stores got smart and only ask for zip codes to track where customers are coming from to shop. Just too many ways these days for our information to get out there.
@baqui63 great post. I was looking for a paragraph with a similar criticism of biometric information, because you know that’s coming.
And it’s the same potato, all over again.
@WTFsunshine I don’t have a problem with use of these numbers for IDENTIFICATION purposes and thus I see nothing wrong with a store wanting a phone number or DL number on a check. After all, I’m the one requesting the favor of paying by check rather than cash.*
My problem is with using these numbers for AUTHENTICATION purposes. These are very different things.
*Given that a personal check contains most, if not all, of the information required to steal a person’s identity, I’ve stopped using them except for paying people I trust (my gun club dues, my condo association and until May of this year, child support to my ex-wife). I’m looking into ways that our condo association might take electronic payments (I’m its president) but this is not as straightforward as it sounds, especially for a 16 unit condominium.
@baqui63 I agree with your statements. I only have issue with where the information is kept on file. Some banks send your check physically and/or digitally to too many places. Once someone gets hold of your OLN (or what you put in the memo line I.e. Johnny’s soccer team fees) all they have to do is request your driving record (which anyone can do electronically as well as anything that is public information (your address, court records, marriage and divorce records and the list goes on) through county and state records) with it and then they have more than enough to steal your identity, money, create a new DL in their own name and go to the post office to file a forwarding address. By the time you get a notification that a forwarding address was filed it’s too late to undo the damage. Monitoring your accounts online is something a lot of people (the elderly for example) still do not do. Even in these days when vigilance is even more important than the days of old where scammers had to stalk your mailbox. BBB lets you sign up for emails from them to see which new scams are being done and I have my family and parents on the email list. So I am agreeing with you- not against- but just explaining a little further to why I typed what I did.
I guess I can tack another year of free credit monitoring to the 4-5 years I got already from previous hacks?
As a further insult to injury, Equifax has also completely fucked up the PINs for credit freezes (apparently going back at least a decade or more):
@dashcloud so don’t tell people exactly when you froze…
@medz they don’t need to know exactly when you froze it. If you put the freeze on in response to the breach it will be trivial to guess it
@unksol I imagine there will be some red flags if someone is guessing up to 86400 possible pins per day for each person. It should lock them out after three tries or so, right?
@medz this is Equifax you’re talking about, right? Locking someone out of something is clearly not their strong suit.
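An added example to go with the freeze-PIN exchange above (written for this page, not Equifax's code). It assumes, from the "86400 possible pins per day" figure, that the PIN is the freeze timestamp to the second, in a hypothetical MMDDYYHHMMSS format; the real scheme is not described on this page. It shows the guess space left to an attacker who knows roughly when the freeze was placed, what a random PIN of the same length would cost instead, and how a server-side attempt limit bounds the attack:

```python
"""
Guessability of a time-derived freeze PIN vs. a random one, and the effect
of an attempt limit. Hypothetical scheme: PIN = MMDDYYHHMMSS of the freeze.
"""
import hmac
import secrets
from datetime import datetime, timedelta


def timestamp_pin(when: datetime) -> str:
    """Weak scheme (assumed): the PIN encodes the moment of the freeze."""
    return when.strftime("%m%d%y%H%M%S")


def random_pin(digits: int = 12) -> str:
    """What it should be: drawn from a CSPRNG, unrelated to any event."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def candidate_pins(window_start: datetime, window_end: datetime):
    """Every PIN an attacker must try if the freeze fell inside the window."""
    seconds = int((window_end - window_start).total_seconds())
    return [timestamp_pin(window_start + timedelta(seconds=i))
            for i in range(seconds)]


class PinVerifier:
    """Server-side check; max_attempts=None means no lockout at all."""

    def __init__(self, pin: str, max_attempts=None):
        self._pin = pin
        self.max_attempts = max_attempts
        self.attempts = 0

    @property
    def locked(self) -> bool:
        return self.max_attempts is not None and self.attempts >= self.max_attempts

    def check(self, guess: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        return hmac.compare_digest(guess, self._pin)


def brute_force(verifier: PinVerifier, candidates):
    """Return (found, guesses_made); stops as soon as the account locks."""
    for i, guess in enumerate(candidates, start=1):
        if verifier.check(guess):
            return True, i
        if verifier.locked:
            return False, i
    return False, len(candidates)


def demo():
    # Constructed scenario: freeze placed the day after the announcement;
    # the attacker only assumes it happened somewhere in a three-day window.
    freeze_time = datetime(2017, 9, 8, 14, 37, 22)
    window = (datetime(2017, 9, 7), datetime(2017, 9, 10))
    candidates = candidate_pins(*window)
    weak = timestamp_pin(freeze_time)

    found_open, tries_open = brute_force(PinVerifier(weak), candidates)
    found_locked, tries_locked = brute_force(
        PinVerifier(weak, max_attempts=5), candidates)
    return {
        "timestamp_space": len(candidates),   # 3 days * 86400 seconds
        "random_space": 10 ** len(weak),      # same length, but from a CSPRNG
        "open_found": found_open, "open_tries": tries_open,
        "locked_found": found_locked, "locked_tries": tries_locked,
    }


if __name__ == "__main__":
    print(demo())
```

With no attempt limit the timestamp PIN falls inside the window after a few hundred thousand online guesses; a 12-digit random PIN would need on the order of 10^12. The lockout stops the enumeration at five guesses either way, which is why both fixes matter: the PIN must be unpredictable, and the verifier must refuse to be an oracle.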
According to snopes (just received)
As of 8 September 2017, Equifax’s own web site, EquifaxSecurity2017.com, stated that the cyber attack is not covered by TrustedID Premier’s arbitration clause:
from
The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.
from https://www.equifaxsecurity2017.com/
and
again from snopes
"The company was also criticized following reports that a trio of executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — sold a combined $2 million in company stock on 1 August and 2 August 2017.
Equifax said that the three officials were unaware of the data breach at the time they sold their stock."
If you want to believe them.
@sgrazi Even if they were unaware of the data breach, it doesn’t mean that they weren’t told, “Don’t ask questions. Go sell your stock before the end of the week.”
@baqui63 That I would believe. When a certain public company was headed towards a tank (it is still around), my brother-in-law, CFO there at the time, told my dad to sell all his stock in that company, don’t ask any questions, don’t say why you are doing it, just do it now. Several weeks later the shit hit the fan.
@sgrazi
I believe they were lobbying Congress for limitations in liability recently, including before the breach was announced.
Equifax lobbied to take away breach victims’ right to sue
https://boingboing.net/2017/09/09/depraved-indifference.html
Gotta love ethics.
@f00l I don’t think Equifax and Ethics can be used together.
@Kidsandliz I applaud your brother-in-law for looking out for family while putting his butt on the line for doing so.
I have not read through all of these posts yet, so sorry if this is a repeat. This was an interesting article about checking if your account was compromised.
https://www.axios.com/equifax-security-check-website-strips-users-of-legal-rights-2483000146.html
@sophi it’s not accurate, as discussed in the post one above this.
The language in question applies when signing up for the free credit monitoring service, and Equifax states that that clause does not apply to the breach itself.
No doubt that they have handled this very poorly in just about every way imaginable. It’s very shitty for the consumer who has no say over them having access to their data in the first place.
I see that Lifelock has ramped up the advertising.
It’s important that many corporate assholes make money on this event, I guess.
Damn them. Fuck them.
From ZDNet.com
We tested Equifax’s data breach checker — and it’s basically useless
According to the article, people have entered test data and gotten misleading results. Posters have also entered their own data multiple times, to receive multiple conflicting results.
http://www.zdnet.com/article/we-tested-equifax-data-breach-checker-it-is-basically-useless/
Also this breach happened months ago.
Like May 2017*.
According to Consumerist
https://consumerist.com/2017/09/07/equifax-announces-data-breach-affecting-143-million-customers/
Right now I hate these companies much much more than I normally do.
@f00l i think an equally useful/accurate tool when compared to the data breach checker is…
/8ball was my data breached?
As I see it, yes
@Yoda_Daenerys
Agreed.
/8ball It is. Is it?
You may rely on it
What do I care? The Russians (or Chinese, whatever) already have my fingerprints.
@PocketBrain The Russians also (supposedly) helped put a real dick in charge of the country too. Sorry - to all of his supporters here in the forum.
I would join a class-action lawsuit, but there’s no point. By the time it’s settled, the checks will just go to whoever stole our identities.
Chatbot lets you sue Equifax for up to $25,000 without a lawyer
https://www.theverge.com/2017/9/11/16290730/equifax-chatbots-ai-joshua-browder-security-breach
Here’s a wonderful article on how to handle identity theft and the accounts that might be opened: http://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/
For a shorter version, check out the Twitter thread by the same guy that led to the above article: