Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Businesses Software Hardware Technology

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com) 90

Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report: Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.

This discussion has been archived. No new comments can be posted.

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed

Comments Filter:
  • Silver Lining (Score:2, Insightful)

    by Anonymous Coward

    Maybe this will make people stop being so dependent on debt. Then perhaps the price of things will go down since no one will finance them any longer. Then maybe we'll see the banksters starving in the gutter.

    • Re:Silver Lining (Score:5, Insightful)

      by newcastlejon ( 1483695 ) on Monday September 18, 2017 @06:47PM (#55222631)

      Then maybe we'll see the banksters starving in the gutter.

      "When banks fail, it is seldom bankers who starve."

      • "when banks fail" is using the term of art "bank failure" which is completely different from and unrelated to banks going out of business due to lack of buyers for their services.

    • Re: (Score:3, Informative)

      Yea... you must either be a millionaire or not own a home.
    • Re:Silver Lining (Score:4, Insightful)

      by bobbied ( 2522392 ) on Monday September 18, 2017 @07:07PM (#55222747)

      Maybe this will make people stop being so dependent on debt. Then perhaps the price of things will go down since no one will finance them any longer. Then maybe we'll see the banksters starving in the gutter.

      You do realize that credit reporting is done for more life events than those related to debt right?

      You want a cell phone and don't use a prepaid one? Likely a credit check and monthly reports about your account...

      You open an account with the local electric company? Credit check, and likely ongoing reports..

      Open a checking or savings account? Brokerage account? 401k/IRA?

      You simply are NOT going to get away with not having your data show up at one of the big three unless you live a very unconventional life, only accept or spend cash and never do any one of the things we usually take for granted in today's world.

      • by Anonymous Coward

        And are you aware that these companies prey on people through the use of 'credit' systems? No way to opt out, no way to protect yourself, and corporations have all the cards, as usual.

        This should be treated like a monopoly and completely broken up. Who cares that people can't buy $200k houses they can't afford? The market will adapt or it will die, plain and simple.

        Debt is modern slavery and only brings negative things to your life.

        • Re: Silver Lining (Score:4, Insightful)

          by orlanz ( 882574 ) on Monday September 18, 2017 @09:59PM (#55223359)

          Debt is modern slavery

          A 100 years ago, this was quite true, and it still is in many parts of the world. People always have needed loans. Savings are quite difficult to secure. The more you have the more bad actors target you. So people took loans for that cow, bike, education, or house. But back then, that debt passed on to your children. It wasn't unusual to have the grandfather build a house and the grandchildren pay it off.

          The interest you got charged was based on who you knew and what collateral you had. Gold, silver, daughters, etc. The lender many times basically owned your family. Those without connections or collateral had to beg or got no loans. They could never climb up in society.

          The modern Credit System, even with all its faults, is phenomenal and quite far from your statement. It allows strangers to partially assess the risk of an investment in the other. Additionally, the debt doesn't pass on to others. The failure of the investment is shared by only all parties to the deal. This allows for greater investments and returns in society. The only figurative chaines of slavery are the ones self-imposed.

          As for cheaper houses. Sure without lending, houses would be cheaper but they would be smaller too with less features. If you want, you can still build your own 1950's 1000 sqft ranch home on 1/2 an acre of unincorporated land in less than 6 months for under $50k.

          • 1/2 an acre of unincorporated land within driving distance of Seattle (within 40 miles - yes, 2 hours driving) is worth $500K-$1m, depending how close to water you are.
            • by orlanz ( 882574 )

              And land within Seattle or New York or Washington DC are far far more than that... What is your point? There is a lot of demand for land close to most cities... let alone major ones like Seattle. Even places like Hyderabad, London, Sydney, Hong Kong, and Singapore are higher than that. You need to go much further out to places where the land is ~$10k per acre to build something for less than $50k.

        • Debt makes the world go around, and has for thousands of years.

        • by Cederic ( 9623 )

          these companies prey on people through the use of 'credit' systems

          How, exactly?

          Seriously, I'm properly curious here. How do they prey on people?

      • Or you could just move to a country that isn't owned by corporations.
  • by Anonymous Coward on Monday September 18, 2017 @06:41PM (#55222601)

    By an interesting coincidence, I ended finally applying for a credit card (after many years of debit card only) - and American Express wanted me to fill out a form that would have the US treasury make all of my tax records available to Equifax. I looked into it a bit more and apparently American Express has this rather heavy handed tactic of picking some of their customers more or less at random, suspending all their accounts, and then holding the accounts hostage until the customers agree to have the treasury release their tax forms to Equifax. In a perfect world, American Express would face some consequences for forcing their customers to give all kinds of detailed and unnecessary financial information to a firm as incompetent and malicious as Equifax.

    • by Anonymous Coward

      In a perfect world, nobody would be dumb enough to apply to American Express when credit cards can be obtained elsewhere for much better rates and/or no monthly fees.

  • don't get it (Score:5, Insightful)

    by kiviQr ( 3443687 ) on Monday September 18, 2017 @06:41PM (#55222605)
    You hire a security firm and at the same time you don't bother to update critical security issue with the software? Did they have an audit or did they just pay $$ for a PCI compliance sticker? How did the audit go - how come it not revealed issues with too much data being accessible from public subnet? just too many questions....
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Did they have an audit or did they just pay $$ for a PCI compliance sticker?

      Virtually every audit I've been a part of in over 20+ years in IT has been a sham. I've worked in hospitals, movie studios, etc. They're all bullshit.

      • Did they have an audit or did they just pay $$ for a PCI compliance sticker?

        Virtually every audit I've been a part of in over 20+ years in IT has been a sham. I've worked in hospitals, movie studios, etc. They're all bullshit.

        I agree with this.. it is all about checking off boxes with very little understanding of the big picture or implications.

        I mean, I think audits are better than no oversight at all but not by much.

    • by pjw2072 ( 139601 )
      PCI compliance is more about checking a few boxes and has little to do with true security. I recently spoke to the head of security for a fairly large financial company and he told me that PCI compliance created a lot of red tape, but enforced very little security. All of the major companies go through other testing outside of PCI to make sure they're secure. I have no doubt Equifax was fully PCI compliant.
  • by Streetlight ( 1102081 ) on Monday September 18, 2017 @06:52PM (#55222657) Journal
    If the hack was perpetrated five months ago and kept quiet, there has been plenty of time for a great use of the data to be used in enormous amounts of fraud. I haven't heard of such, but may not have listened carefully enough. So, is there really a problem?
    • by SlaveToTheGrind ( 546262 ) on Monday September 18, 2017 @08:33PM (#55223103)

      If the hack was perpetrated five months ago and kept quiet, there has been plenty of time for a great use of the data to be used in enormous amounts of fraud.

      A few thoughts about that:

      1. High-volume fraud gets you caught. Most criminals dealing in this kind of activities are smart enough to get that.

      2. With the pieces of data leaked here -- names, SSNs, addresses, etc. -- there's not much to go stale. There's actually less incentive for bad guys to use it in the short term, because that's when everyone will be the most vigilant. Better to wait for things to calm down and everyone to become complacent again.

      3. Even if someone disregarded point #1 and went ahead and engaged in some short-term low-volume fraud, it would be hard to separate that signal from the noise of the flow of already-existing fraud. See point #1.

      • I'd also add:

        4. The criminals who steal the personally identifying information rarely use it. It's too risky. Instead, they'll offer it on various black market sites to other people. So while the hackers might have 100 million+ identities to offer, they might be slowly releasing them for sale and the buyers might be taking their time using them. It's not like the hackers will suddenly open up 100 million credit cards under 100 million people's names.

  • Credit Freeze (Score:3, Interesting)

    by Anonymous Coward on Monday September 18, 2017 @06:55PM (#55222671)

    Tried to do a credit freeze with Equifax on two occasions last week, and got a 500 Error from their server. Credit freezes on the other two of the big three, Experian and Transunion, went well.

    • by Anonymous Coward

      Send a paper letter via USPS certified, return receipt requested. Sample letters from the California Attorney General can be found here:

      https://www.oag.ca.gov/idtheft/facts/freeze-your-credit

      Details may differ for your state.

  • I am seeing the development of a narrative where you end up taking the blame. Sort of like BP tried to do with TransOcean.
    • by zlives ( 2009072 )

      it depends on if they gave a stamp of approval or not...

    • I am kind of curious WHO was actually performing their day to day operational tasks. Was it their own in-house IT? Did they follow all procedures that SHOULD have prevented this? Was there anything else that could have been done to prevent this.
      • Depends on what procedures they adopted. If it was something like the PCI standard [pcisecuritystandards.org] they likely could have followed everything, well except the part about not retaining sensitive information, and still gotten hacked. The PCI standard is the bare minimum that should be followed but is something written for MBA types so it has checkboxes that give you a warm fuzzy feeling. It does offer some protection but there are better standards but these are harder and require actual thought. Also if they were reasonably
        • I have to agree with you on their approach. They did seem to stop at protecting the consumer information part. But this also points out a glaring deficiency in the US. Maybe they really should look at some regulation similar to HIPAA as this deals with a person's overall well-being, albeit financial and not medical.

    • In fairness, Mandiant as a company probably sucks as badly as many corporate IT security services, and did little to actually help Equifax.
  • by sentiblue ( 3535839 ) on Monday September 18, 2017 @07:06PM (#55222735)
    Lies after lies... they simply refuse to do the right thing. My prediction is that lenders will stop using Equifax reports to make lending decisions and there will be a law/legislation to allow customers to request creditors not to report their information to Equifax.... or to any bureau for that purpose.
    • My prediction is that Equifax will heap all the blame on the now former execs and claim that all is now good. It won't be, but that will be the PR position.

      The only real issue now is how aggressive the SEC will be in investigating and prosecuting these former execs.

      I assume that there is some kind of agreement between the execs and Equifax, intended to shield both parties. Whether this works and whether one side decides to renege on the agreement may determine the outcome of any SEC investigation.

  • by WillAffleckUW ( 858324 ) on Monday September 18, 2017 @07:21PM (#55222799) Homepage Journal

    If the US lived under capitalism, the corporation would be dissolved and its executives would be jailed.

    Luckily, we live in a Mercantilist society, where only the oligarchs make the rules, and our "elections" are fixed.

    • If oligarchs had fixed our election properly then Hillary would be president today. Mercantilism is the opposite of free trade and globalism.
      • Here we go again... another person stating their political view on a completely irrelevant subject.
  • by Anonymous Coward

    get what you deserve.

    Our CIO has a psychology degree, and he is terrible. Security is an afterthought. Instead of designing things to be secure from the ground up (like UNIX), we play whack-a-mole (like Windows) when we find problems.

  • by Anonymous Coward

    Why do we need three of these companies anyway? More is not better.

    Shut Equifax down. Liquidate assets, divide up cash to all 140+ million impacted people around the globe.

    And use that as example of what happens when company has data breach. No new laws necessary.

    The others will get the very clear message.

    Case closed.

  • by Anonymous Coward

    ...I'll just state the obvious: no one ever voluntarily gave their info to Equifax.

  • by Optic7 ( 688717 ) on Tuesday September 19, 2017 @12:07AM (#55223693)

    As far as I know.

    In 2009 I used an email address unique to equifax only, never used anywhere else (I use a different email address to register at each website, usually in the form of websitedomainname@mydomain) to register at their website for the annual free credit report.

    In 2011, I start getting a bunch of spam at the equifax-specific address. Bad spam, as in it's very unlikely that the spammers obtained my address by just buying a mailing list from Equifax and more likely someone stole it from them.

    In other words, they've had poor security for years and years.

    • What makes you think they didn't sell it to whoever wanted to have the information?
      • by jafiwam ( 310805 )

        What makes you think they didn't sell it to whoever wanted to have the information?

        Or, just guessed it.

        If you tail spam blocker logs a few times, you figure out they are brute-forcing email addresses too.

      • by Optic7 ( 688717 )

        The nature of the spam. If it had been for something even borderline legitimate, like "hey, we have xyz service or product you may be interested in", I would have figured they had definitely sold my address. But from what I recall it was really junky spam, like pharmaceuticals, pr0n, phishing, and scams. I highly doubt that Equifax would sell their customers' email addresses to purveyors of that crap, at least for a price that those people could afford to pay. Equifax had at least some reputation to protect

    • Honestly, it wouldn't surprise me if they sold access to your credit information (as they often do) and included your e-mail address in the mix. Then some company just has to hire a shady "e-mail marketing" company and your e-mail address is on a spammer list.

  • by Anonymous Coward

    A bunch of sniveling golden parachute cowards, miscreants, and incompetents! Jail them!!

  • Does anyone really think that this ends with just Equifax? The other credit agencies have more than likely been breached at some point too. I would not bet against the probability that every US citizen has likely had some or all of their identity and financial information leaked, hacked, stolen or sold to other parties. We may all end up adding a credit watching/protection "service" to the list of our many, monthly paycheck leeches. First World Problems I guess...

news: gotcha

Working...