Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com)
Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report: Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.
In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.
Silver Lining (Score:2, Insightful)
Maybe this will make people stop being so dependent on debt. Then perhaps the price of things will go down since no one will finance them any longer. Then maybe we'll see the banksters starving in the gutter.
Re:Silver Lining (Score:5, Insightful)
Then maybe we'll see the banksters starving in the gutter.
"When banks fail, it is seldom bankers who starve."
Re: (Score:2)
"when banks fail" is using the term of art "bank failure" which is completely different from and unrelated to banks going out of business due to lack of buyers for their services.
Re:Silver Lining (Score:4, Insightful)
Maybe this will make people stop being so dependent on debt. Then perhaps the price of things will go down since no one will finance them any longer. Then maybe we'll see the banksters starving in the gutter.
You do realize that credit reporting is done for more life events than those related to debt, right?
You want a cell phone and don't use a prepaid one? Likely a credit check and monthly reports about your account...
You open an account with the local electric company? Credit check, and likely ongoing reports..
Open a checking or savings account? Brokerage account? 401k/IRA?
You simply are NOT going to get away with not having your data show up at one of the big three unless you live a very unconventional life, only accept or spend cash and never do any one of the things we usually take for granted in today's world.
Re: Silver Lining (Score:1)
And are you aware that these companies prey on people through the use of 'credit' systems? No way to opt out, no way to protect yourself, and corporations have all the cards, as usual.
This should be treated like a monopoly and completely broken up. Who cares that people can't buy $200k houses they can't afford? The market will adapt or it will die, plain and simple.
Debt is modern slavery and only brings negative things to your life.
Re: Silver Lining (Score:4, Insightful)
Debt is modern slavery
A hundred years ago, this was quite true, and it still is in many parts of the world. People always have needed loans. Savings are quite difficult to secure. The more you have the more bad actors target you. So people took loans for that cow, bike, education, or house. But back then, that debt passed on to your children. It wasn't unusual to have the grandfather build a house and the grandchildren pay it off.
The interest you got charged was based on who you knew and what collateral you had. Gold, silver, daughters, etc. The lender many times basically owned your family. Those without connections or collateral had to beg or got no loans. They could never climb up in society.
The modern Credit System, even with all its faults, is phenomenal and quite far from your statement. It allows strangers to partially assess the risk of an investment in the other. Additionally, the debt doesn't pass on to others. The failure of the investment is shared by only all parties to the deal. This allows for greater investments and returns in society. The only figurative chains of slavery are the ones self-imposed.
As for cheaper houses: sure, without lending, houses would be cheaper, but they would be smaller too, with fewer features. If you want, you can still build your own 1950's 1000 sqft ranch home on 1/2 an acre of unincorporated land in less than 6 months for under $50k.
Re: (Score:2)
And land within Seattle or New York or Washington DC is far, far more than that... What is your point? There is a lot of demand for land close to most cities... let alone major ones like Seattle. Even places like Hyderabad, London, Sydney, Hong Kong, and Singapore are higher than that. You need to go much further out to places where the land is ~$10k per acre to build something for less than $50k.
Re: (Score:2)
At the end of the road - programmers on the coasts can afford to live anywhere while the one making jack wages is stuck exactly in nowhere, forever.
Re: (Score:2)
Debt makes the world go around, and has for thousands of years.
Re: (Score:2)
these companies prey on people through the use of 'credit' systems
How, exactly?
Seriously, I'm properly curious here. How do they prey on people?
Re: (Score:2)
By all means move.... Enjoy living in the third world...
Re: (Score:2)
No, that's just moronic. If you don't want the records to exist, you have to prevent them from being created. Deleting them afterwards is just another idiot thing that will get you in more trouble.
Re: (Score:2)
What is even more pertinent is who the hell hacked them and more to the point why?
It looks like it was just standard hacking that we see going on every time a new exploit gets released. When there's a new exploit, the whole internet gets probed.
There is a market for this kind of user info, and that's probably where it will get dumped.
Re: (Score:2)
If the music major had any IT smarts, Equifax wouldn't be in this mess to begin with.
American Express requires Equifax (Score:5, Interesting)
By an interesting coincidence, I ended up finally applying for a credit card (after many years of debit card only) - and American Express wanted me to fill out a form that would have the US treasury make all of my tax records available to Equifax. I looked into it a bit more and apparently American Express has this rather heavy-handed tactic of picking some of their customers more or less at random, suspending all their accounts, and then holding the accounts hostage until the customers agree to have the treasury release their tax forms to Equifax. In a perfect world, American Express would face some consequences for forcing their customers to give all kinds of detailed and unnecessary financial information to a firm as incompetent and malicious as Equifax.
Re: (Score:1)
In a perfect world, nobody would be dumb enough to apply to American Express when credit cards can be obtained elsewhere for much better rates and/or no monthly fees.
Re: (Score:2)
With those APR rates, you'd have to be seriously stupid to leave money on an amex card. So yeah, it's a charge-card.
Re: (Score:1)
The lesson here is: Don't use a credit card for short term business funding.
I mean, really? That's fucking ludicrous.
don't get it (Score:5, Insightful)
Re: (Score:3, Informative)
Did they have an audit or did they just pay $$ for a PCI compliance sticker?
Virtually every audit I've been a part of in over 20+ years in IT has been a sham. I've worked in hospitals, movie studios, etc. They're all bullshit.
Re: (Score:2)
Did they have an audit or did they just pay $$ for a PCI compliance sticker?
Virtually every audit I've been a part of in over 20+ years in IT has been a sham. I've worked in hospitals, movie studios, etc. They're all bullshit.
I agree with this.. it is all about checking off boxes with very little understanding of the big picture or implications.
I mean, I think audits are better than no oversight at all but not by much.
Re: Insider trading, jail for life (Score:2)
Re: (Score:2)
It's time to make it illegal to use Social Security numbers for any purpose other than government usage. The release of SSNs is the real Equifax damage here. There is no need for colleges, banks or hospitals to be using it. Colleges, banks and hospitals managed to function before SSNs came into existence; they can do so again.
There's nothing wrong with using the SSN to track who people are, that plus DOB avoids name collisions in data and lets everybody figure out who they are dealing with for sure. Which is a good thing.
There is A LOT wrong with using the SSN like a password that has to be secret to be useful. Unfortunately there isn't a substitute for it at this time.
We don't know who has the data yet. The OPM hack was probably Chinese mob or Chinese gov (like they are different) and "wreck some guy's credit by opening c
Has there been any fraud since the hack? (Score:4, Interesting)
Re:Has there been any fraud since the hack? (Score:5, Insightful)
If the hack was perpetrated five months ago and kept quiet, there has been plenty of time for a great use of the data to be used in enormous amounts of fraud.
A few thoughts about that:
1. High-volume fraud gets you caught. Most criminals dealing in this kind of activity are smart enough to get that.
2. With the pieces of data leaked here -- names, SSNs, addresses, etc. -- there's not much to go stale. There's actually less incentive for bad guys to use it in the short term, because that's when everyone will be the most vigilant. Better to wait for things to calm down and everyone to become complacent again.
3. Even if someone disregarded point #1 and went ahead and engaged in some short-term low-volume fraud, it would be hard to separate that signal from the noise of the flow of already-existing fraud. See point #1.
Re: (Score:3)
I'd also add:
4. The criminals who steal the personally identifying information rarely use it. It's too risky. Instead, they'll offer it on various black market sites to other people. So while the hackers might have 100 million+ identities to offer, they might be slowly releasing them for sale and the buyers might be taking their time using them. It's not like the hackers will suddenly open up 100 million credit cards under 100 million people's names.
Credit Freeze (Score:3, Interesting)
Tried to do a credit freeze with Equifax on two occasions last week, and got a 500 Error from their server. Credit freezes on the other two of the big three, Experian and Transunion, went well.
Re: (Score:1)
Send a paper letter via USPS certified, return receipt requested. Sample letters from the California Attorney General can be found here:
https://www.oag.ca.gov/idtheft/facts/freeze-your-credit
Details may differ for your state.
Watch out Mandiant (Score:2)
Re: (Score:2)
it depends on if they gave a stamp of approval or not...
Re: Watch out Mandiant (Score:2)
Re: (Score:2)
I have to agree with you on their approach. They did seem to stop at protecting the consumer information part. But this also points out a glaring deficiency in the US. Maybe they really should look at some regulation similar to HIPAA as this deals with a person's overall well-being, albeit financial and not medical.
Typical unethical US Corporate (Score:5, Interesting)
Re: (Score:3)
My prediction is that Equifax will heap all the blame on the now former execs and claim that all is now good. It won't be, but that will be the PR position.
The only real issue now is how aggressive the SEC will be in investigating and prosecuting these former execs.
I assume that there is some kind of agreement between the execs and Equifax, intended to shield both parties. Whether this works and whether one side decides to renege on the agreement may determine the outcome of any SEC investigation.
Re: (Score:2)
credit companies do not exist to help us, the consumers, manage or validate our good credit. They exist to help lending companies avoid bad lending scenarios
Turn that around though. A 'bad lending scenario' is one in which a consumer takes on debt that they can't afford, ending up in financial difficulties.
That's not helping the consumer.
Some people may be denied access to credit that they can afford but broadly the system benefits people that can't make good financial decisions by protecting them (and the institutions from which they're trying to borrow) from their own poor judgement.
submitting corrections, cleaning up errors... these are all revenue negative activities that drain resources from selling the data.
Without these the data being sold is less accurate and less valuable. Banks w
Good thing USA is not a capitalist country (Score:3, Insightful)
If the US lived under capitalism, the corporation would be dissolved and its executives would be jailed.
Luckily, we live in a Mercantilist society, where only the oligarchs make the rules, and our "elections" are fixed.
Hire an anti-tech music major... (Score:1)
get what you deserve.
Our CIO has a psychology degree, and he is terrible. Security is an afterthought. Instead of designing things to be secure from the ground up (like UNIX), we play whack-a-mole (like Windows) when we find problems.
Re: lost of telemarketing calls (Score:2)
shut them down and liquidate assets (Score:2, Interesting)
Why do we need three of these companies anyway? More is not better.
Shut Equifax down. Liquidate assets, divide up cash to all 140+ million impacted people around the globe.
And use that as an example of what happens when a company has a data breach. No new laws necessary.
The others will get the very clear message.
Case closed.
The worst thing.. (Score:1)
...I'll just state the obvious: no one ever voluntarily gave their info to Equifax.
Breached in 2011 too, never reported anywhere (Score:4, Interesting)
As far as I know.
In 2009 I used an email address unique to equifax only, never used anywhere else (I use a different email address to register at each website, usually in the form of websitedomainname@mydomain) to register at their website for the annual free credit report.
In 2011, I start getting a bunch of spam at the equifax-specific address. Bad spam, as in it's very unlikely that the spammers obtained my address by just buying a mailing list from Equifax and more likely someone stole it from them.
In other words, they've had poor security for years and years.
Re: (Score:2)
What makes you think they didn't sell it to whoever wanted to have the information?
Or, just guessed it.
If you tail spam blocker logs a few times, you figure out they are brute-forcing email addresses too.
Re: (Score:2)
The nature of the spam. If it had been for something even borderline legitimate, like "hey, we have xyz service or product you may be interested in", I would have figured they had definitely sold my address. But from what I recall it was really junky spam, like pharmaceuticals, pr0n, phishing, and scams. I highly doubt that Equifax would sell their customers' email addresses to purveyors of that crap, at least for a price that those people could afford to pay. Equifax had at least some reputation to protect
Re: (Score:3)
Honestly, it wouldn't surprise me if they sold access to your credit information (as they often do) and included your e-mail address in the mix. Then some company just has to hire a shady "e-mail marketing" company and your e-mail address is on a spammer list.
Re: (Score:2)
Could be, but it didn't seem like it to me at the time. See my other reply with some further thoughts: https://slashdot.org/comments.... [slashdot.org]
Jail Time for Equifax Senior Execs! (Score:2, Interesting)
A bunch of sniveling golden parachute cowards, miscreants, and incompetents! Jail them!!
Who else isn't talking? (Score:1)