Equifax Says 2.5 Million More Americans May Be Affected By Hack (reuters.com)
According to Reuters, Equifax said about 2.5 million additional U.S. consumers may have been impacted by a cyber attack at the company last month. Last month, the company disclosed that personal details of up to 143 million U.S. consumers were accessed by hackers between mid-May and July.
As for what led to the breach, Ars Technica reports it was "a series of costly delays and crucial errors." From the report: Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.
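The summary's point that a delayed scan still missed a vulnerable application is an inventory problem: a scan that only matches file names on disk walks straight past a Struts jar bundled inside a packaged .war. As an added example (not Equifax's tooling; the article names neither the flaw nor its fixed releases), the Go program below walks a deployment tree, records every struts2-core jar it finds, including ones inside .war/.ear/.jar archives, and compares each version against assumed fix thresholds (2.3.32 and 2.5.10.1 here; take the real values from the vendor advisory for the flaw in question). The sample tree used to exercise it is constructed for the demo.

```go
package main

import (
	"archive/zip"
	"fmt"
	"io/fs"
	"os"
	"path"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one Struts core jar the scan located.
type Finding struct {
	Location   string // path on disk, or "archive!entry" for a jar bundled inside a packaged app
	Version    string
	Vulnerable bool
}

// FixedVersions maps a Struts branch to its first patched release. These are
// assumed values, not from the article; take the real ones from the vendor advisory.
var FixedVersions = map[string]string{"2.3": "2.3.32", "2.5": "2.5.10.1"}

var strutsJar = regexp.MustCompile(`^struts2-core-(\d+(?:\.\d+){1,3})\.jar$`)

// versionKey packs "2.5.10.1" into one comparable integer (parts below 1000)
// and also returns its major.minor branch; strutsJar already guarantees the shape.
func versionKey(v string) (key int, branch string) {
	parts := strings.Split(v, ".")
	for i := 0; i < 4; i++ {
		n := 0
		if i < len(parts) {
			n, _ = strconv.Atoi(parts[i])
		}
		key = key*1000 + n
	}
	return key, parts[0] + "." + parts[1]
}

// IsVulnerable reports whether version predates the fix on its branch; a branch
// with no listed fix is vulnerable if it is older than the newest fixed release.
func IsVulnerable(version string) bool {
	v, branch := versionKey(version)
	if fix, ok := FixedVersions[branch]; ok {
		fk, _ := versionKey(fix)
		return v < fk
	}
	newest := 0
	for _, fix := range FixedVersions {
		if fk, _ := versionKey(fix); fk > newest {
			newest = fk
		}
	}
	return v < newest
}

// ScanTree walks root, checking loose jars and the libraries bundled inside
// .war/.ear/.jar archives, which a scan matching only file names on disk misses.
func ScanTree(root string) ([]Finding, error) {
	var findings []Finding
	record := func(location, name string) {
		if m := strutsJar.FindStringSubmatch(name); m != nil {
			findings = append(findings, Finding{location, m[1], IsVulnerable(m[1])})
		}
	}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		record(p, d.Name())
		if ext := strings.ToLower(filepath.Ext(d.Name())); ext != ".war" && ext != ".ear" && ext != ".jar" {
			return nil
		}
		r, err := zip.OpenReader(p) // packaged app: inspect its bundled libraries
		if err != nil {
			return nil // not a readable archive; a production tool would report this
		}
		defer r.Close()
		for _, f := range r.File {
			record(p+"!"+f.Name, path.Base(f.Name))
		}
		return nil
	})
	return findings, err
}

func main() { // usage: go run scan.go /opt/tomcat/webapps
	findings, err := ScanTree(os.Args[len(os.Args)-1])
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("vulnerable=%-5t struts2-core-%-9s %s\n", f.Vulnerable, f.Version, f.Location)
	}
}
```

Run it against each host's deployment root rather than a list of known applications; the `!` in a Location marks a jar found inside an archive. The branch rule errs toward flagging: a jar on a branch with no listed fix is reported vulnerable unless it is newer than every fix.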
Seriously, who hasn't been impacted? (Score:1)
Re: (Score:3)
People outside the USA were affected, eg: Equifax says 400,000 U.K. customers were affected by hack [cnn.com]
Re: (Score:2)
In addition to Alain's comments about the UK customers, there were also 100K Canadians affected: http://www.cbc.ca/news/busines... [www.cbc.ca]
Also, while no one was known to be affected, Argentina's Equifax employee portal was found to be gated by the username/password admin/admin: http://www.bbc.com/news/techno... [bbc.com]
Re: (Score:1)
Also, while no one was known to be affected, Argentina's Equifax employee portal was found to be gated by the username/password admin/admin
Just beautiful.
just stop right here (Score:2)
Re: (Score:2)
When was the last time a hacker broke into a system and copied only part of a database? If they took anything, you assume they took everything.
Re: (Score:2)
Now can we all stop worrying about security and NPPI since it's all out there anyway?
In the voice of Professor Farnsworth: (Score:1)
Professor Farnsworth: "Good News Everyone! Equifax Says 2.5 Million More Americans May Be Affected By Hack"
Leela: But that's worse than what it was before!!!
Professor Farnsworth: "Huh, wuh?"
Mail your creditors. (Score:5, Interesting)
Your personal information is being shared by your creditors/bank with Equifax. That is the only way they collect information.
Write your creditors and say you no longer consent to your information being sent to Equifax due to their ongoing security issues. There are two other reporting agencies they can use; tell them you only want information shared with Experian and TransUnion until further notice. Even if they say no, say you will hold them legally responsible for information shared with Equifax after Equifax has been shown to be an immediate and clear security risk.
It is pretty much the only way to hurt Equifax: get companies to stop using them. Convince companies that no matter how strong their own privacy policies are, they don't work if they are not transitive to everyone they share your information with.
Heck, make this idea popular enough that credit card companies start listing "won't share your information with Equifax" as a selling point and it will hurt them badly and make everyone take security more seriously.
Re: (Score:2)
There are two other reporting agencies they can use...
They have been breached also. We can stop with the denials. The entire system is wide open
Re: (Score:3)
Looking at the financial impact of the breach on Equifax and how it benefits their competitors, you have to wonder, at the major-corporation level where income directly ties to bonus, how much executives would spend to knock out a competitor: perhaps a million dollars, probably, if there is, say, a $10 million bonus when a large chunk of a major competitor's income suddenly shifts to your corporation. Corporate wars really do happen now; psychopathic greed and giving them power was guaranteed to make it happen, there
Re: (Score:2)
tell them you only want information shared with experian and transunion until further notice
Here's the thing. Whenever you find yourself in a situation where someone has to check your credit, you're on the wrong side of the table to make demands.
Anyways, both of those agencies you mention are as crooked and incompetent as Equifax. They both got caught in the same scandal of selling people fake credit scores while giving a different one to lenders.
Re: This would have no legal weight at all. (Score:2)
One-sided contracts such as you describe have no moral authority, and are abhorrent to a free and democratic society. That American kangaroo courts regularly enforce them is prima facie evidence that the courts have no legitimacy, that they are nothing more than a tool for the shameless exploitation of the working people.
Re: (Score:1)
Write your creditors and say you no longer consent to your information being sent to equifax due to their ongoing security issues.
Yeah, like they'd care.
Re: (Score:2)
Write your creditors and say you no longer consent to your information being sent to equifax due to their ongoing security issues. There are two other reporting agencies they can use, tell them you only want information shared with experian and transunion until further notice.
At this point there's no reason to believe the other bureaus are any less leaky than Equifax. Equifax may have just been the first bureau with a breach of this scale purely by chance. It would be different if there was a history of repeated breaches unique to them.
Re: (Score:2)
... you no longer consent ...
I don't think that anyone consented to share their data with Equifax in the first place.
Re: (Score:2)
That's not how it works, minion. You cannot opt out of the credit check unless you never want credit. All three of the companies share information with each other (and there are more than the 3 big ones) regardless of your consent.
I understand I won't get a penny (Score:3)
Re:I understand I won't get a penny (Score:5, Interesting)
They fucked up the rest of my life
I work daily with credit reports and I will tell you this; even as a legitimate customer of credit agencies we are struggling to use their data. It's basically garbage.
You would think they have a carefully crafted database with data integrity up the pooper, but in fact it feels more like they're having nonchalant clerks punch in notepad a boatload of data collected from forms submitted by gas station attendants.
There are truncated fields, overlapping codes, conflicting date formats, unclear buckets with meaningless labels. Sometimes the street address and street name are in the same field; sometimes the creditor name and the amounts are in the same field but their phone number and area code are in two different fields. I've seen first name and last name concatenated in the first name field (with no space), or different spellings of the same financial institution appearing twice in the same customer report.
So don't worry too much. Your credit file is basically "encrypted" by sheer indifference and lack of concern for data quality.
Re: (Score:2)
It has come to a point where we need AI to decipher careless garbage inserted into carelessly designed systems. Basically Skynet will be right to get rid of people.
Re: (Score:2)
They've been around since 1899 and this is the first major breach. A huge legacy company that went to Internet-based services, and this is their first major breach. That's pretty amazing.
You won't get perfect security. Everything that allows access into itself will get hacked.
The solution is to not do it that way [johnmoserforcongress.com].
Equifax gets hacked, but you have a hardware device which Equifax uses to identify you? That device doesn't share a secret, but instead accepts a challenge and returns a response signed usi
Hacked turtles all the way down (Score:1)
They are the VW of credit agencies.
bah (Score:2)
an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded
Yeah, right. Makes it sound like "Equifax", e.g. some MBA, tried to get "admins" to patch it, but they refused.
Almost certainly what happened was the "Equifax email" was from an IT guy, and some admin manager said "NO, we can't do it right now."
I wonder what department the email was from, and to. And what conversation was had outside of an email stream. "Too c
Re: (Score:2)
I'm all for hiring a diverse team based solely on merit, if the pile of resumes representing the best-qualified candidates does, in fact, belong to a diverse team. Doing anything else (like, for example
Re: (Score:3)
I'm actually a systems security engineer and their music major CISO was way, way above my level on infosec knowledge.
Re: (Score:2)
How? I think you're lying; can I please see some evidence that she's competent beyond her lame PCI DSS cert?
I really don't believe you at all.
Re: (Score:2)
Never mind, I googled you... yes, as someone who has only been out of community college a few years, most professionals know more than you; this is not surprising.
Re: (Score:2)
Mauldin kind of scrubbed herself from the Internet and made her LinkedIn profile private after the breach. She has given interviews in which she discussed at length the evolution of the CISO role from a simple evolution of InfoSec engineering to a broad strategic role of organizational risk management.
Thing is, I'm good on risk management—a lot better than most professionals in my field, because risk is a broad topic that doesn't just include things like security vulnerabilities and e-mail spoofin
Re: (Score:2)
Great response, though it wandered a bit. Anyhow, don't sell yourself short; she's the pointy-haired boss from Dilbert, and they used their CISO position to train a promising C-level executive instead of rewarding a good hacker, engineer, or scientist, and they got the results they deserved.
Re: (Score:3)
I don't buy it. She's been in technical positions for a long while and the only black spot on her record is that she strongly defended cloud computing by talking about both the new opportunities to offload many of the security concerns to the provider (who can do it better) and to institute new security controls (because cloud computing lets you fuck up royally if you really want to). What shot down Equifax? A simple, traditional failure to patch a vulnerable piece of software--cloud, local bare metal, or VM
Re: (Score:2)
My decades around hackers and nerds allows me to intuit that she is a manager and not a true technical person. Just from her stupid haircut.
After the subsequent numerous extremely bad hacks and the statement from the CEO that the org has a culture of tenure and mediocrity... the smoking gun that she sucks is that she was working there to begin with. A good hacker would have had a difficult time with the culture there and quit out of frustration.
Re: (Score:2)
My decades around hackers and nerds allows me to intuit that she is a manager and not a true technical person. Just from her stupid haircut.
You could also intuit that I'm a politician from my $800 suit [johnmoserforcongress.com]. I'm also my Campaign Committee's chair, treasurer, accountant, chief technology officer, Web designer (could you tell?), content writer, speech writer, publicist, campaign strategist, information security officer, lawyer, and secretary.
I happen to like train wrecks. Why work at a place that's well put together when you could be rebuilding a nation? I've pushed back against management, pointed out enormous operational flaws, and gotten myse
Re: (Score:2)
I'd much rather have a job that's low stress, high paying, and full of smart co-workers. Counterintuitively, you don't actually learn much from untangling a messy clusterfuck of an IT workplace. You just get burned out. Top talent is an infosec wizard who can lead and manage; it's a rare person and she's probably going to expect a lot more than a "culture of mediocrity and tenure" to retain.
So they had some chubby mom-looking bitch with a music degree. She did graduate summa cum laude and she did get
Re: (Score:2)
Yeah, over three months when I got to my last job I started working 10 hour days, going home and working remotely, studying 5 new technologies, forgetting to eat until like 9pm, forgetting to shower, etc. Manager told me to slow down. Eventually, I came home, collapsed, cried for a while, then crawled into bed and slept 14 hours; I woke up feeling fantastic.
I wonder what kind of infosec degree you could have gotten pre-2002.
Re: (Score:2)
EE, CS, Mathematics, Physics, CIS. I know everyone rags on her degree but a solid 1/3rd of infosec people are for all intents and purposes seat warming frauds. This is one of them. It's not her degree I have a problem with, it's her.
Simplified (Score:2)
shut them down (Score:1)
If an ordinary citizen did something this bad, we'd either get the death penalty or life in the gulag torture camps (living death). So this company needs to get the death penalty. Remember, corporations are people too!
Revoke Equifax's charter, shut them down, seize their assets for the public coffers. The American people deserve to see the management of Equifax standing in an unemployment line.
Re: (Score:2)
luckily we live in a nation of laws where we don't just seize your property and close your business because you annoyed some people!
Equifax is a victim. Yes, they failed to take steps to prevent their victimization, but that does not mean it was right for hackers/criminals to go in and steal their data, any more than leaving your door unlocked entitles me to go into your house and take your stuff while you are at work today.
Yes it greatly reduces the sympathy I have for the Equifax and their management who lost
Re: (Score:2)
Idiot, it's not THEIR data, it's OUR data
Really, did I miss something? Is there some giant open source project that has aggregated credit reporting data on most of the public? Did you do it personally in your mother's basement? Give me a break, you dip shat A/C, since we are name calling. It is their data, period, full stop; that it happens to be about you does not magically change that.
people who have diminished the liberty and property rights of millions of people
Really, again how have they diminished your liberty or property rights? You mean how they made it easier and faster for your borrow money, and did not even charge y
Re: (Score:2)
So Equifax entered into a contractual agreement to keep our credit data safe
Really, I am not aware of being a direct party to a contract with Equifax anytime in recent memory. My bank might have agreed to keep my personal information safe and failed in doing so by giving it to Equifax, but then my beef should be with them. After all, they are the ones who turned it over to a third party.
And YES, motherfucker, forcing people to take time from their lives to deal with this situation DIMINISHES OUR FREEDOM.
Who is forcing you to do anything? You don't even have to visit their website; you are entirely free to proceed with your life as if everything is just fine. Which is probably what you should do, moron.
Re: (Score:2)
Yup, we're a nation with literally millions of laws, and literally millions of souls rotting in our gulag to show for it. Why can't Equifax's "corporate person" rot in the gulag too?
Oh yeah... it's because we have "the best justice money can buy". Equifax has a whole lot of ill-gotten money, therefore they can buy a whole lot of "justice".
Re: (Score:2)
I'll totally support a HIPAA-like law that says if you aggregate any PII you have to take appropriate steps and precautions to protect it.
So that in the future Equifax-like incidents can be punished. All I am saying is that we don't have that law today. We have a Constitutional protection against ex post facto lawmaking for good reason. Don't let that get eroded because you're mad at Equifax today. That will make a bad situation worse. Pass a new regulation and hold future persons/corporations to account
Re: (Score:2)
Since apparently you have the budget to purchase laws - alas, I do not - why be so modest? Credit bureaus snoop, spy, slander, and work tirelessly to make the poor stay poor and the rich stay rich. Let's just make them illegal.
Ah, if only us plebs could afford to buy some laws...
Everybody was affected. (Score:1)
Maybe some had more data to share than others, but I wouldn't bet on anyone's personal data escaping unscathed. It would take an act of Congress to protect citizens from the fallout of this breach, but I doubt the current "business friendly" environment will do much to protect the average American.
Re: (Score:1)
Actually, the cost of the infrastructure to protect against this [johnmoserforcongress.com] is likely under two million dollars if done correctly. The consumer devices would total $2.844 billion at $18 per consumer, although many of us like the $50 YubiKey 4 devices (these each store thousands of FIDO U2F credentials).
It would take maybe 4 months of a single $120,000 programmer's time to integrate FIDO security with a CRA's Web-based authentication platform, or $40k per CRA (the change is something our own programming team here w
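The hardware challenge-response scheme sketched both here and in the earlier "The solution is to not do it that way" comment, as an added example that is neither commenter's code nor anything Equifax or a FIDO vendor ships: a Go model of the U2F authentication exchange with both sides present. The relying party keeps only a public key and the last counter it accepted; the device signs SHA-256(app ID) || presence byte || 4-byte counter || SHA-256(client data) with a private key that never leaves it. The origin string is an assumed placeholder. The point the commenters make is visible in the checks: a breached registration table contains no secret that answers a challenge, a replayed response fails the counter check, and a response signed for a phishing origin or a different challenge fails signature verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registration is all the relying party stores: a public key and the last
// counter it accepted. A stolen copy of this table cannot answer a challenge.
type Registration struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
// Response is what the device returns for one challenge.
type Response struct {
	Presence  byte
	Counter   uint32
	Signature []byte
}
var (
	ErrBadSignature = errors.New("signature does not verify for this origin and challenge")
	ErrReplay       = errors.New("counter did not advance: replayed response or cloned device")
)

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

// Register hands the relying party the public half only.
func (a *Authenticator) Register() Registration {
	return Registration{PubKey: &a.priv.PublicKey}
}

// signedData follows the U2F authentication layout: SHA-256(appID) || presence
// byte || 4-byte big-endian counter || SHA-256(client data carrying the challenge).
func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append(app[:], presence)
	buf = append(buf, ctr[:]...)
	return append(buf, chal[:]...)
}

// Sign answers a challenge for the origin the browser reports and bumps the
// counter; a response obtained by a phishing origin will not verify elsewhere.
func (a *Authenticator) Sign(appID string, clientData []byte) (Response, error) {
	a.counter++
	digest := sha256.Sum256(signedData(appID, 1, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Response{}, err
	}
	return Response{Presence: 1, Counter: a.counter, Signature: sig}, nil
}

// Verify is the relying party's check: rebuild the signed data from its own
// appID and the client data it issued, verify with the stored public key, then
// require a strictly increasing counter before accepting.
func (r *Registration) Verify(appID string, clientData []byte, resp Response) error {
	digest := sha256.Sum256(signedData(appID, resp.Presence, resp.Counter, clientData))
	if !ecdsa.VerifyASN1(r.PubKey, digest[:], resp.Signature) {
		return ErrBadSignature
	}
	if resp.Counter <= r.Counter {
		return ErrReplay
	}
	r.Counter = resp.Counter
	return nil
}

// NewChallenge is the relying party's fresh per-login nonce.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

func main() {
	const origin = "https://cra.example" // assumed relying-party app ID for the demo
	dev, _ := NewAuthenticator()
	reg := dev.Register()
	chal, _ := NewChallenge()
	resp, _ := dev.Sign(origin, chal)
	fmt.Println("fresh:", reg.Verify(origin, chal, resp), "| replay:", reg.Verify(origin, chal, resp))
}
```

The counter is the detail people forget: without it, a response captured once is good forever, and a cloned device is indistinguishable from the real one. Real deployments also bind the app ID to the browser-reported origin and wrap the challenge in signed client data; the layout above is the same, only the transport is left out.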
Time to Lock All Three by Default (Score:1)
FTC should now direct that ALL these types of organizations shall LOCK ALL CREDIT REPORTING unless requested to be opened by the OWNER of the accounts.
Admin/admin (Score:2)
Not just forgetting to patch but also allowing entrance via default admin/admin login/password [cnbc.com], perhaps allowing attackers to discover other credentials and attack vectors to exploit elsewhere.
Why are there only 3 Major Credit Bureaus (Score:1)
Has anyone bothered to ask why there are only 3 major credit bureaus?