
Equifax Says 2.5 Million More Americans May Be Affected By Hack (reuters.com) 78

According to Reuters, Equifax said about 2.5 million additional U.S. consumers may have been impacted by a cyber attack at the company last month. Last month, the company disclosed that personal details of up to 143 million U.S. consumers were accessed by hackers between mid-May and July.

As for what led to the breach, Ars Technica reports it was "a series of costly delays and crucial errors." From the report: Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.
  • Tibetan monks here on sabbatical? Dogs? The fleas on said dogs?
  • and say Everybody
    • by green1 ( 322787 )

      When was the last time a hacker broke into a system and copied only part of a database? If they took anything, you assume they took everything.

    • Now can we all stop worrying about security and NPPI since it's all out there anyway?

  • by Anonymous Coward

    Professor Farnsworth: "Good News Everyone! Equifax Says 2.5 Million More Americans May Be Affected By Hack"
    Leela: But that's worse than what it was before!!!
    Professor Farnsworth: "Huh, wuh?"

  • Mail your creditors. (Score:5, Interesting)

    by John Meacham ( 1112 ) on Monday October 02, 2017 @07:21PM (#55297835) Homepage

    Your personal information is being shared by your creditors/bank with Equifax. That is the only way they collect information.

    Write your creditors and say you no longer consent to your information being sent to Equifax due to their ongoing security issues. There are two other reporting agencies they can use, tell them you only want information shared with Experian and TransUnion until further notice. Even if they say no, say you will hold them legally responsible for information shared with Equifax after Equifax has been shown to be an immediate and clear security risk.

    It is pretty much the only way to hurt Equifax. Gets companies to stop using them. Convince companies that no matter how strong their own privacy policies are, they don't work if they are not transitive to everyone they share your information with.

    Heck, make this idea popular enough that credit card companies start listing "won't share your information with Equifax." as a selling point and it will hurt them bad and make everyone take security more seriously.

    • There are two other reporting agencies they can use...

      They have been breached also. We can stop with the denials. The entire system is wide open

      • by rtb61 ( 674572 )

        Looking at the impact of the Breach of Equifax financially and how that benefits their competitors, you have to wonder at major corporation level where income directly ties to bonus, how much would executives spend to knock out a competitor, perhaps a million dollars, probably, if say a $10 million bonus when a large chunk of a major competitor's income suddenly shifts to your corporation. Corporate wars, really do happen now, psychopathic greed and giving them power was guaranteed to make it happen, there

    • by lucm ( 889690 )

      tell them you only want information shared with Experian and TransUnion until further notice

      Here's the thing. Whenever you find yourself in a situation where someone has to check your credit, you're on the wrong side of the table to make demands.

      Anyways both of those agencies you mention are as crooked and incompetent as Equifax. They both got caught in the same scandal of selling people fake credit scores while giving a different one to lenders.

    • Write your creditors and say you no longer consent to your information being sent to Equifax due to their ongoing security issues.

      Yeah, like they'd care.

    • Write your creditors and say you no longer consent to your information being sent to Equifax due to their ongoing security issues. There are two other reporting agencies they can use, tell them you only want information shared with Experian and TransUnion until further notice.

      At this point there's no reason to believe the other bureaus are any less leaky than Equifax. Equifax may have just been the first bureau with a breach of this scale purely by chance. It would be different if there was a history of repeated breaches unique to them.

    • ... you no longer consent ...

      I don't think that anyone consented to share their data with Equifax in the first place.

    • by guruevi ( 827432 )

      It's not how it works, minion. You cannot opt out of the credit check unless you never want credit. All three of the companies share information with each other (and there are more than the 3 big ones) regardless of your consent.

  • by Snotnose ( 212196 ) on Monday October 02, 2017 @07:23PM (#55297857)

    But can we toss all the Cxx's into prison for a few years, strip them of their assets, and make Equifax an example? They fucked up the rest of my life, one would hope the rest of their lives would be fucked as well.

    • by lucm ( 889690 ) on Monday October 02, 2017 @11:15PM (#55298849)

      They fucked up the rest of my life

      I work daily with credit reports and I will tell you this; even as a legitimate customer of credit agencies we are struggling to use their data. It's basically garbage.

      You would think they have a carefully crafted database with data integrity up the pooper, but in fact it feels more like they're having nonchalant clerks punch in notepad a boatload of data collected from forms submitted by gas station attendants.

      There's truncated fields, overlapping codes, conflicting date formats, unclear buckets with meaningless labels. Sometimes the street address and street name are in the same field, sometimes the creditor name and the amounts are in the same field but their phone number and area code are in two different fields. I've seen first name and last name concatenated in the first name field (with no space), or different spelling for the same financial institution appearing twice in the same customer report.

      So don't worry too much. Your credit file is basically "encrypted" by sheer indifference and lack of concern for data quality.

    • They've been around since 1899 and this is the first major breach. A huge legacy company that went to Internet-based services, and this is their first major breach. That's pretty amazing.

      You won't get perfect security. Everything that allows access into itself will get hacked.

      The solution is to not do it that way [johnmoserforcongress.com].

      Equifax gets hacked, but you have a hardware device which Equifax uses to identify you? That device doesn't share a secret, but instead accepts a challenge and returns a response signed usi

  • They are the VW of credit agencies.

  • by Blymie ( 231220 )

    an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded

    Yeah, right. Makes it sound like "equifax", eg some MBA, tried to get "admins" to patch it, but they refused.

    Almost certainly what happened was the "Equifax email" was from an IT guy, and some admin manager said "NO, we can't do it right now."

    I wonder what department the email was from, and to. And what conversation was had outside of an email stream. "Too c

  • Some clarification was required. 43 people in Delaware were not impacted. Thank you. Ironically, the payouts made to management who are resigning, will on a per victim basis probably be greater than any of the victims will receive via any legal action taken.
  • If an ordinary citizen did something this bad, we'd either get the death penalty or life in the gulag torture camps (living death). So this company needs to get the death penalty. Remember, corporations are people too!

    Revoke Equifax's charter, shut them down, seize their assets for the public coffers. The American people deserve to see the management of Equifax standing in an unemployment line.

    • by DarkOx ( 621550 )

      luckily we live in a nation of laws where we don't just seize your property and close your business because you annoyed some people!

      Equifax is a victim. Yes they failed to take steps to prevent their victimization but that does not mean it was right for hackers/criminals to go in and steal their data; any more than leaving your door unlocked entitles me to go into your house and take your stuff while you are at work today.

      Yes it greatly reduces the sympathy I have for the Equifax and their management who lost

      • Yup, we're a nation with literally millions of laws, and literally millions of souls rotting in our gulag to show for it. Why can't Equifax's "corporate person" rot in the gulag too?

        Oh yeah... it's because we have "the best justice money can buy". Equifax has a whole lot of ill-gotten money, therefore they can buy a whole lot of "justice".

        • by DarkOx ( 621550 )

          I'll totally support a HIPAA-like law that says if you aggregate any PII you have to take appropriate steps and precautions to protect it.

          So that in the future Equifax-like incidents can be punished. All I am saying is that we don't have that law today. We have a Constitutional protection against post facto law making for good reason. Don't let that get eroded because you're mad at Equifax today. That will make a bad situation worse. Pass a new regulation and hold future persons/corporations to account

          • Since apparently you have the budget to purchase laws - alas, I do not - why be so modest? Credit bureaus snoop, spy, slander, and work tirelessly to make the poor stay poor and the rich stay rich. Let's just make them illegal.

            Ah, if only us plebs could afford to buy some laws...

  • Maybe some had more data to share than others, but I wouldn't bet on anyone's personal data escaping unscathed. It would take an act of Congress to protect citizens from the fallout of this breach, but I doubt the current "business friendly" environment will do much to protect the average American.

    • Actually, the cost of the infrastructure to protect against this [johnmoserforcongress.com] is likely under two million dollars if done correctly. The consumer devices would total $2.844 billion at $18 per consumer, although many of us like the $50 Yubikey 4 devices (these each store thousands of FIDO U2F credentials).

      It would take maybe 4 months of a single $120,000 programmer's time to integrate FIDO security with a CRA's Web-based authentication platform, or $40k per CRA (the change is something our own programming team here w

  • by Anonymous Coward

    FTC should now direct that ALL these types of organizations shall LOCK ALL CREDIT REPORTING unless requested to be opened by the OWNER of the accounts.

  • Not just forgetting to patch but also allowing entrance via default admin/admin login/password [cnbc.com], perhaps allowing attackers to discover other credentials and attack vectors to exploit elsewhere.

  • Has anyone bothered to ask why there are only 3 major credit bureaus?
