nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone

'We pride ourselves on being a leader in managing and protecting data'

Really, you do do you.

I pride myself at being good at detecting bullshit, the needle moved a bit at that statement.

It should have moved off the scale and bent the needle, but I've recently re-calibrated it.

111
1
Silver badge

Re: 'We pride ourselves on being a leader in managing and protecting data'

I've lately made the scale on mine logarithmic, as a stopgap it works but I'm not convinced it's future proof.

60
0
Silver badge

Re: 'We pride ourselves on being a leader in managing and protecting data'

I've lately made the scale on mine logarithmic,

No scale means anything unless it has dimensions. We need an SI or ElReg quantum for data breaches. I'd suggest that the unit is called a "Dido", but I'm wondering that the actual scaling should be. I think it needs to be some product of:

1) absolute size of the breach in individual accounts or records exposed,

2) the significance of the data lost on some scale of 1 to 5, where Talk Talk are a three, and Equifax a four - you'd get a five for losing personally sensitive information eg health, personal circumstances, where I have a distinction between personally confidential data and personally sensitive data.

3) a scaled value for the stupidity in allowing the breach on a 1-3 scale. A simple SQL attack is about as basic as you get, that's a 3, a nation-state attack using zero days is a 1.

4) Track record. Simply the number of known breaches in the previous three years.

So, for the last Talk Talk hack, I'm reckoning 157,000 x 3 x 3 x 3 / 1m = 4.24 Didos.

Now, do we take that number of 4.239m as one Dido, and measure other breaches against that? Or do we divide by a million to keep the numbers easy to use, and keep the honorarium, but then quantify the Talk Talk breach as 4.239 Didos? Either way the sheer size of the Equifax breach means Dan 55 is most certainly correct to be using a log scale.

19
0
Silver badge

Re: 'We pride ourselves on being a leader in managing and protecting data'

It was the Bovine excrement meter that was logarithmic.

And with good reasons, as drifting off topic, we are daily faced with two parts of the establishment essentially calling each other bare faced liars.

Politics is no longer about who has the best policies, its about who tells the most attractive lies.

Judging by latest polls, that would be Jeremy Corbyn.

6
5
Silver badge
Stop

Re: 'We pride ourselves on being a leader in managing and protecting data'

Cut the crap, just vote for lizards. You know it makes sense.

Just make sure that you vote for the correct lizard, ok?

5
0
Anonymous Coward

Re: 'We pride ourselves on being a leader in managing and protecting data'

Sadly, I'm afraid the statement is true. In terms of big corporations, they may indeed be a leader in managing and protecting data.

1
1
Silver badge
Holmes

Re: 'We pride ourselves on being a leader in managing and protecting data'

I notice that as of 18.00 UK time, equifax uk is still offline! Hmmm -

0
0
Bronze badge
FAIL

Re: 'We pride ourselves on being a leader in managing and protecting data'

Wadda crock! How much you want to bet the other two agencies are compromised now, and just haven't discovered it yet, like Equifax did? Credit monitoring is NOT enough, They should lock down ALL our credit for free, and lift it when we need it with a simple phone call, for one transaction each, like opening another account. We shout NOT have to pay for their stupid mistakes!

3
0
Bronze badge

Re: 'We pride ourselves on being a leader in managing and protecting data'

My fault, I asked for a credit report, but as I don't use credit, their system went into meltdown at finding out they didn't have a single piece of information about me..

0
0
Silver badge
Flame

Re: Assisting "every US consumer in the country"

And screw everyone else, such as the "unknown number of Canadian and UK customers"?

I'm asking seriously, because unfortunately I'm probably one of them.

But then, as per the headline, probably so is everyone else who's ever had a bank account.

It certainly looks like enough of the right sort of data has been pinched to commit identity theft, on an epic scale.

Personally I'd like to know why such sensitive data is even accessible over the internet, instead of being secured behind a private network, as per trading systems and other sensitive financial data.

6
0
Silver badge
Joke

So?

Credit reporting and checking agency Equifax has admitted to a massive breach of security that could affect almost half of the US population. In a statement, the credit-checkers claimed that hackers managed to get access to some of its data in mid-May

Since Equifax's business model is selling credit data, it's not so much a 'hack' but more 'an unknown new client' that they can't bill.

110
0
Silver badge

Re: So?

Yes. They don't really care that the data is out there. Just outraged that they couldn't charge a fortune for supplying it and therefore make more profit. Their response is hardly inspiring. A years free identity fraud subscription for a service they run themselves and therefore costs them very little. Maybe saying they'll pay the costs of all fraud carried out because of it might be a bit more reasonable.

22
0
Anonymous Coward

Re: So?

Also monitoring fraud for the first year after your details are stolen is not very useful. These types of details are usually used multiple years after being stolen.

9
0
Silver badge
Facepalm

Only

... the names, Social Security Numbers, birth dates, addresses

Isn't that all fraudsters need?

> 3 execs sold stock

Excellent, data loss might just get them a slap on the wrist, but the SEC hands out prison sentences for insider trading.

Loved the tweet from ElReg, by the way!

59
0

Re: Only

An interesting data point. How many execs hold stock? If it's a dozen then these three are dirty. If it's 2,000 then they are likely random noise.

10
0
Anonymous Coward

Re: Only

It's pretty unlikely. Rule 10b5-1 sets out how this goes for executive share sales:

1) Exec sits down with compliance officers and declares their desire to sell shares, along with some reason (e.g. new house, new boat, divorce etc.) for the sale and a neutral rationale for pricing (e.g. company price now +x% growth)

2) They agree upon a price and time window sufficiently broad and far into the future to eliminate the advantage of whatever privileged non-public information the exec holds, this is at least 90 days but usually >6 months away because that's a typical non-public information window (i.e. 2 quarters)

3) The plan is captured in writing and archived

4) The sale is triggered blindly triggered by a broker upon the conditions being met

Ironically insider trading is much, much harder to do when you're an actual insider. Presumably if the company has declared the sales they're happy 10b5-1 was followed.

16
0
Silver badge

Re: Only

Rule 10b5-1 sets out how this goes for executive share sales

Prisons are full of people who broke rules. Insider trading is difficult when companies work by strict interpretations of those rules, but again, prisons.

Not that I have any clue what happened here but saying insider trading doesn't happen because compliance is *absurd*. It might not be prosecuted successfully because good lawyers and technicalities but it happens, continuously.

8
0

Re: Only

Exactly! The Board and Executives would likely have been informed immediately and halted any financial transactions.

To see the Chief Financial Officer of Equifax sell stock just days after the breach was discovered is pretty strong evidence for an investigation.

12
0

Re: Only

The Reuters article says " None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans. "... but it's ok, they say they didn't know about it when they sold...

5
0
Anonymous Coward

Re: Only

I hope the SEC do exactly that.

2
0
Silver badge

Re: Only

whats to stop them going "ooh shit , dump shares" , now knock up one of those declaration things and date it 6 months ago.

2
1
Silver badge

Re: Only

The fact the declaration has to be made to an outside entity who's sole job it is to be as suspicious as possible for any shenanigans?

4
0
Anonymous Coward

Re: Only

"None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.."

Which also isn't unusual. 10b5-1 plans are confidential and do not have to be published, but must be produced if required by the SEC. At the end of the day they're private financial transactions, often quite substantial and often on a schedule.

Now I'm not saying the process wasn't followed, but it'd be really surprising if it wasn't. The stocks dropped 15% after hours, and experience tells us they'll probably rebound; penalties for data breaches in the US are effectively nonexistant and the people impacted by the breach aren't equifax's customers.

So these chaps, probably on 7 figure salaries, saved themselves at most 100k in the short term at the risk of serious prison time, million dollar fines and never working again.

Again, not saying they didn't do it, but just because they offloaded a bunch of shares shortly after a major incident doesn't mean the two are connected. Directors and execs sell shares all the time.

4
0
Silver badge

Re: Only

Can't see the problem here. (sarcasm, for those that don't detect such things without help)

After all a free year of fraud monitoring from an organisation that was incompetent enough to cause the problem in the first place is a good thing right? Besides which, after a whole year, everyone will have changed their social security number, birth date and address anyway therefore prolonged monitoring past this arbitrarily low time period is not necessary. (again, sarcasm, for those that still don't detect such things without help)

It still amuses/scares me about the daftness of using what's meant to be a largely private government identifier in as many (effectively public) databases as possible. A data value is either considered private and priviledged knowledge or it's a publicly available value - it can't be both at the same time. i.e. an SSN should be considered to have no additional value or identity importance than an individual's name would have.

5
0

New kind of social security numbers?

The Register

@TheRegister

To avoid hackers, ensure you use lower and uppercase characters, and at least one symbol, in your social security number #equifaxadvice

Did I miss something? social security numbers are digits only.

5
23

Re: New kind of social security numbers?

It's a joke about useless advice.

62
0
Silver badge
Happy

Re: New kind of social security numbers?

Ah Merkin and Sarcasm

May the two never meet and get on, as it provides endless entertainment for us Brits.

21
2
Bronze badge
Facepalm

Re: New kind of social security numbers?

*WHOOOOOOSH* As the joke goes right over his head...

Where's the eyeroll emoticon?

12
0
Silver badge
Holmes

Re: "Did I miss something?"

Yes, a British upbringing.

1
0

Thank goodness

the thieving scum got

<quote>...only the names, Social Security Numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans were exposed</quote>

I was worried they might have obtained some data that they could then use to commit some fraud related crime and cause some poor sod a barrel load of grief

49
0

Re: Thank goodness

Its awesome when debt collectors come after you for purchases you never had anything to do with.When you straighten it out somewhat, they sell the debt and you start over again. And again, and again. The only person whom truly loses is the victim for years. They have to prove their innocence over and over.

14
0
Silver badge
Pirate

Re: Thank goodness

"I was worried they might have obtained some data that they could then use to commit some fraud related crime and cause some poor sod a barrel load of grief"

I was worried they might have uncovered my secret fetish for midget poodle porn and tried to blackmail me. Fortunately, only Google knows about my fetish, so I can rest easy.

11
0
Anonymous Coward

Re: Thank goodness

"Its awesome when debt collectors come after you for purchases you never had anything to do with.When you straighten it out somewhat, they sell the debt and you start over again. And again, and again."

Sounds like the sub-prime disaster waiting to happen again.

I strongly suspect that the debt collecting agencies work on the principle that if they pester you enough, you'll eventually relent and pay to make them go away.

Advice I've had from family and friends encourages this route.

I also suspect that they give you a "gullibility" or "weakness in the face of pestering" rating. Pay up too easily and you let yourself in for future scam demands.

4
0
Silver badge

Re: Thank goodness

If you are certain you don't owe the debt, send them one letter by registered post telling them so.

After that ignore them. If they send the bailiffs round, call the police. If they take you to court, take them to court back (for harassment and obtaining money with threats, aka extortion.)

I'm pretty sure they won't be able to sell your debt on after any of that.

8
3
Silver badge

Re: Thank goodness

It doesn't work like that.

The ONLY time bailiffs will turn up is when you have had a CCJ issued against you and you fail to make payments on a court ordered payment. In other words, you default.

Debt collection agencies have NO power to send in bailiffs. NONE.

""""""""""""""""""""""""""""""""""""""""""""""""""s at all!!!!!

7
0
Silver badge

Re: Thank goodness

The ONLY time bailiffs will turn up is when you have had a CCJ issued against you

I agree wholeheartedly that this is what *should* happen, but sometimes the heavies are sent round to intimidate people who don't know their rights/legal position. That's why I advised calling the police.

13
0

Re: Thank goodness

"In other words, you default."

This is not a default.

A default is between you and a bank but is not the same, legally, as a CCJ.

Though creditors might see it the same.

Though it does stay on your file for 6 years, making it extremely unlikely you'll get a mortgage, credit card, loan, car finance or possibly even a phone contract until it drops off.

Not as bad as a payment arrangement without default, which means it stays on file for 6 years from the date of the last payment!

0
0
Silver badge

Re: Thank goodness

"Its awesome when debt collectors come after you for purchases you never had anything to do with."

It's a pity that there are not laws against irresponsible lending with penalties as severe as those for getting into debt. So many people are conned into taking on hidden debt - like the "only" £47 a month for the phone contract, the "only" £200 a month car contract, or the BT cheap Infinity deals which limit people to 10Gbytes/month in the small print - a friend of ours, not stupid, was hit with an £80 penalty charge by BT because she was visited by grandchildren who took the opportunity to download everything in sight - and had no idea about the limit because the account was set up by her deceased husband, who didn't tell her.

Credit rating agencies have done a huge landgrab, going from respectable organisations that gave businesses information on the creditworthiness of other businesses, to deeply intrusive organisations that collect information on everybody. It looks like it's now coming back to hit a lot more people than just the ones on which they hold junk information.

8
1
Silver badge

Re: Thank goodness

I have no idea what my "credit score" is, and no desire to find out.

I'm at the point in my life, where I don't need to buy much more. I do have a credit card, because it makes life much easier, but it gets paid off each month.

If someone wants to open a credit card in my name with the information they stole from Equifax, there's probably very little I can do about it, short of telling the card company to go piss up a rope when they try to bill me for a card I never applied for. All I'm going to say, is "Equifax".

8
0
Anonymous Coward

Can't even be arsed to use an Equifax cert?

If you follow the link to see if you've been affected it redirects twice - first to equifaxsecurity2017.com, with a cloudflare ssl cert, and then when you click on "Check Potential Impact" you get redirected to trustedidpremier.com, with an amazon cert. How the hell are you supposed to know if any of these sites are legit?

39
0
Silver badge

Re: Can't even be arsed to use an Equifax cert?

If I ended up at either of those I'd close the browser window thinking I was being phished.

Why didn't they use a subdomain under equifax.com?

10
0
Silver badge

Re: Can't even be arsed to use an Equifax cert?

Most people are smart enough to delete those equifax root certs along with those chinese ones and turk trust is probably why.

2
0

Re: Can't even be arsed to use an Equifax cert?

Also they failed to defensively register

equifaxsecurity.com

equifax2017.com

equifaxsecurity2107.com

equifaxsecurity2018.com

etc.

As a result they've all been registered by a mixture of people having fun and miscreants stealing data.

6
0
Silver badge

Re: Can't even be arsed to use an Equifax cert?

"Why didn't they use a subdomain under equifax.com?"

They are in no way the only culprits for that . There's a page somewhere with a tech bloggers rant about the subject , aimed at Halifax bank mostly . he set up similar domains to make the point.

twas very funny .

I doubt big business learned anything though.

youtube is another one and also one that gets liknto to a lot , with real ugly looking domain names

2
0

Re: Can't even be arsed to use an Equifax cert?

Yes, Quite. Sometimes I think I'm in a very small minority when I suggest this to people - they usually just look at me funny like i've said something insane.....

2
0
Silver badge

Re: Why didn't they use a subdomain under equifax.com?

Under the current cicumstances, who would trust the equifax.com domain?

1
0
Silver badge

Re: Can't even be arsed to use an Equifax cert?

I rebelliously ignored my antivirus' "phishing" warnings and had a peek at equifaxsecurity dot com, which turns out to be a page entitled "M-I-C-K-E-Y-M-O-U-S-E" and has an embedded YouTube video of some weird Japanese pop thing called "Hinoi Team - Night of fire".

0
0
Silver badge

Sounds like 143 million POTENTIALLY affected

Another article had a link to an Equifax site where you could check if you were impacted, and it said I was not. I know they have my credit data, so obviously they didn't get everyone.

Unless the whole thing was a ruse to get people to input their last name and last six of SSN which is what it required to determine impact, of course!

The way I look at it, if hackers did get all the relevant information for every person in the US who has a credit rating, it wouldn't matter much to most of us. The odds of them using my information to try to get credit would be pretty low.

Such a breach would also likely force some major changes in the way credit operates in the US, because they'd no longer have any way of validating if you were who you say you were without you presenting yourself in person with government issued ID at somewhere mutually agreed upon like your local bank. If it were no longer possible to apply for credit online it wouldn't be a bad thing at all.

12
0
wub

Re: Sounds like 143 million POTENTIALLY affected

" ...they'd no longer have any way of validating if you were who you say you were without you presenting yourself in person with government issued ID at somewhere mutually agreed upon..."

Huh, Exactly what I had to do recently, to prove to the IRS that I was who my tax return said I was BEFORE they would even process the form. Seems that there has already been a rash of false filings from my area lately. Has nothing to do with the flaw in the IRS website that allowed anyone to download complete copies of prior tax filings.

Why did nobody use that security hole to grab Donald Trump's returns?

5
0
Silver badge

Re: Sounds like 143 million POTENTIALLY affected

I think we'd probably be better in general if it wasn't so easy to do so much electronically or via mail just using a few bits of not-so-secret information to identify yourself. Most banks offer free notary services for their customers, which is basically "proving you are who are say you are" when signing something. If you had to visit when applying for a new credit card or signing your tax return the only effect would be that banks would have to dedicate a full time employee to this because demand would shoot up.

The additional hassle might keep people from applying for that 8th credit card, which is probably a good thing.

1
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing