Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone

Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population. In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the …


  1. Alan W. Rateliff, II

    Forced to use them, irrespective of how we want to live

    Equifax, Experian, and Trans Union all enjoy a captive user base. If you do anything in life your information flows through at least one of these companies. Need car insurance, a bank account, to get an apartment, to rent a car or moving truck, to rent storage, to buy a house, cellular, home phone, or cable TV services? Any one of those and more require that your information travel through these services which have proven time and again they lack security prowess.

    But, here is where I think we as consumers must accept some culpability: from my recollection all of these breaches have occurred via pathways of convenience, that is, some Internet portal which has access to a back-end rich with data which we can access on a whim via web browser or app. While, yes, we expect that companies will keep our information safe, whether we want them to have it or not, we should also expect a severe increase in risk for having conveniences like web access to such data.

    (Of course, we hear about data breaches so much I think we have on the whole developed a fatigue, complacency, and even ambivalence toward personal data collection.)

    But where does the problem really fall? Is it our requirement for instant and unfettered access to information, the entities which fulfill this requirement, or the fact these entities are able to collect this information in the first place? Maybe somewhere else?

    It aggravates me that no matter how much I personally avoid (or at least try to avoid) situations in which I would be forced to give personal or private information to someone or something, others are quickly handing that information over anyway. I avoid using Google products, but calling or sending a text message to an Android phone or email to a Gmail account exposes me. Even Some Business and its associated domain is not safe, because it uses Google Apps for email, or Office 365, or its records are stored in Azure or Amazon cloud.

    I do not use social media, but my family or friends post everything about their lives on it, and by extension when I participate in their lives they post mine, as well, giving me the only recourse of becoming anti-social. FFS, even some of my customers do it!

    In order to survive this increasingly connected world I have to accept that my life may no longer be private, at least to some degree, and as such these entities which broker in information have to accept their place as responsible custodians of said information.

    1. Adam 52 Silver badge

      Re: Forced to use them, irrespective of how we want to live

      We, I at least, don't want them to have my data. But it goes to them anyway.

      I don't want the convenience of a web portal. I just want the whole protection racket - because that's what it is - shut down.

      I really, really, hope that our American friends get together a class action to take $200 a piece for every affected user. Which just happens to be Equifax's entire annual revenue.

      1. Anonymous Coward

        Re: Forced to use them, irrespective of how we want to live

        Better make it $199 to avoid Chapter 11.

  2. Anonymous Coward

    I'm safe..

    When the hackers scroll down to my Equifax Credit Rating, they'll just keep scrolling.

    LOL

    1. JCitizen

      Re: I'm safe..

      I'd laugh, but unfortunately, when I think of all the trouble a criminal can do to make your life absolutely miserable, I just can't LOL!! :p

      I've seen people put in jail, in and out, arrested, you name it, because some crook used their identity to throw off the police when they got stopped. It can take 10 years and a LOT of personal finances to clean it all up, and it isn't even our fault. THAT is why I think the Feds need to take the toys away from the credit agencies until they can help us clean up the damage that THEY allowed to happen!!

  3. Winkypop Silver badge

    Corporate criminality

    "only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans were exposed."

    That's OK then, at least they didn't get hold of the key to the executive washroom!!

  4. xXSwolGunzXx

    " the company's core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans were exposed"

    Rigorous risk analysis determined that securing the proprietary information was cost-effective. Not so much the PII--Equifax's competitors all have that data as well so why bother?

  5. FozzyBear

    Well, if you are going to fuck up you may as well fuck up in spectacular fashion. I tip my hat to Equifax; they have managed a fuck up of monumental proportions.

    I mean it. Congratulations to everyone involved at Equifax, you bunch of brainless wankers.

  6. a_yank_lurker

    Oh Well

    There goes my credit rating. I wonder if they can go negative? </snark>

    1. JCitizen

      Re: Oh Well

      It could get worse - ever been arrested for something you didn't do? It can take 10 years to clean up the mess, and break the bank to boot.

  7. Anonymous Coward

    "After such a monumental IT cockup, Equifax has called in a professional security firm to lock down its systems and pick apart the event....". The parent company of the company I work for recently paid for an audit of its IT and security systems. To do the audit, they chose that well known and respected IT Audit company Standard and Poor's! I'd say the parent company wasn't too confident in their own abilities. That, or S&P's audit was cheap enough to get past the accountants. Anon for obvious reasons.

    1. JCitizen

      Yeah - S&P

      doesn't exactly sound like an IT security expert corporation to me. Sounds like someone in upper management has absolutely no clue. That is, unless they just want to ignore the problem and let a financial audit substitute for what really needs to get done.

  8. Anonymous Coward

    "exploiting a vulnerable website application"

    Just in case anyone was thinking that an organization that possesses key identity databases on hundreds of millions of people might have a policy on doing F'ING PEN TESTING on all internet facing applications, it turns out that they don't.

    1. JCitizen

      Re: "exploiting a vulnerable website application"

      Aughhhh GEEZE! That figures!

  9. Hans 1

    hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29.

    On September 7th, Equifax publicly announces the security breach.

    What took you so long? Why do crackers get a month to do as they please before it gets announced?

    1. Dan 55 Silver badge

      Didn't you read the article? So the execs can sell their stock.

  10. Mr Dogshit

    "the heart of who we are and what we do"

    You're fucking data pimps, you pimp data.

    Equifax and Experian should not exist. I believe it to be immoral that these companies make a profit from my very existence.

  11. Anonymous Coward

    we're all doomed

    Since when did anyone other than ourselves care about our data? To employers it's an inconvenience which has to be processed as cheaply as possible. To M$ it's a source of revenue which they can sell.

    To the uninformed it is something to broadcast on social media.

    The General Data Protection Regulation is too little and too late; unfortunately Article 25 (Data Protection by Design and by Default), Article 30 (Records of Processing Activities), Article 32 (Security of Processing) and Article 87 (Processing of the National Identification Number) should have been in place in 2016, not 25 May 2018.

    1. Anonymous Coward

      Re: we're all doomed

      Technically it is in place now, it just isn't being enforced until May 2018.

  12. Potemkine! Silver badge

    Security is our priority

    AFAIK, it's the third major security breach for Equifax in two years. Well done chaps!

    The best part in this story is the $1.8 million of stock sold by three executives 3 days after the breach was discovered, and the answer of Equifax when asked about it: "The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares."

    It says a lot about how stupid Equifax considers the rest of the world to be.

    1. Anonymous Coward

      Re: Security is our priority

      I have to get permission from the board before I can trade in my employer's shares. Any credit rating agency worth its salt should have the same rules.

    2. Wensleydale Cheese

      Re: Security is our priority

      "The best part in this story is the $1.8 million of stock sold by three executives 3 days after the breach was discovered, and the answer of Equifax when asked about it: 'The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares'"

      Three days and the executives not knowing about it suggests a flaw in their management reporting processes.

  13. ctrlaltdelete

    Three top level executives including the CFO sold stock in unplanned transactions a few days after the breach was discovered and Equifax claims it was just a coincidence. I think that deserves attention from US regulators and law enforcement, because it sounds like people with inside information in a panic.

    Also, why hire a Chief Financial Officer named Gamble? Isn't that asking for trouble? It's like flying in a plane with a pilot whose name is Whiskey.

  14. Wonder Warthog

    Appears Indigenous

    In a possibly unrelated irony, attempts to view the Equifax page set up to inform you if your data was compromised, www.equifaxsecurity2017.com, show it has an invalid https certificate, and it is even blocked by OpenDNS as a phishing site. Guess when you handle millions of people's personal info, you naturally have the best data security practices money can buy.

  15. Anonymous Coward

    only the names, social security numbers, birth dates, addresses

    and, in some instances, driver's license numbers

    Could have been worse, let me congratulate them!

  16. Anonymous Coward

    Selling company stock before the hack was announced

    "Three Equifax bosses sold company stock just days after the intrusion was detected on July 29, and therefore about a month before details of the mega-hack were announced today"

    In the UK, that is a financial crime.

    1. Anonymous Coward

      Re: Selling company stock before the hack was announced

      "In the UK, that is a financial crime."

      In theory, but compare the number of British bankers who went to prison after 2008 with the number in the US.

  17. Anonymous Coward

    couldn't have happened to nicer people

    ...

    that said, it would be poetic justice if the data of the actual clients got exposed, not data on millions of plebs...

  18. Aladdin Sane

    Where's GDPR when you need it?

  19. Anonymous Coward

    Award for Equifax staff

    Can The Register award the three guys who sold their shares a DAFTS (Diploma in Alternative Facts and Transmission Studies)?

    1. Aladdin Sane

      Re: Award for Equifax staff

      Is that the one supplied by Trump University?

  20. Anonymous Coward

    Credit ratings

    Should be abolished, they keep people in poverty and under the heel of brutal payday loan companies, for the sake of in some cases very small amounts of money that balloon into a Godzillabill of monumental proportions. In many cases the rates being charged are higher than the fines for *stealing* the goods purchased on credit. (9000% is an example given) not to mention student loans etc.

    (gets off soapbox)

    Equifax should be closed down and the executives involved put in pound-me-in-the-ass Federal prison for this abomination!!!!!! After a (short) fair trial of course.

    1. Aladdin Sane

      Re: Credit ratings

      So you propose a return to lending to whoever asks for money? Were you around in 2008?

      1. Anonymous Coward

        Re: Credit ratings

        Credit scoring has been around for a lot longer than that. The issue in 2008 was a failure to understand the impact of lending so poorly to so many. This was brought about by bending the rules and accepting risk that was outside of normal parameters. The bankers, managers and policy makers are the cause of that.

        There is no such thing as free money; just look at the state of the UK after the Tony Blair and Gordon Brown debacle. If they hadn't been so profligate the economy would not have suffered as badly as it has. The UK is about to suffer another dose of reality thanks to the disruption caused by Brexit. (There is no need to comment on Brexit as it is too late to avoid.)

        This is what happens when the lunatics take over the asylum.

        1. jdoe.700101

          Re: Credit ratings

          I think another part of the 2008 issue was that everyone thought that they had successfully transferred the risk, and thus weren't too concerned about credit ratings.

      2. Wensleydale Cheese

        Re: Credit ratings

        "So you propose a return to lending to whoever asks for money? Were you around in 2008?"

        Credit rating has been around since the 1970s, possibly much sooner.

        It didn't prevent the financial meltdown in 2008, did it?

  21. Dr U Mour

    How Can You Protect Your Data?

    https://www.equifax.co.uk/resources/articles/what_are_data_breaches.html

    "If you are worried about the security of your personal data, Equifax Identity Watch Pro is available for £9.95 a month"

  22. Grunt #1

    Really? I should just publish it on the web myself.

    "CEO Richard Smith said that the company's core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans were exposed."

    Dick Smith, please tell me whether it is more important to lose your commercial data and income stream or my data multiplied 143 million times.

  23. Grunt #1

    How many idiots does it take to compromise everyone's security? 143,000,000 and counting.

    Why does anyone bother to willingly give their PERSONAL data to these shysters?

    1. NeilPost Silver badge

      Re: How many idiots does it take to compromise everyone's security? 143,000,000 and counting.

      You don't... as credit reference agencies it's their business to slurp as much of it as they can get their grubbies on.

  24. NeilPost Silver badge

    WTF

    Jeez, why the fuck are these fuckwits holding un-tokenised card data? Have they not heard of fucking PCI DSS?

    Fine 'em, and fine their ass off with a punitive fine - say 25% of global revenue.

    1. Anonymous Coward

      Re: WTF

      US, not us.

  25. Paul 87

    Stock sell off

    Surely the stock sell-off is the very definition of insider trading? Dumping a load of it right before you release a public report which any idiot knows would negatively affect the share price.

  26. Stumpy

    Frankly, it should be illegal for any company that has suffered a breach to offer protection and remediation services to its affected clients itself. It should always be a trusted third party, as should the investigation into the breach itself.

    Talk about marking your own homework....

    1. Anonymous Coward

      Quite right

      Equifax need to be sternly dealt with, as a deterrent to other companies with sucky security, "security through obscurity" ie keeping records on a PDP-11, etc.

      Just because it's obsolete does not mean someone can't steal the database with a pickup truck during "routine" maintenance or walk out with the hard disk cartridge.

      Or for that matter getting around airgaps with a good old fashioned CDRW.

      (hint: this is why most sensible businesses have a no-music-or-MP3 policy)

    2. Anonymous Coward

      Perhaps any company suffering a breach must cease trading while they sort out the mess.

  27. imanidiot Silver badge

    Obvious 'innit g'vnr

    " possibly gaining clues as to who has it."

    World+Dog, possibly limited to the highest bidder for the moment.

  28. adam payne

    "only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans were exposed."

    Only!?!

  29. Anonymous Coward

    Not our data, change the laws

    Laws need to be changed to make it clear that an individual owns themselves, owns the data they create, and owns the data that is them. Then enforcement has to be on the level currently available to companies and industries trying to stop "piracy" of data they claim as their own. Data they claim as their own because that industry created it.

    Change the laws and put the operators and major owners of companies whose business model has them collecting and selling our data without concern for people or laws. We do the same when it comes to other crimes, recreational drugs for one example, there is no reason we should be applying the same standards to much more basic criminal activities.

    As it is, no one from Equifax is going to jail, bonuses will still be paid, the companies involved will not be called criminal organizations, business will continue and profits will grow, as has so often been the case in the past.

  30. Anonymous Coward

    Customer Help Web Site No Help

    I followed the link to their web site from the article and Firefox gave me this instead.

    "Your connection is not secure

    The owner of www.equifaxsecurity2017.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website."
