back to article Equifax mega-leak: Security wonks smack firm over breach notification plan

Credit reference agency Equifax has been criticised for its breach response in the wake of the disclosure on Thursday of a megahack that affected the data of up to 143 million people in the US alone. The credit reference agency admitted that criminals may have been able to access data including names, social security numbers, …

  1. chris street

    Go to the organ grinder..

    Theres no way that I'm signing up and waiting to find... oh wait. The unwashed in the UK don't even get to do that.

    They've a UK presence. So complain loud and hard to the ICO direct. There is no route to complain direct to Equifax so you've exhausted their complaints route. If there are enough complaints at the ICO every single time there is a breach maybe just maybe they will get off their fat backsides and do something.

    Also ask if your financial companies use Equifax. If they do start withdrawing your services from them and tell them why. Make them care by affecting their bottom line and maybe stupid stuff like this will actually get dealt with.

    1. Anonymous Coward
      Anonymous Coward

      Re: Go to the organ grinder..

      It's a nice thought but Experian/Equifax are used by everyone nearly so you can't avoid them. Also it's not just financial companies anymore, they hold data on all your payments to utilities and services. It's a crafty way to build up better profiles by offering exchange of information with companies. I remember years ago when working in Telecoms they started doing it.

      1. DaLo

        Re: Go to the organ grinder..

        However this shouldn't be allowed after 25th May 2018 as the UK version of GDPR will be in place. You can refuse to have your data shared with Equifax and the company involved cannot withhold a product from you unless they can prove it is required for the purposes of fulfilling a contract.

        they may be able to claim justification for the contract bit in gaining your credit profile but them creating extra information beyond that on your profile or the credit reference agency utilising it for marketing or selling it would not be allowed.

        1. This post has been deleted by its author

          1. Anonymous Coward
            Anonymous Coward

            Re: Go to the organ grinder..

            No you are wrong and it is very different to the DPA. Under the DPA customers who had a relationship with a supplier were fairly free game when it came to further utilisation of their data as long as it was specified in their data protection registration.

            I never said it was contractual arrangements - as in you can write it into a contract, it was for the contract bit of the GDPR (Section 6(1)(b) to be precise).

            this states: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

            Which is the reason they will use as justification for the requirement to make use of a credit reference agency .

            Legitimate interest is not as broad as you seem to think it is. There is a significant caveat that except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. . If you look at the guidelines relating to this clause you can see that it is very limited in scope - you can't just declare that we have an interest in marketing to our customers so we can carry on doing it.

            The primary justification is definitely that explicit consent is required and preferred. This can't be in a privacy policy or general terms and conditions. Therefore if I do not state that my details cannot be used for marketing purposes, then they can't and a service can not normally be withheld because of it.

            If you think the DPA and the UK version of GDPR are functionally the same then I suggest you go back and read them carefully soon, because you may have a rude awakening and the fine is not to be sniffed at.

            1. This post has been deleted by its author

              1. Adam 52 Silver badge

                Re: Go to the organ grinder..

                Nobody knows how GDPR will pan out yet, and what the courts will consider acceptable under the legitimate interested justification.

                Google and Equifax will be arguing for liberal interpretation. I'm hoping that the AC above is correct. It's hard to see a legitimate interest in banks sharing transaction level information just so they can be members of a club though.

                1. Adam 52 Silver badge

                  Re: Go to the organ grinder..

                  Sorry, been thinking about this a bit more. The banks (and Facebook and Microsoft) all rely on a consent clause in the contract at the moment. That means that they currently don't believe that the necessity criteria is met (or that there's no harm in requiring consent just in case) even under the UK's more lax interpretation than other EU states.

                  If that's the case then the necessity justification won't be available post-GDPR either, because nothing much is changing there, and they'll have to rely on one of the others. It's not life or death, there's no public interest, preventing crime is a stretch so there really is only consent or a very optimistic "legitimate interest".

                2. post-truth

                  Re: Go to the organ grinder..

                  Under GDPR Legitimate Interests will become the refuge of the terminally desperate.

              2. Anonymous Coward
                Anonymous Coward

                Re: Go to the organ grinder..

                "Direct marketing is specifically called out in the GDPR as a legitimate interest..."

                No it isn't the only place is in recital 47. Although that states The

                processing of personal data for direct marketing purposes may be regarded as carried out

                for a legitimate interest. The key is the 'may' bit which has been discussed ad infinitum on various channels. The consensus is that this only applies if it would not have been possible to get explicit consent at that time and definitely does not apply to a second level recipient of that data.

                The whole point of explicit consent was to allow the data subject to decide what their data could be used for. If a company was allowed to override this just by saying it was in their interest then this would negate the need for explicit consent in nearly every case.

                Quite a good break down of it is here: https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/

                Which states:

                "Therefore, marketing and sales organizations would be ill advised to skip consent collection and instead rely on legitimate interests to justify, for example, tracking prospects’ online behavior based on site visits, email engagement, IP address location tracking, etc. to show behavioral ads or create sales lead scores.

                For those insisting on the possibility of a blanket, categorical affirmative interpretation of this last sentence as absolving all direct marketers of the need to ever obtain consent, Recital 70 firms rejects this possibility:

                (70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

                It is therefore unambiguous that direct marketers must obtain consent as a rule, unless they are able to prove legitimate interest in particular cases where data subjects reasonably expect such data processing to take place, as per outlined in Recital 47."

                Finally you mention the ePD but that is not the UK law. The UK law is PECR 2003 (latest amendment 2016)which was putting the ePD into UK law.

                There is no grounds for you to apply for a financial service and end up having marketing sent to you from a third party company due to your inclusion on credit reference agency file without your explicit and unambiguous consent.

                1. post-truth

                  Re: Go to the organ grinder..

                  Interestingly, none of the responses in this otherwise rather good geeky brainstorming thread have addressed any of the three biggest GDPR vulnerabilities of the data brokers. Keep working in it, folks. It's going to be fun.

    2. Anonymous Coward
      Anonymous Coward

      Re: Go to the organ grinder..

      Can you complain to the ICO if you don't know if you've been affected? The ICO obviously already know about the breach so until they state who was affected you can't take a complaint much further.

    3. Unhelpful Yoda
      Trollface

      Re: Go to the organ grinder..

      Only folks with low credit scores complain about Equifax.

    4. Anonymous Coward
      Anonymous Coward

      Re: Go to the organ grinder..

      Wait until July 2018. Sue them then. It'll be a whole lot easier.

  2. Len Goddard

    Alternatives

    I've come across this marvelous alternative to online credit. It involves small paper tokens. You can exchange some of the tokens (called cash) for a secure storage facility called a mattress - a one-time expense, no recurring charges.

    1. big_D Silver badge

      Re: Alternatives

      This isn't about credit, it is about credit scoring. They'll hold information on you anyway if you have had any transactions with any of their customers.

  3. Anonymous Coward
    Anonymous Coward

    I surprised they haven't set up a call centre in Nigeria to deal with it.

    1. ecofeco Silver badge

      How do you know they haven't? :)

      1. elDog

        'cause there are some lower case letters?

        Just sayin.

  4. Anonymous Coward
    Anonymous Coward

    Are they the ones with the talking dog, idiot manbaby and dead eyed female who's never out of pyjamas? Not that I really care.

    1. Anonymous Coward
      Anonymous Coward

      It's the idiot talking dog in pyjamas.

    2. Irongut

      I think they're the ones with the idiot who thinks providing them with his personal and financial details for free makes checking his credit score some sort of game. Or that could be Experian, they're basically the same tbh - privacy invading leeches who hold records on you without your consent and provide no service in return (to individuals at least).

  5. K

    Would they be subject to GDPR rules?

    Interesting to understand the future impact of the new EU rules, especially if they were holding UK/EU citizen data.

    1. Anonymous Coward
      Anonymous Coward

      Re: Would they be subject to GDPR rules?

      Short answer: yes.

  6. Anonymous Coward
    Anonymous Coward

    Likely cause

    So the talking head thinks that it was probably an SQL injection attack.

    No proof at the moment, but if it does transpire to be the case, then for their company's gross incompetence, every one of Equiux' directors should have their knackers publicly nailed to a tree, in front of a drunk audience of hooting, jeering peasants.

    For the two ladies of the board (being a gentleman myself) I'd only require that they have one toe nailed to the same tree.

    1. Anonymous Coward
      Anonymous Coward

      Re: Likely cause

      If true, I'm amazed that those idiots don't have defenses. Where convenient, for years I've had libraries not only to immunize myself, but also to auto-log all SQL injection attacks for subsequent analysis/profiling and, if I'm lucky, identification for turning the tables on unexpectedly careless players.

  7. Anonymous Coward
    Anonymous Coward

    How is their response "good"?

    A special purpose sign-up site with a domain name (www.equifaxsecurity2017.com) that couldn't look more like a phishing site if it tried, offering one pathetic year of "you're fucked" notification and no compensation. And you're not even their customer in the first place!

    1. Anonymous Coward
      Anonymous Coward

      Re: How is their response "good"?

      > And you're not even their customer in the first place!

      But you are if you take up the "free" service. In 12 months time it will probably auto-renew and they'll start charging you for it.

      This could all be one huge marketing exercise.

      1. joed

        Re: How is their response "good"?

        I was once offered the free credit monitoring (some online store that will remain unnamed). Obviously, I just ignored it as sharing more information than leaked by the store with some 3rd party (saying "trust us") would just add irony to the situation. I guess I was not cynical enough to envision auto-renewal. Thanks for the insight.

        1. Destroy All Monsters Silver badge

          Re: How is their response "good"?

          I think it was the sarcastic "good".

          If not, one should flush those contented "security researchers" down the loo illico presto.

          Most belong there anyway, being glorified mechanics looking for flaws in systems built by peasants led by donkeys.

    2. Nameless Faceless Computer User

      Re: How is their response "good"?

      oh, it's even worse. Someone investigating that website discovered that the "test" to see if your data was compromised always returned a positive result to ensure the maximum number of people sign up for their paid service.

  8. Ian Michael Gumby
    Boffin

    Class action lawsuit.

    This is a major class action lawsuit in the making.

    There's no denial as to the harm this can cause because it makes it easier for the crooks to target individuals and to steal identities.

    There is also no excuse.

    They should be offering free credit monitoring for the next 5 years.

    1. Derezed

      It should be...

      It should be for life. People can't change their date of birth or social security number. They also shouldn't have to move house to avoid being scammed because some fuck witted company can't keep its data off the internet.

    2. linuxgb

      Re: Class action lawsuit.

      Let me get this straight ... we trusted them with our most personal details which got leaked, and so to try and make us feel better they'd like to offer us another year of trusting them with our most personal details? Sounds great, where do I sign?

      1. Dominion

        Re: Class action lawsuit.

        Not exactly. Someone else trusted them with your personal data, which has now got leaked. As mentioned above, they are now using it as a marketing opportunity to sell you their dodgy products.

  9. Banksy
    Joke

    As long as it wasn't anything important....

    "The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers."

    1. Anonymous Coward
      Anonymous Coward

      Re: As long as it wasn't anything important....

      It's worth flagging up that US S.S. numbers are not the analogue of UK National Insurance numbers (which are not fit for purpose anyway. But that's for another fuck up).

      They're leveraged into a lot of commercial and government systems.

      Any breach which means they can't be trusted is catastrophic.

      1. anothercynic Silver badge
        Angel

        Re: As long as it wasn't anything important....

        It's worth flagging up that US S.S. numbers are not the analogue of UK National Insurance numbers (which are not fit for purpose anyway. But that's for another fuck up).

        They're leveraged into a lot of commercial and government systems.

        Just like the UK National Insurance numbers. Excellent. ;-)

      2. bombastic bob Silver badge
        Unhappy

        Re: As long as it wasn't anything important....

        "It's worth flagging up that US S.S. numbers are not the analogue of UK National Insurance numbers"

        their TRUE usage is as "taxpayer identification numbers". There are similar numbers for corporations. You can't legally work without one, because your income is reported to the IRS using "that number".

        aside from the fact that "Social Security" is in itself a misnomer, oxymoron, etc. - there is NO security, and it's not "social" at all - it's a tax collection number.

  10. ecofeco Silver badge
    Trollface

    Wot?

    You means Wordpress and crusty kludgy websites with 3 dozen external 3rd party servers and multiple scripting languages that also uses an unsecure phone app are not the Interwebs?

    Get with the times old farts!

  11. Anonymous Coward
    Anonymous Coward

    They're part of the problem

    Equifax - Hah! They got me turned down for a loan here in 'Murica back in the spring. Credit score was 'too low'. I got their "one per year" free credit report. No credit cards listed. And that wasn't a surprise, because I don't have any credit cards, because I don't like paying interest. Turns out, if you don't have any credit cards listed on their files, your credit score is so low, you can't get a loan. Talking around, I was told, to raise my credit score, get a credit card or two. Ooops, I haven't done that yet. And now, ooops, if I had, I'd be SCREWED. So now, every person who has gotten a credit card to raise their credit, is SCREWED. Hah!! Experian and its [censored]-poor security is part of the problem, not the solution.

    1. Number6

      Re: They're part of the problem

      The US credit scoring system is not fit for purpose anyway. What you get is a snapshot, so the day before I pay off a credit card bill my score can be noticeably lower than the day after. It fails to note that this is a repeating pattern and actually represents a sensible and responsible use of credit.

      As for paying interest, if you're doing that on a credit card then you're using it wrong.

      1. Anonymous Coward
        Anonymous Coward

        Re: They're part of the problem

        "As for paying interest, if you're doing that on a credit card then you're using it wrong."

        Personally, I agree. That's why I don't hold credit cards, I don't pay them off promptly. So, no credit cards for me, so I won't have to pay interest.

        But repayment isn't what the bank is looking at when it runs a credit score. I have confirmed with a former bank employee: For the CONSUMER credit score, it tells the bank your likelihood of paying them income, i.e. interest. It has nothing to do with actual tendency to repay a loan. On a BUSINESS credit score, the bank actually checks out the likelihood of repayment.

    2. Anonymous Coward
      Anonymous Coward

      Re: They're part of the problem

      And now, ooops, if I had, I'd be SCREWED

      Sadly, AC, you're STILL screwed, because Equifux have spewed all your details to the world. The fact that you don't have a credit card to exploit will be immaterial, because at this very moment there's probably a house full of Bulgarian crims making applications in your name, with all your details. And the idiots at the credit card companies are going "hey, great, a new mark with no cards and no outstanding loans! He'll be a low risk, lets give him a card with a limit as much as he wants!"

      1. Anonymous Coward
        Anonymous Coward

        Re: They're part of the problem

        Bulgarian crims? Hey, don't be so mean to the Ukrainians and Byelorussians!

  12. Anonymous Coward
    Anonymous Coward

    US consumers - we're all screwed

    US consumers - we're all screwed. Out of 143 million, Equifax will notify only 209 thousand. That's 0.15% (not fifteen percent, that's 15 hundredths percent) of the consumers affected. Sounds like inadequate notification to me, smells like class action lawsuit.

    Read below, scraped direct from the Equifax web site:

    "potentially impacting approximately 143 million U.S. consumers. "

    "The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers,"

    "Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

    1. a_yank_lurker

      Re: US consumers - we're all screwed

      If it does go class action, I would like to see a settlement that drives out of business. Also, I would like the DO(in)J actually do something worthwhile and nail some the C-suite for vacation in Club Fed. That is the only way companies will take notice; no job with the possibility of prison.

  13. Anonymous Coward
    Anonymous Coward

    CC hacked starting mid-August Thank you Equifax!

    BEWARE!

    Equifax site reported me as NOT at risk when I checked Thursday after the announcement.

    If I had not glanced at my CC statement Friday it would have reached several thousand dollars and gone on for a few more weeks before I got my bill and noticed it.

    Subtle hack too. Charged a few hundred dollars (amount varied a little each time) every few days to what looked like a educational magazine/bookstore site. Usually my card company catches these right away and notifies me. I had to call them.

    1. Anonymous Coward
      Anonymous Coward

      Re: CC hacked starting mid-August Thank you Equifax!

      I got a text from Chase security (my credit card provider) on Monday asking if a particular transaction was legit. It was for 45 cents. They cancelled the charge and issued me a new card.

      I'm pretty sure that's unrelated though as it says only a small number (220K) of credit cards were compromised. I'd presume the ones compromised would be from people who would have actually had reason to pay Equifax for something and had given them their credit card number. If you hadn't done that, I think your CC hack, like mine, was just coincidence. I use that card to buy stuff online all the time (I use paypal where I can, but a lot of places don't take it) so I'm not surprised it happens every few years. Doesn't cost me any money, and it isn't the only credit card I have (but the only one I ever use online) so NBD.

  14. Anonymous Coward
    Anonymous Coward

    Right now on the Equifax site

    'Identity theft and data breach white paper

    'Almost three quarters (73%) of GB adults online think that companies should tell them that they have experienced a data breach and 63% would expect to be notified of a breach within hours.'

    https://www.equifax.co.uk/data-breach/react.html

    Hope the executives who sold $2 million of shares last week don't have anything to hide - such as prior knowledge of the breach.

    1. Zaxxon

      Re: Right now on the Equifax site

      Not only did execs at Equifax sell stock, someone has bought a few hundred thousand $ worth of put options before the public announcement that are now worth millions.

    2. TonyHoyle

      Well considering one was the CFO and one was the 'president of U.S. information solutions' the idea that neither of them knew of a significant data breach days after it happened is farcical.

      1. AlbertH

        Well considering one was the CFO and one was the 'president of U.S. information solutions' the idea that neither of them knew of a significant data breach days after it happened is farcical.

        Isn't that the very essence of insider dealing? I was under the impression that this was illegal and should result in long jail sentences.

        There is also the issue of criminal irresponsibility - these clowns have no idea about data security (it's not the first time they've been compromised) and they should be shut down and jailed. The other "credit checking" agencies also need thorough investigation, and if there's the slightest possibility that they could be compromised, they also need to be shut down - and prosecuted for negligence - and the whole rotten industry should cease. Banks and other financial institutions should revert to doing their own checking of customers - just like they used to.

    3. Unhelpful Yoda
      Thumb Up

      Re: Right now on the Equifax site

      I would buy on any dips. In a country with no consequences for corporate crooks...

      ( reference search terms: WellsFargo CEO, Fake Accounts, Golden Parachute)

      ...companies will continue to use Equifax.

    4. post-truth

      Re: Right now on the Equifax site

      That's another thing the execs have to fear - derivative claims from shareholders. And you don't even need fraud to jail them. With the data protection laws changing, this will have peculiar effects on the "business record" admissibility rules of criminal evidence in each jurisdiction. Interestingly, as Google execs found out the hard way a few years ago, most EU nations award custodial sentences (generally five years or less, though Greece has up to 10) for criminal data protection offenders (i.e. controllers), and breaches undoubtedly will engage those criminal laws.

  15. Anonymous Coward
    Mushroom

    I tried placing a fraud alert for myself with TransUnion

    The Java Servlet blew up:

    500 Servlet Exception

    [show] java.lang.IllegalStateException: Can't sendRedirect() after data has committed to the client.

    java.lang.NullPointerException at com.truelink.app.consumerCredit.site.fa.tags.dfpAd.DFPAdTag.doStartTag(DFPAdTag.java:24) at _jsp._copy._fa._fraudAlert._addInitialAlertConfirm_0en__jsp._jspService(copy/fa/fraudAlert/addInitialAlertConfirm_en.jsp:147) at _jsp._copy._fa._fraudAlert._addInitialAlertConfirm_0en__jsp._jspService(_addInitialAlertConfirm_0en__jsp.java:30) at com.caucho.jsp.JavaPage.service(JavaPage.java:64) at com.caucho.jsp.Page.pageservice(Page.java:548) at com.caucho.server.dispatch.PageFilterChain.doFilter(PageFilterChain.java:194) at com.caucho.server.httpcache.ProxyCacheFilterChain.doRequestCacheable(ProxyCacheFilterChain.java:252) at com.caucho.server.httpcache.ProxyCacheFilterChain.doFilter(ProxyCacheFilterChain.java:193) at com.caucho.server.webapp.DispatchFilterChain.doFilter(DispatchFilterChain.java:131) at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:290)

    [...]

    Awesomeness.

    1. Alan J. Wylie

      Re: I tried placing a fraud alert for myself with TransUnion

      https://www.equifax.com/cs7/faces/jspx/login.jspx

      Request Attributes

      Name Value

      _HKHACK_ yes

  16. Destroy All Monsters Silver badge
    Windows

    TOP.MEN are working on this.

    "Who?"

    "TOP. MEN."

    Yeah, looks like my former CIO has found a new job.

  17. Alan J. Wylie

    It's so secure

    that if you're called O'Reilly it won't let you enter your name.

    Nor Mountbatten-Windsor

  18. Public Citizen
    Flame

    What isn't covered in this article is the action taken by high level executives of Equifax between the time the breach was discovered and when it was disclosed.

    At least 3 high level executives sold large amounts of Equifax stock, probably in violation of US Securities Law.

    This whole situation stinks on ice.

  19. Captain Boing
    Trollface

    ... and Equifax sat on the news of the leak for 41 days! so that three senior execs could dump their stock...

    https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack

  20. Anonymous South African Coward Bronze badge

    Which company will remain schtum on a major leak for 41 days, then try to blame somebody else?

    Boggles the mind, really.

  21. Anonymous Coward
    Anonymous Coward

    sources of authoritative information

    Nearly every bloody link in this piece is to twitter! Who do you think you are, el Reg - Donald Trump?

    I suspect there may be some rather more reliable and authoritative journalistic sources available.

  22. andrew ginty

    Surely the FS companies who passed customers data to Equifax have a responsibility

    The banking, insurance and credit industries are dependent on credit reference checks as part of their risk processes. Compliance to risk processes is a regulatory necessity, so they have to go to companies like Equifax for such checks.

    So, if for example, I apply for interest-free credit on a TV, a new card, a loan, a mortgage or an insurance policy, it's a certainty that my details are checked with a reference agency, who, by the nature of their business, will keep records.

    If that agency, is foolish enough to lose those records, the companies who gave them their customers' details, should have at least a duty of care to those customers (and prospective customers) to check whether their details are amongst those that Equifax so generously shared with god-knows-whom are those of their customers (or prospective customers).

    So (all the banks, insurance companies, mortgage companies, mail-order companies, utilities etc ...) should be in the process of working out who's details have been shared with Equifax, and whether they are amongst the hundred-plus million.

    Holding breath. May go blue.

  23. Jake Maverick

    it's all a part of the plan...we seem to be somewhat behind schedule, hence this....but it wnt be long now until u are forced to give DNA samples and fingerprints everytime u do anything, like withdraw your own money from the bank....they're impossible to fake, right...? no.....

  24. Sam Therapy
    Happy

    Article picture

    Why is Steve Buscemi taking a pair of grips to his phone?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon