back to article What's that, Equifax? Most people expect to be notified of a breach within hours?

Equifax hasn't found time for a houseclean and is making claims of authority and competence about security breaches that, following its own recent high profile breach, come off as pretty cringeworthy. An autumn 2016 whitepaper from Equifax - still available here at the time of publication – attempts to position the credit …

  1. Alister

    Equifax is ideally placed to help businesses if they experience a data breach

    Yes... yes you are. Just not quite in the way you thought you meant.

    1. Anonymous Coward
      Anonymous Coward

      They should also advertise themselves as data experts. No one has even touched on the fact that their consumer data is a giant stinking ball of flaming crap. Wrong addresses, loans, bank and credit accounts on nearly everyone.

      Little known fact that they charge consumers money to try to correct their data. Quite a scam to knowingly gather inaccurate data, fail to secure it, sell it to businesses, and then charge the consumer to correct their errors and to monitor their reporting.

      1. ecofeco Silver badge
        Pirate

        I've said it before: the perfect American business is to produce and deliver NOTHING and force people to pay for it.

        Here is that very example.

        1. Anonymous Coward
          Holmes

          @eco - "I've said it before: the perfect American business is to produce and deliver NOTHING and force people to pay for it."

          Americans are only trying to perfect what the Brits have passed down to us.

    2. Mark 85
      Facepalm

      See icon

  2. Anonymous Coward
    Anonymous Coward

    Bunch of fuds.

    Local parlance, fairly negative.

  3. Anonymous Coward
    Anonymous Coward

    Equifax’s promised expertise...

    Is a rat knowing exactly when to escape the sinking ship:

    https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed

    1. Anonymous Coward
      Anonymous Coward

      'rat knowing exactly when to escape the sinking ship'

      Equifax insider share selling? A good example of 'American-Exceptionalism' right there!

      1. Anonymous Coward
        Anonymous Coward

        American-Exceptionalism At Work...

        "The giant Equifax data breach shows once again that the talons on corporate clawback policies remain tiny."

        https://www.bloomberg.com/gadfly/articles/2017-09-19/equifax-hack-executive-pay-is-still-protected

  4. Not also known as SC

    How?

    "Equifax is ideally placed to help businesses if they experience a data breach. We have one of the largest sources of detailed consumer data in the UK."

    I don't have time (OK can't be bothered then) to download the white paper to see how Equifax can help a business which experiences a data breach. If some one else does download it can you explain just how Equifax would be able to help? Surely if a company suffers a data breach they already have customer details so why would Equifax having these details help? Are Equifax offering a form of data restoration facility if a company's customer data is destroyed by the breach because in that case how would a company know which records have been destroyed?

    1. Bronek Kozicki
      Holmes

      Re: How?

      I have not seen the document in question, but can offer an educated guess. The document contains recommendation that the breached company should buy ID protection services for the affected customers. From Equifax, of course.

      1. Graham Cobb Silver badge

        Re: How?

        Or, maybe, Equifax can tell them which of their customers might cause them grief (lawyers, politicians and other rich people) and so should be dealt with politely, helpfully and efficiently and which ones (everyone else) can be ignored or sent to a useless website,

        A strategy I am assuming they are using themselves.

    2. phuzz Silver badge

      Re: How?

      Equifax might be able to help by saying "yup, that customer there, they were hacked because someone already had all their details from us and used them to breach your systems".

  5. The Man Who Fell To Earth Silver badge
    FAIL

    Do what we say, not what we do.

    The above is apparently Equifax's motto on security.

  6. alain williams Silver badge

    Words are cheaper than sysadmin time

    'nuff said.

    1. Ian Michael Gumby
      Boffin

      Re: Words are cheaper than sysadmin time

      Sorry mate.. Struts isn't system admin.

      Its application admin.

      Some companies are large enough that the responsibility gets split.

      1. Adam 52 Silver badge

        Re: Words are cheaper than sysadmin time

        Sysadmins can't patch application libraries. Not if you expect the applications to work afterwards. You might get away with it with dynamically linked libc, but Java, Python or Go libraries (start praying if you use any stats or data science libraries) won't necessarily be backwards compatible and no sysadmin is going to know the subtleties of how each library call is used.

        If you're lucky to have an application support team then it's their problem otherwise it's a developer problem.

        1. Destroy All Monsters Silver badge

          Re: Words are cheaper than sysadmin time

          Whoever's problem it is, DO IT!

  7. TechnicianJack
    Paris Hilton

    Not Qualified

    It's not surprising that things like this happen when people who don't know what they're doing are employed for important jobs. Seems said Chief Security Officer's only qualifications are in Music, and nothing relating to any technology. Combined with her 'retirement' and subsequent attempt to expunge her information from the internet suggests she's trying to cover it up. Of course, she may have learned security herself, or picked the skills up on the job with no formal qualifications, but I doubt that someone who knows what they're doing, even with no official qualifications would then try to hide all their information.

    http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15

    http://www.thegatewaypundit.com/wp-content/uploads/susan-mauldin-600x600.jpg

    1. Bronek Kozicki

      Re: Not Qualified

      If I was on her place I would keep that visible. The fault is on the board of directors for putting her in a position show was not qualified to. Since that information is was public, there is no suspicion of her trying to pass the qualifications she did not have.

    2. Anonymous Coward
      Anonymous Coward

      Re: Not Qualified

      Hey - don't knock the #Diversity hire. As well as being a tick in the 'Women in tech' and 'women on the board' columns, she does security from the musical perspective.

      1. John Brown (no body) Silver badge

        Re: Not Qualified

        "she does security from the musical perspective."

        And when the music stops, she'll be in another (highly paid) chair somewhere else.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not Qualified

          I guess she has to... face the music!

          Aha ha ha ha ha ha oh...

      2. VulcanV5
        Happy

        Re: Not Qualified

        Definitely, the Post of the Month. Puts me in mind of Michael O'Leary, running an airline from his newsagent's perspective: stacking 'em high, and only later bothering about returns.

    3. Ian Michael Gumby
      Boffin

      Re: Not Qualified

      This industry is rife with people who are under qualified.

      30 years ago.... to call yourself a software engineer, you needed to go to a college and graduate with a 4 yr degree in an accredited engineering program.

      Today... its a job title.

      When I look at resumes where someone who calls themselves an engineer who didn't go to school for engineering, I hammer them in the interview.

      When I see a resume chock full of buzzwords, I hammer them to see what they know. How they handle stress. Note, I haven't made anyone cry... that's a feat that I've only seen happen once while my friend was interviewing someone.

      1. veti Silver badge

        Re: Not Qualified

        30 years ago.... to call yourself a software engineer, you needed to go to a college and graduate with a 4 yr degree in an accredited engineering program.

        In what jurisdiction was that?

        Everywhere I've worked, it's always been a job title and nothing more. Most of the best jobs are. (See also: journalist, politician, forecaster, commentator, manager, director.)

    4. Cederic Silver badge

      Re: Not Qualified

      Please, don't be an elitist idiot.

      Back when Ms Mauldin went to university a degree was all about learning, academia and getting an education. It wasn't intended to be vocational training for a job.

      Most people that age in IT don't have a degree at all, especially in the UK - only 20% of people even went to university - and it hasn't stopped them being effective at their jobs.

      You're casting personal aspersions on someone based on your own prejudices. Stop.

      1. a_yank_lurker

        Re: Not Qualified

        In the of (th)UGA back in the day it was a 'university' were going to class was to sober up between binges and parties. If she was like most, her time in Athens was alcohol/drug induced haze. (The thuga bit is because the football team traditionally has a rap sheet that would make a mobster proud).

      2. Doctor Syntax Silver badge

        Re: Not Qualified

        "Most people that age in IT don't have a degree at all, especially in the UK - only 20% of people even went to university - and it hasn't stopped them being effective at their jobs."

        But was she effective at her job?

      3. Destroy All Monsters Silver badge
        Headmaster

        Re: Not Qualified

        You're casting personal aspersions on someone based on your own prejudices. Stop.

        Can there be any OTHER prejudices that should be considered?

        I don't think so.

        They are called hunches & heuristics and work pretty well.

        This is also why people stay out of colored neighborhoods. It's not racism.

  8. Anonymous Coward
    Anonymous Coward

    Where I used to work,

    the head of our Change Advisory Board was former air hostess.

    1. Triggerfish

      Re: Where I used to work,

      Well you know if they are good at what they do fair enough.

      In this case I am guessing thinking admin/admin for access is probably a sign they didn't study up for the role.

    2. Anonymous Coward
      Anonymous Coward

      Re: Where I used to work,

      "the head of our Change Advisory Board was former air hostess"

      The paths to follow for a change are located here, here and here.

      Keep your Change Orders upright and follow the laminated instructions in the pouch in front of you.

      Do not inflate your 'Panic, I've fucked my change' jacket unless instructed to do so by a Sysadmin.

      Right - I'll be off to get a bloody good seeing to by the Captain. Carry on team.

    3. Anonymous Coward
      Anonymous Coward

      Re: Where I used to work,

      Why would an air hostess necessarily be a bad choice for a CAB head? She wouldn't be making the decisions herself - it is more of facilitator role to get the people from technical, business, financial, etc. domains to reach consensus. Having an "outsider" in that role is probably not a bad idea.

      She doesn't need to personally understand every detail about why making changes the weekend before year end closing is a bad idea, or why the business wanting to delay a critical Microsoft patch released early and out of cycle due to active exploitation is risking a breach. That's for business and technical people to understand - she just has to make them understand each other.

      For someone used to soothing the angry flying public for years, dealing with heated arguments between people on the IT side and business side should be child's play!

      1. This post has been deleted by its author

  9. Nimby
    Angel

    Equihax

    Ah, Irony, if only there was something one could build from you.

  10. DainB Bronze badge

    Also in Australia

    Westpac is using Equifax in Australia for credit reporting and felt sudden need to send following email on 7th of September

    Hi DainB,

    At Westpac, part of our service promise is a commitment to fix mistakes when we make them.

    That's why we're writing to let you know that when opening your Westpac Reward Saver account we used Equifax (previously Veda Group Limited) to provide us with information to make a decision on whether to lend. Our required disclosure to you was not clear enough of our use of Equifax for this process.

    No action is required from you and we apologise for any inconvenience caused. If you have any questions about what this means for you or need help with anything else, please feel free to drop into your local branch or call us on 1300 655 505.

    Sincerely,

    The Consumer Deposits Team

  11. Anonymous Coward
    Anonymous Coward

    Aren't Mandiant and FireEye part of the same group?

    So hire the former to hide the debacle of the latter?

  12. Hans 1
    Paris Hilton

    I guess that since their security team was not notified for almost two months they thought they would wait the same number of hours before notifying the users.... They wanted to be fair, after all ...

    Paris, the closest I could find to dumb and dumber ...

  13. Anonymous Coward
    Anonymous Coward

    How long before....

    Crapita buy Equifax.... I see synergies...

    1. ecofeco Silver badge
      Trollface

      Re: How long before....

      ...and new paradigms leveraging and repurposing existing content by reaching out to overlooked possibilities!

  14. flingback

    Business as usual in the US&A...

    I am a Brit out here for a few days and this morning saw an Equifax ad on TV. It basically said "Do you know if your details are on the dark web for sale? Use our free search to check...". At no point did it say "because of us your details are on the dark web" nor did it make any indication that they may actually BE THE REASON.

    You can bet that most people have no clue this has happened, and Equifax have turned this into a bloody marketing/advertising campaign to recruit new customers. Unbelievable really. I guess there needs to be a body who can hold them accountable and fine them accordingly...

    1. ecofeco Silver badge
      FAIL

      Re: Business as usual in the US&A...

      No "may be the reason" about it.

      They ARE the reason.

    2. Anonymous Coward
      Anonymous Coward

      Edited for clarity

      "Do you know if your details are on the dark web for sale? Use our free search to make SURE they are..."

      There, FTFY

      Anon because Trump, Equifax, etc.

    3. JamesPond
      WTF?

      Re: Business as usual in the US&A...

      "I guess there needs to be a body who can hold them accountable and fine them accordingly."

      I don't know if anyone noticed after the financial crisis but a significant number of European banks and financial institutions got fined startlingly large amounts by the US authorities. And the Europeans coughed up without a fight. But I didn't see many or in fact any (I'm happy to be corrected) US banks being fined by European governing bodies for their part in starting the financial collapse. Equifax is a US firm so I'm not expecting any significant fining to happen.

  15. Anonymous Coward
    Anonymous Coward

    Why is it the none of the "reporters" and none of the "Government agencies" have engaged their brain cells on this..............

    Equifax upon first realizing this massive breach should have automatically put a freeze on all of their accounts and notified the two other credit agencies of the breach so they could keep an eye on it and freeze their associated accounts. Then instead of 140 million people scrambling to freeze their accounts, only a few million trying to get credit would be impacted by trying to un-freeze their accounts.

    I would rather be told I can't get credit because the big-3 were acting proactively and locking all the accounts affected than worrying that someone may be stealing my identity until I pay the fees to freeze my accounts.

    Equifax should have to pay for all of the fees associated with freezing all of the affected accounts at all three companies, period!

    1. Eddy Ito

      They could also have taken the route of putting a fraud alert on people's credit reports which wouldn't even bother those trying to get credit as a stop gap measure while they were busy screwing the pooch between when they discovered the breach and now.

      I'll be sending the bill for my freezes at the other companies to equifax as well as a bill for the time it took for me to do it since it was considerable as the web sites and automated phone systems of both transunion and equifax fell over multiple times for me. Fortunately experian worked on the first go. I'm thinking somewhere in the $75-$100/hr range is a reasonable rate and if they don't pay I'll be happy to take them to small claims court.

      I recommend everyone else hit by the breach do the same as it will be fun to watch equifax implode responding to 143 million small claims cases worth about $250 a pop. A rough calc shows that to be about three times their market cap of ~$11.2B

      1. Compression Artifact

        "I'll be sending the bill for my freezes at the other companies to equifax as well as a bill for the time it took for me to do it since it was considerable as the web sites and automated phone systems of both transunion and equifax fell over multiple times for me."

        I hope you have more luck with this than I did trying to get Anthem to reimburse me for what I spent on postage and return-receipt certified mail to freeze my credit files after their breach was announced.

        I can only take some cruel pleasure in the knowledge that what Anthem spent on the salaries of the bureaucrats for the time and effort it took to reject my claim was probably at least an order of magnitude more than the reimbursement I wanted.

        1. Doctor Syntax Silver badge

          "I hope you have more luck with this than I did trying to get Anthem to reimburse me"

          But did you take the approach Eddie proposes: the small claims court?

    2. ps2os2

      Why is it the none of the "reporters" and none of the "Government agencies" have engaged their brain cells on this..............

      One Answer: Trump

      Follow on the answer: Trump has put billionaires and other people entirely unqualified people in charge of the government. He is making the FDA (Food & Drug Administration) into a political hack that you will no longer be able to trust any medication that is sold in the US. The others range from a person who is supposed to be in charge of education to one that wants to outsource education to other companies who want to run the system for profit. Another wants to close down our National Park system, like The Grand Canyon, or Yellowstone etc. Another one that has been put in charge of our Nuclear system to a person who wants to shut it down. This country will poison itself before the communist take over.

      1. Destroy All Monsters Silver badge

        One Answer: Trump

        Ah, the eternally direct reasoning of the progressive brain.

        1. Anonymous Coward
          Anonymous Coward

          >> One Answer: Trump

          > Ah, the eternally direct reasoning of the progressive brain.

          Just like all the Nazis who blamed Obama for everything they didn't like for eight years.

          Pot. Kettle. Black.

          1. Sam Therapy
            Happy

            Or rather, A shade differential comparison scenario.

    3. ecofeco Silver badge
      Pirate

      Equifax should have to pay for all of the fees associated with freezing all of the affected accounts at all three companies, period!

      LOL That's just crazy commie talk! You private the profits and socialize the losses, son! That's the American way!

  16. David Neil

    Nice email from Clearscore this week

    "Many of you will have read over the past week about the Equifax US hacking incident. I want to reassure you that ClearScore is not involved in this hack. Our systems and data remain secure.

    Equifax have confirmed to us that no UK financial data was compromised in this incident."

    Sent on 16 September, the day after Equifax admitted 400k UK people's data had been moved offshore by 'accident'

  17. benderama

    Sounds like a case of "do as I say, not as I do"

  18. ecofeco Silver badge
    Mushroom

    Hours?

    We're damn lucky if we find out within MONTHS.

    To hell with all those bastards.

  19. EveryTime

    It's not that a music degree disqualifies you from being in charge of information/transaction security. It's just that such a degree is a contra-indicator.

    Rather than a formal course of education and research into a technical area, you chose a degree that was decidedly non-technical. (Generally music degrees have negligible math requirements, I once took an excellent course in 'Acoustics' from Dr. Bose. Vanishingly few music majors had the analytic and numeric mathematics background to succeed with that material.)

    What would qualify you? Doing work in the field that was publication level: Journal papers, conference paper, even a significant role in open source projects. Even at that the top level of management it's not just "people management", it's making having the background to understand what decisions are being made and when you are being misled by the middle managers.

    1. Graham Cobb Silver badge

      At the time that I started my IT career (1978), Music was quite a common degree for other entrants. Personally I did Maths. Very few of my peers did a specifically computing degree.

      I seem to remember that at that time Music was the most common non-STEM (we didn't call it that then) degree for computing professionals.

      1. Destroy All Monsters Silver badge

        I seem to remember that at that time Music was the most common non-STEM (we didn't call it that then) degree for computing professionals.

        That was when computing professionals were actually mathematicians or maybe engineers in electronics.

        I don't see what Music has to do with any of this unless we are talking vocational college and a Moog synth.

    2. Anonymous Coward
      Anonymous Coward

      The ability to understand and orchestrate the flow of music is similar to many skills required in IT. Maybe we need more musicians.

      Actually we need anyone who is not from marketing.

    3. Jtom

      To go a step further, one usually gets a degree in the subject that most interests them, and that especially applies when the field does not pay well, like music. If she is that enthused with music, then how likely is it that she takes much interest in a field like data security? There really isn't much cerebral overlap, is there?

  20. Andrew Barr

    Couple of rumors that I have heard....

    Some interesting stock movements pre hack news release, so maybe a short sell money grab.

    Their check if you have been compromised webpage gives different results for the same data.

    Something tells me that this may not be the way to handle a security breach!

  21. Anonymous Coward
    Anonymous Coward

    Still not clear on the actual size of this breach

    When it happened I checked on their site and they said they didn't believe I was affected. I later heard there were some initial issues with the site, so I checked myself again after getting the SSNs from my mom and dad so I could check for them as well. Still not affected, nor were either of them.

    I think it was "up to 143 million people potentially affected", unless my family is just damn lucky. We all have a fairly lengthy credit history and high credit ratings, so it isn't like we wouldn't be in a major credit bureau's database. Maybe they only got people with last names up to 'R' or something...

    1. Adam 52 Silver badge

      Re: Still not clear on the actual size of this breach

      Well you've just put your and your nearests' details into a dodgy bodged together site, so I expect you'll be in the next leak, due any day now.

    2. Blake St. Claire

      Re: Still not clear on the actual size of this breach

      When first I checked my wife _was_ potentially at risk.

      Checked back a few days later and now she isn't.

      Which is it? I'll check back again in a few days.

  22. Anonymous Coward
    Anonymous Coward

    "We did have one of the largest sources of detailed consumer data in the UK."

    TFTFT as it would now be the hackers...

    Shine a light, you couldn't make this shit up.

    I haven't seen such a perfect example of Irony for a few days.

  23. Anonymous Coward
    Anonymous Coward

    Most people expect to be notified within hours

    In this case "most people" seems to have meant those senior execs who used that inside info to sell their stock ahead of the news.

    I wonder how the rest of the employees who own stock in Equifax feel about their management? (Never mind the rest of us.) I wouldn't want to be one of them, alone in a room with one of the regular employees whose 401k balance took a hit.

  24. JBowler

    Corporations are not expected to be honest

    Indeed, required NOT to be honest.

    Marketing is required to cover up problems that would otherwise cause the share price to tank; that means marketing is REQUIRED to lie. It isn't an optional extra.

    Anyway, who are you trying to fool? Obviously Equifax, while it certainly lies, has no responsibility whatsoever to the people who they rate; they are the PRODUCT not the CUSTOMER. The customer is the company that wants to know if the beef is good, the beef is the person with the credit rating.

    Stop winging, live with it or change it.

  25. Winkypop Silver badge
    Coat

    Equifax announces new bar and liquor outlet franchise

    "Equifax Pubs, Where Everybody Knows Your Name"

    I know when to leave -->

  26. Anonymous South African Coward Bronze badge

    Dear Mr Bucket

    Whoopsy

    Ahahahahaha

    (all in copperplate writing)

  27. Anonymous Coward
    Anonymous Coward

    Enough said?

    https://www.equifax.co.uk/business/connectselect/en_gb

    Nothing to do with protecting credit, just for collecting marketing data. In other words, worse than useless.

    AC because I want to be.

  28. Sam Therapy
    Mushroom

    This bunch of useless fucksticks need to be nailed to doors, left on a beach and run over with flail tanks. At the very least.

  29. Jtom

    Well, I can work around this breach. I've reached the point where I no longer need credit. What worries me is the thought of a data breach involving my insurance company. Over the years, my wife and I have acquired enough valuables (jewelry, gold, silver, coins, antiiques, etc.) to justify a big rider policy for coverage beyond standard homeowners' insurance. To get the rider, I had to itemize each asset and provide the address of where it is kept. That data now resides with the insurance provider. I have to believe that thieves would love to know who owned what, and where it was kept. I think there are a lot of us 'accidently affluent' retirees living in modest neighborhoods but holding substantial wealth, and we would be easy targets.

  30. oldon

    "30 years ago.... to call yourself a software engineer, you needed to go to a college and graduate with a 4 yr degree in an accredited engineering program"

    You must be joking ... as I recall, at that time there were plenty of so-called 'software engineers' who had literally just wandered in off the street with zero qualifications, and accordingly many of them were absolutely clueless. There were also those had gone to so-called 'colleges', acquired so-called 'degrees' and were still absolutely clueless.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like