Equifax: About those 400,000 UK records we lost? It's now 15.2M. Yes, M for MEELLLION

Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million. In true buck-passing fashion, at the time of writing, Equifax hadn't even released a public statement …

  1. Christoph

    And what the hell is all this data on UK citizens doing on their US based servers?

    Not that we have time to get the EU to administer a kicking before we lose EU protection.

    1. Chris Miller

      That EU 'protection' was in place when all this happened. It did a whole lot of nothing. Quelle surprise.

      1. Anonymous Coward

        Force majeure!

        As the Athenian said to the Melians, "... you know as well as we do that right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must".

        The USA considers itself the 800 lb gorilla, and doesn't much care what European legislators do or say.

        1. Paul 195

          Re: Force majeure!

          It's safe to say that whatever influence the EU has with the US, a Brexited UK will have even less.

        2. Anonymous Coward

          Re: Force majeure!

          On further reflection, the US administration doesn't even care very much what American legislators or judges say and do. Or the people who wrote the Constitution and the Bill of Rights.

          "If the President does it, it's not illegal". - Richard M. Nixon

          "The Constitution is just a goddamned piece of paper". - George W. Bush

          1. Tom Paine

            Re: Force majeure!

            The US is fucked until they stop worshipping that wretched thing and write themselves a modern Constitution, like most of the rest of the world. One good solid civil war should do it.

      2. Tom Paine

        nuts

        Neither did the UK or US data protection help, so spare us the bulgy eyes please

    2. J. R. Hartley

      Easy

      Simply fine them £20000 for every person's data they leak.

      That'll tighten the bastards.

      1. Prst. V.Jeltz

        Re: Easy

        That's quite a lot of zeros!

        2,900,000,000,000

        2.9 trillion.

        Whilst I consider credit agencies as data-slurping pirates whose trade shouldn't even be legal, that is a bit harsh! :)

        1. Gotno iShit Wantno iShit

          Re: Easy

          Is it? My heart bleeds.

          How about we reduce it to £2,000 per real person out of the 13.8 million records not triggering a 'you're in the shit, it's our fault but don't dream we'll clean up the mess' letter.

          Assuming half those 13.8m are duplicates and test data that's only £27,800,000,000. We can be reasonable.

        2. Anonymous Coward

          Re: Easy

          By a curious coincidence, $2.9 trillion is about the same amount as the USA has wasted (well, actually, quite a bit worse than wasted) killing people in Asia - since 2003.

        3. Anonymous Coward

          Re: Easy

          But it would pay for Brexit.

          1. itsecman

            Re: Easy

            **@!** paying for Brexit! If it's my personal data, it's me that is impacted directly and me that should get the money!

            1. BebopWeBop

              Re: Easy

              Don't worry - you will be paying the cost for Brexit anyway....

        4. Prst. V.Jeltz

          Re: Easy

          Wow, 13 thumbs down for suggesting that 3 trillion pounds was a steep fine!

          You bunch of Daily Mail readers!

          Hanging's too good for 'em, eh?

    3. macjules

      Nice to know they have got protection in now .. they have installed Kaspersky AV software.

    4. VinceH

      "And what the hell is all this data on UK citizens doing on their US based servers?"

      This is a question that needs to be properly addressed. As yoganmahew pointed out in response to a previous article on this:

      Regrettably, the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.

      This 'process failure' was supposedly corrected in 2016... yet the data was subject to the hack in May 2017. We can only assume that the correction was to stop data being sent to the US, but not to actually remove the data that was already there as a result.

      Not only, but also:

      The information was restricted to: Name, date of birth, email address and a telephone number, and Equifax can confirm that the data does not include any residential address information, password information or financial data.

      But now it's "names, home and email addresses, telephone numbers, and account recovery questions" - so the 'process failure' resulted in more data being stored in the US than Equifax claimed (reading between the lines of their statement at the time - they didn't say what was stored due to this 'process failure', only what was accessed).

      This needs to be dealt with properly - full fat legal action and fines, not just the usual mild slap on the wrist.

  2. Alister

    Any answers to security questions – such as your mother's maiden name – given to Equifax during an account signup should now be considered compromised, the NCSC warned, and should be changed for other websites, if possible.

    Mum? Hi, yes, listen, I need you to change your maiden name to something different...

    Yeah, but look, it's not me, it's the government...

    Well can't you forge your birth certificate, or something?

    Ok, ok, forget I asked...

    1. Anonymous Bullard

      It's already public information anyway.

      You shouldn't be putting the real answer in

      1. Cynical Observer

        Fully agree that it wouldn't take a dedicated miscreant very long to retrieve such info but here's the question that follows the suggestion that people should use some other value.....

        Who is going to feel happy telling lies to a credit rating agency - knowing that the leeches share info and that getting wrongly flagged with one can make life just that little bit awkward.

        The better approach is surely to educate the agencies (and others) so that they stop asking for it in the first place?

        1. Anonymous Coward

          And there you have it in a nutshell

          "Who is going to feel happy telling lies to a credit rating agency[?]"

          Perfectly put. That is the exact dilemma that faces all would-be honest, decent citizens living in a world dominated by filthy, corrupt corporations and filthy, corrupt politicians.

          Should we try to behave honestly and decently, and get it in the neck over and over and over? Or should we try to play them at their own game - which entails more or less trying to play football uphill on a vertical pitch where the opposing team does not have a goal?

        2. JamesPond

          Maiden name

          Do the credit agencies even check your mother's maiden name or do they just use it as a security question? I have only ever given my mother's maiden name to banks when I opened an account, not even to credit card companies or Equifax itself when I had an account with them.

          Unfortunately I did use the same fake maiden name I used with Equifax at other companies such as my mobile phone provider.

          Fortunately I have used a password manager for several years so no account has the same password and the majority of accounts with money involved have two-factor authentication.

          1. Anonymous Coward

            Re: Maiden name

            Surprised they can still call it a maiden name, shouldn't it be "non gender specific, pre partnership agreement familial nomenclature" or similar?

        3. Omgwtfbbqtime

          "The better approach is surely to educate the agencies ..."

          Starting with custodial sentences for the Exec board (all) and senior line management (directly implicated).

          1. Tom Paine

            Re: "The better approach is surely to educate the agencies ..."

            And how long do you think you should expect to spend in the big house when code you wrote / systems you design or operate gets hacked?

            1. Omgwtfbbqtime

              @Tom Paine

              That would entirely depend on what documentation you kept, where you flagged up the potential flaws and were overruled by manglement on the grounds of cost.

              Or if the hack is down to your failure to follow the recorded design spec because you couldn't be bothered/knew better.

              Basically get everything in writing.

        4. Tom Paine

          Errr

          The better approach is surely to educate the agencies (and others) so that they stop asking for it in the first place?

          With the additional benefit of the end of consumer credit from anyone but banks, with the concomitant collapse of the car, consumer electronics, interior design, package holiday and subscription media industries! Sounds like heaven to me, though most of the rest of the population will be a bit lost for a few years.

      2. wolfetone

        "It's already public information anyway.

        You shouldn't be putting the real answer in"

        I thought for years I was putting the real answer in, then it turned out my mother wasn't my real mother.

        So, really, I was ahead of the game on that.

        1. Anonymous Coward

          Thanks for the confirmation

          I did think your name sounded a tad Irish. (I'm licenced to joke about the Irish - I've kissed the Blarney Stone, and my maternal grandfather was born in Tipperary on April 1st).

      3. WallMeerkat

        "You shouldn't be putting the real answer in"

        > You shouldn't be putting the real answer in

        OK, so not only do we have the wacky combinations of numbers, letters, symbols, uppercase etc. for passwords - each of which must be unique, as sites are always getting hacked - but when the inevitable happens and I can't for the life of me remember what particular weird series of ASCII I used for a particular site, I click the password reset link only to then try and remember what fake maiden name / first pet / first school I used.

        Where does it end?

        1. Anonymous Coward

          Re: "You shouldn't be putting the real answer in"

          That's why you use a password manager, and always give them fake answers. That is what you do, isn't it?

        2. Anonymous Coward

          Re: "You shouldn't be putting the real answer in"

          Boycott the Internet for a day with a switch-off-your-router day, preferably on Black Friday. Advertise clearly why the boycott has been called so these numpties understand. Even the telcos will get the message then.

          Better yet make it for a whole weekend.

        3. Richard Parkin

          Re: "You shouldn't be putting the real answer in"

          Obviously you have recorded your fake answers in your password manager, like I do.

      4. itsecman

        That's assuming it is Security Data. You can't lie about your Date of Birth when applying for Credit......well you can, but it's Fraud!

        1. YARR

          You can't lie about your Date of Birth when applying for Credit......well you can, but it's Fraud!

          This is good reason to store mandatory personal data in a hashed form like passwords.

          i.e. The bank don't know your DOB, but if you give them a date they can check if it's the same as before.
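The scheme YARR describes, written out as an added example that is not part of the thread: keep a salted, keyed digest of the date of birth so the holder can confirm a date it does not store. The server-side pepper and the reference date are constructed for the example; the search-space function shows why an unkeyed hash of a date gives no protection once the table leaks.

```python
import datetime
import hashlib
import hmac
import secrets

# Constructed server-side secret ("pepper"). In a real deployment it lives in a
# KMS/HSM, apart from the records, so a dumped table cannot be checked offline.
SERVER_PEPPER = secrets.token_bytes(32)


def normalise_dob(dob: str) -> bytes:
    """Canonicalise a date so '1980-1-5' and '1980-01-05' yield the same digest.
    Raises ValueError for anything that is not a real calendar date."""
    parsed = datetime.datetime.strptime(dob.strip(), "%Y-%m-%d").date()
    return parsed.isoformat().encode("ascii")


def store_dob(dob: str) -> dict:
    """What gets stored instead of the date: a per-record salt plus a keyed digest."""
    salt = secrets.token_bytes(16)
    digest = hmac.new(SERVER_PEPPER, salt + normalise_dob(dob), hashlib.sha256).digest()
    return {"salt": salt, "digest": digest}


def check_dob(record: dict, candidate: str) -> bool:
    """True if the candidate is the date that was stored; malformed input is a mismatch."""
    try:
        data = record["salt"] + normalise_dob(candidate)
    except ValueError:
        return False
    digest = hmac.new(SERVER_PEPPER, data, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, record["digest"])


def _years_before(ref: datetime.date, years: int) -> datetime.date:
    try:
        return ref.replace(year=ref.year - years)
    except ValueError:  # ref is 29 February and the target year is not a leap year
        return ref.replace(year=ref.year - years, day=28)


def dob_search_space(ref: datetime.date = datetime.date(2017, 10, 1),
                     min_age: int = 18, max_age: int = 110) -> int:
    """Number of distinct dates of birth an adult applicant could have on the
    (constructed) reference date. A salted but unkeyed hash can be tested against
    every one of them in well under a second, which is why the digest is keyed."""
    earliest = _years_before(ref, max_age)
    latest = _years_before(ref, min_age)
    return (latest - earliest).days + 1


if __name__ == "__main__":
    rec = store_dob("1980-01-05")
    print(check_dob(rec, "1980-1-5"), check_dob(rec, "1980-01-06"),
          check_dob(rec, "05/01/1980"))
    print(f"{dob_search_space():,} candidate dates for an adult applicant")
```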

    2. HelpfulJohn

      "Mum? Hi, yes, listen, I need you to change your maiden name to something different..."

      In my case this would be an interesting conversation as she's been dead for quite a while.

      But I've always lied about that particular piece of data, anyway, and never the same lie to different data-slurpers. My mum has *lots* of "maiden names".

      I wonder whether that makes me part of the "duplicates" the Equifax kleptos talk about?

  3. Anonymous Coward

    Are they implying that their customers (i.e. other companies) hand our security responses over to Equifax along with everything else ?

    1. Adam 52

      No, they're saying:

      "If you have been told by Equifax that security details from your Equifax.co.uk membership account – such as password and secret questions - have been accessed, you should ensure those details are not used on any other accounts."

      'twas in the link.

      1. Doctor Syntax

        "If you have been told by Equifax that security details from your Equifax.co.uk membership account"

        This involves about a quarter of the UK population. Are you telling me that one in 4 of us has set up such an account? And if not what other data is involved?

        1. Richard Tobin

          Records != accounts

          As the "stop press" says, the number of accounts is nothing like that.

        2. Anonymous Coward

          @Doc Syntax:

          According to Equifax, 700,000 Brits have been seriously violated. If we assume that about 75% of the population are >=18 and there are 65M Brits then 700,000/(0.75 * 65,000,000) = 1% of the working population. Or you can go with the GDPR and probably DPA infringing value of 15M instead of 700,000.

          In the UK we don't have security by SSN but then, me and the wife managed (~2005) to order a birth cert for my brother in law and then a passport for him with minimal hassle.

          To be honest it only really occurred to me what we'd done/got away with a bit later: but at least he got to go on holiday 8)

          1. itsecman

            I believe that it is still possible to obtain a Birth Certificate for anyone with minimal effort and then use this to request a UK passport as highlighted by Frederick Forsyth in his 1971 novel "Day of the Jackal". Certainly this was the case a couple of years back.

            1. Alister

              Yep, all you need is name, date and place of birth. No evidence of identification of the requestor is required.

              1. Prst. V.Jeltz

                "Yep, all you need is name, date and place of birth. No evidence of identification of the requestor is required."

                STILL?

                I remember reading that in "Jolly Rogers Cookbook" and other such subversive docs passed around on BBSs, but that was a long time ago, when we knew F*** all about security - all passwords were default etc.

                I would have bet my house that since then, with the rise of ID fraud, someone in authority might have stumbled on the idea of not handing out anyone's ID documents to anyone else without any form of verification.

                In fact why the fuck do they do that? It's akin to me ringing the passport office and saying can I have a duplicate of Boris Johnson's passport please?

            2. Alan Brown

              "it is still possible to obtain a Birth Certificate for anyone with minimal effort"

              Freely available to anyone who asks and pays the fee.

              "and then use this to request a UK passport "

              The method used should have been sealed in the 1960s. After all it's the registrar of Births _DEATHS_ and marriages, so it's not as if the relevant disqualification document is filed in another government department.

              (FWIW, many countries _do_ tag records with a death date specifically to ensure that ID documents in the name of dead children can't be obtained. The UK seems to think this is too hard despite it being a known vulnerability long before Frederick Forsyth wrote about it.)

          2. Alan Brown

            "...me and the wife managed (~2005) to order a birth cert for my brother in law and then a passport for him with minimal hassle."

            Isn't it amazing how a document which is _explicitly_ "Not an identification document and must not be used as one" is a core requirement for obtaining what _ARE_ identification documents?

    2. Prst. V.Jeltz

      "Are they implying that their customers (i.e. other companies) hand our security responses over to Equifax along with everything else ?"

      No, us poor bastards who never wanted anything to do with them and did not consent to them collecting as much data as they could on us are OK, presumably. However a large number of people decided to create an account with Equifax to find out what rating they gave them (or other people). They are the ones who lost the security info etc.

      1. WallMeerkat

        "However a large number of people decided to create an account with Equifax to find out what rating they gave them (or other people). They are the ones who lost the security info etc."

        Because there is no point applying for finance - be it a credit card, mortgage, car finance etc. if for some reason there is a black mark on your record.

        Applying for credit and being declined puts a very very very dark blue mark on your record (lenders hate it).

        Also, given the amount of hacks going on, it is useful to keep a close eye on your credit record for $UNKNOWN_CREDIT_CARD

      2. Alan Brown

        "us poor bastards who never wanted anything to do with them and did not consent to them collecting as much data as they could on us , are ok, presumably."

        I DPA section 11'd them a few years back. Their response made it clear that whilst they were complying with the law (removing all marketing data and ensuring information was not sold on), they would NOT remove any of the other data held.

        Quite frankly, feeding Equifax management into a woodchipper feet first would be too kind.

    3. Anonymous Coward

      Figures

      Would you really be surprised, seeing that they think of us in much the same light as they would so many tons of guano?

  4. Doctor Syntax

    "After all, we're not customers of Equifax who can refuse to provide data for its servers – it just collects it all, one way or another, and sell it on to others."

    The way in which it collects it needs to be looked at. If you as a data subject pass data to some company who then passes it on to Equifax then that company needs to be held liable. Either that or Equifax needs to be held liable in a UK court. I'd like to know what the ICO is doing about this. A quarter of the UK population is affected. Perhaps if everyone who gets one of these letters were to write to their MP to raise the matter in Parliament it might actually be borne on the Home Secs - both of them - that this privacy thing needs to be taken a bit more seriously.

    1. Kraggy

      I don't think you understand just how lax UK law is regarding the cavalier way retail organisations, financial institutions and a plethora of others to whom Joe Public by necessity gives his personal details, are allowed to pass on that information to the 'big three' credit reference agencies: Experian, Equifax and CallCredit:

      https://www.clearscore.com/credit-score/what-are-credit-reference-agencies

      1. Pascal Monett

        I've just checked that link and I'm incensed and somewhat frightened at the same time. Just by opening an account in the UK, you are automatically included in one or more credit reference agency's files. Is there any mention of that in your Ts & Cs when you open the account ? I'm guessing maybe, but maybe not. Can you opt out if there is ? Hah !

        That takes me to wondering how things are managed in France. Banks lend money (sometimes), so they have a customer history. Do they share it and how ? I know that there is a national register of people that are forbidden from having a checkbook or credit/debit card, but that is not managed by a private company.

        Questions, questions.

        1. Anonymous Coward

          > "Just by opening an account in the UK, you are automatically included in one or more credit reference agency's files. Is there any mention of that in your Ts & Cs when you open the account ?"

          Yes, the words "credit reference agency" (Equifax, Experian, et al) are normally found in the terms for any financial product or other credit-bearing facility (i.e. all current accounts, credit cards, mail order with buy-now-pay-later, etc). The terms will also include mention of "fraud detection agencies" (CIFAS) for financial products.

          > "Can you opt out if there is ? Hah !"

          Other than not applying for the product, nope (essentially, the credit reference agency's data is integral to their decision making process for whether to offer you credit). They're still affected by the DPA if they should lose your data, though (i.e. you could bring a civil case against them for damages due to loss or distress as a result of the data leak*, and/or get fined by the ICO [currently £500k max]).

          * see Vidal-Hall v Google.

    2. Disgruntled of TW

      It's not optional ...

      Try removing yourself from all three credit reference agency's records, and see how your life pans out without successful credit checks. All three agencies are now indelibly etched into our lives. Are we better with or without them? That is the interesting question.

  5. pleb

    So I don't have an "account" with Equifax, nothing I can log in to, so there is no password or mother's maiden name to steal. But obviously Equifux still have loads of data about me to lose/leave on the bus/park bench. But the way they tell it, it is account details etc that were stolen. How does that play for peeps like me with no account?

    1. Mark 85

      Basically, you're up the creek without an oar. An "account" can mean you actually opened one to verify your info or they opened one in response to an enquiry. Same for us in the States. The bad guys can own us and we'll never know unless we actually opened an account. That is until we go for a loan, credit card, bank account, etc.

    2. Anonymous Coward

      You do have an account, but they haven't told you. All credit agencies should be made to contact all subjects with details on what data they hold and if it was compromised.

      Me? I'm going back to cash and cheques only.

      1. nijam

        > All credit agencies should be made to contact all subjects with details on what data they hold and if it was compromised.

        Better yet, all of them should be obliged to submit data they hold to the data subject for validation annually, and pay for that validation at a rate of (say) £5 per item in the record. And for that matter, not just credit reference agencies, but any organisation - including, separately, each government department and agency.

  6. Oh Homer

    UK not a high priority, apparently

    This is just one of the problems of UK citizens relying on American companies, especially when the shit hits the fan. We're always going to be second class citizens, assuming we get any consideration at all.

    Taking any sort of remedial or punitive action against American companies is also rather difficult. Even their own government doesn't seem to care, so what hope do we have?

    And anyway, what reasonable expectation should we have of the US government respecting our privacy enough to want to do anything about this at all, given that they are by far the greatest violators of it (yes, still to this day).

    It also doesn't help when our fanatically neoliberal politicians (which these days is basically all of them) "deregulate" things to the point where an American arms dealer is put in charge of the UK Census (except in Scotland, where the British arm of a US torture contractor was given the job). Not that the UK government has ever even pretended to care about our privacy anyway.

    Our private data in their hands.

    [shudder]

    1. Anonymous Coward

      Re: UK not a high priority, apparently

      I’m a UK citizen, no I don’t trust ANY US company, but I guess my details are with Equifax, but not through my choice. Perhaps the solution right now is for all UK companies that pass on details to Equifax to write to their customers and fess up and start offering significant compensation.

    2. Anonymous Coward

      Re: UK not a high priority, apparently

      Do you know who hosts and manages their data?

  7. Anonymous Coward

    "a file containing 15.2m UK records"

    No wonder they got hacked, haven't they heard of databases?

    1. Anonymous Coward

      Yes, it's called Excel

      1. Wensleydale Cheese

        Yes, it's called Excel

        Excel specifications and limits

        For "Excel 2016-2013"

        Total number of rows and columns on a worksheet: 1,048,576 rows by 16,384 columns

        1. tcmonkey

          Yep, so use csv representations in every cell, she'll be right ;)

    2. NonSSL-Login

      Usually one would use the built-in SQL command 'sqldump', which raises no alarms unlike other hacker tools, and dump the database into a single .sql file for snarfing away.

  8. batfastad

    Post

    So they are going to broadcast to the current resident of a property that a previous resident at that property's details are on the Equifax hack list. Sounds legit.

    1. JetSetJim

      Re: Post

      Almost as legit as the email I got, allegedly from my company's HR dept, saying that we were getting a year's credit monitoring for free - just click on this link that looks like it has the company name in it, but is actually on the wrong domain, and it's been leet-ified and so looks like a myC0mpany.mp2.io domain.

      1. Allonymous Coward

        Re: Post

        That probably was a legitimate email, if they're anything like as useless as our HR department.

        1. Alan Brown

          Re: Post

          "if they're anything like as useless as our HR department."

          You misunderstand the purpose of a HR department.

          It is not there for staff protection or assistance, it is there to protect the COMPANY from the staff. Being useless and difficult to deal with is not an accident.

          Any statements to the contrary are pure bunkum.

    2. Anonymous Coward

      Re: Post

      It can't be any worse than it is now.

  9. Jamie Jones

    The annoying thing is that we need to care when we shouldn't.

    When did we enter the "alternate universe" where if a company lends people money thinking they are me, is it my problem?

    Why isn't it:

    "Hey Mr. banker.. Someone fooled you into giving them money? Sucks to be you!"

    Because I come from a small community, I could probably get the mother's maiden name, place of birth, and date of birth of many of the people I was in school with (most have their birthday listed on Facebook, and I already know the year they were born).

    It shouldn't be information I should need to keep private anyway.

    If you lend "me" money, you should have no right to force me to pay, or blacklist me, or ruin my reputation, if I say it wasn't me, unless you can get it proven in a court of law. Until then, anything you say or do should be considered slander or libel.

    "Mitchell and Webb" put it rather eloquently: https://youtu.be/CS9ptA3Ya9E

  10. Anonymous Coward

    Your details. Free. Forever.

  11. Cynical Observer

    Time for a New Best Practices

    Any answers to security questions – such as your mother's maiden name – given to Equifax during an account signup should now be considered compromised, the NCSC warned, and should be changed for other websites, if possible.

    About five years ago, we started to see large UK public sector bodies reject things such as Mother's Maiden Name when configuring security questions. As others have pointed out, it's too easily known and some users will simply consider it to be immutable - they will refuse to misrepresent mum's maiden name. Date of Birth falls into the same category.

    The silly thing is - this isn't friggin' brain surgery (or rocket science). Ten years ago, at least one UK bank saw the merit in allowing customers to define their own memorable question - it can be as simple as first Car/first pet/first office location/first love. It strictly speaking doesn't actually matter as at the end of the day, it's only a string of alphanumeric characters.

    Perhaps it's about time we started to define a list of questions that are best avoided - and point to the Equifax incident as that watershed moment when it was decided that things had to change.

    1. Allan George Dyer

      Re: Time for a New Best Practices

      Why is a "memorable question" considered an authenticator separate from a password? It is still "something you know". As you point out, it's only a string of alphanumeric characters, but, I'd suggest, inherently more vulnerable than a password.

      We can tell people to keep their password secret and they might do that, but if you tell someone to think of a memorable question, they are going to pick something that is significant to their identity, and therefore something they are likely to discuss with others. Aside - are those, "find your drag queen name" (and similar) games where you use the name of your first pet and the name of the street where you grew up just social engineering to reveal this sensitive information?

      There is no need for a list of questions that are best avoided because it's ALL of them. Anything about me that is memorable is not secret, and anything about me that is secret is not memorable.

      1. Pascal Monett

        My mother's maiden name is Spongebob.

        1. Allonymous Coward

          My mother's maiden name is $q002Z&x3409

          1. VinceH

            Does she come from the planet Z'k$ty92##gq5^, like my mum?

      2. lglethal

        Re: Time for a New Best Practices

        @ Allan

        You're right that memorable questions are inherently more vulnerable than a password. Although in truth they should ONLY be used to reset a password by sending an email to the registered address (requiring any hacker to also have access to the registered email address in order to access the account), this is not always the case.

        But the fact that we have these memorable questions is more of a sign of the failure of our current password regimes. Hell, we need passwords for everything these days. Just here at work I have 4 different passwords for various systems in the office, none of which are allowed to be the same and all of which need to be changed every month. I'm an engineer, but even I make mistakes trying to remember which one has a capital in it, which one doesn't, which one is longer, what number am I up to in my never-ending climb through the year.

        Whilst people are stuck trying to remember things like this, then unfortunately there will often be a need for memorable questions. Unfortunately most password systems at the moment don't allow the sort of xkcd system (correcthorsebatterystaple) which is much harder to crack but easier to remember, because they want capitals, numbers, and special characters included (and usually limit password size).

        It's just an unfortunate side effect of where we are with security right now. If you can come up with a better system, you'll make a million! :)

        1. Allan George Dyer

          Re: Time for a New Best Practices

          @ lglethal - Since NIST and GCHQ are now recommending not forcing regular password changes, it sounds like you need a new CISO in your office, preferably one who's heard of SSO. Current standard practice is broken (why limit the password size when you are hashing it?), and the "fix" of using memorable questions is like putting a band-aid on a compound fracture. Unfortunately, it is cheap.

          PKI with certificates stored on secure smartcards or USB tokens would be a better system but the initial cost is high, the learning curve is steep, and the real benefits come when a critical mass of service providers accept the same certificates, so I'm not rolling in Millions yet ;(
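          The two points made in this exchange (password systems that forbid long passphrases, and the observation that a hashed password needs no length limit) can be shown in a few lines. The block below is an added example written for this page, not code from any commenter or from Equifax: it applies a length-only policy, generates an xkcd-style passphrase from a constructed word list, and stores and verifies the passphrase with the scrypt KDF from Python's standard library. The word list, the 12-character minimum and the 256-character ceiling are assumptions for the example.

```python
import hashlib
import hmac
import math
import os
import secrets
from typing import Optional, Tuple

# Constructed miniature word list for the example; a real diceware list has 7,776 entries.
WORDLIST = ["correct", "horse", "battery", "staple", "orange", "river",
            "silent", "pillow", "marble", "copper", "window", "garden"]

# Assumed policy values for this example, not any vendor's defaults.
MIN_LENGTH = 12     # a length floor is the only composition rule applied
MAX_LENGTH = 256    # generous ceiling that bounds KDF work; not a usability limit
SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # about 16 MiB of memory per hash


def generate_passphrase(num_words: int = 4, wordlist=WORDLIST) -> str:
    """Draw words uniformly with a CSPRNG; entropy is num_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase chosen uniformly at random from a word list of that size."""
    return num_words * math.log2(wordlist_size)


def check_policy(candidate: str) -> Tuple[bool, str]:
    """Length-only policy: no forced capitals, digits or symbols, no monthly rotation."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if len(candidate) > MAX_LENGTH:
        return False, "too long"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password). The KDF output is fixed-size whatever the input
    length, which is why a hashed password needs no short maximum length."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    phrase = "correct horse battery staple"
    print(check_policy(phrase), check_policy("Tr0ub4dor&3"))
    stored = hash_password(phrase)
    print(verify_password(phrase, stored), verify_password("Tr0ub4dor&3", stored))
    print(round(entropy_bits(4, 2048), 1), "bits for 4 words from a 2048-word list")
```

          The entropy figure assumes the words really are drawn at random; a passphrase a person composes from favourite words has less. The storage format (salt prepended to the digest) and the scrypt cost parameters are choices for the example, and a deployment would pick costs suited to its hardware.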

      3. Anonymous Coward
        Anonymous Coward

        Re: Time for a New Best Practices

        > "Why is a "memorable question" considered an authenticator separate from a password?"

        Because it gives a level of protection when someone who re-uses their password between sites has their account compromised on another site, and someone tries to interact as them on yours. Obviously, this is assuming the other site doesn't ask the same question/get given the same information, which may not be a valid assumption.

        Yes, you could use 2FA via phone, but (a) there are some documented and well-known security issues with that which have been covered by The Register previously, (b) not everyone has or can use a smartphone, (c) implementations for dumb-phones that use time-bounded codes sent via SMS are not user-friendly* (had the SMS turn up about 4 hours after it was requested, and the "usable window" for it had expired), and (d) not everyone owns or can use a mobile phone.

        * bonus usability points to MS on this one, whose system will send the code through to your designated phone as an audio call (i.e. ring you), rather than insisting on transmission via SMS (or equivalent).

        1. Wensleydale Cheese

          Re: Time for a New Best Practices

          "(c) implementations for dumb-phones that use time-bounded codes sent via SMS are not user-friendly* (had the SMS turn up about 4 hours after it was requested, and the "usable window" for it had expired)"

          I've also experienced the situation where there is no phone signal indoors, which involved going outside and walking until reception kicks in and the SMS message arrives.

          By the time I got back to the computer, the code had expired.
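          The "usable window" both commenters ran into is the acceptance window of a time-based one-time code. As an added example (not code from either commenter or from any vendor named in this thread), the block below implements RFC 6238 TOTP on top of RFC 4226 HOTP with Python's standard library, verifies a code against the current time step plus a configurable number of neighbouring steps, and shows that a code delivered four hours late is rejected whatever tolerance is configured. The secret is the RFCs' published test key; the 30-second step, 6 digits and one-step tolerance are assumed settings.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890"); not a real key.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumed time step
DIGITS = 6          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = STEP_SECONDS,
                digits: int = DIGITS, window: int = 1) -> bool:
    """Accept the current step and up to `window` steps either side, to absorb clock drift
    and delivery delay. Each extra step multiplies the guessing space for a 6-digit code,
    so the server must also rate-limit attempts per account rather than widen the window."""
    counter = int(at_time) // step
    ok = False
    for delta in range(-window, window + 1):
        # Check every candidate instead of returning early, so the timing does not reveal
        # which neighbouring step matched; compare_digest is constant-time per comparison.
        ok |= hmac.compare_digest(hotp(secret, counter + delta, digits), code)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print(code, verify_totp(TEST_SECRET, code, now + 20))        # within one step: accepted
    print(verify_totp(TEST_SECRET, code, now + 4 * 3600))        # SMS four hours late: rejected
```

          The same verifier works for an authenticator app; the delay problem in the thread is specific to sending the code over a channel (SMS) whose delivery time the server does not control, which is why a server-generated code sent by SMS is normally tracked with its own expiry rather than derived from the clock as here.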

      4. VinceH

        Re: Time for a New Best Practices

        "Aside - are those, "find your drag queen name" (and similar) games where you use the name of your first pet and the name of the street where you grew up just social engineering to reveal this sensitive information?"

        Yes. I've been pointing this out to people for many a year - usually when anyone relays them to me. Many people pass them on innocently on social engineering sites, thinking they're a bit of fun, but they often reveal potentially valuable data.

    2. Alan Brown Silver badge

      Re: Time for a New Best Practices

      "we started to see large UK public sector bodies reject things such as Mother's Maiden Name when configuring security questions."

      Of course if a company asks for this online and you put in "FuckOffCuntFace", it's going to make for some interesting times if you phone up and they decide to bring up the answer to that question.

  12. Simple Si
    Mushroom

    Whoopsie

    I just checked the Equifax UK site and came across this text about the incident:-

    Although Equifax’s UK business was not breached, the attack regrettably compromised the personal information of a range of UK customers. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.

    https://www.equifax.co.uk/incident.html

    Nice use of the term "process failure" - suppose it sounds better than "management fuck up". Hey I know, let's blame the process rather than those that implemented it. Some may say criminal negligence absolved in the same way as a bank robber claiming a process failure in their method of withdrawing money.

  13. tfewster
    Facepalm

    SOX

    Hang on - Equifax are a publicly traded US company, so they come under the Sarbanes-Oxley act. Yes, SOX is primarily intended to prevent CxO fraud, but it has other elements to protect the integrity of financial reporting and shareholder value, such as securing critical systems and regular audits.

    Failure to meet the required standards means CxOs can be personally fined or imprisoned. So are the SEC pursuing a prosecution?

    1. FozzyBear
      Devil

      Re: SOX

      Nope, never, Not a Chance. Just like every other aspect of failure in America.

      It was the Russians. They are totally to blame. We are the victim here. The CEO whines whilst flicking through his latest copy of "mega yachts for overpaid wankers"

    2. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: SOX

        .001% of turnover per individual should do it.

  14. Amorous Cowherder
    Facepalm

    "All Watched Over by Machines of Loving Grace"

    Welcome to your wonderful free and open society guided by the ( human written ) algorithms of machines, start breaking down the walls and boundaries and feel the love pour in. Oh wait, you mean if we hand over control of complex global systems to machines with no more "sense" than a ZX81, machines we're barely able to fully understand running complex networks of interaction we simply cannot comprehend, things will start f**king up in a serious way?

    Well blow me down, who'd a thunk handing over all that to a bunch of spotty CS college dropouts with a single year of studying humanities and ecology systems and with very little world experience, would dump us in this big old fecking mess!

  15. Anonymous Coward
    Go

    Sue the bastards....

    For everything they have. That's the only way anything will ever change. The government (of both the UK and the U.S.) will refuse to take serious steps against any major information aggregator, because these companies are wired into law enforcement, intelligence agencies, tax authorities and politically active financial sector companies.

  16. Anonymous Coward
    Anonymous Coward

    Classic Bait & Switch 'Corporateering'

    Typical - whether it's Yahoo: 'oh no, the real number is EVERYTHING we had, or all 3 bn a/c's', or this, which is even worse proportionately..... Really hope GDPR fines are heavier on the 2nd or 3rd attempt (the real admission).....

  17. Anonymous Coward
    Anonymous Coward

    I don't suppose....

    ....that any of Equifax senior exec's personal data was compromised?

    Maybe they could publish the addresses of their McMansions so us poor people could drop by and have a chat.

  18. I sound like Peter Griffin!!

    What are your thoughts on...

    Industry-level joint development of Apple's 'Secure Enclave' system to get to a stage where it would 2-factor requests for information/authorisation and just release a Yay or Nay without ever releasing or sharing the actual data...? Is it not time for this to be embraced on a much wider scale?

    1. Anonymous Coward
      Anonymous Coward

      Re: What are your thoughts on...

      Why would you need to use Apple's version? It's just a hardware security module, the same thing that is in a smartcard, or what is in every PC from the last 5 years (TPM).

      It doesn't happen in most countries as it costs too much, people don't want it (national ID card in the UK), it can go wrong, can still be hacked. Some countries have done it and it's worked well, others, not so well.

      The problem is, the card is your proof, your data is still stored in a Database controlled by the government or outsourced to a company to run. That can still be hacked, data stolen, changed etc. Then used in countries that don't use your ID card.

      1. John Robson Silver badge

        Re: What are your thoughts on...

        "The problem is, the card is your proof, your data is still stored in a Database controlled by the government or outsourced to a company to run. That can still be hacked, data stolen, changed etc. Then used in countries that don't use your ID card."

        If only we could have a system that allowed the data held on a card to be trusted. Say by a combination of digital signatures and encryption.

    2. PM from Hell

      Re: What are your thoughts on...

      You are actually talking about attribute exchange; the technology is in development and there are standards currently being defined, see www.openidentityexchange.org/ for further information. The combination of attribute exchange coupled with User Managed Access, where users are given a portal to manage which explicit permissions they have granted for organisations to use data, could provide a way to mitigate issues like this. Or it may provide a huge attack surface for the black hats.

      The concept of the secure enclave does exist with the GOV.UK Verify ID service, which is in production and used to establish user identification for a number of central government services (https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify). The number of central government services using GOV.UK Verify to authenticate users is increasing, and there are pilots taking place at the moment to allow the online checking of eligibility for services within local government. Usage will grow over time and access to the service for commercial organisations is in the pipeline.

      1. Alister

        Re: What are your thoughts on...

        The problem with GOV.UK Verify is that it outsources / delegates the verification process to third parties, including credit reference agencies...

        So the security and verification it provides are just as vulnerable as its weakest link.

        Hello Experian, Verizon...

        1. Anonymous Coward
          Anonymous Coward

          Re: What are your thoughts on...

          Perhaps they will be held onshore in the UK once we Brexit.

          1. nijam Silver badge

            Re: What are your thoughts on...

            > Perhaps they will be held onshore in the UK once we Brexit.

            Hahaha. Hahahahahahaha...

            Very droll.

        2. Allonymous Coward

          Re: What are your thoughts on...

          The problem with GOV.UK Verify

          ...is that it's GOV.UK Verify.

  19. steviebuk Silver badge

    Yet...

    ...they've still been given an IRS contract despite this. The IRS must be as stupid as Equifax's security.

  20. wolfetone Silver badge

    "'We are aware that Equifax was the victim of a criminal cyber attack in May 2017,' the NCSC said in a statement today."

    No. They're not the victim. They dropped the ball, and they've obviously been dicking about for years with the way they have handled data that, in all fairness, doesn't belong to them.

    The 15.2 million people who have had their details stolen, they're the victims.

    1. scrubber

      "We are aware..."

      "We are aware that Equifax has been criminally negligent in protecting personal details of people and are going to enforce new rules that any UK company sending details of citizens abroad are held liable for any losses incurred through that third party's negligence." Is what it should have said.

  21. Anonymous Coward
    Anonymous Coward

    so...

    basically, EVERYBODY on their UK database (given that the rest of the population is on a database with other, equally reliable credit rating agencies).

    Great news for those unfortunates who used the same, or some of the same, details elsewhere. How many maiden names does your mother have? They could start to probe those details against major e-mail providers, for a start. You never know, out of 14 million, at least, what, 10% should let you into the inbox, and then, well, it's a wide world of info in there...

  22. Potemkine! Silver badge

    Welcome to the Fist Fuck Play Club!

    CEO Rick Smith also jumped ship, taking his $90m retirement pot with him.

    That's well earned money, he will deserve his gold member card at the Club.

    I wonder what happened to the IT underling who was accused of wrongdoing... I doubt (s)he got a golden parachute, didn't (s)he?

  23. Aladdin Sane

    I've said it before and I'll say it again

    What the fucking fuck is wrong with these people?

  24. RobertLongshaft

    Can we sue em?

    Is the only real question here, can I get some wonga out of em?

    1. wolfetone Silver badge

      Re: Can we sue em?

      "Is the only real question here, can I get some wonga out of em?"

      I think we could.

    2. JakeMS

      Re: Can we sue em?

      I hope so! If I get one of those letters then I'll be contacting my lawyer and seeing what he says. We may be able to claim for free fraud insurance etc :-). But we can't do anything until we get confirmation that we're affected.

      If you get a letter, do not lose it. It may be vital in your case as proof you're affected. In addition, if anyone wants to see it, send copies, not the original.

    3. John Brown (no body) Silver badge

      Re: Can we sue em?

      "Is the only real question here, can I get some wonga out of em?"

      I'm wondering what is involved in the "free" credit/fraud protection they are offering and how much time and effort the victims will have to put in to checking and maintaining that protection, potentially for life. I wonder if a small claims court action would be in order to compensate for the time spent in tracking all this stuff?

  25. Prosthetic Conscience
    Meh

    Equifax has brought every analytical tool, technique and data asset it has available to bear in order to ‘fill in the blanks’

    [...]

    GROUP BY maiden_name, password

    1. VinceH
      Facepalm

      As it fills in those blanks, of course, that information will be stored along with the rest in one of its databases, where it will be perfectly secu... oh.

  26. tiggity Silver badge

    Too glib

    "The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry"

    I know in the age of being open on social media that they may regard DOB as not an issue as lots of people (foolishly) splash it around - I beg to differ.

    I use a false DOB everywhere I possibly can, as it's a key identifying factor, except for things where I legally have to give my actual DOB (e.g. my bank for opening an account). So my real DOB is out in the wild, coupled with a name far less common than a "Jane Smith" style of name; that gives ne'er-do-wells compromising data about me (as, after all, there is quite likely to have been some other "hack" (read sloppy / non-existent security practices) that could let bad actors join other information about me with the DOB).

    Until the DOB leaked via Equifax, someone would have needed to hack my doctors, bank etc. for my DOB (or social engineer it by asking relatives / close friends) - i.e. needed to make an effort; they would not have got it via social media, internet searches etc.

    1. VinceH

      Re: Too glib

      Pretty much the same applies to me - but with social media, even if you've given a fake DOB and/or made sure it's not made visible (preferably both), you still have the issue of those who know you wishing you a happy birthday on the day in question on those sites.

      I've always discouraged this*, but it doesn't stop some from doing it. All I could really do when that happens is try to unlink it somehow. For example on Facebook IIRC it was possible - and perhaps still is, dunno - to remove a third party comment from your wall/timeline. Although even if you do, the comment will still be on their timeline.

      * Not for this specific reason, but just because I'm a grumpy old bastard, and I have no interest whatsoever of celebrating (or even being reminded of) my birthday, online or IRL.

      1. Alan Brown Silver badge

        Re: Too glib

        " you still have the issue of those who know you wishing you a happy birthday on the day in question on those sites."

        99 out of 100 will only do so because the site says it's your birthday and they should send a message.

  27. chris street

    Find out who does searches with Equifax

    If you really feel strongly enough - specify that all future dealings are with institutions that don't use Equifax. If they do - drop them and tell them why.

    You can get free reporting from Noddle.com and see who is doing searches and which agencies are used - start hitting Equifax customers and they will pay attention and so will Equifax.

    1. EnviableOne

      Re: Find out who does searches with Equifax

      Noddle.com is a subsidiary of .... Call Credit

      ClearScore is a subsidiary of ..... Equifax

      CreditExpert is a subsidiary of .... Experian

      plus they all share data with each other, and some companies use more than one.

  28. Anonymous Coward
    Anonymous Coward

    Max ICO fine

    £100,000 - if that. Toothless org.

    1. THMONSTER

      Re: Max ICO fine

      The watchsloth will give them a vicious gumming the likes of which they have never experienced before.

      ooo, stop it, that tickles...

    2. EnviableOne

      Re: Max ICO fine

      Current max is £500k; they tried 475k with TalkTalk, but the courts knocked it back to 400k.

      Once GDPR kicks in it's £17 million or 4% of global turnover from the previous full year, whichever is higher.

      for Equifax turnover 2016 = $3,144.9mil so max fine is $125.79mil

  29. Anonymous Coward
    Anonymous Coward

    That's not a problem, I'll just change my mother's maiden name.

    1. Anonymous Coward
      Anonymous Coward

      Praise for Equifax

      My brother is a thief and fraudster who stole from me. I never thought to use a different maiden name until now. So, thank you Equifax for the heads up.

  30. Shameless Oracle Flack

    Do More by Doing Less

    https://www.linkedin.com/pulse/why-companies-defenseless-against-cyberattacks-what-o-keefe-ph-d-/

    "Winning is about a deep understanding of your own strengths and weaknesses as well as the enemies. What is wholly missing in enterprise IT security is the latter: a strategic sense of vulnerability has given way to an unearned confidence in security products and best practices, comfortably layered into the localized IT bureaucracy that rejects change, embraces process over results, and like the French admiring their Maginot line, imagines they are safe."

  31. Sierpinski

    Alexa order two tonnes of creamed corn. Alexa confirm order.

    I suspect there will be an uptick in the use of devices that ease the automation of purchases using limited amounts of customer data to make accounts in the first place.

  32. itsecman

    Catch 22

    So your data may have been stolen from the CRA and it could be used for fraudulent activity such as obtaining credit etc. This will all impact your Credit Rating, but you can check this by... signing... up.. to... a ...CRA! Mmmmm!

  33. DrM
    FAIL

    Firebrands

    http://BluePhotons.com

  34. j_me

    Does Equifax need your permission to get your data

    because from this article it seems that they just directly ask companies for it https://www.inc.com/associated-press/equifax-data-money.html

    "......They gather as much information about you from lenders, aggregate it, and sell it back to them," said Brett Horn, an industry analyst with Morningstar.

  35. Anonymous Coward
    Anonymous Coward

    Wat doing?

    With apologies to Moose.

  36. Anonymous Coward
    Anonymous Coward

    Fine. I'll just change my mother's maiden name then...

    Oh wait.

    Never mind. I guess I'll have to make something up. And the challenge is now remembering which places have the genuine one and which have the fictional one...

  37. Anonymous Coward
    Anonymous Coward

    So What Next?

    Letter from Equifax (Qui?) received a few days ago...

    What exactly is the perceived wisdom about how to proceed - can't tell from the many comments I've already read?

    & as a Techno-dweeb would be grateful for some objective, clear-headed advice. The May! hack a reality; no turning back - what does any individual affected do now that's smart, practical, relatively 'safe'?

    If Equifax personnel aren't answering the 'phone anyway... & it's already been pointed out - would you really want to add personal detail to info you didn't know the Co. had about you in the first place, particularly under these circumstances?!

    Never heard of the other 2 Credit Providers either...

    Some positive, even mildly-reassuring, thoughts would be appreciated.
