SoylentNews is people

posted by martyb on Friday September 08 2017, @01:24AM
from the Quis-custodiet-ipsos-custodes? dept.

We had three Soylentils send in notice of a major breach at Equifax. The company has a web site specifically for this breach: https://www.equifaxsecurity2017.com/.

Equifax Data Breach Could Affect 143 Million Americans

Equifax, one of the big three US consumer credit reporting agencies, says that criminals exploited a web application vulnerability to gain access to "certain files":

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Is there a silver lining to this event?

Also at NYT, Ars Technica, and CNN.

Huge Cyber Theft from Equifax!

"Cyber security expert Morgan Wright weighs in on the Equifax Inc hack, which may have exposed the personal details of potentially more than 143 million people." http://www.foxbusiness.com/features/2017/09/07/equifax-143m-us-consumers-affected-by-criminal-cyber-security-breach.html

Equifax Hacked - Data Breach of *Basically Everyone's* PII

According to ARS, Consumerist, and others:

Equifax announced today that it discovered “unauthorized access” to their systems — i.e. a data breach — on July 29. 143 million records, basically *everyone* in their database.

That query must have taken a long time to run.

Whoever got into their systems had access from mid-May through the end of July, so about two-and-a-half months.

Equifax says it has “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases,” but plenty of Equifax systems were accessed, and data purloined. The company adds the standard adage about reporting the incident to law enforcement and working with both independent forensic investigators as well as the relevant authorities to sort out who’s responsible.

What was stolen?

This one is bad. The illicitly accessed data includes:

  • Names
  • Dates of birth
  • Addresses
  • Social Security numbers
  • Driver’s license numbers

That is, of course, basically the identity theft jackpot. Every account that needs verification that you’re you asks for that exact set of data, so now anyone can be you.

So, all of your PII are belongs to us.



The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Informative) by fishybell on Friday September 08 2017, @01:36AM (1 child)

    by fishybell (3156) on Friday September 08 2017, @01:36AM (#564873)

    We all win this time!

    I'm very much of the opinion that there aren't enough disincentives for companies that house sensitive data. I say make an example out of them and shut them down, or better yet, that, and use this as a starting off point for getting rid of the whole "you know this secret number, so you must be this person" shtick.

    • (Score: 1, Informative) by Anonymous Coward on Friday September 08 2017, @04:52AM

      by Anonymous Coward on Friday September 08 2017, @04:52AM (#564936)

      or better yet, that, and use this as a starting off point for getting rid of the whole "you know this secret number, so you must be this person" shtick.

      For the love of all that is good, this, a hundred, nay, a million times this!
      Also, see the first item under 'best practices' over at the SSA: https://www.ssa.gov/phila/ProtectingSSNs.htm#best [ssa.gov]. They say so themselves that you should not use this as a unique identifier!

  • (Score: 1, Insightful) by Anonymous Coward on Friday September 08 2017, @01:45AM

    by Anonymous Coward on Friday September 08 2017, @01:45AM (#564875)

    Gas chamber is too good for these cretins.

  • (Score: 3, Interesting) by takyon on Friday September 08 2017, @02:05AM (7 children)

    by takyon (881) <{takyon} {at} {soylentnews.org}> on Friday September 08 2017, @02:05AM (#564880) Journal

    At this point, hasn't the SSN for every American been compromised?

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 4, Funny) by coolgopher on Friday September 08 2017, @02:08AM

      by coolgopher (1157) on Friday September 08 2017, @02:08AM (#564882)

      Easy fix, just rename it to the "Social Insecurity Number".

    • (Score: 2) by el_oscuro on Friday September 08 2017, @02:15AM

      by el_oscuro (1711) on Friday September 08 2017, @02:15AM (#564887)

      It is probably easy to do a search for people who haven't been pwned:

      In your SQLi query:
      /search.php?x%27%20union%20select%20%2A%20from%20subjects%20where%20pwned%3C%3E%27Y%27--

      No results returned. Please refine your search.

      --
      SoylentNews is Bacon! [nueskes.com]
    • (Score: 3, Insightful) by JoeMerchant on Friday September 08 2017, @02:39AM

      by JoeMerchant (3937) on Friday September 08 2017, @02:39AM (#564899)

      It's a poor secret, only protected by the slight inconvenience of having to be a "trusted agency" to get it.

      What really protects your CC#, check routing numbers, SSN, and every other "valuable" number in your life is the threat of prosecution to those who would misuse them. That's what's scary about identity theft on the internet, is that the abusers often will live outside the jurisdiction of the victims' country.

      --
      🌻🌻 [google.com]
    • (Score: 2) by richtopia on Friday September 08 2017, @02:41AM (3 children)

      by richtopia (3160) on Friday September 08 2017, @02:41AM (#564900) Homepage Journal

      Honestly we need to replace the SSN. However I have no good solution, and I'm not sure if anyone does. The number is designed to track people for Social Security, however it has expanded into a national ID number.

      Maybe we can do something involving a decentralized currency blockchain. Buzzwords really work, right?

      • (Score: 3, Funny) by fyngyrz on Friday September 08 2017, @06:05AM

        by fyngyrz (6567) on Friday September 08 2017, @06:05AM (#564960) Journal

        Honestly we need to replace eliminate the SSN.

        FTFY.

      • (Score: 0) by Anonymous Coward on Friday September 08 2017, @08:49PM

        by Anonymous Coward on Friday September 08 2017, @08:49PM (#565312)

        the cto of the opm says they're looking into this "bitchain stuff".

      • (Score: 2) by cykros on Friday September 08 2017, @10:51PM

        by cykros (989) on Friday September 08 2017, @10:51PM (#565363)

        If we really need a national identifier to take the role of the SSN, it should be a public key, issued and signed at a government agency (perhaps your local post office?), able to be replaced in the event of a compromise (and perhaps on a schedule). The real trouble would come in ensuring that people manage to keep their private key safe and not lose it. Perhaps some rugged memory built into one's driver's license?

        The idea of a number that is used everywhere being a secret key that opens up all manner of doors is completely asinine. While it might be okay enough to differentiate between John Smith (822-37-8324) and John Smith (836-82-5724), it's not remotely up to the task of providing authentication and should cease to be used as such.
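
The distinction drawn in the comment above, between a number that identifies and a key that authenticates, as an added example (not part of the thread). It uses Node.js's built-in crypto module with Ed25519; the `Issuer`, `Holder`, `knowledgeCheck`, `signatureCheck` and `runScenario` names and the `ID-0001` identifier are hypothetical, and the in-memory revocation set stands in for whatever revocation service a real issuer would run.

```javascript
// Added illustration, not code from the thread. All names are hypothetical.
const nodeCrypto = require('node:crypto');

const encode = (body) => Buffer.from(JSON.stringify(body));

// Issuing agency: signs a binding between a public identifier and a public key.
class Issuer {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ed25519');
    this.publicKey = pair.publicKey;
    this.signingKey = pair.privateKey;
    this.revoked = new Set(); // serials of credentials that were replaced
    this.nextSerial = 1;
  }
  issue(idNumber, holderPublicKey) {
    const key = holderPublicKey.export({ type: 'spki', format: 'der' }).toString('base64');
    const body = { serial: this.nextSerial++, idNumber, key };
    const sig = nodeCrypto.sign(null, encode(body), this.signingKey).toString('base64');
    return { body, sig };
  }
  revoke(serial) { this.revoked.add(serial); }
}

// Holder: keeps the private key; only the certificate and signatures are shared.
class Holder {
  constructor(idNumber, issuer) {
    this.idNumber = idNumber;
    this.rotate(issuer);
  }
  // Replace the key pair (after a compromise or on a schedule); the identifier stays.
  rotate(issuer) {
    if (this.cert) issuer.revoke(this.cert.body.serial);
    const pair = nodeCrypto.generateKeyPairSync('ed25519');
    this.privateKey = pair.privateKey;
    this.cert = issuer.issue(this.idNumber, pair.publicKey);
  }
  respond(challenge) { return nodeCrypto.sign(null, challenge, this.privateKey); }
}

// Weak scheme: knowing the number is treated as proof of being the person.
function knowledgeCheck(numberOnFile, claimedNumber) {
  return numberOnFile === claimedNumber;
}

// Stronger scheme: the certificate must be issuer-signed and unrevoked, and a
// fresh random challenge must be signed by the key the certificate names.
function signatureCheck(issuer, cert, challenge, response) {
  const certOk = nodeCrypto.verify(null, encode(cert.body), issuer.publicKey,
    Buffer.from(cert.sig, 'base64'));
  if (!certOk || issuer.revoked.has(cert.body.serial)) return false;
  const holderKey = nodeCrypto.createPublicKey({
    key: Buffer.from(cert.body.key, 'base64'), format: 'der', type: 'spki',
  });
  return nodeCrypto.verify(null, challenge, holderKey, response);
}

function runScenario() {
  const issuer = new Issuer();
  const idNumber = 'ID-0001'; // constructed identifier, not a real number
  const holder = new Holder(idNumber, issuer);
  const newChallenge = () => nodeCrypto.randomBytes(32);

  // Normal login: the holder signs the verifier's fresh challenge.
  const c1 = newChallenge();
  const r1 = holder.respond(c1);
  const legitimateLogin = signatureCheck(issuer, holder.cert, c1, r1);

  // A database leak exposes everything a verifier ever stored or saw.
  const leaked = { idNumber, cert: holder.cert, oldResponse: r1 };
  const leakPassesKnowledgeCheck = knowledgeCheck(idNumber, leaked.idNumber);
  const leakPassesSignatureCheck =
    signatureCheck(issuer, leaked.cert, newChallenge(), leaked.oldResponse);

  // Editing the certificate body breaks the issuer's signature over it.
  const edited = { body: { ...holder.cert.body, idNumber: 'ID-9999' }, sig: holder.cert.sig };
  const c2 = newChallenge();
  const editedCertAccepted = signatureCheck(issuer, edited, c2, holder.respond(c2));

  // The private key itself is lost: rotate, and the old credential stops working.
  const oldCert = holder.cert;
  const oldKey = holder.privateKey;
  holder.rotate(issuer);
  const c3 = newChallenge();
  const oldKeyAfterRotation =
    signatureCheck(issuer, oldCert, c3, nodeCrypto.sign(null, c3, oldKey));
  const newKeyAfterRotation = signatureCheck(issuer, holder.cert, c3, holder.respond(c3));

  return {
    legitimateLogin, leakPassesKnowledgeCheck, leakPassesSignatureCheck,
    editedCertAccepted, oldKeyAfterRotation, newKeyAfterRotation,
    identifierUnchanged: holder.cert.body.idNumber === idNumber,
  };
}
```

The identifier can stay public and permanent because a leak of it, or of the certificate, passes only the knowledge check; the rotation step is what the static number has no equivalent for.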

  • (Score: 0) by Anonymous Coward on Friday September 08 2017, @02:09AM (4 children)

    by Anonymous Coward on Friday September 08 2017, @02:09AM (#564883)

    Tried their website, there is a place to enter last name and 6 digits from SSN. It said that I was not affected, but the search seemed really quick (like a Google search). I wonder if they just say "you are OK" to everyone?

    • (Score: 4, Informative) by urza9814 on Friday September 08 2017, @02:19AM

      by urza9814 (3954) on Friday September 08 2017, @02:19AM (#564889) Journal

      Nope, mine didn't say specifically that I was affected, but it doesn't say that I'm not. It just gives me an enrollment date for identity protection. So I guess that's a yes.

      Shit.

    • (Score: 0) by Anonymous Coward on Friday September 08 2017, @02:34AM (1 child)

      by Anonymous Coward on Friday September 08 2017, @02:34AM (#564895)

      >Tried their website, there is a place to enter last name and 6 digits from SSN.

      Next week's headline: THAT database gets hacked, everyone else's SSN compromised.

      • (Score: 1, Insightful) by Anonymous Coward on Friday September 08 2017, @03:50AM

        by Anonymous Coward on Friday September 08 2017, @03:50AM (#564922)

        Yeah, that did occur to me. I'm taking the 1 in a thousand chance (they asked for 6 of the 9 SSN digits) that any crooks will find it easier to get full matching numbers and names...instead of trying to guess the rest of my number.

    • (Score: 4, Informative) by Thexalon on Friday September 08 2017, @05:37PM

      by Thexalon (636) on Friday September 08 2017, @05:37PM (#565219)

      Some things to be aware of about that:
      1. According to TechCrunch's article on this [techcrunch.com], accepting the identity protection offer waives your right to participate in the pending class-action lawsuit against Equifax.

      2. According to ArsTechnica [arstechnica.com], the site https://www.equifaxsecurity2017.com/ [equifaxsecurity2017.com] is atrocious when it comes to security: It runs on unmodified Wordpress, and has bad SSL settings.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 5, Informative) by deadstick on Friday September 08 2017, @02:13AM (28 children)

    by deadstick (5110) on Friday September 08 2017, @02:13AM (#564885)

    ...Three high-level Equifax execs dumped their shares before it could get out. https://www.nbcnews.com/tech/security/massive-equifax-data-breach-could-impact-half-u-s-population-n799686 [nbcnews.com]

    • (Score: 4, Insightful) by aristarchus on Friday September 08 2017, @02:18AM (25 children)

      by aristarchus (2645) on Friday September 08 2017, @02:18AM (#564888) Journal

      Doncha just love capitalism! The market has a solution to even a total disaster like this!

      • (Score: 3, Interesting) by The Mighty Buzzard on Friday September 08 2017, @02:53AM (24 children)

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Friday September 08 2017, @02:53AM (#564908) Homepage Journal

        Yes, I do. I've had a solution to this for decades: don't use credit. Do a quick, free credit check a couple times a year to make sure you still don't have any and everything is shiny.

        --
        My rights don't end where your fear begins.
        • (Score: 2, Insightful) by Anonymous Coward on Friday September 08 2017, @03:51AM (20 children)

          by Anonymous Coward on Friday September 08 2017, @03:51AM (#564923)

          Hey dumbfuck! You, via the already listed identifying info, are already in these databases, even if you have never taken out credit, per se. Now, somebody else can take out credit for you. Looks like you still lost the game...albeit with insufferable smugness still intact.

          • (Score: 2) by The Mighty Buzzard on Friday September 08 2017, @10:20AM (3 children)

            by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Friday September 08 2017, @10:20AM (#565002) Homepage Journal

            Oi, dipshit, did you miss the part where I never use credit? That means A) ruined credit means nothing to me and B) I can check a couple times a year and get anything someone did in my name easily removed.

            --
            My rights don't end where your fear begins.
            • (Score: 3, Funny) by edIII on Friday September 08 2017, @05:19PM (2 children)

              by edIII (791) on Friday September 08 2017, @05:19PM (#565207)

              Yep. I probably have about 10-15 parasites on my credit right now, just as I did 20 years ago when I first looked into it.

              Checked the website, I "may have been affected", and I just laughed.

              1) I don't use credit
              2) If a company demands a credit report before doing business with me, I remind them that they will pay for it, and I will suffer zero damages from anything on it. If they want $500 extra dollars I just walk out the fucking door.
              3) Cash is king. When you pay something in full, you can talk to the owner or supervisor and they WILL take away the penalties. They hate watching that much money leave.
              4) I have always lied. Whatever addresses the criminals think they have are inaccurate. To top it off, the parasites and general ineptitude of the credit reporting agencies, have added addresses to my credit report that I have nothing to do with. A feature, not a bug :)

              Unlike you, I don't remove shit anymore. It's like added shielding for days like this :)

              --
              Technically, lunchtime is at any moment. It's just a wave function.
              • (Score: 3, Insightful) by cykros on Friday September 08 2017, @11:00PM (1 child)

                by cykros (989) on Friday September 08 2017, @11:00PM (#565369)

                Not using credit is usually easier said than done. Sure, you might avoid ever having a mortgage by staying in the rental cycle, but then, most landlords will do a credit check and refuse to rent to you if your credit is trashed. Living out of a trailer may be a solution, though isn't without its pitfalls. Unless you're born into money or otherwise have a well-to-do benefactor to help you out while you build up enough of your own (ie, someone who gives you informal credit outside of the banking system), you're stuck either using credit, or at least generally spending a lot more money in the long run than would be necessary if you had (ie, renting for 15 years to save up enough to buy a cheap house outright rather than relying on a mortgage).

                Basically, while of course there are ways that a minority of people can slip through the cracks and do things like live off-lease at someone else's rental or with someone who trusts them to pay rent, those cracks simply aren't big enough for the majority of the population to fit through at the same time.

                • (Score: 3, Informative) by Runaway1956 on Friday September 08 2017, @11:26PM

                  by Runaway1956 (2926) Subscriber Badge on Friday September 08 2017, @11:26PM (#565386) Journal

                  When I was a kid, it was recognized that a mortgage was probably an unavoidable debt. It was pretty common for people to finance a home, and a car. There really isn't anything else that people should be financing. Today, people purchase lunch on credit, balancing a wallet full of credit cards that are all overdrawn. Somewhere, we've lost our clues.

          • (Score: 3, Interesting) by Justin Case on Friday September 08 2017, @01:18PM (15 children)

            by Justin Case (4239) on Friday September 08 2017, @01:18PM (#565071) Journal

            somebody else can take out credit for you. Looks like you still lost the game

            Why should I care in the slightest if Criminal A tricks stupid careless sloppy Bank B into giving money to A because A claims to be me?

            I'm not involved in this transaction in any way. I am not a "victim" of "identity theft". My identity wasn't stolen; I still have it.

            Now I suppose clueless Bank B might ask me to pay back the loan someday. My response: What loan? Show me the contract bearing my signature. Oh you don't have one? Fuck off.

            • (Score: 2, Informative) by Anonymous Coward on Friday September 08 2017, @02:59PM (11 children)

              by Anonymous Coward on Friday September 08 2017, @02:59PM (#565128)

              Because Bank B will file on your credit, causing your legitimate creditors to review the conditions they provide you, your insurance providers to raise your rates, and credit to be denied to you should you suddenly need it.

              • (Score: 2, Interesting) by Anonymous Coward on Friday September 08 2017, @04:36PM (4 children)

                by Anonymous Coward on Friday September 08 2017, @04:36PM (#565180)

                Because Bank B will file on your credit, causing your legitimate creditors to review the conditions they provide you, your insurance providers to raise your rates, and credit to be denied to you should you suddenly need it.

                Actually, those are among the least of his worries. What is truly terrifying is if some twizzledick owes back taxes on your stolen identity. The IRS typically won't give a fuck if you plead that this was someone else that fraudulently ran up a tax bill in your name. And need I point out that, with the IRS, they don't need to prove you are guilty, you need to prove you are innocent? Also, bad credit rating could affect access to medical care. Be afraid. Be very afraid.

                • (Score: 0) by Anonymous Coward on Friday September 08 2017, @05:19PM (3 children)

                  by Anonymous Coward on Friday September 08 2017, @05:19PM (#565208)

                  And need I point out that, with the IRS, they don't need to prove you are guilty, you need to prove you are innocent?

                  Is that actually true? Yes, any kind of identity theft will be a PITA, and possibly legally expensive, for the victim to sort out. Given adequate defense, do legitimate tax court cases usually end unfairly?

                  • (Score: 0) by Anonymous Coward on Friday September 08 2017, @07:07PM (2 children)

                    by Anonymous Coward on Friday September 08 2017, @07:07PM (#565261)

                    And need I point out that, with the IRS, they don't need to prove you are guilty, you need to prove you are innocent?

                    Is that actually true?

                    From the section titled "Spread and impact" (at the bottom of the wiki page) [wikipedia.org]:

                    In a widely publicized account, Michelle Brown, a victim of identity fraud, testified before a U.S. Senate Committee Hearing on Identity Theft. Ms. Brown testified that: "over a year and a half from January 1998 through July 1999, one individual impersonated me to procure over $50,000 in goods and services. Not only did she damage my credit, but she escalated her crimes to a level that I never truly expected: she engaged in drug trafficking. The crime resulted in my erroneous arrest record, a warrant out for my arrest, and eventually, a prison record when she was booked under my name as an inmate in the Chicago Federal Prison."

                    Also, Identity Theft Victims Are Waiting Months for Their Tax Refunds, TIGTA Says [accountingweb.com] Yep, unfortunately it's true.

                    • (Score: 0) by Anonymous Coward on Friday September 08 2017, @07:40PM (1 child)

                      by Anonymous Coward on Friday September 08 2017, @07:40PM (#565278)

                      Your quote doesn't match the question.

                      The question was whether process in the tax court could be described as fair. That it may take longer to claim a tax refund in the case of identity theft is obvious.

                      • (Score: 0) by Anonymous Coward on Friday September 08 2017, @09:50PM

                        by Anonymous Coward on Friday September 08 2017, @09:50PM (#565340)

                        Your quote doesn't match the question.

                        The question was whether process in the tax court could be described as fair.

                        ????? Michelle Brown found herself in the position of having to clear her name and prove that she was not a convicted felon. In what rational universe could that possibly be construed as fair?!? Meanwhile, here in the real world, defendants are (supposed to be) considered innocent until proven guilty.

              • (Score: 2) by edIII on Friday September 08 2017, @05:25PM (4 children)

                by edIII (791) on Friday September 08 2017, @05:25PM (#565212)

                Ohhhh, I hope they fucking do. Please, please, please let this happen to me. Banks have what lawyers masturbate to at night; Deep Pockets.

                If Bank B fucked up that big, I can get Lawyer C to put the big D into Bank B. Afterwards, I get a tidy sum after splitting it with the lawyer.

                In a court of law, they need to prove it was me.

                --
                Technically, lunchtime is at any moment. It's just a wave function.
                • (Score: 0) by Anonymous Coward on Friday September 08 2017, @07:45PM (3 children)

                  by Anonymous Coward on Friday September 08 2017, @07:45PM (#565280)

                  Months and $$$ later, yeah, you may receive justice. Depends if you can afford to front the $$$ and spend months fighting. Seems unlikely to me that a lawyer would take such a case purely on contingency.

                  • (Score: 3, Informative) by edIII on Friday September 08 2017, @09:23PM (2 children)

                    by edIII (791) on Friday September 08 2017, @09:23PM (#565329)

                    Then you have no imagination, and are largely ignorant of the processes involved.

                    Sue them in small claims court. The top limit is $5k, but it will only cost you $75 max to initiate the lawsuit. By law, Equifax must appear and send an executive down with the lawyer. This is why when a large corporation fucks up they will settle on the $5k, if they are smart. That's much less than the cost of sending a lawyer and executive to a small claims court in California. If they don't appear it's also very likely I receive a default judgement against them, as my arguments are not about pain and suffering using facts they themselves put out in public.

                    If/When I win the case, it sets precedence. Then I speak with the lawyer and inform him that the $5k will be used to put up a how-to website describing how everyone else can sue them in small claims court too. Death by 10,000 cuts to follow. Unless I get $100k, and for that, I would be willing to agree to no class actions or websites created. Either way, I fucked them out of thousands just by filing the damn suit. Even funnier is just to sue for the costs of the suit plus $1 for principles. I know the plane costs and paying the lawyer and executive far exceed whatever I could get, so they get fucked.

                    Often companies like to not pay. Lawyers have told my family, "Good luck collecting". Bwahahahahhahahahhha!! You show up with a sheriff at their headquarters and start taking chairs, desks, computers, etc. It's all legal, and I can do it until the sale of their shit can get rid of my judgment. I've been there looking at the lawyer's face and his response was, "I will have the check by tomorrow".

                    Yes, there are lawyers that would eat that up on contingency in a second. Remember, if he wins, there are 143 million (minus 1) other prospects for doing the exact same thing. Plus the possibilities of class actions. I've never been in an agreement with Equifax, so they don't get arbitration.

                    --
                    Technically, lunchtime is at any moment. It's just a wave function.
                    • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @11:05AM

                      by Anonymous Coward on Saturday September 09 2017, @11:05AM (#565585)

                      It only sets a precedent if the case is published.

                    • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @10:36PM

                      by Anonymous Coward on Saturday September 09 2017, @10:36PM (#565784)

                      Idea: ask the court to grant an injunction against Equifax keeping records about the plaintiff. Unintended consequences may ensue. :-)

              • (Score: 0) by Anonymous Coward on Friday September 08 2017, @08:34PM

                by Anonymous Coward on Friday September 08 2017, @08:34PM (#565305)

                About insurance:

                More specifically, the alternative data used in Insight Score for Insurance includes account payment data from the communications, utility and payTV industries to provide you with predictive FCRA consumer data on more than 187 million unique consumers, 27 million of which have no consumer credit file.

                http://www.equifax.com/business/insight-score-insurance [equifax.com]

            • (Score: 3, Informative) by edIII on Friday September 08 2017, @05:31PM (2 children)

              by edIII (791) on Friday September 08 2017, @05:31PM (#565214)

              Yes, Stand your ground. I did it with a wireless carrier that claimed I racked up thousands of dollars in charges on an account opened in my name with my social. Of course... this was Sprint. Who I have never done business with in my life. I never signed any contract, and Sprint is notorious for shitty security and events exactly like this.

              They tried suing me and I laughed my fucking ass off and watched them lose theirs. Reasonable doubt was provided nicely by the thousands of dollars I had been paying a different wireless carrier under contract for several years before the account was opened at Sprint. None of the numbers called belonged to anyone I knew. Anybody with a brain could see it was fraud, which excluded Sprint.

              --
              Technically, lunchtime is at any moment. It's just a wave function.
              • (Score: 0) by Anonymous Coward on Friday September 08 2017, @08:38PM

                by Anonymous Coward on Friday September 08 2017, @08:38PM (#565307)

                The standard, I think, is a preponderance of evidence. Had they managed to get criminal charges filed against you, the standard would be reasonable doubt.

              • (Score: 1) by anubi on Saturday September 09 2017, @03:17AM

                by anubi (2828) on Saturday September 09 2017, @03:17AM (#565479) Journal

                I hope you got a nice settlement for all that pain and aggravation they brought upon you.

                --
                "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 0) by Anonymous Coward on Friday September 08 2017, @08:32PM (2 children)

          by Anonymous Coward on Friday September 08 2017, @08:32PM (#565303)

          > don't use credit

          Yes, the solution is to go off the grid. And pity the fools who have postpaid gas, water, electricity, telephone, cable/satellite TV, or Internet.

          • (Score: 3, Informative) by The Mighty Buzzard on Friday September 08 2017, @08:57PM (1 child)

            by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Friday September 08 2017, @08:57PM (#565318) Homepage Journal

            Those aren't credit. Those are bills. The former is someone advancing you money and hoping you pay it back, the latter is simply charging you either before or after services have been rendered. In the case of my Internet and insurance bills, it's before because they know exactly what the charge will be for a month. In the cases of gas/water/electricity they have no idea how much to charge until I've used the service in question for a month, so they're forced to charge afterwards.

            --
            My rights don't end where your fear begins.
            • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @10:16AM

              by Anonymous Coward on Saturday September 09 2017, @10:16AM (#565570)

              You may never have asked someone to loan you money, but utility companies do credit inquiries:

              You might be surprised to learn that companies can perform a hard inquiry on your credit even if you aren't applying for a loan. For instance, a bank might choose to run a hard inquiry if you try to open a savings account with them [source: LendingTree]. Or, a phone company might be able to perform such an inquiry when you get an account with them. Even cable and Internet companies may pull a hard inquiry when you request their services.

              (source [howstuffworks.com])

              One definition of credit, which applies to utility bills, is [dictionary.com] "confidence in a purchaser's ability and intention to pay, displayed by entrusting the buyer with goods or services without immediate payment." Semantics aside, Experian says [soylentnews.org] that it receives reports from those companies--which it uses in a score that it sells to insurance companies. Were you able to avoid giving your personal information to providers of "gas, water, electricity, telephone, cable/satellite TV, or Internet" when signing up for those services? I'm guessing the answer is no, meaning CRAs have your personal information. If you somehow do without utilities or don't have them in your name, the CRAs still have your information. You provided it when you requested those free credit checks.

              Even if you never apply for a loan, CRAs can affect you. In some states, employers are allowed to request records from CRAs as part of a background check. The whole point of the CRA is to buy and sell information about you. If they're careless with it, there could be harm to you even if you never apply for what you define as credit.

    • (Score: 4, Interesting) by richtopia on Friday September 08 2017, @02:43AM (1 child)

      by richtopia (3160) on Friday September 08 2017, @02:43AM (#564902) Homepage Journal

      Perhaps it is time to buy stocks in LifeLock and identity theft companies. They might be ineffective, but that won't stop people running to them scared.

      • (Score: 5, Informative) by stretch611 on Friday September 08 2017, @02:57AM

        by stretch611 (6199) on Friday September 08 2017, @02:57AM (#564910)

        Lifelock is a waste of money. Most things they do can be done for free with little effort.

        Older, but they actually settled with the FTC back in 2010... [ftc.gov]

        The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

        In 2015, the FTC ordered it to pay another $100 million [ftc.gov] because it never followed the settlement from 2010.

        IMHO, Lifelock is not a company that should be allowed to be in business.

        --
        Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 1, Flamebait) by urza9814 on Friday September 08 2017, @02:26AM (4 children)

    by urza9814 (3954) on Friday September 08 2017, @02:26AM (#564891) Journal

    In response, they've offered one year of free monitoring.

    So if the criminals are smart they'll try to sit on some of that information for a year...says they may have gotten some credit card numbers, but that's the only thing on that list that *might* expire in that time. Drivers licenses are usually good for five, and SSN and DOB aren't going to change at all. One year doesn't seem like enough.

    • (Score: 2) by Justin Case on Friday September 08 2017, @02:45AM (1 child)

      by Justin Case (4239) on Friday September 08 2017, @02:45AM (#564903) Journal

      The company adds the standard adage about reporting the incident to law enforcement

      Why would they call law enforcement?

      I mean, don't they all expect to go to jail over this?

      And when will we be getting our $10,000 per victim compensation? Not that I can buy my privacy back for $10,000, but it would be a modest start.

      • (Score: 2) by Thexalon on Friday September 08 2017, @05:40PM

        by Thexalon (636) on Friday September 08 2017, @05:40PM (#565225)

        I mean, don't they all expect to go to jail over this?

        Of course not. Equifax is an important financial institution vital to our modern economy. We can't possibly upset their shareholders by leading people away in handcuffs just for a little gross negligence, insider trading, or illegal handling of consumer data. Why, even the mere thought of an investigation would pose a serious problem, and we should really just forget this whole thing ever happened.

        - every politician ever

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 3, Insightful) by stretch611 on Friday September 08 2017, @03:04AM (1 child)

      by stretch611 (6199) on Friday September 08 2017, @03:04AM (#564911)

      In response, they've offered one year of free monitoring.

      Of course part of their business is credit monitoring...

      So they are going to be providing their own service for free to the people they screwed with their crappy security problems. How is that supposed to make people feel safe?

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
      • (Score: 1) by anubi on Saturday September 09 2017, @03:26AM

        by anubi (2828) on Saturday September 09 2017, @03:26AM (#565483) Journal

        1 year my ass. This ought to be "lifetime".

        If *I* screw someone over ( say, a car accident ), I can't weasel out of it with a "one year medical assistance offer".

        Why should they get off so easy?

        I believe they should be on the hook to handle everything associated with fixing credit reporting screwups for the rest of the lives of everyone who has been affected. Including unlimited guarantees against loss of innocent people's funds or time, with time valued at $100/hour.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 0) by Anonymous Coward on Friday September 08 2017, @02:52AM

    by Anonymous Coward on Friday September 08 2017, @02:52AM (#564907)

    How can this not make things worse? To use it, you have to provide your info to yet another company with sketchy low-paid employees.

    What can they really do anyway? They can't undo the leak. They can't arrest people, and government won't cooperate. For example, the IRS might know a dozen people using your social security number, and they don't do shit. Another example is the millions of people who are older than 112 according to social security number, despite there being roughly 500 in the entire world. Stopping identity theft is almost trivial for the government, but roughly impossible for non-government.

  • (Score: 1, Interesting) by Anonymous Coward on Friday September 08 2017, @04:57AM (3 children)

    by Anonymous Coward on Friday September 08 2017, @04:57AM (#564937)

    Equifax.com links to http://www.equifaxsecurity2017.com/ [equifaxsecurity2017.com] which OpenDNS claims is a phishing site...
    Mwaaahahaha... did I miss amateur hour or something or are they just having it in a place I'm not invited to?

    • (Score: 0) by Anonymous Coward on Friday September 08 2017, @08:40AM

      by Anonymous Coward on Friday September 08 2017, @08:40AM (#564984)

      https://www.equifax.com/personal/ [equifax.com] links to it. That is hilarious though.

    • (Score: 4, Interesting) by Justin Case on Friday September 08 2017, @01:36PM (1 child)

      by Justin Case (4239) on Friday September 08 2017, @01:36PM (#565081) Journal

      did I miss amateur hour

      I sat in an all-day meeting with about 25 people: our local police, FBI rep, risk manager, PR person, legal rep, CFO designee, CIO designee and so on all down the line, all to listen to a marketing spiel by an "identity theft protection" outfit.

      Of course they would do nothing to actually protect anyone.

      But once a breach occurs, simply transfer your entire victim list (name, address, phone, email, account number...) to their public anonymous FTP server and they would get started straight away notifying all the victims.

      I tried to point out that this would be committing a breach in the process of responding to a breach. Everyone stared at me as if I was peeing in the punch bowl.

      • (Score: 1) by anubi on Saturday September 09 2017, @03:33AM

        by anubi (2828) on Saturday September 09 2017, @03:33AM (#565487) Journal

        I tried to point out that this would be committing a breach in the process of responding to a breach. Everyone stared at me as if I was peeing in the punch bowl.

        Join the club.

        This is yet another example of why I *hated* working corporate.

        So many suits, ties, handshakes, and signatures... so little common sense. I wasn't one of "the inner circle", so nothing I had to offer would be taken seriously.

        It was like watching a drunk wreck their own car.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]