date 2008-09-17
from the Quis-custodiet-ipsos-custodes? dept.
We had three Soylentils send in notice of a major breach at Equifax. The company has a web site specifically for this breach: https://www.equifaxsecurity2017.com/.
Equifax Data Breach Could Affect 143 Million Americans
Equifax, one of the big three US consumer credit reporting agencies, says that criminals exploited a web application vulnerability to gain access to "certain files":
Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Is there a silver lining to this event?
Equifax announced today that it discovered “unauthorized access” to their systems — i.e. a data breach — on July 29. 143 million records, basically *everyone* in their database.
That query must have taken a long time to run.
Whoever got into their systems had access from mid-May through the end of July, so about two-and-a-half months.
Equifax says it has “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases,” but plenty of Equifax systems were accessed, and data purloined. The company adds the standard adage about reporting the incident to law enforcement and working with both independent forensic investigators as well as the relevant authorities to sort out who’s responsible.
What was stolen?
This one is bad. The illicitly accessed data includes:
- Names
- Dates of birth
- Addresses
- Social Security numbers
- Driver’s license numbers
That is, of course, basically the identity theft jackpot. Every account that needs verification that you’re you asks for that exact set of data, so now anyone can be you.
So, all of your PII are belongs to us.
(Score: 3, Insightful) by fishybell on Friday September 08, @01:36AM
We all win this time!
I'm very much of the opinion that there aren't enough disincentives for companies that house sensitive data. I say make an example out of them and shut them down, or better yet, that, and use this as a starting off point for getting rid of the whole "you know this secret number, so you must be this person" shtick.
(Score: 1, Insightful) by Anonymous Coward on Friday September 08, @01:45AM
Gas chamber is too good for these cretins.
(Score: 2) by takyon on Friday September 08, @02:05AM (2 children)
At this point, hasn't the SSN for every American been compromised?
(Score: 2) by coolgopher on Friday September 08, @02:08AM
Easy fix, just rename it to the "Social Insecurity Number".
It is probably easy to do a search for people who haven't been pwned:
In your SQLi query:
/search.php?x%27%20union%20select%20%2A%20from%20subjects%20where%20pwned%3C%3E%27Y%27--
No results returned. Please refine your search.
(Score: 0) by Anonymous Coward on Friday September 08, @02:09AM (2 children)
Tried their website, there is a place to enter last name and 6 digits from SSN. It said that I was not affected, but the search seemed really quick (like a Google search). I wonder if they just say "you are OK" to everyone?
(Score: 3, Informative) by urza9814 on Friday September 08, @02:19AM
Nope, mine didn't say specifically that I was affected, but it doesn't say that I'm not. It just gives me an enrollment date for identity protection. So I guess that's a yes.
Shit.
(Score: 0) by Anonymous Coward on Friday September 08, @02:34AM
>Tried their website, there is a place to enter last name and 6 digits from SSN.
Next week's headline: THAT database gets hacked, everyone else's SSN compromised.
(Score: 2) by deadstick on Friday September 08, @02:13AM (1 child)
...Three high-level Equifax execs dumped their shares before it could get out. https://www.nbcnews.com/tech/security/massive-equifax-data-breach-could-impact-half-u-s-population-n799686 [nbcnews.com]
(Score: 2) by aristarchus on Friday September 08, @02:18AM
Doncha just love capitalism! The market has a solution to even a total disaster like this!
(Score: 2) by urza9814 on Friday September 08, @02:26AM
In response, they've offered one year of free monitoring.
So if the criminals are smart they'll try to sit on some of that information for a year...says they may have gotten some credit card numbers, but that's the only thing on that list that *might* expire in that time. Drivers licenses are usually good for five, and SSN and DOB aren't going to change at all. One year doesn't seem like enough.
