
posted by Fnord666 on Thursday September 21 2017, @09:03PM
from the faux-phishing dept.

Equifax's Twitter account linked to a website created by a software engineer imitating the real breach info site:

People create fake versions of big companies' websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake.

Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax's page about the security breach that may have exposed 143 million Americans' personal information. Several posts from the company's Twitter account directed consumers to Mr. Sweeting's version, securityequifax2017.com. They were deleted after the mistake was publicized.

By Wednesday evening, the Chrome, Firefox and Safari browsers had blacklisted Mr. Sweeting's site, and he took it down. By that time, he said, it had received about 200,000 hits.

Fortunately for the people who clicked, Mr. Sweeting's website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: "To enroll in complimentary identity theft protection and credit file monitoring, click here." But a headline in large text differed: "Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?"

Also at The Verge.
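The fake site in the story did nothing cleverer than swap the first two words of the real domain, and Equifax's own social-media team could not tell the difference. Two controls would have caught it: enumerating the obvious lookalikes of a domain before it is launched (to register them defensively or watch for them in DNS and certificate-transparency logs), and refusing to post any link whose host is not on an explicit allowlist. The following Python is an added example written for this page; it is not code from Equifax or from the NYT article. The two domain names are the ones named in the story; the token split, the TLD list, the allowlist contents and the URLs vetted at the bottom are assumptions made for illustration.

```python
"""Enumerate lookalike variants of a breach-notification domain and vet links
before they go out from an official account.  Added example, not code from
Equifax or from the story.  The domain names are the two in the story; the
token split, TLD list and allowlist are assumptions; the vetted URLs are
constructed."""
import itertools
from urllib.parse import urlparse

LEGIT_DOMAIN = "equifaxsecurity2017.com"
# How a reader parses the name.  The fake site in the story simply swapped the
# first two tokens, which neither a spell-checker nor a hurried eye catches.
TOKENS = ["equifax", "security", "2017"]          # assumption
TLDS = ["com", "net", "org", "info"]              # assumption
# Hosts an official post may link to.  Anything else is rejected, even if it
# merely "looks right".
ALLOWLIST = frozenset({LEGIT_DOMAIN, "equifax.com"})  # assumption


def token_permutations(tokens=TOKENS, tlds=TLDS):
    """Every ordering of the tokens, joined with or without hyphens, per TLD."""
    out = set()
    for order in itertools.permutations(tokens):
        for joiner in ("", "-"):
            for tld in tlds:
                out.add(f"{joiner.join(order)}.{tld}")
    return out


def typo_variants(domain=LEGIT_DOMAIN):
    """Single-character omissions and adjacent transpositions of the label."""
    label, _, tld = domain.rpartition(".")
    out = set()
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
        if i + 1 < len(label):
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            out.add(f"{swapped}.{tld}")
    out.discard(domain)
    return out


def lookalikes(domain=LEGIT_DOMAIN, tokens=TOKENS, tlds=TLDS):
    """Candidate names to register defensively or to watch in DNS/CT logs."""
    names = token_permutations(tokens, tlds) | typo_variants(domain)
    names.discard(domain)
    return names


def host_of(url):
    """Normalised hostname, or '' if the URL has none (e.g. a bare path)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_allowed(url, allow=ALLOWLIST):
    """True only for an exact allowlisted host or a subdomain of one.
    The suffix match is anchored on a dot, so a host that merely begins
    with the legitimate name (legit.com.evil.example) is rejected."""
    host = host_of(url)
    return any(host == a or host.endswith("." + a) for a in allow)


def vet_links(urls, allow=ALLOWLIST):
    """Map each URL to True/False; the False ones must not be posted."""
    return {u: is_allowed(u, allow) for u in urls}


if __name__ == "__main__":
    print(sorted(n for n in lookalikes() if n.startswith("security")))
    print(vet_links([
        "https://www.equifaxsecurity2017.com/",
        "https://securityequifax2017.com/",            # the site in the story
        "https://equifaxsecurity2017.com.evil.example/",
    ]))
```

The allowlist check deliberately matches on the parsed hostname rather than on a substring of the URL, since the legitimate name can appear in a path or query string of any attacker-controlled site. The lookalike list is a starting point, not a complete one; homoglyph and keyboard-adjacency variants can be added the same way, but the deeper fix the fake site's headline pointed at is to host breach information on the company's own primary domain rather than a throwaway one nobody can verify.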

Previously: Equifax Data Breach Could Affect 143 Million Americans [Updated]
Are You an Equifax Breach Victim? You Could Give Up Right to Sue to Find Out
Outrage Builds after Equifax Executives Banked $2 Million Following Data Breach
Equifax CIO, CSO "Retire" in Wake of Huge Security Breach



Related Stories

Equifax Data Breach Could Affect 143 Million Americans [Updated] 55 comments

We had three Soylentils send in notice of a major breach at Equifax. The company has a web site specifically for this breach: https://www.equifaxsecurity2017.com/.

Equifax Data Breach Could Affect 143 Million Americans

Equifax, one of the big three US consumer credit reporting agencies, says that criminals exploited a web application vulnerability to gain access to "certain files":

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Is there a silver lining to this event?

Also at NYT, Ars Technica, and CNN.

Are You an Equifax Breach Victim? You Could Give Up Right to Sue to Find Out 41 comments

Visiting Equifax's site to see if you're a victim of the recent data breach can require you to waive lawsuit rights:

By all accounts, the Equifax data breach is, as we reported Thursday, "very possibly the worst leak of personal info ever." The incident affects possibly as many as 143 million people.

But if you want to find out if your data might have been exposed, you waive your right to sue the Atlanta-based company. We're not making this up. The company has now published a website allowing consumers to input the last six digits of their Social Security numbers to find out.

Like most websites, at the bottom of this new site is a section called "Terms of Use." There, in paragraph 4, is bolded, uppercase text of note. It tells site visitors that you agree to waive your right to sue and instead must "resolve all disputes by binding, individual arbitration."

AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.

https://arstechnica.com/tech-policy/2017/09/are-you-an-equifax-breach-victim-you-must-give-up-right-to-sue-to-find-out/



Outrage Builds after Equifax Executives Banked $2 Million Following Data Breach 36 comments

Submitted via IRC for SoyCow5389

The sale of nearly $2 million in corporate stock by high-level Equifax executives shortly after the company learned of a major data breach has sparked public outrage that could turn into another hurdle for the credit rating agency.

The sales all occurred before the company publicly reported the breach, a disclosure that quickly sent its stock tumbling. The timing of the sales could attract federal scrutiny, legal experts say, though proving insider trading would be difficult. A company spokeswoman said the executives did not know about the breach when they sold their shares.

“It certainly would be exactly the type of trading pattern before a high-profile event that the [Securities and Exchange Commission] would investigate,” said Brandon L. Garrett, a professor at the University of Virginia School of Law. “Even if they do not bring charges it is the type of conduct that a company should not tolerate in its executives. It sends a terrible message to the public and to customers.”

The SEC declined to comment on whether it was investigating the matter.

Source: https://www.washingtonpost.com/news/business/wp/2017/09/08/outrage-builds-after-equifax-executives-banked-2-million-in-stock-sales-following-data-breach/



Equifax CIO, CSO “Retire” in Wake of Huge Security Breach 47 comments

Submitted via IRC for SoyCow5743

On Friday, Equifax announced that two top executives would be retiring in the aftermath of the company's massive security breach that affected 143 million Americans.

According to a press release, the company said that its Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin, would be leaving the company immediately and were being replaced by internal staff. Mark Rohrwasser, who has led Equifax's international IT operations, is the company's new interim CIO. Russ Ayres, who had been a vice president for IT at Equifax, has been named as the company's new interim CSO.

The notorious breach was accomplished by exploiting a Web application vulnerability for which a fix had been released in early March 2017.

However, the company's Friday statement also noted for the first time that Equifax did not actually apply the patch to address the Apache Struts vulnerability (CVE-2017-5638) until after the breach was discovered on July 29, 2017.
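Between the March fix and the late-July discovery there was a window of several months in which exploitation attempts against the unpatched application would have been visible in front-end logs, had anyone been looking. CVE-2017-5638 is triggered through the Jakarta Multipart parser by an OGNL expression placed in the Content-Type request header, so the detection is unusually simple: a Content-Type that opens with `%{` or `${` is never legitimate, and one that also references OGNL's interpreter internals is an attack. The Python below is an added example for this page, not Equifax's code or the article's. The log lines are constructed, and the field layout (client, request line, status, `ct="..."`) is an assumption about what a reverse proxy in front of the application would record.

```python
"""Flag requests whose Content-Type header carries an OGNL expression, the
publicly documented trait of exploitation attempts against Apache Struts
CVE-2017-5638 (Jakarta Multipart parser).  Added example; not Equifax's
code or the article's.  The log lines are constructed, and the field layout
(client, request line, status, ct="...") is an assumption about what a
reverse proxy in front of the application would record."""
import re

# OGNL expressions open with "%{" or "${".  Real exploit payloads for this CVE
# also reach for the interpreter internals matched below; both together are
# high confidence, the opener alone is worth a look.
OGNL_OPEN = re.compile(r"[%$]\{")
OGNL_INTERNALS = re.compile(
    r"#_memberAccess|#context|@ognl\.OgnlContext|allowStaticMethodAccess|ProcessBuilder",
    re.IGNORECASE,
)

# Assumed proxy log format: <client> "<method> <path>" <status> ct="<content-type>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>\w+) (?P<path>\S+)" (?P<status>\d{3}) ct="(?P<ctype>[^"]*)"$'
)


def classify(ctype):
    """'exploit', 'suspicious' or 'benign' for one Content-Type value."""
    if not ctype:
        return "benign"
    opens = bool(OGNL_OPEN.search(ctype))
    internals = bool(OGNL_INTERNALS.search(ctype))
    if opens and internals:
        return "exploit"
    if opens:
        return "suspicious"
    return "benign"


def parse_line(line):
    """Dict of named fields, or None if the line does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """(client, path, verdict) for every parsable line that is not benign."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["ctype"])
        if verdict != "benign":
            hits.append((rec["src"], rec["path"], verdict))
    return hits


# Constructed sample.  The third line has the shape of the public payload's
# opening but is deliberately not a complete one.
SAMPLE_LOG = [
    '198.51.100.7 "GET /index.action" 200 ct=""',
    '198.51.100.7 "POST /upload.action" 200 ct="multipart/form-data; boundary=----x7MA4YWxk"',
    '203.0.113.5 "POST /upload.action" 200 ct="%{(#_=\'multipart/form-data\').(#_memberAccess=...)}"',
    '203.0.113.9 "POST /upload.action" 500 ct="${7*7}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Detection is not a substitute for the patch: Struts 2.3.32 and 2.5.10.1 shipped the fix in March 2017, and an inventory check of deployed Struts versions against those two numbers is the control that actually closes the hole. The log rule is what tells you, in the meantime, whether the hole is being probed, and a 200 on a request like the third sample line is exactly the signal Equifax's statement says nobody acted on until July 29.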

Source: https://arstechnica.com/tech-policy/2017/09/equifax-cio-cso-retire-in-wake-of-huge-security-breach/

Also at https://www.bleepingcomputer.com/news/security/equifax-releases-new-information-about-security-breach-as-top-execs-step-down/



  • (Score: 5, Interesting) by bob_super on Thursday September 21 2017, @10:26PM (2 children)

    by bob_super (1357) on Thursday September 21 2017, @10:26PM (#571439)

    In order to properly teach Equifax to get their house in order, the fake website should present the Equifax-leaked personal information of all the Equifax IT and executives, from the CEO down to the Webadmin.
    Those fuckers couldn't secure critical information for 143 million people. They should have to chase down every . single . place where by their own incompetence, their own personal data is now exposed. And the innocent public affected by the release should get to watch.

    There should be bad consequences for terrible behavior. That's the excuse to put black people in jail, it should apply to giant leaks.
    Nobody should get to say "oops, I guess I'll take my stocks and pension early" after decades of arguing they should be paid royally because of their immense responsibilities.

    • (Score: 2) by Thexalon on Thursday September 21 2017, @11:55PM (1 child)

      by Thexalon (636) on Thursday September 21 2017, @11:55PM (#571473)

      The CEO, of course, recently got a golden parachute out of there. He's going to let us all go down with his ship, of course.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 0) by Anonymous Coward on Thursday September 21 2017, @10:26PM (3 children)

    by Anonymous Coward on Thursday September 21 2017, @10:26PM (#571440)

    The comments of the fake website's comment applied to me as well. I thought good and hard about going to that website and entering personal information. The same could be said of numerous class action lawsuit websites, too (which may be a strategy to reduce the number of claimants).

    Regardless, though, I'm immediately reminded of PuTTY. It's such a great and versatile tool. Too bad it's hosted on one of the least official [greenend.org.uk] websites. In fact, I suspect it is the single best and industry standard program on the most suspicious location.

    I wonder why they never moved it. Anybody here know?

    • (Score: 0) by Anonymous Coward on Thursday September 21 2017, @10:56PM

      by Anonymous Coward on Thursday September 21 2017, @10:56PM (#571451)

      You needn't provide any personal information to download PuTTY. The executable is "signed using an Authenticode certificate". You do check those, right?

    • (Score: 2) by requerdanos on Thursday September 21 2017, @11:04PM

      by requerdanos (5997) Subscriber Badge on Thursday September 21 2017, @11:04PM (#571455) Journal

      PuTTY [is] hosted on one of the least official [greenend.org.uk] websites. In fact, I suspect it is the single best and industry standard program on the most suspicious location. I wonder why they never moved it. Anybody here know?

      Admittedly, I don't know, but would guess that as a Windows application intended for people who live in the Windows World, much of their target audience is of the "I don't really get that security stuff" variety, and one might wonder why go to the trouble of making a real-looking website or having signed official builds if the userbase of the program wouldn't, by and large, notice.

      There are lots of windows admins and lots of windows users that do know what's up, of course, but I wouldn't think they would make up a huge percentage of the userbase of any Windows-World software, not even this one. (Though of course this one, as a common ssh tool, should have a higher percentage of security-savvy users than other windows things, I believe that still doesn't make for an overpowering number.)

      This is rather a shame, because the situation has been exploited [securityaffairs.co] in the wild.

      Situation for Equifax is similar--the vast majority of their victims* don't know from good security. But in both cases, just because there's a large group of users or victims that doesn't know much about security doesn't mean that there are not experts who DO know about security, and doesn't absolve Equifax nor Mr. Tatham of their responsibilities in the realm thereof.

      ---
      * Equifax's users are those who have subscriptions to negative or neutral things that Equifax says about their victims; it's a different group than the one to which I refer above.

    • (Score: 3, Informative) by FatPhil on Thursday September 21 2017, @11:34PM

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday September 21 2017, @11:34PM (#571466) Homepage
      If you don't know chiark, maybe you're the ignorant one.
      You'll be telling me you've never heard of Ian Jackson next.
      "What the fuck's Debian?" I hear you cry!

      Chiark's one of the more reliable hosts on the internet - it's not rebranded, merged, or renamed itself in at least 20 years. Simon Tatham's stuff hasn't moved either, why would it - it's where it belongs, on his chiark home page?
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves