Credit reporting firm Equifax says data breach could potentially affect 143 million US consumers

Discussion in 'other security issues & news' started by ronjor, Sep 7, 2017.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    NP @jadinolf :)
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "A company spokeswoman, Ines Gutzmer, said in an email Thursday night: 'The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.'..."

    https://www.washingtonpost.com/business/technology/equifax-hack-hits-credit-histories-of-up-to-143-million-americans/2017/09/07/a4ae6f82-941a-11e7-b9bc-b2f7903bab0d_story.html?hpid=hp_rhp-top-table-main_equifax-6pm:homepage/story

    That's rich. Dunno which would be worse -- if they knew or if they didn't know.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "...Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.

    'Equifax should have multiple layers of controls so if hackers manage to break in, they can at least be stopped before they do too much damage', Ms. Litan said..."

    https://www.nytimes.com/2017/09/07/...column-region&region=top-news&WT.nav=top-news
     
  4. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Well, today I checked again and it said I was compromised. o_O

    I had two ID threat protections going at the same time. CSID, provided by South Carolina for a breach there a few years back, is the outfit owned by Experian, not Equifax as I thought previously. In any case, that protection expired. Also don't believe I gave them any personal financial account data to monitor. My second threat protection, provided by OPM, is with MyIDCare, which is an independent outfit. That one has my personal financial account data.
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "...[Equifax's] Amateur response

    ...What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat...

    Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

    https://arstechnica.com/information...ossibly-the-worst-leak-of-personal-info-ever/
     
    Last edited: Sep 8, 2017
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Ummm, BTW:

    By using www.equifaxsecurity2017.com/ to see if you have been impacted, you "agree" to a TOS under which you give up your right to sue Equifax and agree to binding arbitration: http://www.equifax.com/terms/

    Of course this is a standard clause in probably every agreement you have with a corporation, but in this context - just by using a website - it's extreme.

    With tin foil hat on for a moment, perhaps one of the goals of Equifax's "convenient", not telling everyone everything webpages, was to insulate itself from civil liability.

    The first of the class actions was filed this AM in Oregon:

    http://www.oregonlive.com/portland/index.ssf/2017/09/two_oregon_residents_file_clas.html
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This only applies if you chose to use the free ID theft service they are providing. Also I believe its scope would be limited to the service used or purchased. It would not affect your legal rights outside of this scope:
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,226
    Location:
    Texas
    Consumer Reporting Agencies

    Contact the major credit reporting agencies (credit bureaus) to request a "fraud alert" on your file. This will require creditors to call you before they open an account in your name. The three major credit reporting agencies are:

    Equifax
    P O Box 740256
    Atlanta, GA 30348
    866-349-5191

    Experian
    P O Box 4500
    Allen, TX 75013
    888-397-3742

    TransUnion
    P O Box 2000
    Chester, PA 19016
    800-680-7289
     
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Thanks @itman :)

    My Bad
     
  11. compleo

    compleo Registered Member

    Joined:
    May 3, 2016
    Posts:
    134
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Good thing some hacker doesn't create a site where you enter the last 6 digits of your social security number and last name.
    If you were issued a number before 1972, the hacker could figure out the first three, because those were issued by state.

    https://www.ssa.gov/history/ssn/geocard.html
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,226
    Location:
    Texas
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Suspect trading in Equifax options seen

    Equifax (EFX -12.9%) options are not exactly a high-volume product. In fact, in the entire month of July, just under 260 put options traded.

    So CNBC's Jon Najarian is scratching his head over activity on August 21, when someone purchased a full 2.6K September puts struck at $135. The roughly $156K investment is now worth more than $4M thanks to today's plunge in EFX's stock price..."

    https://seekingalpha.com/news/3294441-suspect-trading-equifax-options-seen
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Couldn't have said it better myself:
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Equifax Probed by New York Attorney General Over Cyber Hack...

    'The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,' Schneiderman said...

    In the wake of the breach, Equifax said it was offering its credit-monitoring service at no charge. Schneiderman took issue with language on Equifax’s website that asked those who signed up for the service waived their right to sue.

    'This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it,' Schneiderman wrote on Twitter..."

    https://www.bloomberg.com/news/arti...-by-new-york-attorney-general-over-cyber-hack
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Equifax binding-arbitration opt-out:

    "...Friday morning, after social media users began complaining about the arbitration clause, Equifax updated its terms of service to give consumers an escape hatch if they do not wish to be bound by its language.

    Here's how the opt-out provision reads:

    In order to exclude Yourself from the arbitration provision, You must notify Equifax in writing within 30 days of the date that You first accept this Agreement on the Site (for Products purchased from Equifax on the Site). …

    [You] must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration..."

    https://www.washingtonpost.com/news...breach-website/?tid=hybrid_collaborative_1_na
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,226
    Location:
    Texas
    https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
  20. compleo

    compleo Registered Member

    Joined:
    May 3, 2016
    Posts:
    134
    So Equifax will not tell anyone if they were zapped unless they agree to use "TrustedID Premier"?
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    What a head spinner. This undoubtedly even tops the OPM breach? Ugh
     
  22. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    The hackers have had the info dump for months so most of it has hit the dark web and been sold. Web requests, phone calls and snail mail are just a waste of time right now - and fruitless. Now the hack is public, the would-be fraudsters will ramp up their activities.

    The biggest threat of this hack is identity theft. These fraudsters will be taking out loans in people's names as well as maxing out credit cards and lines of credit. The only way to stop them is for the credit reporting companies to get pro-active. Leaving everything up to potential victims is a real cop out on their part. It seems to me that it would be prudent for Equifax to put a fraud alert at no charge on everybody's account until this can be sorted out.
     
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,226
    Location:
    Texas
    Very good point and I agree.
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    All three major credit reporting agencies need to do this, if not more, e.g., free credit report freezes (for those states that do not require this), simplified free temporary lifting of the freeze, extended credit monitoring.

    This catastrophe is a national security issue threatening the US economy and social order for years to come.

    For the next 50 or so years criminal proxies for half the adult population will be falsifying loans, bank accounts, credit card accounts, IRS filings to get refunds, impersonating financial and other institutions to gather more info, etc. etc. At the same time millions will have their credit ratings destroyed for varying periods of time, have funds sucked out of financial accounts, have crimes committed under their identities, etc. etc. Social Security numbers are now near worthless for identification purposes. The eventual fallout from this breach will play out in ways we have yet to imagine and will cause enormous damage. This is a financial EMP.

    Equifax, TransUnion, and Experian need to recognize this as an industry problem and step up and do whatever it takes to limit the damage.
     
    Last edited: Sep 8, 2017
  25. compleo

    compleo Registered Member

    Joined:
    May 3, 2016
    Posts:
    134
    To my knowledge the 1st 90 days are a freebie, with the option to upgrade.

    Equifax's requirement that affected customers sign up for arbitration also drew a backlash. Democrats in the House and Senate called on the company to pull back its requirement that anyone who signs up for credit monitoring give up their right to sue Equifax in a class-action lawsuit.
     