Equifax Security Breach Is A Complete Disaster… And Will Almost Certainly Get Worse

from the hang-on... dept

Okay, chances are you’ve already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven’t, you need to pay more attention to the news. I won’t get into all the details of what happened here, but I want to follow a few threads:

First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it’s not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was…) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it’s set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user — “Edelman” — the name of a big PR firm.

Not surprisingly, it didn’t take long for various security tools to warn that the site wasn’t safe.

And, when Equifax pushed people to its own “TrustedID” program to supposedly check to see if you were a victim of its own failures… it just started telling everyone yes no matter what info they put in:

So, yeah, what the hell did Equifax do during those six weeks it had to prepare? Oh, well, a few of its top execs used the delay to sell off stock, which may put them in even more hot water (of the criminal variety). Also, just days before it revealed the breach, and long after it knew of it, the company was talking up how admired its CEO is. This is literally the last tweet from Equifax prior to tweeting about the breach (screenshotted, because who knows how long it’ll last):

I can’t see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well. Beyond the possible insider trading above, there’s already scrutiny on its corporate VP and Chief Legal Officer, John J. Kelley, who made $2.8 million last year and runs the company’s “security, compliance, and privacy” efforts.

And despite six weeks to prepare for this, the following was Equifax’s non-apology:

We apologize to our consumers and business customers for the concern and frustration this causes.

That’s a classic non-apology. It’s not apologizing for its own actions. It’s not apologizing for the total mess it’s created. It’s just apologizing if you’re “concerned and frustrated.”

Oh, and did we mention that the very morning of the day that Equifax announced the breach, it tweeted out about a newsletter it published about how “safeguarding valuable customer data is critical.” Really (again, screenshotted in case this disappears):

What the fuck, Equifax? Should we even mention that Equifax has been a key lobbying force against data breach bills? Those bills have some problems… but, really, it’s not a good look following all of this.

And while there was some concern that signing up to check to see if you were a victim (again: look, you probably were…) would force you out of being a part of any class action lawsuit, that’s since been “clarified” to not apply to any class action lawsuits over the breach. And you better believe that the company is going to be facing one heck of a class action lawsuit (a bunch are being filed, but they’ll likely be consolidated).

That’s all background of course. What I really wanted to discuss is how this will almost certainly get worse before it gets better. More than twelve years ago, I wrote that every major data breach is later revealed to be worse than initially reported on. This has held true for years and years. The initial analysis almost always underplays how serious the leak is or how much data is leaked. Stay tuned, because there’s a very high likelihood we’ll find out that either more people were impacted or that more sensitive information is out there.

And that should be a major concern, because what we already know here is stunning. As Michael Hiltzik at the LA Times noted, this is the mother lode of data if you want to commit all sorts of fraud:

The data now at large includes names, Social Security numbers, birthdates, addresses and driver?s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person?s name.

In some cases, Equifax says, the security questions and answers used on some websites to verify users? identity may also have been exposed. Having that information in hand would allow hackers to change their targets? passwords and other account settings.

Other data breaches may have been bigger in terms of total accounts impacted, but it’s hard to see how any data breach could have been this damaging. For over a decade, we’ve pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency. In fact, back in 2005, we wrote about Equifax itself saying that it was “unconstitutional and un-American” to let people know what kind of information Equifax had on them. The amount of data that Equifax and the other credit bureaus hold is staggering — and as this event shows, they don’t seem to have much of a clue about how to actually secure it.

At some point, we need to rethink why we’ve given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can’t opt-out. They collect most of their data without us knowing and in secret. You can’t avoid them. And now we know that at least one of them doesn’t know how to secure that data.

Filed Under: , , , ,
Companies: equifax

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Equifax Security Breach Is A Complete Disaster… And Will Almost Certainly Get Worse”

Subscribe: RSS Leave a comment
90 Comments
Anonymous Coward says:

Their solution is a sales trick

Their “free credit monitoring” is only for a year and you have to pay for it after that. The data taken however will still be out there and most likely being actively used against you, for the rest of your life. That sure seems fair recompense to me…. No wait, it seems like that is exactly why the top peoples first reaction was to sell stock.

Sasparilla says:

Re: Their solution is a sales trick

The classic part of all this (confirming your theory) is that the Equifax web site is returning random results for the same users – this whole thing was just an opportunity for them:

https://yro.slashdot.org/story/17/09/10/0128214/techcrunch-equifax-hack-checking-web-site-is-returning-random-results

Paul Brinker (profile) says:

Its all about lawsuit prevention

Its funny, but the very act of looking up if your a victim appears to wave your right to trial by court and requires you to go to mandatory arbitration.

Not sure a judge is going to accept this but its really ugly in terms of legal protections.

It gets better, if your a customer you’ve already signed away your rights, and if you agree to the free credit monitoring, you agree to arbitration as well.

The only good thing is that this also falls under the fair credit reporting act, so that act may override arbitration, but no one actully knows for sure.

Mike Masnick (profile) says:

Re: Its all about lawsuit prevention

Its funny, but the very act of looking up if your a victim appears to wave your right to trial by court and requires you to go to mandatory arbitration.

As mentioned in the post, this isn’t actually true. 1. the terms actually only say the arb clause applies to the monitoring service, not the rest of Equifax and 2. the company explicitly has said it doesn’t apply to this breach.

I know this claim went viral today and got covered in lots of places, but it’s simply not true.

Anonymous Coward says:

Re: Re: Re: Its all about lawsuit prevention

The information has been verified by media and at least one AG getting comments from Equifax:

“The TOS doesn’t cover the cybersecurity incident”

The TOS is thus irrelevant in this case and btw. would only be eforceable for TrustedID-users who signed up for the premium service.

Anonymous Coward says:

Re: Its all about lawsuit prevention

There are already several class actions being initiated in the context of breach of contract, insider trading and negligence of duties. I think there is enough to at least give some unwanted disclosures and enough scathering critique to force political actions.

Equifax is looking at enough legal/judicial scrutiny to need consideration of if they can keep afloat economically.

Anonymous Coward says:

Down Under done over too

Aussies are also affected, but hey the excuses are top notch. Well Veda has only changed ownership and names recently so credit data wouldn’t have been sent to the USA just yet, well maybe not.

Despite Equifax tweeting its assurances that there is no evidence yet its Australian customers are affected, cybersecurity expert Mark Gregory from RMIT said Australians should urgently check their credit records.
“We should probably assume at this point that the data has not been integrated between the countries, but that’s not to say that there hasn’t been some data integration,” he said.

http://www.abc.net.au/news/2017-09-08/smiley-credit-check-australians-financial-information-at-risk/8887198

illuminaut (profile) says:

The problem isn’t just equifax, it’s that identity theft is nearly impossible to fully recover from. One year of free monitoring is an absolute joke. We need to be able to get new SSN numbers in the case of identity theft. Every identifying piece that’s permanent is an absolute nightmare when breached, it’s the same reason why biometric passwords are a terrible idea.

AEIO_ (profile) says:

Re: Re:

"it’s that identity theft is nearly impossible to fully recover from."

No no, you’re not thinking about it right. It’s actually an opportunity in disguise. Once someone grabs your identity, you complain and then YOU go and buy all kinds of stuff as yourself and then blame THEM.

Oh, that high-end computer, that 666" TV, that gold-plated XBox? I Didn’t Do It, Nobody Saw Me Do It, There’s No Way You Can Prove Anything!.

Anonymous Coward says:

Re: Problem isn't just Equifax

.

<> ” At some point, we need to rethink why we’ve given {Federal/state/local Government} so much power over so much of our everyday lives. You can’t opt-out. They collect most of their data without us knowing and in secret. “

____

Your American Government is ten times worse than Equifax.

At least Equifax will suffer severe financial consequences for its malicious actions and incompetence — government politicians and bureaucrats need not worry about such outcomes.

Also, SSAN as de facto national ID # is entirely the severe fault of the Federal Government. SSAN’s should be abolished, but the Fed’s luv them for tracking & controlling the citizens.

Anonymous Coward says:

Re: Re:

We need to be able to get new SSN numbers in the case of identity theft.

There simply aren’t enough numbers to reassign them all after a breach this large.
SSNs are only 9 digits, and share space with ITINs.

If we’re going to replace SSNs, we’d best re-think the whole idea of using the same static number to identify ourselves everywhere. There are some countries where it’s illegal to use government ID numbers for non-official purposes (for example, in Ontario, Canada, it’s illegal to store a health card number for non-medical purposes; or for the SSN-equivalent "SIN", "Unless an organization can demonstrate that the reason it is requesting an individual’s SIN is specifically permitted by law, or that no alternative identifiers would suffice to complete the transaction, it cannot deny or refuse a product or service on the grounds of a refusal to provide a SIN").

Anonymous Coward says:

Re: Re: Re:

It’s actually illegal to use your SSN for anything but taxes and social security but they’re used everywhere anyway without consequence. There’s absolutely no reason an insurance company needs your SSN, for example, and you can register for insurance without it but good luck if you try… The agents will probably have no idea how to go about that if they even admit such a thing is possible.

Anonymous Coward says:

Re: Re: Re: Re:

If you pulled this "trick" anywhere else, you’d be in prison.

Not really. You can do it with real estate (a reverse mortgage). You can do it with most small/medium sized items (at pawn shops or similar). And there’s no laws preventing you from doing it with other things, just a general lack of organized groups/people offering to be the counter-party.

simonides (profile) says:

Re: Re: Re: Short selling? What about naked short selling?

I’m not convinced that short selling should be illegal, just limited, if I understand this right. A short seller has to borrow shares of the company and pay interest while waiting for the stock to fall. What strikes me as worthy of outlawing is “naked short selling,” because that allows someone to sell shares that he or she does not own and does not have to borrow. If (as if) enough investors refused to make their shares available for others to borrow, short selling would be a minor problem, and maybe sometimes a useful market device. But there are no limits to naked short selling, and to its ability to irrationally drive down as company’s share price until the company dies.

Anonymous Coward says:

Re: Re: Re:2 Short selling? What about naked short selling?

There is certainly a point in allowing stock holders to allow or disallow shorting as well as the shorted stock should not remain in the owners portfolio.

But I would be even more careful in regards to free flowing options, since they are a derivative of the stock-market and even more so derivatives of the derivative markets like vix and xiv. Btw. ETFs and indexes are also derivatives…

Shorting a stock can be fixed so that the effects are minimally disruptive, but the option market needs a collateral to provide security and an infinite volume derivative can never act as such.

Anonymous Coward says:

People v.

You know when you hear of a lawsuit and it’s referred to as "People v. Such-and-such"? This will probably be the first time People actually does mean everyone!

And also,

We apologize to our consumers and business customers for the concern and frustration this causes.

is a great example of such statements usually released by companies after these events.
No admission of guilt, though, fair enough, any good lawyer wouldn’t let that one pass.

But then they’re basically saying "We see you’re feeling concerned and frustrated over something, though we can’t imagine why, but we’re so empathetic we feel and share your pain."
No you don’t, no that’s not why you should be sorry, and NO NO NO the onus for our distress isn’t on us, it’s on you!

So commiserate all you want, but fuck off with empty gestures after such a colossal fuck-up!

That’s the kind of statement that would be inappropriate when you get my McD order wrong, so learn that, because it may serve you well in a not so distant future.

simonides (profile) says:

Re: That apology

Actually, Anonymous Coward, that apology really is an apology for what they allowed to happen. But only to the extent that “this” caused “concern and frustration,” which minimizes the actual damage that could, and probably will, happen to some people. The apology is soothing, but not too far from “we apologize for the fact that our security inadequacies has sent you crybabies into hysterics, whining to rapacious law firms, you bastards.”

SirWired (profile) says:

Typical, the banks are protected and we aren't

It’s important to note that nearly all of the information compromised was information about citizens (most of which aren’t in there by choice), and it’s the exact information used to commit ID theft.

But info that would let you steal money from banks directly? (Like credit card account numbers?) That’s locked down just fine, except for a “measly” 200k-ish accounts.

Note to Equifax: The fact that my account numbers likely aren’t public does not help me feel better. I’ve had a credit card used fraudulently four times not, and at no time was it anything but a minor inconvenience. My most vital identifying data is most certainly quite a bit more important.

JoeDetroit (profile) says:

Holy Crap

Of course I read the first article on this which provides a link to the Equifax site “…to see if your data was compromised…” I click the link, follow the instructions & say to my wife “my data was part of the hack!”. Then I continue to read articles on this & tell her “no, it looks like they ALL people are getting referred to the data monitoring site”.

Now this morning I read this posting & find that the site for checking of I’m a victim (which it doesn’t) was not secure! These people monitor our credit! They hold all the cards & see all of our’s as well! These people CAN’T make mistakes like this! It’s inconceivable!

The clowns that run this outfit are too busy counting their money to do any kind of a decent job. Time to take their money back & fire them. They are not competent enough to be cashiers at Walmart.

Anonymous Coward says:

Re: Holy Crap

Trust me: Equifax is not the least secure handler of information and their handling is not the most amateurish we will see.

Data security is a black hole you can never fill with money. The answer for many indebted companies is to prioritize other issues.

EFX is screwed because the CEO and directors has kept digging with their advertising of security, trading on some potential insider knowledge and general lack of understanding about what has occured.

SirWired (profile) says:

On another note, my ID info has been stolen three times now

Just to demonstrate the pathetic inadequacy of protection of our most vital information, this will be the 3rd time my Name, DOB, Address, and SSN have been stolen.

I’ve been hit with OPM, Anthem, and now this; I might as well put that information at the bottom of my e-mail signature at this point.

I know that at least the last four digits of my SSN, along with a ccard acct. number were used to steal one of my credit cards last year in a fascinating social engineering attack. (Used the telephone account access system to authenticate with a Cap One CSR to change my e-mail address. They then used the new e-mail to answer “yes” when e-mailed an alert about a huge obviously-fraudulent charge they were trying to make.)

Anonymous Coward says:

Re: On another note, my ID info has been stolen three times now

Just to demonstrate the pathetic inadequacy of protection of our most vital information, this will be the 3rd time my Name, DOB, Address, and SSN have been stolen.

Good news! It hasn’t been stolen, just illegally copied. Equifax never lost access to the data—it’s still sitting on their servers, ready for future criminals to copy again.

Test (profile) says:

Diversity ftw!

I don’t understand why you’re all such Equifax haters. They’ve got diversity, which everyone knows is our strength.

In fact, their chief information security officer is a woman with a bachelor’s AND a master’s in music composition. https://www.boardroominsiders.com/executive-profiles/1006308/Equifax,-Inc./Susan-Mauldin

Thank Gaia the company didn’t hire a white man with a background in computer security. I can’t imagine how bad the breach would have been then.

SirWired (profile) says:

Re: Fail. (On your part)

If you look at her previous jobs, she’s worked in security for years (her previous job was the same role at another company.) I am 100% sure that at the time she was in college, there wasn’t any sort of degree one could get in computer security.

Many of the best hackers I know don’t have degrees that have anything whatsoever to do with computing; it’s not unusual at all.

I’m not saying she’s good at her job, just that the information you posted would not give you any useful information on if somebody was a “diversity hire” or not. (Certainly there are plenty of “white men with a background in computer security” that are also complete failures at similar jobs.)

Anonymous Coward says:

Re: Re: Fail. (On your part)

Fail on both of your parts.

I have met more than enough “Experienced Security Professionals” that are only capable of regurgitating something a magazine told them. More than 50% of all Companies and their Security/Compliance teams do not fundamentally understand security.

I would not trust any “experienced” professional in IT for shit, there are just too many fucking idiots that only know enough to get by.

For example… how long has this been around?
https://xkcd.com/936/

Only recently has NIST updated their password recomendations.

Additionally, most companies still use the old “security theater” method of password security.

adding rules that enforce complexity only REDUCE the actual security of the password because complexity rules only lets hackers know which combinations of passwords they don’t have to try for. This reduces the permutation strength by at least an order of magnitude per complexity requirement rule added to the password. 1 rule = one order of magnitude weaker password, 2 rules, that is 2 orders of magnitude weaker password, 3 rules… you get the idea!

That password policy is just the tip of that iceberg. I have seen organizations present numerous security requirements for users while almost completely reducing them for executives and upper management, even upper level IT come with far fewer security requirements.

I even watch as companies do stupid shit like prevent build in copy paste and screen capture tools. They only reduce productivity and hackers still get the shit they want with no additional effort. Yes, I have heard that this to also prevent theft by employee…. I have yet to see it stop any form of breach. The number of cases I had to deal with each year in corporate espionage was not impacted one iota by the fucking security theater approaches to keeping company assets safe.

Breaches like this, let me tell you, almost every company in the US has already had a similar breach and almost 1/2 of those are not even aware of a current or a past breach.

it is seriously THAT BAD!

Anonymous Coward says:

Re: Re: Re: Fail. (On your part)

And you fail for your flawed security thinking. Without password complexity rules, the majority of users will default to creating passwords like ‘Password123″. I don’t care if you have zero complexity rules, that password will be cracked/guessed in seconds because it is so easy and is susceptible to a regular dictionary attack.

It doesn’t matter that hackers know what kind of complexity rules they can ignore, a password like ‘;324k5@#$%-098awle5i398$%43klj454$$#’ is going to be far more secure even with complexity rules than ‘Password123’. Forcing more complexity rules on users so their passwords end up looking more like the former is always a good thing, not bad.

Anonymous Coward says:

Re: Re: Re:3 Fail. (On your part)

Agreed, but has no relation to my point. You can construct an easy to remember password(or passphrase) that is also complex and doesn’t need to be written down. The example I used above is intentionally hard to remember only to highlight the difference between a good and bad password.

Case in point, 1HBw0tRr8%, uses the first letter of each word in the phrase “I have been working on the railroad” with some letters swapped out for their l33t equivalents and a number and symbol added to the end for increased complexity. I should be able to reasonably remember that password without writing it down, while meeting common complexity requirements and it will be vastly more secure than Password123.

Additionally, password managers make your argument moot.

Cowardly Lion says:

Re: Re: Re:4 Fail. (On your part)

Just to pour some petrol on the fire…

https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

The real world problem with "1HBw0tRr8%" is that you’ll need to change it to something quite different say every 30 days, for x number of accounts, x being (in my case) quite large. So to avoid getting continuously locked out, you’ll adopt some kind of pattern, an aide-memoire if you will. Unfortunately these patterns are pure gravy to people whose business it is to pry open accounts.

Using a password manager is often forbidden by OpSec/InfoSec people as it puts all the crown jewels all one place.

Uriel-238 (profile) says:

Re: Re: Re:5 Fail. (On your part)

The problem with difficult-to-remember passwords is that they get written down somewhere.

That’s the point of the (encrypted) password manager is that a worker has to remember only ONE pile of gibberish (and not write it down) and the rest get remembered, assuming proper security hygiene (e.g. don’t let someone shoulder surf while you’re typing)

I had assumed that Equifax’s sin was the same as government agencies — not taking computer security seriously enough — but it sounds like they still think they’re in the early nineties and don’t keep up on the state-of-the-art protocols.

Like the ones that suggest the worse vulnerabilities are between chair and keyboard.

Well, hackers do.

And they’ve got lists and lists of BCAK exploits.

Anonymous Coward says:

Re: Re: Fail. (On your part)

Many of the best hackers I know don’t have degrees that have anything whatsoever to do with computing; it’s not unusual at all.

Many of the best doctors I know don’t have degrees that have anything whatsoever to do with medicine, or a degree at all; They just supply me drugs.

Anonymous Coward says:

Re: Re: Fail. (On your part)

I am 100% sure that at the time she was in college, there wasn’t any sort of degree one could get in computer security.

I’m pretty sure there were degrees in things like computer science. And if she’s so good at it now, maybe she should go back to school for an appropriate degree. She should be able to dance right through, right?

JoeCool (profile) says:

Re: Re: Re: Fail. (On your part)

Computer science, or even better, Electrical Engineering where you learn not only how to program, but how computers work in the first place. The biggest problem I have with most CS degree plans I’ve seen is a lack of fundamentals in hardware… many CS degrees don’t even require boolean math! I’ve asked programmers with an MS in CS to make a state machine, and they give me a blank stare… to which I give back a horrified stare.

Groaker (profile) says:

Re: Re: Re: Fail. (On your part)

Having been a paid programmer in ’65, I believe that degrees in computer science were a rarity back then, if they existed at all. I can recall a bull session laughing at some University that was offering the start of a degree program. and we all laughed about the ridiculousness of it.

Oh how things have changed.

Anonymous Anonymous Coward (profile) says:

Re: Re: Fail. (On your part)

In my experience, when interviewing job candidates, I tend to ignore degrees. I do care what you know, but I care more about what you can do. I have fired many people with the right degrees who could do nothing.

In this case, it is obvious that security was not important to the company. What we don’t know is the reason why. It could be cost, it could be technical difficulty, it could be a lack of ability. It could be something else or a combination of several factors.

We do know part of the end result. Many years of horrible experiences for many many people, and likely a financial industry with zero interest in making things easier/better for those people. Those people probably include some/many of us.

Anonymous Coward (profile) says:

Re: Re: Diversity ftw!

I’d tell you what I’m trying to say, but I wouldn’t want to mansplain to you. Instead I’ll just leave this here:

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed
https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed

I’m sure she’s super-duper competent at computer security and stuff, despite her music composition degrees. If only she had a fourth month to secure her systems after she learned of the first breach.

Truly says:

Re: Diversity ftw!

You are absolutely right! And if a bad white computer scientist had been in charge, she would have had more time for the important things, like golf and gardening! Better still, let’s outsource the data to Pakistan, just like insurers have been allowed and encouraged to do with all of our medical records. Pakistan is a high security place where breaches will never occur!

PaulT (profile) says:

Re: Diversity ftw!

Strange how you’d point to her degrees rather than the industry experience she gained afterwards as the sum total of her knowledge on the subject. Did you think she went straight from college to be CISO of a major company with nothing in between? I also wonder how many of the white male officers at other companies with major security breaches recently you’ve been examining to poke holes in their education – I’m going to presume zero.

Let me guess – you’re a white guy with a CS degree but no industry experience, and you’ve decided that it’s “diversity” that’s making it difficult to get that sweet job you saw a black women with the same qualifications get a while back, and not your shitty attitude, zero industry knowledge and entitlement complex?

Anonymous Coward says:

Re: Silver Linings

Why on earth would they limit themselves to committing one fraud when the penalty is exactly the same for doing it 143 million times. We live in a computerized society where an intelligent criminal is able to automate their crimes and steal hundreds of dollars from a good percentage of the people they now can control. That would be over 1 million people even if they have only a 1 percent success rate. Are you feeling better about your data now? Try back in a decade when you have multiple cars, boats, personal loans and credit cards in your name, yet no job or savings to even keep your cell phone active.

Anonymous Coward says:

Re: Re: Silver Linings

Self-limiting to exactly one fraud is indeed unlikely, but with the scale involved here, we may actually find ourselves with a shortage of fraud because the fraudsters just can’t spare enough time to victimize everyone and/or find enough stuff they want. There’s only so many millions of dollars of stuff you can fraudulently obtain before there’s no point in going further, so at some point, the fraudsters may just give up and retire to enjoy their ill-gotten gains.

Anonymous Coward says:

Just a reminder where these people get their ideas and how they morphed

http://time.com/3961676/history-credit-scores/

A brief history of the fist credit reporting agency and how it changed into the monstrosities we have today.

The will probably get off with a slap on the wrist but it’s gonna be a shit storm of outrage for quite a while I was watching the PBS newshour last night and both the presenter and the expert guest started the segment stating they had both been affected and the last word on the subject was that signing up for the monitoring abrogated to right to sue..

Now the NewsHour is mostly viewed by the over 65 but they have middle aged children that they will likely call in a panic either for themselves or for them and you can bet there are going to be a lot of eyes on this for a long time.

So It’s got that going for it, which is nice.

Truly says:

Re: Just a reminder where these people get their ideas and how they morphed

Let’s see: Each of 143 million people suffer about $100,000 lifetime damages, and strain, drain, and worry about the hack. Before attorney fees, that’s 14,300,000,000,000 in total damages.

That $14 trillion should just about put Equifax where it belongs: out of business.

Bt Garner (profile) says:

Re: Re:

Fry and Laurie had it right: Its not identity theft, I still have my identity. The company that extended the credit (et al) is the one that did not authenticate that the buyer was who they claimed to be. So, why am I getting dragged into this when I had nothing to do with it?

Though I do wonder, how many persons will now try to purchase things as themselves and claim identity theft…

Anonymous Coward says:

Re: Re: Re:

Fry and Laurie had it right: Its not identity theft, I still have my identity.

Also see Ross Anderson’s description of this false narrative:

Now back when I worked in banking, if someone went to Barclays, pretended to be me, borrowed £10,000 and legged it, that was “impersonation”, and it was the bank’s money that had been stolen, not my identity. How did things change? … [Now,] those impersonated are treated as targets, when the targets are actually those banks on whom the impersonation is practised. This is a precursor to refusing bank customers a “remedy” for “their loss” because “they failed to protect themselves.”

Anonymous Coward says:

“You can’t opt-out. They collect most of their data without us knowing and in secret. You can’t avoid them.”

Given this the execs should pay a high price for their incompetence such as jail time. I’m not even bringing up the fact that they cashed out before revealing the damage. No accountability from any corps mishandling our info.

Anonymous Coward says:

I’m still waiting for the consequences of the Anthem hack to, um, Anthem. I don’t believe they’ve even been fined over the last one and that was a breach where the hackers got the key to decrypt the data, if I remember correctly. Heck, it might not even have been encrypted. I’m too lazy to double-check it.

Like the guy above, my information has now been jacked 3-times that I know of. That doesn’t include more minor hacks like linkedin, yahoo, and the one’s I’ve never heard about. It may as well be public at this point.

One of the more egregious things I’ve heard about, it’s not a hack, was ADP selling salary information that they got from processing you checks. This kind of thing should have been illegal from the start. Seriously, you process the check, and get to sell the information….

And this is where we dropped the ball. These big giant collectives of personal data needed to be stopped a long time ago. If you want to have it, fine, if it gets out people go to jail and companies get wrecked. If you want to take the risk you take the punishment.

But, don’t worry, Jeffrey’s on the job, oh wait, he’s busy getting police tanks and bazooka’s, while the public gets reamed by these kind of crimes.

ECA (profile) says:

Yaaa-Hooo

Thinking of what this can cause..
If they would break into the OTHER 2 agencies..

Any info they could give out would be subject to Scrutiny..
And need to be Validated..

So, that the 3 agencies responsible for ANY credit you get, would be GONE..
THEN, either the bank HAS to listen to you, or NOT..if NOT, they still need to figure out WHO they can give money to..
HONESTY unchecked??

Anonymous Coward says:

"In trouble"

I can’t see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well.

You’re implying that Smith is in trouble. He was making 12 million dollars per year, and very likely has an indemnity agreement such that Equifax will pay any legal costs arising from his work. Even if fired, he won’t be in the poorhouse anytime soon. There are 143 million people in more trouble than him.

AnonBob says:

Walter Tangoe Foxtrot

First off, if memory serves an Equifax executive was caught selling the entire database years ago and got a slap on the wrist. This is nothing new. The entire executive board at all 3 major credit ratings companies are all criminals and ought to be thrown in the slammer for the rest of their lives. That’s too harsh? Then break em’ up. A local credit ratings agency is more than capable of reporting on local loans.

It’s amazing the lengths companies will go to, collecting information on everyone they can, in order to secure a loan. Next they’ll start telling us how to live our lives. Although I do think most people are coming to the realization if they ever want to get anywhere they need to decide what they’re willing to put up with and work hard at not putting up with it.

AEIO_ (profile) says:

Re: Re:

Oh the government values your data and privacy; that’s why they want "just":

  • all of your phone metadata,
  • electronic payments that allows for accidental instant tracking,
  • US Post Office photo-scanning Every Single Letter and package, and
  • forced banking reports on any deposits over $10K (and SOMEONE watches for multiple in-a-row lower-cost deposits)

The Government Cares all about you and wants to know =everything= there is to know about their precious constituency.

"All the better to guard you with, my dear." — Grandma from the Little Red Riding Hood.

Anonymous Coward says:

Look at the good side of this

With virtually every adult identity in the US compromised:
– Who will be able to pass a security check for a job working with DOD classified data, for a job with the FBI or CIA or NSA or DHS?
– Who will pass a background check for these crooked web sites who claim to verify people for jobs, dates, contracting and so on?
– Who will pass an HR background check for any professional or skilled job?

Congratulations, we’re all criminals now. As Mike said, this is going to get much bigger.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...