Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

from the hang-on... dept

Okay, chances are you've already heard about the massive security breach at Equifax, which leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did with that time. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain that wasn't under equifax.com, and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it was set up in a nearly identical manner to a typical phishing site: an unfamiliar domain, nothing verifiable tying it to the company it claimed to speak for, and a form asking for exactly the data a phisher wants. Oh, and it also exposed that the site had only one user account -- "Edelman" -- the name of a big PR firm.

Not surprisingly, it didn't take long for various security tools to warn that the site wasn't safe.

And when Equifax pushed people to its own "TrustedID" program to supposedly check whether you were a victim of its own failures... it just started telling everyone yes, no matter what info they put in.

So, yeah, what the hell did Equifax do during those six weeks it had to prepare? Oh, well, a few of its top execs used the delay to sell off stock, which may put them in even more hot water (of the criminal variety). Also, just days before it revealed the breach, and long after it knew of it, the company was talking up how admired its CEO is. This is literally the last tweet from Equifax prior to tweeting about the breach (screenshotted, because who knows how long it'll last):

I can't see any scenario under which Smith, the CEO, keeps his job. And it seems likely that many other execs are going to be in trouble as well. Beyond the possible insider trading above, there's already scrutiny on its corporate VP and Chief Legal Officer, John J. Kelley, who made $2.8 million last year and runs the company's "security, compliance, and privacy" efforts.

And despite six weeks to prepare for this, the following was Equifax's non-apology:

We apologize to our consumers and business customers for the concern and frustration this causes.

That's a classic non-apology. It doesn't apologize for the company's own actions, or for the total mess it has created. It only apologizes for the fact that you're "concerned and frustrated."

Oh, and did we mention that the very morning of the day that Equifax announced the breach, it tweeted out about a newsletter it published about how "safeguarding valuable customer data is critical." Really (again, screenshotted in case this disappears):

What the fuck, Equifax? Should we even mention that Equifax has been a key lobbying force against data breach bills? Those bills have some problems... but, really, it's not a good look following all of this.

And while there was some concern that signing up to check whether you were a victim (again: look, you probably were...) would force you out of any class action lawsuit, that's since been "clarified" to not apply to any class action lawsuits over the breach. And you better believe the company is going to face one heck of a class action lawsuit (a bunch are being filed, but they'll likely be consolidated).

That's all background, of course. What I really wanted to discuss is how this will almost certainly get worse before it gets better. More than twelve years ago, I wrote that every major data breach is later revealed to be worse than initially reported. This has held true for years and years. The initial analysis almost always underplays how serious the leak is or how much data was leaked. Stay tuned, because there's a very high likelihood we'll find out that either more people were impacted or that more sensitive information is out there.

And that should be a major concern, because what we already know here is stunning. As Michael Hiltzik at the LA Times noted, this is the mother lode of data if you want to commit all sorts of fraud:

The data now at large includes names, Social Security numbers, birthdates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name.

In some cases, Equifax says, the security questions and answers used on some websites to verify users’ identity may also have been exposed. Having that information in hand would allow hackers to change their targets’ passwords and other account settings.

Other data breaches may have been bigger in terms of total accounts impacted, but it's hard to see how any data breach could have been this damaging. For over a decade, we've pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency. In fact, back in 2005, we wrote about Equifax itself saying that it was "unconstitutional and un-American" to let people know what kind of information Equifax had on them. The amount of data that Equifax and the other credit bureaus hold is staggering -- and as this event shows, they don't seem to have much of a clue about how to actually secure it.

At some point, we need to rethink why we've given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can't opt-out. They collect most of their data without us knowing and in secret. You can't avoid them. And now we know that at least one of them doesn't know how to secure that data.


Reader Comments



  • Anonymous Coward, 8 Sep 2017 @ 8:36pm

    Their solution is a sales trick

    Their "free credit monitoring" is only for a year and you have to pay for it after that. The data taken, however, will still be out there and most likely being actively used against you for the rest of your life. That sure seems fair recompense to me.... No wait, it seems like that is exactly why the top people's first reaction was to sell stock.

  • Paul Brinker, 8 Sep 2017 @ 8:50pm

    It's all about lawsuit prevention

    It's funny, but the very act of looking up if you're a victim appears to waive your right to trial by court and requires you to go to mandatory arbitration.

    Not sure a judge is going to accept this, but it's really ugly in terms of legal protections.

    It gets better: if you're a customer you've already signed away your rights, and if you agree to the free credit monitoring, you agree to arbitration as well.

    The only good thing is that this also falls under the Fair Credit Reporting Act, so that act may override arbitration, but no one actually knows for sure.

    • Mike Masnick (profile), 8 Sep 2017 @ 9:10pm

      Re: It's all about lawsuit prevention

      It's funny, but the very act of looking up if you're a victim appears to waive your right to trial by court and requires you to go to mandatory arbitration.

      As mentioned in the post, this isn't actually true. 1. The terms actually only say the arb clause applies to the monitoring service, not the rest of Equifax, and 2. the company explicitly has said it doesn't apply to this breach.

      I know this claim went viral today and got covered in lots of places, but it's simply not true.

      • alternatives(), 9 Sep 2017 @ 2:39am

        Re: Re: It's all about lawsuit prevention

        I know this claim went viral today and got covered in lots of places, but it's simply not true.

        No, the claim WAS true. They have changed the TOS.

        • Anonymous Coward, 9 Sep 2017 @ 3:59am

          Re: Re: Re: It's all about lawsuit prevention

          The information has been verified by media and at least one AG getting comments from Equifax:

          "The TOS doesn't cover the cybersecurity incident"

          The TOS is thus irrelevant in this case and, by the way, would only be enforceable for TrustedID users who signed up for the premium service.

    • Anonymous Coward, 9 Sep 2017 @ 3:17am

      Re: It's all about lawsuit prevention

      There are already several class actions being initiated in the context of breach of contract, insider trading and negligence of duties. I think there is enough to at least give some unwanted disclosures and enough scathing critique to force political action.

      Equifax is looking at enough legal/judicial scrutiny to need to consider whether it can keep afloat economically.

  • utopia, 8 Sep 2017 @ 9:40pm

    lawsuit prevention

    Looks like all adult Americans are affected by this leak. It will be hard to find a judge and jurors who are not directly affected, or whose direct families are not among the victims.
    Does it mean Equifax and their executives cannot be sued?

    • AEIO_ (profile), 8 Sep 2017 @ 10:19pm

      Re: lawsuit prevention

      I'm sure we can find a dozen Equifax employees who have direct access to the data that have accidentally(!) removed their own information. Typos happen.

      After all, who else could be so impartial?

  • Anonymous Coward, 8 Sep 2017 @ 11:44pm

    Down Under done over too

    Aussies are also affected, but hey, the excuses are top notch. Well, Veda has only changed ownership and names recently, so credit data wouldn't have been sent to the USA just yet... well, maybe not.

    Despite Equifax tweeting its assurances that there is no evidence yet its Australian customers are affected, cybersecurity expert Mark Gregory from RMIT said Australians should urgently check their credit records.
    "We should probably assume at this point that the data has not been integrated between the countries, but that's not to say that there hasn't been some data integration," he said.

    http://www.abc.net.au/news/2017-09-08/smiley-credit-check-australians-financial-information-at-risk/8887198

  • illuminaut (profile), 8 Sep 2017 @ 11:50pm

    The problem isn't just Equifax, it's that identity theft is nearly impossible to fully recover from. One year of free monitoring is an absolute joke. We need to be able to get new SSN numbers in the case of identity theft. Every identifying piece that's permanent is an absolute nightmare when breached; it's the same reason why biometric passwords are a terrible idea.

    • AEIO_ (profile), 9 Sep 2017 @ 2:51am

      Re:

      "it's that identity theft is nearly impossible to fully recover from."

      No no, you're not thinking about it right. It's actually an opportunity in disguise. Once someone grabs your identity, you complain and then YOU go and buy all kinds of stuff as yourself and then blame THEM.

      Oh, that high-end computer, that 666" TV, that gold-plated XBox? I Didn't Do It, Nobody Saw Me Do It, There's No Way You Can Prove Anything!

    • Anonymous Coward, 9 Sep 2017 @ 6:43am

      Re: Problem isn't just Equifax

      "At some point, we need to rethink why we've given {Federal/state/local Government} so much power over so much of our everyday lives. You can't opt-out. They collect most of their data without us knowing and in secret."

      Your American Government is ten times worse than Equifax.

      At least Equifax will suffer severe financial consequences for its malicious actions and incompetence -- government politicians and bureaucrats need not worry about such outcomes.

      Also, SSAN as de facto national ID # is entirely the severe fault of the Federal Government. SSANs should be abolished, but the Feds luv them for tracking & controlling the citizens.

    • Anonymous Coward, 9 Sep 2017 @ 10:16am

      Re:

      We need to be able to get new SSN numbers in the case of identity theft.

      There simply aren't enough numbers to reassign them all after a breach this large. SSNs are only 9 digits, and share space with ITINs.

      If we're going to replace SSNs, we'd best re-think the whole idea of using the same static number to identify ourselves everywhere. There are some countries where it's illegal to use government ID numbers for non-official purposes (for example, in Ontario, Canada, it's illegal to store a health card number for non-medical purposes; or for the SSN-equivalent "SIN", "Unless an organization can demonstrate that the reason it is requesting an individual's SIN is specifically permitted by law, or that no alternative identifiers would suffice to complete the transaction, it cannot deny or refuse a product or service on the grounds of a refusal to provide a SIN").

      • Anonymous Coward, 11 Sep 2017 @ 12:59pm

        Re: Re:

        It's actually illegal to use your SSN for anything but taxes and social security but they're used everywhere anyway without consequence. There's absolutely no reason an insurance company needs your SSN, for example, and you can register for insurance without it but good luck if you try... The agents will probably have no idea how to go about that if they even admit such a thing is possible.

        • JoeCool (profile), 14 Sep 2017 @ 9:18am

          Re: Re: Re:

          While I was in college (UofH), your SSN was also your student ID number. I literally wrote my SSN on EVERY SINGLE ASSIGNMENT I turned in, and so did every other student. Now that I think about it, I wonder what foreign students did since they didn't have a SSN. Probably made them use their student visa ID.

  • Anonymous Coward, 9 Sep 2017 @ 12:27am

    Well, now there stock looks like a good short. Maybe I can quit my job now

    • tom (profile), 9 Sep 2017 @ 3:02am

      Re:

      Someone beat you to it: https://www.cnbc.com/2017/09/08/suspect-trading-in-equifax-options-before-breach-might-have-generated-millions-in-profit.html

      Have to wonder if a janitor or secretary got a bright idea after overhearing the 3 executives discuss selling stock.

      • JoeCool (profile), 9 Sep 2017 @ 8:56am

        Re: Re:

        Stock shorting should be illegal. If you pulled this "trick" anywhere else, you'd be in prison.

        • Anonymous Coward, 9 Sep 2017 @ 10:02am

          Re: Re: Re:

          Stock shorting should be illegal. If you pulled this "trick" anywhere else, you'd be in prison.

          Why? Doing so based on 'inside information' is already illegal, and if shorting were completely illegal, one could still make money with options.

        • Anonymous Coward, 9 Sep 2017 @ 11:43am

          Re: Re: Re:

          If you pulled this "trick" anywhere else, you'd be in prison.

          Not really. You can do it with real estate (a reverse mortgage). You can do it with most small/medium sized items (at pawn shops or similar). And there are no laws preventing you from doing it with other things, just a general lack of organized groups/people offering to be the counter-party.

          • JoeCool (profile), 14 Sep 2017 @ 9:15am

            Re: Re: Re: Re:

            Those "examples" are NOTHING like shorting. Shorting is selling stocks you DON'T HAVE, then buying some LATER to cover what you owed. A reverse mortgage is getting money for a house you actually own. Pawning items is getting money for items you actually have. See the difference?

        • michael, 9 Sep 2017 @ 12:00pm

          Re: Re: Re:

          If shorting stock were illegal, our financial system would collapse. Learn something about finances before spouting off.

        • simonides, 10 Sep 2017 @ 3:52pm

          Short selling? What about naked short selling?

          I'm not convinced that short selling should be illegal, just limited, if I understand this right. A short seller has to borrow shares of the company and pay interest while waiting for the stock to fall. What strikes me as worthy of outlawing is "naked short selling," because that allows someone to sell shares that he or she does not own and does not have to borrow. If (as if) enough investors refused to make their shares available for others to borrow, short selling would be a minor problem, and maybe sometimes a useful market device. But there are no limits to naked short selling, and to its ability to irrationally drive down a company's share price until the company dies.

          • Anonymous Coward, 11 Sep 2017 @ 9:55am

            Re: Short selling? What about naked short selling?

            There is certainly a point in allowing stockholders to allow or disallow shorting, and the shorted stock should not remain in the owner's portfolio.

            But I would be even more careful in regards to free-flowing options, since they are a derivative of the stock market, and even more so derivatives of the derivative markets like VIX and XIV. By the way, ETFs and indexes are also derivatives...

            Shorting a stock can be fixed so that the effects are minimally disruptive, but the option market needs collateral to provide security, and an infinite-volume derivative can never act as such.

      • Thad, 9 Sep 2017 @ 11:02am

        Re: Re:

        It's possible that the sale was automatic; some people set accounts up to automatically rebalance at the beginning of every quarter.

        But yes it looks suspicious as hell and should be one of the first things the investigators look into.

  • Anonymous Coward, 9 Sep 2017 @ 12:34am

    Their stock*

  • Anonymous Coward, 9 Sep 2017 @ 2:55am

    People v.

    You know when you hear of a lawsuit and it's referred to as "People v. Such-and-such"? This will probably be the first time People actually does mean everyone!

    And also,

    We apologize to our consumers and business customers for the concern and frustration this causes.

    is a great example of such statements usually released by companies after these events. No admission of guilt, though; fair enough, any good lawyer wouldn't let that one pass.

    But then they're basically saying "We see you're feeling concerned and frustrated over something, though we can't imagine why, but we're so empathetic we feel and share your pain." No you don't, no that's not why you should be sorry, and NO NO NO, the onus for our distress isn't on us, it's on you!

    So commiserate all you want, but fuck off with empty gestures after such a colossal fuck-up!

    That's the kind of statement that would be inappropriate when you get my McD order wrong, so learn that, because it may serve you well in a not so distant future.

    • simonides, 10 Sep 2017 @ 3:45pm

      That apology

      Actually, Anonymous Coward, that apology really is an apology for what they allowed to happen. But only to the extent that "this" caused "concern and frustration," which minimizes the actual damage that could, and probably will, happen to some people. The apology is soothing, but not too far from "we apologize for the fact that our security inadequacies have sent you crybabies into hysterics, whining to rapacious law firms, you bastards."

  • Anonymous Coward, 9 Sep 2017 @ 3:07am

    You know who isn't affected?

    Richard Stallman of GNU fame.

    No mobile phone, no credit card, always pays with caaash.

  • SirWired, 9 Sep 2017 @ 3:25am

    Typical, the banks are protected and we aren't

    It's important to note that nearly all of the information compromised was information about citizens (most of whom aren't in there by choice), and it's the exact information used to commit ID theft.

    But info that would let you steal money from banks directly? (Like credit card account numbers?) That's locked down just fine, except for a "measly" 200k-ish accounts.

    Note to Equifax: The fact that my account numbers likely aren't public does not help me feel better. I've had a credit card used fraudulently four times now, and at no time was it anything but a minor inconvenience. My most vital identifying data is most certainly quite a bit more important.

  • JoeDetroit (profile), 9 Sep 2017 @ 3:28am

    Holy Crap

    Of course I read the first article on this which provides a link to the Equifax site "...to see if your data was compromised..." I click the link, follow the instructions & say to my wife "my data was part of the hack!". Then I continue to read articles on this & tell her "no, it looks like ALL people are getting referred to the data monitoring site".

    Now this morning I read this posting & find that the site for checking if I'm a victim (which it doesn't) was not secure! These people monitor our credit! They hold all the cards & see all of ours as well! These people CAN'T make mistakes like this! It's inconceivable!

    The clowns that run this outfit are too busy counting their money to do any kind of a decent job. Time to take their money back & fire them. They are not competent enough to be cashiers at Walmart.

    • Anonymous Coward, 12 Sep 2017 @ 3:45am

      Re: Holy Crap

      Trust me: Equifax is not the least secure handler of information and their handling is not the most amateurish we will see.

      Data security is a black hole you can never fill with money. The answer for many indebted companies is to prioritize other issues.

      EFX is screwed because the CEO and directors have kept digging with their advertising of security, trading on some potential insider knowledge and general lack of understanding about what has occurred.

  • Anonymous Coward, 9 Sep 2017 @ 3:40am

    "For over a decade, we've pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency."

    Well, what they're collecting is pretty transparent *now*.

    • XcOM987 (profile), 9 Sep 2017 @ 11:49am

      Re:

      I voted funny, but this would be funnier still if it didn't have such dire impacts.

      I hope that they secure the database in the UK much better than they do in the US.

  • SirWired, 9 Sep 2017 @ 3:53am

    On another note, my ID info has been stolen three times now

    Just to demonstrate the pathetic inadequacy of protection of our most vital information, this will be the 3rd time my Name, DOB, Address, and SSN have been stolen.

    I've been hit with OPM, Anthem, and now this; I might as well put that information at the bottom of my e-mail signature at this point.

    I know that at least the last four digits of my SSN, along with a ccard acct. number, were used to steal one of my credit cards last year in a fascinating social engineering attack. (Used the telephone account access system to authenticate with a Cap One CSR to change my e-mail address. They then used the new e-mail to answer "yes" when e-mailed an alert about a huge obviously-fraudulent charge they were trying to make.)

    • Stephen, 9 Sep 2017 @ 7:40am

      Re: On another note, my ID info has been stolen three times now

      Equifax, like OPM, was an accident waiting to happen. Putting so much personal info into one central repository was virtually begging the Fates to bring it all crashing down in ruins.

    • Anonymous Coward, 9 Sep 2017 @ 9:58am

      Re: On another note, my ID info has been stolen three times now

      Just to demonstrate the pathetic inadequacy of protection of our most vital information, this will be the 3rd time my Name, DOB, Address, and SSN have been stolen.

      Good news! It hasn't been stolen, just illegally copied. Equifax never lost access to the data—it's still sitting on their servers, ready for future criminals to copy again.

    • Anonymous Coward, 9 Sep 2017 @ 10:05am

      Re: On another note, my ID info has been stolen three times now

      I've been hit with OPM, Anthem, and now this; I might as well put that information at the bottom of my e-mail signature at this point.

      I'm in the same boat with all three. And those are just the three we've been told about.

  • Test, 9 Sep 2017 @ 3:56am

    Diversity ftw!

    I don't understand why you're all such Equifax haters. They've got diversity, which everyone knows is our strength.

    In fact, their chief information security officer is a woman with a bachelor's AND a master's in music composition. https://www.boardroominsiders.com/executive-profiles/1006308/Equifax,-Inc./Susan-Mauldin

    Thank Gaia the company didn't hire a white man with a background in computer security. I can't imagine how bad the breach would have been then.

    • SirWired, 9 Sep 2017 @ 4:36am

      Fail. (On your part)

      If you look at her previous jobs, she's worked in security for years (her previous job was the same role at another company.) I am 100% sure that at the time she was in college, there wasn't any sort of degree one could get in computer security.

      Many of the best hackers I know don't have degrees that have anything whatsoever to do with computing; it's not unusual at all.

      I'm not saying she's good at her job, just that the information you posted would not give you any useful information on if somebody was a "diversity hire" or not. (Certainly there are plenty of "white men with a background in computer security" that are also complete failures at similar jobs.)

      • Anonymous Coward, 9 Sep 2017 @ 7:36am

        Re: Fail. (On your part)

        Fail on both of your parts.

        I have met more than enough "Experienced Security Professionals" that are only capable of regurgitating something a magazine told them. More than 50% of all Companies and their Security/Compliance teams do not fundamentally understand security.

        I would not trust any "experienced" professional in IT for shit, there are just too many fucking idiots that only know enough to get by.

        For example... how long has this been around?
        https://xkcd.com/936/

        Only recently has NIST updated their password recommendations.

        Additionally, most companies still use the old "security theater" method of password security.

        Adding rules that enforce complexity only REDUCES the actual security of the password because complexity rules only let hackers know which combinations of passwords they don't have to try for. This reduces the permutation strength by at least an order of magnitude per complexity requirement rule added to the password. 1 rule = one order of magnitude weaker password, 2 rules, that is 2 orders of magnitude weaker password, 3 rules... you get the idea!

        That password policy is just the tip of that iceberg. I have seen organizations present numerous security requirements for users while almost completely reducing them for executives and upper management; even upper level IT come with far fewer security requirements.

        I even watch as companies do stupid shit like prevent built-in copy/paste and screen capture tools. They only reduce productivity and hackers still get the shit they want with no additional effort. Yes, I have heard that this is also to prevent theft by employees.... I have yet to see it stop any form of breach. The number of cases I had to deal with each year in corporate espionage was not impacted one iota by the fucking security theater approaches to keeping company assets safe.

        Breaches like this, let me tell you, almost every company in the US has already had a similar breach and almost 1/2 of those are not even aware of a current or a past breach.

        It is seriously THAT BAD!

        • Anonymous Coward, 11 Sep 2017 @ 6:35am

          Re: Re: Fail. (On your part)

          And you fail for your flawed security thinking. Without password complexity rules, the majority of users will default to creating passwords like 'Password123'. I don't care if you have zero complexity rules, that password will be cracked/guessed in seconds because it is so easy and is susceptible to a regular dictionary attack.

          It doesn't matter that hackers know what kind of complexity rules they can ignore, a password like ';324k5@#$%-098awle5i398$%43klj454$$#' is going to be far more secure even with complexity rules than 'Password123'. Forcing more complexity rules on users so their passwords end up looking more like the former is always a good thing, not bad.

          • Anonymous Coward, 11 Sep 2017 @ 7:16am

            Re: Re: Re: Fail. (On your part)

            It does not matter how good a password is if it is written down somewhere convenient to the computer that the user uses. A weak password that the user can remember is better than the complex password being in plain view.

            • identicon
              Anonymous Coward, 11 Sep 2017 @ 8:33am

              Re: Re: Re: Re: Fail. (On your part)

              Agreed, but that has no relation to my point. You can construct an easy-to-remember password (or passphrase) that is also complex and doesn't need to be written down. The example I used above is intentionally hard to remember only to highlight the difference between a good and bad password.

              Case in point, 1HBw0tRr8%, uses the first letter of each word in the phrase "I have been working on the railroad" with some letters swapped out for their l33t equivalents and a number and symbol added to the end for increased complexity. I should be able to reasonably remember that password without writing it down, while meeting common complexity requirements and it will be vastly more secure than Password123.

              Additionally, password managers make your argument moot.


              • identicon
                Cowardly Lion, 11 Sep 2017 @ 9:38am

                Re: Re: Re: Re: Re: Fail. (On your part)

                Just to pour some petrol on the fire...

                https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

                The real world problem with "1HBw0tRr8%" is that you'll need to change it to something quite different say every 30 days, for x number of accounts, x being (in my case) quite large. So to avoid getting continuously locked out, you'll adopt some kind of pattern, an aide-memoire if you will. Unfortunately these patterns are pure gravy to people whose business it is to pry open accounts.

                Using a password manager is often forbidden by OpSec/InfoSec people as it puts all the crown jewels in one place.


                • icon
                  Uriel-238 (profile), 11 Sep 2017 @ 12:15pm

                  Re: Re: Re: Re: Re: Re: Fail. (On your part)

                  The problem with difficult-to-remember passwords is that they get written down somewhere.

                  The point of the (encrypted) password manager is that a worker has to remember only ONE pile of gibberish (and not write it down) and the rest get remembered, assuming proper security hygiene (e.g. don't let someone shoulder surf while you're typing).

                  I had assumed that Equifax's sin was the same as government agencies -- not taking computer security seriously enough -- but it sounds like they still think they're in the early nineties and don't keep up on the state-of-the-art protocols.

                  Like the ones that suggest the worst vulnerabilities are between chair and keyboard.

                  Well, hackers do.

                  And they've got lists and lists of BCAK exploits.

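Since the exchange above turns on which measure of password strength actually matters, here is an added example (mine, not any commenter's) that runs the passwords quoted in the thread through a typical legacy complexity policy and a common-password denylist, and estimates entropy for a truly random string versus a diceware-style passphrase in the spirit of xkcd 936. The denylist, word list and guess rate are constructed stand-ins, and the random-string formula is an upper bound that a phrase-derived password like 1HBw0tRr8% does not reach.

```python
import math
import secrets
import string

# Constructed stand-in for a breach-derived common-password list; a real
# deployment would load a corpus of millions of entries (hypothetical here).
COMMON_PASSWORDS = {"password", "password1", "password123", "123456", "qwerty",
                    "letmein", "welcome1", "admin123"}

# Constructed stand-in for a diceware-style word list. Only the size of the
# real list matters for the estimate, so DICTIONARY_SIZE uses the usual 7776.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "railroad", "working",
                "petrol", "lion", "gravy", "pattern"]
DICTIONARY_SIZE = 7776


def meets_complexity_rules(pw: str) -> bool:
    """Typical legacy policy: at least 8 chars and 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def in_denylist(pw: str) -> bool:
    """Reject known-common passwords regardless of how 'complex' they look."""
    return pw.lower() in COMMON_PASSWORDS


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Bits for a string whose every symbol is chosen uniformly at random.
    This is an upper bound: a phrase-derived password has far less."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(n_words: int, dictionary_size: int) -> float:
    """Bits for n_words chosen uniformly from a dictionary_size word list."""
    return n_words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


def generate_passphrase(words, n_words: int) -> str:
    """Pick words with a CSPRNG so the passphrase estimate actually applies."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def evaluate(pw: str) -> dict:
    """Policy view (complexity) versus attacker view (denylist) of one password."""
    return {"complexity_ok": meets_complexity_rules(pw), "common": in_denylist(pw)}


if __name__ == "__main__":
    # Password123 passes the complexity policy but is on the denylist; the
    # four-word passphrase fails the policy yet is the strongest of the three.
    for pw in ("Password123", "1HBw0tRr8%", "correct horse battery staple"):
        print(pw, evaluate(pw))
    rate = 1e10  # constructed offline guess rate, guesses per second
    bits10 = entropy_bits_random(10, 95)
    bits4w = entropy_bits_passphrase(4, DICTIONARY_SIZE)
    print(f"10 random printable chars: {bits10:.1f} bits, "
          f"{years_to_exhaust(bits10, rate):.1f} years at {rate:.0e}/s")
    print(f"4 diceware words: {bits4w:.1f} bits, "
          f"{years_to_exhaust(bits4w, rate):.4f} years at {rate:.0e}/s")
    print("fresh passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```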

      • identicon
        Anonymous Coward, 9 Sep 2017 @ 7:52am

        Re: Fail. (On your part)

        Many of the best hackers I know don't have degrees that have anything whatsoever to do with computing; it's not unusual at all.

        Many of the best doctors I know don't have degrees that have anything whatsoever to do with medicine, or a degree at all; they just supply me drugs.


      • identicon
        Anonymous Coward, 9 Sep 2017 @ 7:57am

        Re: Fail. (On your part)

        I am 100% sure that at the time she was in college, there wasn't any sort of degree one could get in computer security.

        I'm pretty sure there were degrees in things like computer science. And if she's so good at it now, maybe she should go back to school for an appropriate degree. She should be able to dance right through, right?


        • icon
          JoeCool (profile), 9 Sep 2017 @ 9:06am

          Re: Re: Fail. (On your part)

          Computer science, or even better, Electrical Engineering where you learn not only how to program, but how computers work in the first place. The biggest problem I have with most CS degree plans I've seen is a lack of fundamentals in hardware... many CS degrees don't even require boolean math! I've asked programmers with an MS in CS to make a state machine, and they give me a blank stare... to which I give back a horrified stare.


        • icon
          Groaker (profile), 9 Sep 2017 @ 2:37pm

          Re: Re: Fail. (On your part)

          Having been a paid programmer in '65, I believe that degrees in computer science were a rarity back then, if they existed at all. I can recall a bull session laughing at some university that was offering the start of a degree program, and we all laughed about the ridiculousness of it.

          Oh how things have changed.


      • icon
        Anonymous Anonymous Coward (profile), 9 Sep 2017 @ 8:08am

        Re: Fail. (On your part)

        In my experience, when interviewing job candidates, I tend to ignore degrees. I do care what you know, but I care more about what you can do. I have fired many people with the right degrees who could do nothing.

        In this case, it is obvious that security was not important to the company. What we don't know is the reason why. It could be cost, it could be technical difficulty, it could be a lack of ability. It could be something else or a combination of several factors.

        We do know part of the end result. Many years of horrible experiences for many many people, and likely a financial industry with zero interest in making things easier/better for those people. Those people probably include some/many of us.


    • identicon
      Anonymous Coward, 9 Sep 2017 @ 7:09am

      Re: Diversity ftw!

      Just what are you trying to say?
      Perhaps if you had better communication skills you would be able to express your true feelings.


    • icon
      orbitalinsertion (profile), 9 Sep 2017 @ 3:23pm

      Re: Diversity ftw!

      As if that has fuck-all to do with anything.


    • identicon
      Truly, 10 Sep 2017 @ 1:37am

      Re: Diversity ftw!

      You are absolutely right! And if a bad white computer scientist had been in charge, she would have had more time for the important things, like golf and gardening! Better still, let's outsource the data to Pakistan, just like insurers have been allowed and encouraged to do with all of our medical records. Pakistan is a high security place where breaches will never occur!


    • icon
      PaulT (profile), 12 Sep 2017 @ 1:55am

      Re: Diversity ftw!

      Strange how you'd point to her degrees rather than the industry experience she gained afterwards as the sum total of her knowledge on the subject. Did you think she went straight from college to be CISO of a major company with nothing in between? I also wonder how many of the white male officers at other companies with major security breaches recently you've been examining to poke holes in their education - I'm going to presume zero.

      Let me guess - you're a white guy with a CS degree but no industry experience, and you've decided that it's "diversity" that's making it difficult to get that sweet job you saw a black woman with the same qualifications get a while back, and not your shitty attitude, zero industry knowledge and entitlement complex?


  • identicon
    Anonymous Coward, 9 Sep 2017 @ 5:58am

    Silver Linings

    On the plus side, the chances of someone maliciously using your data to commit fraud and ruining your life forever is only 1 in 143 million. Yay!


    • identicon
      Anonymous Coward, 9 Sep 2017 @ 6:35am

      Re: Silver Linings

      Why on earth would they limit themselves to committing one fraud when the penalty is exactly the same for doing it 143 million times. We live in a computerized society where an intelligent criminal is able to automate their crimes and steal hundreds of dollars from a good percentage of the people they now can control. That would be over 1 million people even if they have only a 1 percent success rate. Are you feeling better about your data now? Try back in a decade when you have multiple cars, boats, personal loans and credit cards in your name, yet no job or savings to even keep your cell phone active.


      • identicon
        Anonymous Coward, 12 Sep 2017 @ 9:47am

        Re: Re: Silver Linings

        Self-limiting to exactly one fraud is indeed unlikely, but with the scale involved here, we may actually find ourselves with a shortage of fraud because the fraudsters just can't spare enough time to victimize everyone and/or find enough stuff they want. There's only so many millions of dollars of stuff you can fraudulently obtain before there's no point in going further, so at some point, the fraudsters may just give up and retire to enjoy their ill-gotten gains.


  • identicon
    Anonymous Coward, 9 Sep 2017 @ 6:35am

    Not sure what the problem is - can't you just change your birthdate (or fingerprint or iris-patterns) if it becomes commonly known...? /s


  • icon
    Anonymous Anonymous Coward (profile), 9 Sep 2017 @ 6:42am

    Truth in naming

    Equifax, Experian, TransUnion or Exasperation


  • identicon
    Anonymous Coward, 9 Sep 2017 @ 6:46am

    Just a reminder where these people get their ideas and how they morphed

    http://time.com/3961676/history-credit-scores/

    A brief history of the first credit reporting agency and how it changed into the monstrosities we have today.

    They will probably get off with a slap on the wrist, but it's gonna be a shit storm of outrage for quite a while. I was watching the PBS NewsHour last night and both the presenter and the expert guest started the segment stating they had both been affected, and the last word on the subject was that signing up for the monitoring abrogated the right to sue.

    Now the NewsHour is mostly viewed by the over-65s, but they have middle-aged children that they will likely call in a panic, either for themselves or for them, and you can bet there are going to be a lot of eyes on this for a long time.

    So It's got that going for it, which is nice.


    • identicon
      Truly, 10 Sep 2017 @ 1:46am

      Re: Just a reminder where these people get their ideas and how they morphed

      Let's see: each of 143 million people suffers about $100,000 in lifetime damages, strain, drain, and worry about the hack. Before attorney fees, that's $14,300,000,000,000 in total damages.

      That $14 trillion should just about put Equifax where it belongs: out of business.


  • identicon
    Justin, 9 Sep 2017 @ 7:10am

    Jail time

    I will be more worried about things if this does not result in massive jail time for those at the top, but I am not going to hold my breath.


  • identicon
    Anonymous Coward, 9 Sep 2017 @ 7:14am

    So what happens when a crook uses said data to defraud a business?

    1) defrauded business demands payment from you because your "identity" was "stolen"?
    2) defrauded business takes measures to help prevent future errors.


    • icon
      Bt Garner (profile), 9 Sep 2017 @ 8:34am

      Re:

      Fry and Laurie had it right: it's not identity theft, I still have my identity. The company that extended the credit (et al.) is the one that did not authenticate that the buyer was who they claimed to be. So, why am I getting dragged into this when I had nothing to do with it?

      Though I do wonder, how many persons will now try to purchase things as themselves and claim identity theft...


      • icon
        JoeCool (profile), 9 Sep 2017 @ 9:11am

        Re: Re:

        Though I do wonder, how many persons will now try to purchase things as themselves and claim identity theft...

        Considering the breach covers EVERY adult in the US, and considering what percentage of the population are con-artists, this will probably be at least in the thousands, if not tens of thousands.


      • identicon
        Anonymous Coward, 9 Sep 2017 @ 9:54am

        Re: Re:

        Fry and Laurie had it right: it's not identity theft, I still have my identity.

        Also see Ross Anderson's description of this false narrative:

        Now back when I worked in banking, if someone went to Barclays, pretended to be me, borrowed £10,000 and legged it, that was “impersonation”, and it was the bank’s money that had been stolen, not my identity. How did things change? ... [Now,] those impersonated are treated as targets, when the targets are actually those banks on whom the impersonation is practised. This is a precursor to refusing bank customers a “remedy” for “their loss” because “they failed to protect themselves.”


      • identicon
        Anonymous Coward, 9 Sep 2017 @ 4:15pm

        Re: Re:

        Yup, but the identity theft industry will not have any of that. I'm guessing they are already hot on the heels of their favorite representative to get emergency legislation through to force individuals to pay up or face jail time.


  • identicon
    Anonymous Coward, 9 Sep 2017 @ 8:40am

    "You can't opt-out. They collect most of their data without us knowing and in secret. You can't avoid them."

    Given this the execs should pay a high price for their incompetence such as jail time. I'm not even bringing up the fact that they cashed out before revealing the damage. No accountability from any corps mishandling our info.


  • identicon
    Anonymous Coward, 9 Sep 2017 @ 9:54am

    I'm still waiting for the consequences of the Anthem hack to, um, Anthem. I don't believe they've even been fined over the last one and that was a breach where the hackers got the key to decrypt the data, if I remember correctly. Heck, it might not even have been encrypted. I'm too lazy to double-check it.

    Like the guy above, my information has now been jacked 3 times that I know of. That doesn't include more minor hacks like LinkedIn, Yahoo, and the ones I've never heard about. It may as well be public at this point.

    One of the more egregious things I've heard about (it's not a hack) was ADP selling salary information that they got from processing your checks. This kind of thing should have been illegal from the start. Seriously, you process the check, and get to sell the information....

    And this is where we dropped the ball. These big giant collectives of personal data needed to be stopped a long time ago. If you want to have it, fine, if it gets out people go to jail and companies get wrecked. If you want to take the risk you take the punishment.

    But, don't worry, Jeffrey's on the job. Oh wait, he's busy getting police tanks and bazookas, while the public gets reamed by these kinds of crimes.


  • icon
    ECA (profile), 9 Sep 2017 @ 10:19am

    Yaaa-Hooo

    Thinking of what this can cause..
    If they would break into the OTHER 2 agencies..

    Any info they could give out would be subject to Scrutiny..
    And need to be Validated..

    So, that the 3 agencies responsible for ANY credit you get, would be GONE..
    THEN, either the bank HAS to listen to you, or NOT..if NOT, they still need to figure out WHO they can give money to..
    HONESTY unchecked??


  • identicon
    Anonymous Coward, 9 Sep 2017 @ 10:29am

    "In trouble"

    I can't see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well.

    You're implying that Smith is in trouble. He was making 12 million dollars per year, and very likely has an indemnity agreement such that Equifax will pay any legal costs arising from his work. Even if fired, he won't be in the poorhouse anytime soon. There are 143 million people in more trouble than him.


  • icon
    Uriel-238 (profile), 9 Sep 2017 @ 12:39pm

    So...

    Two- and Three-factor authentication for everything!

    Not a half-bad idea.


  • identicon
    AnonBob, 9 Sep 2017 @ 1:32pm

    Walter Tangoe Foxtrot

    First off, if memory serves an Equifax executive was caught selling the entire database years ago and got a slap on the wrist. This is nothing new. The entire executive boards at all 3 major credit ratings companies are criminals and ought to be thrown in the slammer for the rest of their lives. That's too harsh? Then break 'em up. A local credit ratings agency is more than capable of reporting on local loans.

    It's amazing the lengths companies will go to, collecting information on everyone they can, in order to secure a loan. Next they'll start telling us how to live our lives. Although I do think most people are coming to the realization if they ever want to get anywhere they need to decide what they're willing to put up with and work hard at not putting up with it.


  • identicon
    Anonymous Coward, 9 Sep 2017 @ 10:51pm

    If the government doesn't value your data and privacy there is no chance private industry will.


    • icon
      AEIO_ (profile), 9 Sep 2017 @ 11:36pm

      Re:

      Oh the government values your data and privacy; that's why they want "just":

      • all of your phone metadata,
      • electronic payments that allow for accidental instant tracking,
      • US Post Office photo-scanning Every Single Letter and package, and
      • forced banking reports on any deposits over $10K (and SOMEONE watches for multiple in-a-row lower-cost deposits)

      The Government Cares all about you and wants to know =everything= there is to know about their precious constituency.

      "All the better to guard you with, my dear." -- Grandma from the Little Red Riding Hood.


      • identicon
        Anonymous Coward, 10 Sep 2017 @ 10:50am

        Re: Re:

        All of the text of your conversation is automatically transcribed and included as extracted text, in one of the metadata fields. "Just metadata" can include everything relevant from a phone call without needing to have a recording of the conversation attached.


  • icon
    blademan9999 (profile), 10 Sep 2017 @ 11:19am

    Equifax is doomed.

    Equifax only has a revenue of a little over $3 billion a year.
    That means if they were to give a mere TWENTY DOLLARS to each person who has had their information leaked it would cost them nearly their ENTIRE YEARLY REVENUE. Equifax is fucked.


  • icon
    RickF (profile), 10 Sep 2017 @ 5:34pm

    Payouts

    I'd like to know, how much money has the identity theft insurance industry paid out in claims per year? I bet if you make a claim a) your credit score takes a hit and b) they'll try to deny the claim.


  • identicon
    Anonymous Coward, 11 Sep 2017 @ 7:43am

    Look at the good side of this

    With virtually every adult identity in the US compromised:
    - Who will be able to pass a security check for a job working with DOD classified data, for a job with the FBI or CIA or NSA or DHS?
    - Who will pass a background check for these crooked websites who claim to verify people for jobs, dates, contracting and so on?
    - Who will pass an HR background check for any professional or skilled job?

    Congratulations, we're all criminals now. As Mike said, this is going to get much bigger.
