Equifax - Data Breach


(jkp) #1

In case anyone is interested…

As you may have heard, Equifax, one of the three largest credit monitoring bureaus in the U.S., announced a data breach at the company that may have affected 143 million U.S. consumers. The breach included social security numbers, birth dates, addresses, credit card numbers as well as other personal information.

To help determine if your personal information was compromised, Equifax set up a website - www.equifaxsecurity2017.com - where you can learn more about the incident and enroll in a free credit monitoring service.


(RH) #2

I’m interested. I’m also a bit sick of these breaches. Free credit reporting. Great. If you get hacked 3 times in a year, you get 3 offers of free credit reporting. Sometimes, they then have the nerve to offer paid upgrades. There are ways for them to make using the data stolen very difficult. The data is generally collected with only implied consent. I’ll stop now. Basically, saying I’m sorry and offering to let you know you have identity theft or worse to worry about. We’ll see if we get some rules from real security experts or congressional dog and pony shows where executives who are clueless about security have to answer stupid questions.


#3

Before signing up for the free credit monitoring, read the following:


(RH) #4

I’ve already got credit monitoring via American Express, and AAA offers free monitoring to their members for those interested. Equifax can go to hell.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #5

And thus provide a perfect path for phishers to use? No thank-you.

Equifax needs to be sued out of business.

It is impossible to boycott them, because their “customers” aren’t us consumers who were affected by the breach; no no no… the customers are the credit providers (banks and other lenders), and credit information users (banks, many, many employers, landlords, insurance companies, marketing companies, and more).

We are at the mercy of these companies: In order to apply for a credit card or bank account, you MUST consent to handing over your personally identifiable information. This is outrageous.


(Bobby) #6

Where is the x3 like? I’ve got the email offer and was thinking what a shady thing to do…


(Bobby) #7

Consumer Union petition calling on Congress to hold Equifax accountable and work on solutions to prevent these devastating breaches in the future

https://secure.consumersunion.org/site/SPageNavigator/20170908EquifaxPetitionPage.html;jsessionid=00000000.app248a?NONCE_TOKEN=F6243544DC3C8864C3AE3B5F894ACD8F


(Never Trust @bamarayne) #8

A few things to think about…

For starters, Equifax bears the responsibility. To be in the business and reap the benefits they also have to accept the risk and absorb the losses as well. There are some pretty disheartening issues with their response, for sure. That said, I can’t see how our modern lending system (therefore our economy) can function without someone collecting and managing this type of data.

Response:
I’ve seen, and worked with, many companies post breach and it’s not easy - everyone will pick apart even honest mistakes. The bad thing is some of these issues aren’t just trip-ups; some appear to be outright traps.

Breach:
What’s publicly known about the breach, at least AFAIK, isn’t really enough to slip a noose around their neck just yet. The real question here, for me at least, is did they follow appropriate state of the art practices and provide the proper standard of care? Even if they did, breaches can and have occurred. If they ignored known security issues, or refused to follow proper practices, that’s another thing entirely. So far, what’s known publicly is there was an app vuln that was exploited. Did they know about it and roll the dice on not patching it? Was it an in-house coded app? Were proper app security coding practices followed? Were proper OWASP mitigations in place and were WAF systems and processes in place? Some of the developers here are quite familiar with an app vuln and a decision to put off fixing it due to operational, capital or other perceived costs in the short term, and how that cycle can continue for far too long. Bottom line is there is a lot to consider here. Just because you are breached does not mean you didn’t do your job or didn’t do it well. But it could mean that or worse. Details matter.

Ultimately, I am a huge advocate for the best security practices. When one thinks about a breach like this and how it might affect them, and what they think Equifax should / could have done to prevent it, also put those same practices into place in their work as well. Despite security having the highest level of visibility and acceptance it has ever enjoyed, there is still a lot of nay-saying out there - dismissing security concerns due to the effort, costs, and denials over the impacts. This comes from all walks of life - execs, administrators, developers, even board members.

Of course, security is never absolute, it is only possible to limit and manage the risk.


(jkp) #9

(John) #10

And…their execs dumped stock before the breach went public.


(RH) #11

Sometimes these breaches have insider help… Not always and not necessarily in this case, but this is the LAST thing large companies want to be known…


(RH) #12

Martha Stewart went to jail for less.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #13

I’m highly certain that Equifax will settle a class action (for a non-trivial total cost, but nothing of significant value to the victims here…), and then… continue to be wildly successful and the execs walk away rich regardless.

The only “equitable” solution is for their real customers (lenders, marketers, insurance companies) to pull out of their contracts and move all business to the competition.

But life ain’t fair.


(Never Trust @bamarayne) #14

Class actions tend to be that way. The only winners are the lawyers.

As to whether Equifax deserves such a fate, I’ll wait to see if they were good stewards of the information. I do believe someone needs to manage the data; it may be that they are in fact doing a better job than their competition. For all we know, Experian and TransUnion may be wildly insecure, follow bad practices and have piss poor security hygiene - so I wouldn’t hope that they take over at Equifax’s expense just yet. You may just jump from the pan to the fire.

It could be that Equifax are just the unlucky ones that got popped. Conversely, it could be that they were horribly ill-prepared and had terrible security practices, ignored known vulnerabilities, besmirched researchers (Would have gotten away with it if it weren’t for you meddling kids!) that pointed it out to them, etc. We’ll see.


#15

Equifax’s greatest vulnerability isn’t the data breach itself, it’s the fact that their company officers sold off stock when they knew about the breach and the public did not. And the apparent delay in notifying anyone. (We don’t know for sure yet that they didn’t notify the FBI and there was an investigation going on, but if they didn’t, they do have some vulnerabilities.)


(RH) #16

Wait until it comes out the SysAdmin password was 12345 :joy:


(vlad) #17

What worries me is that this seems to be a treasure trove for the people whose information was stolen… Does the public really think that signing up for credit Monitoring is a sufficient step to take here? I am hoping that this kicks off the process for comprehensive legislation which should attempt to

  1. Educate people about cybersecurity
  2. Come up with some plan to render the stolen data useless for future hacks (new social security numbers? A new, more secure way to tie a consumer to a financial institution?)
  3. Regulate shepherds of personal data much more strictly, with larger consequences for not having sufficient protections in place
  4. Hold Equifax accountable for the breach and their delayed response

I am really sick of the status quo of being notified I’m hacked and being provided only with reactive measures to “protect” myself in the future - I don’t want to have to wake up every day wondering if I will have my identity stolen, with the data they got in this hack it’s not a matter of if it will happen, it’s a matter of when it will happen, because from now on, 143 million Americans will be vulnerable to it (if they weren’t already before). I have sent out letters to all of my political representatives with basically the same complaint but am not very hopeful on receiving a response that will be sufficient…


(Kirk Hilzinger) #18

They are a treasure trove, which means they will always be a target. But, in computer security, there is never a magic bullet. Code is written by human beings, and human beings make mistakes or cannot anticipate everything that could ever come up. You have to protect yourself. Personally, I carry identity fraud service on my accounts and credit PLUS, I have an identity fraud rider on my homeowner’s policy. Plus, I check my bank accounts every few days.

They do their due diligence. They have to. It is things like this, Target, Stuxnet, etc. that bring these sophisticated attacks into the light so that those who write code can learn from these things and better prepare for future attacks.

We all are trusting code written by many different individuals with our homes. Most of it runs on servers located outside of our homes, some of it on third party services and services. We are all taking calculated risks all the time.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #19

That won’t “ever” be an option. The IRS, Social Security Administration and State tax authorities could never competently update their systems to a switchover.

I forget whether this is a myth or not, but I heard that SSNs were originally illegal (or at least not intended) to be used by anyone except the specific Government agencies originally designated. The use for bank accounts and credit history was never supposed to happen… long before the risk of a hack like this was even a thought.


(vlad) #20

I’m not so much talking about zero day exploits, of which there isn’t much an organization can do in those scenarios. We don’t have any detailed information on the hack yet, so I guess I can’t speculate, but there have been many occasions where data that should have been encrypted at rest and/or security wasn’t properly implemented. The OWASP top 10 outlines a few of these: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2017_Release_Candidate_1

Im not sure if we will ever actually know what the source of the hack was but I have a hunch that it wasn’t a zero-day attack… I have 6 years of experience professionally developing software (Before ST I was at a Healthcare shop that integrated with many other health systems) and in that short amount of time I already have completely lost all confidence in your average enterprise to keep personal information secure. From self signed certs, to public keys being sent unencrypted, to private keys being sent by mistake instead of public, non salted password hashes, weak ciphers, APIs missing authentication, internet facing databases without authenticatiIon, etc. and of course phishing. The standard across the entire industry needs to be raised - I don’t think this would be acceptable in other professions… I would never trust a software shop to build me a house :sweat_smile: