The Umpteenth Security Breach - Equifax

The Rocketry Forum


Winston

Ditto on the following. I've read that the hack was possible because of a failure to install an available security update:

"Bear in mind this is the THIRD TIME in 16 months that Equifax has been hacked – there was another breach earlier this year, and another in May 2016.

Even worse – this wasn't an overnight attack. Hackers spent MONTHS probing the Equifax network, burrowing deeper into the system and gaining access to more and more data with each attempt.

Yet Equifax’s defenses failed to detect anything.

Finally on July 29, a whopping TEN WEEKS after the attacks started, Equifax realized that something was wrong."


-----

Equifax waited weeks before alerting 143 million of its customers that a data breach exposed sensitive personal information like social security numbers.

But U.S. companies are required by law to quickly report any new information that could materially affect their financial outlook. The fact that Equifax discovered the breach on July 29 but did not disclose the problem until Sept. 7 raises questions about whether it followed those laws.

"It's pretty remarkable how long Equifax has been aware of the problem and did not disclose it," said Eric Chaffee, a law professor at University of Toledo and editor of the Securities Law Blog. "The main problem here is the failure to disclose a catastrophic cyberattack that compromised the information that is at the heart of Equifax's business model. This created a duty to disclose this attack in a timely fashion to investors, potential investors, and those whose data was compromised."


-----

WHERE ARE THE DAMNED HANDCUFFS?
2017-09-08 09:12 by Karl Denninger

It's time to start locking people up and destroying businesses with federal criminal indictments.

The Internet has made many things very easy -- and fast. But it has also made many things quite-insecure, especially when corners are cut.

I can design and implement extremely secure internet-connected data facilities and services. I not only have done so; they're in active use right now. Some are more-important than others, but all are important to me. Among other things my home is connected via same, never mind the work product I've developed for the last, oh, 30ish years when working on various pieces of computer-technology.

It has never been penetrated.

Do you know why? Because to get in you need cryptographic keys that you don't have, and as technology has advanced so has my willingness to regenerate said keys to keep step with same, along with taking proper security precautions with the necessary components to issue said credentials.

In other words I do my ****ing job.

Equifax did not. Nor did all of the other places that have had ridiculous data breaches over the last few years. Nor did the people who called me a couple of years ago in a panic because one of their "senior" IT people stripped the protection from their master key and stuck it on a network volume that was backed up to the cloud for convenience purposes. For the record, that person was not fired and the firm in question did not immediately re-generate all the keys issued by same.

So far I haven't read anything in the paper about them being compromised, but that doesn't mean they haven't been. It just means it didn't hit the papers.

Yet.

Equifax, along with Trans-Union and Experian, hold data on virtually every US Citizen over the age of about 18 and a large number of those who are not adults. If you have any sort of credit relationship with anyone they have a file on you. That file is indexed by something that until about 20 years ago was stamped on the face of said card "Not for Identification" -- your Social Security number.

Congress has permitted these firms to pervert that which it designated not for identification use, but only for the use of the Federal Government in administering retirement and disability benefits under the Social Security program, with the IRS having access to it so as to make sure your contributions to same were accurately recorded. Since deliberately turning its back on the outrageous abuse of same by private industry Congress has then gone even further and not only allowed and mandated its use by other firms, such as banks, for identification purposes it has effectively barred you from having any such account or access without same.

This, despite the fact that on the face of said cards until fairly recently it was explicitly stated: NOT FOR IDENTIFICATION as that was written into the original law that resulted in the issuance of same.

But what's even worse than that perversion for which every Congresscritter and Executive Branch member should be tried and imprisoned for the rest of their lives is what Congress and the Executive have not done since -- on purpose.

They have not enforced the law with regard to intentional and willful misconduct when it comes to cyber security in these large data stores nor do they give a damn about the material and incalculable harm these large firms inflict on consumers when your data is either stolen or misused because of their intentionally lax security. Further, the Congress and Executive allow effective extortion of every consumer in the nation by allowing these companies to charge you to freeze your credit, thus denying scammers access, they can charge you again to "unfreeze" it temporarily if you wish to obtain new credit and they deem said data "theirs" instead of "yours" which means you can't insist that they either not collect and store it or delete it.

See, proper security costs money and can be inconvenient. Having access to such data only when properly-secure machine certificates are used to encrypt same and all communication all the way back to a traceably-secure device would mean that "instant credit" decisions at millions of cash registers (e.g. to sell you a credit card while in the checkout line) could not be made.

Forcing these companies to allow consumers to turn "on" and "off" access to their credit files whenever they want, without cost, would mean that these companies couldn't sell your data to anyone and everyone who has a few bucks, and they'd have much smaller businesses than they have now. And prosecuting and jailing the executives of firms who put convenience for their customers, which are businesses -- not consumers -- ahead of security would mean they'd have no business at all. But at the same time it would make defending against someone opening a credit account in your name and stealing your identity very easy since you could disable access to your credit information any time you wish without having to pay to turn it on and off.

Because of how these firms operate and their business practices, choices they have voluntarily made, you get screwed -- again. This breach is so large and so egregious that no amount of "monitoring" and "credit watching" will do a damn thing. You're going to get ****ed as a consequence of this and your obsession with posting crap on Facesucker, Twatwaffle and Instrascrew instead of immediately demanding that strong, effective action be taken to put a stop to this crap.

The solution is to force Equifax to eat the cost of ANY fraud that ensues and all costs of its cleanup including liquidated damages for your time and effort on a permanent basis since they, and not you, decided to use an identifier never intended for that purpose and in addition they, and not you, were grossly negligent in failing to secure said data. In addition forcing all of these firms to allow no-cost lock and unlock options for consumers where locking your file at one bureau does so at all of them and can be done at zero cost at any time for any reason on a permanent basis would actually mitigate said risk. Finally, deeming any credit opened while you have locked your file as conclusively fraudulent and uncollectable with liquidated damages payable to you if someone does it anyway would shift the burden from you for said incidents to them.

And finally we can start by indicting right now the executives at Equifax who sold stock after the breach occurred and before it was reported along with indicting the company itself under federal Racketeering statutes -- they claim they didn't know but I call bull**** on that and demand an immediate felony criminal investigation of both the executives and company including but not limited to the immediate seizure of every single electronic device owned by said executives and the company that might hold evidence documenting that they're lying.

But instead of doing the right thing what we get is more mealy-mouthed bull****, and you, America, sit for it.

The breach is Equifax's fault.

The lack of immediate prosecutorial and policy response by the government is your fault, America, because you refuse to demand that it happen right damn now backed up by immediate and no-holds-barred protest, up to and including destroying all credit-issuing businesses through lawful economic action until the above occurs.
 
If I released someone's personal data the police could come after me. When a huge firm does it nothing really happens as far as I know. That has to stop. These firms need to take data security extremely seriously. It's not as if I have any control over what they do with my personal data.

My wife and I put credit freezes on all three credit firms years ago. No one can access our data without our permission. This makes certain things a pain in the rear, like applying for a mortgage, but it also prevents others from opening accounts; well at least easily. Credit freezes are free, but they can charge you to lift the freeze. If you have no need to apply for credit you may want to freeze your credit.
 
If I released someone's personal data the police could come after me. When a huge firm does it nothing really happens as far as I know.



There has been a class action suit filed already. They will pay for what happened. Problem is the victims will most likely end up with $3.00 compensation each and the attorneys will get the rest of the settlement. I say put them out of business.
 
There has been a class action suit filed already. They will pay for what happened. Problem is the victims will most likely end up with $3.00 compensation each and the attorneys will get the rest of the settlement. I say put them out of business.
It's supposed to be for up to $70 billion which comes out to $489.51 per person in the potential 143 million Americans affected.

Equifax Faces Multibillion-Dollar Lawsuit Over Hack

Class action seeking to represent 143 million consumers alleges company didn’t spend enough on protecting data

https://www.bloomberg.com/news/arti...r-massive-hack-in-multibillion-dollar-lawsuit

The case was filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions. Ben Meiselas, an attorney for Geragos, said the class will seek as much as $70 billion in damages nationally.

Equifax didn’t respond to request for comment on the matter.
 
If I released someone's personal data the police could come after me. When a huge firm does it nothing really happens as far as I know.
We peons don't have the money to buy governments.

On credit freezes:

Security freezes are designed to prevent a credit reporting company from releasing your credit report without your consent. However, you should be aware that using a security freeze to take control over who is allowed access to the personal and financial information in your file may delay, interfere with or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular telephone, utilities, digital signature, Internet credit card transaction or other services, including an extension of credit at point of sale.

A great tutorial by a guy who's a major hacker target because of what he investigates and what his blog thereby reveals:

08 JUN 15
How I Learned to Stop Worrying and Embrace the Security Freeze

https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/
 
Equifax has put up a website to see if you are affected by said breach. The real pain here is that if you log in to see if you've been affected, you waive all rights to any and all lawsuits. Damned if you do, screwed if you don't.

I remember a time when you only needed to do a credit check for a mortgage, for a car loan, and maybe some other type of loan or large purchase. Now, you seem to need to have "good credit" and allow a credit check to buy groceries.
 
While we are on the subject, one thing that really bothers me is that even your car insurance rates are determined by your credit score. As long as you don't let your insurance lapse and pay as required, why should your credit score have anything to do with determining your rate? That's what your driving record is for. No problem here, I would say it helps me out, but still against that type of crap.
 
Equifax has put up a website to see if you are affected by said breach. The real pain here is that if you log in to see if you've been affected, you waive all rights to any and all lawsuits. Damned if you do, screwed if you don't.

Originally there was some language that could be interpreted that way, but that has been cleared up. We don't waive anything by checking if we are potentially impacted. I am potentially impacted.

And, class action lawsuits are great for the lawyers running them but any proceeds to the plaintiffs will be minuscule.
 
Originally there was some language that could be interpreted that way, but that has been cleared up. We don't waive anything by checking if we are potentially impacted. I am potentially impacted.

And, class action lawsuits are great for the lawyers running them but any proceeds to the plaintiffs will be minuscule.

I heard on NPR that originally they had the language of waiving your rights by signing up for the credit monitoring service, but apparently a number of states' attorneys general made it clear that they would go after them if they really did that. Apparently Equifax said that the language "wasn't supposed to be there" and it has since been removed.
 
Another fun fact.

If you sign up for the monitoring, I understand that you have to actually subscribe to their service with a credit card and the first year is free. After that, if you do not cancel, it annually renews at retail pricing.

Nice way to pay for their recovery efforts.
 