Topic: Equifax

yossarian22c

Equifax
« on: September 14, 2017, 07:18:15 PM »
The company's entire business is to collect financial information and provide analysis to banks about the risk of lending you money. By leaking all of everyone's personal data they have basically made issuing credit to anyone not in person extremely risky.

Is there any reason their corporate charter shouldn't be revoked?

Also I sure hope the FCC is investigating those executives who sold millions in stock 2 days after the breach was discovered but months before they made it public. Sure looks like insider trading.

D.W.

Re: Equifax
« Reply #1 on: September 14, 2017, 09:37:05 PM »
And an interesting bit, they offer credit protection services.  (free for a year due to their *censored* up)  Essentially their screw up created potential clients...

So they neglected to install critical security updates. They learned of this breach then neglected to tell the public (until long after they cashed out). Then they tried to cover their asses by getting people to sign away the right to sue for agreeing to arbitration.

TheDrake

Re: Equifax
« Reply #2 on: September 15, 2017, 10:31:05 AM »
It would be nicer if people and corporate entities cut them off and only dealt with Transunion and Experian.

I don't think "revoking a charter" is a thing, and in particular not in Delaware where I assume they incorporated.

FTC has opened a probe, and Warren is introducing legislation.

I feel relatively confident that some heads will roll on this one in one form or another, because a lot of rich and powerful people are part of the breach and stand to lose the most.

I'm not sure exactly what action to take. I have two monitoring services on my credit (not Equifax). So any inquiry should flag. I'm contemplating a credit freeze, but I happen to be in the middle of some things that may require an inquiry, so that's not ideal.

To some extent, I expect some herd effects. Not sure how they'll target people out of 140MM options.

In practical terms, I'm not sure this is so much information that isn't already available. It's just a lot more than usual.

None of that absolves Equifax in any way. Their Board should be firing execs right about now, if they have any credibility. I won't hold my breath.

The information, as reported, is this:

"names, Social Security numbers, birth dates, addresses, and driver's license numbers"

Generally speaking, it's already not hard to find my address or birth date. A DL number? Not sure how far that gets you. The SSN is the big deal.

A much smaller number had credit card numbers out.

The best long term solution is one in which somebody with those small tidbits can't apply for credit and get it. This would be fought tooth and nail by retailers (online and offline), lenders, auto dealers... really just about everybody who wants your money today, not tomorrow.

Solutions could include actually mailing you something you need to confirm, physical presence with ID, even a three day waiting period to allow your monitoring to inform you of inquiries in time to initiate a freeze.

ScottF

Re: Equifax
« Reply #3 on: September 15, 2017, 11:52:52 AM »
I think we need to be a bit careful about grabbing pitchforks. yossarian, did they "leak" everyone's data or were they hacked/breached (not a loaded question, I really haven't read much on this)? Both are bad, but not really in the same category.

I work in the SaaS industry and it used to be fashionable to jump all over any competitor who had an outage (talk about it on social media, etc.). We quickly realized that outages, while rare and largely preventable, can still happen to anyone. In our case, our hosted server facilities went down at the same time our backup facilities were hit by lightning on the opposite coast. If Equifax is shown to be grossly negligent then, by all means, have at 'em.

NobleHunter

Re: Equifax
« Reply #4 on: September 15, 2017, 12:06:01 PM »
There's something to be said about dropping the hammer on them pour encourager les autres.

TheDrake

Re: Equifax
« Reply #5 on: September 15, 2017, 02:19:46 PM »
They don't deserve the benefit of the doubt, Scott. In addition to the shady stuff may have done with selling stock and


Quote
So then I decided to test the system with a different last name and six random numbers. I used the more popular English spelling of my last name for this purpose, entering “Burr” instead of “Buhr” and entered six random numbers I don’t even remember now.

Sure enough, this made-up person had also been impacted. I tried it over and over again and got the same message. The only time I did not get the message I’d been impacted was when I entered “Elmo” as the last name and “123456” as my Social Security number.

Some of my colleagues also tried to fool the system and came up with different outcomes. Sometimes, after entering a made-up name, the site said they had been impacted. A few times it said they were not.

Others have tweeted they received different answers after entering the same information.

The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID.

What this means is not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.


imaginary people identified as being hacked


Quote
"We know that criminals exploited a U.S. website application vulnerability," Equifax said in an update on its website Wednesday night. "The vulnerability was Apache Struts CVE-2017-5638." Equifax said it was working with a leading cybersecurity firm, reported to be Mandiant, to investigate the breach. Mandiant declined an NBC News request for comment.

The Apache Software Foundation, which oversees the Apache Struts project, said in a press release Thursday that a software update to patch the flaw was issued in March, one day after it was first discovered.

"The Equifax data compromise was due to their failure to install the security updates provided in a timely manner," the Foundation said in the statement.

Equifax said in a statement to NBC News Thursday that the investigation continues, and "we identified the vulnerability on July 29 and took immediate action to stop the intrusion."

tech details

TheDrake

Re: Equifax
« Reply #6 on: September 15, 2017, 02:24:34 PM »
And this deserves the creation of a new word combining incompetent and comical.

Quote
Equifax's site used to set up credit account monitoring in the wake of last week's security breach is also vulnerable to hackers, ZDNet has learned.

In the aftermath of the breach, the going recommendation has been to set up alerts and freezes on any and all credit accounts. Countless are thought to have flocked to the websites and the credit rating agency phone banks to protect themselves from hackers.

The problem is that Equifax's site used to set up alerts on individual's credit rating history (which we are not linking to) can be easily spoofed, security researcher Martin Hall told ZDNet.

ZDNet article with technical detail


yossarian22c

Re: Equifax
« Reply #7 on: September 15, 2017, 09:00:28 PM »
Quote
I think we need to be a bit careful about grabbing pitchforks. yossarian, did they "leak" everyone's data or were they hacked/breached (not a loaded question, I really haven't read much on this)? Both are bad, but not really in the same category.

You're right, leak probably isn't the appropriate word but I would go with grossly negligent. They didn't keep their software patched appropriately and didn't have the data encrypted. Based on what their business was those are unforgivable sins. I really see no justification for allowing them to continue as a business enterprise.

Gaoics79

Re: Equifax
« Reply #8 on: September 16, 2017, 07:27:26 AM »
Yossarian, normally I'd bristle at the implication that we can deign to "allow" a private company to exist or not exist based on its treatment of its customers. Yet, that is the problem: most never chose to be Equifax's "customers". Anyone with a credit card, a car loan, a mortgage, heck even a cell phone is forced to be a "customer" to one of these agencies, Equifax included. This type of situation is not unlike a BP oil spill where I'd welcome government coming in and putting a boot on the neck of private industry.

TheDrake

Re: Equifax
« Reply #9 on: September 16, 2017, 12:54:51 PM »
Quote
Susan Mauldin, chief security officer, retired and was replaced by Russ Ayres in an interim role, while chief information officer David Webb left and was replaced by Mark Rohrwasser in an interim capacity, the firm said.

Such wonderful theatre. Wait until you go public, then fire them. Not fire them 2 months ago when you found out what happened.