
OT - Uh oh - Equifax hacked - personal info for 140+ million exposed


Phil O'Keefe


That's about half the country. Social security numbers, birth dates, even driver's license numbers were revealed in some cases.

 

And it's not just people in the USA - Canadians and people in the UK are also affected.

 

Looks like we can't even trust the credit reporting agencies to keep our personal information secure.

 

Great.

 

Anyway, you'd probably better read the linked article and use the tool linked in it to check whether or not you're one of the unlucky ones...

 

http://www.msn.com/en-us/money/compa...tN0?li=BBnb7Kz

 


  • Members

I tell everyone, just assume your personal info has been stolen by somebody. Take the steps - change all the relevant passwords, check all bank and credit accounts, check with the IRS to see if a fake return has been filed under your name/SSN, keep the computers clear of viruses, spyware, all that.

 

And....don't do personal banking business over a public wifi network. Really, that's just asking for trouble but people, especially kids, do it all the time.

 

nat

 


  • CMS Author

How do we know that's a legitimate Equifax web site and that we're not giving away our last name and 2/3 of our social security number to a data broker, if it hasn't already been stolen?

 

The link (off the equifax.com web page) takes you to https://trustedidpremier.com/eligibility/eligibility.html

Who the heck is that and why should we trust them? Maybe the Equifax web site got hacked and filling out the form sends your information to someone who might do something nasty with it - like put it in a package of 99,999 other names and partial social security numbers and sell it to someone who will sell that list to someone else who will make up about a dozen moneymaking accounts and then burn the computer.


How do we know that's a legitimate Equifax web site and that we're not giving away our last name and 2/3 of our social security number to a data broker, if it hasn't already been stolen?

 

The link (off the equifax.com web page) takes you to https://trustedidpremier.com/eligibility/eligibility.html

Who the heck is that and why should we trust them? Maybe the Equifax web site got hacked and filling out the form sends your information to someone who might do something nasty with it - like put it in a package of 99,999 other names and partial social security numbers and sell it to someone who will sell that list to someone else who will make up about a dozen moneymaking accounts and then burn the computer.

 

That's all certainly possible Mike, but I obtained the link from a major website's news story, and saw the same one used on another major site in their coverage of the story, so I have to assume the link is legitimate and not a scam.

 

Equifax discovered the hacking days ago and just now announced it, so assumedly they used the time in between to get their house in order.


  • Members
Actually they discovered the hack at the end of July, and took this long to tell people their identities had been compromised (I'm one of the lucky ones, of course). That's almost worse than the hack happening in the first place.

 

There's a class action suit in the works that alleges Equifax compromised their security procedures because they wanted a better bottom line. If that's true, I hope they get hammered into the ground.

 

Oh, it just gets better and better.

  1. Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers. So they got out before the stock on Equifax tanked and made money on the deal.
    https://www.bloomberg.com/news/artic...ing-cyber-hack
  2. The website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.
    https://arstechnica.com/information-...nal-info-ever/
  3. That new web site that you have to use to see if you are affected - if you use the site you also agree to a binding arbitration clause and agree not to sue. At the bottom of this new site is a section called "Terms of Use." There, in paragraph 4, is bolded, uppercase text of note. It tells site visitors that you agree to waive your right to sue and instead must "resolve all disputes by binding, individual arbitration."
     
    It will be up to the courts to decide whether arbitration agreements are enforceable. The legal standard is whether they're "unconscionable." We'll find out soon enough because class-action lawsuits are already being lodged on behalf of breach victims. New York Attorney General Eric Schneiderman strongly challenged the terms of service in a tweet to his followers: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it."
    https://arstechnica.com/tech-policy/...e-to-find-out/
  4. If your credit is compromised, Equifax will not help you straighten it out. "We do not offer, provide, or furnish any products, or any advice, counseling, or assistance, for the express or implied purpose of improving your credit record, credit history, or credit rating," the company says in its 7,200-word terms and conditions. "By this we mean that we do not claim we can 'clean up' or 'improve' your credit record, credit history, or credit rating."
    http://money.cnn.com/2017/09/08/technology/equifax-monitoring-services/index.html

And in the end, you simply have no choice but to continue to use these companies. If you want a car, a house, a loan of any type, you have to submit your information to them.

 

Oh yea, they got my info too. Lucky me. :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad:


  • CMS Author

 

Equifax discovered the hacking days ago and just now announced it, so assumedly they used the time in between to get their house in order.

 

They discovered the hack at the end of July, and disclosed it early in August. I wonder why it took this long for us common folks to get the word. Interestingly, three Equifax executives sold some of their personal shares of company stock a day or two before the hack was disclosed (they claim to have no knowledge of the problem), and the next day the stock took a dive.

 

 

OMG! Now what should I do? They got my name and 2/3 of my SS number and they said I may have been compromised, but it took less than a second for that to come back, so I'll bet they say that to all the girls. And I have to remember to come back in the middle of next week to enroll in what I guess is the free year of credit monitoring.

 

I'm done for. I should have known better. We all should have known better.


  • Members

This just seems to be getting worse and worse. If you went to the Equifax site and were told that you weren't affected, well, it probably isn't correct. It seems that the web site simply gives random answers.

  • Those hoping to find out if their Social Security number and other identifying info was stolen, along with a potential 143 million other Americans' data, won't find answers from Equifax. In what is an unconscionable move by the credit report company, the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach.

  • Also, if you have a credit freeze on your account at Equifax, turns out the PIN is just a date/time stamp. And it appears that they have been using this for well over a decade.

 

Every time there is a data breach, it always takes a while before the full scope of the damage is known. Given the damaging information being released just in the first couple of days, one has to wonder just how bad this will be when everything is finally known.

 

 

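The post above says the credit-freeze PIN was just a date/time stamp. The following is an added example (mine, not Equifax's or TrustedID's code) that shows why that is weak and how a defender could audit existing PINs for the pattern: it builds a stamp-style PIN, checks whether a given PIN parses as one, compares the effective keyspace of a stamp known to within a year against a uniformly random 10-digit PIN, and generates the latter with the OS CSPRNG. The 10-digit MMDDYYHHMM layout is a constructed assumption; the thread does not give the real layout.

```python
"""Why a PIN derived from a date/time stamp is weak, and how to audit for it.

Added example, not Equifax's or TrustedID's code. The stamp layout
MMDDYYHHMM (10 digits) is an assumption made for illustration; the
thread above does not state the real layout.
"""
import math
import secrets
from datetime import datetime

STAMP_FORMAT = "%m%d%y%H%M"   # assumed layout: month, day, 2-digit year, hour, minute


def timestamp_pin(year, month, day, hour, minute):
    """Build the weak style of PIN: the moment of enrolment, written as digits."""
    return datetime(year, month, day, hour, minute).strftime(STAMP_FORMAT)


def looks_like_timestamp(pin):
    """Audit helper: does this PIN parse as a date/time stamp in the assumed layout?
    A match means someone who knows roughly when the freeze was placed could
    enumerate the PIN minute by minute instead of guessing at random."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, STAMP_FORMAT)
        return True
    except ValueError:
        return False


def guesses_for_window(days):
    """Number of candidate stamp PINs when the enrolment time is known to
    within `days` (one candidate per minute)."""
    return days * 24 * 60


def entropy_bits(keyspace):
    """Effective strength of a uniformly chosen value from `keyspace` options."""
    return math.log2(keyspace)


def random_pin(digits=10):
    """How the PIN should be made: uniform over all `digits`-digit strings,
    drawn from the OS CSPRNG via `secrets`, zero-padded to keep leading zeros."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def compare(days_known=365, digits=10):
    """(bits of a stamp PIN when the date is known within `days_known`,
        bits of a random `digits`-digit PIN)."""
    return (entropy_bits(guesses_for_window(days_known)),
            entropy_bits(10 ** digits))


if __name__ == "__main__":
    weak = timestamp_pin(2017, 9, 8, 14, 30)          # constructed enrolment moment
    print("stamp-style PIN:", weak, "-> flagged:", looks_like_timestamp(weak))
    strong = random_pin()
    print("random PIN:", strong, "-> flagged:", looks_like_timestamp(strong))
    ts_bits, rnd_bits = compare()
    print(f"effective bits: stamp within a year {ts_bits:.1f}, random 10-digit {rnd_bits:.1f}")
```

A stamp known to within a year leaves about 525,600 candidates (roughly 19 bits), against 10^10 (about 33 bits) for a random 10-digit PIN, and a random PIN will only occasionally look like a stamp, which is why `looks_like_timestamp` is an audit heuristic to prioritise resets rather than proof on its own.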

  • Members

The only good thing about this - and it is bad too - is that it could be a wakeup call, in the sense that it's not about using the Internet and taking security precautions, but that no one in our data-driven society is immune from data theft, whether you go online or not.

 

Just glancing through the Privacy Rights Clearinghouse, many types of businesses are being hacked practically every few days: medical facilities, financial institutions, government agencies, small businesses, grocery stores and on and on. If you look at a lot of the reports, the extent of the hack is unknown, including the number of records captured.

Now on a general level most people know this, but few question the stability of our data driven society.

 

as one small incident: "....39DollarGlasses immediately took action and commenced an investigation to determine what information may have been accessed. 39DollarGlasses determined that the unknown individual may have accessed some of its customer names, addresses, telephone numbers, and credit/debit card information.."

 

 

It seems like we live on this huge ship which is being constantly battered with holes; perhaps most are tiny and only allow a few drops of water to seep into the ship daily for each incident. Others are a trickle or more. So are we, as a society, capable of questioning the weaknesses of computer technology? That in itself seems to be a taboo...

 

 

So why is Equifax making the consumer do the leg work to "try" to determine if we've been affected by this breach? In fact making the whole process unreliable? And how can there be a solution to this?


  • Members
That's about half the country. Social security numbers, birth dates, even driver's license numbers were revealed in some cases.

 

And it's not just people in the USA - Canadians and people in the UK are also affected.

 

Looks like we can't even trust the credit reporting agencies to keep our personal information secure.

 

Great.

 

Anyway, you'd probably better read the linked article and use the tool linked in it to check whether or not you're one of the unlucky ones...

 

http://www.msn.com/en-us/money/compa...tN0?li=BBnb7Kz

 

We never could trust those evil ***holes w/our privates. It's a formidable combination, evil intent with incompetence. Americans didn't stand a chance. I know I'm in that batch.


  • Members

Wow, everyone is angry at the company that got hacked - no mentioning the hackers themselves. I thought they were the real bad guys in these situations.

 

Sure, maybe Equifax was lax in their procedures. Or maybe not. How can I know? I can't take a few things heard off the web or in conversations somehow as solid proof of guilt. If I ran that company, would I have done things differently? How could I answer that question unless I knew a thousand more facts of the matter than I do now?

 

Society runs to judgement so quickly, it's scary. Looking for someone to blame, some target to take the heat.

 

I totally agree we rely too much on these faceless outfits that have our personal info. I totally agree that the internet+business=profits scenario has both enriched and endangered us. But only a very few people really worry about the dangers - until they experience them. Then it's all calling down fire and brimstone -

 

I also think the average person is extremely lazy and fatalistic when it comes to internet and digital privacy issues. Any new convenience, however insecure, however risky, gets grabbed up and used right off the bat. Everyone hides in the crowd. So here we go - the whole crowd has now been data-robbed - oops, that tactic didn't work, surprise, surprise.

 

You can protect yourself pretty well regardless of all this data-hacking. And I don't mean by going off the grid. However, there's no such thing as 100% safe - just relative degrees of safety that the wiser among us find out how to achieve. When has life ever offered us more than that?

 

nat

 

 

 

 

 


 

There's a class action suit in the works that alleges Equifax compromised their security procedures because they wanted a better bottom line. If that's true, I hope they get hammered into the ground.

 

If it can be shown that they compromised their security, they're going to get hammered hard. If they can show that those three executives knew about the hack prior to selling off their shares, someone's going to jail.

 

I heard the class action is suing for 70 billion, which sounds like a lot until you do the math... 70 billion divided by 143 million people... and then divide that in half for the lawyer's fees and costs, and as usual, the ones who will make the real money off this sad event are the attorneys.


  • Members
Wow, everyone is angry at the company that got hacked - no mentioning the hackers themselves. I thought they were the real bad guys in these situations.

 

 

The reason that I feel so angry at the company is that there is (for lack of a better term) an "air of arrogance" surrounding this whole thing. They really don't care about the fallout from this. They may face a fine or a law suit, but in the end they will continue to make money, and will likely make even more due to this in the future (remember, their sister company TrustedID is a company that helps 'protect' your credit and personal information - for a price). There will be hearings on Capitol Hill, but nothing will happen, and they will continue on down the road on their merry way, whistling all the way to the bank, because they are simply "too big to fail".

 

From everything that I have read on the tech sites, the hack was due to a long known vulnerability in their web platform. It apparently was a flaw that was around the last time they were hacked (2013) and they did nothing about correcting it. Why bother, what can be done to them anyway?

 

Then there is the fact that the hack occurred in May, they didn't discover it till July (says a lot about the competency of the IT folks) and they didn't report it till September - during which time at least three of the upper echelon sold their stock and made money (which sounds illegal to me - or at least it ought to be).

 

The company stated the delay was to allow them time to prepare a response. That response could have been handled better by a high school computer club. Then it is discovered that the site that is supposed to tell you if you have been a victim is just spitting out random answers. But they want you to sign up for their Credit Monitoring. While it is supposed to be free for a year, I'm sure they will make even more money as folks continue the monitoring for years.

 

And that is really the rub here. The information that was stolen will be valuable for decades. Unlike other breaches at other companies, this isn't a simple fix of going online and changing your username and password. You can't get a new name, new birth date, new SSN, etc. The company was cavalier with their security and some nasty folks took advantage of it. And you and I will be affected by it for a very long time.

 

If I leave my front door unlocked and someone comes in and steals my safe with my $5,000 in it, that is on me. If I have your money in that safe, say $5,000, along with the keys to your house and car, and I leave the front door open and the safe combination on a table next to the safe, who are you more mad at - the crooks who took the stuff, or me for not safeguarding your property? And this is far worse than someone stealing a safe.

 


  • Members

 

The reason that I feel so angry at the company is that there is (for lack of a better term) an "air of arrogance" surrounding this whole thing. They really don't care about the fallout from this. They may face a fine or a law suit, but in the end they will continue to make money, and will likely make even more due to this in the future (remember, their sister company TrustedID is a company that helps 'protect' your credit and personal information - for a price). There will be hearings on Capitol Hill, but nothing will happen, and they will continue on down the road on their merry way, whistling all the way to the bank, because they are simply "too big to fail".

 

If I leave my front door unlocked and someone comes in and steals my safe with my $5,000 in it, that is on me. If I have your money in that safe, say $5,000, along with the keys to your house and car, and I leave the front door open and the safe combination on a table next to the safe, who are you more mad at - the crooks who took the stuff, or me for not safeguarding your property? And this is far worse than someone stealing a safe.

 

I certainly want whoever's to blame to be blamed. As for analogies with a personal safe...in all cases of robbery, the robbers are the primary bad guys, no?

 

A business like Equifax should have a fiduciary duty, of course, to take all reasonable measures to keep the data safe. If they fail that duty, then sure, let the legal proceedings proceed. They could have taken reasonable measures and still been hacked. I'm just claiming that there's no way to know if they took reasonable measures or not without diving deep into the technicalities and the legalities. It will be complicated. The public doesn't like complicated when they are upset.

 

And I don't deny that so much stuff sounds fishy regarding Equifax's actions. But what if you went to court, charged with something, and the judge said, "What I read on the internet is really fishy and makes you sound guilty - I'm going with that, guilty as alleged, sentence is death by angry mob."

 

It's the rush to judgement that bothers me - millions of armchair judges, juries and executioners. Happens all the time - they should teach kids in school how hard it truly is to determine the truth in complex matters, how difficult to figure out exactly what happened, who did what, who is to blame, and what actions the justice system should take.

 

But the crowd is not interested - if the crowd is angry, the crowd is heavily, heavily biased to uncritical condemnation right off the bat. All it takes is for something bad to happen and a few articles insinuating guilt and that's good enough for most people to set their jaws and sign the death warrant.

 

It's not good enough for me. If I'm going to condemn someone I damn sure better not be talking out of my hat motivated by outraged self-interest. I better listen to all sides of the story and go through something like a critical analysis, listening to people who know more about this kind of thing than I do. If I'm too involved to be objective, I should hand it off to someone else to assess.

 

nat

 


  • CMS Author

It's interesting that with all the regulations and transparency requirements that there are for banks and other financial institutions, there doesn't seem to be an equivalent for the credit rating companies, even though they're so closely related to the banking business.


  • Members
It's interesting that with all the regulations and transparency requirements that there are for banks and other financial institutions, there doesn't seem to be an equivalent for the credit rating companies, even though they're so closely related to the banking business.

 

Absolutely. I've mentioned probably more times than people wish, that the tech industry has been since the 80s the extremely favored child of the business world. So there's a bit of a spoiled child syndrome at work - no rules for us, we're tech and you're not!

 

Now that the industry has matured into these giant-sized organizations, whose products and policies are totally interwoven into the daily lives of all of us, they are big and powerful enough to resist control, regulation, responsibility.

 

Shoulda spanked 'em when they were young, me old Dad woulda said. :)

 

nat

 


  • Members

Well, even more on the Equifax front, and none of it is good. Latest news comes from Argentina where they had a breach. Looked initially like about 100 victims (all employees) this time. But what is really scary - the administrator user name and password was 'admin/admin' (admin/password would have been my first guess).

 

But wait, it gets worse

"From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. "The site also lists each person's DNI [documento nacional de identidad]- the Argentinian equivalent of the social security number - again, in plain text." All told, there were more than 14,000 such records, Mr Krebs said, concluding that the firm had been "sloppy".

 

More over at the BBC http://www.bbc.com/news/technology-41257576

 

 


  • Members

As we mentioned earlier, we will probably find out this gets worse as time goes on. It has now been revealed that the vector into the hack of the Equifax servers was a known vulnerability in the Apache Struts software and that a patch had been released over two months prior to the hack. While the patch is not exactly as easy as simply uploading a new piece of software and does require some work to patch the vulnerability, it appears that Equifax did nothing to patch the exploit. (https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/)

 

Given what we have learned about their security practices I can't say I am surprised. I would also not be surprised to learn that there were probably other known vulnerabilities that remained unpatched and that this was not the only vector used to compromise their servers.

 

 


  • Members
As we mentioned earlier, we will probably find out this gets worse as time goes on. It has now been revealed that the vector into the hack of the Equifax servers was a known vulnerability in the Apache Struts software and that a patch had been released over two months prior to the hack. While the patch is not exactly as easy as simply uploading a new piece of software and does require some work to patch the vulnerability, it appears that Equifax did nothing to patch the exploit. (https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/)

 

Given what we have learned about their security practices I can't say I am surprised. I would also not be surprised to learn that there were probably other known vulnerabilities that remained unpatched and that this was not the only vector used to compromise their servers.

 

 

I followed the link to the arstechnica article - it's a bit hard for me to follow, not being versed in apps like Apache Struts and such....

 

Correct me if I'm wrong here: boiled down, the article says Apache Struts is a "framework" for developing Java apps "that run....Web servers." Ok, so I take that to mean Apache Struts is some sort of high-level programming language or app that enables users to produce customized apps to run complex arrays of Web servers. So Apache Struts must help users integrate all the various modules that come into play running servers like this - and security would logically then be one of the main "modules" or "protocols" or whatever tech term is used for custom programming with pre-written, high-level subroutines these days.

 

So we have all these government agencies, banks, large internet companies, and "Fortune 500 companies" who use Apache Struts to develop apps to run their servers, and Apache Struts issues patches, like all subscription software apps do, to fix this and that, and to try and stay abreast of security vulnerabilities.

 

Now it gets interesting, and I recommend folks follow the link to the Apache Struts Foundation statement issued Sept 9 just past. Here are some italicized quotes from that statement:

 

We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any.

 

So my interpretation is that they are sorry to hear the bad news, but they say the Equifax breach may or may not have been caused by a problem with Apache Struts.

 

....the security breach was already detected in July [5], which means that the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time...

 

Ok, Apache Struts says there are two possibilities - either Equifax had not updated all their servers and got hit with an attack that could have been prevented had they completed their updates, OR the big hack used a vulnerability that Apache Struts does not know about, i.e. the hackers have simply won this latest battle in the ongoing data wars. So they at least leave open the possibility that Equifax (or Apache Struts) is not really to blame.

 

Onward - this next quote I find fascinating:

 

...once [Apache Struts is]..notified of a possible security issue, we privately work with the reporting entity to reproduce and fix the problem and roll out a new release hardened against the found vulnerability. We then publicly announce the problem description and how to fix it. Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits will pop up in the wild.

 

So Apache Struts will learn about a vulnerability, dig into it, and come up with a patch. This process will take some variable amount of time. Once they have the patch, they send it to all the users (remember we're talking about big companies, governments, banks, etc.) and hold back publicly announcing the vulnerability "for several weeks" to give the users time to install the patches and cover their butts.

 

So I'm defining in my mind an intrinsic problem with this whole process, and it's a doozy. The public notification is at the very end of a potentially long period of time that is the sum of these time-variable activities:

 

> however long a vulnerability actually exists before someone finds it and reports it to Apache Struts,

 

> however long it takes Apache Struts to analyze the vulnerability, to write a patch, to test it, and to deploy it to the user base,

 

> "several weeks" is given to the users to install the patch (hopefully) before "exploits will pop up in the wild."

 

After all of the above time passes, then the public is notified.

 

So it seems to me the entire process is geared to announcing things publicly only after the "all is well" has been sounded. This protects the users - it protects Apache Struts - it keeps any crisis covered up until, hopefully, all is fixed. But hey, the pop-ups in the wild can and do happen during this cover-up period. Big pop-ups.

 

I feel a screaming need here for some sort of regulation - once a vulnerability is known, at least some notification to a governmental agency should be required. And some sort of process whereby the users can't get away with delaying patch installations due to whatever internal problems they might have. Like mandatory shut-down if an announced patch is not installed by date X. In the public interest - hence the need for regulation.

 

This is all too big to leave to failures to manage on our behalf....

 

nat

 

 

 

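Two points in the posts above lend themselves to a concrete check: the earlier post notes that the Struts patch had been available for over two months before the breach, and nat's post argues that users should not be allowed to sit on an announced patch past a deadline. The following is an added example (mine, not Equifax's or the Apache Struts project's code) of the kind of dependency audit a defender can run: it reads a Maven pom.xml, finds the framework dependency, compares its version against the advisory's fixed releases per branch, and reports how many days have elapsed since the advisory against an internal patch deadline. The pom.xml fragment, the advisory record, its fixed-version numbers and the 30-day policy are constructed placeholders, not the real Struts advisory; only the March 6 advisory date is taken from the thread.

```python
"""Audit a Maven manifest for an outdated framework dependency and measure
how long it has been exposed since the vendor advisory.

Added example, not Equifax's or Apache's code. SAMPLE_POM, ADVISORY (its
fixed versions are placeholders, not the real Struts fix releases) and
POLICY_DAYS are constructed; the 2017-03-06 advisory date is the one
quoted in the discussion above.
"""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed pom.xml fragment, namespaced the way real POMs are.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>customer-portal</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.20</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory record. The fixed versions are PLACEHOLDERS; the
# published date is the March 6 date mentioned in the thread.
ADVISORY = {
    "component": ("org.apache.struts", "struts2-core"),
    "fixed_in": ["2.3.99", "2.5.99"],   # placeholder fixed release per branch
    "published": date(2017, 3, 6),
}
POLICY_DAYS = 30   # assumed internal deadline for applying critical patches

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in text.split("."))


def find_dependency_versions(pom_xml, group_id, artifact_id):
    """All declared versions of one groupId:artifactId in the POM."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.findall(".//m:dependency", NS):
        g = dep.findtext("m:groupId", default="", namespaces=NS)
        a = dep.findtext("m:artifactId", default="", namespaces=NS)
        v = dep.findtext("m:version", default="", namespaces=NS)
        if g == group_id and a == artifact_id:
            found.append(v)
    return found


def is_vulnerable(version, fixed_in):
    """Vulnerable if the version sits below the fixed release of its own
    major.minor branch, or below the oldest fixed branch altogether (an
    end-of-life branch that never received the fix)."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_in)
    for f in fixed:
        if v[:2] == f[:2]:
            return v < f
    return v < fixed[0]


def days_since_advisory(advisory, as_of_iso):
    """Calendar days between the advisory and an ISO date such as '2017-07-29'."""
    return (date.fromisoformat(as_of_iso) - advisory["published"]).days


def audit(pom_xml, advisory, as_of_iso, policy_days=POLICY_DAYS):
    """One finding per vulnerable declaration, with the exposure window."""
    group, artifact = advisory["component"]
    exposed = days_since_advisory(advisory, as_of_iso)
    findings = []
    for v in find_dependency_versions(pom_xml, group, artifact):
        if is_vulnerable(v, advisory["fixed_in"]):
            findings.append({
                "artifact": artifact,
                "version": v,
                "days_since_advisory": exposed,
                "past_policy_deadline": exposed > policy_days,
            })
    return findings


if __name__ == "__main__":
    # End of July is when the thread says the breach was discovered.
    for finding in audit(SAMPLE_POM, ADVISORY, "2017-07-29"):
        print(finding)
```

Run against the constructed POM as of late July, the audit reports the 2.3.20 declaration as vulnerable with 145 days elapsed since the advisory, well past the 30-day policy; in a real pipeline the advisory record would be fed from the vendor's announcements and the check would run on every build, so that a missed patch is a failed build rather than a surprise months later.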

  • 3 weeks later...
  • Members
Interesting read, but in the end is the real culprit Internet tech itself? I see parallels between it and the nuclear industry.

 

That's a very interesting article indeed. Especially where it describes that it was March 6 that Apache Struts announced the vulnerability and provided the patch to users. By March 10, the hackers started penetrating Equifax. And that, once the hackers were in, they made their own back door, so even once Equifax installed the patch, the patch wouldn't keep the hackers out.

 

This is sci-fi, thriller sort of stuff - too bad it's real.....

 

I appreciate the fact that attention is being given to attacking the root problem, which is the hackers and their sophistication and possible ties to international espionage of some sort. And the general complexity of the entire internet security culture. It's pretty much still the wild west.

 

nat

 

