Equifax exposes personal info of 143 million Americans

USA credit-reporting bureau Equifax has been hacked. The breach allowed hackers to access the personal information of "approximately 143 million" Americans, or about 44% of the populace. According to the company, names, Social Security numbers, birth dates, and some driver's license numbers were exposed by the attack. Other, much smaller leaks include the credit card numbers for about 209,000 people and credit dispute documents for about 182,000 people. The information leaked this way could allow criminals to apply for fraudulent credit accounts or engage in other sensitive activities that rely on Social Security numbers for personal identification.

Equifax was aware of this catastrophic exposure of personal information on July 29, but sat on news of the hack until it had full details of the breadth of the intrusion. The company has set up an information portal for the breach so that Americans can check whether their personal data has been affected by the attack, and it's offering one year of its TrustedID Premier service to those who were victims of the breach. Be aware that signing up for TrustedID Premier could affect your legal rights in the event of a class-action suit over this breach. Equifax's general terms of service mandate individual arbitration for disputes with the company unless a customer opts out in writing, a practice that New York attorney general Eric Schneiderman has already called "unacceptable and unenforceable" in a tweet.

My spouse and I have both been affected by this hack (along with TR business guy Adam Eiberger and his family). We plan to freeze our credit reports at all three of the major bureaus and set up credit monitoring for the foreseeable future. We may also be setting up more rigorous security protections with our existing financial service providers. Ars Technica has a list of other steps one can take to protect their identity, as well. Because of the largely fixed nature of Social Security numbers, I'm expecting headaches from this breach for many years to come, barring a major re-imagining of the way financial institutions and businesses handle identity verification. For now, all we can do is batten down the hatches and wait.

Comments closed
    • Captain Ned
    • 2 years ago

    The LinkedIn profile of Equifax’s Chief Security Officer is interesting, especially in the education section.

    http://directorblue.blogspot.com/2017/09/equifax-you-had-one-job.html

      • chuckula
      • 2 years ago

      I’m not saying that I’m qualified to be a CSO of a company that’s very existence directly hinges on keeping large amounts of sensitive data secure.

      But I am saying that I’m more qualified than who they got now!

        • NovusBogus
        • 2 years ago

        I dunno man, I’ve looked at a few of those C-suite job postings on the Internet and they usually list “2+ years of being in good with all the right people” pretty high up the requirements list. I certainly don’t qualify, but maybe I just don’t attend the right country clubs for that kind of thing.

      • Anonymous Coward
      • 2 years ago

      Hmm, yeah would have been nice to see what those “professional” jobs were about. A person could in theory start with one background and end up very good in another field via work experience, although in this case the evidence suggests that is not what happened.

      • NovusBogus
      • 2 years ago

      Oops, looks like someone might have just fallen off the corporate ladder.

      • lilbuddhaman
      • 2 years ago

      oh look, a diversity hire

        • Anonymous Coward
        • 2 years ago

        That's idiotic. The problem here is that they appear to have hired someone who was incompetent. Also a woman, but that's beside the point. There are lots of women who can manage IT and security just fine, individual heroism is not a requirement frankly, but for whatever reason they (apparently) chose to hire someone to keep a seat warm while the bus drove off a cliff.

        That's the issue. Not women, not diversity.

        • Wirko
        • 2 years ago

        ♬!

      • Voldenuit
      • 2 years ago

      Maybe she invented a music-based form of encryption, like Hedy Lamar?

      Too much to hope for?

        • Anonymous Coward
        • 2 years ago

        Musical CAPTCHA?

          • CuttinHobo
          • 2 years ago

          You have to be able to play a visually-garbled sheet of music on the instrument of their choosing. Genius!

      • derFunkenstein
      • 2 years ago

      Oh, music COMPOSITION! I was music ed. Well, great. I’ll never be a CSO now.

    • Krogoth
    • 2 years ago

    Methinks this leak was an industrial espionage operation. The guys who pulled this off are professional criminals not some disgruntled employee.

      • K-L-Waster
      • 2 years ago

      Never assume malicious genius is at work when garden variety incompetence will do.

        • Anonymous Coward
        • 2 years ago

        So far security incompetence seems more likely than hacking brilliance.

        I’d like to hear how it was done though.

        • Krogoth
        • 2 years ago

        This leak has all of the hallmarks of industrial espionage done by professionals. They simply took advantage of the incompetence which made their job easier.

        They didn’t take advantage of their stolen goods off the bat either which means they have larger plans for them.

    • AMDisDEC
    • 2 years ago

    I’ve signed up for the class action lawsuit against them.

    Their business is to manage, control and safe guard customer data, and that’s it. If they can’t perform this duty, then what good are they?

    The question is, what level of compensation should be awarded, and what value should be placed on your personal financial information, $10, $100, $1000?
    A $100 per person award would likely bankrupt the company, but that’s a good thing. Their function should have never been placed under a private entity anyway. It would be better for citizens if their function were under federal or state government control.

      • 223 Fan
      • 2 years ago

      Ever hear of OPM?

        • AMDisDEC
        • 2 years ago

        Other People’s money!

          • Captain Ned
          • 2 years ago

          Try Office of Personnel Management, as in part of the US Federal Gov’t.

          https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/

            • AMDisDEC
            • 2 years ago

            What’s your point?
            Obviously these hackers aren’t high school kids sitting in their Momma’s basements, but more likely professionals in the Russian/Ukrainian cyber-terrorist groups.
            The irony is these same two countries who consistently show up on the FBI’s top 10 most wanted for cyber crimes have for the last 20 years enjoyed easy immigration to the US, like New wave Operation Paperclip Nazi operatives.

            • Captain Ned
            • 2 years ago

            "It would be better for citizens if their function were under federal or state government control."

            That's my point. I work for State gov't. There is no entity that is as inflexible, slow to respond, slow to innovate, and slow to understand the actual threats and risks as gov't. We're no good at prevention but, by golly, we're experts in bayoneting the wounded.

            • 223 Fan
            • 2 years ago

            Not to mention when bureaucrats screw up there is no one to sue.

            • AMDisDEC
            • 2 years ago

            That’s utter nonsense.
            I’ve worked for various agencies in the government, as well as military primes supporting the same. I can safely say, there are no private companies capable of leveraging the finances and resources of the Federal government agencies such as the US Treasury, DoD, NASA or NSA.

            The problem here is private publicly traded corporations who are so motivated by profit, they spend very little on R&D, modernization and innovation.
            They are akin to the public utility companies who refuse to invest and still run electricity over transmission lines paid for by taxpayers in the 1940s.
            Equifax (as well as the other companies) spends much money to increase the amount of personal data it collects on us, and little money on methods to secure that data. This breach should serve to put them out of business and replace them with something more sensible for the times.

            The federal government invests hundreds of billions on R&D to develop newer encryption and security methods. All that’s needed are systems engineers to implement new systems integrating these solutions, and these systems actually already exist for securing military and national security data.

            • NovusBogus
            • 2 years ago

            DoD and NSA... those are the ones where the two disgruntled employees walked off with ‘keys to the kingdom’ and posted everything on the Internet for the lulz, right? Clearly paradigms of internal security and access control worthy of even more power and influence over the citizenry.

            • AMDisDEC
            • 2 years ago

            That’s right. It took an inside job to get to the data, and even though those employees were extremely vented to gain top secret clearances, there were still levels of data they didn’t have access to.

            • ludi
            • 2 years ago

            No, “extremely vented” is what would have happened if the active security detail had encountered the thieves in the act.

            • AMDisDEC
            • 2 years ago

            You don’t understand the process of getting hired at the NSA or any other high security government post.
            It isn’t at all like getting hired at Equifax.

            • MOSFET
            • 2 years ago

            So is it private or public?

            "private publicly traded corporations who are so motivated by profit"

            And what else would a company be motivated by? Revenues only get you so far; expense tracking only gets you so far... at the end of the day/year, it's about how much you made AND kept. That's capitalism. The alternatives... well, not for me. (I swear, this is not an attack - but you seem to like AMD's penchant for "profit".)

            • AMDisDEC
            • 2 years ago

            “That’s capitalism. The alternatives…well, not for me.”

            Tell that to the Chinese who these so-called American Capitalism experts are in debt to the tune of $5 Trillion, and growing.
            Is that the alternative you’re speaking of, a communist country that out-capitalists the Capitalists?
            I know what your response will be; The Chinese aren’t Communists.
            Perhaps they are the new revised communists, but Americans are Capitalists, and not too good at it because as usual, they fail to comprehend the basic laws of cause and effect as the communists have indisputably proven.
            $5 Trillion dollars! That’s a heck of a lot of capital.

            • Anonymous Coward
            • 2 years ago

            Being light on regulation doesn’t mean management sees IT as anything other than a burden. The most secure place I’ve worked was at a university, running on state & federal money.

            • AMDisDEC
            • 2 years ago

            Every state across the country seems to forget how much research money they receive from government entities, annually.

    • juzz86
    • 2 years ago

    Question from an Australian with very little knowledge of your workings:

    Surely there is recourse for you here? A ‘free’ year of the coverage you should’ve had by default seems extremely pissy (considering the price you’ve already paid for it).

    nVidia had to pay for what was basically nothing through a class action. Is this similar? Will it be massive because of the scale?

    It seems like a totally monumental -uck up.

      • NovusBogus
      • 2 years ago

      Compensation requires proof of malfeasance or trying to cover it up, simply getting pwned due to bad luck and/or colossal stupidity doesn’t qualify. Bear in mind NV wasn’t actually convicted of any wrongdoing. They settled out of court because that was preferable to having engineers and execs admit very publicly that they shipped a product with a questionable optimization, i.e. bribing the lawyers was cheaper than loss of goodwill and future sales due to reliability concerns.

      Also, a free year of some crappy service is actually pretty typical of US class action lawsuit settlements. The way it works is the lawyers walk away with $50 million or so and the actual class members get like ten cents worth of phony perks. This is America, law is for lawyers.

        • juzz86
        • 2 years ago

        Thanks for the run-down mate.

    • albundy
    • 2 years ago

    “Thank You
    Based on the information provided, we believe that your personal information may have been impacted by this incident.
    Click the button below to continue your enrollment in TrustedID Premier. ”

    Time to lawyer up…again. You better believe I’ll be suing for any and all damages.

    • Mr Bill
    • 2 years ago

    Not a server expert, but the information portal for the breach is hammered; it's not even responding to queries. If this is an example of their server prowess, no wonder they were hacked.

    • GTVic
    • 2 years ago

    That is 44% of the population which basically equals the political party split. So that means all the Democrats just got hacked.

      • Kretschmer
      • 2 years ago

      No, if you factor out children and people without credit it was more or less everyone with an active credit history. Scary stuff!

    • YukaKun
    • 2 years ago

    Full disclosure: I work at Experian.

    HAHAHAHAHA!

    Sorry. That is all.

      • Mr Bill
      • 2 years ago

      +3 Made me laugh

      • NovusBogus
      • 2 years ago

      Just wait till next month. 😉

      • ronch
      • 2 years ago

      That was evil, but it felt so good!!

      • adampk17
      • 2 years ago

      There are two types of companies. Those that have been hacked and those that don’t know it yet.

        • Anonymous Coward
        • 2 years ago

        Only the paranoid survive.

        • Wirko
        • 2 years ago

        Subtype: been hacked and now believe they’re immune.

        https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/

        "In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers. Experian also for several months granted access to its databases to a Vietnamese man posing as a private investigator in the U.S. In reality, the guy was running an identity theft service that let cyber thieves look up personal and financial data on more than 200 million Americans."

        ha. ha.

          • Anonymous Coward
          • 2 years ago

          Oh I see, the bosses *are immune*. They have figured out that the security budget can be routed elsewhere and no harm is done.

    • derFunkenstein
    • 2 years ago

    Tangential: some Equifax execs sold stock after the breach but before informing the public: http://www.marketwatch.com/story/equifax-executives-sold-stock-after-data-breach-before-informing-public-2017-09-07 They claim to have had "no knowledge" but please...

      • chuckula
      • 2 years ago

      Equifax Execs!!! You got some splainin’ to do!

      • Captain Ned
      • 2 years ago

      Insider trading prosecutions have had some rough times of late, but anyone employed by Equifax who sold between 7/29/17 (discovery) and public reveal should expect a visit from the SEC.

        • derFunkenstein
        • 2 years ago

        I should certainly hope so.

        • chuckula
        • 2 years ago

        "anyone employed by Equifax who sold between 7/29/17 (discovery) and public reveal should expect a visit from the SEC."

        I don't think those Equifax insiders would do very well against Bama's defensive line!

        • Kougar
        • 2 years ago

        Damn well better.

          • NovusBogus
          • 2 years ago

          Oh, they will. SEC investigates even totally innocuous things, to the point that most publicly traded companies prohibit employee trading outside of very narrow windows. The better question is whether any charges will stick, which unfortunately depends a little bit on what they did or didn’t know and a whole lot on the quality of their lawyers and/or political connections.

      • Kougar
      • 2 years ago

      How naive do these people have to be to think they could get away with insider trading off the worst information leak in US history?

        • Redocbew
        • 2 years ago

        In my experience there’s a fine line between business people who believe they can accomplish anything, and business people who believe they can get away with anything.

        • derFunkenstein
        • 2 years ago

        Pretty ballsy, I’ll say

        • Anonymous Coward
        • 2 years ago

        Could be the whole place has self-selected to be nest of incompetence.

    • Vigil80
    • 2 years ago

    Maybe some emergency legislation that disallows the agencies to charge for credit freeze/thaw?

    “Oops, I tripped and stuck you with this needle of swamp rotitis. Guess I really should tie my shoelaces. Oh well, lucky for you I have this medicine you can buy!”

      • chuckula
      • 2 years ago

      I was able to freeze for free at Equifax/Experian/Trans Union.

      Something tells me they are a little more willing to do that for free since it might prevent them from getting sued or legislated into doing it.

        • G8torbyte
        • 2 years ago

        Also don’t forget Innovis: https://www.innovis.com/personal/securityFreeze It's the other agency that runs credit reports on consumers.

    • chuckula
    • 2 years ago

    Just got done freezing credit at all three major bureaus. Next to take care of the Mrs.

    I’m still on the fence about mini-Chuckula but he’s never tried to apply for credit (I’m expecting that after he turns 3).

      • Ummagumma
      • 2 years ago

      You better look to see if the bureaus haven’t already started files on “little Chuckula”….

      For all you know, someone else has “helped him” get started on his future creditworthiness.

    • Captain Ned
    • 2 years ago

    I could have (and often have) said that something like this was bound to happen at some point given the day job. Maybe now those people will listen to us [/s].

    Aye, the haggis is in the fire for sure.

      • chuckula
      • 2 years ago

      Why the hell anybody at Equifax thought that leaving hundreds of millions of credit records directly accessible from their public website was a good idea is beyond me.

        • derFunkenstein
        • 2 years ago

        I haven’t seen anything on exactly what the breach was, but is that what happened? I wondered if it was just some contractor gained access to stuff he shouldn’t have. Not that I want my info floating around either way.

          • chuckula
          • 2 years ago

          Details are still sketchy but the initial report from Ars based on information from Equifax’s own announcement indicated that the attack was made against the Equifax website: https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/ Maybe there was more to it than that, but it appears the website was at least part of the issue.

            • derFunkenstein
            • 2 years ago

            Ah, yeah. The statement on the Equifax check page is pretty clear.

            "Criminals exploited a U.S. website application vulnerability to gain access to certain files."

            • Captain Ned
            • 2 years ago

            If this was an SQL Injection attack, Equifax IT management should be publicly burnt at the stake. It’s a decade-old attack trivially blocked.

        • Redocbew
        • 2 years ago

        Agreed. The site should have had its own data pool that had been scrubbed of sensitive information. Unless there’s more than just a web based exploit involved, it’s hard to see how simple incompetence doesn’t have a role here.

    • derFunkenstein
    • 2 years ago

    With 143 million exposures, it seems like pretty much every adult who has ever had a loan or credit card issued is affected. I know my wife and I are, too. This is just the worst.

    Also, I think it’s hilarious they’re giving a free year of this service designed to protect the people they were unable to protect in the first place.

      • DragonDaddyBear
      • 2 years ago

      A year won’t be enough, either. This is going to affect people for years.

        • derFunkenstein
        • 2 years ago

        Without a doubt. We’re all screwed.

          • spiketheaardvark
          • 2 years ago

          Since we are near to achieving 100% failure, at minimum “credit monitoring” needs to become universal.

      • Mr Bill
      • 2 years ago

      Congress should weigh in and redefine what needs to be present to apply for credit. I think habeas corpus and notary witness should become a requirement.

        • NovusBogus
        • 2 years ago

        Banks aren’t gonna like that; how else would they spam us with credit card offers? Sure, Congress could try but they wouldn’t get very far.

        “That’s a nice pool of buyers for national debt you have there, it would be a shame if something were to happen to it…”

      • designerfx
      • 2 years ago

      143 million is the initial estimate. With enough time, the estimates tend to be larger than initial. This is the “downplay”, which accounts for 46% of America. It wouldn’t surprise me if the total is 80% or so. https://www.techdirt.com/articles/20170908/17363538172/equifax-security-breach-is-complete-disaster-will-almost-certainly-get-worse.shtml

        • derFunkenstein
        • 2 years ago

        Yeah I certainly don’t expect them to come back and say “oh, sorry for the panic, it was only like half that”

    • chuckula
    • 2 years ago

    The whole system that treats Social Security numbers* as a magic passcode is complete bravo sierra that needs to come to an end sooner rather than later.

    * Incidentally, if you want to see how little federal law seems to matter, the original Social Security act made it a felony to use your SSN for any purpose other than actually doing social security transactions. What a joke.

      • derFunkenstein
      • 2 years ago

      At least some government entities are getting away from SSNs. For example, pretty much every state board of education assigns state-wide ID numbers to students (edit: and staff, too) for reporting purposes. Why can’t the financial world do the same? Many of our customers in some states have removed the SSN from the student data management software I work with because they don’t need it for reporting purposes.

        • Captain Ned
        • 2 years ago

        "At least some government entities are getting away from SSNs. Why can't the financial world do the same?"

        Taxes and the IRS. Any sort of financial world income is reported to the IRS on an SSN for an individual or an EIN for a non-natural person. Seeing as the IRS is still using 30+ YO mainframes as its core processing, trying to change the IRS before changing that infrastructure would cost more $$ than any American would be happy to see being spent on the IRS. Even then, as a gov't IT project it'll clearly go at least 5x over budget and 3x the delivery date.

        "Scientists at CERN in Geneva have announced the discovery of the heaviest element yet known to science. The new element Governmentium (Gv). It has one neutron, 25 assistant neutrons, 88 deputy neutrons and 198 assistant deputy neutrons giving it an atomic mass of 312. These 312 particles are held together by forces called morons which are surrounded by vast quantities of right-on-like particles called peons. Since Governmentium has no electrons or protons, it is inert. However, it can be detected because it impedes every reaction with which it comes into contact. Even a tiny amount of Governmentium causes a reaction which normally takes only a few days to complete to four years or more to finish or resolve. Governmentium has a normal half-life of 2-6 years. It does not decay but instead undergoes a reorganization in which a portion of the assistant neutrons and deputy neutrons exchange places. In fact, Governmentium’s mass will actually increase over time since each reorganization will cause more morons to become neutrons, forming isodopes. This characteristic of moron promotion leads some scientists to believe that Governmentium is formed whenever morons reach a critical point of concentration. This hypothetical quantity is referred to as critical morass.
        When catalyzed with money, Governmentium becomes Administratium, an element that radiates just as much energy as Governmentium since it has half as many peons but twice as many morons. Vast sums of money are consumed in the exchange yet no other by-products are produced."

          • derFunkenstein
          • 2 years ago

          If they’re not going to move away from using the SSN, then the government should be able to change it. Frankly, I don’t see this as a valid excuse to give people immutable identification numbers that are magic passwords to everything in the real world.

            • Captain Ned
            • 2 years ago

            I fully agree with you, yet the fact remains that a good chunk of the Federal world is still running on ’70s-era mainframes and the needed changes just aren’t possible in that architecture.

            If you want to bring Federal ID into the 21st century, Federal IT has to get there first. Congress won’t pay for it and voters won’t force Congress to pay for it, so we’re stuck. And no, 21 years just in state-level gov’t has done nothing to make me such a cynic.

        • Mr Bill
        • 2 years ago

        It was policy at Texas Tech U that students make up their own random number (not their SSN) to use for posting of tests.

      • spiketheaardvark
      • 2 years ago

      It’s obviously a broken system. Hopefully things won’t have to get much worse before someone decides to design a better system. Maybe something that doesn’t rely on keeping an unchangeable 8 digit number secret.

      • Wirko
      • 2 years ago

      Living across the pond, I cannot really grasp what the consequences are. Our governments give us numeric or alphanumeric usernames upon birth. It now seems that the US government issues a numeric password to everyone and you can never change it, correct?

        • Captain Ned
        • 2 years ago

        One’s SSN was originally designed for one purpose. It is one’s account number in the US gov’t old-age pension scheme (please divert all analyses of Social Security fiscal realities to R&P; this isn’t the place). It is for that reason that the original Act forbade the use of SSNs as ID numbers for any other purpose.

        Add to this the particular American paranoia over universal Federal gov’t-issued ID cards (“papers please” may have worked in Eurasia, but not in any way in the US post-WWII) and you get the dichotomy of a populace that doesn’t want to be identified yet, if they are in the workforce, must have an SSN so that their proper benefit amounts may be calculated at some point in the future.

        Up until about 1970 or so [/handwave] if you were not part of the formal workplace and not earning formal wages, you didn’t need an SSN. Over time, and so slowly so that the vast majority never sensed it, the Federal gov’t ignored the ID prohibition of the original Act (my Dad joined the active-duty military in 1962 and his SSN was his serial #) and has now used it for everything.

        Case in point. SSNs are issued in the format xxx-yy-zzzz. XXX represents where it was issued, YY represents when it was issued, and ZZZZ is simply sequential for each YY. I was born in 1964. In those days, one never got an SSN until they entered the workforce, yet my paternal grandfather ran out and got me one at my birth, mainly because he wanted me to have a “Vermont” SSN (008- or 009-, and the location prefixes are public record) because I was born in a Kansas AFB base hospital. To this day, every time someone runs a credit bureau on me (about every 5 years when I buy a new car) I warn them that they will see an alert that says I’m too young for the middle 2 digits in my SSN as, according to how it was done back then, my SSN is 20 years older than me.

          • Wirko
          • 2 years ago

          Ah, thanks. So the SSN is not a random number but also reveals some information about your (probable) age and location. That’s too bad in itself if the numbers are leaked. (not if, WHEN).

          And, of course, that fear of identification is another thing that’s less familiar to us Eurasians – I mean, the police will identify you and track you in any country if they feel like doing so, right?

            • Captain Ned
            • 2 years ago

            "And, of course, that fear of identification is another thing that's less familiar to us Eurasians - I mean, the police will identify you and track you in any country if they feel like doing so, right?"

            We Americans still hold dear the idea of just walking off into the wilderness and dropping off the face of the digital planet. C'mon, that trope is why Westerns still exist.

            • K-L-Waster
            • 2 years ago

            But presumably you still expect running water, a Starbucks within a 5 minute drive, and free WiFi, right?

            (Up here in Canada we don’t romanticize the idea of walking off into the wilderness so much… largely ‘cus it’s frickin’ cold out there….)

      • Wirko
      • 2 years ago

      When everyone is a felon, no one is.
