Equifax’s latest breach is very possibly the worst leak of personal info ever

“It’s a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users,” Dan Goodin reports for Ars Technica.

“The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals,” Goodin reports. “By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.”

“What’s more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population,” Goodin reports. ” When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come.”

Read more in the full article here.

MacDailyNews Take: Goodin also notes that the stupidly constructed website which Equifax created to notify people if they’re affected by the breach and DOESN’T EVEN CLEARLY DO SO (Hint, clueless Equifax IT doofuses: Tell the user if they are AFFECTED or NOT AFFECTED, you fscking morons), “is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.”

Would that the levels of security and privacy that Apple delivers were matched by companies that are in possession of everything needed to steal someone’s identity and basically ruin their lives. All of the information that people like us choose Apple products in order to protect has basically been pissed away in one fell swoop by braindead Equifax. Looks like we could have used some random porous Windows PCs and Android phones for all that privacy and security matters to shit outfits like Equifax.

If there’s any justice in this world, Equifax — who obviously couldn’t even bother to hire qualified IT people who understand how to protect highly sensitive data — will be destroyed over this latest breach by lawsuits, fines, and loss of business due to their blatantly obvious incompetence.

FYI: The U.S. FTC’s “Do You Need a New Social Security Number?” page is here.

SEE ALSO:
Beleaguered Yahoo faces U.S. SEC probe over data breaches – January 23, 2017
Yahoo confirms data breach of at least 500 million user accounts – September 22, 2016
1.16 million more reasons why Apple Pay is the future: Staples’ security breach payment card debacle – December 20, 2014
Judge rules banks can sue Target over credit card breach; Apple Pay value proposition intensifies – December 8, 2014
Massive data breach: Target’s Windows-based PoS terminals were infected with malware – January 13, 2014

53 Comments

      1. Every time a libtard colleague utters a nasty canard or unfounded gossip, I simply smile for the confirmation of my correctness. A “down vote” from a libtard is a plus in my book.

      1. The Consumer Financial Protection Bureau issued a proposed rule to prevent consumers from being forced to accept arbitration clauses (see the post below), but the rule won’t be effective until later in September. However, the House has voted to block the rule. So far, there has been no action in the Senate.

    1. What this country needs is a new national identity system that is more secure than a number.

      My identity was stolen earlier this year and numerous attempts at batting credit cards have occurred. Total PIA.

      My ID was probably stolen at a doctors office or medical facility. Every time I check in, they make a copy of my Medicare card, with SS number, and drivers license, with everything else needed for identify theft.

      Also, I had credit checks for solar last year

      Too many easy opportunities for thieves.

      We need a new system

      1. Fully agree. We need a tech leader to develop a better system – an ApplePay-like method for personal ID and passwords. Existing systems at this point are more disruptive for the end user than any sophisticated hacker.

    2. Fun fact! Did you know Equifax has a special product called “The Work Number®”. This is a secret (club) where HR departments for big companies volunteer your salary and other employment information so other club members can see if you lied on that application!

      https://www.theworknumber.com/

      It’s not just your SSN and address for sale on the dark net tonight..

      Sleep well
      (And never ever lie about your prior job dates/salary).

    3. If you are considering locking down your credit remember that there are consequences. I was told that no new credit lines could be opened. Sounded good. But then I found out that..

      1. If you are applying for a clearance with federal government/DOD, the first thing they will do is check your credit — and that’s just for the “interim clearance” (lets you work until the real investigation is over). If you lock down your credit record this could delay your ability to work. Some private companies will also look at your credit when you apply for a job (you will sign permission for them to do this of course)

      2. Locking down my credit record threw an exception on my taxes. Turns out the credit bureaus sell a service to validate your address and other basic info. In some cases, the IRS uses this service. I know this because they couldn’t validate my information.

    1. Derek, Any news? After the Equifax, OPM, Home Depot, Target, Yahoo… I mean what’s left to breach? OPM, victims have 10 years credit monitoring. I am not sure if it’s worth it to get Equifax’s credit monitoring service. On the other hand, any good lawyer will ask you to prove your ID Theft was born from the Equifax breach. Given the number of breaches, it may be impossible to prove who’s at fault.

      1. YES. I wrote up a summary evaluation as a comment series in the thread at the MDN page. It provides links to two articles that elaborate upon the fact that the Equifax response website is 🐂💩. I also added a link beneath that post regarding the $23 million fine Equifax and TransUnion had to pay at the start of 2017 for proven FRAUD perpetrated against their customers.

        Summary:
        Do not bother with the worthless/broken Equifax response website. Hopefully, this crap company will be shamed into providing a REAL response in the near future.

        1. I believe I speak for almost everyone when I say DAMN those three Equifax executives who sold their company stock after the breach was discovered. Insider trading at its most craven and cynical! I say, lock them up and throw away the key. Following due process, of course.

    1. This can’t hold up in court. They are required to inform you if you have been affected. On the part of the consumer, checking the website would meet that requirement, and you can’t possibly agree to arbitration, by checking. You could be held to arbitration if you accept the credit monitoring.

      At another level, submitting your information and getting a response, is under duress. I propose Equifaxe’s agreement is non-binding and meaningless.

  1. this sounds bad

    even if you found out you’ve been compromised , what can you do about it?

    you can’t really change
    your social security number, name, birth date etc

    not like a password you can alter.

    ——-

  2. All three credit reporting agencies offer a credit freeze service. In cases where there is identity theft the service is free. Otherwise depending on the state the service is anywhere from $4-10 per agency. With a credit freeze nobody can get a loan or credit card in your name if they require a credit check (which is a universal requirement) Money well spent in my opinion. Identity theft services like LifeLock and whatever Equifax is offering only notifies you of suspicious behavior after the fact.

    https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

    https://www.transunion.com/credit-freeze/place-credit-freeze

    https://www.experian.com/freeze/center.html

  3. At their core methodologies, Equifax, Transunion, and Experion are the three most insidious and far-reaching civilian domestic spy agencies operating nearly uncheckedwithin U.S. borders. They form an integral part of the US’s National Security Police-Spy Apparatus led by the 17 spy agencies dominated by the CIA and the NSA. Whatever the latter two can’t legally collect on citizens, they can legally purchase from those three.

    1. Not correct. Sure, they collect some financial information about you, but “insidious”, “far reaching spy organization”, you’ve got to be kidding. Who makes this crap up? The information they collect goes into models that predict how likely you are to repay a debt if one is incurred. Your actual credit card company has more information about you than those three companies (equifax, transunion, experion) do.

  4. There’s no defending Equifax for screwing up and likely causing many people some real problems in the coming years….but to say that they need to be “destroyed” and “shut down” is over the top blather. Do you really have any idea what you’re saying? (rhetorical question)

    The primary reason people in the US are able to borrow money so cheaply (relatively speaking) for things like cars, homes, personal loans, credit cards, student loans, boat loans, and on and on…is because we have credit bureaus that have collected enough trusted and reliable information about people for financial institutions to get comfortable lending to you in an automated manner. It’s really that simple. You cannot have one without the other.

    Again, Equifax was breached and there will be significant consequences. I wonder if it’s worse than the Chinese getting into the Government personnel information two or three years ago (they even got fingerprints there, including very detailed histories of personal issues for anyone who has ever applied for a position with the government). Or is it worse than stealing our top secret defense plans, or nuclear secrets…or every other damn thing that has been stolen online.

    1. If Equifax goes under because of this data breach, it will be because of their insecure operation. That’s how things are supposed to work. Credit reporting agencies may serve a purpose, but they have a duty to make sure the information they are reporting to their customers is accurate and to insure all of us on whom they are collecting data that what they collect on us is kept secure. If they can’t do both of those things, they deserve whatever fate befalls them.

      Wouldn’t you like to know why it took Equifax so long to discover the breach as well as why it took them so long to notify us?

      1. No doubt you’re right about that. If it happens, it happens. I just don’t think we should be going around wishing it happens. Even losing one of the three bureaus would have an impact – on competition, on pricing, on availability….which would have an impact on the institutions that rely on them.

        While all three provide a similar sounding product or output, they do so in very dissimilar ways. Additionally, the quality and quantity of data is unlikely to be the same universally across the three bureaus because their information sources aren’t all identical, nor are the models they’ve built to weigh consumer risks. If there were 10 or more companies of scale providing this service, I wouldn’t lose any sleep about 1 getting cremated for such a failure/breach. But when there are just 3 primary ones…the consequences are less sanguine.

  5. Three general thoughts on this massive and inexcusable screw up…

    1. Defenders of the Windows hegemony have used the security via obscurity myth to justify why Apple products have so few viruses and hacks versus Windows. But the massive numbers of iPhones and iPads in use put the lie to that. It’s time that big businesses dump MS Windows version ALL. That FUBAR spaghetti code has been the source of endless bugs and data breaches since the inception of the internet. It’s time for Microsoft to own up to this, recognize the severity of the problem and completely rewrite Windows using one of the standard UNIX variants. This is not just a good idea, at this point it is a national security interest.

    2. It’s high time that two-factor authentication and/or use of biometric data be made mandatory on the interwebz. That’s not gonna help technophobes who are unable or unwilling to learn basic computer/internet skills. But for the remaining 95% who have these basic skills it will greatly increase security.

    3. Let’s make the lesson to industry plain and clear by suing Equifax to the point of bankruptcy.

  6. DO NOT USE EQUIFAX TEST WEBSITE!

    It has been confirmed that the website Equifax set up in response to their record-setting data breach is BROKEN and NON-FUNCTIONAL. Don’t bother with it at this time!

    I strongly suspect Equifax will be SHAMED into starting from scratch all over again in the near future.

    MEANWHILE:

    Here is relevant reading, followed by a third link regarding a fine nasty Equifax had to pay earlier this year for FRAUD:

    Equifax Breach Response Turns Dumpster Fire@KrebsOnSecurity

    Equifax’s Instructions Are Confusing. Here’s What to Do Now.

    …Equifax should have made the monitoring last forever. Since it didn’t, it will now be able to solicit everyone who signs up for its year of free service. And what do you want to bet that the company will offer an extension bright and early on day 366 for, say, $16.95 per month?

    So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

    In the meantime, here’s hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files. I’ve used them for years, and here’s how they work. You sign up (and pay some fees, because you knew it wasn’t going to be free to protect data that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s and TransUnion’s websites. Christina Bater, managing director at Barrett Asset Management in New York, suggests freezing your file at the little-known company Innovis, too. Hey, why not?

    IOW: Do NOT bother with the Equifax website. Instead: FREEZE YOUR CREDIT FILES!

    Here’s hoping this train wreck destroys Equifax’s reputation and kills the company dead. Good riddance (IMHO).

    1. From January 4, 2017, here is a series of articles from around the net about Equifax and TransUnion being fined for deceitful bait-and-switch abuse of their customers:

      TransUnion And Equifax Fined $23 Million For Deceiving Customers

      Equifax is Dead-To-Me.

      Sadly, we now have to clean up the record setting catastrophic identity theft they inexplicably allowed to happen, and to which they have YET to adequately respond. IOW: Ignore their broken response website. It has been proven to be utter nonsense that tests nothing and signs visitors up for nothing. AKA: It’s 🐂💩

        1. Why Equifax’s policy was different is unclear and the company would not address it. But that such a discrepancy had gone unnoticed and unaddressed for so long underscores how lightly regulated the industry is.
          They might be even further behind on their debts after their cases are dismissed, making it harder to re-establish their credit. The effect of a dismissal lasts for years. At the very least, Equifax’s change in how it handles Chapter 13s means that the shadow cast by a past bankruptcy isn’t quite as long.I advice you to read this http://illinoisassetbuilding.org/wp-content/uploads/2016/03/IMPACT_Trapped-by-Credit_2014_1.pdf
          And feel free to contact me for ane reason on https://maybeloan.com

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.