Equifax Says Cyberattack May Have Affected 143 Million Customers

Ron Czapala · 2017-09-08 01:20

https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

excerpt

Equifax, one of the three major consumer credit reporting agencies, said on Thursday that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.

The attack on the company represents one of the largest risks to personally sensitive information in recent years, and is the third major cybersecurity threat for the agency since 2015.

Equifax, based in Atlanta, is a particularly tempting target for hackers. If identity thieves wanted to hit one place to grab all the data needed to do the most damage, they would go straight to one of the three major credit reporting agencies.

“This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in website software, according to an investigation by Equifax and security consultants. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

Other cyberattacks, such as the two breaches that Yahoo announced in 2016, have eclipsed the penetration at Equifax in sheer size, but the Equifax attack is worse in terms of severity. Thieves were able to siphon far more personal information — the keys that unlock consumers’ medical histories, bank accounts and employee accounts.

“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.

An F.B.I. spokesperson said the agency was aware of the breach and was tracking the situation.

Equifax has created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.

https://www.equifaxsecurity2017.com/

George Sutton · 2017-09-08 01:55

Thanks for providing this information. It's a very serious breach for many folks.

Heater. · 2017-09-08 02:33

Ron Czapala,

Ha, that is a hoot. Did you notice their "jingle" at the bottom of that page ?

Powering the World with Knowledge

Apparently so!

Heater. · 2017-09-08 02:38

Of course a sensible approach if you think these sharks have leaked everything they know about you is to sign up for their leaky web site and tell them even more.

Not !

rabaggett · 2017-09-08 10:21

I had my identity stolen once...

They got a lawyer and made me take it back!

MikeDYur · 2017-09-08 15:17

From USA TODAY

Equifax cyberattack triggers class-action lawsuit

https://usat.ly/2vSWy34

Credit-reporting giant Equifax was hit with a class-action lawsuit within hours after disclosing that a cyberattack had potentially compromised personal information for 143 million U.S. consumers.Filed in Oregon federal court late Thursday, the civil action accuses the Georgia-based company of failing to maintain adequate electronic security safeguards as part of a corporate effort to save money.The lawsuit on behalf of plaintiffs Mary McHill and Brook Reinhard seeks an order requiring Equifax to preserve all records related to the breach and formally designating the case as a class-action for all consumers affected by the cyberattack.

Ron Czapala · 2017-09-08 16:57

ABC News - "In wake of Equifax breach, what to do to safeguard your info"

http://abcnews.go.com/Technology/wireStory/equifax-breach-exposes-143-million-people-identity-theft-49694776

There's no way around it: The news from credit reporting company Equifax that 143 million Americans had their information exposed is very serious.

The crucial pieces of personal information that criminals may need to commit identity theft — Social Security numbers, birthdates, address histories, legal names — were all obtained. And once your personal data is out there, it's basically out there forever.
...
The strongest possible option a person can take immediately is placing what's known as a credit freeze on their credit files with the major credit bureaus — Equifax, TransUnion and Experian. A credit freeze locks down a person's information, making it impossible to open new accounts and bank cards in their name. But locking your credit also locks you out from opening new accounts as well.

CNBC

https://www.cnbc.com/2017/09/08/how-to-protect-yourself-after-the-equifax-data-breach.html

Heater. · 2017-09-08 18:57

Grief.

Equifax should be barred from any further business. The directors arrested and all computers impounded. Immediately.

At least then we could contact someone we might trust, the regulators, to find out if our data was published or not.

MikeDYur · 2017-09-09 13:27

Equifax has the gull.

If you want help from Equifax, there are strings attached:

http://money.cnn.com/2017/09/08/technology/equifax-monitoring-services/index.html

davejames · 2017-09-10 03:11

https://finance.yahoo.com/news/psa-no-matter-equifax-may-010153057.html

Ron Czapala · 2017-09-11 13:14

Updated info at https://www.equifaxsecurity2017.com/

September 11, 2017

We are committed to keeping consumers updated on the steps we are taking to provide them with the support they need and address any issues they are facing in response to this incident. We recognize that some consumers continue to face challenges and in response we have made the following updates:

1) Adjusted our PIN Generation for Security Freezes
We understand and appreciate that consumers have questions about how a PIN is currently generated for a consumer initiating an Equifax security freeze solution. All consumers placing a security freeze will be provided a randomly generated PIN.

2) Call Center Support
When we recognized that Hurricane Irma could impact some of our call center wait times, we arranged to ramp up agents quickly to replace agents impacted by the storm and updated our website to make consumers aware of the situation.

3) Clarification Regarding Automatic Sign-Up to TrustedID Premier
We are not requesting consumers’ credit card information when they sign up for the free credit file monitoring and identity theft protection we are offering to all U.S. consumers. Consumers who sign up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of TrustedID Premier.

4) Obvious Link from Equifax.com
To make it easier for consumers to find the website dedicated to providing information about this incident, we have reconfigured our website, www.equifax.com, to feature the link more prominently.

5) Adjusted the TrustedID Premier and Clarified Equifax.com
We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.

We are listening to issues consumers have experienced and their suggestions. These are helping to further inform our actions, and we are now sharing regular updates on this website. Thank you for your continued patience and feedback as we continue to improve this process.

GordonMcComb · 2017-09-11 19:08

Interesting letter from them. They did forget the most important part, though:

6) PRETTY PLEASE DON'T SUE US!

Phil Pilgrim (PhiPi) · 2017-09-11 19:13

They still haven't clarified how they determine whether someone's info has been compromised. There have been reports of different results given for the same last name and SSN digits, along with results for phony names and random digits.

-Phil

Heater. · 2017-09-11 19:27

Phil,

Yes indeed: https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/

These guys should be in jail already and the whole scam shut down.

msrobots · 2017-09-11 21:45

" the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident"

Yeah, right.

Besides that the three top execute Officers sold shares worth around $3.500,000 between knowing of the attack and doing a press release about it, they now sell a product to make more money out of their own wrongdoing.

brilliant

Mike

GordonMcComb · 2017-09-11 22:36

Phil Pilgrim (PhiPi) wrote: »

They still haven't clarified how they determine whether someone's info has been compromised.

The 143 million figure is probably the number of consumer records they store. They likely don't know what database records were traversed, so they're assuming SELECT *.

The verification response returns way too quickly for there to be any kind of deep DB lookup. I tried a day after the announcement, and the response came virtually immediately. No hash lookup in the world is that that efficient.

erco · 2017-09-13 14:52

Robots to the rescue:

https://www.theverge.com/2017/9/11/16290730/equifax-chatbots-ai-joshua-browder-security-breach

MikeDYur · 2017-09-14 14:00

Simple easy stress free identity theft.

Equifax had 'admin' as login and password in Argentina - http://www.bbc.co.uk/news/technology-41257576

Equifax Says Cyberattack May Have Affected 143 Million Customers

Comments