Full Scope of Equifax Data Breach Revealed

Discussion in 'HardForum Tech News' started by DooKey, May 10, 2018.

  1. DooKey

    DooKey [H]ardness Supreme

    Everyone by now knows that Equifax had a data breach that exposed over 140 million consumers' personal information to include social security numbers. What most people didn't know was the full scope of the breach and now Equifax has released the information to the Securities and Exchange Commission. Not only were SSNs compromised, but birthdays, addresses, gender identifications, driver's license numbers and other data were compromised. Overall this was one heck of a gold mine for identity theft criminals. When is someone going to go to jail for this stuff? Thanks cagey.

    New information shows the 146.6 million consumers affected in the data breach didn't just have their social security numbers stolen. Most of them also had their birthdays, addresses, driver's licenses and more exposed.
     
  2. lollerwaffle

    lollerwaffle Gawd

    In other words, enough information to circumvent credit freezes, which are the only protection from the really scary fraud schemes that come out of this.
     
  3. LOCO LAPTOP

    LOCO LAPTOP [H]ardForum Junkie

    Is there a place to check to see if you have been one of those 140 million that got their shit stolen?
     
  4. Ehren8879

    Ehren8879 [H]ardness Supreme

    answer: no one.

    no one is going to jail for this. IT security is a joke in the US
     
  5. sfsuphysics

    sfsuphysics I don't get it

    I don't want someone to go to jail over this.. well other than the people who did it. I want a lifetime of free identity theft monitoring and fixing. None of this bullshit 1 year monitor through our own service crap, because identity thieves know this too and on month 13 all hell breaks loose
     
  6. Rabid_Platypus

    Rabid_Platypus n00b

    I think that when you do a credit freeze, you have to establish an "unfreeze passphrase".
     
  7. sfsuphysics

    sfsuphysics I don't get it

    Are you a US resident, who has a social security card and has ever used credit? Yup your shit has been stolen

    But yeah there is a site to check just google equifax data breach check
     
  8. heatlesssun

    heatlesssun [H]ard as it Gets

    We throw people in jail all of the time. If it's people at the highest levels and not the guy that didn't push out the patch, then maybe. Where you get corporations' attention is when you hit them in the wallet.
     
  9. heatlesssun

    heatlesssun [H]ard as it Gets

    It's VERY common, my wife has been a victim and it's a pain in the ass. You just have to be proactive, keep an eye on reports. There's a zillion ways an identity can be stolen. Hopefully tech like blockchain can be implemented to help with this situation.
     
  10. Aireoth

    Aireoth 2[H]4U

    We are actually closer to the end premise of Fight Club today than in the 90's. Pretty much every adult in the US has been compromised, same with Canada (CRA lost a ton of shit a few years ago to Heartbleed), Home Depot, Adobe, hospitals, etc all impacted across the western world. All it would take to send our financial systems into utter chaos is a massive coordinated attack using all that stolen information.
     
  11. MrTryfe

    MrTryfe Limp Gawd

    This is virtually everyone of working age, in the US. Don't wonder about if you're affected - the chances are very high that you are.

    I'd be interested to see figures for the rest of the world. Equifax operates in a couple dozen other countries also.
     
  12. katanaD

    katanaD [H]ard|Gawd


    make sure you go to the one that ends in .ru

    it will want your SS# and other items though .. to verify you are who you say you are..but it's cool

    ;>)
     
  13. SFB

    SFB [H]Lite

    Link to check can be found here: equifaxsecurity2017


     
  14. Jagger100

    Jagger100 [H]ardness Supreme

    I guarantee people have lost their passphrase. I would guess they fix it using the same type of info that you use to apply for the freeze.
     
  15. darckhart

    darckhart Limp Gawd

    More like Equifax should be forced to shut down.......
     
  16. KamelRed

    KamelRed [H]ard|Gawd

  17. exlink

    exlink [H]ardness Supreme

    Honestly at this point I wouldn't be surprised if the vast majority of US citizens have their personal information stolen and are available on the dark web. There are so many breaches all the time, your information isn't really safe anymore.
     
  18. SFB

    SFB [H]Lite

    I completely agree with you. It blows my mind why there is such a push for biometric security. Once compromised always compromised.... I'll stick to my passwords and pins with multi-factor authentication. It's my body, and I choose not to share it with anyone!
     
  19. Uvaman2

    Uvaman2 2[H]4U

  20. LOCO LAPTOP

    LOCO LAPTOP [H]ardForum Junkie

    oddly enough that site doesn't work for me. I do the little I'm not a robot and hit submit and it just sits there.
     
  21. Lakados

    Lakados [H]ard|Gawd

    Which they will store in plain text in an unencrypted file store on amazon cloud...
     
  22. exlink

    exlink [H]ardness Supreme

    Estimated US population (July 2017): 325,719,178
    Persons under 18 y/o: 22.8%

    https://www.census.gov/quickfacts/fact/table/US/PST045217

    325,719,178*(1-.228) = ~251,455,205 adults

    If 145 million users were affected then approximately 106 million adults (~42%) were unaffected. Almost a coin flip.
     
  23. Lakados

    Lakados [H]ard|Gawd

    Well In Canada we just get this:


    403 ERROR
    The request could not be satisfied.
    The Amazon CloudFront distribution is configured to block access from your country.

    They say Canadians were affected by this; I should get to know what they have on me and if they lost it.
     
  24. Cyraxx

    Cyraxx 2[H]4U

    There used to be scrutiny... e.g. Arthur Andersen falling due to their ignorance of Enron. Now everyone just shrugs their shoulders and goes "meh".

    I think part of the problem is a lack of competition.
     
  25. zamardii12

    zamardii12 2[H]4U

    There should not be a single private company in this country that has access to all that information without government oversight on-hand. Not saying it would have been prevented, but there needs to be extremely strong and tough regulations regarding our most sensitive information.
     
  26. PantherBlitz

    PantherBlitz Limp Gawd

    That's why hostile states are behind so much of this shit. Creating chaos for every member of the armed forces and blackmailing politicians to do your bidding are two motives that come to mind.
     
  27. Silentbob343

    Silentbob343 [H]ard|Gawd

    Am I missing something? We already knew the scope of the information...
     
  28. exlink

    exlink [H]ardness Supreme

    I think this probably means you may have been affected. I entered my info and a few family members and the same thing you're experiencing happened with all of them. But the moment I entered something fake it would come back as being unaffected.

    Likely if your last name and last 6 digits of your SSN match a line in the database of affected users it's searching then it's locking up.
     
  29. MRAB54

    MRAB54 Gawd

  30. WhoMe

    WhoMe Gawd

    Might as well rename themselves Equifacts: need detailed facts about people? We have 'em we even give 'em away.
     
  31. seanreisk

    seanreisk Gawd

    The internet is a simple system. It seems complicated, but it's a simple system. They were testing mechanical registers in the 90's (a system where routers and switches use non-programmable silicon with strong rules about traffic at the local router level) but telecoms hated them then, although it seems like a good idea now. There was an idea in the 2000's that banks would issue a unique SIM card for your phone, a card with a unique time-locked identity, and your bank or credit card would verify all purchases through your phone, but that was too expensive, too.

    There was a time when FERPA and HIPAA were going to require a human approval before issuing more than one person's information from the database. Assholes who study data didn't like the idea that your name, address, SSN, etc., etc., wasn't in the data warehouse, though, don't ask me why, 'cause that's fucking stupid.

    Businesses, telecoms and banks talk tough about security in the 21st century, but they don't want to pay for it, they want to blame criminals and law enforcement for the problem, and they want someone to magically come up with a way to provide security over a very simple system. You can say that you don't want to pay for heightened security, but the reality is, you already do - banks and businesses pass the costs on to you.

    P.S. All online games should be UDP. That way, all the security we implement for business can be ignored for games.
     
  32. exlink

    exlink [H]ardness Supreme

    TrustedID Premier is Equifax's identity protection service. They provided it for free* to all affected users for 1 year.

    The website name is tacky, I agree. But it's easier than the likely alternatives of www,equifax,com/personal/breach or something along those lines. Need to make it simple so when the news and radio was talking about the breach then people would more easily remember the website to check later.

    *you had to get all of your personal information stolen, not really "free"
     
  33. Ur_Mom

    Ur_Mom I'm Not Serious

    The executives are the ones that sign off on security policy. A "CYA" type of thing. The guy that didn't push out the patch isn't responsible. The CISO/CIO is and his boss. They are ultimately the ones that are responsible for it. The buck stops there.

    Hit them in the wallet. With Equifax, it's really hard. Don't subscribe to their credit monitoring service? Fine. That's just secondary. Their primary business isn't with you. They get your information when you apply for credit, etc. You're the product, not the consumer. Can't opt out, either. Unless you just don't apply for credit, home, etc..

    I think the Equifax breach shows how lax the US is in privacy and actually caring about it. We don't. There should be a lot more pressure on these guys. While I think the GDPR goes a bit overboard, it's doing something that's needed. Tame it down a little bit and it'd be good. You have a breach from lax security, you're fucked and it's not some lame slap on the wrist.
     
  34. Susquehannock

    Susquehannock 2[H]4U

    Access and store personal information without consent. Check.
     
  35. sfsuphysics

    sfsuphysics I don't get it

    Unless of course they get the government to legally allow them to be held harmless in situations like this, then you just want to lock all the doors to their building and set the fucker on fire.
     
  36. Dead Parrot

    Dead Parrot 2[H]4U

    The Feds should file fraud charges against the CISO for failure to perform her duties and collecting her salary. It wasn't that the breach happened that is most telling. Despite true best efforts, crap happens. What was telling was the 3 Stooges circus that happened afterwards. It quickly became obvious they had no Incident Response Plan. Even their first attempt at a "Has your data been stolen" site was reported to have been breached. Having a tested workable IRP is a CISO's job one. This CISO failed that task.

    The Board of Directors should also face criminal charges for failing to perform their oversight duties.
     
  37. SFB

    SFB [H]Lite

  38. Aireoth

    Aireoth 2[H]4U

    Capitalism is failing due to cronyism, incidents like this should decimate the company, maybe even destroy it, so that other corporations can rise from the ashes. Instead these entities are protected from their failings.

    I don't know what the fix is, but I do know that I don't like this.
     
  39. Biznatch

    Biznatch 2[H]4U

    And if you forget that passphrase (pin) how do you reset it? They ask you questions that can be answered with the data they lost...... I didn't even bother freezing my accounts. Why the F would I pay them 10$ each to protect myself from data they lost due to incompetence, that doesn't provide any additional security......


    It goes back farther than that. It appears they didn't have (or had a very shitty) patching plan. Took way too long to patch a well known critical vuln in Struts, and also apparently have no data classification policy with monitoring of outbound PII. How the fuck did they not catch a single user extracting TB's of data from their system? The amount of incompetence in a company of that size, holding some of the most critical data is mind boggling......