According to initial reports, it’s looking like one of the big credit reporting companies in the US has had a breach of over 140 million accounts. Of course, some of the data that was exposed includes social security numbers, addresses and potentially driver’s license numbers. Seriously, this is one of the big companies responsible for handling the credit history for Americans, something that directly impacts getting any kind of credit/loan. They hold some of the most sensitive information for identity and they had a breach.

They have a site up with some basic info, as well as to find out if you may be part of the breach and how to sign up for credit protection (I have to laugh a bit at this) for a year. https://www.equifaxsecurity2017.com/

I don’t know if I’m one of the affected, but at this point, I don’t know if there is anyone on the planet who hasn’t had their info breached in the last few years. I would recommend anyone who hasn’t considered it, to look into freezing their credit. This is something I’ve recommended to many employees in the bank, an idea I picked up from Brian Krebs. Even with data out there, if the credit is frozen, no one can take money out of my name. Of course, they can do other damage, but getting money is usually the first target for identity theft.

It’s a straightforward process with all of the credit bureaus (of course Equifax is one of them) and may cost you little or no money at all. You can always unfreeze or thaw (temporarily) your credit whenever you need to with a phone call or request; you just need to know the PIN you used to freeze it.

Here is Brian’s article and links to do so: How I Learned to Stop Worrying and Embrace the Security Freeze – Krebs on Security

Sources: Equifax compromised 143 million people's Social Security numbers and other data - The Verge

Update 1:

Link to Brian Krebs article: Breach at Equifax May Impact 143M Americans – Krebs on Security

Update 2:

Another article by Ars Technica: Why the Equifax breach is very possibly the worst leak of personal info ever | Ars Technica

Update 3:

Here are a few more articles I’ve seen pop up regarding this situation.

Ars Technica (some tips on what to do, though the first tip you may want to wait on): So, Equifax says your data was hacked—now what? | Ars Technica

Ars Technica (you may not want to sign up for their credit monitoring): Are you an Equifax breach victim? You could give up right to sue to find out [Updated] | Ars Technica

Verge (info about why the credit system is bad): Our entire credit bureau system is broken - The Verge

Sophos (info on why SSNs are bad as a national ID): Naked Security – Sophos News

Update 4:

Another detailed article by Brian Krebs. This covers a lot of details that have been floating around, such as the lackluster site Equifax has put up for people to get more info, the executives that sold shares and the arbitration clause for the free credit monitoring.

Lifehacker has a bit of info on the arbitration clause in the credit monitoring and how to opt out of it if you want to take Equifax up on their offer.

Update 5:

Another update by Sophos, which covers just how bad the PIN for a credit security freeze at Equifax is. For those who recently froze their credit, it’ll be a good idea to keep a close eye on your credit. The odds aren’t in your favor.

Update 6:

Ars Technica just published a short article regarding the infamous arbitration clause as well as changing the credit freeze PINs. Regarding the arbitration, they say it is meant for the credit monitoring and not for the breach. Regarding the freeze PIN, their spokesperson said that they will have a fix in the next 24 hours.

Update 7:

Two more articles to add to the list. Krebs has posted a FAQ, more or less, on the breach. It covers many common questions about the breach as well as what a credit freeze is, how it works and how it’s different from other options.

Slashdot has an article with initial reports that Equifax is putting the blame on Apache Struts. This seems to be in the early phases of being verified. I’ll post more info as I find it.

Update 8:

I forgot to post this with the earlier update. Have any of you heard of a chatbot? It’s a bot that has been used to answer questions and help people work through particular tasks. One such example is a bot that has helped people handle parking tickets. The bot is able to help those affected by the breach go through the process of filing a lawsuit in small claims court against Equifax. More info on the Verge.

Update 9:

Thanks to @connor-sw with today’s Spark for this one. Looks like Equifax’s site to set up a credit alert is vulnerable to a nasty XSS vulnerability. I think it’s safe to say at this point, take anything Equifax says or suggests with a grain of salt.

Update 10:

Looks like Equifax is trying to project some good will by waiving the fees for the credit freeze.

Update 11:

Krebs released a new article last night showcasing more failures in security regarding websites. Turns out, they have an employee portal available in Argentina with an amazing amount of basic security issues.

Update 12:

More sources are reporting that the Apache Struts vulnerability is what led to the breach. The vulnerability was patched about two months before the breach, and active attacks against this vulnerability were going on.

Update 13:

The FTC is now investigating the Equifax breach. Hopefully we’ll start getting more details.

Update 14:

Visa and MasterCard are sending notices to financial institutions about the breach at Equifax, saying that it affects around 200,000 cards, with transactions dating back to Nov 2016.

Update 15:

Two new articles to share, one from Ars and another from the BBC. Equifax’s CIO and CSO have been removed over the breach, and quite a few Britons have been affected by the breach.

Update 16:

Bloomberg has two articles today. The first is about a criminal investigation that has started into the stock sales by the executives who sold their stock before the announcement was made. The second talks about how Equifax had another breach even earlier than the one that we’ve been notified about.

https://www.bloomberg.com/news/articles/2017-09-18/equifax-stock-sales-said-to-be-focus-of-u-s-criminal-probe

https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed

Update 17:

A full stack developer has shown Equifax that their idea of providing a site for info about their breach was not thought out well. Besides the first-day reports of A/V reporting it as a phishing site, the fact that it doesn’t use Equifax’s own domain means it’s easy for someone to be tricked.

Update 17.1:

The Verge just updated their article to reflect a tweet that has been deleted and to show other tweets showing that Equifax customer support has been sending people to the wrong URL on several occasions.

Update 18:

Brian Krebs published another article with some clarification regarding the articles on the earlier breach with Equifax. He is saying it isn’t related to the current one, because he covered that when it happened.

Update 19:

Yet again, Equifax has shown that they don’t put much thought into security and following best practices to keep people safe by trying to get people already affected by a breach to do things they shouldn’t.

Update 20:

It is now official that three of the top executives at Equifax have retired. The CIO and CISO left not too long after the news came out, and the CEO just announced his “retirement” today. Just as with Target, executives at all companies should take note that there will be a lot of pressure on them in the wake of a breach announcement.

Update 21:

Equifax’s new CEO is very sorry.

On behalf of Equifax, I want to express my sincere and total apology to every consumer affected by our recent data breach. People across the country and around the world, including our friends and family members, put their trust in our company. We didn’t live up to expectations.

Update 22:

Three new articles with more info about the breach. The first from Bloomberg reports that the breach has the telltale signs of being a state-sponsored hack. I would think it’s safe to say that anything of a large enough scale would either be a large crime organization or state-sponsored. I don’t think using the term state-sponsored has as much power as it used to since many breaches now use it. Bloomberg also reports that part of the reason the breach went for so long undetected is that Equifax and Mandiant, the security consulting firm helping with the breach, had a disagreement sometime shortly after the hacking team broke in.

https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

Reuters and Ars Technica cover about the same info. Reuters reports that Equifax has said it suspects an additional 2.2 million are impacted by the breach. Ars covers the series of missteps that created the perfect storm.

http://www.reuters.com/article/us-equifax-breach/equifax-failed-to-patch-security-vulnerability-in-march-former-ceo-idUSKCN1C71VY

Update 23:

The former CEO has been talking to Congress regarding the breach, and he is putting the blame for the breach on one person.

Update 24:

I sure hope Equifax has put in some changes to strengthen their security, since it was recently announced that the IRS has contracted Equifax to handle taxpayer identity verification and fraud prevention. Let that sink in a bit.

Update 25:

Brian Krebs published a summary of the Congressional hearing with the former CEO. I’m glad he did as I wasn’t interested yesterday, nor today, to watch 3 hours of this mess. There is also a brief mention of the Yahoo breach (probably brief because it’s Yahoo).

Update 26:

I’m a bit behind on news due to SpiceWorld, but here are a few links with updates. First, Equifax’s site has been found to have been serving malware-infested advertising. Brian Krebs goes into more detail than Naked Security, saying that the webpage has been updated and that there wasn’t another breach. At this point, I don’t think this will help anyone feel any better working with Equifax.

Also, due to this malvertising campaign, the IRS has suspended the contract it has with Equifax for their services to verify taxpayer identities.

Brian has two more articles to expand on the Equifax inferno (I think it’s safe to say this is more severe than a dumpster fire). The number of UK residents exposed has increased. Your salary history is also exposed.

Update 27:

On Sunday, John Oliver shared some candid responses to Equifax’s response to their inferno of a reaction to the breach. No new info, but a good share for anyone who hasn’t been keeping updated with this disaster.

Update 28:

Well, it has been a while since there has been anything new on this. Unfortunately, something new has popped up. It looks like Equifax was warned beforehand that something was seriously wrong.

Update 29:

Equifax has reopened their salary lookup service with “security enhancements”. Brian Krebs goes into detail that these enhancements may not be a whole lot.

Update 30:

BleepingComputer posted an article with three new pieces of info. The first is that, per their Q3 earnings call, the breach has incurred $87.5 million in expenses. They also expect to spend around $56–110 million in the coming months, which won’t include any class-action lawsuits. Equifax has also cleared the two executives who sold their shares before the public announcement, saying they didn’t know of the breach (apparently their exec team is terrible at communication). There is still a big demand for new protections for consumers.

https://www.bleepingcomputer.com/news/business/hack-cost-equifax-only-87-5-million-for-now/

Update 31:

Both the former CEO and the interim CEO have been answering questions at the Committee on Commerce, Science, and Transportation this week for a hearing titled “Protecting Consumers in the Era of Major Data Breaches.” When asked about encrypting the data, the former CEO said it was decided not to encrypt data at rest. The interim CEO isn’t sure if that has been done since the breach.

Update 32:

It’s been a while since some interesting news around Equifax has been made, but fortunately (unfortunately?) for us, it has happened! Equifax has released an app that is supposed to make locking one’s credit easy… but it doesn’t work as advertised.

https://arstechnica.com/information-technology/2018/02/equifax-releases-credit-report-locking-app-thatlocks-up/

Update 33:

Thanks to Dennis5204 for sharing this one!

There’s also an article up today on Yahoo Finance (beware auto-play vid) about people successfully suing Equifax in small claims courts and getting paid damages up to $10,000.

https://finance.yahoo.com/news/people-successfully-suing-equifax-almost-10000-app-193607932.html

Update 34:

It looks like there is another strike against the general public with the US government. Mick Mulvaney, head of the Consumer Financial Protection Bureau, is stepping down the probe on Equifax regarding the breach.

https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ

Update 35:

32 Senators have written a letter asking why the Consumer Financial Protection Bureau isn’t investigating Equifax (update 34). At least someone is paying attention.

Update 36:

Just when I start thinking that this situation will finally calm down, something new happens! In what has to be the largest surprise to no one, it has been discovered that another 2.4 million Americans have had their data breached by Equifax.

Update 37:

A former exec has been charged with insider trading for selling stock before the news hit of the breach.
https://www.theverge.com/2018/3/14/17119538/equifax-insider-trading-data-breach-charges

Update 38:

There are yet again more updates on this whole mess. I’m wondering if this story will ever die, though I still hope that the hammer will drop for Equifax, though it probably won’t happen.

Thanks to Mike400 for this update from ZDnet saying that many companies are still using the software that was the center of the breach.

https://community.spiceworks.com/t/650313

Also, Ars Technica shared details that have finally been released by Equifax on what data, and how much, was stolen. The reason we haven’t known about this until now is, as said by Equifax:

"With respect to the data elements of gender, phone number, and email addresses, US state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access," Equifax's management asserted in the SEC letter.

https://arstechnica.com/information-technology/2018/05/equifax-breach-exposed-millions-of-drivers-licenses-phone-numbers-emails/

@mikeober @dennisberube0423

118 Spice ups

2 minutes shy of beating the post in SNAP!

Snap! Equifax experiences major breach, Amazon to hunt for new headquarters ?

7 Spice ups

Hmm… I’ll link to this since I included info on freezing credit. Just in case anyone wants that info.

5 Spice ups

Yeah, good find.

1 Spice up

How do we know https://www.equifaxsecurity2017.com/ isn’t a phishing site? Troy Hunt?

11 Spice ups

I decided to look up the Target data breach, because I’m curious on the number of accounts compromised. This looks to be larger, at least by initial reports, than Target. Target was around 110-120 mil. Not only are more potential accounts compromised, but much more sensitive information compromised. Considering what happened with Target and the management shuffle, fines and lawsuits, I wonder how this one will play out.

6 Spice ups

Who’s watching the watchers?

26 Spice ups

It’s what is linked to on their website, so unless their website has been compromised it looks legit.

This looks like a good time for them to come up with a reasonable new way to keep track of people, considering SSN was never intended for this use.

11 Spice ups

Wow, this is big

It’s funny you mention that, I had federal examiners say that same thing to me and the rest of management last year when they audited the bank. Situations like these make me a bit nervous sometimes being in IT, especially management. I can’t imagine the feeling that must go through not only the IT team at a company with a data breach, but also management. I hope I never have to be in those shoes.

6 Spice ups

I was thinking about this on the way home. I wonder if the PKI infrastructure could be used in any way. There are some solid encryption algorithms; I wonder how feasible one of them would be to rework the national ID system. Part of this too is due to companies and the government relying on a form of ID that wasn’t meant to act as a national ID.

4 Spice ups

I’m sorry but what kind of fool thought this was a good idea, and how did it possibly get approved?

Equifax has a breach and directs you to “equifaxsecurity2017.com” (What? Reeks of phishing, much?) with anonymized/private registration info (no less!), and where they redirect you to another site requiring you to provide your last name and last 6 digits of your SSN … at (wait for it) … “trustedidpremier.com”
ALSO with private registration info.

I’d like to know how many Cracker-Jack box tops their “thecuwity” team had to collect to get a “Internets Expurt” certificate in order to get their job.

Seriously, what special gem thought THIS was a “good” idea ?
Beyond ridiculous, and so bad as to be laughable. Oh except that’s OUR data they’re asking us to play fast and loose with, while imperiously demanding, “just trust us with your data at our PHISHING-like domain names with hidden registration info”

16 Spice ups

And this is why my credit card had to be changed recently? (Like a week ago, out of the blue no explanations)?

1 Spice up

Good ol’ Krebs had published his response on this, and it’s a good one. Breach at Equifax May Impact 143M Americans – Krebs on Security

There are a few things to consider with what we know so far. Equifax has known about this since the end of July, and we are only hearing about this today. That is over a month to leave everyone exposed. Granted, it takes time to perform an investigation, and management probably wanted to get solid evidence before making a public statement due to the backlash that’ll happen. There would be a lot of frustration if they said there could be a breach and there wasn’t. Not to mention their value would drop (are they publicly traded?). It’s still over a month that information has been exposed while they knew something was wrong.
Too bad GDPR isn’t in effect, since some UK residents were affected. Canada too! Krebs also mentions that Sen. Mark Warner talks about pushing Congress to do something about this. Guess what? The cat is out of the bag. Why wasn’t more done with the Target breach? Yes, more protection for a nation’s people is needed, but the damage has already been done. 1 free year of credit monitoring ain’t going to do squat. This is an American institution that is designed to hold and protect our identities so we can function as good citizens, and it failed its basic function.
What’s more, they aren’t disclosing info on how the breach happened and what was vulnerable. They’ll also need to explain why this vulnerable Web server had any access to sensitive info. A month into their investigation and they are still holding many cards close to their chest.
Krebs also brings up some good points about the free credit monitoring. The registration service has been up and down since the news started spreading. I guess they can’t design a system to handle a good portion of American citizens visiting it, who want to try to keep themselves safe. The monitoring is also done by Equifax. So, we should trust you to monitor our identity when you couldn’t keep it safe in the first place? I guess it’s better than nothing. Also, why do people have to wait to register when their identity is at risk now? As you can tell, I’m quite upset at this.
Being in a regulated industry, dealing with money, there are already a lot of hoops I have to jump through to show I’m doing everything I can to keep the bank safe. This is going to be a discussion point for any audit I go through, just like Target was. It’s going to make my life that much harder. :disappointed_relieved:

9 Spice ups

I want the option to force them to “forget” about me, LOL.

5 Spice ups

Credit Monitoring Bureau leaks like a 300 year old rusty bucket; offers 1 year free credit monitoring - anybody else see the problem / irony with that?

Can I choose to get my free year with Experian or TransUnion?

6 Spice ups

Also, WTF Equifax! Did you not know you are a huge, high profile target?

Ps. Have you heard of a thing called a “class action lawsuit?” I can see 2 potential classes, one for people in general, and one for people whose credit cards you lost. Even if the jury (who are all being tracked by you) gives a smallish award to a class of 140 million people, you are screwed. Let’s say $10 bucks per, that’s potentially $1.4 billion dollars.

Pss, Equifax, There are a lot of people who don’t really like you either, since you are basically a huge tattle tale for financial mistakes, lol.

As a consumer, I expect to see a lot of heads rolling at Equifax, at a high level. (or at least I hope)

6 Spice ups

Stop using all forms of credit for the rest of your life, that’s about the only way to do that.

3 Spice ups

I tried going to the “Potential Impact” and Firefox warned me of a deceptive site at trustedidpremier.com – seriously?

1 Spice up