So Equifax had a huge loss of data – over 143 million folks’ worth. That’s pretty much everyone in the US who has credit. This is huge!
So – to read more, see this great article from Ars Technica.
Most importantly, go to the Equifax site and check to see if you’re affected (I bet you are!). It will tell you to come back after a certain date to complete the process of registering for free monitoring. They say 1 year, but I bet it ends up being much longer. They have screwed all of us.
Site to check: https://www.equifaxsecurity2017.com/
Amanda in the South Bay
And read the Hackernews comments about that seemingly scammy site they set up.
Alain the site fixer
@Amanda in the South Bay: Yea the site is so underwhelming. I think Equifax hasn’t come to terms with the scale of this yet. It will change the company (or put it out of business) permanently. I hope this spurs some re-think by our best and smartest on a replacement for SS numbers and how data is used in this country. I mean at this point, foreign agents have huge amounts of info on Fed employees, folks with security clearances, who’s having affairs, and now this. I can barely imagine how that’s going to be put to ill use.
Unless I’m missing something, their auto enrollment process is screwed up–when attempting to “complete” the enrollment process, I keep getting looped back to the same initial enrollment screen and asked for the same SS data.
Le Comte de Monte Cristo, fka Edmund Dantes
I was wondering yesterday – why in hell would they have a setup where batch functions would be open to the internet? Why wouldn’t that sort of work be airgapped?
For me to get credit reports for myself, it is a laborious process. Just to get reports for BK clients, there’s a time-consuming verification process.
I’ve long been telling my several tech-allergic friends that they might as well enjoy social media – their private information is out there already. I’d qualify that a little, but now I don’t have to any more.
@dr. bloor: Same issue for me; worse, if they ask you to complete the process, I read that that means you have been one of the people who now has their entire financial info being sold to thieves (Russia no doubt.) These companies save money on security measures because they are never held liable for their failures – this is insane and proof that our political system has been bought by these corporate whores. We are screwed because 1) we never asked for this vital data to be held by them 2) we are at their mercy to protect it 3) they have no consequences when they do lose it 4) we have to clean up the mess on our own when we are screwed by them.
@Cheryl Rofer: Yup. Our protection now is “herd immunity”. One can argue that so many hundreds of millions of numbers, etc., are out there that the chance of me in particular being singled out is small.
It doesn’t help much though when me has a bunch of money stolen, etc.
This is a solvable problem, but Congress seems to have no inclination to do anything sensible about it.
I recommend the Security Freeze program, which almost all states now require the three credit bureaus to offer. It prevents any release of your credit report without your specific permission. That prevents anyone who steals your identity from opening credit lines of any sort, and it also cuts off marketing of your information behind the scenes. It makes the credit bureau work for you upon your request only.
The CFPB should force Equifax to promote and offer a free security freeze for everyone (with 148 million records, it’s not even worth tracking whose info did/didn’t get released).
Le Comte de Monte Cristo, fka Edmund Dantes
There was the other tidbit of the group of officers (including the CFO) who cashed in options and sold after the big reveal.
These guys suck at what they do. Their scoring algorithms have no relation to common sense, and act as an extra tax on people who work for a living.
We’d be better off without them.
David ?Canadian Anchor Baby? Koch
@ElegantFowl: Thanks much for the tip. I plan on doing the Security Freeze. Info here: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place
Le Comte de Monte Cristo, fka Edmund Dantes
But if govt requires your specific authorization for release of your info, then what about the right of the credit bureaus to profit? Freedom is threatened when you decide to quit being a commodity!
would explain my cc getting hijacked two weeks ago…
Yay! I’m a winner. And I also had a credit card stolen this week. But that’s happened before, and this is the card we use the most.
I went to the Equifax website last night, and could not get its widget to work to check whether I’d been affected. Then called their 800 hotline and all they gave me was a run-around without admitting that the website doesn’t work. Seems obvious that it was slapped together quickly when news leaked out that they had been hacked. Equifax wants to pretend that they were planning to contact consumers directly, but the news media just happened to get wind of the story as they were in the process of doing so.
The real priority at Equifax when they figured out they’d been hacked, as the WaPo report reveals, was to keep the hack secret while high ranking officials at the company sold off their stocks. They unloaded nearly $2 million in stock in the days in July right after the hack was discovered.
Le Comte de Monte Cristo, fka Edmund Dantes
“Mistakes were made, but what is important now is not to assign blame or point fingers while we deal with the catastrophic loss of critical data on 143 million consumers”.
Thing is, I’m already enrolled in a monitoring thing courtesy of a previous breach.
Credit Freeze it is.
IANAL, but that should be “insider trading”.
And if it isn’t, the law should be rewritten to classify it as such. Nobody should be making a profit from security breaches.
edit: should read all comments before posting
The Ars Technica article you mention says this about your Equifax “site to check”:
Well, I did that and I am told to enroll in 5 days. Being the chief IT officer for my household, I also did that for Ms Spousal ThresherK, and they took her right away.
Makes me wonder.
Also, I wonder if a thief would ring up less $$ on her Talbots card than she does.
@Another Scott: I’ve also made the herd immunity argument. I’m surprised we don’t see more identity theft.
About a month ago, one of my credit card companies called and emailed me that there were suspicious charges on my credit card. The call and email themselves looked like they could be phishing, but I took a chance, and they were genuine. Several charges for gaming online and Waffle House (that seems to be the one that triggered that communication), less than $100 altogether. They sent me a new card and removed the charges. If I were going to steal someone’s credit card, hey, I’d buy a car or do something big!
I guess we’ll be seeing more of this. Wonder what it will do to the credit card companies’ bottom line.
The worst thing about this is that I can’t take my business elsewhere. I have absolutely no recourse in any meaningful way. Stabbed in the back by the Invisible Hand.
But Congress will do something…
At this point in my credit life, he who steals my virtual purse is truly stealing trash. Which is strangely comforting.
DO NOT ENROLL IN THE EQUIFAX PROTECTION
You waive your rights to sue them in doing so, forever. It’s a lifetime binding contract that requires arbitration in future matters.
I’m in the same boat. fraud alert is gonna expire soon anyways, so may as well up it to a full on freeze
Well, I apparently picked the wrong week to stop snorting crack. Bartender, may I have another. A good thing that I maxed out all my credit cards myself.
Smart move is to do a fraud alert or freeze over the phone if you can. equifax is fucking this up 8 different ways, so do it with another of the big three and they’re required to forward it to the other two who are also required to put an alert/freeze on your account with them.
Gin & Tonic
@Pharniel: This. They will also convert this “free” service to a chargeable service after a year.
Some guy on Twitter filled out that form using the last name “Smith” and the digits “123456” and got the identical page – you have been compromised and should sign up for our monitoring service. So clearly there is no actual database behind the form.
@satby: I was gonna say “Good line” and then I Yahoogled it to find out it’s Shakespeare. For years I thought it was Whitman.
Now I feel the need to do something to prove my geek cred in this space.
Steve in the ATL
@Cheryl Rofer: thieves usually make a few small charges to see if the number works before they go for the big prize
scratch that – that’s only true for a fraud alert. for a full on freeze you have to call each credit company. I’d still call them tho
@Gin & Tonic:
Here’s a tweet with a screen shot of the weasel words –
good luck getting in that site
@Gin & Tonic: They told me I’m good. Not that I believe them, and I certainly won’t be trusting them to alert me to any problems.
Tilda Swintons Bald Cap
Speaking of the evil Internet:
Major Major Major Major
Sweet rollerblading Moses.
@nonynony: The law specifically prohibits this kind of behavior.
As you’ve probably assumed, guessed, or looked into, if that can be proven beyond a reasonable doubt, those responsible will be looking at prison time.
And I hope they nail the bastard execs that took profits and bailed. That is insider trading and Martha Stewart went to the slammer for way less.
@burnspbesq: I hope prisons and restitution!
What Have the Romans Ever Done for Us?
Not sure that registering for credit monitoring doesn’t do more harm than good anyway. I was affected by one of the Federal Government data breaches and given free credit monitoring, but I had to give the credit monitoring entity the account numbers and other specifics of each account I wanted them to monitor…so if they get hacked (and there’s no guarantee they won’t) all that sensitive info falls into the wrong hands instantly.
No, rich people get fined a few thousand dollars. Prison is reserved for low level drug dealers, burglars and other such riffraff.
@Le Comte de Monte Cristo, fka Edmund Dantes: Right? I really hate how a lot of the reporting on this story says that “customers'” data has been revealed. It’s not like we choose to do business with credit bureaus; we’re the product, not the consumers.
@Le Comte de Monte Cristo, fka Edmund Dantes:
Yeah and good luck to you if you ever need to report/correct an error.
Not any more. The new AG has specifically said that finding and ending leaks coming from the White House is the most important task the DoJ has, and all others will not be pursued nor prosecuted. Well, except for those cases ensuring that the rights of white people are not being threatened by non-white people. And prosecution of vote fraud cases where the vote(s) went to Hitlary (although it’ll cost more to find those instances than it will to prosecute them).
Sorry, just feeling a tad cynical. I hope Equifax burns (figuratively speaking) and those insider-trading motherfuckers end up serving a bunch of time, along with the motherfuckers who are scamming the populace with this new “free benefit.”
Yeah, six months of “community service” will certainly show them the error of their ways, and prevent recidivism.
ETA: I forgot the three months of probation. Not really aiming all this at you, by the way, just at the system which would codify their rich-people’s privilege.
@SFAW: See me at @OzarkHillbilly: for cynicism.
re: stock sales after incident was discovered – from an attorney I know on social media who specialized in finance/derivatives law:
Yeah, I saw that. You didn’t think I’d actually give you credit (sorry) for that did you? After the way you treated Quinerly, you bastid?
@SFAW: I never get credit, only blame. And your comment is a perfect example. ;-)
OK, I understand all the words used, but someone needs to take a course in writing clearly. Does that mean the SEC did not disclose details? Or the person(s) buying/selling were not to disclose? Or what?
Eats shoots and leaves, genius. [I don’t mean you, RSR.]
This will be the fourth breach in as many years that affects my personal data. May as well just spraypaint the shit on the side of a building for all the good the data holders’ security does.
The Moar You Know
I’m already on credit monitoring from the OPM breach. I don’t know how these people can fuck up my life any worse than they already have.
At least in theory I could sue Equifax. Can’t sue the US Government.
The only way to fix this is to make any institution that handles personal data wholly 100% financially responsible for any loss of that data. And we all know the odds of that happening are less than zero.
You might consider re-examining your life, in an attempt to find out why everyone blames you.
By the way, where were you on the night of April 14, 1865?
And the result would be that you’d probably see more prison time than any Equifax bozo.
@satby: That is insider trading and Martha Stewart went to the slammer for way less.
The Moar You Know
@ElegantFowl: This does not work. I want to make that very clear to everyone. I’ve been on it for years. In that time, I’ve bought a house and two cars. Nobody had an issue accessing my credit and I was never notified.
@SFAW: Reconsider? I wear the blame as a badge of honor! If I’m pissing off so many people I must be doing something right!
Hmmmmm, I don’t know, that part of my memory is strangely blank.
hedgehog the occasional commenter
I did and I was. To quote Alain, they have screwed all of us.
@PST: I messed up the block quote and then was denied permission to fix it. I wonder why?
@PST: WordPress hates you?
@Cheryl Rofer: I’ve witnessed friends and family members ‘enjoy’ social media, and that has only reinforced my decision to avoid such things, thanks.
@Alain the site fixer:
I don’t think we need a replacement for SSNs, per se, though it might be wise to add a few digits so there are more than a billion possible numbers. What we really need is a rethink of the way we use SSNs. It’s very helpful for everyone to have a unique identifier that can distinguish between them and anyone else who might have the same name, birthday, etc. I would dearly love to have something like that because I know there’s all kinds of incorrect information associated with my name because I share it with so many other people. A government-assigned number is a perfectly reasonable way of doing that, especially for interactions with the government.
The problem is that people are using it for both identification (who you are) and authentication (proving that you are who you say you are). You might be able to get away with something like that if you’re using a difficult-to-forge token, like a passport, but it fails horribly for something intangible like a number. Right now, we’re encouraged to treat our SSNs as secret because knowing somebody’s SSN is treated as arcane knowledge, but they’re used as identifiers in a huge number of systems. We need to start treating SSNs exclusively as identification and stop using them for authentication.
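The identification-versus-authentication split described in the comment above, as an added illustration that is not part of the original thread or of any real credit bureau’s code. The records, numbers and secret are constructed for the example; the SSN is used only as a lookup key, while access is decided by a separate, per-account, revocable credential.

```python
import hashlib
import hmac
import os

# Constructed sample records for this example only. The SSN is the
# *identifier*: it selects a record, nothing more.
RECORDS = {
    "123-45-6789": {"name": "A. Example", "credit_line": 5000},
    "987-65-4321": {"name": "B. Sample", "credit_line": 12000},
}

# Authentication material lives separately from the identifier.
# Maps identifier -> (salt, PBKDF2 digest of the account holder's secret).
CREDENTIALS = {}

PBKDF2_ROUNDS = 200_000


def lookup_record(ssn):
    """Identification: which record are we talking about?
    This proves nothing about who is asking."""
    return RECORDS.get(ssn)


def authenticate_by_ssn_only(ssn):
    """The failure mode the comment describes: treating knowledge of the
    identifier as proof of identity. Anyone who knows the number is in."""
    return lookup_record(ssn) is not None


def _derive(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def enroll_credential(ssn, secret):
    """Store a salted, stretched hash of a secret chosen by the holder.
    The secret is independent of the SSN and can be changed at will."""
    salt = os.urandom(16)
    CREDENTIALS[ssn] = (salt, _derive(secret, salt))


def authenticate(ssn, secret):
    """SSN says *who*; the secret says *prove it*. Unknown identifiers and
    wrong secrets both fail; the comparison is constant-time."""
    entry = CREDENTIALS.get(ssn)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(secret, salt), expected)


def rotate_credential(ssn, new_secret):
    """Because the secret is separate from the identifier, it can be
    replaced after a breach; the SSN itself never has to change."""
    enroll_credential(ssn, new_secret)


if __name__ == "__main__":
    enroll_credential("123-45-6789", "correct horse battery staple")
    print(authenticate_by_ssn_only("123-45-6789"))   # identifier alone opens the door
    print(authenticate("123-45-6789", "wrong"))      # separate secret: rejected
    print(authenticate("123-45-6789", "correct horse battery staple"))
```

The point of the two `authenticate*` functions sitting side by side: once a number is stored as a lookup key in hundreds of systems it cannot be secret, so a design that grants access on the number alone fails the moment any one holder is breached, whereas the separate credential is both unique to the relationship and disposable.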
Major Major Major Major
@Roger Moore: all of this, exactly, although I’m sure it’s basically what Alain meant (a replacement for SSNs as a verification system, rather than a UUID). Maybe in 15 years we’ll have a biometric option, though it’s hard to see a good replacement for keyboard entry.
Da-yum! It’s like I’m talking to a clone of myself!
Considering your use of certain “pharmaceuticals,” I don’t find it “strange” at all. Sic semper pharmacopoea!
@Pharniel: oooOOOoooh, that is some snakey-ass snakiness that would make a real snake blush!
“We fucked up, and it could fuck you up too. We’ll give you this band-aid if you waive what little legal recourse you have.”
Nice catch, thank you for sharing! Also, big THANK YOU to everyone else posting links and info; I’ve learned much about this incident just in this thread, and I really appreciate it!!
I would go much further. The credit rating agencies should not be allowed to make a system that might as well be designed to be as easy as possible for identity thieves so they can charge everyone a bunch of money for security. They should be forced to have secure defaults.
Major Major Major Major
@Roger Moore: at this point they should be pseudo-nationalized. ETA even better would be the development of an international standard, like that’ll happen
They’ll vote to make it illegal to report breaches like this because security by obscurity.
It took me several tries to figure this out, but they give you a date when you should come back to enroll – validation doesn’t necessarily let you enroll automatically. It’s as if they want people to forget.
As it turns out, I’m in the lucky 50% who haven’t been affected by this breach, but my wife is in the unlucky 50%. *sigh*
@The Moar You Know:
I can’t speak for the cars, but when I refinanced I signed some papers giving the bank the right to look at my credit reports. Of course, anyone could sign the same papers with my name.
@Gin & Tonic:
More likely, they got a false positive because they used such a common name. Smith is the most common last name in the US; people surnamed Smith make up more than 1% of the population. There are a million possible 6 digit combinations, and about 137 million people in the database. Therefore we can assume there are about 137 people in the database whose last 6 digits are 123456. If you assume that 1% of the population are named Smith, that gives a 1-0.99^137 ≅ 75% chance one of them is named Smith. If you’re going to check that kind of thing, you need to use a rare name, not a common one.
No. As you should know, if that is proven beyond a reasonable doubt, they’re looking at jail time. There’s a very high probability the Trump/Sessions DOJ will be too busy prosecuting people who inconvenience the rich and powerful to go after white collar criminals.
@Major Major Major Major:
Biometrics are not the answer. They’re OK if and only if the entity doing the authentication has control over the scanner. If you’re depending on the end user scanning their own biometric and submitting the scan, they can be duplicated as easily as a password can, and they can’t be changed. Even if you control the scanner, you have to worry about things like people being coerced.
Well, if you’re going to pick nits: If a jury decides that it is proven beyond a reasonable doubt, …
Because, as they say, one man’s meat is another man’s poisson.
AFAIK, that’s legally exactly what I said. In a jury trial, it is the jury’s job to determine if something has been proven beyond a reasonable doubt. If they don’t convict, from a legal standpoint the point wasn’t proven beyond a reasonable doubt no matter what some outside observer thinks.
I just did their little test, and the website said my data had not been compromised.
But since they lie all the time about everything, how do we know they are not lying now?
@skyweaver: Thanks for the info! I used your link and while it looked like they only gave phone numbers the company names were clickable links right to the security freeze site. Equifax and Experian were very easy to use, charged 5 bucks (OH). TransUnion required me to log in. Turns out I had registered in 2005 and never went back so I needed to reset my password but didn’t remember the answer to my secret question so they locked the account. I had to call and was subject to a dreadful hold message for 20+ min. Each time there was a pause and click that seemed to signal someone was taking the call, a stupid message was replayed. When I finally got through the person said they were having tech difficulty and things may not work right. I finally got my password reset and submitted my request online but got a message that the action couldn’t be completed. I will have to try again soon.
Major Major Major Major
@Roger Moore: as I said, it’s hard to see it as a good replacement for keyboard entry. (There’s also the issue of technology access)
@Cheryl Rofer: If you check Equifax’s site to see if your data was stolen, you *waive your rights* to sue Equifax or be part of a class action suit.
I don’t think if you check the site you waive anything; they’re not asking for agreement. Don’t know about the subsequent protection they offer – people will have to check the ToS.
But this isn’t just Equifax’s fault, for all that I hate them. Widely accepted authentication methods are unreliable and this is widely known. It is an area where the government ought to have stepped in years ago but, as usual in politics, governments take action after disaster.
Joy in FL
Alain, Thank you for this post. Somehow, this had escaped my notice. I signed up and forwarded the post to others.
Did they tell you that you are good or that it appears you are good?
Of course it’s obvious you understand that it will fuck consumers and protect those assholes who have made a million or so on blatantly wrong stock sales, because they will wring their hands and blame those 143 million consumers that were the victims here, without actually doing anything at all. First because the republicans in charge are totally incapable of understanding any of this and second because they are fucking republicans.
A few FAQs from the Washington Post.
OK, so it’s a semantics issue. (No, not snarking — I was envisioning a case where the prosecution proves it, but one [or more] of the jurors has a break with reality, a la “Well, yeah, Trump is a sexual predator, and a liar, and a grifter, and probably a Russian asset, and most or all of his businesses have failed, and he’s never accomplished anything on his own, but that Hillary … well I just don’t know, there’s just something about her.” In other words, proved in the eyes of the law, but not in the eyes of the jury, which I viewed as two separate things, apparently incorrectly.)
I checked, of course; the Equifax site says that I am not affected by the data theft, and invited me to sign up for credit monitoring next week. I am already signed up for credit monitoring due to a previous data breach, so I may skip it, or I may do it.
Meanwhile I will check my bank account and other financial sites more frequently.
@Alain the site fixer: Why even bother with using passwords (that is kinda snarky). Be interesting to see what gov’t positions Der Fuhrer offers to the executives who cashed out their stock BEFORE making the announcement about the hack.
@ElegantFowl: I think setting a security freeze on your data in the credit agencies is just about the only thing to do now that will have a good effect. Well, also get online access to your various financial accounts and keep an eye on them. The ‘get-a-monthly-bill’ routine is obsolete.
ETA: The security freeze prevents anyone from opening new credit accounts in your name.
There is something wrong with getting insurance from the firm which injured you.
Mom Says I*m Handsome
@Roger Moore: I bow to your superior stat-fu.
I’ve seen a report saying the Equifax site gives you no information but allows you to sign up for a year’s free credit monitoring – probably one of those “and we’ll auto-renew, FOR YOUR CONVENIENCE, really, not because we think you’ll forget to disable it, and get more unearned money from you” style credit monitoring plans.
Equifax shouldn’t exist after allowing a data breach like this. How can *anything* they say or do be trusted if they can’t fulfill the minimal security obligations for holding this information? It’s like saying “you can trust us with your chauffeuring duties – we even have plans to get driver’s licenses for some of our drivers!”
WTF. The ONLY reason this happens is because companies (large, small and everything in between) refuse to spend the money to secure sensitive data. I worked in IT for 40 yrs, I helped write the agency manual for data security for a Gigantic Federal Agency. Once again, the only reason this happens is because the people in charge won’t spend the money to secure their systems! Yes, it costs a lot to do it, more than a lot really, but geeze people just do it. (Special thanks to Herr Cole for showing me how to rant)
Ms. D. Ranged in AZ
Well, stupid site says I was impacted but then keeps going in circles. Why should I trust these asshats who can’t protect my information and can’t build a simple web form to help to enroll me for protection. What a crock.
@Ms. D. Ranged in AZ:
Not picking on you but how is it that we have gotten ourselves into this situation (OK I know how) where being able to exist in the modern world requires an approval from just 3 companies, that don’t do what they say they will, whose only rationale for existing is to screw us out of money, who have the competency of 4 day old toast, and who want us to allow them to protect us from, well basically them?
Talk about shakedowns. The mob was never this bad.
@Cheryl Rofer: My mother’s credit card number was stolen at a restaurant in Chicago and the person who used the number bought designer jeans and two hand made belts. My mother noticed the odd charges that the credit card company didn’t catch, and then questioned whether she was trying to get out of paying. My mom was 83 at the time, has never bought designer jeans and as she said, hadn’t worn a belt since before she had her fifth child in 1964. They apologized and took care of the charges and sent a new card. Since the incident they have been super diligent about monitoring charges.
To anyone arguing about the whole ‘indemnifying themselves from a lawsuit’ nonsense:
Does anyone here remember the Nintendo class action lawsuit?
Successful class action lawsuits that do more than nothing are the rarest of snowflakes.
Mary in Ohio
@Riccardo Cabeza: You can opt-out of the forced arbitration clause by sending your objections in writing. And according to the Ohio Attorney General’s office the clause only applies to the credit monitoring not to the actual breach FYI. http://www.cleveland.com/business/index.ssf/2017/09/equifaxs_arbitration_clause_ra.html