Equifax Breach

Looking at my retired ID card, I now have a DoD ID number that is not my SSN. It is identical to my DoD benefits number. Card issued Nov 2016.

I think the services (at least the AF) have been transitioning to unique identifiers with Common Access Cards. I know over my last few years, most forms have been changed to accept only the last 4 digits to help protect it. I doubt DoD is all the way there yet, but I think they're making progress.
Not too big a lift to build the rest of the SSN, if you have the last four. Treat your last four like the real thing, and any organization using it as an amateur. . .
 
They needed time to dump stock......insider trading will be the nail in the coffin

Has any news surfaced of investigations into the stock dump yet?

Company says the stock sales were by people who weren't briefed into the problems. Whether true or not, *proving* they knew is a tough nut to crack, unless they *ironically* left a digital trail of communication stored somewhere on a server. :)
 

Reading between the lines, three points:

They still don't know exactly who is affected. A month and a half after the break-in, they now say they hired somebody to help them assess that. So I would ignore whatever their website says, if you check it to find whether you were "impacted."

Months after they should have patched their server software to fix a known vulnerability, they didn't. What were they doing?

Their defenses appear to have been designed so that overcoming just one vulnerability allowed stealing over a hundred million SS numbers with birthdates. Equifax never says these data were protected also by encryption-- why?
 
Probably no sinister reason, just incompetence. Like OPM, and the VA, Social Security, Home Depot, Target, etc.
 
Just froze all three. I guess there's no fee for NY residents, which is one of the few times I can say that living in this state has *saved* me money. :p
 
Their defenses appear to have been designed so that overcoming just one vulnerability allowed stealing over a hundred million SS numbers with birthdates. Equifax never says these data were protected also by encryption-- why?
Because people don't seem to understand defense in depth.
 
Equifax is really screwing the pooch on this one. All of their systems are overwhelmed.

Yesterday, we needed to unlock SWMBO's credit. She entered the proper info into Equifax's system to request the unlock and the system spit out an error code basically telling her to try again later. On top of that, the error code didn't come with a "call this number for help" prompt or anything, and a search of their website didn't identify any numbers where you were going to encounter an actual human to work the problem. So she was stuck with an automated system which didn't address her particular problem. <As it turned out, the error code itself was an error. Her effort to unlock credit was actually successful, we found out later.>

I wouldn't be surprised if an event like this results in the ultimate downfall of the company. People (and businesses which need to check credit) will not put up with this level of incompetence.
 
Reading between the lines, three points:

They still don't know exactly who is affected. A month and a half after the break-in, they now say they hired somebody to help them assess that. So I would ignore whatever their website says, if you check it to find whether you were "impacted."

Months after they should have patched their server software to fix a known vulnerability, they didn't. What were they doing?

Their defenses appear to have been designed so that overcoming just one vulnerability allowed stealing over a hundred million SS numbers with birthdates. Equifax never says these data were protected also by encryption-- why?

They don't have a clue, so they don't have a clue.

They have a "we can't patch because it might break something" mentality internally -- guaranteed. Instead of a "we'd better patch internally and find out if it breaks something and if nothing obvious we'd better get this out to Production immediately."

You assume they designed any defenses. Probably not.
 
Does anyone know how to find out your freeze status with Experian? When I go through the website it just asks if I'd like to add or remove a freeze and then wants $10 and for me enter a CC number. I'm pretty sure I'm frozen, all I want to do is verify that. I cannot find a phone number to call them that works either.
 
888-397-3742 is the number that was published in my local paper. It is an automated line - no live person on the other end. I had to use it to place the hold on my file. Their web site would not work for me. Now I am waiting on a letter of confirmation to come snail mail.

Did anyone enroll in TrueIdentity from TransUnion? It was free and seemed like a good way to freeze and unfreeze your file.
 
Equifax is really screwing the pooch on this one. <SNIP>
I wouldn't be surprised if an event like this results in the ultimate downfall of the company. People (and businesses which need to check credit) will not put up with this level of incompetence.

I truly hope you are correct. Unfortunately, I see no indications there will be any changes.
 
Pilawt - I had the problem with experian. I went through the sign up process and put in the credit card number. Eventually it errored out and told me to try again. That is when I went to the automated phone number. That seemed to work. TrueIdentity will start working again.
 
Is TrueIdentity a freeze? Or something short of that promoted by TransUnion because it's in their interest for you not to freeze?
 
I truly hope you are correct. Unfortunately, I see no indications there will be any changes.

New York Governor Mario Cuomo has donned his mask and cape and is pushing new regulations to require CRAs to annually register with New York and "subjecting them to strict cybersecurity standards:"

http://www.timesunion.com/7day-stat...dit-reporting-regulation-in-wake-12205808.php

The proposal itself is pretty underwhelming, but it would require CRAs to be in compliance with 23 NYCRR 500, further FAQ'd here, whose requirements are at least better than what Equifax had in place. Banks, credit unions, and other financial institutions that come under New York State regulation have fallen under 23 NYCRR 500 since March 1 of this year. I recall it being adopted with little opposition from the banking industry and generally positive regard from the cybersecurity industry.

My own opinion of 23 NYCRR 500 is that it's not so much a good framework for security as it is a bare-minimum standard, which is all regulations are in any case. A financial services company that is compliant with 23 NYCRR 500 isn't necessarily practicing good INFOSEC, but a company that isn't compliant most certainly is not.

In any event, I can't think of a good reason why CRAs shouldn't come under strict security regulations. They hoard more PII than any single financial services company, so it makes sense that they should implement at least as good INFOSEC. How practical it is to implement these standards at the state level is a whole 'nuther question.

Rich
 
Is TrueIdentity a freeze? Or something short of that promoted by TransUnion because it's in their interest for you not to freeze?

I don't know if it's a "freeze." The site doesn't provide enough information to determine that. I suspect that it's not, at least technically, because otherwise they would call it a "freeze" instead of a "lock."

Also note that the privacy policy states, among other things, that members may receive "targeted offers," at least at the free level. I also suspect that the mobile app requests broad permissions and collects generous amounts of data that could be used for marketing purposes. Because some of those permissions would legitimately be necessary for security and for the app to perform its intended function, denying the permissions would probably render the app useless.

So I guess it basically depends on how a "lock" is defined and how much you trust TU both in terms of safeguarding even more of your data than they otherwise would have, and to use it ethically.

Rich
 
I bet they're storing the freeze data in the encrypted file system. ;) ;) ;) Trade secrets, you know. LOL.
 
I love it!

We have this system that you cannot NOT use (Credit Rating)

Three companies get to "do it" to us. Is that "for us" (Transunion, Equifax, and Experian)

They can manufacture reasons to charge us MORE for something you cannot not use?

Holy hell. I think Experian and Transunion will pay kickbacks to EQ for this run of extra income, and then in 6 months Experian will take the crack hammer and us lemmings will run around paying to protect our useless credit ratings.

Anyone got any Dave Ramsey opinions on this current outrage?
 
Anyone got any Dave Ramsey opinions on this current outrage?

I think he did a rant last week. It'd be on his YouTube feed.

Yup. Here's the show clip the day after.


As I recall, I thought he was too nice to the CEO praising his PR abilities. Later on he talks about the possibility of insider trading but he soft pedals that whole aspect.

You also forgot the necessary kickbacks to legislators in your math. Some percentage of the added revenue from people signing up for these "services" certainly shall go into buying legislative protection via cash donations. And they'll use the added number of people signing up in a panic as part of their marketing numbers. "We have X million people signed up for our monitoring service! X million people _trust_ Equifax to monitor their credit!"

LOL. Marketing. You watch. They'll use that number to get even MORE idiots to do business with them.
 
Later reports say it was an unpatched vulnerability in Apache.

Doesn't matter, there is no way that data should be accessible on a computer that is tied to the internet.
The web server should get that data through a firewalled secondary server. And that secondary server should only have the data required, nothing else.
This would force hackers to break into 2 systems, not just an open source web server!
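The two-tier layout this post describes, as an added example (not code from any poster here): the internet-facing web tier holds no records and can only ask the firewalled internal service a short allow-list of yes/no questions, so a compromised web server still cannot pull full SSNs. Class names, the sample credit file and the query names are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class CreditFile:
    ssn: str          # full SSN exists only inside the internal tier
    dob: str          # YYYY-MM-DD
    frozen: bool

class InternalDataService:
    """Firewalled tier: answers specific questions, never hands out records."""
    ALLOWED = {"verify_last4_dob", "freeze_status"}

    def __init__(self, files):
        self._files = files          # file_id -> CreditFile
        self.refused = []            # audit trail of refused (query, file_id)

    def handle(self, query, file_id, **params):
        if query not in self.ALLOWED:
            self.refused.append((query, file_id))   # log it, then refuse
            raise PermissionError(f"query not allowed: {query}")
        rec = self._files.get(file_id)
        if rec is None:
            return {"ok": False}     # same shape as a bad match: no enumeration hint
        if query == "verify_last4_dob":
            match = (hmac.compare_digest(rec.ssn[-4:], params["last4"])
                     and rec.dob == params["dob"])
            return {"ok": bool(match)}              # yes/no only, no record fields
        return {"ok": True, "frozen": rec.frozen}   # freeze_status

class WebTier:
    """Internet-facing tier: stores no PII; forwards only allowed questions."""
    def __init__(self, service):
        self._svc = service

    def freeze_status(self, file_id, last4, dob):
        check = self._svc.handle("verify_last4_dob", file_id, last4=last4, dob=dob)
        if not check["ok"]:
            return {"status": "denied"}
        frozen = self._svc.handle("freeze_status", file_id)["frozen"]
        return {"status": "ok", "frozen": frozen}

# Constructed sample data for a stand-alone run.
SAMPLE = InternalDataService({"f1": CreditFile("123-45-6789", "1970-01-01", True)})
WEB = WebTier(SAMPLE)
```

Anything outside the allow-list (a bulk dump, for instance) is refused and recorded, which is the point the post makes: breaking the web server alone should not be enough.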
 
Doesn't matter, there is no way that data should be accessible on a computer that is tied to the internet.
The web server should get that data through a firewalled secondary server. And that secondary server should only have the data required, nothing else.
This would force hackers to break into 2 systems, not just an open source web server!

Ummm, doesn't their business model consist of selling and delivering that same data over -- the internet???
 
Doesn't mean you have to serve it up on a silver platter for hackers to get to.

No disagreement there. They were idiots with regards to security.

Just kinda tough to make data delivered via computer inaccessible via computer.
 
Yup, that'll fix everything.

Well you know, someone had to be on the chopping block. Most companies these days have been very quick to fire top level leadership when ANYTHING major happens to disrupt image. And, quite honestly they should, in addition to anyone else who was negligent.

It was only a matter of time.
 
Well you know, someone had to be on the chopping block. Most companies these days have been very quick to fire top level leadership when ANYTHING major happens to disrupt image. And, quite honestly they should, in addition to anyone else who was negligent.

It was only a matter of time.

Actually, I think they should be criminally prosecuted as accessories to whatever identity theft crimes are proven to have been committed as a result of the breach.

Rich
 
Well you know, someone had to be on the chopping block. Most companies these days have been very quick to fire top level leadership when ANYTHING major happens to disrupt image. And, quite honestly they should, in addition to anyone else who was negligent.

It was only a matter of time.
Except that it does nothing other than soothe the court of public opinion. It does nothing. These chief executives likely had no idea and left it to their employees to do their jobs.

But I wouldn't mind one of those severance packages.
 
Except that it does nothing other than soothe the court of public opinion. It does nothing. These chief executives likely had no idea and left it to their employees to do their jobs.

But I wouldn't mind one of those severance packages.

Hah, everything is about public opinion. It doesn't matter who you are, or what your personal beliefs are, if the public opinion of your company sucks and you're in charge, that's it. Just look at the news, you see mayors being asked to resign for some patrol officer violation, or heads of state universities being asked to quit because of some professor's tweet. People don't care, they want to punish the person in charge, at the top. Got a beef with Walmart about some double-charge on your credit card? Forget blaming the moron that swiped your card twice, punish the store owner, have them quit.

That said, if the executive DIDN'T know about the breach then he/she is either completely incompetent or has no visibility into what his/her subordinates are doing. Neither of which is an excuse. The CEO at my company is responsible for 2000+ employees and I'm on a first name basis with him, but he also knows his entire staff and the numbers better than the analysts do sometimes. Because he's involved, he gets it.

You can't live in an ivory tower and collect your 4M per year and expect people to just "take care of you". You need to ask questions, read articles, get input, or live with the consequences.

Equifax had to know it was a target. It had to know that other places were being breached. Why wasn't the CEO asking the CIO or technical officer questions like, when was our last penetration test, who signed off on us being compliant, when did it happen, who's on the hook if we get breached, etc... Where is it in writing that that person did any of that? Because I'll tell you what, if there is documentation I'd be keeping my job..can't say much about the CIO though.
 
Equifax had to know it was a target. It had to know that other places were being breached. Why wasn't the CEO asking the CIO or technical officer questions like, when was our last penetration test, who signed off on us being compliant, when did it happen, who's on the hook if we get breached, etc... Where is it in writing that that person did any of that? Because I'll tell you what, if there is documentation I'd be keeping my job..can't say much about the CIO though.
That detail was likely being provided... but they don't tell the whole picture. It takes domain specific knowledge to actually understand the reports... and people tend to glance over the stuff that is bad or incomplete. PCI scans look great, but are often meaningless. Pentests by the less-expensive firms tend to be a little short. Compliance? Internal audit said all was ok with some action items! I bet there was plenty of documentation, but the court of public opinion prevailed.

Information security is a funny subject that very few actually understand. Most who think they get it... really don't.
 
That detail was likely being provided... but they don't tell the whole picture. It takes domain specific knowledge to actually understand the reports... and people tend to glance over the stuff that is bad or incomplete. PCI scans look great, but are often meaningless. Pentests by the less-expensive firms tend to be a little short. Compliance? Internal audit said all was ok with some action items! I bet there was plenty of documentation, but the court of public opinion prevailed.

Information security is a funny subject that very few actually understand. Most who think they get it... really don't.

Right but again, that just goes right to executive incompetence. If your business involves that kind of information you have to demand more. Honestly they should axe the whole C level as a matter of course as well as anyone associated directly with the breach itself. Johnny engineer is only going to do what he's told to do. Getting breached due to a KNOWN vulnerability has stupidity written all over it from the IT team responsible for that patch all the way up to everyone who ignored it.

Perhaps it's just me, but I'm sick of leaders who refuse to lead. I hate those people who just ride on the shoulders of overworked, underpaid staff and contribute ZERO anything to the company aside from taking credit for the successes of others.

I'll get off my soapbox now :)
 