Credit Reporting Firm Equifax Announces 'Cybersecurity Incident Impacting Approximately 143 Million US Consumers'

Equifax, which supplies credit information and other information services, said Thursday that a cybersecurity incident discovered on July 29 could have potentially affected 143 million consumers in the U.S. "The leaked data includes names, birth dates, social security numbers, addresses and potentially drivers licenses," reports CNBC. "209,000 U.S. credit card numbers were also obtained, in addition to 'certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."

Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident." Equifax is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities.

UPDATE (9/7/17): According to Bloomberg, "three Equifax senior executives sold shares worth almost $1.8 million" in the days after the company discovered the security breach. Regulatory filings show that three days after the breach was discovered on July 29th, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099." Meanwhile, "Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2."

Free Credit Reporting?

[Lothsahn]

Do I get free credit reporting for this? Is it from Equifax?

Re:Free Credit Reporting?

[MrLogic17]

You probably know this already, but you already get one free per year from each of the 3 credit reporting agencies. (Thanks Uncle Sam!)

If you time it right, you can pull one every 4 months (rotating agencies, using each one yearly)

https://www.annualcreditreport... [annualcreditreport.com]

Re:Free Credit Reporting?

[slew]

You probably know this already, but you already get one free per year from each of the 3 credit reporting agencies. (Thanks Uncle Sam!)

If you time it right, you can pull one every 4 months (rotating agencies, using each one yearly)

https://www.annualcreditreport... [annualcreditreport.com]

Free credit report != Free fraud alert/monitoring.
Lots of fraud can happen in a 4 month time...

Re:

[Lothsahn]

Very helpful information, but yes I already knew this. I was just being funny. :)

Re:Free Credit Reporting?

[Applehu Akbar]

No, Equifax is going to treat the breach as a "hard pull" on everyone's account and ding your score for it.

Re:Free Credit Reporting?

[Nethemas the Great]

You mean it in humor, but I fear it as fact. 143 million of us just became higher risk.

Don't worry...

[s.petry]

No executives will be fired for this incident.

Re:Free Credit Reporting?

[amicusNYCL]

Don't worry, you'll figure it out when someone uses your personal data that they stole from Equifax to open accounts in your name, which causes your credit rating to go down, which will show up on your credit report. From Equifax.

Anyone want to place wagers on whether or not Equifax will drop your score because people stole your identity with the data they got from Equifax?

So much for all those "security" questions

[execthis]

This breach is why it ROYALLY pisses me off when some websites force me to answer "security" questions such as the name of the street I first lived on. The people responsible for such sites should be held accountable for gross negligence.

This is exactly why I now almost always answer the "security" questions with gibberish.

If my 20-length complex password of random digits, numbers, and special characters isn't enough for security then f it.

Also, it seems like it should be a basic civil right at this point

You must be new here

[s.petry]

On planet Earth.

The people responsible for such sites should be held accountable for gross negligence.

You mean a lackey or two right? No executives are held accountable for their own decisions. In fact, the bigger the screw up the more jumps applied to the Peter Principle.

Also, it seems like it should be a basic civil right at this point to be allowed to change one's SSN. To be forced to deal for the rest of one's lifetime with the consequences of it having been stolen is outrageous.

I'm not sure you know what a civil right is. I would however support legislation which outlaws the use of one's SSN as identification to anyone other than the Government, and perhaps even more specifically the Social Security Agency.

Banks. Schools. Health providers.

[execthis]

What's bad is that many of the offending organizations doing this are banks, educational institutions, and health providers. They must think "because we're a [bank|school|health provider] we need extra security" and then proceed to FORCE all users to answer these stupid questions.

Yes, make a law prohibiting use of SSN except by the SSA.

Re:

[Quirkz]

No, the SSN as identification is fine. Honestly, that's probably what everyone should use. What's wrong is using it as authentication. Nobody should use it for that, but despite that being obvious for decades, everyone continues to use it that way.

Answer with a famous person's info

[raymorris]

I understand your frustration. The purpose of those questions is, of course, as a backup because people forget / lose their password.

> If my 20-length complex password of random digits, numbers, and special characters

Unless you're re-using the same password on all sites (bad idea) and never changing it (another bad idea) you're probably storing them somewhere rather than memorizing a dozen different sets of 20 random characters which means you could lose it. In which case you'll need to use the securit

Re:

[execthis]

I use LastPass. If any of my devices are stolen - which has happened several times - I immediately change the master password.

I know people will say this is not perfect - LastPass itself could be compromised, or someone could potentially access my system and keylog - but it seems to be by far the best practical solution and has been foolproof to date.

However I like the idea of client certificates mentioned by another commenter. Sounds like the way of the future.

Re:

[pnutjam]

Keepass is a better choice, keep your passwords under your own control.

Re:

[execthis]

I'm curious about how this would work. Would each person have one client cert that works with multiple sites? Or would each site require it's own cert? What happens if your phone or laptop with the cert(s) on it is stolen? Would use of the cert on the local device (phone, laptop) require something additional like a fingerprint swipe or iris scan?

Re: TLS Client Certificates

[guruevi]

You obviously haven't used certs as authentication, but they're to be handled just like regular passwords. You have a private and public key, no reason to keep the private key accessible to any sort of theft, you can encrypt them so that any use requires a password however the password doesn't traverse the network but without it the cert is useless. In most cases you can also revoke the cert, LetsEncrypt-style cert providers allow you to both instantly revoke and have a short enough lifespan.

DONT USE THE LOOKUP TOOL

[Anonymous Coward]

It signs you up for a product. READ THEIR TOS. You just waived right to class action and agreed to arbitration...

Scumbag move!

Public Info?

[nealric]

At this point, is there anybody left in the U.S. who has not had their names, addresses, and socials stolen in from a hack somewhere?

Re:Public Info?

[Lab Rat Jason]

NOW can we stop using SS# as a national identifier? Jeez!

Re:Public Info?

[networkBoy]

Why?
It *is* a national identifier. It needs to stop being used as an authenticator.
SSN and Name first, Name last, Name middle should be interchangeable from a data and security standpoint.

The problem is that SSNs have been used as authenticators for the name and that's not what they were designed for.

Re:Public Info?

[Lab Rat Jason]

It is an imperfect national identifier because not everyone in the nation has one. It is an imperfect national identifier because you cannot change it when compromised. It is an imperfect national identifier because the nation allowed it to be hijacked as a commercial identifier. Banks and creditors in general should have to fend for themselves if they want to properly identify a debtor, rather than relying on a number that was issued for a completely different purpose.

Re:

[vux984]

It is an imperfect national identifier because not everyone in the nation has one.

All identifiers are imperfect.

. It is an imperfect national identifier because you cannot change it when compromised.

An identifier can't be 'compromised'; it's not really supposed to be a 'secret'. It's flawed to use it as a secret. Its fine as an identifier.

It is an imperfect national identifier because the nation allowed it to be hijacked as a commercial identifier

How does that have any bearing on its suitability to be an identifier?

r. Banks and creditors in general should have to fend for themselves if they want to properly identify a debtor, rather than relying on a number that was issued for a completely different purpose.

Um... what should they use? And even if they came up with something, it would be a matter of hours before a table of new_bank_id to ssn's was created, and a few hours more before it was leaked, making it a moot point.

Re:

[thegarbz]

It is an imperfect national identifier because you cannot change it when compromised

You're doing exactly what the GP said not to do. An SSN is an identifier, not an Authenticator. It is not possible to compromise an identifier any more than another person who has the same name as you "compromises" your name.

Or should I "compromise" your Slashdot account by going over to soylent news and signing up as Lab Rat Jason?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[networkBoy]

A SSN-PIN.

You are issued a public credential (your SSN) and a private validation token (PIN). PIN can be changed and is offered as a secure authenticated lookup service from the Social Security Administration.

Still not perfect, sure, but a hell of a lot better.

Re:

[KingMotley]

No, it is not since it is not unique

Ah, but it absolutely IS unique. There may be someone else incorrectly claiming that number was assigned to them, and it does happen, but the number absolutely is unique. Your father may "share" a number with someone else, but only one of them is correct.

The SSA attempted a few times to correct these errors, but were shut down by immigration lobbyists. That needs to change. If immigrants want to work here, fine, and if they want or need a SSN, then they should get one rather than just "borrowing" someon

Re:

[jezwel]

It's going to be amusing when we start reusing numbers. We've already exhausted about 460 million of the 988.9 numbers available.

Can you not change it to alphanumeric?

If you started that process now, everything used everywhere would have time to be replaced with updated software that can handle that format - even those places running COBOL or FORTRAN or whatever the flavor was 40 years ago.

Re: Public Info?

[Jesus H Rolle]

Same at least as late as the early 00s. It was printed on every student ID.

Re:

[Sloppy]

It still sounds fine as an identifier. But if anyone is thinking of it as a secret, they probably need to change the combo on their luggage.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Nethemas the Great]

No. States rights; invasion of privacy; {...}; get off my lawn!

Re:

[jmccue]

NOW can we stop using SS# as a national identifier? Jeez!

Well many years ago companies and government was told/encouraged/waned NOT to use the SSN for Id purposes and my original card had something like that printed on it. Of course everyone and their brother ignored that. So here we are.

Re:

[thomst]

NicknameUnavailable predicted:,/p>

More likely it will be an excuse to give everyone chips.

I like the wavy kind ...

Re: Public Info?

[Jesus H Rolle]

Ruffles have ridges!

Re:

[Sloppy]

"143 million U.S. customers" sounds a whole lot like someone's guess as to how many adults live in USA. I don't know if it's correct, but it's gotta be in the ballpark.

I suspect this means that Equifax leaked their entire database.

Re:

[Jarik C-Bol]

This breach is nearly half of the US. At this point, I assume with total confidence that my data is in the hands of someone it should not be.

Re:

[Nethemas the Great]

At this point, I assume with total confidence that my data is in the hands of someone it should not be.

It took you this long...

Re:

[saccade.com]

Probably not. Given a total US population of 320M, leaking data on 143M probably covers most every adult with a credit card.

Re:

[thomst]

Y'know, given that TFS states that 209,000 credit card numbers were compromised, I tend to think that the whole "potentially exposing the data of 143 million customers" hyperventilation is an invention of TFA's author, and that the actual number of customers whose data was exposed was 209,000 or fewer (because of the 182,000 customers' dispute data specifically mentioned thereafter, and assuming that 27,000 of those customers had two credit cards listed in their dispute files).

I'm just sayin' ...

Re:

[dgatwood]

Victims are normally just expected to be diligent about disputing any accounts opened in their name they didn't authorize. No way half the population will get a new SSN.

You see, I think that victims being diligent is just as much the wrong answer as getting a new SSN. It isn't our responsibility to catch bad guys in the act when they use our name and SSNs to obtain credit. It is the credit reporting agencies' responsibility to exercise due diligence in determining whether or not someone should extend cred

Re:

[CaptainDork]

"Illegal," in any legal context has a component of "punishment."

Undocumented immigrants who are "first-timers," are simply given due process and deported.

There is a free ride, meals and accommodations prior to ejection, but there is no punishment.

Because the first-timer is identified and documented, subsequent entry is illegal.

I have one thing to say

[Gerald Butler]

CLASS ACTION LAWSUIT! These companies that want to collect all this personal data of people and fail to protect it need to be sued into non-existence!

Re:

[ichimunki]

If that doesn't work, perhaps a law stating that the person who is the subject of a credit check gets to designate which credit reporting agency is to be used by their potential creditors.

Re:

[AmiMoJo]

This could be a lawsuit goldmine. Not just for the beech, but for errors people will now be able to discover in their reports.

Re:I have one thing to say

[Dutch Gun]

It's funny you mention "gold". During the great California and Alaska gold rushes, do you know who really struck it rich? It was the folks selling mining hardware and other supplies to the miners. The vast majority of miners didn't make much at all.

I think it's an appropriate comparison for modern-day class action suits. These types of lawsuits make lawyers rich, and everyone else gets enough for a free latte or two.

Re:

[BitterOak]

CLASS ACTION LAWSUIT! These companies that want to collect all this personal data of people and fail to protect it need to be sued into non-existence!

What would be the basis for such a suit? In most cases there's no business relationship between the consumer and Equifax, so there is no implied trust here. Equifax never promised, either directly or implicitly, to the consumer to keep their data secure, so there's no real breach of trust here. I don't see how the consumers have any standing to sue. Perhaps the retailers who supplied the data to Equifax may have some standing to sue as there may have been an implied expectation of privacy, but I don't s

Re:

[CaptainDork]

Preach it!

I'm a retired IT guy for some law firms. Management asked me for years, stuff like: WHEN is this spam going to stop?

My reply, for over 20 years was, "Maybe after you use your goddam talents and sue the mother fuckers."

Litigation cures a lot of ills.

Companies will not address security until it falls outside the cost of doing business.

For reference, see litigation regarding fire codes.

Re:

[HeckRuler]

There would certainly be company-sized HOLES that other companies could fill. There would be void and vacuums for periods of time, and there's a real risk that corporate espionage would be a big tool for corporations to simply kill each other. But I don't think any business should be "too big to fail". If they screw up, they should pay. If that brings them under, so be it. Have a fire-sale and let some younger company pick up the pieces and start anew. Hopefully with something that doesn't pollute cy

Re:

[burtosis]

The problems are billion dollar companies are first class citizens with rights. Plebs don't get any rights above them. Hell we plebs are lucky to have any rights, they only exist at the pleasure of these giants among men.

The beating will continue..

[WolfgangVL]

Until accountability is found.

How to fix the broken system?

[gerf]

Obviously having a lifelong single password (SS#) is not enough anymore. But we still want identification that is relatively quickly accessed and verified. Could we reissue with a public and private key pair for each citizen? Could we trust the certs? What options can the slashdot crowd think of?

Re:How to fix the broken system?

[Anubis IV]

Social Security numbers are fine. The problem is that organizations have foolishly been using them for authentication ("Prove you are you!"), rather than merely identification ("Who are we talking about?"), which was all they were ever designed to do. As a means for identification, it generally still works just as well today as it did when it began. As a method for authentication, it was lousy from the start and has been getting worse by the day.

Re:How to fix the broken system?

[fahrbot-bot]

Social Security numbers are fine. The problem is that organizations have foolishly been using them for authentication ("Prove you are you!"), rather than merely identification ("Who are we talking about?"), which was all they were ever designed to do.

Even more narrowly than that. It's original purpose was to track workers solely for use in determining SS benefits - that's it. From The Story of the Social Security Number [ssa.gov]

The Social Security number (SSN) was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels.

Obligatory CGP Grey Video

[Daetrin]

"So how did Americans end up with a national ID number that isn't one and a card terribly unfit to identify?"

Social Security Cards Explained [youtube.com]

.

Re:

[AHuxley]

Encryption per request? Everyone who wants access gets logged in and has to provide that weeks per session key, token?
Every data request session has to match up with a real computer in an office with a real human requesting data at a human rate of data access?

Why not?
From a used car sale to a gov/mil contractor seeing if the person's data been reviewed has data on them in their own state database.
The problem with that is then a huge new database exists of who went searching for exactly what, when a

Re: How to fix the broken system?

[gerf]

Or if the private key is a number/letter matrix and the authentication includes only sending a subset of data for authentication. If one subset is compromised, such as 8 random character positions out of a 40x40 matrix, then the whole is not known. Plus a personal changeable pin to salt it each time. New cards would have to be able to be certifiably re-released as well... Maybe only with biometrics.

They sat on this?

[djembe2k]

Wait. TFA says they discovered this on July 29, and that their "private investigation into the breach is complete." Only now are they going public with this? How much damage could have already been done in the month of August? The breach alone creates a huge liability for them. This delay makes it worse, because they can't blame that on some other bad actor.

Re:They sat on this?

[Zxern]

They had to wait for a few execs to complete share sell offs yesterday before releasing the public statement.

Re:They sat on this?

[thegarbz]

This is a good thing. A privacy breach generally goes unpunished. Insider trading on the other hand...

That's it...

[Thelasko]

...society is over. Back to subsistence living and bartering.

Most of their customers have no recourse

[misnohmer]

Typically when a company screws its clients, they risk clients no longer using their service, so usual market forces apply. This is not the case here. Most of their customers never chose to use Equifax or even given any explicit permission for them to collect their data. Yet, they do collect it and sell credit scores. The problem is that market forces don't work here, i.e. those customers who got hurt are not really paying, or even willing, customers and have no choice to opt out of the service, and those who buy credit scores are not really affected much.

As much as I am generally against regulation, this is one area I think they should be held fully liable, including compensating any affected customers for ALL of their expenses, including their time at some reasonable rate at or above what that customer usually makes per hour - that includes any waiting on hold while calling any of the companies to clear things out. Maybe this would cost Equifax its life, so be it, the next company will be much more careful what they do with the data. This would be no different than an airline being held liable for damaging property of killing people because their planes are shedding parts - the people hurt are not airline customers, they are the homeowners who had an aircraft parts crash through their roof into their living room.

Re:

[Fly Swatter]

The breach only effects consumer data, which is not really a client or customer of Equifax. Those would be the banks and lenders that use their data conglomeration services.

The thing about this that bugs me is why in the hell were public facing computers holding access to basically everything someone needs to completely take your identity. Why is that company even allowed to hold anything other than your address, ss# and reporting history ? They shouldn't have credit card or even bank account number info im

Re:

[AHuxley]

Re public facing computers holding access to basically everything someone needs to completely take your identity.
The network and database is secure. Everyone with access is trusted. The data is a format that every one with access can read and have displayed in a useful way.

Re:

[burtosis]

Reminds me of when Experian [krebsonsecurity.com] basically let all thier data be stolen too. The purchased a company that then stole the data. Or when all 3 credit agencies [crn.com] had a breach. But they sure got thier due when the hundred billion dollar fines rolled in!!! Just kidding of course, barely a slap on the Wrist. Nothing is going to happen and Equifax will promise not to do it again - until it happens again in about 18 months.

Re:

[BitterOak]

As much as I am generally against regulation, this is one area I think they should be held fully liable, including compensating any affected customers for ALL of their expenses

The problem is, I'm not sure under what grounds Equifax could be held liable here. When a retailer (such as Target or Home Depot) is hacked, exposing customer data, the customers were able to successfully sue on the grounds that these retailers breached their trust. When a customer hands a credit card over to the retailer, there's an implied trust here: the customer is trusting the retailer not to leak their private info, and when a retailer accepts a customer's credit card, there is an implication that t

Re:

[misnohmer]

Follow my example of an airplane shedding parts causing properties below. There is no implied trust between an air transport company and a homeowner who had a piece of landing gear fall through his roof. There is no business relationship between the air transport company and the homeowner either. Yet, I bet if an engine fell off of a FedEx airplane and damaged someone's home, FedEx would be held liable. IANAL, so you tell me, what would be the grounds FedEx would be held liable for damage their engine cause

Re:

[UnderCoverPenguin]

Except that FedEx will claim that they are not the ones liable, it's the responsibility of the aircraft maintenance company. The maintenance company will then deflect the liability on to the local contractor, who will file bankruptcy and go out of business. Meanwhile, the home owner's insurance company, knowing the preceding, will declare the incident an "act of God", therefore, not covered.

(For those who think this wouldn't happened, something similar did happen to one of my neighbors. The "bucket lift" of

Re:

[BitterOak]

Follow my example of an airplane shedding parts causing properties below.

That comparison isn't valid at all. In that case, the airplane parts are entering someone's property. Same as if I break into someone's house, it doesn't matter if I had a pre-existing business relationship with them or not, I've established a relationship of sorts by entering their property. Same if my plane drops parts on their property. But Equifax didn't trespass on anyone's property or have any interaction with these customers at all. Some information was leaked, but did Equifax have any obligatio

Re:

[xystren]

Until you read the fine print on all those forms that you had signed, pretty much allowing such sharing of said personally identifiable health information. Look through the fine print - odds are you've consented to (likely unknowingly) to that sharing. Sad I know.

Re:

[xlsior]

The difference here is that you are not equifax's customer - you are their product.

Re:

[slew]

The difference here is that you are not equifax's customer - you are their product.

You should remember the fact you are the product every time you do a search on the internet, or partake in a free email provider...

Re:

[Wrath0fb0b]

Consumers are not their customers. Their customers are banks and other entities that want to know whether a person is a good credit risk.

Insofar as they injured any other third parties, they should surely be held liable. But this has nothing to do with whether the individuals whose data was leaked are "customers" of the credit agency. They are clearly not, nor should such a designation even be relevant when assessing liability.

Tips now that your credit info has been stolen

[Poisonous Drool]

Someone filed a fraudulent return for me on March 30 of last year. They had their "refund" sent to a debit card. I've used the same CPA for 30 years, which gives you and idea of how well the IRS detects fraud. I have no idea how my information was stolen. A few points:

1. The best defense is to file early (e.g., February).
2. As a victim of id theft, you should qualify for a free credit freeze. Good luck. Out of six requests (3 each for me and my wife) only one was accepted. You can waste your time

Re:Tips now that your credit info has been stolen

[fahrbot-bot]

Regardless, in most states you can pay $10 -- to each credit bureau -- and freeze your account permanently anyway. I did just that in 2011. When getting a loan or new line of credit, you can ask the company which bureau it will use for the credit check, call the bureau and either (a) unconditionally unfreeze it or (b) unfreeze it with a password or PIN, which they will US mail you -- for a specific number of business days. It's actually fairly painless.

Re:Tips now that your credit info has been stolen

[AlanBDee]

Here is an article from the FTC on freezing your credit: https://www.consumer.ftc.gov/a... [ftc.gov]. I also recommend doing it.

Even though some banks can't process your car loan, or other credit. Your goal in personal finance should be to not need credit and to pay cash for everything. If you don't have the cash then you can't afford that car.

Re:

[jezwel]

If you don't have the cash then you can't afford that car.

It costs me $20 a week to have that car now rather than save up a few years for it. The gas savings from having the more frugal car is around $15-18 per week, so to have this newer car 'on credit' is costing me less than a dollar a day.
Think I'll take that deal.

Next time it may be different as I won't be going from a gas guzzler to an econobox, but even so that $20 a week will be covered by a single year pay rise, let alone the other 4 years for when the car is paid off. Actually by then pay increases will

Re:

[thegarbz]

If you don't have the cash then you can't afford that car.

That is possibly the dumbest comment I've ever seen. The ability to afford is about balancing incoming and outgoing finances, not about accumulating mountains of cash.

If that was your criteria then as a well paid engineer I wouldn't have been able to "afford" my car for the first 6 months of my working life.

(I could and did afford it, along side holidays, other luxury spending and also house repayments).

This is Irony, right?

[burhop]

...if the bad guys use this stolen data and mess up your credit score.

Referencing, my primary "go to" grammar resource, it seems to case #2

http://theoatmeal.com/comics/i... [theoatmeal.com]

Need an ethical hacker?

[paulina james]

Should you need the services of a hacker, i implore you to visit http://www.hackerspod.com/inde... [hackerspod.com] or you should contact liammoore015@usa.com. i hired him for personal exploits early december last year and that was the decision that lit up my christmas and got me set for 2017. try to hire certified veterans for your hacking needs. This guy surely works like an elite, he is efficient,reliable and provides lasting and permanent solutions. He got my DUI records cleared as though it never happened and my credi

in UK and Canada too

[zm]

https://www.equifaxsecurity201... [equifaxsecurity2017.com]

As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.

Easy fix

[Ryanrule]

1 million per persons data lost. Start by draining the assets of the board and c suite. Put them on the street.

Insider Trading!

[chromaexcursion]

Let's see some federal charges. one count for each share of stock affected.
Make them pay!

Re:

[bongey]

Yep they claim they didn't know about the breach. Sure I believe them , wink,wink.

It's going to get (much) worse

[Teckla]

Regarding computer and data security, it's going to get (much) worse before it gets better. We're currently in the Dark Ages of Computer Security... but we haven't hit bottom yet.

Company culture in this area is just totally, utterly, hopelessly broken. They value speed above all else, so you end up with developers pulling libraries/jars from all over the Internet (many or most with huge security holes), you have companies incentivizing employees to get things done as quickly and cheaply as possible, you hav

Re:

[Marlin Schwanke]

I agree with yor assessment. Capitalism at its finest. Lowest bidder, outsource as much as possible and cut any corner to save a few pence.

this lady doth not protect enough, methinks

[epine]

Wow, it's going to take a long damn time for Equifax to out this tiny blemish from their permanent spot record.

"O, but she'll keep her word."

Actually, sorry Hamlet, cat's entirely out of the bag now.

Criminal Negligence?

[Marlin Schwanke]

Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company.”

So it’s all about his company. What about the havoc his company will wreak on millions of consumers via this data breach? These a**holes collect all manner of sensitive personal data, without our permission I might add, and let it get away from them because the lot of it is on an Internet facing server connected to a web app. I think it rises to criminal negligence.

Speaking of crimes, I expect to see criminal insider trading charges and jail time for those executives who scurried off to sell their shares when the breach was discovered but left us vulnerable for weeks.

Re:

[Okind]

These a**holes collect all manner of sensitive personal data, without our permission I might add, [...]

This is the part where I think the US (and the rest of the world too, for that matter) needs a law like the upcoming GDPR in Europe. That would require anyone to obtain explicit & informed consent, protect data properly, and inform the public timely when this protection fails (the 'timely' bit was clearly not done here).

Re:

[account_deleted]

Comment removed based on user account deletion

What a joke

[LeftCoastThinker]

First off, the executives that sold their stocks while withholding negative information should have that money confiscated and be prosecuted for insider trading (seeing as how they were holding back negative news on purpose to profit.) The retiree pension fund should not take the hit that those assholes created in the first place...

Yet another example of the dire need for legal accountability at the federal level of companies that hold private, personal information. The three credit reporting agencies don

It's time to write Congress demanding reform

[PeterM from Berkeley]

Right now, someone who has your information but no real proof of identity can borrow money as "you", and the creditor gets to libel you via the credit reporting agencies when they don't get paid.

This must stop. Please write Congress and demand that creditors no longer have the right to libel you as a non-payer unless they can prove it was actually YOU who borrowed their money and failed to repay as promised instead of just someone who had some information about you, that they didn't bother doing due diligence on to verify.

I've already written Congress about this several times, but now it's literally EVERYONE'S information that has been stolen, and the whole nation must face the fact that they are vulnerable to this sort of thing now.

--PeterM

You mean these guys?

[BarneyGuarder]

http://www.equifacks.com/ [equifacks.com]

Re:

[MightyMartian]

I'm fairly certain if you have applied for credit of any kind, somewhere on the dizzying array of forms in the small print you did indeed consent to sharing your financial information with Equifax. In fact, I doubt there's any kind of main street lender anywhere in the US or Canada that would loan you so much as a penny without consenting to this, so about the only way you could have borrowed money without this consent if it was from a guy in a trenchcoat in a dark alley who went by the name "Vinny the Knif

Re:

[MightyMartian]

Neither did Equifax, I'm sure. They're crime is not securing their systems, which would obviously be a very attractive fruit for any hacker to try to pluck, and in a perfect world Equifax would be fined billions of dollars and its management would rot in prison cells for a very long time. As it is, I'm sure the FCC will do some shoddy little investigation that amounts to a few million dollars in fines, there will be a class action lawsuit that probably will see some small fraction of the victims get some me

Re:

[Dutch Gun]

Company-destroying fines or jail sentences will probably just mean said companies will do anything to cover up this sort of breach. Moreover, these sorts of breaches can occur even when everything is done as correctly as possible due to things like targeted spear-phishing or rogue employees. We want companies to be able to disclose these sorts of things responsibly, even if it was their lack of proper oversight that caused the problem in the first place (and yes, most of the time it DOES seem to be their

Re:

[jeff4747]

I don't recall ever being asked by my bank for permission to share information with Equifax or Transunion.

It's buried in the boilerplate you signed when opening your account(s).

The company names may or may not be there. If they are not there, the paperwork uses something vague like "credit reporting agencies" or even "third parties".

Would it really break the US banking system, if there was a way for us to opt out of having our spending history sent to 3rd parties?

Only in as much as you'd never be able to get a loan, rent a house/apartment or open a new bank account ever again.

Why is there this assumption of agreement for this sharing of information?

Because 1) you agreed to it, and 2) centralized reporting is very handy for creditors.

I don't recall any newspaper articles about a national discussion and debate on this decision?

It's not a law, so there was no national debate. Theoretically, banks do not hav

Re:

[Comrade Ogilvy]

I once had an identity theft incident, nearly 25 years ago, where a couple credit cards were taken over (mailing address changed, and new copies of credit cards shipped) and a few new credit card accounts opened. I caught the problem early enough that the damage was minor, more nuisance than financial.

But a little digging and simple deduction led me to this conclusion: someone gained access to my full name, mailing address, SSI, mother's maiden name, and multiple open credit card account numbers. Now wher

Re:

[93 Escort Wagon]

Baloney. I just did a search for "Anonymous Coward" and got millions of results. Your info is all over the place.

Re:

[burtosis]

If only there were hell to pay. If they lost all that the punishment would be nothing at all.