The Stolen Equifax Data Has Never Been Found, Experts Suspect a Spy Scheme

An anonymous reader quotes a report from CNBC: On September 7, 2017, the world heard an alarming announcement from credit ratings giant Equifax: In a brazen cyber-attack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S. It was the consumer data security scandal of the decade. The information included social security numbers, driver's license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instilled new regulatory oversight of credit ratings agencies. Then, something unusual happened. The data disappeared. Completely.

CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen. But none of them knows where the data is now. It's never appeared on any hundreds of underground websites selling stolen information. Security experts haven't seen the data used for in any of the ways they'd expect in a theft like this -- not for impersonating victims, not for accessing other websites, nothing. Most experts familiar with the case now believe that the thieves were working for a foreign government, and are using the information not for financial gain, but to try and identify and recruit spies.

Or they could just be using the Demographic data

[rsilvergun]

to disrupt our political system. A DB like that would be a goldmine for that purpose, and we know just about every hostile nation is meddling in our politics.

Re:

[Narcocide]

No, it makes a ton of sense if you're thinking like someone who has billions of dollars and government supercomputer access. With this data, all they need is some purchasing history to feed into the simulator with it and they can make a full psychological profile on you and everyone you've ever met.

Re:

[ShanghaiBill]

No, it makes a ton of sense if you're thinking like someone who has billions of dollars and government supercomputer access. With this data, all they need is some purchasing history to feed into the simulator with it and they can make a full psychological profile on you and everyone you've ever met.

How does having someone's SSN help you access their purchasing history?

If you have someone's SSN and purchasing history, how does that help you psychologically profile them any better than just having their purchasing history (which they don't have)?

How is the SSN helpful?

How would an SSN help them identify "everyone you've ever met"?

How would "supercomputer access" be helpful?

Re:

[Narcocide]

They use that SSN for a lot of important paperwork throughout your life, from jobs to schools to property ownership to insurance. If you take all these fatuous questions and assume this wasn't the only data breach ever, it really shouldn't take a huge imagination to figure out the types of things they could do by combining it with similar troves of data extracted from various social networks and advertising networks.

Re:

[Narcocide]

Checkmate.

Re:

[viperidaenz]

Why not do both?

Because they likely have addresses

[rsilvergun]

to go with that, so they'd know where, based on financial data, people were in bad or good financial shape and therefore where they could foment anger, frustration and discontent leading to poor decision making.

People in bad shape do not make good choices. Pressure does not make diamonds, it makes garbage more compact. Take somebody who's financially desperate and push the right buttons and they'll do stupid things. Do it to a large number of people in a country where political decisions are made by margins of less than half a percent and you can wreck shit.

Not anywhere close to that level of detail

[rsilvergun]

we're talking the ability to target neighborhoods. Individuals even. Crazy shit becomes possible when you've got a large state with nigh unlimited resources and a monstrous amount of data on their enemy.

How can equifax be in business with this fail?

[Anonymous Coward]

What's the economic cost given the name, birthdate, social security numbers can be used for DECADES to disrupt the US economy?

How can Equifax still be in business?

How can Wells Fargo, identify theft opening fraudulent financial accounts on a mass scale, still be in business?

Is this the USA where you get a monetary fine paid by your errors and omissions insurer and stay in business?

The data losses are like the worst chemical spill times 500.

Re:

[ShanghaiBill]

How can Equifax still be in business?

Because the people responsible have already resigned or been fired. Destroying the company would serve no logical purpose, would harm thousands of innocent people, and reduce competition in the industry.

Re:

[AmiMoJo]

Make Equifax a non-profit for the next decade or two, with any money they make used to deal with identity theft and regulating the other credit reference agencies.

Japan has jail for companies, basically they are not allowed to do any business for a number of days but have to pay staff. It's means tested to avoid making people unemployed and can't be used as an excuse for layoffs etc. Equifax could do a 4 day week for a while.

Re:Or they could just be using the Demographic dat

[rtb61]

You got to be totally delusional, disrupt the US political system, it needs to be fucking disrupted it is entirely corrupt. It is so crooked, any disruption immediately makes it more honest than it currently is. Right now, the rest of the world is content to allow the US to SELF DESTRUCT as long as it leaves the rest of the world alone in the process and there is stops. Maybe just maybe a few countries are using their espionage services to disrupt the corruption by exposing the crimes in the US that the US government routinely ignores, especially high level crimes.

When you disrupt corruption, you do not make it worse, you just reduce it's extent, so hopefully everyone across the globe will work hard at disrupting entirely corrupt US politics, so that it is less corrupt (which would as it fucking turns out, means disrupting the extremely negative, corrupt and very criminal influence of the UK government, the Israeli government and the Saudi government and their disruption of any attempts to make US elections actually democratic and start prosecuting high level corruption).

Re:

[AmiMoJo]

How do you explain Trump then? He came in and disrupted the usual political landscape, a non-politician with no experience in office and few connections within the Republican party. Displaced a bunch of more mainstream, established candidates including Clinton and Cruz...

And yet he is also one of the most corrupt Presidents ever, loves giving jobs to his family and friends, uses the position to enrich himself, and at the very least seems to have surrounded himself with convicted/confessed criminals.

It's gone

[Anonymous Coward]

Maybe they saw how much media attention they got and deleted it out of fear?

The guy died and took the password with him

[registrations_suck]

Maybe they encrypted it all and the guy with the password died, and now they're all fucked because they can't hack into it.

Re:

[Narcocide]

LOL! Now that would be funny.

Re:

[Lab Rat Jason]

I came here to say this... a script kiddie who got in over their head and panicked. Or alternatively, a moderately talented hacker got in over their head trying to sell it to a superpower, and either pulled the rip-cord, or died trying.

Re:

[ShanghaiBill]

Or the NSA swiped the data, and didn't cover their tracks well enough to go undetected.

Re:

[Narcocide]

What's that you say, girl? The data is still in the building? It's trapped in the break room and trying to get out?! Quick girl, go tell Paw!

Re:

[NickHydroxide]

If there's one lesson I've learned about large organizations, it's Hanlon's Razor - never attribute to malice that which can be adequately explained by stupidity.

Just waiting

[chiefcrash]

Perhaps they're just waiting for the heat to die down and those free credit-monitoring programs to expire before using the data....

This data is not needed for recruiting spies

[ffkom]

Foreign agencies only have to wait for the next ritual "shutdown" and make a friendly offer to any government employees no longer paid - e.g. at your locale garage sale or at public soup kitchen.

Re:

[viperidaenz]

The employees got paid.
All the contractors got given a big fuck you.

Re:You believe what you're told

[bobbied]

Not true.. IF you had a funded government contract, you got (or will) get paid for work done/hours worked.

If you got sent home because there was no work to do, too bad you are a contractor but it was your choice. That's the risk of contracting, you can be let go at a moment's notice. Sucks to be you, but I'm not going to cry crocodile tears for your losing 4 weeks worth of work and if you don't have enough resources stashed away for such contract interruptions, you are crazy or inept. IF a contractor lives paycheck to paycheck how on earth will they survive when their contract is not renewed? Not a good idea.

Actually, it's not a good idea to live paycheck to paycheck anyway, I don't care who you are. One should always have 3-6 months of living expenses (not income, minimum living expenses) on hand. Layoffs happen, contacts end, accidents happen and unemployment takes time to get. I can attest that it's not a matter of IF, but WHEN it will happen to you. Nearly all of us will lose a job one or more times in our careers. Be ready. Bankruptcy is a royal pain and ruins your live for a decade. Don't do it.

Re:

[bobbied]

Bravo... I applaud your life choices and financial self sufficiency. Everybody should be like you.

Re:

[liquid_schwartz]

Yup. But when they come to take mine

China isn't going to take your guns. Their fifth column is going to do that in advance of an invasion. That's what the West Coast Wall is about. Make damned sure that when they land there won't be a civilian resistance. And they will have a secure beachhead. The supporters of this need to be investigated for treason.

Yeah, sure. The probability of a Chinese invasion is vanishingly small. But that doesn't excuse the activities of their advance guard.

If you've been to LA you'd know that it would serve them right to be taken over by the Chinese. I might just root for this plan.

You can rule out Russia. It must be China.

[140Mandak262Jamuna]

Russia has its puppet in the white house. They dont need to blackmail anyone into cooperation. Now Russia will take care of Chinese hacker because it needs to protect its asset it has pwned.

Re:

[apoc.famine]

The puppet is temporary. The value of the data will extend far past 4 years. Granted, its value likely decreases as time goes on, but it doesn't have a hard stop.

It's OK

[jetkust]

They'll be able to recover your identity, in 7 years.

Correct

[WillAffleckUW]

Just a point, Social Security numbers and birthdates are not things you can easily change.

It's time to realize the entire concept of credit ratings is deeply flawed and inherently insecure.

Re:

[Lab Rat Jason]

Wish I had mod points for you... this is at the CORE of the issue. It's a rickety and decrepit system that needs to be ripped to shreds and something better and smarter put into place.

Re:

[Luthair]

Really there is no reason they shouldn't be easily changeable or perhaps unique per relationship (e.g. your bank gets a different # than the your employer). As implemented they shouldn't even be allowed to be collected or stored by anyone other than your employer and the government.

Re:

[WillAffleckUW]

Yes. For example, most schools used to use SSN or SIN for IDs and moved away to other IDs over time. The only reason you should have this ID is for taxes, and it should never be stored in your primary customer database, for any reason.

Birthdates can also be problematic. To someone who's 20, they think it's not identifiiable, but someone who's in their 90s knows it's very identifiable.

Re:

[apoc.famine]

Easily changeable seems like a recipe for disaster. If fraud is an issue now, imagine if someone could change your SSN without you knowing.

Unique per relationship seems much, much more useful. Still an issue if someone gets one for a relationship you don't have, but not as problematic since you only have one subset of your credit score, taxes, etc., that you have to untangle, not all of them.

Re:

[ceoyoyo]

You're right! Should rebrand it. Maybe call it something like "social credit." Maybe work with China on implementing it.

Just wait

[ArchieBunker]

Someone is trying to test the idea of changing his birth date. Now that you can change gender and race at any time he is claiming he feels much younger than his age. This is the world that social justice warriors wanted so now they have to accept it.

Re:

[AmiMoJo]

It was a guy in the Netherlands and he lost his case, although I think an appeal was possible.

It's an interesting question. Being transgender is a well established and widely treated (in the developed world) medical condition. That guy just wanted to change his D.O.B. because he thought he was hot but not getting dates on Tinder because people were put off by his age...

Seems like it would make more sense to argue against having to give your age at all, or at least give your actual age as opposed to the one

Re:

[pslytely psycho]

"Our propaganda campaign against China and Russia is in full swing at the moment"

Hahaha, I suppose if 'at the moment' means since WWI...

It's had peaks and valleys, but has remained rather constant since then. We used to call it the 'Red Scare.'

China has risen in power since then of course, so they are a more recent addition, at least since Mao.

Politics needs a big scary enemy to rally around. If they didn't have some ready made ones, they would just create one.

In the absence of such agitators, we could just

Someone is building a US database

[AHuxley]

Of existing US workers.
Of all US mil/gov workers/contractors.
Of all US NGO, think tank, tourist and embassy workers with work globally.
Anyone who ever held a US security clearance.
International travel and hotel use.

By sorting all of them any gov/mil created name placed into retroactive social media accounts, that fake resume can be more easy to detect.
Contact by another nations officials with US spies to set up long term methods of spying.

Who was really at a hotel in Macau years ago and what type o

Re:

[Impy the Impiuos Imp]

An estimated 23 secret agents in Russia were executed because the CIA couldn't be bothered to wonder why one of its top officials was living in a house well beyond his means.

So even if they had the will, they still can't scour personal data without a warrant, and General Warrants are forbidden by the Constitution.

Re:

[AHuxley]

The NSA and FBI would have seen all the database activity in real time.
Expecting bad nations to stay online and attempt to use the vast and powerful search functions to:

1. Put in names of dissidents of interest in the USA.
2. Names used to create fake stories in the USA.
3. Names of people expected to have a split loyalty to the USA in the second and third generation who would work for another nation when asked.
4. Names on US passport they had seen but could not find much data on.

The FBI and CIA w

Re:

[AHuxley]

Considering all the database sets lost over the years? Thats a generations of US data that cant be altered, created, updated by the CIA.
Work history, clearances, mil, education, insurance use, passports, decades of work, years of education and what type of education.
Generations of US data now in use has to be consistent over generations and decades.
How many people who can afford world travel/education with no digital past exist?
A few people in cults and faith groups with not much state/federal ID t

Spies? Really?

[aybiss]

It couldn't possibly be a rival credit monitoring organisation could it?

seems like perfect trove for coverup spies

[Alwin Barni]

Personal detail information including SSN seems like very good data to impersonate legitimate citizens. I am not security specialist, but with existing voting percentages (60% presidential, 40% midterm) seem to me like a very serious problem for the US, which should not be taken lightly.
Considering just the sheer volume of data - all or almost all citizens - seems impossible to control.

Stolen Equifax Data Has Never Been Found

[grep -v '.*' *]

Really? So there's just one of them? -- one data? I guess I really WOULDN'T download a car, then.

Don't worry: it's not the ACTUAL people, it's only some data about them -- y'know, METAdata. No big.

Or is that metapeople? Nope. Datapeople? Maybe. Peopledata? Again, maybe.

Just like all NICs have a unique MAC address*, let's just wait until an evil Russian spy corrupting FaceBook** appears in two different places at once. It should be easy to detect, I'm sure the NSA's computers will all immediat

What about state-level extortion?

[sabbede]

Say it was China that hacked Equifax. We're in trade negotiations with them right now. Maybe they try to demand favorable terms in exchange for not releasing all that data.

Thank God

[Toxiz]

Thank God we can do a free dark web scan at equifax dot com. Otherwise this could have been a disaster.