# Severe Security Breach at Equifax



## Johnny b (Nov 7, 2016)

*Why the Equifax breach is very possibly the worst leak of personal info ever*

https://arstechnica.com/information...ossibly-the-worst-leak-of-personal-info-ever/



> Consumers' most sensitive data is now in the open and will remain so for years to come.


After reading about the incredible lack of security and response, it's truly amazing that a company with these attitudes, involved in such sensitive data collection, is allowed to be in business.


----------



## Johnny b (Nov 7, 2016)

Some interesting concerns about how Equifax is handling the situation.

https://techcrunch.com/2017/09/07/e...e-questions-than-answers/?ncid=mobilenavtrend



> The company established a website to allow consumers to see if their data was stolen. But it's broken and sets the user up for TrustedID, a credit monitoring service owned by, wait for it, Equifax.
> ...
> 
> The site's terms of service seem to state that by agreeing to use this service, the user is waiving their rights to bring a class action lawsuit against Equifax.


The catch:

https://trustedidpremier.com/static/terms



> ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.
> 
> ...
> 
> Notwithstanding anything in this Section, either You or TrustedID, Inc. may bring an individual action in small claims court as long as (i) the claim is not aggregated with the claim of any other person, and (ii) the small claims court is located in the same county (or parish) and state as Your address that You most recently provided to TrustedID, Inc. according to TrustedID, Inc.'s records in connection with this Agreement.


hmm!

https://techcrunch.com/2017/09/07/e...e-questions-than-answers/?ncid=mobilenavtrend



> The site's terms of service seem to state that by agreeing to use this service, the user is waiving their rights to bring a class action lawsuit against Equifax.
> 
> We have a note out to the company asking for clarification about this site's capabilities, function and any rights forfeited. Until questions are answered, I would avoid using the site.


----------



## Johnny b (Nov 7, 2016)

*Equifax data breach could create lifelong identity theft threat*

https://www.usatoday.com/story/mone...te-life-long-identity-theft-threat/646765001/


----------



## Johnny b (Nov 7, 2016)

Some very interesting lobbying on the part of Equifax to absolve them from law suits:

http://www.ibtimes.com/political-ca...rule-protecting-victims-data-breaches-2587929



> In one section of the letter, CDIA declares that federal regulators "should exempt from its arbitration rule class action claims against providers of credit monitoring products." The letter asserted that allowing customers to sue companies "would not serve the public interest or the public good" because it could subject the companies to "extraordinary and draconian civil liability provisions" under current law. In another section of the letter, Equifax's lobbying group says that a rule blocking companies from forcing their customers to waive class action rights would expose credit agencies "to unmanageable class action liability that could result in full disgorgement of revenues" if companies are found to have illegally harmed their customers.


----------



## 2twenty2 (Jul 17, 2003)

Equifax blames open-source software for its record-breaking security breach: Report

The credit rating giant claims an Apache Struts security hole was the real cause of its security breach of 143 million records. ZDNet examines the claim.


----------



## Johnny b (Nov 7, 2016)

Security at Equifax is so dismal, one might wonder if it's intentional.

More to their 'ineptitude':

*Equifax's credit-monitoring site also reportedly hackable*

https://www.cnet.com/news/equifaxs-credit-monitoring-site-also-reportedly-hackable/#ftag=CAD590a51e



> The vulnerability could let hackers spoof the site, allowing sensitive data to be siphoned off, ZDNet reports.
> ...
> A site Equifax set up to help worried consumers create alerts and freeze accounts after the credit-monitoring firm revealed a massive data breach is also vulnerable to hack, ZDNet reported Monday.
> ...
> A cross-site scripting vulnerability could allow hackers to spoof the site via a malicious link and then siphon off any personal information visitors submit, the CNET sister site reported. Hackers could insert the malicious code in Equifax's web address, tricking the browser into treating the site as secure and displaying the "lock" icon in the browser window, ZDNet reported.
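
The flaw described in that report is a reflected cross-site scripting bug: a crafted link to the real site carries markup in a URL parameter, the site's own page code echoes that parameter into the document, and the browser runs the attacker's script under the legitimate origin, lock icon and all. TLS protects the transport, not what the page does with attacker-controlled input. The block below is an added example written for this thread; it is not Equifax's code and is not taken from any of the linked articles. The hostname, the `name` parameter and the greeting markup are assumptions chosen to illustrate the pattern. It shows the vulnerable rendering next to the hardened one, plus a crude smoke test for a reflected tag:

```javascript
// Added example, not Equifax's code: reflected XSS through a URL parameter.
// The lock icon only says the bytes arrived over TLS from the right host.
// If the page's own code writes an attacker-controlled query value into the
// document, the browser executes it as that host.

// Vulnerable: the "name" query parameter is concatenated straight into HTML.
// In a browser the equivalent sink is `el.innerHTML = ...`.
function renderVulnerable(pageUrl) {
  const name = new URL(pageUrl).searchParams.get('name') || 'visitor';
  return `<h1>Welcome, ${name}</h1>`;
}

// Escape the five characters that matter in an HTML text or
// double-quoted attribute context. (Other contexts, such as URLs or
// inline script, need their own encoders; this one is not enough there.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same markup, but the untrusted value is escaped first.
// In a browser, prefer `el.textContent = name` over building HTML at all.
function renderHardened(pageUrl) {
  const name = new URL(pageUrl).searchParams.get('name') || 'visitor';
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Crude smoke test for a reflected active tag in rendered HTML. An escaped
// payload ("&lt;img ...") does not match because its "<" is gone.
function containsInjectedTag(html) {
  return /<\s*\/?\s*(script|img|svg|iframe|object|embed)\b/i.test(html);
}

// Constructed crafted link (hypothetical host): the payload rides in the
// query string of an otherwise legitimate-looking HTTPS URL.
const CRAFTED_LINK =
  'https://lookup.example.invalid/check?name=' +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

console.log('vulnerable:', renderVulnerable(CRAFTED_LINK));
console.log('hardened  :', renderHardened(CRAFTED_LINK));
console.log('injected? :', containsInjectedTag(renderVulnerable(CRAFTED_LINK)),
            containsInjectedTag(renderHardened(CRAFTED_LINK)));
```

Run it with `node` and compare the two rendered lines: the vulnerable one contains a live `<img>` whose `onerror` handler fires immediately because `src=x` cannot load, while the hardened one shows the payload as inert text. Output escaping is the fix for this bug class; a Content-Security-Policy that forbids inline script is the defence-in-depth layer behind it.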


----------



## 2twenty2 (Jul 17, 2003)

https://www.fastcompany.com/4046612...ppeared-from-apples-app-store-and-google-play

Equifax's app has disappeared from Apple's App Store and Google Play


----------



## 2twenty2 (Jul 17, 2003)

http://www.bbc.com/news/technology-41257576

The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations.


----------



## 2twenty2 (Jul 17, 2003)

http://www.marketwatch.com/story/eq...he-companys-chief-security-officer-2017-09-15

Opinion: Equifax CEO hired a music major as the company's chief security officer

When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company's data security.


----------



## Johnny b (Nov 7, 2016)

*Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop*

https://krebsonsecurity.com/2017/09...t-card-accounts-in-one-fell-swoop/#more-40773



> At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time - when hackers accessed the company's systems in mid-May 2017.
> 
> ...
> 
> In a non-public alert sent this week to sources at multiple banks, Visa said the "window of exposure" for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.


hmmmm!


----------



## simian (Sep 10, 2017)

400K people in UK affected

https://www.welivesecurity.com/2017...Feed:+eset/blog+(ESET+Blog:+We+Live+Security)


----------



## Johnny b (Nov 7, 2016)

Now there's concern about an earlier March intrusion.

https://www.bloomberg.com/news/arti...suffer-a-hack-earlier-than-the-date-disclosed

https://www.usatoday.com/story/tech...ax-data-breach-second-hacked-march/679474001/


----------



## 2twenty2 (Jul 17, 2003)

Equifax Has Been Sending Consumers to a Fake Phishing Site for Almost Two Weeks

https://gizmodo.com/equifax-has-been-sending-consumers-to-a-fake-phishing-s-1818588764


----------



## 2twenty2 (Jul 17, 2003)

Equifax CEO suddenly 'retires' following an epic data breach affecting up to 143 million people

Richard Smith, CEO and chairman of Equifax, abruptly retired Tuesday following a data breach at the credit-reporting service that affected the personal information of 143 million people.


----------



## Johnny b (Nov 7, 2016)

https://news.slashdot.org/story/17/...ctor-delayed-equifaxs-response-to-data-breach

*The Equifax Hack Has the Hallmarks of State-Sponsored Pros*

https://www.bloomberg.com/news/feat...has-all-the-hallmarks-of-state-sponsored-pros


----------



## 2twenty2 (Jul 17, 2003)

Equifax failed to patch security vulnerability in March: former CEO

*2.5 million additional U.S. consumers may have been impacted by a cyber attack*

https://www.reuters.com/article/us-...lnerability-in-march-former-ceo-idUSKCN1C71VY


----------



## Johnny b (Nov 7, 2016)

*Former Equifax CEO says breach boiled down to one person not doing their job*



> However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice - one person didn't do their job.
> 
> "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.


https://techcrunch.com/2017/10/03/f...oiled-down-to-one-person-not-doing-their-job/


----------



## Johnny b (Nov 7, 2016)

*IRS awards Equifax no-bid, $7.25 million contract after hack*

https://arstechnica.com/tech-policy...-taxpayer-identity-contract-weeks-after-hack/


----------



## Johnny b (Nov 7, 2016)

*Equifax: About those 400,000 UK records we lost? It's now 15.2M*

https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/


----------



## Johnny b (Nov 7, 2016)

Equifax website hacked... again!

https://arstechnica.com/information...n-this-time-to-redirect-to-fake-flash-update/

*Equifax website hacked again, this time to redirect to fake Flash update*

(edit: update)

*Equifax says it was not breached again, but vendor on site served 'malicious content'*

https://www.usatoday.com/story/tech/news/2017/10/12/equifax-may-have-been-breached-again/758734001/


----------

