Big Equifax Hack

#1  Top Rated Post
Equifax announced today that 143 million US-based users had their personal information compromised this year. Attackers reportedly exploited a vulnerability on Equifax's website to steal names, Social Security numbers, birthdates, addresses, and, in some cases, driver’s license numbers. Credit card numbers for approximately 209,000 people and certain dispute documents with personal identifying information for approximately 182,000 people were also accessed. Although Equifax operates in other countries, it didn't detect any stolen personal information abroad.

The company says it discovered the breach on July 29th this year, and has since plugged the security hole. The company also set up a dedicated website — — for possible victims to sign up for credit file monitoring and identity theft protection.

Data breaches are fairly common, although those impacting Social Security and driver's license numbers are rarer and more serious. The fact that Social Security numbers are included in the breach makes it likely that victims will be targeted for identity theft. Equifax says it's working with both an independent cybersecurity firm and law enforcement to investigate.
Well there goes their credibility.
Thursday, credit-reporting agency Equifax disclosed that hackers had broken into the company’s systems and stolen driver‘s license, Social Security numbers, and credit-card numbers, birth dates, names, and addresses, in a massive security breach that may have affected as many as 143 million Americans. And yet, somehow, the bad news was just beginning. It was quickly revealed that Equifax knew about the hack for more than a month before it told the public; that three senior executives with remarkably good timing had sold $1.8 million in Equifax shares just days after the breach was discovered but weeks before any outsiders knew; and that a Web site set up by Equifax to help people learn if their information had been compromised was also designed to trick everyone who used it into waiving their rights to sue .

And apparently, if Equifax had had its way, it could’ve been a lot

The Wall Street Journal reports that in the months leading up to the attack, the Equifax spent at least $500,000 lobbying federal regulators and Congress to relax regulation of credit-reporting companies. Among the focus of its requests? “Data security and breach notification,” “cyber security threat information sharing,” and the coup de grace: “limiting the legal liability of credit-reporting companies.”

Amazingly, a panel of the House Financial Services Committee convened to discuss the legal liability issue the very same day that Equifax revealed that it may have allowed the financial data for nearly half the country to be compromised. During the hearing, National Consumer Law Center attorney Chi Chi Wu said the proposed legislation—which would cap the statutory damages consumers could be awarded in a suit against companies like Equifax at $500,000—“drastically decreases the consequences for credit bureaus” when laws are broken. Representative Barry Loudermilk, a sponsor of the bill, was apparently totally offended by the characterization, saying the bill was intended “to protect consumers and all Americans.”

In a twist that you may want to sit down before reading, the Journal notes that Loudermilk has received thousands in contributions from Equifax’s political-action committee, which also donated money to all 13 members of the Financial Services Committee during the 2016 election cycle. Equifax told the Journal that its PAC contributions “are made in a legal, ethical, and transparent manner.”

WASHINGTON (Reuters) - Thirty-six U.S. senators on Tuesday called on federal authorities to investigate the sale of nearly $2 million in shares of credit bureau Equifax Inc by company executives after a massive data breach, and one compared their actions to insider trading.

U.S. senator on Equifax hack: 'Somebody needs to go to jail' | Reuters
So where is the ol NSA on this crap? DHS? IRS? FBI? CIA?...the cops?
watching porn?

They gotta screw every average joe in backdoor, but do they ever catch these real crime guys?

They are creating fake crimes to get budget then they pretend to be working by pretending to chase russians.
...and grabbing kid's genitals at the airport.

While criminals right the laws.

"I'm not a crazy ACLU-type. I've had no problem with body-scanners or previous TSA pat-downs. In 2009, a terrorist famously smuggled a bomb in his underwear aboard a U.S. flight. But an agent of the state should probably only touch a citizen's genitals seven or eight times if the agent has reasonable suspicion, and not because a machine is malfunctioning or calibrated, intentionally or unintentionally, to detect explosives on everyone who is tested.
Last edited by Danbones; Sep 13th, 2017 at 05:11 AM..
Cambridge woman launches $550-million class-action lawsuit against Equifax Canada following privacy breach
By Jenny Yuen, Toronto Sun
First posted: Wednesday, September 13, 2017 07:00 PM EDT | Updated: Wednesday, September 13, 2017 07:38 PM EDT
A Cambridge woman is launching a $550-million class-action lawsuit against Equifax Canada after a massive cybersecurity breach may have compromised sensitive identity information of countless Canadians.
The statement of claim, which was filed Tuesday at the Ontario Superior Court of Justice, names Bethany Agnew-Americano as the woman who launched the lawsuit on behalf of any Canadian victims of the hack which took place from May to August.
Atlanta-based Equifax confirmed on its Canadian website the breach compromised names, address and social insurance numbers, however the law firm representing Agnew-Americano said the company issued a press release last week that there was no way for Canadians to find out if they were affected.
“The scope of the privacy breach is unlike virtually any other previous breach,” lawyer Jean-Marc Leclerc, a partner at Sotos LLP — the firm taking on this lawsuit — said Wednesday.
“A social insurance number is probably one of the most sensitive pieces of information someone can get on you. The purpose is to track income and is given to very few people. Having a SIN number can open a vault to virtually all your other financial information — everything is open for scrutiny.”
In the U.S., 143 million Americans had their personal information exposed because of the attack, including consumers’ names, social security numbers, birth dates, addresses and driver’s licence numbers.
The proposed class-action lawsuit is seeking a court order requiring Equifax to notify any Canadians whose information was stored on Equifax databases and was accessed without authorization between May 1-Aug. 1.
The $500-million claim covers damages for negligence, breach of contract, various breaches of the Privacy Act and intrusion upon seclusion (i.e. invasion of privacy). The additional $50 million claim is for punitive damages.
Agnew-Americano could not be reached for comment.
A spokesman for Equifax Canada could also not be reached for comment on the lawsuit Wednesday, however, the company’s website noted the breach was contained and “only a limited number of Canadians may have been affected. We are working on finding out how many.”
The credit monitoring company’s call centre staff say that Canadians who have Equifax accounts in the U.S. could be at risk of having their data compromised, such as those who have lived, worked or applied for credit south of the border. Customers were told that consumers whose credit files were not checked outside of Canada are unlikely to be part of any breach.
The Office of the Privacy Commissioner of Canada said on its website Tuesday that it’s taking a closer look into the hack.
- With files by the Canadian Press
Cambridge woman launches $550-million class-action lawsuit against Equifax Canad
Equifax says 100,000 Canadians may be affected by cyberattack
First posted: Tuesday, September 19, 2017 10:39 AM EDT | Updated: Tuesday, September 19, 2017 10:46 AM EDT
TORONTO — Equifax Inc. says approximately 100,000 Canadian consumers may have had their personal information compromised in the massive cyberattack on the credit data company made public earlier this month.
The company says the investigation is ongoing and the information that may have been breached includes names, addresses, social insurance numbers and in some cases credit card numbers.
It adds that hackers obtained access to files containing the personal information of some Canadian consumers through one of Equifax’s consumer website applications intended for use by U.S. consumers.
Equifax Canada’s president and general manager Lisa Nelson apologized to Canadian consumers whose data may have been compromised in the breach.
On Sept. 7, Equifax announced that it suffered a data breach that may have compromised the personal information of 143 million Americans and less than 400,000 U.K. residents.
Canada’s privacy watchdog announced last Friday that it was probing the data breach and Equifax has committed to notifying those affected in writing as soon as possible.
Equifax says 100,000 Canadians may be affected by cyberattack | Home | Toronto S
Equifax CEO resigns in wake of data breach
Ken Sweet and Michael Liedtke, THE ASSOCIATED PRESS
First posted: Tuesday, September 26, 2017 01:09 PM EDT | Updated: Tuesday, September 26, 2017 05:10 PM EDT
NEW YORK — Embattled Equifax CEO Richard Smith stepped down Tuesday, less than three weeks after the credit reporting agency disclosed a disastrous hack to its computer system that exposed the sensitive personal information of 143 million Americans.
His departure follows those of two other high-ranking executives who left in the wake of the hack, which exploited a software flaw that the company did not fix to expose Social Security numbers, birthdates and other personal data that provide the keys to identify theft.
Smith, who had been CEO since 2005, will also leave the chairman post. Equifax called his departure a retirement, but he will not receive his annual bonus and other potential retirement-related benefits until the company’s board concludes an independent review of the data breach.
Even if the review does find Smith at fault, he could walk away with a retirement package of at least US$18.4 million, along with the value of the stock and options he was paid out over his 12-year tenure.
There is a possibility the board could “claw back” any cash or stock bonuses he may have received, but corporations typically set high thresholds for that type of action.
The 57-year-old executive, who made almost $15 million in salary, bonuses and stock last year, would also be able to stay on the company’s health plan for life.
Paulino do Rego Barros Jr., most recently president of the Asia Pacific region, was named interim CEO. Board member Mark Feidler was appointed non-executive chairman. Equifax said it will look both inside and outside the company for a permanent CEO.
Even with the departures of three top executives, Equifax is still facing several state and federal inquiries and a myriad of class-action lawsuits, including congressional investigations, queries by the Federal Trade Commission and the Consumer Financial Protection Bureau, and probes by several state attorneys general. On Tuesday, the city of San Francisco became the first municipality to sue Equifax for exposing its residents to identity theft. The state of Massachusetts sued Equifax last week.
Three other executives were found to have sold stock for a combined $1.8 million before Equifax disclosed the breach, though the company says they were unaware of it at the time.
Although Wall Street analysts had previously applauded Equifax’s performance under Smith, he and his management team came under fire for lax security and their response to the breach. Confusion over the terms of credit-monitoring protection and jammed phone lines added to public’s ire. The company’s stock has lost a third of its value — a $5.5 billion setback.
Equifax’s board clearly needed to dump Smith, not only as a public show of penance for the breach but also for the company’s bungling since informing consumers their identities are in danger of being stolen, said Bart Friedman, a lawyer specializing in corporate governance issues for Cahill Gordon and Reindel.
“This was like a five-alarm fire, and the lack of an appropriate response by management just poured gasoline on that fire,” Friedman said. “If you are sitting on that board, I don’t know how you could have permitted him to stay in his role. I have rarely seen such a botched response to an existential threat.”
Equifax tried to appease incensed lawmakers, consumers and investors by announcing the unceremonious retirement of its chief security officer and chief information officer last week, who were responsible for managing and protecting the company’s technology. But that wasn’t enough, with lawmakers drawing up bills that would impose sweeping reforms on Equifax and its two main rivals, Experian and TransUnion.
Smith had been scheduled to appear at two congressional hearings next week that would likely have turned into a public lambasting. The House Energy and Commerce committee said in a tweet that it still plans to hold its hearing Oct. 3. A spokeswoman for the Senate Banking Committee said that panel’s Oct. 4 hearing remains scheduled as planned.
Sen. Brian Schatz, a Democrat from Hawaii, said Smith’s departure just days before he was to appear before Congress was “an abdication of his responsibility.” He said he expected Smith to testify before the Banking Committee “regardless of the timing of his retirement.”
The data breach might not have happened if Equifax had responded promptly to a March warning about a known security weakness in a piece of open-source software called Apache Struts. Even though a repair was released, Equifax did not immediately install it. Digital burglars used the crack in Equifax’s computer systems to break in from May 13 through July 30, according to the company’s accounting.
Equifax said it did not fathom the breadth of information that had been stolen until shortly before issuing a public alert on Sept. 7, triggering the wave of withering condemnations that led to Smith’s departure.
The jobs of other Equifax executives could still be in jeopardy. The three executives who sold shares, including Equifax’s chief financial officer, are under scrutiny.
In a hearing Tuesday, the chairman of the Securities and Exchange Commission, Jay Clayton, refused to comment when asked by lawmakers if executives at Equifax engaged in insider trading when they sold their shares. He did not confirm or deny that the SEC was investigating the issue.
However, he opened the door to potentially forcing the executives to return the proceeds of the stock sales, if the company’s six-week delay in disclosing the breach is found to be improper.
Liedtke contributed from San Francisco. Chris Rugaber contributed to this report from Washington, D.C.
Equifax CEO resigns in wake of data breach | World | News | Toronto Sun
Equifax takes down customer service page after ’malicious content’ found
First posted: Thursday, October 12, 2017 04:07 PM EDT | Updated: Thursday, October 12, 2017 07:14 PM EDT
TORONTO — Equifax Inc. is reporting that a third-party vendor the credit rating agency uses to collect performance data on its U.S. Equifax website was serving malicious content.
“Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” an Equifax spokesperson said in an emailed statement Thursday.
“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our customer dispute portal.”
Earlier Thursday, Equifax Canada said its U.S. parent company was temporarily taking down one of its customer services pages amid reports that hackers had allegedly altered Equifax’s credit report assistance page so that it would send users malicious software disguised as Adobe Flash.
“We are aware of the situation identified on the website in the credit report assistance link,” Equifax Canada spokesman Tom Carroll said in an emailed statement.
“Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”
Carroll did not respond to direct questions about any potential breach to Equifax Canada’s website.
The news comes as Equifax Inc. continues to deal with the aftermath of a cyber breach earlier this year which allowed the personal information of 145.5 million Americans, and 8,000 Canadians, to be accessed or stolen.
Since news of Equifax’s massive data breach broke last month, the company is facing investigations in Canada and the U.S., as well as at least two proposed class actions filed in Canada.
The massive data breach has also led to a number of high-profile departures at the Atlanta-based consumer credit reporting agency, including its chief executive, chief information officer and chief security officer.
In early October, Equifax revised the number of consumers potentially impacted in the breach — bumping up the total in the U.S. to 145.5 million and reducing the number in Canada from an estimated 100,000 to 8,000.
For these Canadian consumers, Equifax says the information that may have been accessed includes name, address, social insurance number and, in “limited cases” credit card numbers.
On its website, Equifax’s Canadian division says it has not yet mailed out any notices and made clear it would not be making any unsolicited calls or emails about the issue.
In September, Equifax reported that its investigation had shown that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada said at the time it was working closely with its parent company Equifax Inc. and an unnamed, independent cybersecurity firm conducting the ongoing investigation.
The cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
With files from The Associated Press.
Equifax takes down customer service page after
Equifax's failure calls for the corporate death penalty, through a rare but vital procedure called judicial dissolution.

Under the law of Georgia, where Equifax is incorporated , the state attorney general may file a lawsuit in state court to dissolve a corporation if the corporation "has continued to exceed or abuse the authority conferred upon it by law." (All 50 states have similar provisions.) State attorneys general don't invoke these corporate death penalty statutes often, especially not against large, well-known corporations.

But Equifax could not have obtained its unusually important position in our economy without the privileges of a corporate charter conferred by law, and it has forfeited its claim to those privileges.

Equifax's entire reason for existence is to collect and maintain private financial data about individuals who are not customers of the company. This isn't like other data breaches, such as the 2012 credit card data breach at Barnes & Noble , or the 2015 hack of frequent-flyer account data at British Airways . Those breaches were bad. But they affected people who had chosen to do business with these companies by buying books or airplane trips. Most of the people whose data was compromised by Equifax's lax security don't even know that Equifax exists, let alone that it maintains their private financial data.

Equifax's conduct after the breach has given little comfort. Before revealing the breach to the public, senior executives sold $2 million worth of stock. Meanwhile, after the breach was made public, Equifax offered consumers free credit monitoring—but tried to force them to accept a mandatory arbitration provision clause buried in the fine print.

In fact, Equifax wasn't even competent enough to close the stable door after the horse had bolted. Over a week after the US breach was revealed, a small computer company in Milwaukee noticed that in one Equifax computer system based in South America, customer records could still be accessed by entering the username "admin" and the password..."admin."


Similar Threads

Hø̈ø̈ters Hack(ed?)
by Tonington | May 20th, 2014
Can You Hack It?
by Locutus | Nov 28th, 2013
The Chinese Google hack
by Locutus | May 21st, 2013
Paul the hack Martin
by Hank C Cheyenne | Oct 3rd, 2005