Jump to content

Equifax Massive Security Breach


sarganaga

Recommended Posts

The masterminds at Equifax managed to allow the personal data of 143 million Americans to be stolen. This includes social security numbers, date of birth, addresses, and other info as described here http://money.cnn.com/2017/09/11/technology/equifax-identity-theft/index.html

 

Been searching for security suggestions. https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/This seems to make sense, but there are inconveniences with credit freezes, even perhaps significant increases in your auto insurance rates if your credit records can't be accessed.

 

FWIW, both my wife and I are affected by this.

 

Anyone have any thoughts or experience in dealing with possible/actual identity theft?

 

 

Link to comment
Share on other sites

I started a thread about this in personal finance.

 

Anyway, I think freezing and signing up for the free service makes the most sense. 

 

From an investment point of view, it may make sense to look at the other two--I think a lot of people, myself included, just started freezing these things, and they get to make $10 per person per freeze/unfreeze every time, which is ridiculous.  So, if they get all these fees, they could have an increase in earnings without the settlement issues of equifax.

Link to comment
Share on other sites

Didn't see your other thread. I agree with your suggestions & possible investment implications.  I signed up today for the monitoring. My wife's signup date is tomorrow & she will signup then. At least Equifax has taken the arbitration condition off.

 

Unfortunately, this seems like a really big deal that will hang like a dark cloud over our finances for many years to come.

Link to comment
Share on other sites

Not much advice, but https://haveibeenpwned.com/ is a legit website to check out if you've been involved in a leak (they can also mail you live updates if leaked data contains your e-mail address). Try entering your e-mail address on the site - scary to see how much data leaks you've been involved in. For me at least ..  ::)

 

Thanks for the info. One email leak for me....for now

Link to comment
Share on other sites

Didn't see your other thread. I agree with your suggestions & possible investment implications.  I signed up today for the monitoring. My wife's signup date is tomorrow & she will signup then. At least Equifax has taken the arbitration condition off.

 

Unfortunately, this seems like a really big deal that will hang like a dark cloud over our finances for many years to come.

 

Yes, this is huge.  We can be compromised for the rest of our lives with this one.  Maybe this will be a catalyst to come up with a different solution than the way SSN and credit checks work (e.g., freezing that is easy to do and not cost anything and requiring that the freeze be honored, at the liability of the issuer)...

Link to comment
Share on other sites

Color me skeptic. Likely nothing will be done, nothing will be changed, Equifax settles class action for pennies and that's pretty much it. Do you guys really think that govt can push through a reform? Or that credit bureaus + financial companies will try to change the credit check solution voluntarily?

Link to comment
Share on other sites

Didn't see your other thread. I agree with your suggestions & possible investment implications.  I signed up today for the monitoring. My wife's signup date is tomorrow & she will signup then. At least Equifax has taken the arbitration condition off.

 

Unfortunately, this seems like a really big deal that will hang like a dark cloud over our finances for many years to come.

 

Yes, this is huge.  We can be compromised for the rest of our lives with this one.  Maybe this will be a catalyst to come up with a different solution than the way SSN and credit checks work (e.g., freezing that is easy to do and not cost anything and requiring that the freeze be honored, at the liability of the issuer)...

 

I really hope this obvious solution has a chance of becoming reality. This  makes sense & should be easy to do. However, the scum that inhabit the halls of congress are richly rewarded for seeing this doesn't happen. If the financial wizards didn't suffer too much for their role in 2008-2009, probably won't suffer too much this time. Equifax should be facing financial death penalty for this.

 

Color me skeptic. Likely nothing will be done, nothing will be changed, Equifax settles class action for pennies and that's pretty much it. Do you guys really think that govt can push through a reform? Or that credit bureaus + financial companies will try to change the credit check solution voluntarily?

 

As noted above, I would like to think something positive and simple could be done, but unfortunately join you in the skeptics camp.

Link to comment
Share on other sites

Color me skeptic. Likely nothing will be done, nothing will be changed, Equifax settles class action for pennies and that's pretty much it. Do you guys really think that govt can push through a reform? Or that credit bureaus + financial companies will try to change the credit check solution voluntarily?

 

Yeah, I don't think it is going to happen.  On the other hand, this really sucks and it sure seems to make sense to make a change.

Link to comment
Share on other sites

Be careful if you are thinking of signing up for their free year of credit monitoring as you give up your right to sue them.

 

The eliminated that little jewel from their terms of service for this breach, although I guess it might apply if/when they screw up the credit monitoring.

Link to comment
Share on other sites

As someone who has gone through the whole identity theft thing, it's a pain, but in today's day and age, it's inevitable and you are better off getting it over with.

 

Long story short, I was getting what I thought were spam calls. Eventually I picked up and it was a collection agency. They said I owed Verizon $1900. I double checked all the info, and sure enough, my social was on file and shortly after I moved from my college apartment to my house, a Verizon account had been established in my name in Brooklyn(I live in North NJ). I confirmed I'd had a continuous account with another provider for a decade, and that I no longer resided at the address on file when the account was opened. I had to file a police report and contact the credit agencies, and that was it. The collection was removed from my credit report and as a result, the credit bureaus had to enroll me in a special program for people who were victims of identity theft. This included an automatic freeze and verification on my accounts upon any new credit inquiries, plus free freeze/unfreeze of access to my credit reports, all for seven years. It's been a slight hassle when applying for new credit, but otherwise I sleep well at night, and thats the point I guess.

Link to comment
Share on other sites

I was recently in a meeting with a mortgage company exec and what he explained opened my eyes to this entire identity world.  I won't share the company's name, but their practice seems fairly common.

 

He said they have invested a ton of money into buying identities and tracking people. 

 

Tracking:

He said if you sign up for information, or visit their website and give ANY information they start to track you.  They use a tool that is hooked into the back ends of a ton of common providers (Lowes, Home Depot, furniture sites, carpet sites).  These companies share who has purchased what, and that's all consolidated back.  This guy said they have a list of every person who's been to their site and then all of their subsequent web activity.  If someone goes to the site and then starts to browse for couches and chairs and paint colors they know the person is curious about buying a house.  They can then get their contact information and start calling them.

 

Identities:

 

The company requires a SSN and name with an application, so they have this stuff on file.  He said with that they can buy identities for most potential clients.  But the real information is linked to a driver license number.  He said a combination of SSN and driver license number unlocks everything about a person.  This company is actively working to acquire as much data as possible.  They don't know what to do with it, but they think they want more.  It's a hording mentality.

 

Security:

 

This was a sub $1b ($800m) mortgage company, so they're pretty small.  The President told me he would hire 'anyone' who could start today and get work done, they're strapped for talent.  I didn't ask about security, but given how shoe string and duct tape this place seemed, and their hiring practices I'm guessing security isn't at the top of their list.  What this means is there's a database sitting out there with millions of people's information, detailed things such as driving records, detailed financial records and no one is making sure it's secure.  It's a sitting duck for being hacked.  This was just one company, now extrapolate this across the country.  At some point you have to realize that nothing is private or secure anymore.

Link to comment
Share on other sites

Didn't see your other thread. I agree with your suggestions & possible investment implications.  I signed up today for the monitoring. My wife's signup date is tomorrow & she will signup then. At least Equifax has taken the arbitration condition off.

 

Unfortunately, this seems like a really big deal that will hang like a dark cloud over our finances for many years to come.

 

Yes, this is huge.  We can be compromised for the rest of our lives with this one.  Maybe this will be a catalyst to come up with a different solution than the way SSN and credit checks work (e.g., freezing that is easy to do and not cost anything and requiring that the freeze be honored, at the liability of the issuer)...

 

I really hope this obvious solution has a chance of becoming reality. This  makes sense & should be easy to do. However, the scum that inhabit the halls of congress are richly rewarded for seeing this doesn't happen. If the financial wizards didn't suffer too much for their role in 2008-2009, probably won't suffer too much this time. Equifax should be facing financial death penalty for this.

 

Color me skeptic. Likely nothing will be done, nothing will be changed, Equifax settles class action for pennies and that's pretty much it. Do you guys really think that govt can push through a reform? Or that credit bureaus + financial companies will try to change the credit check solution voluntarily?

 

As noted above, I would like to think something positive and simple could be done, but unfortunately join you in the skeptics camp.

 

Realistically - it doesn't have to be a government solution. The other two credit ratings agencies and financial institutions should be able to work together to implement a new system.

 

I'm not a security expert, but a multifactor system seems like it could work. How hard would it be to require 2-4 pieces of information from the financial institution pulling your credit before returning a credit report with validation of that data/your identity?

 

Maybe a combo of your social security, driver's license, a bill with your name/address on it, and posession of a credit card on your credit report or simply a customized PIN in addition to your SSN and the ratings agencies ping your phone/email whenever a credit report is pulled and by whom.

 

I'm just spitballing here, but it shouldn't be TOO hard to amend this system to make it more secure now that 140 million SSN security numbers are likely floating around for sale...

 

Link to comment
Share on other sites

Realistically - it doesn't have to be a government solution. The other two credit ratings agencies and financial institutions should be able to work together to implement a new system.

 

I'm not a security expert, but a multifactor system seems like it could work. How hard would it be to require 2-4 pieces of information from the financial institution pulling your credit before returning a credit report with validation of that data/your identity?

 

Maybe a combo of your social security, driver's license, a bill with your name/address on it, and posession of a credit card on your credit report or simply a customized PIN in addition to your SSN and the ratings agencies ping your phone/email whenever a credit report is pulled and by whom.

 

I'm just spitballing here, but it shouldn't be TOO hard to amend this system to make it more secure now that 140 million SSN security numbers are likely floating around for sale...

 

Realistically all three credit agencies just don't give a f&*k. Same for other financial institutions.

 

And that's where we are and gonna be.

 

FYI questions unanswered: https://www.nytimes.com/2017/09/12/your-money/equifax-fee-waiver.html

 

Yeah, I'm afraid this thread is gonna turn into politics thread

Link to comment
Share on other sites

Hey all:

 

There has been some scuttlebutt on the interwebs that the person in charge of security for Equifax has a MFA degree in music composition, undergrad degree is a similar thing.

 

To further complicate the situation, this person's information & credentials is being scrubbed off of Equifax's site & the interweb in general.  Almost kind of like they are trying to cover something up.

 

Please see: http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15

 

What I want to know is how does somebody with a background and degree in music composition get to the top position of CIO? 

 

What other goofiness is going on over at Equifax?

Link to comment
Share on other sites

What I want to know is how does somebody with a background and degree in music composition get to the top position of CIO? 

 

The articles I saw said that this person had 10+ years experience in industry in security field.

 

Apparently this person indeed had a history of working in cyber security.  HOWEVER, how does one go from a background in music composition straight into cyber security, and relatively high level positions at that?

 

I guess it didn't work out none too good...as the results show.

 

Why was this person allowed to retire?  How come no C-level executives get FIRED? (or relatively few)?

 

Why is the CEO not fired?

 

Finally, if this CIO is eminently qualified, why the coverups & scrubs of the situation?

Link to comment
Share on other sites

What I want to know is how does somebody with a background and degree in music composition get to the top position of CIO? 

 

The articles I saw said that this person had 10+ years experience in industry in security field.

 

Apparently this person indeed had a history of working in cyber security.  HOWEVER, how does one go from a background in music composition straight into cyber security, and relatively high level positions at that?

 

I guess it didn't work out none too good...as the results show.

 

Why was this person allowed to retire?  How come no C-level executives get FIRED? (or relatively few)?

 

Why is the CEO not fired?

 

Finally, if this CIO is eminently qualified, why the coverups & scrubs of the situation?

 

I won't defend the CIO or any other Equifax executives. I think they should have been fired and the consequences to company (and possibly executives) should be way harsher than they are expected to be.

 

However, I find it ironic that we had majority of CoBF dissing formal education and advocating pursuing careers/livelihoods without any formal education in various fields. But now we have complains when someone apparently did exactly that...  8) Maybe I'm not being fair to you though.

 

Peace.

Link to comment
Share on other sites

A lot of the top infosec people don't have formal degrees in the field.

 

I'm not saying that that person was competent or not, I have no more info about that than anyone else. Just saying that some fields are different from others. A neurosurgeon without a medical degree is probably a big problem, but a programmer or security person without a degree in the field, not necessarily. In some fields you need specialized equipment and access to mentorships and customers/patients to practice on and such (ie. inside an hospital), in some fields all the knowledge is out there and all you need is a computer and an internet connection.

Link to comment
Share on other sites

What I want to know is how does somebody with a background and degree in music composition get to the top position of CIO? 

 

The articles I saw said that this person had 10+ years experience in industry in security field.

 

Apparently this person indeed had a history of working in cyber security.  HOWEVER, how does one go from a background in music composition straight into cyber security, and relatively high level positions at that?

 

I guess it didn't work out none too good...as the results show.

 

Why was this person allowed to retire?  How come no C-level executives get FIRED? (or relatively few)?

 

Why is the CEO not fired?

 

Finally, if this CIO is eminently qualified, why the coverups & scrubs of the situation?

 

1. Well, the field was relatively new and if you have the will to learn and you are competent. Then you can get a job. Right now, Cybersecurity is in high demand.

 

2. Save face, but then again look at former SoFi CEO even though he resigned the negative articles will hurt reputation in the long run.

 

3. Don't know

 

4. I think this happens all the time with any scandal. Ideally, you want to tell the truth but it is always the fear of backlash at a larger scale (PR nightmare etc.....) and that a person might lose their job anyway. So why not fix the situation. I think there needs to be a mechanism in place where you can tell the truth without the backlash.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...