It’s time to build our own Equifax with blackjack and crypto | TechCrunch

This article discusses a security breach that will affect very many people in the USA. It should force a rethink of the sloppy security practices at many companies: the identifying data those companies rely on has now leaked out.

The private data of 143 million Equifax “customers” is now available for download. Have no doubt: This means you will be hacked. This means your SIM card can be spoofed. This means someone will try to get into your email and online accounts. This means someone will try to open a credit card in your name. 
First, we cannot allow our most precious data to be accessible via the last four digits of our social security number. 

Further, we must also outlaw SMS two-factor authentication. In fact, thanks to the data stolen from Equifax, that process can be easily broken.

Mistakes happen. Ultimately we must hold these companies that keep leaking sensitive data accountable for their failures. In short, it’s time for those who are careless with big data to die.

The USA might need to look outside its borders for leadership in security.


  1. Tomi Engdahl says:

    NEVER EVER store sensitive data in a DB without proper encryption:
    “Credit-reporting company Equifax shocked investors, and more than a third of America, when it announced on Thursday afternoon that hackers had breached its data systems, compromising the personal information of approximately 143 million U.S. consumers.”

    Massive Data Breach At Equifax: As Many As 143 Million Social Security Numbers Hacked

    Credit-reporting company Equifax shocked investors, and more than a third of America, when it announced on Thursday afternoon that hackers had breached its data systems, compromising the personal information of approximately 143 million U.S. consumers. The information accessed “primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.” In other words, pretty much everything that should have been hidden behind an n-number of firewalls, is now available to the dark net’s highest bidder.

  2. Tomi Engdahl says:

    40 days remains an awfully long time for consumers to be kept in the dark

    Equifax breach disclosure would have failed Europe’s tough new rules

    U.S. consumers hearing the news yesterday of a massive Equifax data breach, which the company revealed potentially affects 143 million consumers, and includes data such as names, addresses, dates of birth, social security numbers, drivers’ licenses and — for a subset of hundreds of thousands — credit card information too, not only had to contemplate the horrendous scale of the thing.

    They were also left to grapple with an Equifax ’emergency response line’ that hung up on them, and an Equifax data breach ‘help’ website that appears to raise a lot more questions than it answers.

    And that’s before you even consider whether Equifax is trying to use the site’s terms of service to get users to waive their rights to bring a class action lawsuit against it — as appears to be the case. Which would be spectacularly unclassy, to say the least.

    The cherry on this unlovely layer cake is the fact the credit checking company states it found out about the breach on “July 29 of this year” — while the unauthorized access apparently occurred “from mid-May through July 2017”.

    40 days remains an awfully long time for consumers to be kept in the dark about the fact their identities and other highly sensitive personal data might be being traded by hackers, used to compromise other services, and sold to spammers for targeted spearphishing attacks.

    The US does not currently have a federal law requiring companies to inform the public about data breaches

    Over the pond in the European Union the story is different. A single breach notification standard for personal data was agreed at the end of 2015 — and is set to come into force in May 2018, under the incoming GDPR (General Data Protection Regulation).

  3. Tomi Engdahl says:

    And just to rub salt into the 143 million wounds caused by Equifax’s inability to properly safeguard people’s credit information, you have to surrender your legal rights in order to find out if you have been affected. Such companies are big on authority but woefully lacking when it comes to responsibility.

  4. Tomi Engdahl says:

    PSA: no matter what, Equifax may tell you you’ve been impacted by the hack

    Those hoping to find out if their Social Security number and other identifying info was stolen, along with a potential 143 million other Americans’ data, won’t find answers from Equifax.

    In what is an unconscionable move by the credit report company, the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach.

    I was then encouraged on the next line to continue my enrollment in TrustedID Premier. I was not aware I was enrolling in anything simply by giving my information. I had been instructed to add my last name and the last six digits of my Social Security number only to find out if I’d been impacted.

    This made-up person had also been impacted. I tried it over and over again and got the same message.

    The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID.

    There’s no way to tell if you were really impacted.

    It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

    Earlier it was revealed executives had sold stock in the company before going public with the leak.

    No doubt, those who sold company stock before publicly admitting the issues are going to face some legal trouble of their own as well.

    These actions, and many others, are disgraceful, especially for a company of this size and responsibility and I truly hope Equifax feels the heat they are under for mishandling what is the largest data breach in the history of the U.S.

  5. Tomi Engdahl says:

    Equifax says it won’t bar consumers from joining breach-related lawsuits

    Equifax, which yesterday announced a truly enormous breach, will not require affected consumers to forfeit their right to join a class action lawsuit against the company in order to receive credit protection. The company clarified the forced arbitration clause in its terms of service after outcry by consumer advocates,

  6. Tomi Engdahl says:

    Equifax stock tumbles 14% after credit score hack

    Credit score business Equifax revealed Thursday that 143 million people were compromised in a cyber attack. Social security numbers and other personally identifying information were accessed.

    And guess what, the stock market didn’t like it! The company lost about $2 billion in market cap Friday after tumbling nearly 14%.

    Apparently, the company has known about the hack since July 29, yet the public was just notified yesterday. I’m sure its stock investors will have plenty of questions about the lack of disclosure.

  7. Tomi Engdahl says:

    Tony Romm / Recode:
    House Energy and Commerce Committee, Financial Services Committee, and New York attorney general announce probes into Equifax breach — Meanwhile, New York announces its own investigation. — The U.S. Congress plans to probe a massive data breach at the credit-monitoring service Equifax …

    The U.S. Congress is going to hold two hearings on the massive Equifax data breach
    Meanwhile, New York announces its own investigation.

    The U.S. Congress plans to probe a massive data breach at the credit-monitoring service Equifax that compromised roughly 143 million Americans’ most sensitive information.

    Two panels of lawmakers each announced on Friday they planned to grill the company at an upcoming hearing, the date of which the committees did not share. Still, it’s likely to spell only the start of serious scrutiny for Equifax, where hackers earlier this summer gained access to Social Security numbers, home addresses and some credit card data.

    “This unprecedented data breach could impact tens of millions of Americans and raises serious questions about the security of our personal information online,” said Rep. Greg Walden, the Republican who leads the House Energy and Commerce Committee.

  8. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    The Equifax breach, affecting ~44% of US population, is possibly the worst leak of personal information ever and was handled poorly by the company — Consumers’ most sensitive data is now in the open and will remain so for years to come. — It’s a sad reality in 2017 that a data breach …

    Why the Equifax breach is very possibly the worst leak of personal info ever
    Consumers’ most sensitive data is now in the open and will remain so for years to come.

  9. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Equifax’s website for checking if your data was affected by the breach produces confusing or inaccurate results — Several people have confirmed they have mixed or inaccurate results from the Equifax checker. — Something isn’t right about Equifax’s data breach checker.

    We tested Equifax’s data breach checker — and it’s basically useless

    Several people have confirmed they have mixed or inaccurate results from the Equifax checker.

  10. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Equifax breach exposes the problems with using social security numbers as unique identifiers in the digital age

    The Equifax Breach Exposes America’s Identity Crisis

    One of the most shocking things about Thursday’s announcement of the Equifax data breach is the sheer scale of the numbers involved. Particularly the Social Security numbers. Yes, there have been plenty of large data breaches before—5 million SSNs revealed in a Kansas Department of Commerce leak in July, 80 million in the notorious 2015 Anthem health insurance breach—but with Equifax’s revelation that 143 million Americans may have had their SSNs stolen (along with other sensitive personal information), security experts are pressing for a fundamental reassessment in how, and why, we identify ourselves.

    Considered along with the data stolen from various other breaches, hacks, and leaks, “it’s a safe assumption that everyone’s Social Security number has been compromised and their identity data has been stolen,” says Jeremiah Grossman, the chief of security strategy at the defense and threat monitoring firm SentinelOne. “While it may not be explicitly true, we have to operate under that assumption now.”

    SSNs, which have been around since the 1930s, have only one intended purpose: to track US citizens’ earnings and contributions to the Social Security program.

    Omnipresence Issues

    Problems stem from a number of places. Your Social Security number is supposed to be kept secret, which is an increasing challenge in the digital era. And unlike other, similar secrets (like credit card numbers and passwords), SSNs are extremely difficult to change. The Social Security Administration can issue you a new one in extreme cases of identity theft or abuse.

    “The SSN is used for purposes entirely unrelated to its original purpose. That almost always leads to problems,”

  11. Tomi Engdahl says:

    A perfect storm of corporate idiocy

    A perfect storm of corporate idiocy
    Posted 20 hours ago by John Biggs (@johnbiggs)

    At this point in the game there should be a single page on every corporate website, preferably accessible from its front page, that includes the name and all contact details for the Chief Security Officer, including the last four digits of her social security number. It should be her responsibility to ensure that no one uses this information for nefarious purposes in addition to her daily operations. This honeypot should inspire this CSO to go to great lengths to protect herself and her company’s data.

    It’s only fair, right?

    This person – who in Equifax’s case was named John Kelley III and earned nearly $3 million for releasing 143 million customer records (about 2 cents per record) – should also be the first to be fired during a breach.

    I think that’s where we are in 2017. Corporate security is an afterthought.

    I propose this for a simple reason: no one else on Equifax’s corporate leadership board works on security. There are plenty of folks dedicated to sales and revenue growth but only Kelley “has responsibility for legal services, global sourcing, security and compliance, government and legislative relations and more.” He’s a lawyer.

    Breaches are an affront to ethics, customer support, and trust. Breaches are an affront to shareholders and those who depended on Equifax for, arguably, a ridiculous service in these days of trust-less networks and powerful data mining tools.

    In short, Equifax can’t protect your data, can’t build a website, and can’t get its story straight. And this is a publicly-traded company with a century of tradition and trust behind it.

    Almost monthly your family photos, your birth certificate, and your diary are being ransacked or nearly ransacked by criminals. Your valuables are being broadcast to those who would like to steal them. Imagine that the companies you trust with your health, wealth, and privacy are leaking your information almost daily and that the tools used to secure that data are as infuriatingly easy to crack as possible.

    Until everyone who leaks our data and uses weak tools and methods to secure our data is out of a job, we will not be safe.

  12. Tomi Engdahl says:

    We’re all Equif*cked

    Every company is a tech company, and that’s a big problem. Or rather, either every company is a tech company but most suck at it, or most aren’t tech companies but should be. Either way, we’re gonna have a bad time. Stock photo companies oughta be making more images of hackers because that cat burglar / hoodie dude behind a computer isn’t going to cut it when sh*t hits the fan on a weekly basis.

    Somehow, no one seemed to realize that connecting the Internet to everything was a terrible idea despite also being a great idea. We built information super-highways…yay, great…but most businesses forgot the guardrails.

    The Equifax disaster is just a warning shot compared to what’s to come.

    Today, the hacks and breaches are hitting banking and credit companies, government databases, voting machines, and public utility infrastructure. That stolen data can’t always be changed, like your date of birth. Unless the government decides to reissue everyone a new social security number, once it’s stolen, it’s permanently vulnerable to exploitation.

    That data could be used to steal people’s identities, take out fraudulent loans, or power social engineering attacks where hackers call your bank or cell phone carrier and use info only you should have to trick them into providing access to your accounts.

    That’s why we need every company to become a good tech company. Double the security budgets, break up sensitive data into different databases, stop issuing unrandomized backup passwords. Clamp down with hardcore firewalls and physical security. Always update to the latest operating system security patches. Let us two-factor everything. Train customer service reps to spot social engineering hacks, and make sure every employee knows how to avoid phishing attacks.

    Meanwhile, software makers like Microsoft need to step up and take more responsibility for protecting older versions of their operating systems. And governments need to more aggressively punish companies with weak security such that it’s too expensive to risk.

    Europe has set a good example with its new laws coming into effect in 2018 that levy stiff fines against companies that don’t disclose a data breach within 72 hours (with some exceptions). Violators can get slapped with a penalty of up to 2% of their global annual revenue, which would have stuck Equifax with over $60 million in fines.

  13. Tomi Engdahl says:

    Equifax Breach Provokes Calls For Serious Data Protection Reforms

    Equifax’s data breach was colossal — but what should happen next? The Guardian writes:
    The problem is that companies like Equifax are able to accumulate — essentially, without limit — as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches… Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.

    Why do big hacks happen? Blame Big Data

    Equifax, one of the largest credit reporting agencies, revealed on Thursday that it was hacked back in May, exposing the personal data of up to 143 million people. The data accessed by hackers contains extremely sensitive information like social security numbers, birth data, consumers’ names, driver’s license numbers and credit card numbers.

    This breach is a monumental failure of cybersecurity, which raises many pressing privacy concerns. However, beyond those issues, it also illustrates a fundamental problem of the data economy as a whole: databanks like Equifax are too big.

    Consumer credit agencies like Equifax are part of the multi-billion dollar data broker industry, which is based on collecting, analyzing, and selling thousands of data points about individual people. They paint a detailed picture of a person’s life and that profile is used to make decisions with direct impacts on, as I have written elsewhere, “many facets of our lives, from obtaining a loan to finding a job to renting a home.” As a company adds to its hoard of data, the value grows exponentially; so, the imperative for data brokers is to continuously accumulate as much data as possible.

    As epic as Equifax’s hack was, things can get a lot worse. The credit reporting agencies Experian and TransUnion are data giants on par with Equifax and there are thousands of other data brokers that also possess large databanks. Data breaches like this one are not bugs, but rather features of a system that centralizes immense amounts of valuable personal data in one place.

    The vaults of these databanks are impossible to secure, in large part, because the wealth of information they hold is a beacon for hackers. Even the most impenetrable cybersecurity will eventually fail under the pressure of dogged hackers probing for weaknesses to exploit. Better cybersecurity is important, but it is not a solution. It only postpones catastrophic failure.

  14. Tomi Engdahl says:

    The Equifax Breach Exposes America’s Identity Crisis

    Considered along with the data stolen from various other breaches, hacks, and leaks, “it’s a safe assumption that everyone’s Social Security number has been compromised and their identity data has been stolen,” says Jeremiah Grossman, the chief of security strategy at the defense and threat monitoring firm SentinelOne. “While it may not be explicitly true, we have to operate under that assumption now.”

  15. Tomi Engdahl says:

    Apache Struts Flaw Reportedly Exploited in Equifax Hack

    A vulnerability affecting the Apache Struts 2 open-source development framework was reportedly used to breach U.S. credit reporting agency Equifax and gain access to customer data.

    Equifax revealed last week that hackers had access to its systems between mid-May and late July. The incident affects roughly 143 million U.S. consumers, along with some individuals in the U.K. and Canada.

    The compromised information includes names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers. The credit card numbers of roughly 209,000 consumers in the United States and dispute documents belonging to 182,000 people may have also been stolen by the attackers.

    Equifax only said that “criminals exploited a U.S. website application vulnerability to gain access to certain files.” However, financial services firm Baird claimed the targeted software was Apache Struts, a framework used by many top organizations to create web applications.

    “Our understanding is that data entered (and retained) through consumer portals/interactions (consumers inquiring about their credit reports, disputes, etc.) and data around it was breached via the Apache Struts flaw,” Baird said in a report.

    Some jumped to conclude that it was the recently patched and disclosed CVE-2017-9805, a remote code execution vulnerability that exists when the REST plugin is used with the XStream handler for XML payloads. This flaw was reported to Apache Struts developers in mid-July and it was addressed on September 5 with the release of Struts 2.5.13.

  16. Tomi Engdahl says:

    Equifax shares tumble another 8% after credit score hack

    The company saw shares fall 14% on Friday and then on Monday it fell another 8%, costing the company billions of dollars in market cap. Shares closed Monday at $113.12.

    This is considered one of the most impactful cyber attacks in history because nearly half of Americans were breached and personally identifying information like social security numbers, credit scores, and sometimes bank account details were stolen.

    Executives at Equifax also came under fire for selling shares after the company had been made aware of the hacks.

  17. Tomi Engdahl says:

    Senator says Equifax should offer customers free credit security freezes

    Equifax’s handling of the massive data breach that affected 143 million people has been ineffective, Senator Brian Schatz wrote today in a letter to Equifax (embedded at bottom of post). He says what Equifax has offered customers, a one-year complimentary subscription to credit monitoring, is “inadequate for several reasons.”

    One year of credit monitoring, Schatz wrote, is “insufficient given the scope and scale of this data breach,” noting that those affected will be at risk of identity theft for “years to come.” He also notes that credit monitoring isn’t the best solution because it doesn’t actually prevent identity theft. The solution that works best is implementing a credit security freeze, but Equifax is charging customers to do that. Schatz says “it is unacceptable.”

    “If even a fraction of the impacted customers implement security freezes, Equifax stands to make hundreds of millions of dollars from its security failings,” Schatz wrote.

  18. Tomi Engdahl says:

    FireEye pulls Equifax boasts as it tries to handle hack fallout
    Now credit freezes may not even be secure

    FireEye removed an Equifax case study from its website in response to a recently disclosed mega-breach at the credit reference agency.

    Equifax’s endorsement that FireEye’s tech protected it against zero-day and targeted attacks had more than the whiff of hubris about it once it emerged hackers had successfully pwned the credit reference agency’s systems and accessed all manner of sensitive information.

    Equifax said that hackers exploited an unspecified web application vulnerability to hack into its systems.

    Equifax has reportedly hired incident response experts at FireEye Mandiant to investigate the breach. These experts have also been helping with PR aspects of damage limitation, it seems.

    Brandan Schondorfer of Mandiant registered the domain on Tuesday (5 September), two days before the breach was publicly disclosed, thereby preventing anyone else intent on poking fun at Equifax – or perhaps worse, running phishing attacks – from getting their hands on the domain.

    Other aspects of Equifax’s overall incident response (analysed in depth in a post by security blogger Guise Bule here) have been less assured.

    For example, security experts at Sophos have criticised Equifax’s use of PINs – based on the date and time of when a request was made – to freeze consumer credit files. Crooks have a far better chance of determining these PINs and unfreezing credit files than if they were randomly generated. Worse yet, compromised server logs might be used to determine PINs.
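The PIN weakness Sophos describes, illustrated by an added example that is not code from the article, from Sophos or from Equifax: a PIN derived from the request time has a search space bounded by the time window in which the freeze was requested, while a PIN drawn from a CSPRNG has the full 10^10 space. The MMDDYYHHMM layout used here is an assumption, since the comment only says the PINs were based on the request date and time; the audit check that flags timestamp-shaped PINs is likewise a constructed heuristic.

```python
import math
import secrets
from datetime import datetime

# Assumed layout of a time-derived PIN: month, day, two-digit year, hour, minute.
# The article only says the PINs were "based on the date and time of when a
# request was made"; this exact format is an assumption for the example.
TIMESTAMP_FORMAT = "%m%d%y%H%M"
PIN_DIGITS = 10


def timestamp_pin(requested_at: datetime) -> str:
    """The weak scheme: the PIN is simply the request time written as digits."""
    return requested_at.strftime(TIMESTAMP_FORMAT)


def random_pin(digits: int = PIN_DIGITS) -> str:
    """The corrected scheme: every digit comes from the OS CSPRNG (secrets)."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def timestamp_keyspace(window_days: int) -> int:
    """Distinct time-derived PINs possible when the request is known to fall
    within a window of `window_days` days (one candidate per minute)."""
    return window_days * 24 * 60


def random_keyspace(digits: int = PIN_DIGITS) -> int:
    """Distinct PINs under the random scheme."""
    return 10 ** digits


def entropy_bits(keyspace: int) -> float:
    """Guessing entropy in bits for a PIN chosen uniformly from `keyspace`."""
    return math.log2(keyspace)


def looks_like_timestamp_pin(pin: str, fmt: str = TIMESTAMP_FORMAT) -> bool:
    """Audit check for issued PINs: does the value parse as a timestamp in the
    assumed layout? Heuristic only: about 0.5% of random 10-digit strings
    also happen to parse, so treat a hit as a reason to investigate."""
    try:
        datetime.strptime(pin, fmt)
    except ValueError:
        return False
    return True


def compare_schemes(window_days: int) -> dict:
    """Summarise how much smaller the time-derived search space is than the
    random one for a given request window."""
    weak = timestamp_keyspace(window_days)
    strong = random_keyspace()
    return {
        "window_days": window_days,
        "timestamp_keyspace": weak,
        "timestamp_bits": round(entropy_bits(weak), 1),
        "random_keyspace": strong,
        "random_bits": round(entropy_bits(strong), 1),
        "ratio": strong // weak,
    }


if __name__ == "__main__":
    # Constructed sample: a freeze requested on 8 September 2017 at 14:30.
    requested = datetime(2017, 9, 8, 14, 30)
    weak = timestamp_pin(requested)
    strong = random_pin()
    print("time-derived PIN:", weak, "timestamp-shaped:", looks_like_timestamp_pin(weak))
    print("random PIN:      ", strong, "timestamp-shaped:", looks_like_timestamp_pin(strong))
    for days in (1, 30, 90):
        print(compare_schemes(days))
```

Even a 90-day request window leaves a time-derived PIN with roughly 17 bits of entropy against 33 bits for a random 10-digit PIN, and an attacker who can read server logs knows the request time exactly.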

  19. Tomi Engdahl says:

    Apache Foundation rebuffs allegation it allowed Equifax attack
    Timeline explains that either Equifax didn’t patch old bugs, or was zero-dayed

    The Apache Software Foundation has defended its development practices in the face of a report alleging its code was responsible for the Equifax data leak. An outlet run by Atlantic Media alleged that the hack was the result of an attack on Apache Struts, which as we reported last week was found to have a flaw allowing malware to be injected into corporate networks. The outlet pointed out that the flaw may have been present in Struts for nine years.

    Which has Apache antsy, as it’s not willing to wear responsibility for a hack that took place before it knew it had a problem, or to be labelled as the kind of outfit that lets bugs go un-patched for years at a time.

    Gielen therefore suggests “the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time [July] – a so-called Zero-Day-Exploit.”

    While nobody wants to have bugs in their code, Apache argued it responded properly to the bugs revealed in September.

    “Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here – we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP.”

  20. Tomi Engdahl says:

    Shannon Liao / The Verge:
    DoNotPay chatbot, mainly known for aiding with parking tickets, now helps you fill out forms to sue Equifax without a lawyer, for up to $25K in some states — Equifax’s security failure affected 143 million US consumers, or 44 percent of the US population.

    Chatbot lets you sue Equifax for up to $25,000 without a lawyer

    Equifax’s security failure affected 143 million US consumers, or 44 percent of the US population. To add insult to injury, Equifax waited over a month before revealing the security breach it had suffered. If you’re one of the millions affected by the breach, a chatbot can now help you sue Equifax in small claims court, potentially letting you avoid hiring a lawyer for advice.

    Even if you want to be part of the class action lawsuit against Equifax, you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.

    Not that the bot helps you do anything you can’t already do yourself, which is filling out a bunch of forms — you still have to serve them yourself. Unfortunately, the chatbot can’t show up in court a few weeks later to argue your case for you either. To add to the headache, small claims court rules differ from state to state. For instance, in California, a person needs to demand payment from Equifax or explain why they haven’t demanded payment before filing the form.

    Equifax seems like it’s going to put up a fight, so help in the form of chatbots can’t hurt. Peter Vogel, a trial and transactional lawyer in Texas, says, “I believe that Equifax will fight class action lawsuits [and] small claims courts actions. That does not mean that Equifax will prevail, but … given the scope of the 143 million individuals, it strikes me that Equifax will want to make this as complicated as possible for consumers.”

  21. Tomi Engdahl says:

    Security researchers find gross deficiencies on Equifax Argentina site

    As we close in on a week since Equifax announced the massive hack that could potentially have exposed the financial information of 143 million consumers in the US, we have been left with many questions. How could a firm entrusted with our most sensitive financial data allow this to happen?

    According to information supplied to Krebs by security researcher Alex Holden of Hold Security, the company is still leaving user data vulnerable to attacks. This firm began researching Equifax sites in South America, and found almost immediately that it was simple to get into an employee portal.

    Unbelievably, it was “protected” with the user name admin and the password admin. It obviously didn’t take a hacking genius to get inside.

    Incredibly, the user name, which was often just the employee last name, was the same as the password. The researchers also found, because they were granted administrative access, they could add, delete or modify the employee records.

    From there the researchers were able to quickly access consumer complaint records on the site.

    It appears with evidence like this that there is gross incompetence involved.

  22. Tomi Engdahl says:

    No, a chatbot can’t automatically sue Equifax for $25,000

    Making the rounds today is a chatbot that claims it will let you sue Equifax for thousands of dollars in small claims court without using a lawyer.

    The Verge boldly stated you can claim up to $25,000 dollars, and the chatbot says that it’s the “first case of a fully automated lawsuit.” While it would be cool to fill out a form and get a check a few months later, this isn’t the case.

    In reality, this “fully automated” chatbot is asking for very basic personal information, like your address, and populating it into a PDF that you can use to start the process of taking Equifax to small claims court.

    Here’s where your troubles really begin. Small claims courts are for settling known, documented damages.

    Filing a lawsuit based on information you know to be wrong (i.e. that you have suffered $10,000 worth of damages but have no documentation) may also invite the ire of the court.

    Even if you did manage to get the court to hear it, it’s entirely possible that Equifax would simply move to have the case taken out of small claims court and consolidated in a state or federal court.

  23. Tomi Engdahl says:

    Canadian Class Action Suit Launched Against Equifax Over Data Breach

    A class action lawsuit by Canadian consumers whose data was stolen in a massive hack of US credit bureau Equifax was launched Tuesday, seeking damages of Can $550 billion ($450 billion US).

    The proposed class action includes all residents of Canada whose information was stored on Equifax databases and was accessed without authorization between May 1, 2017 and August 1, 2017, according to a statement by the Toronto-based Sotos law firm.

    The hack was disclosed last week by Equifax, one of the three major credit bureaus that collect consumer financial data, and potentially affects 143 million US customers, as well as an as yet unspecified number of Canadian and British customers.

    The breach is considered one of the worst-ever because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.

    The claim alleges that Equifax breached its contract with class members as well as their privacy rights and was negligent in handling their information.

    Some reports have suggested Equifax data was being sold on “dark web” marketplaces, but analysts said it was too soon to know who was behind the attack and the motivation.

  24. Tomi Engdahl says:

    Is Equifax Data On The Dark Web? Not Yet, But It Will Be

    Following the security breach of credit reporting firm Equifax that resulted in the personal information of upwards of 143 million Americans being stolen, researchers are searching to find who executed the hack and where the stolen data will end up—though thus far the clues have been sparse.

    With any data breach, but especially one the size of the Equifax incident, it seems inevitable that the stolen information will end up on the dark web—either sold off to the highest bidder or in bits and pieces that allow black market buyers to purchase and use stolen information.

    The first potential lead appeared early Friday when a dark website called BadTouch appeared online and claimed to be selling a database of data stolen from Equifax.

    The site was set up by an apparent duo of hackers who identify themselves as the PastHole Hacking Team. The collective claims to have access to personally identifying information of more than 140 million people—including social security numbers, driver’s license numbers, dates of birth and addresses—as well as more than 200,000 credit card numbers.

    According to the site, the two supposed hackers identified themselves as just “two people trying to solve our lives and those of our families.” The hacking team claimed to have not expected to gather as much information as they did and have no intention of affecting any individuals but intend to “monetize the information as soon as possible.”

    As such, the PastHole team said they were looking for 600 Bitcoin (about $2.6 million) in exchange for the database—a price set based on the nearly $2 million made by Equifax executives who sold shares in the company after the breach was discovered but before it was disclosed to the public.

  25. Tomi Engdahl says:

    Equifax view on dark web:

    The Dark Web explained – what does it mean for online security?

  26. Tomi Engdahl says:

    Dark Web Selling Breached Equifax Data For $2.7 Million

    A hacker duo are asking for 600 Bitcoins ($2.7 million) in exchange for the breached Equifax data that contains 143 million U.S. consumers’ social security and credit card details.

    The Dark Web portal claims to have the Equifax data, and says that if they do not sell it by September 15th, they’ll publish the database online for free.

    On the portal, the hackers also slam Equifax executives for selling $2 million in stock before the breach was made public.

  27. Tomi Engdahl says:

    Richard Henderson, global security strategist, Absolute:

    “We have to expect that the fallout from this will likely be unprecedented. Many people are going to lose their jobs, including Equifax executives, people will be brought before Congress to explain what happened, and consumer trust in *all* of the credit reporting agencies will be eroded.

    It may be time for us to reconsider exactly how we allow companies to store all of this data. It’s clear that these mega-databases are prime targets for attack, and we may need to take a hard look at legislative changes that will force databrokers and collectors to take security up a few levels.”

    Etienne Greeff, CTO and Co-Founder, SecureData:

    “In response to the breach, Equifax created a website – – that offers free identity theft protection and credit file monitoring to all US customers. However, customers are asked to input additional information into the website that doesn’t even have a valid security certificate. It’s akin to offering contents insurance to a person whose house has already been robbed – and potentially putting them at risk even further. What’s more, Equifax has been relatively tight lipped about the type of information that has been compromised


  28. Tomi Engdahl says:

    Missed patch caused Equifax data breach
    Apache Struts was popped, but company had at least TWO MONTHS to fix it

    Equifax has revealed that the cause of its massive data breach was a flaw it should have patched weeks before it was attacked.

    The company has updated its site with a new “A Progress Update for Consumers” that opens as follows:

    Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

    As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017. Doubt us? Here’s the NIST notification that mentions it as being notified on March 10th.

  29. Tomi Engdahl says:

    Equifax Had ‘Admin’ as Login and Password in Argentina

    The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations. The breach was revealed after security researchers discovered that an online employee tool used by Equifax Argentina was accessible using the “admin/admin” password combination.

    Equifax had ‘admin’ as login and password in Argentina

  30. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Equifax employee portal in Argentina listed 14K names, social security number-like DNIs of customers in plain text until notified by security researchers today

    Ayuda! (Help!) Equifax Has My Data!

    Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. But the official list of victim countries may not yet be complete: According to information obtained by KrebsOnSecurity, Equifax can safely add Argentina — if not also other Latin American nations where it does business — to the list as well.

    Equifax is one of the world’s three-largest consumer credit reporting bureaus, and a big part of what it does is maintain records on consumers that businesses can use to learn how risky it might be to loan someone money or to extend them new lines of credit. On the flip side, Equifax is somewhat answerable to those consumers, who have a legal right to dispute any information in their credit report which may be inaccurate.

    Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

    It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

  31. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Equifax blames Apache Struts vulnerability that was patched on March 6 for the massive data breach that it says happened in mid-May — Critical Apache Struts bug was fixed in March. In May, it bit ~143 million US consumers. — The Equifax breach that exposed sensitive data …

    Failure to patch two-month-old bug led to massive Equifax breach
    Critical Apache Struts bug was fixed in March. In May, it bit ~143 million US consumers.

    The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said Thursday.

    “Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” company officials wrote in an update posted online. “We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

    The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.
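
The timeline in the article above (fix shipped March 6, breach in mid-May) is the check every shop should be able to run against its own inventory: which hosts still carry a struts2-core build inside the affected ranges, and for how long past the fix date. The Python below is an added example, not code from Equifax, Ars Technica or the Apache project. The affected ranges and fix versions are taken from the Apache S2-045 advisory (2.3.5 through 2.3.31 and 2.5 through 2.5.10 vulnerable; fixed in 2.3.32 and 2.5.10.1, released 2017-03-06); the hostnames, jar paths and observation date are constructed sample data.

```python
"""Audit deployed Apache Struts 2 builds against CVE-2017-5638 (S2-045).

Affected ranges and fix versions are those in the Apache S2-045 advisory:
2.3.5 through 2.3.31 and 2.5 through 2.5.10 are vulnerable; 2.3.32 and
2.5.10.1 carry the fix, published 2017-03-06. Hostnames and jar paths in
SAMPLE_INVENTORY are constructed, not anyone's real inventory.
"""
import re
from datetime import date

FIX_RELEASED = date(2017, 3, 6)

# (inclusive low, inclusive high), as 3-component version tuples
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
)

_JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); a trailing qualifier like '-SNAPSHOT' is dropped."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True if the struts2-core version falls inside an S2-045 affected range."""
    v = parse_version(version)
    # Pad short versions so '2.5' compares as 2.5.0. Longer versions keep
    # their extra component, so 2.5.10.1 sorts above 2.5.10 and is clean.
    if len(v) < 3:
        v = v + (0,) * (3 - len(v))
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_jar(path):
    """Version string from a struts2-core jar path, or None for any other jar."""
    m = _JAR_RE.search(path)
    return m.group(1) if m else None


def audit(inventory, observed_on):
    """inventory: iterable of (host, path to a jar on that host).

    Returns one finding per host running a vulnerable struts2-core build,
    with the number of days the fix had been available on observed_on.
    """
    findings = []
    for host, jar in inventory:
        version = version_from_jar(jar)
        if version is None:
            continue  # not a struts2-core jar, nothing to say
        if is_vulnerable(version):
            findings.append({
                "host": host,
                "version": version,
                "days_unpatched": (observed_on - FIX_RELEASED).days,
            })
    return findings


# Constructed sample inventory: two hosts on fixed builds, two on vulnerable
# builds, one with an unrelated jar.
SAMPLE_INVENTORY = [
    ("web-01", "/opt/tomcat/webapps/app/WEB-INF/lib/struts2-core-2.3.30.jar"),
    ("web-02", "/opt/tomcat/webapps/app/WEB-INF/lib/struts2-core-2.3.32.jar"),
    ("web-03", "/srv/app/WEB-INF/lib/struts2-core-2.5.10.jar"),
    ("web-04", "/srv/app/WEB-INF/lib/struts2-core-2.5.10.1.jar"),
    ("web-05", "/srv/app/WEB-INF/lib/commons-fileupload-1.3.2.jar"),
]

if __name__ == "__main__":
    # Mid-May 2017, the window Equifax gives for the intrusion (constructed date).
    for f in audit(SAMPLE_INVENTORY, date(2017, 5, 13)):
        print(f"{f['host']}: struts2-core {f['version']} vulnerable, "
              f"{f['days_unpatched']} days after the fix shipped")
```

Two details carry the correctness here: a version written as 2.5 must compare as 2.5.0, and 2.5.10.1 must sort above 2.5.10, which Python tuple comparison gives once short versions are padded. The harder part in practice is the inventory itself: the jar actually on disk is the ground truth, not what a change ticket says was deployed, which is the gap Equifax's own "took efforts to identify and to patch" wording points at.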

  32. Tomi Engdahl says:

    In a rare public disclosure, Federal Trade Commission says it’s investigating the Equifax hack — WASHINGTON (Reuters) – The Federal Trade Commission said on Thursday it has opened an investigation into the massive data breach at Equifax Inc (EFX.N), in a rare public disclosure …

    FTC probes Equifax; top Democrat likens it to Enron

    WASHINGTON (Reuters) – The U.S. Federal Trade Commission said on Thursday it was investigating Equifax Inc’s (EFX.N) massive data breach, a rare public confirmation, as a top Democrat suggested the credit-monitoring company’s corporate leaders might need to resign.

    Senate Democratic Leader Chuck Schumer also compared Equifax to Enron, a U.S. energy company that was consumed in scandal after revealing in 2001 that it engaged in widespread accounting fraud.

    “It’s one of the most egregious examples of corporate malfeasances since Enron,” Schumer said, calling Equifax’s treatment of consumers afterward “disgusting” and its inability to protect data “deeply troubling.”

  33. Tomi Engdahl says:

    Equifax says web server vulnerability led to hack

    Credit reporting company Equifax Inc blamed a web server vulnerability in its open-source software, called Apache Struts, for the recent data breach that compromised personal details of as many as 143 million U.S. consumers.

  34. Tomi Engdahl says:

    Scammers Offer to Sell Data Stolen in Equifax Hack

    While the large amount of information stolen in the recent Equifax hack might be up for sale somewhere on the dark web, scammers have also set up websites offering the data from the U.S. credit reporting agency.

    Security experts believe the attackers will likely try to sell the data and warned users to be on the lookout for phishing attempts and scams.

    The U.S. Federal Trade Commission (FTC) has launched an investigation into the massive data breach, and released an alert regarding scam phone calls from people claiming to represent Equifax.

  35. Tomi Engdahl says:

    U.S. Watchdog Confirms Probe of Huge Equifax Data Breach

    A U.S. consumer protection watchdog agency said Thursday it has begun an investigation into a massive data breach at credit bureau Equifax that may have leaked sensitive information on 143 million people.

    The Federal Trade Commission joins US congressional committees promising to probe the causes and implications of what could be the worst breach of personal information in the United States.

    “The FTC typically does not comment on ongoing investigations,” said Peter Kaplan, the agency’s acting director of public affairs.

    “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”

    The hack disclosed last week at Equifax, one of the three major credit bureaus which collect consumer financial data, potentially affects more than half the adult population.

  36. Tomi Engdahl says:

    Credit Karma says it will offer credit monitoring for Equifax following this month’s huge breach

    Credit Karma said it will add Equifax to its credit monitoring service as part of its free product, which proactively notifies members of significant changes to their credit report.

    It includes a whole suite of notifications for significant changes in credit queries, such as opening new accounts, a change in the status of an account, new personal information or a hard inquiry or application for credit. You’ll probably find most of this in some other credit monitoring services, but Credit Karma is now looking to offer it for free as it looks to create a simpler tool for consumers to check and monitor their credit scores.

    Credit Karma Adds Equifax to its Flagship Free Credit Monitoring Service

    Personal finance company is the most comprehensive free U.S. online credit monitoring service

  37. Tomi Engdahl says:

    Equifax security and information executives are stepping down

    Top executives at Equifax are retiring effective immediately, according to the WSJ. Susan Mauldin was the company’s chief security officer and David Webb was the chief information officer. The report says the executives are retiring, though, in the wake of the company’s major security breach, “retire” feels like a euphemism for “fired.”

    The company says the personnel changes will happen immediately, with Mark Rohrwasser taking over Webb’s spot as CIO and Russ Ayres becoming the interim CSO.

    Equifax reported last week a leak on July 29 that compromised the data of 143 million Americans.

    Following the report, the company came under fire for its response, which was both lackadaisical and callous. The website that the company set up to assist consumers was at best broken and at worst, a scam. Phone calls to the company followed the same trend, and, since then, Congress is reportedly looking into the issue.

  38. Tomi Engdahl says:

    After Equifax, What Will Credit or Identity Monitoring Really Do For You?

    On the heels of the major security breach at Equifax, millions of Americans are considering signing up for identity and credit monitoring. Equifax is even offering its own version, called TrustedID Premier, for free to all U.S. consumers for a year.

    Free credit and identity monitoring has become the salve that companies and government agencies dole out to consumers in the days after a security breach.

    But there hasn’t been much research into whether these solutions are actually helpful, or if there are meaningful differences between the 60 or so companies that sell them.

    In March, the U.S. Government Accountability Office issued a 70-page report [PDF] examining credit and identity monitoring services. Of identity monitoring, the report said “its effectiveness in mitigating identity theft is unclear.”

    Credit monitoring alerts consumers to any changes in their credit reports held by the three major U.S. credit bureaus—Experian, Equifax, and TransUnion. Identity monitoring uses algorithms or other techniques to trawl websites for social security numbers, dates of birth, addresses, and other information stolen from consumers.

    In the case of identity monitoring, companies are trying to hit a moving target by scanning the dark web for websites known to deal in stolen identities. “The problem there is that nobody knows how many websites there are, and how many these companies are monitoring,”

    For consumers, identity and credit monitoring services typically cost between $5 and $30 a month. The GAO report noted that two of the largest providers claimed to have a combined total of 5.4 million customers in 2015. “Over the years, we’ve said that these services are not really worth it,” says Blyskal.

    The terms used by the industry can be confusing.

    Credit monitoring services sold in the U.S. generally keep an eye on your credit at three major credit bureaus: Experian, Equifax, and TransUnion.

    But all of this applies only to new lines of credit. It has nothing to do with the accounts you currently hold, including credit cards, investment accounts, and bank accounts. Fraudulent charges to these accounts will not be noted by credit monitoring services

    The good news is that many credit card providers excuse customers from paying fraudulent fees

    The best ways to protect yourself are things you can do for free or low cost, Baird says. Once a year, U.S. citizens can request a free credit report from each of the three major credit bureaus

    Baird also recommends paying a $5 to $10 fee to place a credit freeze on your report at each of the three bureaus, which will prevent the bureaus from sharing it with any creditor wishing to issue a line of credit in your name, until you unfreeze it.

    Blyskal also suggests putting a fraud alert on your credit report at all bureaus by contacting any one bureau.

    Several types of identity theft and fraud are simply not captured by credit or identity monitoring services. These include tax refund fraud

    These services also won’t capture medical fraud

    They can’t prevent the theft in the first place, or barge in and prosecute thieves on your behalf. “At best, it detects and alerts,”

  39. Tomi Engdahl says:


    Capping a week of incompetence, failures, and general shady behavior in responding to its massive data breach, Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn’t.

    As the security community processes the news and scrutinizes Equifax’s cybersecurity posture, numerous doubts have surfaced about the organization’s competence as a data steward. The company took six weeks to notify the public after finding out about the breach. Even then, the site that Equifax set up in response to address questions and offer free credit monitoring was itself riddled with vulnerabilities.

  40. Tomi Engdahl says:

    AnnaMaria Andriotis / Wall Street Journal:
    Equifax announces its Chief Security Officer Susan Mauldin and Chief Information Officer David Webb are retiring effective immediately — The departures of the company’s chief information officer and chief security officer come in the wake of a massive data breach

    Two Top Equifax Executives to Retire

    The departures of the company’s chief information officer and chief security officer come in the wake of a massive data breach

  41. Tomi Engdahl says:

    The learned helplessness of Equifax

    It is well understood by every adult American that you must keep your nine-digit Social Security Number absolutely secret, lest someone use it to open accounts in your name and ransack your name, your credit, and your sacred honor. There is a real learned helplessness to this: Americans just take it for granted that this is the way things work, it is the way things have always worked, it is the way things always will work. If your SSN and a few personal details get hacked, as with Equifax, apparently because it negligently left its server software unpatched for two months — that’s it, you’re screwed.

    This is, of course, completely insane.

    “But what else could we do?” you might ask. “It’s not realistic for credit rating companies, the grimdark apotheosis of surveillance capitalism, to actually verify someone’s identity before someone opens a new account in their name. Not if that someone has their social security number! What else could possibly be done?”

    What if I told you that the credit rating companies already had a system to verify identities before opening new accounts

    That’s right: a solution to the ongoing insane catastrophe which is the American credit system already exists. The infrastructure and process for it is already in place. But thanks to regulatory capture, an inability to understand the scale of data hacks that modern technology enables, or sheer incompetence, it only exists as a case-by-case, opt-in, short-term solution.

    Obviously everybody should have this verification — “two-factor authentication,” if you will — turned on and kept on.

    The current credit-rating system is insane. But it gets even worse: the current system actually already contains its own solution.

  42. Tomi Engdahl says:

    U.S. Politicians Demand Probe of Equifax After Hack
    By AFP on September 15, 2017

    A senior US senator called Wednesday for a federal investigation of credit rating agency Equifax after the company lost the personal data of 143 million customers to hackers.

    Senator Mark Warner asked the Federal Trade Commission, one of the few bodies with oversight powers over loosely-regulated credit raters, to examine Equifax’s security practices and its “widely-panned response” to consumers potentially impacted by the breach.

    Warner, a member of the powerful Senate Banking Committee, accused the company of “exceptionally poor cybersecurity practices” that continued even after the hack became known.

    He also said the company’s woeful response to people whose data may have been lost — including trying to charge them for protection — was “alarming”.

    “The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize.”

  43. Tomi Engdahl says:

    Scammers Offer to Sell Data Stolen in Equifax Hack

    While the large amount of information stolen in the recent Equifax hack might be up for sale somewhere on the dark web, scammers have also set up websites offering the data from the U.S. credit reporting agency.

  44. Tomi Engdahl says:

    U.S. Justice Department investigating Equifax execs who dumped shares before announcing breach

    The U.S. Justice Department is said to be investigating the questionable sale of stock by Equifax executives in advance of the company’s public announcement of its massive data breach.

  45. Tomi Engdahl says:

    Sources: DoJ has opened a criminal investigation into three Equifax executives’ stock sales that occurred days after the historic data breach was discovered — U.S. attorney in Atlanta said to lead probe alongside SEC — Managers unaware of breach when they sold stock, company said

    Equifax Stock Sales Are the Focus of U.S. Criminal Probe

  46. Tomi Engdahl says:

    Equifax’s IT leaders ‘retire’ as company says it knew about the bug that brought it down
    Company tried to find and patch vulnerable systems, but we know what happened next

    Equifax’s chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.

    The retirements and more details about the company’s mega-breach are revealed in a new entry to in which the company describes what it knew, when it knew it, and how it responded.

    The update reveals that the attack hit the company’s “U.S. online dispute portal web application” and that the source of its woes was CVE-2017-5638, “which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.” Equifax acknowledges that bug was disclosed in early March 2017.

    The next point on the company’s list says “Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

    But elsewhere in the statement, Equifax just-about-confesses that those efforts either missed the Struts implementation or failed to patch it properly. The key passages explain that the company “observed suspicious network traffic” on July 29th, “continued to monitor network traffic and observed additional suspicious activity” on the 30th and “took offline the affected web application that day.”
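
The CVE description Equifax quotes in the comment above (commands delivered through a crafted Content-Type header) is also the detection hook: a legitimate Content-Type is a media type with optional ";name=value" parameters, and nothing else belongs in that header. The Python below is an added example, not code from Equifax, Apache or The Register; it checks each request's Content-Type against a media-type grammar and for OGNL syntax, the expression language the Struts flaw evaluated. The request texts are constructed samples, and the suspicious header value is a non-working indicator string, not an exploit payload.

```python
"""Flag HTTP requests whose Content-Type header carries an OGNL expression,
the delivery vector for Apache Struts CVE-2017-5638 (S2-045).

A legitimate Content-Type is a media type, optionally followed by
";name=value" parameters (RFC 7231 section 3.1.1.1). A value that fails
that grammar is at best malformed; one that also contains OGNL syntax is
an exploitation attempt. SAMPLE_REQUESTS below are constructed.
"""
import re

# token "/" token *( OWS ";" OWS token "=" ( token / quoted-string ) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_MEDIA_TYPE_RE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)

# Substrings that never occur in a genuine media type but do in OGNL payloads.
OGNL_MARKERS = (
    "%{", "${", "#cmd=", "#_memberAccess", "ognl.OgnlContext",
    "ProcessBuilder", "@java.lang.Runtime", "#context",
)


def inspect_content_type(value):
    """Return the reasons a Content-Type value is suspicious; empty list if clean."""
    reasons = []
    if not _MEDIA_TYPE_RE.match(value):
        reasons.append("not a well-formed media type")
    lowered = value.lower()
    hits = [m for m in OGNL_MARKERS if m.lower() in lowered]
    if hits:
        reasons.append("OGNL markers: " + ", ".join(hits))
    return reasons


def content_type_of(raw_request):
    """Extract the Content-Type value from a raw HTTP request; None if absent."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None


def scan_requests(raw_requests):
    """Return one finding per request whose Content-Type fails inspection."""
    findings = []
    for raw in raw_requests:
        ctype = content_type_of(raw)
        if ctype is None:
            continue
        reasons = inspect_content_type(ctype)
        if reasons:
            findings.append({
                "request": raw.split("\n", 1)[0].rstrip("\r"),
                "content_type": ctype,
                "reasons": reasons,
            })
    return findings


# Constructed sample traffic: a normal multipart upload, a GET with no body,
# and an S2-045 style header. The last is an indicator string, not a working
# payload.
SAMPLE_REQUESTS = [
    "POST /dispute/upload.action HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n\r\n",
    "GET /dispute/index.action HTTP/1.1\r\nHost: portal.example\r\n\r\n",
    "POST /dispute/upload.action HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='whoami')}\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f["request"], "->", "; ".join(f["reasons"]))
```

The grammar check does most of the work and does not depend on a marker list: an OGNL expression cannot start with a media type, so it fails the regex before any signature is consulted. The marker list catches the residual case of OGNL smuggled inside a syntactically valid quoted parameter. To run this over real traffic you need the header recorded somewhere; Tomcat's AccessLogValve can log it with a %{Content-Type}i pattern element, and a WAF or reverse proxy usually can as well. Detection on July 29 is what Equifax describes; the same check in front of the dispute portal in March would have been a block, not an alert.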

  47. Tomi Engdahl says:

    Let’s take the Equifax case. If the value of one person is $30 (as some estimates give), then with 143 million people we end up at around 4.3 billion dollars. That is about the same sum by which the value of Equifax has dropped after the details of the leak were published. Interesting…

    What Is Your Customer Data Worth?

    Combine payment card information with date of birth, which is a common fraud prevention question, and the value jumps to $15 in the US and about $30 in other major countries. Add in the billing address and the username and password for the account, and the price goes up to between $30 and $45.

