Equifax Takes The Data Breach Cake
On September 7, credit reporting agency Equifax reported one of the worst data breaches in history, compromising an estimated 143 million Americans, 44 British citizens, and an uncertain number of Canadians. Read on to learn if your personal information leaked to hackers, and how Equifax is actually making things WORSE with their response to the breach...
What Was in the Equifax Leak?
It's not pretty. Names, addresses, Social Security Numbers, birth dates, and in some cases driver’s license data were leaked. Additionally, the credit card numbers of 209,000 U.S. citizens, and credit-related dispute documents with personal identifying information for approximately 182,000 more U.S. citizens were leaked.
Last year, Yahoo announced over a billion customer accounts were compromised by hackers, but Yahoo doesn’t have so much sensitive data about its users. This breach is a very big deal. That it happened is an outrage that’s getting worse every day, as we learn more.
First, we learned that Equifax knew about the breach as early as July 29, but waited forty-one days to alert the public. Why did Equifax wait so long to alert the public? The company has not bothered to explain. Nor has it revealed whether card PINs were compromised. It seems such information is none of the victims’ business.
Next, we learned that three Equifax executives sold $1.8 million of their personal shares in the company a few days after the breach was discovered and a full month before it was revealed to the public. An Equifax spokesperson claimed that none of the execs knew of the breach at the time they sold their stock, a claim that will surely be examined closely by the SEC.
Consumers who went to an Equifax website set up to tell them whether they were affected by the leak were initially required to agree to binding arbitration of any dispute arising from this matter. Equifax, in effect, said to the whole world, “We’re not going to tell you whether we lost your personal financial data unless you agree not to sue us!” That plan went down in flames; within 24 hours, the company eliminated that clause from its site in the face of withering criticism from all corners.
Were You Affected?
The website itself turns out to be a sham, as people who entered the same data multiple times quickly learned. It just returns random answers, “yes,” “no,” or “we don’t know if you were affected.”
The site is supposed to let all affected visitors sign up for the Equifax TrustedID Premier credit monitoring service for one year, free of charge. But as of September 10, I was still getting the peculiar response, “Please return here on September 12, 2017, to complete your enrollment in TrustedID.” Entering different data produced different “return” dates, i.e., September 11 or 13. It’s hard to believe there’s anything behind that cloud of smoke, either.
Yes, it can get worse! The site was not even registered to Equifax, according to the Whois database, until the afternoon of September 10. Its implementation of TLS encryption is flawed, so connections to it may not be secure. It’s running on the free version of WordPress blogging software, which is entirely unsuitable for enterprise-grade secure applications. Those are just the highlights; there are so many security flaws in the site that OpenDNS, the Cisco-owned domain name service, blocked access to EquifaxSecurity2017.com and warned it was a potential phishing scam. Indeed, the site looks very much like something a phishing scammer would put together.
At this point, there's no good way to determine if you were affected. So it's safer to assume you were. The Federal Trade Commission recommends the following for people who may have been affected by a data breach:
- Check your credit reports from Equifax, Experian, and TransUnion. See my article HOWTO: Get Your Free Credit Report Online for details.
- Consider placing a credit freeze on your files.
- Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
Every time I think that Equifax could not possibly have responded to this breach any worse, the company proves me wrong. At this point, I don’t even want to go near Equifax or any site it purportedly owns. I’m just going to order a 55-gallon drum of popcorn via Amazon Prime and watch the rest of this dumpster fire.
I'll update this story when (or perhaps IF) Equifax gets their act together and/or releases any more details to the public.
This article was posted by Bob Rankin on 11 Sep 2017
Copyright © 2005 - Bob Rankin - All Rights Reserved