Major database breach - please read



SteveH
09-07-17, 07:05 PM
Breach at Equifax May Impact 143M Americans (https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/)

Read the above then follow the Equifax link to see if you're involved and to begin enrollment for their protection.

Equifax, Experian, TransUnion and Innovis know everything about consumers' credit history and have personal identification information stored in their systems. This is rather incredible that it could occur. In essence, whoever has access to this data can become whoever they wish to be. Has the potential to make all other breaches look like child's play.

:irked:

SteveH
09-07-17, 07:29 PM
You also need to do the above for your spouse in addition to yourself.

SteveH
09-07-17, 07:34 PM
Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed (https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack)


Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.

:rolleyes:

TravelGal
09-07-17, 08:18 PM
SteveH, your link takes one to this:

Equifax Announces Cybersecurity Incident Involving Consumer Information
No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

I'm skeptical but will investigate.

SteveH
09-07-17, 09:10 PM
SteveH, your link takes one to this:

Equifax Announces Cybersecurity Incident Involving Consumer Information
No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

I'm skeptical but will investigate.

Yeah I understand your skepticism. Equifax announced the breach, then said no evidence of unauthorized access but is providing a year's worth of protection for free. That doesn't add up. Be safe, register for the protection.

I would assume that if anyone is involved Equifax would notify them by mail. I assume.....

BTW Krebs has already updated his article since I first read it. I would expect that he'll continue to do this as the story develops. So check it often.

SteveH
09-07-17, 09:21 PM
Equifax website hack exposes data for ~143 million US consumers (https://arstechnica.com/information-technology/2017/09/equifax-website-hack-exposes-data-for-143-million-us-consumers/?comments=1)

A little more information, a discussion on the website URL used for verification, and interesting comments.

SteveH
09-07-17, 10:45 PM
FYI, essentially what LifeLock provides:
https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

TravelGal
09-08-17, 02:23 AM
I think they are all basically the same. Discover Card has something now also. I followed the link and it concluded that neither TravelGuy nor I were affected.

nrc
09-08-17, 03:21 AM
They're claiming that those managers had not been informed of the breach which is not the same as saying that they had no knowledge of it. Forgive my skepticism.

A while back I signed up for Credit Karma, which is a free service that tracks your credit. They track your TransUnion and Equifax and show you the factors that go into them. They monetize this by offering you credit deals tuned to your particular credit situation. I was concerned initially that it might be obnoxious, but I have to say that it's been completely innocuous and I haven't received a single SPAM message from them.

I think for now I'll keep an eye on things in Credit Karma. The whole business of selling people access to information about themselves seems unsavory to me. Providing it as a consolation for exposing you to identity theft and then inevitably marketing it to you when the term ends is worse still. What will that marketing look like? "That's a nice credit rating you've got there. It'd be a shame if anything were to happen to it."

SteveH
09-08-17, 07:02 AM
Why the Equifax breach is very possibly the worst leak of personal info ever (https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/)

Insomniac
09-08-17, 11:15 AM
This is generally a massive problem and the remedies and solutions offered are wholly inadequate. X year(s) of credit monitoring. They do realize the people who stole this have calendars too? Plus with all these breaches, how much concurrent monitoring do you need?

I recently signed up for a credit card and the change on my credit report was sent to me via Credit Karma. This monitoring should be free and immediate from all of the big 3 credit unions. They make plenty of money hoarding massive power over consumers. They hold all the cards in the dispute process, and trying to clean up your credit after having your identity stolen is long and difficult.

These breaches are not going to stop and watching my credit for 1 year when people are going to be using the same SSN for decades is unhelpful. BTW, I got a message that I can sign up for monitoring after 9/12 but no message that my data was either in the breach or not. So I guess it wasn't?

SteveH
09-08-17, 01:19 PM
If the message you receive did not indicate you weren't affected, assume that you were.

Insomniac
09-08-17, 02:09 PM
If the message you receive did not indicate you weren't affected, assume that you were.

I tried again, and now it says I was. No ambiguity. Interesting though that last name + last six is enough to be unique.

WickerBill
09-08-17, 02:35 PM
Looks like Equifax isn't done pulling the wool over their victims' eyes, either:

“By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”

Source: https://trustedidpremier.com/static/terms

What this means is if you sign up for their "Free Identity Theft Protection and Credit File Monitoring" service, you will be agreeing to the above mentioned arbitration clause. This is not in your best interest. This, frankly, looks like a trap to pull as many people out of the 143 million from taking any part in what will likely be a very large class action suit against Equifax.

nissan gtp
09-08-17, 07:53 PM
Looks like Equifax isn't done pulling the wool over their victims' eyes, either:

“By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”

Source: https://trustedidpremier.com/static/terms

What this means is if you sign up for their "Free Identity Theft Protection and Credit File Monitoring" service, you will be agreeing to the above mentioned arbitration clause. This is not in your best interest. This, frankly, looks like a trap to pull as many people out of the 143 million from taking any part in what will likely be a very large class action suit against Equifax.

a suit that would make lawyers rich, while those that got impacted would get essentially nothing

SteveH
09-08-17, 09:14 PM
Read both articles
Equifax Breach Response Turns Dumpster Fire (https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/)

How I Learned to Stop Worrying and Embrace the Security Freeze (https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/)

nrc
09-08-17, 11:58 PM
a suit that would make lawyers rich, while those that got impacted would get essentially nothing

Which is why it will happen. :) I imagine the "class" will get another year of Equifax credit monitoring in exchange for making more lawyers rich.

SteveH
09-11-17, 06:49 PM
https://yro.slashdot.org/story/17/09/10/0128214/techcrunch-equifax-hack-checking-web-site-is-returning-random-results
Assume you were included.

SteveH
09-11-17, 09:45 PM
The Equifax Breach: What You Should Know (https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/)

What you should know and what you should do.

SteveH
09-12-17, 10:30 AM
Chatbot lets you sue Equifax for up to $25,000 without a lawyer (https://www.theverge.com/2017/9/11/16290730/equifax-chatbots-ai-joshua-browder-security-breach)

SteveH
09-12-17, 12:07 PM
Equifax Faces Mounting Anger, $70 Billion Lawsuit (https://www.bankinfosecurity.com/equifax-faces-mounting-anger-70-billion-lawsuit-a-10282)


Equifax already faces multiple lawsuits over the breach, including one filed in Oregon by Mary McHill from Portland and Brook Reinhard from Eugene. Their lawsuit seeks class-action status on behalf of everyone affected by the breach and demands damages of as much as $70 billion. It was filed by law firm Olsen Daines PC, together with Geragos & Geragos, which Bloomberg reports is a law firm known for launching splashy, high-octane class actions.

boom

SteveH
09-12-17, 06:47 PM
Ayuda! (Help!) Equifax Has My Data! (https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/)

ineptness on steroids

SteveH
09-14-17, 08:03 AM
Failure to patch two-month-old bug led to massive Equifax breach (https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/)

SteveH
09-14-17, 04:04 PM
FTC launches Equifax breach probe, warns consumers about credit scammers (https://arstechnica.com/tech-policy/2017/09/ftc-opens-equifax-investigation-says-beware-of-equifax-calling-scams/)

Insomniac
09-14-17, 05:00 PM
It doesn't fully help, but Equifax is waiving the fee to freeze your credit report.

I've personally contacted my state reps, state AG and federal reps and asked them to consider legislation that makes the fee $0. (Never know, could become a bee in their bonnet.) Kansas has some caps and laws already, one interesting one is if they provide an electronic means to freeze/unfreeze, it must be completed in 15 minutes. A lot of stories I read mention it could take up to 3 days, but Kansas allows that only if you mail your request.

cameraman
09-14-17, 06:09 PM
Equifax Faces Mounting Anger, $70 Billion Lawsuit (https://www.bankinfosecurity.com/equifax-faces-mounting-anger-70-billion-lawsuit-a-10282)
boom

A silly number, where would Equifax get $70 billion?

SteveH
09-15-17, 01:10 PM
Equifax will not survive fallout from massive breach, says technology attorney (https://www.cnbc.com/2017/09/14/equifax-will-not-survive-fallout-from-massive-breach-says-technology-attorney.html?recirc=taboolainternal)

nrc
09-15-17, 11:54 PM
Yeah, given how lackadaisical they were in handling such sensitive information, they deserve to go down the tubes. Hopefully some of the execs will suffer appropriately for their stock shenanigans.

SteveH
09-20-17, 08:47 PM
Massive Equifax hack reportedly started 4 months before it was detected (https://arstechnica.com/information-technology/2017/09/massive-equifax-hack-reportedly-started-4-months-before-it-was-detected/?comments=1)


Hackers behind the massive Equifax data breach began their attack no later than early March, more than four months before company officials discovered the intrusion, according to a report published Wednesday by the Wall Street Journal.

The comments provide interesting speculation.

SteveH
09-21-17, 12:53 PM
Experian Site Can Give Anyone Your Credit Freeze PIN (https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/)


The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!


Authentication for password and PIN resets must be rethought. With so much identifying information available, it will be easy for someone in possession of the breached data to pose as anyone else.

G.
09-21-17, 10:57 PM
http://money.cnn.com/2017/09/20/technology/business/equifax-fake-site-twitter-phishing/index.html

Equifax tweets fake phishing site to concerned customers


The domain, designed to look like a phishing site, was set up to criticize how the company handled the situation.

The official account tweeted links to the same site multiple times since September 9, two days after the breach was first announced. The links have been deleted, but screenshots show it was not a one-time flub.

It's easy to mistake the fake site for the real one: equifaxsecurity2017.com. The company created it earlier this month to share information on the major data breach.

The guy that set up the fake site is not malicious, apparently.

Insomniac
09-22-17, 01:27 PM
http://money.cnn.com/2017/09/20/technology/business/equifax-fake-site-twitter-phishing/index.html

Equifax tweets fake phishing site to concerned customers



The guy that set up the fake site is not malicious, apparently.

Yeah. He wasn't collecting/allowing anyone to submit any data.

SteveH
09-24-17, 10:55 AM
Equifax or Equiphish? (https://krebsonsecurity.com/2017/09/equifax-or-equiphish/)


More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.

SteveH
09-26-17, 10:21 AM
Equifax CEO Richard Smith is out after stunning data breach (http://money.cnn.com/2017/09/26/investing/equifax-ceo-richard-smith-out/index.html)