Equifax breach is the worst leak of personal info ever

Started by jimmy olsen, September 08, 2017, 06:40:23 AM


jimmy olsen

 Damn, we're fucked

Click to check out all the links
https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/
Quote: Why the Equifax breach is very possibly the worst leak of personal info ever

by Dan Goodin - Sep 8, 2017 3:09pm JST

It's a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.

The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs or both and will remain so indefinitely.

Hacks hitting Yahoo and other sites, in contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number.

What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired.

Amateur response

Besides the severity and scope of the pilfered data, the Equifax breach also stands out for the way the company has handled the breach once it was discovered. For one thing, it took the Atlanta-based company more than five weeks to disclose the data loss. Even worse, according to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach. While Equifax officials told the news service the employees hadn't been informed of the breach at the time of the sale, the transaction at a minimum gives the wrong appearance and suggests incident responders didn't move fast enough to contain damage in the days after a potentially catastrophic hack came into focus.

What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.

Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which, for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence that company engineers have hardened the site against future devastating attacks.

It was bad enough that Equifax operated a website that criminals could exploit to leak so much sensitive data. That, combined with the sheer volume and sensitivity of the data spilled, was enough to make this among the worst data breaches ever. The haphazard response all but guarantees it.

It is far better for the truth to tear my flesh to pieces, than for my soul to wander through darkness in eternal damnation.

Jet: So what kind of woman is she? What's Julia like?
Faye: Ordinary. The kind of beautiful, dangerous ordinary that you just can't leave alone.
Jet: I see.
Faye: Like an angel from the underworld. Or a devil from Paradise.
--------------------------------------------
1 Karma Chameleon point
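The article's point about www.equifaxsecurity2017.com is that a breach-notification site hosted on a separately registered domain with the brand name baked in is, from the outside, indistinguishable from a phishing domain, which is exactly why OpenDNS flagged it. The check below is an added example and is not code from the article or from Equifax: it reduces a hostname to its registrable domain and reports whether it is the brand's own domain (or a subdomain of it) or a lookalike built from the brand name plus security-themed words and a year. The brand domain equifax.com is assumed as the only legitimate one, and the hard-coded suffix set is a constructed stand-in for the Public Suffix List.

```python
"""Lookalike-domain check for breach-notification sites.

Added example, not from the Ars Technica article or this thread.
Assumptions: the brand's only legitimate registrable domain is the one
passed in (equifax.com in the demo), and PUBLIC_SUFFIXES is a tiny
constructed stand-in for the real Public Suffix List.
"""
import re
from typing import List

# Constructed stand-in for the Public Suffix List (PSL). Real code should
# load the PSL (e.g. via the `publicsuffix2` package) instead of this set.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk", "com.au"}

# Words that phishing kits typically combine with a brand name.
SUSPICIOUS_WORDS = ("secure", "security", "verify", "alert", "account",
                    "login", "update", "breach", "support")


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'www.equifax.com' -> 'equifax.com'.

    Returns '' when the host itself is a public suffix.
    """
    labels = host.lower().strip(".").split(".")
    # Walk from the longest candidate suffix to the shortest; the first
    # public suffix hit fixes the registrable domain one label above it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ""
            return ".".join(labels[i - 1:])
    # Unknown suffix: treat the whole host as registrable (conservative).
    return ".".join(labels)


def _flatten(domain: str) -> str:
    """Drop separators so 'equifax-security' and 'equifaxsecurity' compare alike."""
    return re.sub(r"[-_.]", "", domain)


def classify(host: str, brand: str, brand_domain: str) -> str:
    """'official' (brand domain or a subdomain of it), 'lookalike'
    (brand name embedded in a different registrable domain) or 'unrelated'."""
    reg = registrable_domain(host)
    if reg == brand_domain.lower():
        return "official"
    if brand.lower() in _flatten(reg):
        return "lookalike"
    return "unrelated"


def phishing_signals(host: str, brand: str, brand_domain: str) -> List[str]:
    """Explain why host looks like a phishing site for brand.

    An empty list means the host lives under the brand's own domain.
    """
    reg = registrable_domain(host)
    if reg == brand_domain.lower():
        return []
    flat = _flatten(reg)
    signals = []
    if brand.lower() in flat:
        signals.append(f"brand name '{brand}' inside foreign domain '{reg}'")
    words = [w for w in SUSPICIOUS_WORDS if w in flat]
    if words:
        signals.append("security-themed words: " + ", ".join(words))
    if re.search(r"(19|20)\d{2}", flat):
        signals.append("year embedded in domain name")
    return signals


if __name__ == "__main__":
    # Constructed sample hostnames; the first is the one the article names.
    for h in ("www.equifaxsecurity2017.com", "security.equifax.com",
              "equifax-verify.co.uk", "example.org"):
        print(f"{h:32} {classify(h, 'Equifax', 'equifax.com'):10}",
              phishing_signals(h, "Equifax", "equifax.com"))
```

Run stand-alone it prints one line per sample host. The practical takeaway is the contrast between the first two rows: security.equifax.com would classify as official because its registrable domain is the brand's own, whereas equifaxsecurity2017.com is a foreign registration carrying every signal a phishing classifier looks for. Hosting the notification page under a subdomain of the existing brand domain is the cheap fix.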

Eddie Teach

To sleep, perchance to dream. But in that sleep of death, what dreams may come?

alfred russel

Do any of the other links say that it was the worst leak of data ever?

What you posted is an article that this is "very possibly the worst leak of personal info ever". A material qualifier that unsurprisingly didn't make it into your thread title.
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

There's a fine line between salvation and drinking poison in the jungle.

I'm embarrassed. I've been making the mistake of associating with you. It won't happen again. :)
-garbon, February 23, 2014

jimmy olsen

Quote from: alfred russel on September 08, 2017, 06:49:01 AM
Do any of the other links say that it was the worst leak of data ever?

What you posted is an article that this is "very possibly the worst leak of personal info ever". A material qualifier that unsurprisingly didn't make it into your thread title.

No need for journalistic wishy-washyness. I'm calling it like it is.

CountDeMoney

You don't have a right to credit debt anyway. You have a right to access to credit debt.

Quote: three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach.

DAT MAKES ME SMART

The Minsky Moment

Don't know if it's the worst ever but if the facts in that article are even close to being true, it's going to be a gold rush for plaintiffs' lawyers.
The purpose of studying economics is not to acquire a set of ready-made answers to economic questions, but to learn how to avoid being deceived by economists.
--Joan Robinson

Berkut

We simply do not spend enough resources on data security.

We don't spend a tenth what we should be - and there is no organization around it, no standards really, and no oversight.

Companies in general have little incentive to spend the kind of money that they ought to spend on data security.

This is a problem that requires government support. We should be spending, literally, billions a year on researching how to fundamentally secure data in a systematic way. But we don't - instead we have a hodge podge of individual companies with a mess of competing data integrity standards, all sharing the same basic problem that no one company has the resources or incentives to fix.

The free market isn't going to solve this problem in a fashion we can live with, as breach after breach after breach after breach of private and public sector data stores have shown.

This is one of the most important issues of our time, and we are barely paying any kind of focused attention to it.
"If you think this has a happy ending, then you haven't been paying attention."

select * from users where clue > 0
0 rows returned

grumbler

Quote from: alfred russel on September 08, 2017, 06:49:01 AM
Do any of the other links say that it was the worst leak of data ever?

What you posted is an article that this is "very possibly the worst leak of personal info ever". A material qualifier that unsurprisingly didn't make it into your thread title.

Every knowledgeable person I have heard or read on the topic agrees that it is the worst ever, by quite a large margin.

Do you have links to authoritative sources that say it was not the worst ever?
The future is all around us, waiting, in moments of transition, to be born in moments of revelation. No one knows the shape of that future or where it will take us. We know only that it is always born in pain.   -G'Kar

Bayraktar!

grumbler

Quote from: Berkut on September 08, 2017, 08:09:17 AM
We simply do not spend enough resources on data security.

We don't spend a tenth what we should be - and there is no organization around it, no standards really, and no oversight.

Companies in general have little incentive to spend the kind of money that they ought to spend on data security.

This is a problem that requires government support. We should be spending, literally, billions a year on researching how to fundamentally secure data in a systematic way. But we don't - instead we have a hodge podge of individual companies with a mess of competing data integrity standards, all sharing the same basic problem that no one company has the resources or incentives to fix.

The free market isn't going to solve this problem in a fashion we can live with, as breach after breach after breach after breach of private and public sector data stores have shown.

This is one of the most important issues of our time, and we are barely paying any kind of focused attention to it.

Agreed. It should be illegal for any organization to hold personally identifying information (SSNs, DOB, DL numbers, or the like) without meeting strict federally-mandated security precautions that make such data breaches very, very difficult. Equifax was hoarding personal information for its own profit, without the owners' permission (assuming that you actually own your own private data, which is, unfortunately, not legally clear), and apparently without even the incentive, other than bad press, to protect it.

I can see liability lawsuits coming, but I am not sure on what basis they will succeed.  Can lawtalkers talk here about the obligations Equifax had, and to whom?

CountDeMoney

Attended a presentation yesterday at Federal Fantasyland on the safety and security of biological agents in high containment laboratories, how important it is for national security and public health to take security seriously when it comes to little laboratories with little vials filled with little bugs that are not found in nature.  The presenter was an accomplished PhD in the field, the kind that gets on C-Span talking to Congress. 

Brought the PowerPoint in on a flash drive from Best Buy and used someone's laptop to get it on the presentation browser. :bleeding:  A complete and total violation of basic computer security policy, but nothing happens.  Labs are a priority, but laptops aren't, and you see it every day.  That's why the Chinese have everybody's fingerprints, clearance requests and tax returns. 


Malthus

Quote from: Berkut on September 08, 2017, 08:09:17 AM
We simply do not spend enough resources on data security.

We don't spend a tenth what we should be - and there is no organization around it, no standards really, and no oversight.

Companies in general have little incentive to spend the kind of money that they ought to spend on data security.

This is a problem that requires government support. We should be spending, literally, billions a year on researching how to fundamentally secure data in a systematic way. But we don't - instead we have a hodge podge of individual companies with a mess of competing data integrity standards, all sharing the same basic problem that no one company has the resources or incentives to fix.

The free market isn't going to solve this problem in a fashion we can live with, as breach after breach after breach after breach of private and public sector data stores have shown.

This is one of the most important issues of our time, and we are barely paying any kind of focused attention to it.


Agreed.

The problem is that it is easy for a manager to point to low costs, and hard for a manager to justify higher costs because of spending on good data security even if available (and boast of a *lack* of breaches happening during his or her watch).
The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane—Marcus Aurelius

CountDeMoney

Quote from: grumbler on September 08, 2017, 08:23:58 AM
Agreed.  it should be illegal for any organization to hold personally identifying information (SSNs, DOB, DL numbers, or the like) without meeting strict federally-mandated security precautions that make such data breaches very, very difficult.  Equifax was hoarding personal information for its own profit, without the owners' permission (assuming that you actually own your own private data, which is, unfortunately, not legally clear), and apparently without even the incentive, other than bad press, to protect it.

Congress should look into passing an act about corporate and auditing accountability, responsibility, and transparency or something like that. 

CountDeMoney

Quote from: Malthus on September 08, 2017, 08:35:13 AM
The problem is that it is easy for a manager to point to low costs, and hard for a manager to justify higher costs because of spending on good data security even if available (and boast of a *lack* of breaches happening during his or her watch).

That's where the carrot and stick of regulatory compliance kicks in.  When preventive costs are considered optional, the option for Not Spending Money will always be chosen.

Ed Anger

Stay Alive...Let the Man Drive

alfred russel

Quote from: grumbler on September 08, 2017, 08:17:51 AM

Every knowledgeable person I have heard or read on the topic agrees that it is the worst ever, by quite a large margin.

Do you have links to authoritative sources that say it was not the worst ever?

Dan Goodin didn't say it was the worst ever in the article Tim posted.

I'm not contending this was not the worst leak ever. I just think that if you are going to start a thread with the only comment, "Damn, we're fucked", the thread title should reflect what the article says. If Tim titles a thread "The Sky is Blue" (or more likely "The Skie is Blew"), and posts a link to an article about how water is wet, with just the comment, "Damn, we're fucked", I'll still complain about the thread title. The accuracy of the statement doesn't change the failure to a) reflect the contents of the article, or b) introduce the topic for discussion.