Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
Names, social security numbers, birthdays, addresses, driver’s license numbers, credit card numbers – this is a very big breach.
Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.
Isn’t that practically insider trading?
Only if they actually knew about the breach and it influenced their decision.
People with stock options in their employer as part of their benefits often sell off stock on a semi-regular basis so that they don’t have all their money tied up in one company. Without further background on the individuals, I’d say it’s 50/50 whether it was insider trading or not.
Practically? It’s the definition of Insider Trading.
Company executives regularly sell stock in their companies, true enough. But it’s normally done at pre-scheduled intervals in order to avoid any perception of Insider Trading. These Equifax trades were not announced and not part of an existing routine trade program.
The source journalist at Bloomberg (if your ad-blocker is up to the task):
https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-exe…
An Equifax statement claims the executives, “had no knowledge that an intrusion had occurred at the time.” And if you believe that…
removed as I didn’t read the parent
Edited 2017-09-09 10:54 UTC
“Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”
Of course not. Hackers tend to sit on that kind of data for years because there’s no rush. People can’t change their social security numbers, drivers license number, birthday, etc., and anything you can change is easily obtainable with the information you can’t.
What I’d like to know is what Equifax is going to do to clean up the mess once people start having their lives ruined. I’ve seen/read reports of erroneous credit files that took the victims 10-15 years or *more* to clear up, all while suffering the consequences in that time.
I hear one of the European countries solves this problem by making their version of the social security number public information, that way anyone can look online and verify if they have the right person. The secret number thing just doesn’t work at all.
In most countries, the SSN isn’t actually an ID number. The problem in America is not with the SSN in and of itself, but with its misuse as an ID number – because for some weird political reason, Americans don’t want mandatory IDs (they’d rather have a deeply insecure and broken SSN used as an effectively mandatory ID as long as it’s not called a mandatory ID because logic).
Edited 2017-09-08 00:50 UTC
You’re always told to protect your SSN with your life, but then you can’t do any banking without revealing it, you can’t get non-emergency medical care, you can’t be registered for school, etc etc etc… It’s ridiculous. And of course these places are always having their data breached.
Here’s the best part.. Once someone has your SSN, they can reverse everything else and essentially become you with *real* id, bank accts, etc. Once you find out they’ve trashed your credit, trashed your accounts, and trashed your life, you have to go on a very long & expensive fight to clear your name. And it’s never truly cleared as if it all never happened. The shit is completely stupid and politicians do absolutely nothing to fix it.
ilovebeer,
You get it. This is one of those things that annoys the hell out of many tech people, but many ordinary people haven’t really considered that the process is fundamentally broken. They view the problem as hackers getting through the defense walls. They think having bigger and stronger walls will keep them out. We know better, but this is how many people think.
Exactly! It drives me nuts whenever I hear this subject being discussed and the `solution` is to just add a bigger/stronger wall like you said. Part of me thinks they don’t actually buy into that as a real solution but rather just a typical kick-the-can-down-the-road type of response.
Because their friends who pay them to ‘represent you and me’ (har har har!) can’t make money off _fixing_ the problem. They make more money by _prolonging_ it.
Also, if you legislated _fixing_ something, then you wouldn’t be able to keep legislating around it, and that keeps you from being able to sneak more legislation in as pork on top of it.
The incentives all around for the US legislation system are to:
* prolong all problems, rather than actually deal with root causes.
* Transfer money from taxpayers to private accounts through legislation of non-solutions for both real and imaginary threats.
There really is no incentive or positive reinforcement for an elected official in the US to actually do the moral and ethical thing.
Thom Holwerda,
I’m a bit confused with what you mean here, how is SSN being misused as an ID number? IMHO the federal government is doing the correct thing by assigning everyone a unique number. The big problem is how private companies are using it and making horribly flawed assumptions about SSN security.
In France you can vote, have insurance, open bank accounts without giving a number that is your single unique identifier.
There is a number on your ID card that nobody ever asks. Another number on your passport if you have one (only necessary if you travel out of Europe). You are not legally obliged to get any of these documents.
Another number for social security.
I have not heard horror stories of people getting impersonated.
The downside is that for most procedures you are asked to provide documents justifying that you have been living in some place for 3 months.
Correct, and it usually won’t be used for anything else.
In Germany, also add a tax identification number which will be a “life-long companion” to any person. Again, this number will only be relevant for matters of taxes.
In PL we have personal number “PESEL” which is printed on ID cards and typically required by banks or hospitals …but it seems we avoid the issues plaguing the US with its SSN, I think largely because the number is used mostly only as a database key and not a proof of identification/authentication by itself (for that, you need to show the ID card) …though there are exceptions to this – I remember that during 2010 EU-wide census, you could login to the census webpage with nothing more than the personal number, and there were some instances of abuse…
Edited 2017-09-13 22:58 UTC
The problem is not how private companies are using it, it’s that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only thing in the US that requires proper identity verification beyond knowing your SSN. As a result, if you get someone’s SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.
In contrast, in most countries in Europe, and quite a few other countries, you have either:
1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.
or:
2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don’t have any reason to require an actual ID number.
ahferroin7,
Yeah, every library card I’ve ever gotten in the US required a federal ID number. We could debate whether or not they need to use a federal ID for their database key. However to be clear they needed to have real proof of identification and residency to open an account, so in this case it’s not like the SSN is the proof. Ironically I think the libraries have a higher security bar than many banks and credit cards.
Edited 2017-09-08 14:24 UTC
While the intention is to be unique, they are not.
https://www.nbcnews.com/technology/odds-someone-else-has-your-ssn-on…
and a quick google will find many more articles.
daveak,
The report is talking strictly about fraud. I’m not denying that’s a problem, but it’s not a problem that has to do with unique numbers in principle.
Consider someone at a hotel staying in room #214 and asks the restaurant to charge dinner to their room. This isn’t uncommon in resorts. However if staff fails to take measures to prevent fraud, then liars could clearly cause a problem by merely claiming to be in room #214, which is someone else’s. One might conclude that unique room numbers are the problem, but that’s silly right? The real problem is not that rooms have unique numbers, but that the number by itself does not prove occupancy.
As I keep maintaining, abstract numbers are great for unique keys, but laughably insecure as proof and it is essential for claimants to provide proof of ownership, otherwise liars can exploit the system. Proof can be something tangible, such as a physical card or cryptographic device, which ideally is cheap for an authentic original but difficult/expensive to clone (i.e. holograms/PKI).
Even with very strong proof, there remains a risk that a legitimate key can be stolen from the real owner. So in the PKI world we have two different solutions for that, key expiration dates, and key revocation.
Edited 2017-09-09 16:26 UTC
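To make the hotel-room argument above (and the later point about key expiration and revocation) concrete, here is an added Python example that is not from any commenter: the same charge implemented once with the number as proof and once with a challenge-response credential. HMAC with a per-card key stands in for the public-key signature a real PKI would use (so the front desk holds a copy of the key); all names, rooms and amounts are constructed for illustration.

```python
import hashlib
import hmac
import os

def charge_number_only(ledger, room, amount):
    """Vulnerable pattern: the room number (or SSN) is treated as proof.
    Anyone who merely knows the number can charge to it."""
    ledger[room] = ledger.get(room, 0) + amount
    return ledger[room]

def make_proof(key, nonce, room, amount):
    """Claimant side: bind the exact claim to the verifier's challenge with a
    key only the credential holder has. HMAC stands in for a signature."""
    msg = nonce + f"|{room}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class FrontDesk:
    """Verifier side: the number is just a database key. A charge needs proof
    of possession of an unexpired, unrevoked credential for that room."""
    def __init__(self):
        self.ledger = {}
        self.creds = {}        # cred_id -> (room, key, expires_at)
        self.revoked = set()   # revocation list for stolen cards
        self.pending = set()   # challenges issued but not yet answered

    def issue(self, room, now, ttl):
        key = os.urandom(32)              # stays on the guest's card
        cred_id = os.urandom(8).hex()
        self.creds[cred_id] = (room, key, now + ttl)
        return cred_id, key

    def revoke(self, cred_id):
        self.revoked.add(cred_id)

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def charge(self, cred_id, room, amount, nonce, proof, now):
        if nonce not in self.pending:     # unknown or replayed challenge
            return False
        self.pending.discard(nonce)       # one attempt per challenge
        cred = self.creds.get(cred_id)
        if cred is None or cred_id in self.revoked:
            return False
        cred_room, key, expires_at = cred
        if cred_room != room or now >= expires_at:
            return False
        expected = make_proof(key, nonce, room, amount)
        if not hmac.compare_digest(expected, proof):
            return False
        self.ledger[room] = self.ledger.get(room, 0) + amount
        return True
```

Knowing "214" alone gets an attacker nothing from `FrontDesk.charge`; a stolen card is cut off by the expiry or by `revoke`, which is the same pair of remedies PKI uses.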
Nope, not just about fraud. The research is http://www.idanalytics.com/blog/press-releases/20-million-americans… and states mainly data entry errors that do genuinely result in multiple people being assigned the same number.
http://www.wptv.com/money/id-analytics-40-million-social-security-n… mentions a non fraud example. Similar name, same birth date, ended up entered as the same number.
While conceptually SSN supposedly being a unique number suggests it is great for a unique key, in practice it isn’t, whether that be fraud, or the most likely, as concluded by the research mentioned, simple human error.
daveak,
Any application that accepts an ID without requiring some kind of proof of ownership is fundamentally insecure. I feel like I’m reiterating the same point over and over again, but the problem isn’t with the unique ids themselves, but with how they are being used.
Edited 2017-09-09 17:26 UTC
You are missing the point. SSN are supposed to be unique. They are not. End of story. There is no problem in having a unique number. They just need to actually bloody be unique.
daveak,
You cited one single example of a SSN mistake in the past 17 years. That’s pretty damn good. I dare say it’s probably higher than that and some social security administration mistakes are just going unreported, but it’s nowhere near the exaggerated scales you’ve been citing. The “40 million Social Security numbers associated with more than one person” comes from people submitting invalid IDs on forms rather than errors by the social security administration.
Please try to understand what I’m saying: *everyone* agrees this is a problem but the root cause is the utter lack of security and NOT the unique numbers themselves.
Like the hotel room example, the problem isn’t that rooms have unique numbers, it’s the way we use them without any form of authentication. Someone should not be able to charge things to my room just because they know my room number, likewise someone should not be able to apply for credit in my name just because they have my federal ID number. It’s the same thing, the number isn’t the problem, but the use of it without authentication is.
Edited 2017-09-09 18:08 UTC
If I remember correctly, this video explains it (but I lack the time right now to check it): https://www.youtube.com/watch?v=Erp8IAUouus
The problem is the people that want mandatory IDs want to use it as a platform to “fight voter fraud,” which always means use it as a way to stop people we don’t like from voting.
dark2,
Yes!
It is so stupid for companies to insist on using SSN as proof of authorization. SSN works fine as a form of unique ID, it is extremely useful to have a unique identifier for databases. But it is *not* proof of consent and all the businesses using it that way need to stop pretending that it is. Frankly if I had a say, I’d pass a law explicitly dismissing any liability for any transactions only backed by this federal ID number without a record of consent. It should be treated as public information.
Too often we just point fingers at the gate keepers for allowing the leak to happen, but what is really needed is to adopt security mechanisms that don’t break when partners get hacked. We have much better security models we could be using if only businesses would stop relying on archaic security solutions. I wish we could collectively move to something more secure like PKI where security is not based on having shared secrets (like SSN, CC#), but alas I’ve been playing the same broken record for two decades now.
Well, there are two types of worry about the SSNs being out there now. The stupidity that with that number and basically a matching name, you can change address, name, bank information, etc.
Then there is the full on Identity theft, but on that side of things to have someone become you is probably a bit less likely, since there are already tons of dead people’s SSNs out there thanks to many years back one of the genealogy sites was posting their SSNs…
But who knows, I’m thinking more than likely the biggest ones at risk for fraud here are the ones who have a high credit rating… And the fact that I don’t think any of us really have a choice whether or not the big three can have our credit history to have that score. So pretty much every grown adult in the US that has any sort of credit history is potentially boned.
Good. World needs to learn that IT security matters. The bigger and worse the incident, the better. That’s the only way people learn these days: through catastrophic incidents. Sadly, I am sure even this incident is not bad enough and big enough for people to learn… But it’s something.
No, people don’t learn. History repeats like a Groundhog Day.
That’s mostly for managers and those with decision power. The ones that usually suffer are the end users.
Most of them hardly understand the idea that their data is stored on someone else’s computer or care enough about it.
The real problem with this one is that it’s completely out of the hands of the ‘normals’. Pretty sure not a single damn one of us really is happy with the credit reporting agencies having our information, it’s just the way it works. How these places can be for profit though…
I am actually happy to hear about such things. People need a hard hit on the head to wake up and smell the reality. A system where single “secret” number is enough to impersonate a person is retarded. A company that pays little to no attention to IT and data security deserves to crash and burn. People who put up with both these things deserve a painful lesson.
Boogaloo,
I agree with your general assessment, but you are very wrong on the last point. You can blame the victims however much you want, but when it is companies that you have no relationship with that are ruining your credit and sending your interest payments skyrocketing, then what do you really expect people can do?
Their options:
1. Spend time and money going to court.
2. Wait in vain for congress to act (we’re in a deregulatory political climate, so good luck with that).
3. Go to each of the three major credit bureaus who are selling your data and pay their fee so they stop selling your data.
https://www.transunion.com/credit-freeze/place-credit-freeze
This is probably the easiest option, but they still technically collect your data and it can still get leaked, they just stop selling it out.
You could argue it’s your data and they have no ethical right to sell it in the first place. But they don’t give a crap if you’re right or wrong because they’re making boatloads of money and congress has done nothing to stop them. Until their activities are banned by law, they’ll continue to do it regardless of what we think.
Always keep in mind when it comes to companies selling personal credit data, you are the product and not the customer. It makes the whole notion of boycotting them completely moot unless you have a way to persuade companies to stop buying credit data. If you think there’s a good way to do that, then please share because many of us would like to see changes.
Edited 2017-09-10 21:46 UTC
And even if it were to be made illegal, they’d still do it on the sly, and with the government’s covert blessing and approval. That’s what you get when corruption is everywhere and encouraged.
darknexus,
Yea, first the laws have to get passed. Quid pro quo dynamics between government and business make this unlikely.
Secondly, the laws have to be enforced. Without enforcement, laws don’t help. Do not call legislation is an example of laws that were supposed to help, but many companies ended up taking advantage of the fact that violating the laws can still be low risk and profitable.
… the personal identifier is used as a key, it contains the date of birth, sex, location of birth combined with a running counter whose size depends on the location (highly populated areas need to support more births per day). There’s also a simple checksum.
With the personal id number one can get the name. With the name one can get the current living address. With the name and address one can get the id number. Oh and the declared income and tax returns, marital status and cars owned too – it’s all available if one really wants to find out.
The only problems with this kind of system (except for paranoid people – those that have reason to be paranoid can get their data tagged secret for normal accesses) is in combination with bad systems design.