by TravelTechGuy 3209 days ago
I think you are missing something. Here's what's needed to initiate your TransUnion freeze:

To set up a security freeze with TransUnion, please visit our online form. You should be prepared with the following types of information:

1. Your full name, including middle initial and suffix, such as Jr., Sr., II, III
2. Social Security Number
3. Date of birth
4. Current address
5. All addresses where you have lived during the past two years
6. Email address
7. A copy of a government-issued identification card, such as a driver's license or state ID card, etc.
8. A copy of a utility bill, bank or insurance statement, etc.

So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

The problem is that these companies, whom none of us ever chose or nominated to collect our data, are careless with our PII. And until some accountability is added into the system, this will continue.

I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

7 comments

> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

Nope. Ain't gonna happen. Financial crime pays, big time! No one goes to jail. They usually have an investigation followed by a hearing in Congress (if it is "BIG" enough), then come back and pay a fine. Media will report the fine as "MILLIONS OF $" but the fine hardly makes a dent in the bank's / financial institution's coffers.

W.r.t. this particular situation, here's a story that just broke.

Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed (bloomberg.com) => https://news.ycombinator.com/item?id=15196309

It's called INSIDER TRADING.

If they did that because of this, the SEC will likely nail them for it.
Of the three-letter agencies, the IRS and the SEC are particularly ruthless. They can only enforce what Congress will allow, unfortunately, so that leads to bigger fish not being fried up.
Equifax can handle its internal management and operations however it wants.

Externally, though, I want Equifax to have to pay a fine for every individual whose information was compromised. Identity theft can easily cause five figures worth of damage, so $10k per individual would be fair. Maybe as a warning shot we could lower this to... $1k? $100?

That's the only way to properly align incentives so companies will proactively defend against attacks like this.

This thing called "Identity Theft" does cause damage, but it's important to remember that if fraudsters trick a bank into thinking they are you, it is the bank's fault for failing to properly verify it was actually you. Doing so would cost them more money and it is much easier to do cursory checks instead.

No doubt fraudsters impersonating you is a hassle and you must spend some time and money dealing with it if you are targeted, but do not lose sight of why it happens and who is ultimately responsible.

But you still pay the fees from the banks failings, so it really does hurt everyone even when the bank eats it.
It hurts everyone foolish enough to still do business with the bank after they jack up their fees to pay for it. Or in jurisdictions where a small number of banks are given a monopoly, or competition is otherwise discouraged, it hurts everyone.
Yes and no.

If a "Too Big to Fail Bank" fails, we all pay. If a credit union in Utah messes up, their customers pay. Let banks compete on operational excellence.

I expect managers to go to jail, in addition to a financial kneecap that forces other companies to vigilantly pressure their management for security.

Well, maybe not expect. This is America... I expect infuriating golden parachutes. But I certainly hope for criminal charges and jail time.

$1k, $100, that's far too low in my opinion even for a warning shot.

As someone who has had their info leaked by two universities before, both of whom subsequently paid for multiple years of credit/fraud protection, the sheer pain and stress of having random credit cards frozen and needing to be replaced is worth far more than that dollar amount of my time. This is potentially messing with people's livelihoods, with long-term lasting effects.

If monetary sums are given out, then I hope a fair amount is given out instead of a warning shot. Those tiny figures won't help at all and effectively send the message that companies are more important than the people they serve.

$100 per individual would be 14 billion dollars... Which would definitely put Equifax out of business.
Perfect. If they're in the business of selling access to sensitive information and cannot keep said sensitive information safe, they should not be allowed to continue to leak that sensitive information.
$1k would mean a $146 billion fine in this case. Hardly a "tiny figure".
I would not doubt a class action lawsuit results from this, and I'd be very surprised if Elizabeth Warren didn't pursue congressional action against them (although not officers of the company unfortunately).
And then I'll get six months of free credit monitoring from Equifax? Oh boy!!1!

More seriously, this is a breach big enough that Equifax should honestly no longer exist as a company. So call it $100/incident, and I'm happy. Other agencies would still exist, and, although they're just as terrible, it might get them to kick their asses into high gear to fix their security.

Maybe, the suggested demise of Equifax, the extreme perpetrator of neglect in this particular case, should lose the ability to print money, much like Symantec and other SSL cert issuers (identity certifiers) for their recklessness; perhaps that doesn't go far enough.

Maybe the whole commercial enterprise of credit reporting (and identity verification) needs to be dramatically reworked in a more modern, sane design, with different governance and oversight.

The NYT story states that they are already offering this to affected consumers: https://www.equifaxsecurity2017.com/potential-impact/ .
I went there and used the site and guess what? It doesn't work. It just said 'Thank You!' and gave me an enrollment date. It gave me no info as to if I was one of the people affected.
The number of affected people was 143MM, which I think is numerical shorthand for "everyone we've ever known about."
Likewise, WTF. I thought you were joking but nope, it returns this text:

-----

Thank You Your enrollment date for TrustedID Premier is: 09/13/2017 Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.

For more information visit the FAQ page.

That means you are affected. If you enter a non-existent name and SSN, it will say that you are not affected.
Even better, they ask for your last name and the last six digits of your SSN to even check your potential impact. The problem is that the first three digits of your SSN are derived from your state of birth, so the last six give up basically the entire thing. http://www.ssofficelocation.com/social-security-number-prefi...

This whole system is so fucked.

The content of the landing page (since it appears broken, here's the content from Reader View):

Equifax Announces Cybersecurity Incident Involving Consumer Information

[Equifax CEO statement] https://youtu.be/bh1gzJFVFLc

No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Did that https work for you? For me it redirects to plain http and then OpenDNS blocks it as a phishing site. Why are they using such a scammy looking domain, anyway? Why not just host it on their main site?

Edit: I'm abroad and just tried through a VPN and it worked. Don't know why I tried without it ...

Domain name was registered on August 22nd 2017...
> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay.

The issue here is likely related to business units that were acquisitions, with the breached product in question having been developed pre-acquisition by a code farm staffed by interns in some developing nation. I spent a few years trying to unfuck some of those messes and moved on.

It's more a problem with their reckless growth over the last decade than anything. (ed) Due diligence is obviously lacking, but I can personally attest that nobody in senior leadership there willfully ignores matters of security once it becomes known.

We don't know if this has anything to do with any acquisitions - this is a conjecture, at best.

At any rate - I don't care. I never gave Equifax permission to collect my personal data. I certainly never gave them permission to store it in a way that it can easily be hacked. If you buy a 3rd party company, "unfuck" and harden their software BEFORE you let the data flow in.

Allowing data to slip out is negligent. If you're in the army, or the intelligence community, you get punished for this. It's about time the private sector felt some sort of accountability.

This so much. The stream of corporations passing the buck into a black hole of irresponsibility needs to end now. If people aren't held responsible, they will continue to make these failings without pause. I hope everyone is writing their legislators and congresspeople right now. They listen more than even my disillusioned self thought. They just might have bigger incentives to act otherwise. But if they don't know, they can't even choose to be corrupt or not; they are ignorant by proxy. Communicate to your leaders, and remember their response when you vote.
The only real solution here is that we need consumer privacy laws similar to Germany's-- not more scrutiny of those who participate in the PII trade.

There is no reason beneficial to consumers to be collecting intelligence of this nature.

The best way to punish them is for us all to organize and create a Proposition that bans them from being a credit bureau, etc. If this passes in California, it will destroy them as a company.
The problem here is that they've expanded their core business to be so pervasive, they're no longer reporting on just your credit history-- they've also moved into the employment history, salary history, etc. space. So you kill their financial tentacle, they'll still be collecting intelligence for other purposes.
Not really conjecture:

> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Since core business was unaffected (nobody hacked the mainframe), I guarantee you some crappy product they acquired got compromised.

And like it or not, you do give them permission to collect your personal data every time you authorize a creditor, utility or employer to run a credit check. Never sign up for utilities, loans, credit cards or get a job and then you'd have a case for privacy.

It could also be related to how they sell things. Given how commonly they redistribute this data I wouldn't be surprised if it turned out to be something like a customer portal where they can say it wasn't core because the attacker couldn't have altered data, etc.
Oh, good, it wasn't their _core_ business. What a bullshit copout - you acquire a company, you own it, warts and all. Who's worse, the crappy company or the company that acquires it and continues to operate it without fixing it?
You probably did if you have any sort of bank account or loan or job application or rent. It's pervasive in contracts/agreements that they report to partners and credit agencies.
I find it difficult to reconcile your second and third paragraphs.

I guess choosing not to prioritize security (vs profit or whatever) when making acquisitions is different than just ignoring it entirely.

If that were the case, then who approved the acquisition? Who did due diligence on it?

Suddenly letting a bunch of untrusted, poorly audited code run on your infrastructure is itself a massive security breach. And even that doesn't explain how data was extracted for two months with no one noticing.

>Preferably with their jobs

That's not nearly enough, considering the reach and impact this could potentially have. These people need to be getting life prison sentences before security is finally taken seriously enough by executives.

It's high time we had an equivalent law to Sarbanes-Oxley for security.

S-O made sure that when a C-level type guy signs a report, he knows his ass is on the line in case an illegal transaction occurs under his nose. If your company deals with PII, I want that data to be treated as important, if not more important, than the company's funds. If you lose it, and you had any say in security (or lack thereof), you should do time.

> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

Sure, but TU already has all the above information anyways.

> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

To what end? As has been pointed out they have all that info anyway so it's not like you're making the situation worse.

But more importantly, if your credit is frozen who cares? What are they going to do with your SSN? Get a loan? Get a CC? Buy a house?

That's the point of a freeze, it makes your PII less valuable.

The actual concern is about the PIN. Because surely they could go through the trouble of PIN recovery to unfreeze your credit and then make use of it. But considering the numbers game, it's not worth their trouble vs all the unfrozen accounts.

> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

No. With jail. And go bankrupt.

Now there is news that they sold their shares last week.