Millions of Americans are worried that their credit information and Social Security numbers may have been among the 143 million records breached in an unprecedented hack that attacked Equifax, the credit reporting company. But there’s more to the story. While Equifax and the Social Security Administration aren’t talking about it, Equifax was also hired a year ago, on a $10 million contract, to “help the SSA manage risk and mitigate fraud for the mySocialSecurity system, a personalized portal for customers to access some of SSA’s services such as the online statement.”
That's how the company put it in a press release on Feb. 10, 2016. In that announcement, Equifax also boasted that the Social Security Administration “has completed integration with Equifax Inc.”
Despite Equifax’s self-described intimate role in providing security and preventing fraud on the Social Security System’s public access website for current workers and beneficiaries, there has been no indication that the Social Security Administration is concerned about whether weaknesses in Equifax’s own customer portal security -- such as the Apache tool on which the company is blaming the breach -- might have been involved in its security work for the mySocialSecurity portal. ...
... Especially as budget cuts reduce agency staff, the mySocialSecurity portal is where increasing numbers of people check their Social Security earnings record, and what kinds of benefits they can expect to receive on retirement. It's also where they can make decisions like when to file for benefits as well as how they want to receive them (for example, as checks in the mail or by direct deposit to a bank account).
...
The question the Social Security Administration must address is whether the epic Equifax data breach in any way suggests weaknesses in the security work the company did for the SSA under contract for its customer access portal.
... John J. Kelley III, who is responsible for security, compliance and privacy at Equifax, earned $2.8 million last year.
BBC: The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations.
Cyber-crime blogger Brian Krebs said that an online employee tool used in the country could be accessed by typing "admin" as both a login and password.
He added that this gave access to records that included thousands of customers' national identity numbers.
Last week, the firm revealed a separate attack affecting millions in the US.
After being notified of the latest breach, Equifax temporarily shut the affected website.
"We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cyber-security event that occurred in the United States last week," an Equifax spokeswoman told the BBC.
First, the main Equifax.com site was overloaded and intermittently unavailable over the course of Friday, a day after the breach was announced. Would-be users only received the unhelpful message that the server was busy and they should try back after a few minutes.
Next, users who did get through were sent to equifaxsecurity2017.com. Clicking through from there took them to an entirely different URL, trustedidpremier.com.
Being routed to a different domain is a classic technique used by phishing scams.
It's especially concerning because, as of Friday afternoon, scammers had registered at least 194 web addresses designed to lure the unwary into giving up their information. Those addresses included the kinds of easy-to-make misspellings that people type in by mistake:
equifaxsmcurity2017.com
equifaxsocurity2017.com
equifaxsrcurity2017.com
In this case, however, Equifax had registered a separate internet domain to handle inquiries about the cyberattack, so the site was legitimate.
Users who clicked through were told to enter their last name and the final six digits of their nine-digit Social Security numbers. The site would then tell them whether their personal information was compromised.
The six-digit requirement was surprising to many security experts. In fact, some browsers interpreted the request as a potential phishing scam and notified their users to avoid clicking on the link.
"Never give anyone the last 4 digits of your SSN, let alone the last 6," advised Travis Mills, president of LibertyID, an identity theft restoration company. "Do not go onto Equifax.com to give them any more information. They have been compromised and should no longer be trusted."
While Americans have become used to giving out the last four digits of their Social Security numbers to activate credit cards or confirm their identity with billing companies, six digits is significantly more exposure, said Matt Devost, who heads the Global Cyber Defense practice at Accenture Security.
"If you've got the final six, it's not hard to get the first three — and then the genie's out of the bottle," he said.
Trying to speak with someone at Equifax to avoid entering Social Security numbers online didn't help, said Michael Werz, a fellow at the Center for American Progress in Washington D.C.
When he called the help number the company had given out Friday morning, “I got a very nice lady on the line who had no idea what I was talking about.”
He asked to speak to a manager, who told him they were not actually Equifax, just a call center, and had absolutely no information.
Cog wrote: Can you or any lawyer prove that this particular data breach at Equifax resulted in harm to you? My answer is no, and which is why I just bought EFX at a two year low.
Your information was out on the web long before this particular data breach.
@onlooker Do not have your wife respond to any phishing attempts by firms saying they can get money for her due to an Equifax lawsuit. In due time, Equifax itself will have to inform you about whether you are a plaintiff. Lawsuits have been filed but there is no reason to jump on board with what is a phishing attempt.
There’s a new wrinkle in the story of one of the largest data breaches in history. The hack of Equifax may have compromised the personal data of one in five Americans. The hackers have now demanded a ransom with the threat of releasing that information to the commercial marketplace (“monetizing the information”).
They are demanding 600 Bitcoins, which is worth about $2.4 million.
"We are two people trying to solve our lives and those of our families. We did not expect to get as much information as we did, nor do we want to affect any citizen. But we need to monetize the information as soon as possible.”
All told, that is not a high price for this company, given the stakes. If it is paid, it will happen quietly. And at that point, presumably, the newly minted millionaires will have sold the data back to its rightful owners and will move on with their lives.
careinke wrote: In my study of Cryptocurrencies, Anarchy, Volunteerism, and debt based currencies, I came across this connection to Equifax. Evidently the alleged hackers are demanding a 600 Bitcoin (~2.4 million USD) ransom to destroy the stolen data.
https://fee.org/articles/equifax-hackers-demand-ransom-in-bitcoin/
There’s a new wrinkle in the story of one of the largest data breaches in history. The hack of Equifax may have compromised the personal data of one in five Americans. The hackers have now demanded a ransom with the threat of releasing that information to the commercial marketplace (“monetizing the information”).
They are demanding 600 Bitcoins, which is worth about $2.4 million.
onlooker wrote: There really is now a common refrain that once data is in cyberspace it can never be completely removed. Sounds right to me; what do others think?
Outcast_Searcher wrote: What are the odds these enterprising thieves are the ones who actually took the data?
That was my first question. I don't know; that's for Equifax to decide.
What are the odds that if the ransom is paid, some or all of the data doesn't show up somewhere else, perhaps delayed and reformatted?
What are the odds of it happening if they don't pay? I'd guess 100 percent.
Paying thieves to destroy "data" which could be copied hundreds or thousands of times and sold many times over. Yeah, that scheme should inspire confidence.
No argument from me.
Cog wrote: The information that Equifax has on you was obtained from the places where you obtained credit. Does a credit bureau have ANY duty to you at all to safeguard this data? The bulk of the profits and cash flow from a credit bureau is obtained from the creditors: banks, credit unions, credit card companies, etc. Unless you had any sort of contract with Equifax and provided them your personal data, what duty do they have to safeguard this data?
A question for lawyers, judges, and juries to hash out. There is little doubt Equifax has hurt their company's reputation through their actions both before the breach and after it. Their stock value reflects that. But things may not be as grim for them from a legal standpoint as it might appear.
Earlier this month, hackers broke into Equifax's servers and stole 143 million people's personal information, including their Social Security numbers. In response to the attack, Equifax set up a website — http://www.equifaxsecurity2017.com — for possible victims to verify whether they're affected. Because the process involves sharing sensitive information, consumers have to trust they're entering their data in the right place, which can be tricky because the breach-recovery site itself isn’t part of equifax.com. If users end up on the wrong site, they could end up leaking the data they're already concerned was stolen.
Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.
Further research revealed three more tweets that had sent potential victims to the same false address, dating back as far as September 9th. These tweets have also since been deleted.
If you're signing up for Equifax's identity monitoring, requesting a credit freeze, or inputting your personal information anywhere online, double check that you've navigated to the right webpage.
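The two failure modes above, a one-character misspelling of the response domain (the list of lookalike registrations earlier in the thread) and a transposition of its words (the securityequifax2017.com link Equifax itself tweeted), defeat a naive string comparison in different ways. This added example, which is not code from the thread or from Equifax, is a defender-side check that flags both kinds of lookalike against the legitimate domain; the list of brand tokens it splits labels into is an assumption.

```python
# Added example, not code from the thread or Equifax: a defender-side check that flags
# domains resembling a known breach-response site, covering both cases the articles
# describe: a one-character typo and swapped word order. Token list is an assumption.

LEGIT_DOMAIN = "equifaxsecurity2017.com"
BRAND_TOKENS = ("equifax", "security", "2017")  # assumed vocabulary

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Label left of the TLD; assumes a single-label suffix such as .com."""
    return domain.lower().strip(".").rsplit(".", 1)[0]

def tokenize(label: str, vocab=BRAND_TOKENS) -> list:
    """Greedily split a label into known tokens; an unrecognised tail stays whole."""
    tokens, rest = [], label
    while rest:
        for tok in vocab:
            if rest.startswith(tok):
                tokens.append(tok)
                rest = rest[len(tok):]
                break
        else:
            tokens.append(rest)
            rest = ""
    return tokens

def classify(candidate: str, legit: str = LEGIT_DOMAIN, max_dist: int = 2) -> str:
    """Return 'legitimate', 'reordered', 'lookalike' or 'unrelated'."""
    if candidate.lower().strip(".") == legit.lower():
        return "legitimate"
    c, l = registrable_label(candidate), registrable_label(legit)
    # Reordered tokens are far apart by edit distance, so check them first.
    if c != l and sorted(tokenize(c)) == sorted(tokenize(l)):
        return "reordered"
    return "lookalike" if levenshtein(c, l) <= max_dist else "unrelated"

if __name__ == "__main__":
    # Constructed sample: domains named in the thread plus one unrelated site.
    for dom in ("equifaxsecurity2017.com", "securityequifax2017.com",
                "equifaxsmcurity2017.com", "example.com"):
        print(f"{dom:28s} {classify(dom)}")
```

Note that an unrelated domain scores "unrelated", not "legitimate": the check can flag lookalikes, but it cannot vouch for a redirect to a different domain such as trustedidpremier.com, which is exactly why the redirect drew suspicion.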
Equifax Inc. has taken part of its website offline after an independent security analyst reported that the site apparently had been hacked. He said clicking a link on the site redirected him to a malicious URL urging him to download malware.
The potential hack comes a month after Equifax revealed that a data breach exposed the Social Security numbers and birthdates of as many as 145.5 million Americans. That earlier hack took place after Equifax failed for several months to fix a software flaw that federal officials had warned about in March.
Late Wednesday night, security analyst Randy Abrams said in a blog post that while he was trying to download his credit report from the Equifax site, he clicked a link that kicked him to a third-party website with “one of the ubiquitous fake Flash Player Update screens.”
Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.
Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least four domains before finally opening the Flash download at the same centerbluray.info page. ...
“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” an Equifax spokesperson said in a statement. “Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”