[onlooker]

Just posting this because my wife received a notice about possibly be entitled to a portion of the settlement from a lawsuit undertaken against Equifax. I think we all knew this was going to happen, it is a suit, attorneys knew almost certainly they would win. So, my wife received this notice which stated "If you received a discharge in a Chapter 7, no asset bankruptcy , you could benefit from a class action settlement". So my wife did file for bankruptcy some years back, however we checked and the year she filed does not correspond to the years in question which are 2002-2009. I guess the data breach must have compromised data for those years. Curious if anybody else has some pertinent personal perspective on this.

[vox_mundi]

How badly did Equifax breach damage the Social Security system?

Millions of Americans are worried that their credit information and Social Security numbers may have been among the 143 million records breached in an unprecedented hack that attacked Equifax, the credit reporting company. But there’s more to the story. While Equifax and the Social Security Administration aren’t talking about it, Equifax was also hired a year ago, on a $10 million contract, to “help the SSA manage risk and mitigate fraud for the mySocialSecurity system, a personalized portal for customers to access some of SSA’s services such as the online statement.”

That's how the company put it in a press release on Feb. 10, 2016. In that announcement, Equifax also boasted that the Social Security Administration “has completed integration with Equifax Inc.”

Despite Equifax’s self-described intimate role in providing security and preventing fraud on the Social Security System’s public access website for current workers and beneficiaries, there has been no indication that the Social Security Administration is concerned about whether weaknesses in Equifax’s own customer portal security -- such as the Apache tool on which the company is blaming the breach -- might have been involved in its security work for the mySocialSecurity portal. ...

... Especially as budget cuts reduce agency staff, the mySocialSecurity portal is where increasing numbers of people check their Social Security earnings record, and what kinds of benefits they can expect to receive on retirement. It's also where they can make decisions like when to file for benefits as well as how they want to receive them (for example, as checks in the mail or by direct deposit to a bank account).
...
The question the Social Security Administration must address is whether the epic Equifax data breach in any way suggests weaknesses in the security work the company did for the SSA under contract for its customer access portal.

New evidence raises doubts about executives’ handling of the Equifax breach

Equifax warning: These phone calls and messages are NOT from Equifax, they are scams

[onlooker]

Great links Vox. Well, I can't say I am surprised in this era where more and more things seem to be topsy turvy. Guaranteed that Govts and Corporations are not worried about the little people. So, while this is big, I am still expecting something bigger along the lines of actually creating physical harm to people.

[Outcast_Searcher]

Maybe Equifax is doing us a favor. MANY breaches continue to expose all sorts of information. It's been a drip drip drip, bleeding us.

This is so blatant it should at least wake most folks up.

I'm busy beefing up security protocols on my accounts where I can, chiding banks to wake up where they don't offer consistent two-factor logon access as an option, at a minimum, and taking a much more serious/active role to check on statements and balances (since if you wait too long, you may have no recourse for fraud).

Given how clueless and useless Capitol Hill is re the financial system and their lobbies, I'm pessimistic that this will bring meaningful change to the industry. Let's hope I'm wrong.

[Cog]

Can you or any lawyer prove that this particular data breach at Equifax resulted in harm to you? My answer is no and which is why I just bought EFX at a two year low.

Your information was out on the web long before this particular data breach.

@onlooker Do not have your wife respond to any phishing attempts by firms saying they can get money for her due to an Equifax lawsuit. In due time, Equifax itself will have to inform you about whether you are a plaintiff. Lawsuits have been filed but there is no reason to jump on board with what is a phishing attempt.

[vox_mundi]

... John J. Kelley III, who is responsible for security, compliance and privacy at Equifax, earned $2.8 million last year.

Equifax had 'admin' as Login and Password in Argentina

BBC: The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations.

Cyber-crime blogger Brian Krebs said that an online employee tool used in the country could be accessed by typing "admin" as both a login and password.

He added that this gave access to records that included thousands of customers' national identity numbers.

Last week, the firm revealed a separate attack affecting millions in the US.

After being notified of the latest breach, Equifax temporarily shut the affected website.

"We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cyber-security event that occurred in the United States last week," an Equifax spokeswoman told the BBC.

Equifax’s post-hack website looked like a phishing threat to some browsers

First, the main Equifax.com site was overloaded and intermittently unavailable over the course of Friday, a day after the breach was announced. Would-be users only received the unhelpful message that the server was busy and they should try back after a few minutes.

Next, users who did get through were sent to equifaxsecurity2017.com. Clicking through from there took them to an entirely different URL, trustedidpremier.com

Being routed to a different domain is a classic technique used by phishing scams.

It's especially concerning because scammers had registered at least 194 web addresses designed to lure the unwary into giving up their information as of Friday afternoon. Those addresses included the kinds of easily-made misspellings that people too easily type in.

equifaxsmcurity2017.com

equifaxsocurity2017.com

equifaxsrcurity2017.com

In this case, however, Equifax had registered a separate internet domain to handle inquiries about the cyberattack, so the site was legitimate.

Users who clicked through were told to enter their last name and the final six digits of their nine-digit Social Security numbers. The site would then tell them whether their personal information was compromised.

The six-digit requirement was surprising to many security experts. In fact, some browsers interpreted the request as a potential phishing scam and notified their users to avoid clicking on the link.

"Never give anyone the last 4 digits of your SSN, let alone the last 6," advised Travis Mills, president of LibertyID, an identity theft restoration company. "Do not go onto Equifax.com to give them any more information. They have been compromised and should no longer be trusted."

While Americans have become used to giving out the last four digits of their Social Security numbers to activate credit cards or confirm their identity with billing companies, six digits is significantly more exposure, said Matt Devost, who heads the Global Cyber Defense practice at Accenture Security.

"If you've got the final six, it's not hard to get the first three — and then the genie's out of the bottle," he said.

Trying to speak with someone at Equifax to avoid entering Social Security numbers online didn't help, said Michael Werz, a fellow at the Center for American Progress in Washington D.C.

When he called the help number the company had given out Friday morning, “I got a very nice lady on the line who had no idea what I was talking about.”

He asked to speak to a manager, who told him they were not actually Equifax, just a call center, and had absolutely no information.

I called Equifax with a simple question. This is what happened.

[onlooker]

Can you or any lawyer prove that this particular data breach at Equifax resulted in harm to you? My answer is no and which is why I just bought EFX at a two year low.

Your information was out on the web long before this particular data breach.

@onlooker Do not have your wife respond to any phishing attempts by firms saying they can get money for her due to an Equifax lawsuit. In due time, Equifax itself will have to inform you about whether you are a plaintiff. Lawsuits have been filed but there is no reason to jump on board with what is a phishing attempt.

Thanks Cog, for that heads up. No doubt this presents opportunities for scams of all types including phishing. Maybe, I could return the favor and say maybe it is a good time to put money into the other two credit reporting agencies instead of Equifax

[careinke]

In my study of Cryptocurrencies, Anarchy, Volunteerism, and debt based currencies, I came across this connection to Equifax. Evidently the alleged hackers are demanding a 600 Bitcoin (~2.4 million USD) ransom to destroy the stolen data.

https://fee.org/articles/equifax-hackers-demand-ransom-in-bitcoin/

There’s a new wrinkle in the story of one of the largest data breaches in history. The hack of Equifax may have compromised the personal data of one in five Americans. The hackers have now demanded a ransom with the threat of releasing that information to the commercial marketplace (“monetizing the information”).
They are demanding 600 Bitcoins, which is worth about $2.4 million.

"We are two people trying to solve our lives and those of our families. We did not expect to get as much information as we did, nor do we want to affect any citizen. But we need to monetize the information as soon as possible.”

All told that is not a high price for this company, given the stakes. If it is paid, it will happen quietly. And at that point, presumably, the newly minted millionaires will have sold the data back to its rightful owners and will move on with their lives.

The due date for the ransom was 16 Sep, I'm guessing Equifax paid and we will never hear about it. I wonder if Equifax could be held liable for damages if they didn't pay the ransom?

A huge Bitcoin buy, 10 million USD, that involved JPMorgan, (probably acting on the request of a client), occurred about two days ago. It basically reversed a huge Bitcoin correction. Lots of speculation on Reddit about this buy being connected to Equifax's ransom demand.

[Outcast_Searcher]

In my study of Cryptocurrencies, Anarchy, Volunteerism, and debt based currencies, I came across this connection to Equifax. Evidently the alleged hackers are demanding a 600 Bitcoin (~2.4 million USD) ransom to destroy the stolen data.

https://fee.org/articles/equifax-hackers-demand-ransom-in-bitcoin/

There’s a new wrinkle in the story of one of the largest data breaches in history. The hack of Equifax may have compromised the personal data of one in five Americans. The hackers have now demanded a ransom with the threat of releasing that information to the commercial marketplace (“monetizing the information”).
They are demanding 600 Bitcoins, which is worth about $2.4 million.

What are the odds these enterprising thieves are the ones who actually took the data?

What are the odds that if the ransom is paid, some or all of the data doesn't show up somewhere else, perhaps delayed and reformatted?

Paying thieves to destroy "data" which could be copied hundreds or thousands of times and sold many times over. Yeah, that scheme should inspire confidence.

[onlooker]

They'really is now a common refrain that once data is in cyberspace it can never be completely removed. Sounds right to me, what do others think?

[careinke]

They'really is now a common refrain that once data is in cyberspace it can never be completely removed. Sounds right to me, what do others think?

True, after all, I doubt you voluntarily gave your personal financial information to Equifax. Equifax gathered information about you on their own, and then sold it to other customers who wanted the information. Heck they will even sell it to you!

But take heart, the company is run by upstanding members of the elite. People who have no problem shorting their own company based on insider information.

[careinke]

What are the odds these enterprising thieves are the ones who actually took the data?

That was my first question, I don't know. That's for Equifax to decide.

What are the odds that if the ransom is paid, some or all of the data doesn't show up somewhere else, perhaps delayed and reformatted?

What are the odds of it happening if they don't pay? I'd guess 100 percent.

Paying thieves to destroy "data" which could be copied hundreds or thousands of times and sold many times over. Yeah, that scheme should inspire confidence.

No argument from me.

My question is does Equifax have a moral obligation to make every effort to protect this information, up to and including paying this ransom. Do they have a right to make that decision for YOUR information???

[Cog]

The information that Equifax has on you, was obtained from the places where you obtained credit. Does a credit bureau have ANY duty to you at all to safeguard this data? The bulk of the profits and cash flow from a credit bureau is obtained from the creditors. Banks, credit unions, credit card companies, etc. Unless you had any sort of contract with Equifax and provided them your personal data, what duty do they have to safeguard this data?

Question for lawyers, judges, and juries to hash out. There is little doubt Equifax has hurt their company's reputation for their actions both before the breach and after it. Their stock value reflects that. But things may not be as grim for them in a legal standpoint as it might appear.

What could plunge Equifax into bankruptcy would be if major creditors started cancelling their contracts with them and stop using their service. The lawsuits would be somewhat irrelevant then as their stock would go to zero in short order.

[careinke]

The information that Equifax has on you, was obtained from the places where you obtained credit. Does a credit bureau have ANY duty to you at all to safeguard this data? The bulk of the profits and cash flow from a credit bureau is obtained from the creditors. Banks, credit unions, credit card companies, etc. Unless you had any sort of contract with Equifax and provided them your personal data, what duty do they have to safeguard this data?

Question for lawyers, judges, and juries to hash out. There is little doubt Equifax has hurt their company's reputation for their actions both before the breach and after it. Their stock value reflects that. But things may not be as grim for them in a legal standpoint as it might appear.

I agree, it will be interesting to watch it unfold. Hopefully a few perp walks on the trading thing.

When I was in the military, it used to bug the hell out of me that we had to have an additional form, every time we collected a SSN, to tell the soldier that we needed the SSN. I never did figure out why we couldn't have signed ONE paper upon enlistment/commission saying they needed our SSN! Talk about wasted paperwork. But it was the LAW!

[vox_mundi]

For weeks, Equifax customer service has been directing victims to a fake phishing site

Earlier this month, hackers broke into Equifax's servers and stole 143 million people's personal information, including their Social Security numbers. In response to the attack, Equifax set up a website — http://www.equifaxsecurity2017.com — for possible victims to verify whether they're affected. Because the process involves sharing sensitive information, consumers have to trust they're entering their data in the right place, which can be tricky because the breach-recovery site itself isn’t part of equifax.com. If users end up on the wrong site, they could end up leaking the data they're already concerned was stolen.

Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.



Further research revealed three more tweets that had sent potential victims to the same false address, dating back as far as September 9th. These tweets have also since been deleted.

If you're signing up for Equifax's identity monitoring, requesting a credit freeze, or inputting your personal information anywhere online, double check that you've navigated to the right webpage.

[Cog]

The market seems to be ignoring whatever problems exist with Equifax in favor of making money.

From a high of $142/share right before the crash, down to $92/share in a week. Then a rise over the last week back to $105/share at the close today. I'm doubtful it will regain its previous share value for a while but might still gain some ground back. I wonder if those executives who sold out right before the crash bought a bunch back at the low? Wouldn't surprise me any.

[Cog]

Equifax current stock value $108.49. Bailed out a dollar ago for a nice profit. Is there more of an upside potential? Almost certainly, but I learned a long while back not to fall in love with a stock but take the profits you are comfortable with. There are always buying opportunities in the market.

Learned a valuable negative lesson from my father a good while back. He didn't worry so much about losses he had incurred, but fretted constantly about profits he could have made by selling early. Screw that noise. Take the sure thing and move on to the next big thing. When blood is in the streets and the CNBC "experts" are telling you to sell, is a signal to buy.

[Outcast_Searcher]

I wonder how good this thing will be for people selling data security stuff in general.

For me, this was (emotionally) the last straw.

I'm using two factor authentication where-ever possible. Some sites, like Vanguard, indirectly permit this if you always say your computer is a public computer (and therefore use a security token step before you log on).

I'm also looking at encryption technology for all my sensitive data like financial statements, tax records, online password hints, etc.

AxCrypt looks like a pretty decent encryption system, balancing safety and ease of use for Windows PC's and macs, for about $30 a year for support, for AES-256 bit military grade encryption. I like that I can encrypt a folder, and all subfolders and files within, with a right click. I like that using the data, once encrypted seems completely natural, with two exceptions. First, for large files or folders, there can be a small delay when encrypting. Second, you must enter your AxCrypt password the first time you access an encrypted file, or request encryption, during each PC session. Oh, I especially like that they claim they don't keep you password anywhere. They encrypt a few small files when you register which they decrypt when you logon to verify your password. That's it. So even if someone breaks in and steals all their data, they only get some encrypted files -- no passwords. The downside is there is no back door to you files (which I like). So if you forget your password, you're toast.

And since I'm really paranoid about computer technology failing after a career in computers, watching them fail frequently, and having to deal with the fallout), I wanted another solution for another copy of my data -- just in case (also in case I have a stroke and forget my AxCrypt password). There are now USB jump drives with LI batteries and keypads which encrypt the data on them and won't let anyone in without the encryption code. So I'm thinking a pair of these with my critical files AND the AxCrypt solution for my PC's and ordinary jump drive backups seems like a reasonably safe / convenient bet. I chose INNOPLUS or Lepin flash drives on Amazon (hardware seems the same) for ease of use and the price.

That way if someone breaks in and, say, swipes my primary laptop, at least the data is encrypted. This gives me time to notify my account providers, change passwords, change account numbers or lock down accounts, etc. -- in case someone actually does break the encryption. Before I'd been far too lazy about that.

Disclosure: I have no relationship with any computer hardware or software firm, aside from long term indirect ownership of stock through broad based mutual funds. This is information for people concerned about their data security, not an ad.

So in making me do things like that, plus more carefully and consistently check on my accounts / statements, I thank Equifax. (As much as I hate the bastards for not securing peoples' data properly).

It's too bad I can't opt out of Equifax, etc. messing with ANY Of my data. But this is the good old USA. Why should I have that right? After all, it's only my data. (And yes, that was sarcasm).

[vox_mundi]

Equifax Website Apparently Hacked - Again!

Equifax Inc. has taken part of its website offline after an independent security analyst reported that the site apparently had been hacked. He said clicking a link on the site redirected him to a malicious URL urging him to download malware.

The potential hack comes a month after Equifax revealed that a data breach exposed the Social Security numbers and birthdates of as many as 145.5 million Americans. That earlier hack took place after Equifax failed for several months to fix a software flaw that federal officials had warned about in March.

Late Wednesday night, security analyst Randy Abrams said in a blog post that while he was trying to download his credit report from the Equifax site, he clicked a link that kicked him to a third-party website with “one of the ubiquitous fake Flash Player Update screens.”



Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.

Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least four domains before finally opening the Flash download at the same centerbluray.info page.

... “We are aware of the situation identified on the equifax.com website in the credit report assistance link,” an Equifax spokesperson said in a statement. “Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

[onlooker]

Was just watching how the computer industry is working to make passwords obsolete. This would be good in that passwords have been identified as a major weakness in protecting against hacking. The way to did this would be primarily via Biometrics. So what do the computer savvy people here think about this?