Equifax security breach debacle thickens with improbable denials

Credit to Author: Woody Leonhard| Date: Fri, 08 Sep 2017 06:55:00 -0700

No doubt you’ve heard about the stolen data at credit reporting agency Equifax. The company’s official disclosure appeared yesterday:

Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. … The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

Note that there’s no mention of whether the stolen data is encrypted or not. If the absconded data is in cleartext, or stored using an easily reversed encryption, more than half of the adult population of the U.S. should expect that their private data is now available — and has been available since mid-May.

Further, Anders Melin at Bloomberg reports that three Equifax execs sold a total of $1.8 million in Equifax stock after the hack was detected on July 29 and before it was disclosed to the public yesterday, Sept. 7.

The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.

Melin later reported on Equifax’s claim that none of the three — the CFO, the president of U.S. information solutions, and president of workforce solutions — knew about the breach when they sold their stock:

The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”

You can draw your own conclusions.

To determine if your data is at risk, Equifax created a webpage where you can type in your last name and the last six digits of your Social Security number. The insecurity (and absurdity!) of the page is well-documented by Dan Goodin at Ars Technica and dissected in depth by Brian Krebs.

I decided to take the plunge and see what would happen.

Yesterday evening, I typed in my last name and the last six digits of my (real) SSN. Here’s the message I received:

Early this morning, about 10 hours later, I repeated the experiment with the same account — again, using real data — and got this very different message:

When I click on the Enroll button, I see the original message. I can attest (with no small amount of venom) that Equifax has my information on file, under my Social Security number. I have no idea why that same information triggered two different responses from the tracking site.

What should you do? Krebs recommends that you sign up for credit monitoring, then freeze your credit files. He goes on to say:

The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich. Typically, the way these arrangements work is the credit monitoring is free for a period of time and then consumers are pitched on purchasing additional protection when their free coverage expires.

That’s exactly what happened to me when Scottrade files were breached. It’s a dirty win-win for Equifax. Krebs concludes:

The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.

As you all know, I’ve long harped about data collection — by Microsoft, Google and others — and how consumers have no way of knowing what’s being collected or how it’s being used. There are few options for removing data that’s already been collected, and the tools for examining, challenging and removing data seem feeble to nonexistent. Credit agencies are already highly regulated, and look at what’s happened.

There’s a lesson here.

Commiserate with us on the AskWoody Lounge.

http://www.computerworld.com/category/security/index.rss