What is the impact of the Equifax cybersecurity breach on American voters?

[stoomart]

This is a big one guys: with 146 million registered voters in the US, losing the SSNs, birth dates, full names, and addresses of 143 million people equates to almost every American voter's sensitive information being compromised. Here are the recommended actions you should take in order of effectiveness, severity, and paranoia:

- Monitor your financial accounts, and ensure they require personal security questions for access.

- Sign up for a credit monitoring service (not owned by Equifax).

- Register with the three reporting agencies for fraud prevention, which requires authorization (usually by phone) to open new accounts.

- Register for a credit security freeze, which prevents new accounts from being opened ("nuculer option").https://securingthehuman.sans.org/b...s-what-to-communicate-about-the-equifax-hack/

https://www.usatoday.com/story/mone...-lawsuits-over-massive-cyberbreach/653909001/

 

[jedishrfu]

This is so sad. No matter what you do to protect your information you are still exposed.

 

[stoomart]

This is so sad. No matter what you do to protect your information you are still exposed.

I suspect this type of incident will eventually usher in a new era of multi-factor identity assurance (combination of something you are, have, and know). All it will take is for someone to publish this information on wikileaks or something like that.

 

[Borg]

I just love (not) how Equifax is trying to profit off of this by offering a 'free' monitoring service that requires a credit card and turns into a paid service automatically after one year. I wonder how hard that will be to turn off.

 

[Greg Bernhardt]

I just love (not) how Equifax is trying to profit off of this by offering a 'free' monitoring service that requires a credit card and turns into a paid service automatically after one year. I wonder how hard that will be to turn off.

Absolutely, even a very small percentage of converts could turn into very big profits. Their stock didn't take nearly a big enough hit. Hoping these lawsuits are successful and put a dent in them. These days data breaches aren't harmful enough to companies. Most people just shrug.

I agree we need a new system. SSNs are clearly a thing of the past. I had my identity stolen and used to open cell phone contracts several years ago. Massive PITA and transunion profited as I had to register for protection for a few years.

Using their free check, it appears my wife and I have been affected.

"The real outrage isn't Equifax's arbitration clause — it's all the others"
http://www.latimes.com/business/laz...uifax-arbitration-clauses-20170912-story.html

 

[dlgoff]

Using their free check, it appears my wife and I have been affected.

Hope all goes well Greg.

 

[Borg]

Hope all goes well Greg.

I checked the same interface and was informed that my data was also 'likely compromised'. With 143 millions records stolen, odds are that you're in the same group as Greg and I.

 

[DS2C]

Thieves are the lowest form of scum. Also wouldn't surprise me if it was an intentional leak. Theyd profit from it in the long run if they don't get hammered with lawsuits.

 

[Mark44]

I just love (not) how Equifax is trying to profit off of this by offering a 'free' monitoring service that requires a credit card and turns into a paid service automatically after one year. I wonder how hard that will be to turn off.

I went to their site (www.equifaxsecurity2017.com) and found that my info was likely exposed -- they didn't say for sure. Due to the widespread outrage over their incompetence and their requirement for getting a credit card, I believe they have eased up on this requirement.

One thing not mentioned already is that a number of higherups sold stock before the public announcement was made. I think we'll hear more about this in the near term.

 

[Greg Bernhardt]

One thing not mentioned already is that a number of higherups sold stock before the public announcement was made. I think we'll hear more about this in the near term.

Which is surprising because they seriously couldn't believe they wouldn't get caught right? Maybe they think the prosecution would be weak and still can get away with it.

 

[Borg]

One thing not mentioned already is that a number of higherups sold stock before the public announcement was made. I think we'll hear more about this in the near term.

I've heard this also. Do you know who the executives were? It would be interesting to look up their SEC filings to see what is being reported as suspicious. I do have a link to all of the insider trades for Equifax but it would help to narrow it down.

 

[Mark44]

I've heard this also. Do you know who the executives were?

Offhand, I don't, but I think this would be relatively easy to find out.

 

[Ygggdrasil]

Using their free check, it appears my wife and I have been affected.

Equifax's free check site is essentially worthless. You can put in made up information and it will tell you your info has been stolen. Likely means that they don't really know what was stolen:
https://techcrunch.com/2017/09/08/p...may-tell-you-youve-been-impacted-by-the-hack/
http://www.zdnet.com/article/we-tested-equifax-data-breach-checker-it-is-basically-useless/
https://www.cnet.com/how-to/psa-equifaxs-hack-checker-is-a-hot-mess/
Essentially, if you have a credit history, you should assume your information was stolen.

Info on the three Equifax executives who sold $2 million in stock ~3-4 days after the breaches were discovered on July 29 (but a month before the breach was publicly disclosed)

Regulatory filings show the three Equifax executives — Chief Financial Officer https://www.sec.gov/Archives/edgar/data/33185/000089924317019691/xslF345X03/doc4.xml, U.S. Information Solutions President https://www.sec.gov/Archives/edgar/data/33185/000089924317019692/xslF345X03/doc4.xml and Workforce Solutions President https://www.sec.gov/Archives/edgar/data/33185/000089924317019702/xslF345X03/doc4.xml — completed stock sales on Aug. 1 and 2.

http://www.npr.org/sections/thetwo-...s-after-hack-that-wasnt-disclosed-for-a-month

 

[Mark44]

Equifax's free check site is essentially worthless.

That's the conclusion I reached, after finding out from their site (www.equifaxsecurity2017.com) that my information "might have been compromised."

 

[stoomart]

Equifax's free check site is essentially worthless. You can put in made up information and it will tell you your info has been stolen. Likely means that they don't really know what was stolen

Just a word of caution from the Oregon AG about Equifax's impact validation site:

Do NOT visit Equifax’s website to find out if your information was exposed or to enroll in Equifax’s credit monitoring service. The website’s terms of service potentially restricts your legal rights. Buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident. And because the hackers gained access to the information through Equifax’s U.S. website, it is unclear whether the information you enter to determine if your information has been compromised (your last name and the last six digits of your Social Security number) will be protected from future breaches.​

https://www.doj.state.or.us/media-home/news-media-releases/equifax-data-breach-need-know/

 

[Vanadium 50]

First, the claim that the executives didn't know about the data breach when they "spontaneously" sold stock is almost worse than insider trading - it's gross malfeasance. The Board should immediately remove them for, by their own admission, incompetence. This won't happen, of course, because they don't care. We aren't their customers. We're their product.

Second, the class action opt-out when checking if you're a victim of the breach. They have a lot of chutzpah if they think that knowing a SSN and a last name is tantamount to a signature when they just released a multimillion line long list of just that.

 

[russ_watters]

Absolutely, even a very small percentage of converts could turn into very big profits. Their stock didn't take nearly a big enough hit. Hoping these lawsuits are successful and put a dent in them. These days data breaches aren't harmful enough to companies. Most people just shrug.

I agree we need a new system.

This one is different from, say, the Target breach because as V50 said, we aren't their customers, we are (our data is) their product. So whereas Target took a big hit when people were scared to shop there anymore, Equifax clearly doesn't care if we're upset because us being upset doesn't affect (and can even enhance) their income/profit.
http://www.cnn.com/2017/09/11/opini...nd-government-act-opinion-schneier/index.html

I suspect they will get hammered in the class-action suits, but in the meantime it is just mind boggling how little they care or perhaps even recognize how serious this is. Along those lines, the insider trading is mind blowing too. How could they possibly expect to get away with that? Anyway, besides the lawsuits, I agree that regulations have to change to make data protection be taken more seriously and in particular to change, regulate or eliminate the credit agencies.

 

[Borg]

I will have to reserve judgement on the three executives. If you look in their transaction history since the beginning of 2015, two of the three have tended to keep their total share ownership hovering around 40,000 shares each and all three are currently in that range. They also tend to execute their transactions in Feb., May, and Aug. throughout that time so an end of July/beginning of Aug transaction isn't out of the ordinary for them.

Yes, $2 million is a lot of money, it looks very suspicious and I fully agree that the trades should be investigated. However, those same three execs sold over an additional $11 million before July of this year. Mr. Gamble alone sold 61,000 shares in May - well before the breech was discovered. His shares had climbed to over 100,000 and those sales brought them back down into the 40,000 range. Mr. Gamble's Aug sale of 6500 shares (~$900,000) was a fraction of the May sales ($8.35 million) and still kept his portfolio in the 40,000 share range.

Long story short - I don't see anything that screams selloff by them. The $2 million in shares that they sold is now worth around $1.6 million for a gain of about $400K divided three ways. However, their remaining 120,000 shares have lost $3.7 million in value during that same period. I have to wonder if people who are worth 10's of millions would risk that to make an additional $130K each.

 

[Vanadium 50]

$400,000 looks pretty good to me. Even split three ways. And remember, Martha Stewart went to jail for a mere $45,000 gain.

 

[Borg]

I didn't know about Martha Stewart going to jail for so little. It's beyond my understanding how people so rich would take such risks for such a small percentage gain on their overall wealth.

 

[Greg Bernhardt]

Equifax blames breach on a server flaw it should've patched
https://www.engadget.com/2017/09/13/equifax-apache-argentina

 

[Drakkith]

I was already at risk from the DoD or VA security breach about a decade ago. Hopefully I don't get screwed from this one as well...

 

[stoomart]

Equifax blames breach on a server flaw it should've patched
https://www.engadget.com/2017/09/13/equifax-apache-argentina

Our Struts servers were getting attacked within hours of that exploit being released, but the web application firewalls stopped them dead in their tracks, same with the last one earlier this month. I suspect Equifax was compromised several months before July based on what I saw coming at out systems.

 

[russ_watters]

Shockingly, Equifax told me I probably was not affected.

 

[Evo]

Nothing is secure. Over the Labor Day weekend, I went into my bank account online, and instead of it going into my account, it was odd, like I had already tried to gain access to my account, and the window that popped up was a screen saying that for my security it was asking me one of my "security questions", well, problem is, the ANSWER to the question was ALSO already correctly filled in and visible! And it's an answer no one would know. So the security company screwed up. I had to wait until the bank opened to report the incident to the bank and they locked my account and I had to reset everything.

 

[Vanadium 50]

While Equifax is going around saying "Golly, we were as surprised as anyone" the fact of the matter is that this breach is a result of business decisions. They could have hired a larger security branch - including a "red team" whose job it is to periodically probe their security. They could have put in place internal controls limiting how many records can be pulled at once. Maybe even they could have hired someone with a background in IT rather than a music major to lead their security enterprise. There are many things that they could have done, but it was decided that they cost too much money compared to the risks.

And they were right.

What are the consequences? They are going to get a "tsk tsk" and a stern talking to, but I don't see their customers leaving. Remember, we're not their customers. And yes, their stock price is down, but it will go up again once time has passed and it's seen that Equifax is making as much money as it ever was.

I don't see that consumers have much power here. About the only thing that would work is a massive boycott of Equifax's actual customers. But I don't see that individuals will buy a Ford when they want a Chevy because the Chevrolet dealer uses Equifax. One could think about the government and a similar boycott, but I can't see them making purchasing decisions based on this either. Plus you have the legal issues - Equifax will fight this tooth and nail.

That said, if data security became an existential issue for credit bureaus, you'd see them taking it seriously.

 

[russ_watters]

There are many things that they could have done, but it was decided that they cost too much money compared to the risks.

And they were right.

I think the lawsuits will have a decent shot.

 

[Vanadium 50]

We'll see. CNBC is talking $300-$325M in costs, which a) seems remarkably precise - less than +/- 5% uncertainty, wow! - and b) is nowhere near what it takes to bankrupt the company. My fear is that $300M is not enough to teach them a lesson.

 

[WWGD]

Didn't Equifax encrypt their data?

 

[stoomart]

Equifax blames breach on a server flaw it should've patched
https://www.engadget.com/2017/09/13/equifax-apache-argentina

Turns out they were indeed hacked in a “separate” incident in March, which is when the Struts vulnerability came out.

https://www.bloomberg.com/news/arti...suffer-a-hack-earlier-than-the-date-disclosed
https://nvd.nist.gov/vuln/detail/CVE-2017-5638

 

[Vanadium 50]

The latest - someone set up a fake Equifax site...and then Equifax linked to it.

So much for "we're sorry...we'll be more careful...this won't happen again..."

 

[Drakkith]

The latest - someone set up a fake Equifax site...and then Equifax linked to it.

So much for "we're sorry...we'll be more careful...this won't happen again..."

It's okay. They still have one more strike till they're out.

...we're talking about baseball, right?

 

[Vanadium 50]

The thing I don't get is the nonchalance of their actual customers. You'd think they would conclude that Equifax's data is unreliable. But somehow they have come to the conclusion that even though Equifax is a collection of incompetent stumblebums, their data on all of us is perfect.

 

[russ_watters]

The thing I don't get is the nonchalance of their actual customers. You'd think they would conclude that Equifax's data is unreliable. But somehow they have come to the conclusion that even though Equifax is a collection of incompetent stumblebums, their data on all of us is perfect.

Where does the implication that their data is unreliable come from?

 

[Vanadium 50]

Where does the implication that their data is unreliable come from?

From the conclusion that if a company is sloppy with X it is sloppy with Y. Yes, it's not necessarily true, but it's a good place to make your bet.

Not every Chipolte has a contamination problem. Not every United passenger gets the snot beat out of him. But the companies still took a drubbing.