
Satanica

https://www.theverge.com/2017/9/7/16270808/equifax-data-breach-us-identity-theft
Equifax announced today that 143 million US-based users had their personal information compromised this year. Attackers reportedly exploited a vulnerability on Equifax's website to steal names, Social Security numbers, birthdates, addresses, and, in some cases, driver’s license numbers. Credit card numbers for approximately 209,000 people and certain dispute documents with personal identifying information for approximately 182,000 people were also accessed. Although Equifax operates in other countries, it didn't detect any stolen personal information abroad.

The company says it discovered the breach on July 29th this year, and has since plugged the security hole. The company also set up a dedicated website — www.equifaxsecurity2017.com — for possible victims to sign up for credit file monitoring and identity theft protection.
[....]
Equifax says it's working with both an independent cybersecurity firm and law enforcement to investigate.

You can plug in your last name and last 6 digits of your SSN and find out if you're affected. You will then be able to register for fraud monitoring for free.


Now for the coinkydink of the day.
https://www.bloomberg.com/news/arti...utives-sold-stock-before-revealing-cyber-hack
Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.

The trio had not yet been informed of the incident, the company said late Thursday.

The credit-reporting service said earlier in a statement that it discovered the intrusion on July 29. Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.

The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”
[....]
Equifax shares tumbled 13 percent to $123.81 in early trading at 9:04 a.m. in New York.

“I don’t know how the board will allow these executives to continue in their positions,” said Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP, who advises boards on matters including corporate compliance and enforcement challenges. “Yes, they should have a careful investigation and have an independent law firm interview the executives and review their emails and determine what they knew and when, but the end result is likely clear.”
[....]
 
https://www.wsj.com/articles/equifax-lobbied-for-easier-regulation-before-data-breach-1505169330
Equifax Inc. was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach.

Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies.

That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans.
[....]
Equifax’s credit-reporting peers, TransUnion and Experian PLC, spent at least $128,000 and $690,000, respectively on lobbying in the year’s first half, disclosure records show. They were lobbying on similar issues as Equifax, including liability.

In a statement Monday night, Equifax said it “works closely” with lawmakers and regulators “to ensure that we are communicating the benefits of credit reporting to the U.S. economy, as well as the effects of certain legislation on the financial system.” The company said it believes in “fair industry regulation and advocating for policies that protect consumers’ rights.”
[....]
“This one is a different animal in the sense of the nature of the information that was breached,” Capital One Financial Corp. Chief Executive Richard Fairbank said at a financial-services industry conference Monday. “We have not been through the equivalent of this one.”
[....]
Equifax’s finance chief, was scheduled to speak at the same conference, but canceled.

He and Equifax chief Richard Smith have spoken in recent days, though, with some analysts and investors, according to people familiar with the matter. In those conversations, the executives said the database that was hacked had retained consumer information going back five to 10 years, the people said.
[....]
Messrs. Smith and Gamble also said the hacked database was separate from the credit reports that Equifax sells to consumers and lenders, the people said.

The executives said the company waited more than a month to announce the breach in part because of the need to set up a website for affected consumers and decide on services for them, according to a person familiar with the matter.
[....]
Equifax’s political-action committee made contributions to 13 members of the Financial Services Committee during the 2016 election cycle, according to data from the Center for Responsive Politics. Among the recipients was Committee Chairman Rep. Jeb Hensarling (R., Texas), who received $1,000. Last Friday, he called for his committee’s hearing into the breach.

Rep. Blaine Luetkemeyer (R., Mo.), chairman of the Financial Institutions and Consumer Credit subcommittee that directly handles matters relating to the reporting companies, received $2,000. Also receiving $2,000 was Rep. Barry Loudermilk (R., Ga.), sponsor of the bill that would place a $500,000 cap on the statutory damages consumers could win in a lawsuit against the credit-reporting companies, as well as eliminate punitive damages against them entirely.

The Equifax PAC also gave two additional $1,000 donations to Rep. Luetkemeyer this year, in April and June, according to Federal Election Commission records. The April donation was eight days before Rep. Loudermilk’s bill was introduced.

Equifax said its PAC contributions “are made in a legal, ethical and transparent manner” in accordance with federal laws and regulations. No corporate funds are used in the PAC, which is funded solely by Equifax employees’ voluntary contributions, the company said.
[....]
At last week’s hearing into the liability limits bill and other regulatory overhaul measures, Chi Chi Wu, a staff attorney for the National Consumer Law Center, said the proposed legislation “drastically decreases the consequences for credit bureaus” when they violate the law.

Rep. Loudermilk at the hearing denied the bill was “a credit bureau protection act,” saying it was intended “to protect consumers and all Americans.”

Equifax has also lobbied on changes to rules governing companies that promise to “repair” consumers’ credit. A separate bill pending before the Financial Services Committee would allow credit-reporting companies to offer credit-education and identity-protection services without being subject to rules governing credit-repair companies.

Equifax also lobbied the Consumer Financial Protection Bureau and the Federal Trade Commission in the first half of this year, according to its disclosure reports. Both agencies regulate aspects of credit-reporting companies.
 
Good luck getting a copy of your credit report from annualcreditreport.com or placing freezes. All the sites are overloaded with traffic right now.
https://arstechnica.com/information...caused-by-failure-to-patch-two-month-old-bug/

[....]
"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," company officials wrote in an update posted online. "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn't immediately respond to an e-mail seeking comment on this possibility.

As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site.
[....]
Up to now, Equifax has said only that criminals exploited an unspecified application vulnerability on its US site to gain access to certain files. Now, we know that the flaw was in Apache Struts and had been fixed months before the breach occurred.
 
https://www.theverge.com/2017/9/20/16339612/equifax-tweet-wrong-website-phishing-identity-monitoring
[....]
Equifax set up a website — www.equifaxsecurity2017.com — for possible victims to verify whether they're affected. Because the process involves sharing sensitive information, consumers have to trust they're entering their data in the right place, which can be tricky because the breach-recovery site itself isn’t part of equifax.com. If users end up on the wrong site, they could end up leaking the data they're already concerned was stolen.

Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.
[....]
Luckily, the alternate URL Equifax sent the victim to isn’t malicious. Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax's response page. “I made the site because Equifax made a huge mistake by using a domain that doesn't have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.” Sweeting says no data will leave his page and that he "removed any risk of leaking data via network requests by redirecting them back to the user's own computer," so hopefully data entered on his site is relatively safe. Still, Equifax's team linked out to his page. That isn't reassuring.
[....]
Equifax's entire response to the breach has been a mess. The company's website set off alarms for lawyers who worried it might waive victims' right to sue the company, and the response phone line representatives actually had no information and just directed concerned consumers back to the website.

Although the misspelled link likely wasn't intentional on Equifax's part, it demonstrates just how easy it is for attackers to trick consumers — even the company's own support team was fooled. It also shows a lack of a consistent response strategy. I don't necessarily blame the support team, as they're likely freelancers hired for this breach, but Equifax needs to get its response strategy together.

An Equifax spokesperson says all tweets sent from their account with the wrong URL have been deleted. “All posts using the wrong link have been taken down. To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion.”

If you're signing up for Equifax's identity monitoring, requesting a credit freeze, or inputting your personal information anywhere online, double check that you've navigated to the right webpage.
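
A defender-side check for the lookalike pattern the article describes (equifaxsecurity2017.com versus securityequifax2017.com), added here as an example and not taken from the article or from Equifax. The split of the name into `BRAND_TOKENS`, the two-label treatment of domains, and every test hostname other than those two are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = "equifaxsecurity2017.com"             # official site named in the article
BRAND_TOKENS = ("equifax", "security", "2017")  # assumed split of that name

def hostname(value):
    """Accept a URL or a bare host and return the lowercase host name."""
    if "://" not in value:
        value = "//" + value            # lets urlsplit see a network location
    return (urlsplit(value).hostname or "").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def segment(s):
    """Split s into brand tokens; None if it is not made only of them."""
    if not s:
        return []
    for token in BRAND_TOKENS:
        if s.startswith(token):
            rest = segment(s[len(token):])
            if rest is not None:
                return [token] + rest
    return None

def classify(value):
    """Label a link as trusted, a named kind of lookalike, or unrelated."""
    host = hostname(value)
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "trusted"
    if TRUSTED in host:                 # trusted name buried in another domain
        return "lookalike: embeds-trusted-name"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: the last two labels are the registrable domain. That holds
    # for .com; multi-label suffixes would need the Public Suffix List.
    sld = labels[-2]
    trusted_sld = TRUSTED.split(".")[0]
    if sld == trusted_sld:
        return "lookalike: different-tld"
    parts = segment(sld.replace("-", ""))
    if parts is not None and sorted(parts) == sorted(BRAND_TOKENS):
        return "lookalike: tokens-reordered-or-hyphenated"
    distance = edit_distance(sld, trusted_sld)
    if distance <= 2:
        return f"lookalike: edit-distance-{distance}"
    return "unrelated"

if __name__ == "__main__":
    # The first two hosts come from the article; the rest are constructed.
    for link in ("https://www.equifaxsecurity2017.com/",
                 "securityequifax2017.com",
                 "equifax-security2017.com",
                 "equifaxsecurty2017.com",
                 "equifaxsecurity2017.com.example.net",
                 "example.org"):
        print(f"{link:45} {classify(link)}")
```

Run over outbound links before a support reply is posted, a check like this flags the reordered-name link before it reaches a customer.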
 
All of the so called credit reporting agencies should be disbanded, they only cause more hurt on top of everything else.

The shit we had to go thru to get crap from a scammer off of our credit report is ridiculous. All of it was coming out of Flint Michigan, a place neither one of us had ever been. We had to prove with mountains of documentation that we weren't there when the several accounts were opened. Nearly $5000 worth of fraud and we were at home, going to work as regular.
 
Same thing happened to my coworker, and it took him many years to straighten out. Like in your case, the identity thief was located in Minnesota or somewhere my coworker had never been.
https://arstechnica.com/information...n-this-time-to-redirect-to-fake-flash-update/
[....]
For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers.

Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp//:centerbluray.info that looked like this:
[Image: first-flash-640x407.jpg]

[....]
Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.



Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least four domains before finally opening the Flash download at the same centerbluray.info page.
[....]
Malwarebytes flagged the centerbluray.info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults.com.
[....]
The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that's responsible for the redirects. In that case, the breach, technically speaking, isn't on the Equifax website. But even if that's true, the net result is that the site is arguably compromised in some way, since administrators can't control the pages visitors see when they're trying to use key functions, some which require visitors to enter Social Security numbers.
[....]
https://www.cnbc.com/2018/03/01/equ...-point-4-million-impacted-by-2017-breach.html
Equifax said Thursday that an additional 2.4 million Americans were impacted by last year's data breach, however these newly disclosed consumers had significantly less personal information stolen.

The company says the additional consumers only had their names and a partial driver's license number stolen by the attackers, unlike the original 145.5 million Americans who had their Social Security numbers impacted. Attackers were unable to get the state where the license was issued, the date of issuance or its expiration date.

In total, roughly 147.9 million Americans have been impacted by Equifax's data breach. It remains the largest data breach of personal information in history.

The company says they were able to find the additional 2.4 million Americans by cross referencing names with partial driver's license numbers using both internal and external data sources. These Americans were not found in the original breach because Equifax had focused its investigation on those with Social Security numbers impacted. Individuals with stolen Social Security numbers are generally more at risk for identity theft because of how prolific Social Security numbers are used in identity verification.
[....]

These people will also get letters or whatever so they can sign up for the free monitoring. So sick of this shit.
https://www.cnbc.com/2018/03/14/for...ith-insider-trading-ahead-of-data-breach.html
A former Equifax executive faces insider trading charges for dumping nearly $1 million of company stock just days before the credit reporting company announced a massive data breach last summer.

The U.S. attorney in Atlanta said Jun Ying, 42, was indicted Tuesday by a federal grand jury on criminal charges. The Securities and Exchange Commission filed civil insider trading charges on Wednesday.

Ying, who was to become the company's next chief information officer, used confidential information to exercise his vested Equifax stock options and then sell the shares before the company publicly reported a breach that affected more than 145 million people, investigators said.

Because of the trades, Ying was able to avoid $117,000 in losses, the SEC said Wednesday. He sold the equivalent of $950,000 in stock.
[....]
In a statement on Wednesday, Paulino do Rego Barros, Equifax's interim chief executive officer, said the company referred the matter to the government after an internal investigation and was cooperating with the U.S. Attorney and SEC. "We take corporate governance and compliance very seriously, and will not tolerate violations of our policies."

Ying is not one of the Equifax executives who attracted attention for disclosing they had sold $1.8 million of stock just days after the company discovered security issues and weeks before it announced the intrusion.

In November, a special committee of Equifax's board found that the sales, by four executives, were not improper and that none of them knew about the security breach at the time of the sales.
[....]
In the interim, it hired an outside law firm to investigate the activity alongside its internal security department. "Project Sierra," as the investigation was known internally, subjected employees to a trading blackout period regarding the company's stock. A separate team, known as "Project Sparta" was set up to develop a customer website and staff up a call center.
[....]
Ying wasn't a part of either Sierra or Sparta projects but found out about the Equifax breach through a series of internal communications in late August, in which he inferred that it was Equifax itself and not a client that was the subject of the breach, the SEC said.

In the next few days after those communications, Ying researched the stock moves of a competitor company after it announced a data breach. He exercised his Equifax options and sold the shares on Aug. 28, within an hour of researching the stock move in Experian after its September 2015 data breach, the SEC said.

Two days later, an executive told him it was Equifax that was the subject of the breach and advised him not to trade company stock. Equifax shares dropped 14 percent the day after the breach was made public.

Ying was offered the CIO job but that offer was rescinded after his trading activity came to light. In October, the company concluded he had violated its insider trading policy, and he agreed to resign.

Ying will be arraigned on the federal criminal charges later this week, according to Byung J. Pak, the U.S. Attorney in Atlanta.
 