{"id":9171,"date":"2017-09-08T06:30:22","date_gmt":"2017-09-08T14:30:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/08\/news-2944\/"},"modified":"2017-09-08T06:30:22","modified_gmt":"2017-09-08T14:30:22","slug":"news-2944","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/08\/news-2944\/","title":{"rendered":"Equifax security breach debacle thickens with improbable denials"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/equifax-breach-100735224-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard | Date: Fri, 08 Sep 2017 06:55:00 -0700<\/strong><\/p>\n<p>No doubt you\u2019ve heard about the stolen data at credit reporting agency Equifax. The <a href=\"https:\/\/www.equifaxsecurity2017.com\/\" rel=\"nofollow\" target=\"_blank\">company\u2019s official disclosure appeared yesterday<\/a>:<\/p>\n<blockquote>\n<p>Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company\u2019s investigation, the unauthorized access occurred from mid-May through July 2017. \u2026 The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver\u2019s license numbers.<\/p>\n<\/blockquote>\n<p>Note that there\u2019s no mention of whether the stolen data was encrypted. If the exfiltrated data was stored in cleartext, or under easily reversible encryption, more than half of the adult population of the U.S. 
should expect that their private data is now available \u2014 and has been available since mid-May. Nor would encryption at rest necessarily have helped: an attacker who exploits the web application itself typically inherits the application\u2019s own ability to read the records it serves.<\/p>\n<p>Further, <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2017-09-07\/three-equifax-executives-sold-stock-before-revealing-cyber-hack\" rel=\"nofollow\" target=\"_blank\">Anders Melin at Bloomberg<\/a> reports that three Equifax executives sold a total of $1.8 million in Equifax stock after the hack was detected on July 29 and before it was disclosed to the public yesterday, Sept. 7:<\/p>\n<blockquote>\n<p>The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.<\/p>\n<\/blockquote>\n<p><a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2017-09-07\/three-equifax-executives-sold-stock-before-revealing-cyber-hack\" rel=\"nofollow\" target=\"_blank\">Melin later reported<\/a> on Equifax\u2019s claim that none of the three \u2014 the CFO, the president of U.S. information solutions, and the president of workforce solutions \u2014 knew about the breach when they sold their stock:<\/p>\n<blockquote>\n<p>The three \u201csold a small percentage of their Equifax shares,\u201d Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They \u201chad no knowledge that an intrusion had occurred at the time.\u201d<\/p>\n<\/blockquote>\n<p>You can draw your own conclusions.<\/p>\n<p>To determine if your data is at risk, <a href=\"https:\/\/www.equifaxsecurity2017.com\/\" rel=\"nofollow\" target=\"_blank\">Equifax created a webpage<\/a> where you can type in your last name and the last six digits of your Social Security number. 
The insecurity (and absurdity!) of the page is well documented by <a href=\"https:\/\/arstechnica.com\/information-technology\/2017\/09\/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever\/\" rel=\"nofollow\" target=\"_blank\">Dan Goodin at Ars Technica<\/a> and dissected in depth <a href=\"https:\/\/krebsonsecurity.com\/2017\/09\/breach-at-equifax-may-impact-143m-americans\/\" rel=\"nofollow\" target=\"_blank\">by Brian Krebs<\/a>.<\/p>\n<p>I decided to take the plunge and see what would happen.<\/p>\n<p>Yesterday evening, I typed in my last name and the last six digits of my (real) SSN. Here\u2019s the message I received:<\/p>\n<p>Early this morning, about 10 hours later, I repeated the experiment with the same account \u2014 again, using real data \u2014 and got this very different message:<\/p>\n<p>When I click on the Enroll button, I see the original message. I can attest (with no small amount of venom) that Equifax has my information on file, under my Social Security number. I have no idea why that same information triggered two different responses from the tracking site.<\/p>\n<p>What should you do? Krebs recommends that you sign up for credit monitoring, then <a href=\"https:\/\/krebsonsecurity.com\/2015\/06\/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze\/\" rel=\"nofollow\" target=\"_blank\">freeze your credit files<\/a>. He goes on to say:<\/p>\n<blockquote>\n<p>The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich. Typically, the way these arrangements work is the credit monitoring is free for a period of time and then consumers are pitched on purchasing additional protection when their free coverage expires.<\/p>\n<\/blockquote>\n<p>That\u2019s exactly what happened to me when <a href=\"https:\/\/krebsonsecurity.com\/2015\/10\/scottrade-breach-hits-4-6-million-customers\/\" rel=\"nofollow\" target=\"_blank\">Scottrade files were breached<\/a>. 
It\u2019s a dirty win-win for Equifax. Krebs concludes:<\/p>\n<blockquote>\n<p>The credit bureaus \u2014 which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers \u2014 have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.<\/p>\n<\/blockquote>\n<p>As you all know, I\u2019ve long harped about data collection \u2014 by Microsoft, Google and others \u2014 and how consumers have no way of knowing what\u2019s being collected or how it\u2019s being used. There are few options for removing data that\u2019s already been collected, and the tools for examining, challenging and removing data seem feeble to nonexistent. Credit agencies are already highly regulated, and look at what\u2019s happened.<\/p>\n<p>There\u2019s a lesson here.<\/p>\n<p><em>Commiserate with us on the <a href=\"https:\/\/www.askwoody.com\/2017\/bloomberg-three-equifax-execs-sold-1-8-m-in-stock-days-before-hack-was-announced\/\" rel=\"nofollow\">AskWoody Lounge<\/a>.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3222737\/microsoft-windows\/equifax-security-breach-debacle-thickens-with-improbable-denials.html#tk.rss_security\" target=\"bwo\">Original article at Computerworld<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10525],"class_list":["post-9171","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9171"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9171\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9171"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}