---

@BurgeoningHope wrote:

https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-pote...

 

"...Equifax said it discovered the breach on July 29. Leaked data includes names, birth dates, social security numbers, addresses and potentially drivers licenses. 209,000 U.S. credit card numbers were also obtained, in addition to "certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."..."

 

(Edited to shorten the headline)

---

Holy freaking crap. That is almost ONE HALF of the US population. This means you're more likely to be affected than not, since EQ probably has partial information on almost everyone over 18 years old. 

Cue massive class action suit.

Cue Equifax trying to offer everyone EQ credit monitoring.

Cue another lawsuit demading credit monitoring from another agency. 

Seriously, who can protect you from the people who are supposed protect your identitiy and reputation? People should not stay silent about this. 

This is pretty awful.  I'm exposed and i imagine that most on this board are too.  As someone who works in IT and has to deal with security measures, my questions are:

1.  What was the security breach? (I'm sure they will never discuss details, but I want to know).

2.  How was it discovered?

3.  Why did it take 3+ months to discover?

4.  Did a new patch to close the vulnerability have to be written or did one already exist?  If one existed before, how long was it available from the vendor?

4.  Was the data encrypted?  If not, why not?

5.  Was encrypted or unencrypted data passed to hackers?

Data of this type in this day and age needs to be encrpyted with the highest quality encryption available through the entire chain....databases, middleware, reporting systems, webservers, everything.  Databases need to be firewalled behind the middleware and the middleware(s) needs to be firewalled from the webserver (which is exposed to the Internet).  Then forensic software needs to be installed on all levels to check for strange or unauthorized movement of data from place to place and notify 24/7 staff.  Only transactional data can be accessed....no large data dumps without shutting down the link and notifying security. 

No system is completely foolproof but Equifax is supposed to have the strongest security regime out there....equivalent to major banks and government agencies.  Anything less is a major breach of trust and a class action lawsuit waiting to happen (I'm sure it's already happening).  As for Equifax executives, this is the kind of thing that gets people fired (just look at what happened at Target).  The initial response seems to be appropriate but there are a lot of unanswered questions.

The New York Times and The Washington Post are reporting an Equifax data breach affecting 143 million people's personal data.

Great post...Equifax better get a shared secured loan and a secured open sky credit card. 

The month or so lag was probably reasonable.  It takes time to do a proper forensic accounting of the situation (and in this case, they hired an outside company).  The FBI likely wanted to look at it.  The servers in question had to be scrubbed of any malware (probably rebuilt from scratch).  Software had to be patched to deal with the original vulnerability and any others that had been discovered since the last patching.  All of this likely had entire teams working on the issue round the clock for weeks to solve.  I imagine their security and IT teams haven't gotten a lot of sleep lately.  And they had to make sure no one from the media was tipped off before they were ready to come forward with the problem and what the action plan was, especially to CNN which is also based in Atlanta.

Still, I'm pretty pissed about the whole thing.  And I just got a call from my wife about it.  She has Lifelock since she had a major identity theft situation two years ago but I may have to follow her down that path.