08 Sep 17

Equifax Breach Response Turns Dumpster Fire

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans.

WEB SITE WOES

As noted in yesterday’s breaking story on this breach, the Web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach (equifaxsecurity2017.com) is completely broken at best, and little more than a stalling tactic or sham at worst.

In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.


Others (myself included) received not a yes or no answer to the question of whether we were impacted, but instead a message that credit monitoring services we were eligible for were not available and to check back later in the month. The site asked users to enter their last name and last six digits of their SSN, but at the prompting of a reader’s comment I confirmed that just entering gibberish names and numbers produced the same result as the one I saw when I entered my real information: Come back on Sept. 13.

Who’s responsible for this debacle? Well, Equifax of course. But most large companies that can afford to do so hire outside public relations or disaster response firms to walk them through the safest ways to notify affected consumers. In this case, Equifax appears to have hired global PR firm Edelman PR.

What gives me this idea? Until just a couple of hours ago, the copy of WordPress installed at equifaxsecurity2017.com included a publicly accessible user database entry showing a user named “Edelman” was the first (and only?) user registered on the site.

Code that was publicly available on equifaxsecurity2017.com until very recently showed account information for an outside PR firm.

I reached out to Edelman for more information and will update this story when I hear from them.

EARLY WARNING?

In its breach disclosure Thursday, Equifax said it hired an outside computer security forensic firm to investigate as soon as it discovered unauthorized access to its Web site. ZDNet published a story Thursday saying that the outside firm was Alexandria, Va.-based Mandiant — a security firm bought by FireEye in 2014.

Interestingly, anyone who happened to have been monitoring look-alike domains for Equifax.com prior to yesterday’s breach announcement may have had an early clue about the upcoming announcement. One interesting domain that was registered on Sept. 5, 2017 is “equihax.com,” which according to domain registration records was purchased by an Alexandria, Va. resident named Brandan Schondorfer.

A quick Google search shows that Schondorfer works for Mandiant. Ray Watson, a cybersecurity researcher who messaged me this morning on Twitter about this curiosity, said it is likely that Mandiant has been registering domains that might be attractive to phishers hoping to take advantage of public attention to the breach and spoof Equifax’s domain.

Watson said it’s equally likely the equihax.com domain was registered to keep it out of the hands of people who may be looking for domain names they can use to lampoon Equifax for its breach. Schondorfer has not yet returned calls seeking comment.

EQUIFAX EXECS PULL GOLDEN PARACHUTES?

Bloomberg moved a story yesterday indicating that three top executives at Equifax sold millions of dollars worth of stock during the time between when the company says it discovered the breach and when it notified the public and investors.

Shares of Equifax’s stock on the New York Stock Exchange [NYSE:EFX] were down more than 13 percent at time of publication versus yesterday’s price.

The executives reportedly told Bloomberg they didn’t know about the breach when they sold their shares. A law firm in New York has already announced it is investigating potential insider trading claims against Equifax.

CLASS ACTION WAIVER?

Yesterday’s story here pointed out the gross conflict of interest in Equifax’s consumer remedy for this breach: Offering a year’s worth of free credit monitoring services to all Americans via its own in-house credit monitoring service.

This is particularly rich because a) why should anyone trust Equifax to do anything right security-wise after this debacle and b) these credit monitoring services typically hard-sell consumers to sign up for paid credit protection plans when the free coverage expires.

Verbiage from the terms of service from Equifax’s credit monitoring service TrustedID Premier.

I have repeatedly urged readers to consider putting a security freeze on their accounts in lieu of or in addition to accepting these free credit monitoring offers, noting that credit monitoring services don’t protect you against identity theft (the most you can hope for is they alert you when ID thieves do steal your identity), while security freezes can prevent thieves from taking out new lines of credit in your name.

Several readers have written in to point out that the terms of service Equifax requires all users to acknowledge before signing up for the service seem to include legal verbiage suggesting that those who sign up for the free service will waive their rights to participate in future class action lawsuits against the company.

KrebsOnSecurity is still awaiting word from an actual lawyer who’s looking at this contract, but let me offer my own two cents on this.

Update, 9:45 p.m. ET: Equifax has updated their breach alert page to include the following response in regard to the unclear legalese:

“In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

Original story:

Equifax will almost certainly see itself the target of multiple class action lawsuits as a result of this breach, but there is no guarantee those lawsuits will go the distance and result in a monetary windfall for affected consumers.

Even when these cases do result in a win for the plaintiff class, it can take years. After KrebsOnSecurity broke the story in 2013 that Experian had given access to 200 million consumer records to a Vietnamese man running an identity theft service, two different law firms filed class action suits against Experian.

That case was ultimately tossed out of federal court and remanded to state court, where it is ongoing. That case was filed in 2015.

To close out the subject of civil lawsuits as a way to hold companies accountable for sloppy security, class actions — even when successful — rarely result in much of a financial benefit for affected consumers (very often the “reward” is a gift card or two-digit dollar amount per victim), while greatly enriching law firms that file the suits.

It’s my view that these class action lawsuits serve principally to take the pressure off of lawmakers and regulators to do something that might actually prevent more sloppy security practices in the future at the culpable companies. And as I noted in yesterday’s story, the credit bureaus have shown themselves time and again to be terribly unreliable stewards of sensitive consumer data: This time, the intruders were able to get in because Equifax apparently fell behind in patching its Internet-facing Web applications.

In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services. In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers.

CAPITALIZING ON FEAR

Speaking of Experian, the company is now taking advantage of public fear over the breach — via hashtag #equifaxbreach, for example — to sign people up for their cleverly-named “CreditLock” subscription service (again, hat tip to @rayjwatson).

“When you have Experian Identity Theft Protection, you can instantly lock or unlock your Experian Credit File with the simple click of a button,” the ad enthuses. “Experian gives you instant access to your credit report.”

First off, all consumers have the legal right to instant access to their credit report via the Web site, annualcreditreport.com. This site, mandated by Congress, gives consumers the right to one free credit report from each of the three major bureaus (Equifax, Trans Union and Experian) every year.

Second, all consumers have a right to request that the bureaus “freeze” their credit files, which bars potential creditors or anyone else from viewing your credit history or credit file unless you thaw the freeze (temporarily or permanently).

I have made no secret of my disdain for the practice of companies offering credit monitoring in the wake of a data breach — especially in cases where the breach only involves credit card accounts, since credit monitoring services typically only look for new account fraud and do little or nothing to prevent fraud on existing consumer credit accounts.

Credit monitoring services rarely prevent identity thieves from stealing your identity. The most you can hope for from these services is that they will alert you as soon as someone does steal your identity. Also, the services can be useful in helping victims recover from ID theft.

My advice: Sign up for credit monitoring if you can (and you’re not holding out for a puny class action windfall) and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.

Whether you are considering a freeze, credit monitoring, or a fraud alert (another, far less restrictive third option), please take a moment to read this story in its entirety. It includes a great deal of information that cannot be shared in a short column here.


278 comments

  1. Found you another link that’s not appearing on your front page here, anyway. It’s another long time favorite read with a more techie lean:

    https://www.programmableweb.com/news/how-not-to-be-next-equifax/analysis/2017/09/08

    Impression is that nothing about Apache has crossed their own desk yet because it doesn’t appear to get a mention.

    They’re calculating something that crossed my mind. This has the capability of bankruptcy beyond anything fathomable when it comes to potential fines levied.

    Just caught their blurb about using a mother’s maiden name as an access to password recovery, etc. I NEVER use that. I like that part of my family genealogy and so would like to be able to write about it on the Net occasionally. If you do that, that’s off the table as a “secret”. :)

    PS (Look THAT up in your) Funk and Wagnalls’? That writer just sent me back to the 60’s! 😀

    • Hi Cindy Sue,… sorry to have sent you back to the 60’s. Actually, the Mighty Carnac was still going into the 80’s. You don’t have to go back THAT far.

      David Berlind
      (the author of the other story with the techie lean)

      ps: thanks for the “favorite read” comment. We love getting that kind of feedback. I am about to publish another bit that points back to Brian’s article and covers the timestamp as PIN controversy (as soon as I confirm it).

  2. This dumpster fire is so bright the ISS crew is having to break out the shades.

    1. Use Timestamps as super sekret pins? Check [0]
    2. Publish user database on line? Check [1]
    3. Lose 143 million private identities? Double Check [2]
    4. Tell the world how to keep customers data safe? Check and Done [3]

    [0] https://twitter.com/EquifaxInsights/status/768613719769161728
    [1] See above
    [2] See Krebs post yesterday
    [3] https://twitter.com/EquifaxInsights/status/905777736043692032

  3. Perhaps they meant to hire Edelman PR, but it looks like they hired Julian Edelman of the (cheating) New England Patriots to do their PR LOL

    IG

    • The real Edelman would never drop the ball, give up an interception, and would fix his errors immediately.

      Nope, this reeks of a Peyton Manning pretending why he has no idea how his wife received his growth hormone.

    • Before you call the Patriots “cheats” maybe you should add some examples (that haven’t been debunked). BTW ESPN has never admitted lying about deflategate. You people are just jealous! Probably voted for the Dumpster – how’s that working out for you?

  4. What much of this points to is something I have believed for years: The best protection against identity theft is to have a terrible credit rating. Believing corporate America can secure this data is like believing you can domesticate wild tigers for pets. Sooner or later, you’re going to get bit. At least with poor credit, you beat the bad guys to the punch. Sure, the other side of that is credit rates, but the message there is live in one’s means (not one’s credit rating). Long term, the solution is simple, start treating personal information as though it were copyrighted (you are the author of your PII after all, aren’t you?). Anyone using it without consent (not to mention profiting) will be subject to civil liability.

  5. Fsb hands are on everything.
    blue fsb

  6. Seems to me that Equifax should have to pay ALL the fees associated with Freezing/Unthawing of accounts.

    How is it that _they_ release all my info and then I have to pay to protect myself?

    • They finally agreed to freeze and unfreeze for free. I expect Equifucks to go the way of Arthur Andersen very soon.

  7. I’m so glad to see the invisible hand of the free market did its thing in protecting the sensitive PII of Equifax customers.

    • That is the thing. You are not the customer. You are the product. But what if the product becomes more expensive?

      If you put a freeze on your record, suddenly:
      1. Equifax customers can no longer obtain their product (you)
      2. It will actually help you from getting your identity pwned.

      Yes it is $10 but cheap if they can no longer sell your data.

    • There is no free market since the data owners don’t have a choice not to use them. Where is the consumer bureau Obama and the Dems like Warren created? Nothing heard from them about the 6th breach in 7 years.

      • Don’t count on the CFPB in the long term. Looks like the current administration is trying to essentially get rid of it:

        http://time.com/money/4790486/trump-budget-2018-cuts-cfpb-consumers/

        • They’ve been trying from the start to get rid of the law that created the CFPB, and they weren’t even able to block the posting of the Director – so fat chance they’ll get rid of the bureau. It was at least by action of Consumers Union that we members pushed to get Richard Cordray installed as the first director. If you want to help kick hind end for these egregious actions by modern day robbers like the credit reporting agencies and MANY other bad offenses against the consumer, join the CU action team and help push congress into finally doing something about this mess. CU is fast becoming one of Washington’s most powerful lobbies next to the Pilot’s union, and the NRA. So if you want to become one of the biggest “special interests” to influence congress I highly recommend it. I have just had it up to here with crap like this, and it is time to do something about it! JOIN CONSUMER’S UNION

  8. Equifax site is not accepting my login info and requires Javascript to be enabled to do a credit freeze. Just me or have others had the same experience?

  9. I looked through the site’s js and did some thinking.

    Here’s how it works on the surface…
    If the registration server is busy, you are not impacted. Otherwise you are.

    If you are not impacted there may be a special server response flag that will change that to impacted.

    If the server doesn’t respond at all (super busy?) you are not impacted.

    Honestly I don’t know why this logic is in js and not a view template to begin with lol.
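    The fail-open client logic this comment describes, modelled as an added example (not the script from equifaxsecurity2017.com; the reply shapes and function names are assumptions) next to a version that reports "unknown" rather than "not impacted" when the lookup service cannot answer:

```javascript
// Added example, not code from equifaxsecurity2017.com. It models the
// client-side decision the comment describes (busy or silent server =>
// "not impacted") and contrasts it with a client that only reports what
// the server actually asserted. The reply shapes are constructed for this
// example and are assumptions about the site's API, not its real one.

// Constructed sample replies to the same lookup request.
const REPLY_OK_IMPACTED = { status: 200, body: { impacted: true } };
const REPLY_OK_CLEAR    = { status: 200, body: { impacted: false } };
const REPLY_BUSY        = { status: 503, body: null };   // registration server overloaded
const REPLY_SILENT      = null;                          // request timed out or failed

// Fail-open logic as the comment describes it: anything that is not a clean
// "yes" collapses to "not impacted", so an overloaded server makes everyone
// look safe, and the same person can get different answers on two devices.
function failOpenVerdict(reply) {
  if (!reply || reply.status !== 200 || !reply.body) return "not impacted";
  return reply.body.impacted ? "impacted" : "not impacted";
}

// Hardened logic: a negative answer is given only when the server sent one.
// Every other condition surfaces as "unknown" with a retry hint, so an
// outage is visible to the user instead of being reported as good news.
function safeVerdict(reply) {
  if (!reply) return "unknown: no response from lookup service, try again";
  if (reply.status === 503) return "unknown: lookup service busy, try again";
  if (reply.status !== 200 || !reply.body || typeof reply.body.impacted !== "boolean") {
    return "unknown: unexpected reply from lookup service";
  }
  return reply.body.impacted ? "impacted" : "not impacted";
}

// Consistency check a tester would run: one query must never yield both
// "impacted" and "not impacted" across retries. Returns the sorted set of
// distinct definite verdicts verdictFn produced over the replies.
function definiteVerdicts(verdictFn, replies) {
  const definite = new Set();
  for (const reply of replies) {
    const v = verdictFn(reply);
    if (v === "impacted" || v === "not impacted") definite.add(v);
  }
  return [...definite].sort();
}

// One person retrying the lookup while the server flaps between answering
// and being overloaded (constructed sequence).
const retrySequence = [REPLY_BUSY, REPLY_SILENT, REPLY_OK_IMPACTED, REPLY_BUSY];

console.log("fail-open:", definiteVerdicts(failOpenVerdict, retrySequence)); // contradictory answers
console.log("hardened: ", definiteVerdicts(safeVerdict, retrySequence));     // a single answer
```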

  10. Fvcking assholes lowered my credit score after I used a CC to make $5K downpayment on a new car.
    Even though I NEVER borrowed a penny off the charge and paid $5K back right away JUST to have a $50 cash Back!
    A-holes Dropped my score 50 Fvcking points.
    Blow me credit raters and credit bureaus!

    • Bix
      You are absolutely correct!
      We checked your file and noted your $5K charge…
      on a CC with a 5.5K Credit Limit…
      Hmmmm.
      Giving you a horrendously bad (for you) Utilization Rate of 90.9%.
      Double hmmmm…
      The alarm bells went off in all of your (current) Issuers…
      Time for you to get out of the 1995 “outrage” mindset, and study “credit scoring, 2017”
      Good luck and good hunting to all at your local public library…

    • Bix, the credit bureaus didn’t do anything. YOU did it to yourself by your own admission. You said you used a credit card to make a down payment on a car. Then, you said you didn’t borrow any money. YES, you did – when you used the credit card to make the down payment. DUH! And, when your credit card balances increase or decrease, your credit score will likely change. That’s the way credit scores work. Again, DUH! Don’t blame someone else for your actions.

  11. I sent the credit card # they charged my card I received nothing call they said .I would get 50% of my money back and receive my pills. nothing !!!!

  12. These guys have played fast and loose with consumer’s most sensitive information for years. They do just up to the letter of the law, and work very hard to ensure that the laws are decades behind the times.

    Their response to this is telling, starting with the insider trading by execs to unload their soon-to-be-worthless shares, to hiding behind legalese, PR positioning, and a random-response website.

    If there was really a free-market choice, we could choose which agency reported on us. Who really has much trust in Equifax now? It wasn’t high to begin with, and it’s not going anywhere positive soon. Equifax isn’t even trying, as they don’t see it as germane to their business. It’s well past the simple explanation of “who are they beholden to”. It’s never been the consumer or small business. It’s about who they can damage, and damage severely, through gross neglect and continued indifference.

    To my fellow Republicans who don’t believe that they can even discuss issues like this: markets can’t function without transparency and trust, credit isn’t extended when fraud is prevalent, and to personalize it a bit more, you will not win re-election when fraud and identity theft hits the majority of voters and costs them money.

    • Totally agree – I’m not going to change parties any day soon, but I may have to go to a town hall meeting and punch someone representing me in the face! It’s the American way, isn’t it? We need to work inside our parties to change things; even if it means voting the bastards out every time they come up for election – even if it is the same party.

  13. This is the 6th breach in 7 years according to DOJ website and they say the company is doing what they have to. So buy the stock in 11 months because many people getting the free monitoring will forget and the company will start charging them automatically. You need a cc # to sign up. There is no punishment for mismanagement of our data that we never control. We aren’t their customers so we can’t do much. I notified my do nothing senator. And haven’t heard anything. I thought the CFPB created by the Democrats was supposed to protect consumers. What a joke.

    • The CFPB won’t necessarily be able to do everything you want until you file a complaint. There has to be proof of damage by the complaint system, so trot on over there and file a complaint! I’ve helped people do that, and it ALWAYS gets a response!!

  14. This is the 6th breach in 7 years according to DOJ website and they say the company is doing what they have to. So buy the stock in 11 months because many people getting the free monitoring will forget and the company will start charging them automatically. You need a cc # to sign up. There is no punishment for mismanagement of our data that we never control. We aren’t their customers so we can’t do much. I notified my do nothing senator. And haven’t heard anything. I thought the CFPB created by the Democrats was supposed to protect consumers. What a joke. You can’t even put an alert on the account since you have to suspect fraud or have a police report.

  15. You can’t even put an alert on the account since you have to suspect fraud or have a police report. And of course you can freeze your credit with each bureau but I believe it costs to unfreeze.

  16. Hi All,

    I was able to put a freeze on my accounts at Experian and TransUnion, but when I went to Equifax they couldn’t process it online and wanted me to mail in all kinds of personal info, including my DOB and SSN. Like I’d put that in the mail to anyone, much less a company that let itself get hacked. Idiots.

  17. Brian,

    Is it time to go back in time….. paper files, snail mail, and cut the cord to the internet?

    Nothing is safe with a connection to the internet apparently.

    Waiting to see this movement start up.

  18. Thank you for the ongoing expert commentary. In a previous post on this issue, you indicated that prior credit freeze information was probably not compromised but that you had no confirmation of this fact. Have you obtained additional information on whether or not prior credit freeze pin numbers were compromised? If so what is the quickest way to obtain a new pin number? Thanks again!

  19. I froze my credit and ran into a problem with the IRS website. When I logged on it told me I need to recertify my account, which I can’t do without lifting the credit freeze because they use Equifax. So I can’t see my transcripts or do anything online at IRS.gov.

  20. A golden parachute is usually the big payout an executive gets for leaving the company they’ve managed, often into a water-filled ditch. From what I understand, none of the three Equifax execs who sold large blocks of Equifax stock shortly after their company’s data breach was identified internally are leaving the company, so not really golden parachutes for them. Rather, it’s more properly called insider trading.

  21. I have no respect for this worthless firm.

    When checking to see if one’s account was hacked,
    I entered a name with a phoney SS number twice and
    each time it said yes.

    I hope and pray that this will cost them a near fortune and
    jail time.

  22. Brian – thanks, as always, for the expert commentary. Many must be heeding the advice to initiate credit freezes… systems at Experian, Innovis, TransUnion and Experian. I tried this morning and was only successful with Innovis. Got system errors with the other 3 – likely a capacity issue. Anyway, just sharing with others who may be trying to do the same today … thank you!

    • Addisen, why not make a credit “freeze” a normal course of business?????

      Most consumers do not need to have their credit files open and if necessary simply have the consumer and the financial institution act in concert.

      This would sharply reduce credit fraud by the hundreds of thousands.

      But then indolency is king.

  23. “Securities and Exchange Commission (SEC): Request SEC revoke EquiFax certification as a NRSRO”
    change.org petition below

    http://chn.ge/2wpABUP

    • I only saw 29 signatures reported – what is it with that group? I think you’d be better off signing the petition CU is circulating, at least those participants can spell Equifax (instead of Equinox :p) Plus you don’t get put on any email spam list!

  24. I called into each number (for “credit freeze”) of each credit reporting entity and had no problems freezing credit on any of them that route, yesterday morning. …try calling. Have CC on hand to type in info.

  26. Hello, I am one of the people who like Brian received not a yes or no answer to whether my credit information was stolen. However when I went back today to complete registration it changed and now it says it was stolen: “Based on the information provided, we believe that your personal information may have been impacted by this incident.”. So you should check again if they don’t answer yes or no.

  27. one user on a CNET forum puts the breach into perspective best by his comment about the media coverage of Equifax:
    ‘None of this explains how the company allowed a publicly accessible web server full access to all of Equifax’s internal database’

  28. Thanks Brian
    …for the expose on the Experian shark’s entry for tidbits falling from the wounded Equifax shark’s thrashings…
    I hadn’t realized from other news reporters that Experian had silently shown up at the dinner table…

    A rare exposure of the oligopoly’s raw form of primitive capitalism.

    Aside from the sheer gall displayed by Experian, given their track record of magnitude data breaches, to now offer its “secure product”, it is quite instructive.

    The US Consumer is mere chum for these giants…

    Note: Both “Equifax” and “Experian” are still relatively new names adopted after very adverse court judgments on how they run their businesses…

    Who says you can’t “quit this town” and get a new start with old management, in the same town, but with a new name? This is the USA!

  29. I was successful in freezing all four of my credit files this morning. Only Equifax seemed slow. Note that at the moment, Equifax is offering the freeze without a fee.
    How nice….

    It will be interesting to see what Mr. Smith has to say, when he testifies before Congress in a few weeks. I would guess his answers will be very carefully rehearsed, and he won’t really answer anything. He will simply obfuscate, which is what these guys do for a lucrative living.

  30. I still don’t understand how they got all that info in the first place. I never remember giving them permission to have my SSN.