Oh, Equifax, you are just a laugh a minute.

You may have heard that Equifax, one of the three major credit bureaus, let cyberintruders steal data on at least 143 million of their “customers.” (What’s the proper word for people who are in a company’s database whether they want to be or not? “Customer” doesn’t quite describe it.)

If you go to the PR site Equifax has set up in response, you’ll find this “news” bolded at the very top:

No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

But the moment you dip into the actual statement text you get:

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

Um … if that’s not part of their core consumer database, what is? One is left to wonder.

But! All is not lost! They’re offering FREE! CREDIT! MONITORING! To practically everybody in the Entire Known Universe!

Oh, lucky, lucky us. All we have to do, either to sign up for the monitoring or check to see whether Equifax gave our personal data to crooks, is … give them our name and 2/3 of our SSN.

Yes, give these sloppy, uncaring a-holes even more for them to hand over to identity thieves. And it seems that unless you were among the 200,000 or so who also had your credit card numbers stolen, this is the only way you’ll learn if you were one of their victims. (News reports differ on this, but some say they don’t plan to notify all the afflicted.)

The fact that they want six digits of your SSN rather than the standard four further suggests that they handed thieves at least that much of 143 million SSNs.

And I call them sloppy, uncaring a-holes not on the basis of this single breach. Not only is this at least their third info giveaway, but among credit watchers, Equifax is notorious for being the unparalleled worst of the three credit bureaus to deal with. Have a dispute with them? Get ready for a “customer” service nightmare. A mistake in the data they hold on you? Good luck getting it fixed. (Of course right now mistakes in your Equifax data might be a blessing in disguise.)

There’s so much that they aren’t saying at the moment.

We do know, apparently, that right after the company discovered the attack on July 29, this happened:

Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.

Pity that innocent “customers” and “consumers” can’t so easily dump Equifax.

25 Comments

  1. Bear September 8, 2017 7:37 am

    “No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases”

    Yeah, I read that as Gamble et al. in the company saying, “Thank god! We weren’t in the breached sections. Sucks to be you, though.”

  2. M September 8, 2017 8:16 am

    I’m affected. As I’ve said elsewhere, I’ve been worried for some time that a breach at one of the major credit agencies or at the Source (SSA) would result in a collapse of the trust model for geographically-distant extensions of credit.

    …Or it could result in a substantially more intrusive method of identity verification.

    Kind of long, but bear with me. I’d have posted in the forum, but I’ve been bad about my renewal and my attendance. 🙂 If this echoes something talked about more in depth there, I’d be glad to hop on and participate further.

    I’ve been mulling over the post regarding the loss of Gooch and others, and reading through George Potter’s writings. I’ve noticed for a while that there’s kind of a division between the people that I think of as the deep thinkers – those that generate thought that really resonates and drives the (very loosely defined) freedom community forward – and those that are good communicators of the kind that can communicate those ideas in a way that reaches people outside the community and actually sticks. Some people straddle both of my mental categories (e.g. Mike Vanderboegh, Aaron Zelman, Marc MacYoung), particularly when restricted to a portion of their material, but most are solidly one or the other.

    The worst immediate thing that I see happening about the slow loss of minds here is the loss of ground in terms of voices. There are plenty of people who are vocal about their dislike of the left boot, at the moment, and plenty who are vocal about their dislike of the right boot, but increasingly few who continue to effectively communicate the dislike of ANY boots on the throat.

    The worst long-term thing that I see is the slow loss of the knowledge of the idea of freedom in the general sense, and the lack of new ideas and strategies applicable to the current situation. Without this, the communicators get bogged down and are less effective at getting new eyes on the idea.

    Backing away from the general feeling of dread and getting back to Equifax, credit, and identity, there are some good things going on in the free speech and currency worlds with blockchain. I think that a much more intrusive method of “identification” is going to come out of this and other attacks. I desperately hope that an alternative to centrally-controlled, government-enforced “identification” (that would *CERTAINLY* *NEVER* be used to suppress an unpopular individual or group) can be found. A Neal Stephenson solution and world worry me substantially less than a Cory Doctorow solution and world.

  3. Claire September 8, 2017 8:35 am

    M — I have re-activated your Cabal membership and would be glad to see you back. So far we aren’t discussing this, but I agree it would be a good (in a bad way) topic.

    Bear — LOL! I think you nailed that one. Yeah, sucks to be all us little nobodies in the age of Big Data.

  4. Claire September 8, 2017 9:00 am

    Thanks for the link to the original Bloomberg report, Bibamufu. Suuuuuuuure top execs of the company were unaware of the hack three days after it was discovered. Absolutely puuuuuuuuuuure coincidence they sold off their stock. Nobody could ever imagine otherwise …

  5. larryarnold September 8, 2017 10:02 am

    What’s the proper word for people who are in a company’s database whether they want to be or not?

    I think voluntary inclusion is pretty much the difference between “customer” and “consumer.” It sure is the reason consumers “need” so much government “protection.”

  6. Claire September 8, 2017 10:10 am

    In case anyone is interested in the vast distinction between “No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases” and “The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers” here it is:

    They didn’t get your credit report. They just got all the personal information tied to it.

    Feel better now?

  7. Claire September 8, 2017 10:11 am

    I think voluntary inclusion is pretty much the difference between “customer” and “consumer.” It sure is the reason consumers “need” so much government “protection.”

    Actually, larryarnold, I think “the consumed” would be a better term than “consumer.”

  8. jed September 8, 2017 10:33 am

    The 6 digits seems odd. I wouldn’t take that to mean that they don’t have the full 9. 6 + your name might be all they need to make a unique identifier, but that seems like an odd reason. If you’re in their database, they already have the full 9, so you won’t be giving them anything additional. My guess is that the vast majority of US citizens are already in their database, so the odds of giving them more data by checking on the breach is pretty low.

    The word for not customer or consumer is “product”.

  9. Claire September 8, 2017 11:21 am

    “If you’re in their database, they already have the full 9, so you won’t be giving them anything additional.”

    Yes, Equifax has the full 9. But given that Equifax’s data systems leak like a government agency, entering six digits could be giving the intruders more than they already got. We don’t know whether they got all 9 (though presumably they did) and we don’t know which of Equifax’s marks got hit.

    Then, since the first three digits are the least personal part of the number, but are keyed to the state where you got the card, a bit of number crunching might easily reveal your entire SSN to them.

    I agree that probably most credit “consumers” in the U.S. had their information stolen, but since EQ has info on more than 800 million people around the world and this breach also included people in the UK and Canada, it’s hard to be sure what the intruders got.

    It’s also very telling that EQ has never mentioned “our data was encrypted.” So we know it wasn’t.

    The fact that they finally released this information in the aftermath of one catastrophic hurricane and with another bearing down on the U.S. also says a lot about their intentions.

    One year of free credit monitoring is hardly enough in a case this drastic. They should provide lifetime monitoring and free credit freezes and un-freezes to everyone affected. At the very least. And all banks should stop reporting information to them immediately.

  10. jed September 8, 2017 12:30 pm

    The breach has already occurred. The query to find out if your data was leaked doesn’t constitute an additional leak, unless Equifax has no data on you, and you’re giving them some, which they will leak at some future time. And it’s unlikely, particularly if you’ve ever used credit of any kind, that you’re not in Experian’s records. Any SSNs that were obtained will have been complete. Perhaps I’m not following you here, but you seem to be worried that using the query system provided will be identifying yourself to the criminals who committed the breach.

  11. Peg Greterson September 8, 2017 12:32 pm

    Hi Claire. Perhaps in this day & age, the correct term for the involuntarily data-based would be “Cuckstomer”

  12. M September 8, 2017 1:53 pm

    Claire – A very grateful thank-you for the re-activation.

    …And a sincere wish that *someone* would hoist the black flag and start slitting:

    “4. AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. […]

    Binding Arbitration. Any Claim (as defined below) raised by either You or Equifax against the other shall be subject to mandatory, binding arbitration. […]

    No Class or Representative Arbitrations. The arbitration will be conducted as an individual arbitration. […]

    Right to Opt-Out of this Arbitration Provision. IF YOU DO NOT WISH TO BE BOUND BY THE ARBITRATION PROVISION, YOU HAVE THE RIGHT TO EXCLUDE YOURSELF. […] You must notify Equifax in writing within 30 days […] Any opt-out request postmarked after the opt-out deadline or that fails to satisfy the other requirements above will not be valid, and You must pursue your Claim in arbitration or small claims court.

    […]

    Payment of Arbitration Fees and Costs. […] You are responsible for all other fees and costs You incur in the arbitration, including attorney’s fees and expert witness fees, except that the arbitrator shall have the authority to award attorney’s fees and costs to the prevailing party; […]

    […]

    Small claims court. Notwithstanding anything in this Section, either You or Equifax may bring an individual action in small claims court as long as (i) the claim is not aggregated with the claim of any other person, and (ii) the small claims court is located in the same county and state as Your address that You most recently provided to Equifax according to Equifax’s records in connection with this Agreement.”

    (Source: http://www.equifax.com/terms/)

    TL;DR: They’re scumbags. They probably knowingly sold stock with insider knowledge. They added a clause to their site that prevents you from being part of a class action lawsuit and locks you into paying for arbitration if you file against them, and did so in a way that’s hidden and has a time limit for opting out of.

    :: unintelligible gibbering ::

    Even lifetime monitoring isn’t going to matter.

  13. jed September 8, 2017 1:55 pm

    Followup analysis — this is interesting.

    “This is very unusual – most security systems are hard-wired only to reveal the last four digits of an SSN for identification purposes,” said Satya Gupta, co-founder & chief technology officer at Virsec Systems, a cybersecurity firm. “This strongly implies that the typical four digits may have been compromised, and they need additional, previously ‘secret’ information to positively identify customers. This reinforces the conundrum of these breaches – with more information exposed, how do you now prove a person’s identity?”

    This implies the breach was at an outer layer, and that full SSNs weren’t exposed.

  14. Claire September 8, 2017 2:09 pm

    “Perhaps I’m not following you here, but you seem to be worried that using the query system provided will be identifying yourself to the criminals who committed the breach.”

    I’m not worried about that in a direct way. But I probably didn’t express my concerns well. EQ holds data on about 800 million people. 143 million of those had their identities exposed. So 657 million did not.

    Monitoring the credit forums this morning it appears that 1/2 to 2/3 of habitual credit watchers have discovered they were among the exposed — meaning somewhere between 1/3 and 1/2 of serious U.S. credit users were NOT exposed despite the scary numbers. Granted, EQ undoubtedly has full nine-digit SSNs (spit!) on all these people. But the thieves didn’t get them.

    Given how criminally careless EQ is, anyone who was NOT already exposed who enters six digits of their SSN may be giving information to current or future hackers who didn’t grab it the first time. The final six digits of an SSN can be relatively easily turned into a full SSN once you have other data on the individual.

    So that’s part of the reason I think EQ is wrong to ask for that much info. The other reason is that it’s EQ’s responsibility to notify those whose data they so recklessly exposed. That they’ve chosen to make these people expose themselves further instead of doing the right thing is yet another example of why EQ is a terrible company that ought to be taken to the nearest mud puddle and drowned.

  15. Claire September 8, 2017 2:20 pm

    “TL;DR: They’re scumbags. They probably knowingly sold stock with insider knowledge. They added a clause to their site that prevents you from being part of a class action lawsuit and locks you into paying for arbitration if you file against them, and did so in a way that’s hidden and has a time limit for opting out of.

    :: unintelligible gibbering ::

    Even lifetime monitoring isn’t going to matter.”

    They are scumbags, indeed. And the stock-sellers’ claim that ohmygosh, we didn’t know! is so ridiculous it would make even a politician blush (one of the execs who sold stock three days after the breach was reportedly the CFO).

    I think we’ve finally found a use for Elizabeth Warren. May she spend the rest of her career putting these people away and seeing that this company (and all like it) get as good as they’ve given their “cuckstomers” (LOL, Peg G for that one).

  16. M September 8, 2017 2:33 pm

    “I think we’ve finally found a use for Elizabeth Warren.”

    Ugh. That hits unfortunately close to home, being a MA subject.

    Would it be wrong to hope for one of those cinematic duels where both parties come out of it mortally wounded?

  17. Claire September 8, 2017 2:47 pm

    “Would it be wrong to hope for one of those cinematic duels where both parties come out of it mortally wounded?”

    And let’s hope we can actually get that duel and its outcome on film!

  18. Claire September 8, 2017 7:22 pm

    A freeze is essential and I agree people should do it. Thanks very much for providing the links, parabarbarian.

    But the amount and kind of information stolen goes way beyond affecting a person’s credit. Identity theft on this level could interfere with jobs, schooling, renting apartments, and all manner of things that are now tied to our SSNs. And these thieves have it all: everything they need to steal identities. It could take years for all the potential problems to manifest and longer for victims to untangle the mess.

  19. Claire September 8, 2017 10:08 pm

    https://borepatch.blogspot.com/2017/09/what-you-should-do-about-huge-equifax.html

    Borepatch has more on how Equifax botched their response to this mess. Given that EQ is already notorious for its incompetence, perhaps none of this is surprising. But (jed, I’m talkin’ to you), this confirms why I consider EQ’s new website for abused “cuckstomers” to be not only rude, stupid, and inadequate, but potentially also dangerous.

  20. Joel September 9, 2017 9:09 am

    “Customers” – Bah! We’re not Equifax’s “customers,” we’re their product. What the hell do they do for us?

    Once many years ago I got my identity ripped off by somebody who really went nuts buying nice things with my name and soc #. Absolutely no question that it was a thief, and not me, who was doing all these crazy things to my credit rating, right? And Month. After. Month I couldn’t get it fixed, because these three credit “reporting” companies kept cross-fertilizing one another with bad info. Each demanded money from me to fix it, and neither would STAY FIXED. Clearly none of them gave one single damn about doing their self-appointed job.

    I have never so genuinely wanted to fix a problem with guns and fire as the one those three companies made for me. “Customers” – ptui. God, it was decades ago and it still pisses me off. I despise Equifax and all its kin.

  21. Claire September 9, 2017 11:28 am

    It appears that EQ actually has no idea whose data was affected and whose wasn’t. ZDNet did some testing on the system that supposedly tells you whether you’re affected or okay:

    http://www.zdnet.com/article/we-tested-equifax-data-breach-checker-it-is-basically-useless/

    USA Today has an article on the lifelong impact this could have — far, far, far beyond merely screwing up your credit:

    https://www.usatoday.com/story/money/2017/09/09/equifax-data-breach-could-create-life-long-identity-theft-threat/646765001/

  22. parabarbarian September 9, 2017 1:51 pm

    In an ideal world the execs at Equifax would already be wearing orange or, at least, gazing fondly at some jurisdiction that has no extradition treaty with the United States. Unfortunately, we do not live in that world.

  23. Claire September 10, 2017 7:56 am

    The chief information security officer of Equifax. She’s a music major.

    https://www.boardroominsiders.com/executive-profiles/1006308/Equifax,-Inc./Susan-Mauldin

    I was going to add that plenty of super-savvy tech people might well have majored in something unrelated in college (one of the most dedicated techies I know has a degree in philosophy) and that she might well have learned her craft from life experience. But clearly Ms Mauldin didn’t learn her craft.
