Equifax breach exposes 143 million people to identity theft

    TAZ

    Well-Known
    Round Rock
    So you want to fine an organization for being attacked by criminals?

    Pretty much. I have 0 issues with fining or jailing folks who through their negligence or greed cause others harm. IMO having your personal info stolen is harm. If it turns out that Equifax has the IT wherewithal of the local Piggly-Wiggly yeah, fine the crap out of them. If it turns out they hid the breach to make a buck yeah, fine the crap out of them or jail the folks making that decision.

    How many of these cases do we get where the breach is the result of negligent corporate decision making? TJ Maxx - wasn't that a result of unencrypted wireless transmittal of CC data? Who the hell does that? Yahoo - aren't they being sued for delaying the release of a massive hack for months (years, I can't remember)?

    How often do you need to hear that abc corp was hacked and then find out that their cyber security was from the 1980's before you do something?

    As for class action suits. They won't make $$ for the individual. They fine the crap out of losers and make buckets of $$ for the lawyers.
     

    TexasBrandon

    TGT Addict
    Salado
    Pretty much. I have 0 issues with fining or jailing folks who through their negligence or greed cause others harm. IMO having your personal info stolen is harm. If it turns out that Equifax has the IT wherewithal of the local Piggly-Wiggly yeah, fine the crap out of them. If it turns out they hid the breach to make a buck yeah, fine the crap out of them or jail the folks making that decision.

    How many of these cases do we get where the breach is the result of negligent corporate decision making? TJ Maxx - wasn't that a result of unencrypted wireless transmittal of CC data? Who the hell does that? Yahoo - aren't they being sued for delaying the release of a massive hack for months (years, I can't remember)?

    How often do you need to hear that abc corp was hacked and then find out that their cyber security was from the 1980's before you do something?

    As for class action suits. They won't make $$ for the individual. They fine the crap out of losers and make buckets of $$ for the lawyers.
    Agreed, penalizing companies for negligence is what should be done. As an IT engineer and a senior instructor, I like to read on how these breaches happen. Most of the time it is from the lack of security and lack of care. In essence, negligence.

    Target for example didn't even have a CTO. They were using easy solutions that were never meant for corporate level security. The same has happened with a myriad of other companies. Security engineers in companies tend to lose their jobs when something of this magnitude happens and it sucks. Most of the ones I know continually tell the executives what needs to be done but all they care about is the bottom line and how long they can get away with the status quo.
     

    Younggun

    Certified Jackass
    TGT Supporter
    Local Business Supporter
    hill co.
    Pretty much. I have 0 issues with fining or jailing folks who through their negligence or greed cause others harm. IMO having your personal info stolen is harm. If it turns out that Equifax has the IT wherewithal of the local Piggly-Wiggly yeah, fine the crap out of them. If it turns out they hid the breach to make a buck yeah, fine the crap out of them or jail the folks making that decision.

    How many of these cases do we get where the breach is the result of negligent corporate decision making? TJ Maxx - wasn't that a result of unencrypted wireless transmittal of CC data? Who the hell does that? Yahoo - aren't they being sued for delaying the release of a massive hack for months (years, I can't remember)?

    How often do you need to hear that abc corp was hacked and then find out that their cyber security was from the 1980's before you do something?

    As for class action suits. They won't make $$ for the individual. They fine the crap out of losers and make buckets of $$ for the lawyers.


    In that case I'll wait to see how it happened before calling for the construction of a gallows. Cyber attacks are a constant and evolving threat. If Equifax was negligent then consequences should follow. Otherwise, it's what we get for settling in to a system that puts so much personal information in one place. Learn from it and go after the criminals.
     

    Shady

    The One And Only
    Hard to go after criminals that are on foreign lands.

    With that said, if their security was not up to par or an employee clicked on a fake UPS notice, well then that's on them.

    In that case I'll wait to see how it happened before calling for the construction of a gallows. Cyber attacks are a constant and evolving threat. If Equifax was negligent then consequences should follow. Otherwise, it's what we get for settling in to a system that puts so much personal information in one place. Learn from it and go after the criminals.
     

    oldag

    TGT Addict
    You can and then could file your own but the time, money, and results still wouldn't be worth it in the end.

    Depends upon how bad your financial hurt was. A major identity theft problem (e.g., actually occurred, not just the breach itself) could run into six figures. Worth going after, and you can recover legal fees.
     

    Brains

    One of the idiots
    Spring
    The fact the hackers were able to acquire sensitive data in an insecure / plain text format proves Equifax was not following best practices. Or even accepted practices. Hell, not even entry level IT pleb practices.

    It would be the physical equivalent to putting all of your banking records on printed paper, laminating them for durability, placing them in a locked trunk out on your porch, and then hiding the key under the door mat.
     

    POLICESTATE

    Member
    Wylie, TEXAS
    Exactly, there is no excuse for this whatsoever. It's bad enough when it is 100 individuals, it's absolutely ridiculous when it's 1 million, and it's just friggin' criminally negligent beyond comprehension when it's 143 million.

    This data should have been heavily encrypted and logically segregated to prevent exposure and in the case where exposure were to occur that it would at least be mitigated down to a handful of accounts.

    For an organization like Equifax which works on nothing but private information on millions of people day in and day out this is unconscionable.

    I cannot see how any merchant that deals with credit and credit checks could rely on Equifax at this point, certainly they should not be sending any additional information to Equifax for the time being and instead do business with one of Equifax's competitors.

    One of the things that is most disturbing about this is that an alert and system lockdown did not occur in a timely manner. Not only was their security lax in terms of protection, it was also just as lax when it came to detection and alerts.


    The fact the hackers were able to acquire sensitive data in an insecure / plain text format proves Equifax was not following best practices. Or even accepted practices. Hell, not even entry level IT pleb practices.

    It would be the physical equivalent to putting all of your banking records on printed paper, laminating them for durability, placing them in a locked trunk out on your porch, and then hiding the key under the door mat.
     

    TheDan

    deplorable malcontent scofflaw
    Austin - Rockdale
    Doesn't matter how good the encryption or security is from external threats as it all has to be unencrypted to be usable at some point. Probably wasn't a "hack" but a disgruntled IT flunky with physical access, root password, and a thumb drive.
     

    TAZ

    Well-Known
    Round Rock
    In that case I'll wait to see how it happened before calling for the construction of a gallows. Cyber attacks are a constant and evolving threat. If Equifax was negligent then consequences should follow. Otherwise, it's what we get for settling in to a system that puts so much personal information in one place. Learn from it and go after the criminals.

    I think we are on the same page. I did not intend to come off as hang them and then find out what went wrong. If they have crappy IT security practices they need to pay.

    The second part of your concern is probably how we need to attack these threats. Not quite sure how to break this system of centralized data collection/storage. Without the services of credit reporting agencies the accessibility to credit would stop or at least be limited to merchants willing/able to take the risk. Either that or a huge return on layaway programs. Both would cripple our consumer-based economy. Either that or HUGE pricing adjustments would need to happen, which would kill the stock market. Neither is a good idea. Aside from a sealed report model where everyone's credit is sealed and nobody has any access without some form of authentication I'm not sure what to truly do. I'm all fine with executing hackers or tomahawk-ing hacking data centers, but I'm not sure what effect that would have.
     

    Vaquero

    Moving stuff to the gas prices thread.....
    Staff member
    Moderator
    Dixie Land
    I grew up where the bank was local.
    Board of directors and investors were local.
    Loan managers came out to the farm a few times a year.
    Bank manager signed off on loans.

    It worked.
    It would likely work today, if "corporate" America would let it.
     

    Texas42

    TGT Addict
    Texas
    Credit is the most widely marketed item in the US. So much easier to look at a score rather than figuring if a person actually has the ability to pay.
     

    JeepFiend

    Active Member
    Bryan, TX
    The fact the hackers were able to acquire sensitive data in an insecure / plain text format proves Equifax was not following best practices. Or even accepted practices. Hell, not even entry level IT pleb practices.

    It would be the physical equivalent to putting all of your banking records on printed paper, laminating them for durability, placing them in a locked trunk out on your porch, and then hiding the key under the door mat.

    Just out of curiosity, where did you read that the data was unencrypted and in plain text? I follow a lot of security bloggers, and nobody has reported that as far as I'm aware. I'd enjoy reading the article to see what other information they have. From my understanding, Equifax has been fairly tightlipped about the whole incident.

    The one thing most agree on is this has turned into a public relations sh!t storm for them.

    And while it may have been an internal job, it may have been a simple exploit that allowed system level access behind a 0-day exploit. An administrative backdoor was set up and the private keys were located. I can't speak for y'all, but every time I leave a security conference, I regret choosing an occupation in IT.
     