Equifax breach exposes millions

Criminals access data including Social Security numbers and credit info from about 143 million

The Mercury News Weekend - FRONT PAGE - By Ethan Baron, ebaron@bayareanewsgroup.com

Criminals accessed personal information of up to 143 million Americans — roughly 44 percent of the U.S. population — in a stunning data breach at credit-reporting firm Equifax, the company said Thursday.

Names, Social Security numbers, birth dates, addresses and some driver’s license numbers were accessed by criminals who exploited a website vulnerability, Equifax said. Also exposed to criminals were credit card numbers for about 209,000 U.S. consumers, along with credit-report dispute documents that identify about 182,000 more people in the U.S., the company said.

“It’s a rich set of very sensitive identifying information that doesn’t often get collected all in one place,” said Jonathan Penn, director of strategy at cybersecurity firm Avast. “It goes deep to the bone in terms of its sensitivity.”

The breach comes as businesses and the technology industry are locked in battle with cybercriminals and nation-state hackers who are becoming increasingly skilled at penetrating security and stealing data.

The Equifax data is so detailed that criminals could use it to steal a person’s identity and take out credit in their name, loot their bank accounts or go on a shopping spree, Penn said.

Equifax said 143 million people were “potentially” affected, but by describing exposed data as “information accessed,” the company is probably indicating that at least 143 million people were hit, Penn said.

Bloomberg News reported Thursday evening that three company executives — chief financial officer John Gamble; Joseph Loughran III, the president of U.S. information solutions; and Rodolfo Ploder, the president of workforce solutions — sold large amounts of their shares of Equifax stock totaling nearly $1.8 million in the days after the breach was discovered July 29. The Washington Post confirmed the sales based on Securities and Exchange Commission filings.

The stock trades were not part of a previously scheduled sale, federal filings show.

A company spokeswoman, Ines Gutzmer, said in an email Thursday night, “The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”

Equifax CEO Richard Smith noted the irony of the intrusion into a firm whose brand is built on the company’s reputation as a trustworthy custodian of highly personal data. Atlanta-based Equifax is one of three major credit reporting companies in the country.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Smith said in a statement.

“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident,” he continued.

While Yahoo’s two data breaches involved more victims — the information of at least a billion users was compromised — the data accessed at the credit-reporting firm is much more sensitive and valuable to criminals, Penn said.

Equifax “may have fallen behind in applying security updates to its internet-facing web applications,” said high-profile cybersecurity expert John Krebs. This was not the first serious data breach among the big credit companies, Krebs noted in a blog post Thursday.

In May, Krebs reported that fraudsters had taken advantage of “lax security” in Equifax’s payroll-services division. In 2015, a breach at Experian put 15 million consumers’ personal data at risk, and Experian also allowed an identity-theft scammer to trick the firm into letting cybercriminals view personal and financial data from more than 200 million Americans, Krebs said.

“The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers,” Krebs said.

Although Equifax said it reported the “criminal access” to law enforcement authorities and continues to work with them, it waited more than a month to reveal the incident to the public and to potentially affected consumers. The company said it discovered the breach July 29 “and acted immediately to stop the intrusion.”

The criminals had access to the personal data from mid-May through July, Equifax said.

Equifax has hired a leading cybersecurity company to conduct a “comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted,” the company said.

The firm will mail notices to consumers whose credit card numbers or records of credit disputes were accessed, it said.

It has also set up a website, www.equifaxsecurity2017.com, that it said would help U.S. consumers find out if their information was exposed, and allow them to sign up for a year of free credit-file monitoring and identity-theft protection.

The massive and highly intrusive breach should be a wake-up call for Americans to check online bank and credit card statements regularly, ideally every week, said Matt Schulz, senior industry analyst for CreditCards.com.

“We think nothing of checking Facebook or Instagram 10 times a day, but many think it is too much to ask to check your bank statements once a week,” Schulz said. “It’s not. It’s easy to do, doesn’t take long and can help you spot problems before they get out of control.”

The effects of the Equifax hack could take time to appear, Schulz warned.

“Just because nothing looks amiss on your bank statements or your credit report now, that doesn’t mean you haven’t been compromised,” Schulz said.

“Bad guys can be very patient, so it’s important to keep an eye out long after this story fades from the headlines.”

Equifax CEO Smith promised that the company would do a better job in the future of protecting Americans’ sensitive information.

“I’ve told our entire team that our goal can’t be simply to fix the problem and move on,” Smith said. “Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
