On the Equifax Data Breach

Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It’s an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver’s license numbers—exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

Many sites posted guides to protecting yourself now that it’s happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

The market can’t fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.

This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you’d be a profitable customer—everyone who wants to sell you something, even governments.

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you—almost all of them companies you’ve never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You’re secretly tracked on pretty much every commercial website you visit. Facebook is the largest surveillance organization mankind has created; collecting data on you is its business model. I don’t have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations—just in case I ever decide to join.

I also don’t have a Gmail account, because I don’t want Google storing my e-mail. But my guess is that it has about half of my e-mail anyway, because so many people I correspond with have accounts. I can’t even avoid it by choosing not to write to gmail.com addresses, because I have no way of knowing if newperson@company.com is hosted at Gmail.

And again, many companies that track us do so in secret, without our knowledge and consent. And most of the time we can’t opt out. Sometimes it’s a company like Equifax that doesn’t answer to us in any way. Sometimes it’s a company like Facebook, which is effectively a monopoly because of its sheer size. And sometimes it’s our cell phone provider. All of them have decided to track us and not compete by offering consumers privacy. Sure, you can tell people not to have an e-mail account or cell phone, but that’s not a realistic option for most people living in 21st-century America.

The companies that collect and sell our data don’t need to keep it secure in order to maintain their market share. They don’t have to answer to us, their products. They know it’s more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?

Yes, it’s a huge black eye for the company—this week. Soon, another company will have suffered a massive data breach and few will remember Equifax’s problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?

This market failure isn’t unique to data security. There is little improvement in safety and security in any industry until government steps in. Think of food, pharmaceuticals, cars, airplanes, restaurants, workplace conditions, and flame-retardant pajamas.

Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

By all means, take the recommended steps to protect yourself from identity theft in the wake of Equifax’s data breach, but recognize that these steps are only effective on the margins, and that most data security is out of your hands. Perhaps the Federal Trade Commission will get involved, but without evidence of “unfair and deceptive trade practices,” there’s nothing it can do. Perhaps there will be a class-action lawsuit, but because it’s hard to draw a line between any of the many data breaches you’re subjected to and a specific harm, courts are not likely to side with you.

If you don’t like how careless Equifax was with your data, don’t waste your breath complaining to Equifax. Complain to your government.

This essay previously appeared on CNN.com.

EDITED TO ADD: In the early hours of this breach, I did a radio interview where I minimized the ramifications of this. I didn’t know the full extent of the breach, and thought it was just another in an endless string of breaches. I wondered why the press was covering this one and not many of the others. I don’t remember which radio show interviewed me. I kind of hope it didn’t air.

Posted on September 13, 2017 at 12:49 PM115 Comments


Hamish September 13, 2017 1:14 PM

…”governments can raise the cost of insecurity high enough that security becomes a cheaper alternative”.

To what extent so you feel legislation such as GDPR will help push this forward?

Geoffrey Kidd September 13, 2017 1:17 PM

The problem with government regulation is that it’s a temporary (at best) solution, which quickly becomes a problem in itself. Regulated companies have a strong (to say the least) motivation to neuter regulation by getting people loyal to them in positions of power in the regulatory agency. See the Wikipedia article on Regulatory Capture for a description.

Remember the Interstate Commerce Commission? It was established in the late 1800s and quickly went all cozy with railroad and trucking interests, a situation which lasted right up to its abolition for being too cozy.

The FCC is staffed with former lawyers and lobbyists for AT&T, Verizon, Comcast et al. The FDA has a ton of personnel who worked for Big Pharma. The Federal Reserve is a wholly-owned-and-operated arm of the Banking Cartel. The list grows on.

If we establish a security agency, the same thing will happen because the personnel for such an agency will be drawn from (you guessed it) Equifax, Experian, Transunion, and other companies with a strong interest in maintaining business as usual.

I wish there was a solution that would work and work permanently.

Denton September 13, 2017 1:29 PM

I’ve recently heard an interesting angle on getting web companies to respect privacy and free speech. I don’t know if we can get this to apply to Equifax but I still find it interesting.

As @Geoffrey Kidd pointed out, the FCC has a cozy relationship with ISPs, but for now net neutrality is still being enforced. Net neutrality helps web companies, but hurts ISPs, and removing it will have the opposite impac. So what if consumers threatened to side with ISPs on net neutrality if web companies do not submit to some sort of privacy and free speech guidelines? I think there’s a lot of financial leverage here, though I’m doubtful that something like this could actually happen.

Idea credit: https://www.youtube.com/watch?v=le2R2Ps58pQ

Sean September 13, 2017 1:38 PM

Hopefully this breach will accelerate adoption of blockchain-based distributed ledger technologies in this field.

herman September 13, 2017 1:47 PM

If your data is out there now, then there is nothing you can do about it. Freezing your data at Equifax won’t make any difference to any other service where your data can be misused.

The only practical thing that you can do is change your name and the only sure thing that you can do is to die, which is maybe a bit harsh.

Otherwise emigrate, so that you get a new set of numbers in your new country.

Considering how fast data leaks out, you may need to emigrate to a new country every year or two.

Dan H September 13, 2017 2:10 PM

After the OPM hack (in the past I had a US DoD security clearance) I received my letter from them with a number to call. I never called and have had no negative consequences from it. Hopefully this has the same conclusion.

However, I don’t see more government regulation as an answer. There are regulations for regulations at the present. The fines, if they are levied, are never deep enough to cause harm to the company. How many shareholders did Target lose from their breach? Or JCPenney? Is the government going to levy a fine against themselves, or hopefully put out the closed for business sign if they’re hacked again?

It is a mass surveillance world now, and the population doesn’t either know or care. I’d say they really don’t care. If it doesn’t affect them, then no worries, and tough luck for those who are affected. Nobody is going to stop using Facebook or Google. Nobody has stopped buying at Target, Jimmy Johns, Wendy’s, JCPenney, or the countless other enterprises who were hacked.

Even if you pay all of your bills through the USPS instead of online, even if you use anonymous Internet, pay cash for your sub or burger, you still have to buy a car. That will put your information into the system with data to collect and sell about you.

There is no escaping it.

A “Brave New World” and “1984” have emerged from the pages of fiction to become our reality.

John Pane September 13, 2017 2:15 PM

Why do you call us customers in the first sentence? As you note, we are not customers, simply victims.

vas pup September 13, 2017 2:30 PM

Unfortunately, elected officials do something as soon they do have their own emotional stake in the issue, e.g when senator or congressmen (including their close family) become victim of such data leak and get personal suffering. That is only real motive/trigger to start adopting legislation as Bruce suggested. As more of them are victims, the better chance something would be done.
I see it like a cop fighting crime just as job duty or his family member was killed/raped by gang of criminals. You do see the difference. Are you?
All our decisions emotionally based, then we used logic to justify already made emotional decision.

What kind of legislation we should have? Just adopt European paradigm of privacy protection, There is no need to reinvent the wheel.

Regarding existing privacy policies of data monsters who do have it. It should not be like
statement that you do have privacy and company respect it, then 20 pages of small print of exception which basically negate your privacy altogether.

It should be minimum privacy standard set up by government (I like that Bruce finally accept the idea that self-regulation is not working. It is like elect prison ward out of inmates). Then each company to be more viable on the market could establish higher level of privacy protection then government established. That is how interests of folks and business should be balanced by government. Unfortunately, in pipe dreams only. Why? I agree with @Geoffrey and @Danton on that.

agent_orange September 13, 2017 2:31 PM

Market failures like this can only be solved through government intervention.

Or pitchforks and torches.

You allude to this when you say, “They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.”

But, not everyone can afford a legal team. Especially once his or her identity is stolen and bank account drained. Pitchforks and torches are cheaper than lawyers, and much scarier than lawsuits.

Traceroute September 13, 2017 2:40 PM

@ Bruce

“I can’t even avoid it by choosing not to write to gmail.com addresses, because I have no way of knowing if newperson@company.com is hosted at Gmail.”

Of course you can. Use https://ssl-tools.net
Type in the email address and see where your data travels. The Gmail servers will be visible in the traceroute output.

Bucktoothed Billy Bob Bodice September 13, 2017 2:56 PM


I won’t watch the video, but from your description it sounds like an empty threat. Suppose “web companies” as a whole call the bluff and unanimously decide to invest all of $0 into security infrastructure. Are consumers now going to submit themselves to a double whammy by revoking whatever net neutrality protections are left? And wouldn’t “web companies” who are owned by ISPs (Hulu) practically wet themselves at this opportunity? This is a terrible idea.

micha8s September 13, 2017 3:02 PM

In 2016, we got notified by a local hospital system that they’d had a breach, and it included our social security numbers. (Myself, Spouse, 2 adult children, 1 minor child).

Early March, we got a letter from the IRS. Some helpful stranger was trying to pay it forward by filing our taxes for us. IRS was suspicious and informed us; we were able to stop the IRS from any further action on the fraudulent filing. They also filed in a state we don’t live in (but that state sent us a letter acknowledging another fraudulent filing.) I couldn’t file early…we have one stupid investment and that company doesn’t have to get us their final data until March 31.

A day after we filed in early April, spouse got a letter from the IRS, indicating they now suspected unauthorized access to tax data through the IRS FAFSA tool.

Because the IRS caught it, it was more an adventure than a pain. I was not out any money, and because I took it seriously, the federal and state governments involved also should not be out any money.

One thought… the key is the SSN. Other information stolen is annoying but whatever. The email account I’ve given your comment tool is a yahoo account. So some attacker has an email address and password. if they dig, the’ll learn my “real” email account. It has a different password. SSN allows a hacker to do many things.

Yes, I think it’s time for the government to step in.

There’s no reason for ANYBODY besides the SSN holder and the federal government to disclose an SSN. If I want to finance a car, then I should be required to enter the SSN myself into a webpage form. That SSN then gets strongly protected (think HMAC-SHA-512), and transmitted in that fashion to Equifax. Equifax then performs a lookup and says “match” or “no match”.

It’s time for the Federal Government to step up and say “we own the SSN. If you choose to use it, any disclosure, whether deliberate or accidental, without the permission of the SSN holder AND the Federal Government will result in a fine of not less than 1 million dollars per SSN disclosed.”

I think a 143-Million dollar fine would get the attention of Equifax.

Mike September 13, 2017 3:21 PM

I concur that the only solution is government intervention. What needs to be regulated is not necessarily data security, but instead how data is used to effect identity verification. As long as one can open a line of credit with merely a name, address SSN and DOB, the consumer will always be the one feeling the pain of a data breach and not the company exposing the consumer’s data.

Coffee, Hot September 13, 2017 3:24 PM


For the most part I think you’re spot on. This is where the free market has more than failed; it has sold us out. The cost of our convenient cashless economy is the collection, analysis, and sale of our aggregate and personal spending habits. Big fill-in-the-blank Business is addicted to this incredibly detailed consumer knowledge and has no interest in living without it.

I don’t share your faith in the ability for government to do anything thing about it. Businesses will fight tooth and nail using lobbyists and/or any other means available to not only resist privacy movements but to expand the surveillance. Any feeble attempt at privacy legislation will be quickly shut down or gutted either by elected^h^h^hpurchased officials on any side of the aisle.

That, of course, assumes the ignorant masses could pull themselves away from the bread or circus long enough for government to take note. Like that will ever happen.

Denton September 13, 2017 3:26 PM

@Bucktoothed Billy Bob Bodice

Yeah the guy in the video refers to it as “Digitally Assured Destruction” and it’s basically an internet Sampson option. It’s not a good idea, but it’s one of the few ones left that might actually work.

Bob P September 13, 2017 3:52 PM

So what’s the ultimate solution to the Equifax breach and other future breaches that expose personally identifiable information that can be used for impersonation? In my view, the only viable solution is that it should no longer be legal for service providers to accept self-asserted, unauthenticated personal information such as a SSN to conduct certain kinds of transactions, such as opening a new line of credit. Instead, a secure authentication token such as a crypto public/private key pair needs to be associated with a SSN, so that a particular SSN can’t be used for identification purposes without authentication of the SSN by means of the token. Our personal information has not been truly “secret” for some time, and the Equifax breach makes that reality very clear. There should be no reason that our SSNs, or any other personal identifiers, need to be kept secret. Instead, let’s make sure that someone claiming a particular SSN is truly the person who owns that SSN. Let’s accept the reality that personal identifiers can’t be kept secret, and focus on ways to better authenticate claims to those identifiers.

vas pup September 13, 2017 3:54 PM

@Dan H
We have “1984” on steroids meaning Big Brother not only watched you by himself, but utilized mass data collection by private data brokers, businesses sharing customer information, you name it. They are exempt from FOIA and are not properly regulated. That combo Big Brother (government) with private business creates multiplying negative effect on your privacy.

May be rules similar to HIPAA should be applied to financial (other) personal information.

On SS#: Each company should utilized their own unique ID for customers. This ID could use SS# as seed for generation unique hash customer ID which is stored in DB, not SS#(seed). In such case it could be difficult to do x-ref on multiple data bases for the same person.

paul September 13, 2017 4:03 PM

It seems to me that involving the government is just introducing another third-party. The lobbyists and the government will work out their own deal, and I’ll still be the victim.

I would think I’d be better off if I actually had control of my own data.

GiantRat September 13, 2017 4:11 PM

Amusingly (disturbingly?), if you follow the FTC’s suggestion to solicit protection/oversight from Equifax and determine if you “may” have been exposed, you need to give them all of that data all over again (name, address, previous address, phone number, and, of course, SSN). Fortunately, we know we can trust Equifax to keep that data safe….

CallMeLateForSupper September 13, 2017 4:23 PM

“The [DoNotPay]bot, which launched in all 50 states in July, is mainly known for helping with parking tickets. But with this new update, its creator, Joshua Browder, who was one of the 143 million affected by the [Equifax] breach, is tackling a much bigger target, with larger aspirations to match. He says, “I hope that my product will replace lawyers, and, with enough success, bankrupt Equifax.”

“Chatbot lets you sue Equifax for up to $25,000 without a lawyer”

Tony September 13, 2017 4:27 PM

The most useful thing the government could do at this point is a new law on identity theft that shifts all responsibility for fraudulent accounts to the company that opened them. So a person who finds an account that isn’t theirs do no more than declare “not my problem”, and it is then up to the business to find out if it is. While they investigate the account shouldn’t be reported in any way that would negatively affect the victim.

Equifax and their co-conspirators in the data business need to invent something new to replace the social security number that underpins everything they do. As a “secret” that only the owner knows it has never been a good choice. Maybe this time the data leak is big enough to convince them that it is entirely worthless.

Iggy September 13, 2017 4:36 PM

I predict our banks will shake their heads when this is mentioned to them by a customer, marvel at how much crime there is out there, and then go right back to doing what they’ve always done, which is to just ask for “the last four of your social” to “verify” your identity over the phone? Until it happens to the bank president, nothing will change.

Iggy September 13, 2017 4:47 PM

@Paul, agree. New Day One means we are all issued brand new, completely different SSNs. It is now a criminal offense to even ask for it. Only the IRS and you know it. All commerce must issue you its own unique ID number for its tracking purposes.

Of course, until we turn back the court ruling that made our names and addresses public information available to anyone and everyone who bothers to ask or look up, we’re still the livestock.

It’s hard to get outraged and organized enough to pitchfork and torch march on City Hall when you’re working 40 hours a week. Perhaps we should pay those here illegally to just walk off the job for the day and march for us, because they’ll still keep their jobs.

And the band plays on….

who_done_it September 13, 2017 5:25 PM

No premature finger pointing? I suppose the usual suspects would have simply purchased the leaked data..?

Mike Barno September 13, 2017 5:38 PM

@ Herman,

… the only sure thing that you can do is to die, which is maybe a bit harsh.

But no harsher, and no less certain, than it was before this breach.

See? Bright side!

Otto B. Alaw September 13, 2017 5:38 PM

All personal electronic data should be made personal intellectual property by law and thus have monetary value, become insurable and protected by the Constitution.

Of course that’s not going to happen because of our dysfunctional government that has been bought and paid for by rapacious corporations and their lobbies many times over.

Go ahead and give Equifax a nice fee for collecting and distributing your data, right after you stop banging your head on the wall. Both are self-defeating and harmful.

Julia September 13, 2017 6:07 PM


This, of course, doesn’t catch mail delivered to GMail by email forwarders.

Most obviously Spam Gourmet which works by forwarding a limited number of emails to a real account. The real address behind a public address could quite easily be at GMail.

Email forwarded from a published domain email address to another provider. It used to be quite common for web hosts to forward email to addresses at the domain to another email address nominated by the customer. Recently I discovered that the free web hosting service 000Webhost still does this.

Then, of course, there’s always the people who forward your email to others.

G September 13, 2017 6:18 PM

Market can solve it through liability not regulations. The problem right now is that there is no real liability associated to disclosure of the data. We have liability for personal injury or death.

If you put a dollar amount for disclosing such information (e.g. 20% of the net worth of an individual), Equifax and others in the business would have an incentive to protect the data, an incentive to buy insurance (with the associated diligence from the insurer), or they would get out of that business.

Milo M. September 13, 2017 7:13 PM


“Some helpful stranger was trying to pay it forward by filing our taxes for us.”

Too funny. Nice that you can laugh at it.




“As the IRS enters the 2013 filing season, we now have more than 3,000 employees working identity theft issues. Despite these efforts, the IRS continues to see a growing number of identity theft cases.”

Seems like the fake filers trying to steal others’ refunds would need some inside information. How do they know that you’re due a refund? And how do they get W-2s and 1099s? As a devoted Luddite, I’m still filing paper returns, so maybe e-filing makes the theft easier.

Some good advice from Consumer Reports:


Note that a fraud alert is free, unlike a credit freeze.

Rhys September 13, 2017 8:26 PM

@G and @not one iota

When TRW owned most of what Equifax acquired, it was pen-tested by multiple, isolated internal groups. Internal networks (multiples) had multiple, independent firewall configs and not all IPv4. Extensive use of sandboxing, particularly for exfiltration. Nothing encrypted that could not be decrypted and scanned was permitted. Nothing. Perturbation of DNS & gateways to illuminate asymmetric truth tables. No in-band device command sets permitted. Network clock… So much more.

All trimmed out by technophobes after acquisition.

Market only works where ownership of assets is clear. Ownership was deliberately muddled here in USA for oligarchy benefit sanctioned by Government.

Your data was equivocated to where “data” on storage media is a different asset than the personal information itself. A legal fiction for industry “conversion”. And facilitating the ‘Fagan’ business models of these businesses.

Unless you, and others, strike (‘freeze’ your credit) and work without further credit, they believe you are too highly leveraged to pursue alternatives. Alternatives would be an indication of a healthy, free market. The fact that alternatives don’t exist should be prima facia its not a free market. And liability is diffused to ensure tort recovery is battle of attrition.

At least, don’t reward Equifax by using their monitoring service.

AND DO NOTE: Equifax asks you to provide the last 6 digits of your social security number to see if your a candidate. Leaving only 3 digits for hackers to solve for. And across your computer or cell phone, network, and provider giving them more plausible deniability that if you are identity cloned- proving that Equifax was the sole source will be more complicated. Strict & proportional liability is lengthy discussion.

James September 13, 2017 9:55 PM

I’m sure that there is a possible state of the world in which government regulation corrects the problem of data breaches. However, since the SSN was created, the government has created thousands of pages of regulations for companies to comply with. Those regulations have not prevented any of the data breaches that have actually happened. These are just facts.

Does it seem likely that the government will create some regulation in the future that will prevent data breaches? We all know the answer on this one.

Of course there is a market based solution to these data breaches. Companies could stop using government assigned identification numbers, which would eliminate the threat associated with data breaches that exposre the numbers. Unfortunately companies cannot implement this market based solution because they are reguired, by regulations, to use those government assigned numbers to identify their customers.

Drone September 13, 2017 9:59 PM

“Market failures like this can only be solved through government intervention.”

Nonsense, add Big Government to the “Market Failure” as you call it, and all you get is a fuming rancid stew comprised of “Market Failure” PLUS incompetent and corrupt “Big Government”.

This problem will never be “fixed” until the users demand it…

Here’s how your typical social media addict responds to warnings that they are being tracked 24×7, and how it will harm them sooner or later:

“It never harmed me, plus I like the targeted ads, and their service is free. So stop bothering me!”

That right-there folks is akin to Impenetrable Armor when it comes to behavior modification tactics.

Until these complacent users are actually harmed in a serious and massive way – the problem isn’t going away.

Unfortunately the bad actors that abuse stolen user data know this too, so they’re careful and milk their benevolent Data Cow over and over over time. They don’t slaughter it for one massive feast.

Winston Smith September 13, 2017 10:04 PM

Equifax’s first reaction was to provide for credit monitoring but with the caveat that you indemnified them from responsibility (you can’t sue for their breach):

Then it was revealed that once you placed a freeze on your credit report, the PIN they provided to lift the freeze was nothing more than a timestamp:

Only today will Equifax now offer free credit report freezes, whereas prior to today, these freezes were costing the individual:

But the free credit report freeze is temporary:

Equifax reveals brazen ineptitude and contempt for the citizen. And no one will care in a month from now. Altogether, disheartening.

Ari Trachtenberg September 13, 2017 10:55 PM

You may not be using facebook or twitter or google+ … but your blog interfaces with these to providers to allow them to track your reader’s interest.

Government regulation is a terrible approach, in that it hardly ever works well. Why not:
* insurance industry-promoted regulation (like the UL for devices)
* enable lawsuits for data breaches

Clive Robinson September 13, 2017 11:48 PM

@ Bob P,

Instead, a secure authentication token such as a crypto public/private key pair needs to be associated with a SSN, so that a particular SSN can’t be used for identification purposes without authentication of the SSN by means of the token.

Whilst I agree the current situation is not acceptable, what you are proposing is just as wrong but in the other direction.

History even recent hitory shows us it can and almost certainly will be used as a way of “official” persecution in one way or another. Worse it will be implemented in a realy bad way and become a centralised target for criminals etc.

The other issue is take a look at the history of Crypto and identity security. The crypto algorithms that get used have not lasted for various reasons DES did not realy make it to “it’s comming of age”, various hash algorithms have been found to have problems and the use of them depreciated. We are now scrabling around for “Quantum Computer Proof” algorithms because the PubKey systems we use curently are “assumed” to be vulnerable to Quantum Computing[1].

But underpinning all crypto security is an assumption, that there are truely random events in the physical world that can not be determined in advance or based on previous events. Thus the keys etc on which the security of crypto algorithms rests –when in use–, can be securely generated. The simple fact is whilst it might be true determaning what is truely random from what is somehow determanistic is at best difficult. Which history has shown can be quite embarrassing when an attacker can guess your keys etc, with considerably less effort than was assumed possible. As a matter of engineering truely random bit generators are very difficult to make and test. Those built into computer chips are more an act of faith than anything else. It’s suspected that the recent issue with Estonia’s cards are down to faulty random bit generators on the smart cards.

Looking at the history of electronic bank and smart cards, they have not been a resounding success longevity wise either. Their greatest success realy is demonstrating just how little attention gets paid by politicians, civil servants, managment and even engineers to the design of security systems. Likewise as we know from the usage of credit cards and checque cards, those responsible for checking the card against the person holding it will for a multitude of reasons fail to make adequate checks. Likewise we know that passport checking is actually quite a failure for similar reasons, hence the push to biometrics that are hoped will be a little bit more reliable.

But worst of all any such security system will suffer from the same “usage creep” that happend to Social Security Numbers, that were never designed to be a method of security or identity in the first place. It will quickly become “overloaded” in use and in effect become a “National ID Card” the carrying of which at all times will become a legal requirment enforced by draconian fines and imprisonment. To aid this new revenue stream the cards will almost certainly have some form of “Near Field Communications” thus making any doorway you walk through not just a detector for finding those to be fined but also tracking everybody else. Thus making the implementation of a Police State several steps easier.

[1] It has been reasoned that many algorithms that currently take prohibitively long periods of time –such as searching/factoring etc– will become practical with Quantum Computing (QC). Such algorithms are used in certain types of crypto algorithms because of the prohibitively long times gives a significant work factor to an attacker thus increases security. If QC becomes practical many systems that are curently assumed to be secure because of the work factor will quite suddenly become very very much less secure.

Thomas Sewell September 14, 2017 12:29 AM

If you can sue Equifax for all damages resulting from your data being revealed and have that lawsuit’s damages (individual or class action) decided in a timely manner by a jury, then the problem becomes largely self-correcting via incentives.

Working for one of the two most security-regulated industries in the country (and my opinions are my own, not my employers), I can tell you that while there are a ton of financial information security requirements from the feds, many of them make little sense (reset your letter/number/symbol passwords every 60 days, install all patches immediately no need for much testing) and the rest are either things which would be done anyway, or have massive compliance costs (patch everything every month, instead of every quarter!) which mostly serve to reduce competition from financial institutions not large enough to afford them.

It’s seems a big silly to say that the government created a national identifier, then it’s a market failure when it fails to protect it or prevent it’s misuse. The existence of the SS# as a trusted personal identifier is the root failure here.

But at the end of the day, how many people will actually be damaged by this breach? Effectively, this may affect every adult American. At that point, will credit issuers stop using the information these store as a way to allow credit to be granted? If not, then for some reason the government is allowing them to get away with hurting you when you never contracted with them (that was the fraudster, not you). Solve that problem instead and then it doesn’t matter if the info is sufficiently protected or not, because it never will be, offense beating defense in these matters.

matteo September 14, 2017 2:15 AM

be careful because seems that equifax offers a “free money monitoring service” but to use it you are FORBIDDEN TO SUE THEM IN A CLASS ACTION.

i’m not american so i’m not 100% sure but i find this unfair.

Clive Robinson September 14, 2017 4:42 AM

@ matteo,

i’m not american so i’m not 100% sure but i find this unfair.

It is, and may not even be legal.

It can probably be easily shown that Equifax was entirely at fault for this loss. They realising this have gone down into a poor defensive strategy of jump in a hole and blindly fire in all directions. As a secondary line of defence they are also trying to avoid any liability.

The US justice system is one where both sides pay their own costs, which would normally alow a large corporate to flick away claims from ordinary people by a whole load of legal tactics repeated over and over for each case. Thus the point about a class action suit is to “redress the balance” to give more “equity at arms” as well as providing the individuals with a degree of protection[1] and importantly not tie the slender resources of the court system up for an indefinate period.

Thus Equifax will try just about every trick they can to prevent a class action that they could easily lose big on if the jury decides they have been not just at fault but also negligently / willfully / maliciously so.

The scary thing is that Equifax will probably profit from this mess they have engineered.

[1] One problem individuals face when taking action against a corporate, is the corporate may well go digging for dirt any which way they can and that alone can cause the individual problems with employment, family, etc even if there is no dirt to be found or invented.

Tim Spellman September 14, 2017 5:35 AM

To avoid identity theft, make sure your SSN is a combination of numbers, upper- and lower-case letters, and special characters. And change it every 90 days.

Ph September 14, 2017 6:30 AM

Great article.

Finally someone who understands that people don’t want to jump through many hoops just to try to minimise the harmful effects of careless companies that are mainly focused on making money for themselves and don’t care about others people’s lives.

Ollie Jones September 14, 2017 6:56 AM

If the events of the past few years have taught us anything, it’s this: nobody can keep a cache of secrets forever. Not even state actors with a focus on infosec and unlimited funding (NSA) can do that.

So we need to rethink this whole space.

There’s an English common law concept called “strict liability.” If a farmer has a bull, and the bull escapes the farmer’s field and does damage in the village, the farmer is liable. The farmer is liable whether or not he was negligent in allowing the bull to escape.

If I have a pond on my property with a well -constructed and -maintained dam holding it place, and the dam breaks, and my neigbor’s car is ruined by the water, I owe her a new car. I am strictly liable for damage done by the water I impounded on my property.

The bull and the water are inherently dangerous. They inevitably escape. So, if they’re mine, and they escape, under common law I’m strictly liable for damages. It doesn’t matter whether I was sober or drunk, awake or asleep, or letting my nutty nephew play toreador. I’m responsible when the bull busts up the china shop on main street. The china shop owner does not have to prove I’m negligent to get compensated.

A cache of secrets is inherently dangerous. The more secrets there are in the cache, the more dangerous the cache is. A government personnel-records system is dangerous. So is a credit bureau’s list of subjects, or a state actor’s cache of day-zero exploits against common operating systems.

The organizations holding this information need to be held strictly liable if the secrets they hold are revealed.

Farmers manage their risk by keeping their bulls far from the village, and not keeping more bulls than they need.

IT Organizations need to manage their risk by keeping fewer secrets in smaller caches. And they need to plan to compensate persons who are harmed if those secrets escape.

This is the way workers’ compensation works, and the way the fund that compensates people injured by vaccines works. It needs to be the way data-leak damage works.

JonKnowsNothing September 14, 2017 7:28 AM


Companies could stop using government assigned identification numbers , which would eliminate the threat associated with data breaches that exposre the numbers. Unfortunately companies cannot implement this market based solution because they are reguired, by regulations, to use those government assigned numbers to identify their customers.

Companies already DO have such numbers, “lots and none at all”.

Inserted into data packets by “some big ISPs” (and Im sure others) are universal identifiers assigned by them to you. You won’t know it, cannot change it, cannot opt out or remove, delete etc. etc. etc.

Its the perfect next hack*… because you have no way of ever fixing it.

  • Depending on one’s definition of hacking and who is doing it, it’s already in progress.

Marc-André Servant September 14, 2017 7:54 AM

“I have no way of knowing if newperson@company.com is hosted at Gmail” Actually you do, you can check the MX records for company.com using dig. But this is hugely inconvenient, not only because you don’t want to open a shell every time you write an email, but also because Google is so widespread that you often can’t find a way to communicate that doesn’t go through Google. I know Google’s motto is “Don’t be evil”, but the fact that they could turn evil if they wanted to (and you’d have no alternative) is still quite scary.

François September 14, 2017 7:57 AM

Did you know that the GDPR law applies to you, US guys, while you are present on the soil of EU?
So next time there is a big data breach while your on holiday here, you can complain to our instances and they might hit the responsible with a mega fine…

fdsa September 14, 2017 8:01 AM

I didn’t know the full extent of the breach…I kind of hope it didn’t air.

I think we all know that feeling

JonKnowsNothing September 14, 2017 8:08 AM


There’s no reason for ANYBODY besides the SSN holder and the federal government to disclose an SSN.

The original paper SSN issued by the US Government states

“Not to be used for identification”.


… think a 143-Million dollar fine would get the attention of Equifax.

I think Equifax would jump on that deal. A SWAG is that’s about 10 minutes of revenue for them.

Think bigger and then… think “AT&T, IBM, Microsoft…”

Nothing happened and nothing changed.

What’s worn under a kilt? Nothing. It’s all in perfect working order.


de La Boetie September 14, 2017 8:31 AM

@Ollie Jones – exactly, the emphasis on common law is way more effective than regulation.

The “rotten burough” of the way the law is currently operating is a huge part of the problem. We see in many areas, the law is made for people who harm others on a large scale, but who get away free with their bonuses and often job intact. People and organisations playing fast and loose with other people’s information without consent, and harming them by their carelessness, to make money. Color me old fashions, that used to mean fraud, these days, it’s corporate profit.

I’d go further – it’s not the organisations that need to be hit with big fines – it’s the Directors in jail and having their bonuses & remuneration clawed back as a result of these breaches.

If the state can’t enforce the common law, it’s not good for anything.

Peter Nayland Kust September 14, 2017 9:17 AM

Regulations on security matters are invariably the barn door that closes after the horse is gone.

Regulations are by nature reactive. They aim to prevent the next crisis, not solve the present one. In most realms, that is sufficient, but in data security it is merely an exercise in futility. Threats are constantly changing, and while regulations are reactive, security, in order to succeed, must be proactive. What regulations are not and can never be, security must be.

After the 1929 stock market crash, among the reforms that were instituted on Wall Street were the Glass-Steagall restrictions that separated investment banking from deposit banking. Essentially, banks could no longer gamble with customers’ deposits.

The only way to prevent the next Equifax-style data breech is a Glass-Steagall for data. Personal information must no longer be collected and sold, at the very least without the explicit consent of the individual and preferably not at all. Eliminate the massive centralized stores of personal data and the threat of a massive data breach vanishes.

blablablaginger September 14, 2017 9:22 AM

In my view the biggest risk to the general public from this mess is credit fraud, and on that front maybe the breech might have a silver lining. Now that all the forms of information that creditors generally use to authenticate borrowers is potentially public and untrustworthy, creditors will have to do a proper job of authenticating the borrowers and assessing risk themselves. Just having the DOB, name and SSN of a good risk will no longer be enough to borrow. Lenders will have to see verifiable evidence like actual pay stubs or bank statements — something that Equifax didn’t have in the first place — before issuing credit. For someone who doesn’t need or want new credit, I think it may actually decrease the risk, because the info lost by Equifax will simply not be enough to effectively get credit in the future.

parabarbarian September 14, 2017 9:26 AM

When regulations become contrary to a business’s interests, the first thing bought will be the regulators. Asking to get government to fix something it broke in the first place is — well — foxes and hen-houses come to mind.

If we are dreaming, then a good place to start would be to repeal the stupid laws that allowed the SSN to become a universal identifier. Return the number to its original function as an account number for the individual’s Social Security account. Then make it illegal to even ask for it outside the context of Social Security. Then do the same with the Driver’s License number. Then make it absolutely illegal to use any government issued number as an identifier outside of its original context.

If the credit companies, banks, and Google want a unique identifier, let them create one (or many) and pay for all the associated costs themselves. Only an idiot still believes the taxpayers should subsidize their own subservience.

HJohn September 14, 2017 9:31 AM

Even if regulations protecting PIIA worked perfectly, PII would still be disclosed. The whole purpose of personally identifying information is so people can use it to identify themselves as a person. IOW, there will always be situations where the information must be disclosed, and there will always be untrustworthy people that come across it.

The root of the problem is we have taken a never changing unique identifier and we try to use it as an authenticator. That is inherently problematic. It would be like granting access to a network using just a user ID that never changed and that we tried to keep secret, but we had to tell people what it is from time to time to prove we are who we said we are.

The real problem is the information is simply too easy to use. If it were harder to use, it wouldn’t be as valuable and breaches wouldn’t be as devastating.

I don’t know exactly what the solution would be, but I do know that treating a never changing identifier such as a social security number as a private password always has been and always will be destined to fail.

Mike S. September 14, 2017 11:30 AM

When the dust settles, Equifax will agree to offer affected consumers one year of free credit monitoring. This is pretty much what as offered as a result of the OPM breach.

I am already paying for identity theft protection. At an absolute bare minimum, they should be required to pay for a year of the service I already have.

Equifax should be penalized thousands of dollars per affected consumer – make it really hurt them. Maybe make it bankrupt them. Maybe the executives should spend a decade in prison – real prison, not Club-Fed minimum security prison.

It is all about incentives. Right now, there are insufficient incentives to get large companies to protect consumer data.

Julie September 14, 2017 11:39 AM

We dont choose to have a #SS. We are assigned one by our government. It is a requirement. It makes no sense that this same government doesn’t already regulate the usage and storage of this number.

The problem with enforcing govt control at this point is HALF of all SS#s are out in the wild. The system is broken. Bandaids are all we can throw at it now. A new system is needed. One that takes the modern computer age into account, not the paper world of our grandparents.

Every single victim of this breach should request(/demand) a new SS#. That might get the attention of the govt.

BTW, anybody notice the url of the Equifax page with the form that tells if you might have been compromised is “…/eligibility”?

Marvin September 14, 2017 11:48 AM

I respectfully submit to you that the government is the root cause of these problems, not the solution. The government brands us with a Social Security Number at birth whether we want it or not, which then becomes our de facto national ID number. Because we’re stuck with it for life, stealing it is very valuable to criminals. By using the government’s system and its corresponding moral hazard (namely, SSNs) on our credit files, multiple industries and corporate leaders have opened the floodgates to these hackers to steal the very valuable national ID numbers forced upon us by the government.

We need regulation, but it must be genuinely market-driven regulation, not more of the legislative regulation which gave us these problems. If government wants to do something productive to stop these problems from continuing, it should begin by abolishing Social Security Numbers, which will then undercut criminals and force corporations to figure out different, more secure ways to handle credit files.

Matt September 14, 2017 11:53 AM

As bad as it is for Americans, it’s worse for Canadians. We can’t even validate whether or not our data was part of the breach, and Equifax Canada is being even less co-operative than its US parent company. According to the parent company, Canadian data was leaked, but we don’t know how many people were affected. Even if we did know, we have zero clout to force a US company to change its practice. Once the data crosses the border, we’re screwed.

Winter September 14, 2017 12:28 PM

The new EU GDPR would have made Equifax take notice:

In Equifax’s case its 2016 operating revenue was ~$3.145BN. So — under the GDPR regime — the company might have faced a fine of around $62.9M if it hadn’t reported this data breach multiple weeks sooner than it chose to. (Indeed, it’s expecting its full year 2017 revenue to be even higher, between $3.395BN and $3.425BN, so this theoretical fine inflates to as much as $68.5M.)


vas pup September 14, 2017 1:33 PM


The main task of ZITiS is to break into networks and to break encryptions – those are things that you can only do by exploiting security gaps,” he said. “This agency’s task is not to close these gaps, but to use them. But computer technology will only become safer if you close these gaps – it’s actually quite sick. ZITiS should be shut down before it’s opened.”

Richmond2000 September 14, 2017 1:54 PM

it is interesting to talk about “market failure” when I would say it is a roaring success
there is a full “ecosystem” of data miners/brokers data markets all so successful that robbery( data theft-hacking) IS an actual risk and like OTHER successful markets the government regulators are more interested in profiting and OR prevent ABUSE and the POLICE investigate AFTER the BANK WAS ROBBED not BEFORE

and the US SSN is “perfect” as an identifier for the VERY reasons ot is SO DANGEROUS to “lose control” of as it IS PERMANENT and issued to ONE person ONCE

Bob September 14, 2017 4:23 PM

An important immediate note on credit freeze:
Do not try and do a credit freeze to the 3 bureaus during prime time. A relative of mine got stuck at the Experian site. It said to mail in the documents and proof of identity. Once that happens, your profile is stuck like that. You can not go back another day to upload proof of identity documents.

  • Do not know if this is a permanent policy in place because their servers can not handle the bandwidth. Try doing this during business hours, not primetime.
  • You are sending critical documents(hopefully cert return receipt) snail mail. Consider the physical security implications and work visas handling your sensitive documents.
  • I hope Experian’s PO Box is the size of a warehouse. No one could upscale for this situation. This is part of the fallout.

I needed explicit details about the breach because trustedidpremier looked like one huge wanip scrape for profile association. Define security breach for me. If they let this happen for months, how do they technically identify a compromised account. I am questioning their competence. We can fill in the blanks for possibilities, or we can demand a better explanation. Their stock was ditched before this happened.

Finally, these credit bureaus have customer reps in another country. Since they do not trust US citizens for employees, they let the rest of the world see our plastic debt crisis. That is an interesting security policy.

Bob September 14, 2017 5:45 PM

@Winston Smith
Regarding the Techcrunch link, that news post is confusing people. Credit Freezes are permanent until you pay again to unfreeze, or pay a little more for single party whitelisting. It is the fraud protect, which they are also giving for free, which generally lasts only around 90-days regardless. That particular fraud protect is temporary and not as strong as the freeze. On top of that, they are pushing account guard/watch services which is apart from those.

People should just do the credit freeze, which is strong, whereas the fraud protect thing is sort of a joke. I think the techcrunchies are mincing concepts. Equifax is giving both for free, feeling guilty, but the other bureaus will still charge based upon state:
Has a link to per-state fees

If you are job interviewing, leave the freeze, and tell the company. You must choose to unfreeze or whitelist for a little more cash.

Logic: do the freeze anyways. None of those three options above would probably protect against an Ed Snowden-style data siphon. My gripe is not knowing if it was internal. Since this is technically a regulated, offloaded industry control, I feel the people deserve disclosure. We have seen Congressional Committee or judication cover up the truth.

Chad C. Mulligan September 14, 2017 7:26 PM

I see that they are going to issue us old folks new Medicare numbers, not use our SSN anymore. But not until next spring, says the report.

Louis September 14, 2017 9:28 PM

I usually keep my posts short, but having recently gone to a GDPR training, and actively involved in a compliance project, I feel there are a few things to cover, so sorry for the long post.

First off, my view: EFX messed up really bad (infuriatingly so), and at the same time, they are trying to get off easy. There is a lot of spin and PR, and obviously, there was a lawyer in the room as well.

A few facts/notions are worth mentioning,

EFX does not have 145 M customers, it has a few thousand financial institutions as clients. But it has the responsibility and accountability to process the personal data of 145 M data subjects. That’s us… We are data subjects, as it is our information that is now being pawned on the dark web.

I say responsibility, because they are gathering this information from the agreements they have signed with financial institutions that also consume their processing. I worked at an FI, when a contract was being signed with one of those big names, and we were insisting on all ISO 27000 controls, and more, like geographic location of data.

I say accountability, because the banks are the ones that asked us for the personal data, and in those forms we sign, they make the promise to protect our personal data. The consent forms also mentions they will share the data with third parties, and EFX is one of them.

You are a customer of the FI’s and they send your data to EFX.

So here is the money train: EFX signs with FI’s, gets their transactional data and gathers it to profile consumers and their transactional habits. In turn, they sell back the value added analysis to the FI’s (basically, your profile) to enable them to make sound decisions on your requests for loans, etc.

I find that Europe is way in advance from North American legislators, and more gutsy with their fines; France’s CNIL can impose jail time for personal data breach, imagine that with Rick Smith being pulled away by policemen at the end of his video.

So GDPR is EU’s newest such regulation that will ensure data brokers like EFX are kept in line.
In my view, for this breach and all the ensuing blatant mistakes, Equifax would be fined the maximum right away, 4% of their global turnover, which I read was 3BN$, so make that 120M$ fine. This would be enough to plummet the shares. Enough for C-Suite to understand the compliance risk is real.

Come to think of it, FI’s and EFX would be declared joint controllers, so the FI’s would also receive a 4% fine…
Someone at EFX can thanks the heavens this breach took place this year, not 2018 when GDPR is actively enforced…

For fun, let’s take a look at what possible GDPR requirements EFX has failed:

Breach notification 72hrs. They obviously took a lot of time to prepare that wordpress site, right ? I think the PR and spin doctors had signed NDA’s and were reeling in the consultant fee’s during those 40 days. I wouldn’t be surprised if the most common expression was « what’s the strategy here »…

Another related question would be who else knew about the breach. Surely they advised their real customers, the FI’s. After all, don’t we all put those terms in the contracts.

Privacy by design, there has to be consideration for the data subject’s interest. Clearly, having those reports so close to the Internet-facing web server’s reach is a failure in that respect. And lack of means to uncouple the data at the low level…

Data minimization, if the core systems were not affected, then what was it ? Was it some kind of report generator tools that should have limited access to the last year’s information or possibly was it a stash of PDF’s like the Panama Papers… Surely, there was too much information lying around on those non-core systems.

GDPR states that data controllers (FI’s and EFX) must protect the data from unauthorized access. This is clearly stated. Using technical and organisational means, also clearly stated. EFX saying that core systems were not affected seems like a strategy to comfort people their core systems are rock solid, yet it shows culpable practices in the non-core. Have it any way Rick wants, they infringed something, period

The EFX breach will become the textbook case in GDPR studies

Bardi September 14, 2017 10:36 PM

As obscene as it used to be, there used to be a procedure to post a decapitated head on a pike at the entrance to a town with something describing that which brought about such an indignity. Our culture has fallen out of that kind of notification. Perhaps we should reconsider. I am certain our culture could come up with something with similar effect that would not require decapitation, or, maybe, Trump’s Cabinet Appointee unjustly kicking people out of their houses come to mind. I read that it worked well in the past.

I took a credit CEO to Europe some thirty years ago. While talking, he revealed that his company made several hundred million per day just on the float. I think many “Americans” have no idea how much money these guys make each day. A fine should be no less than 10 percent of the gross, nothing less. That might replace the “head on a pike” message.

Toby September 14, 2017 10:51 PM

Our technology and security standards have and continue to evolve. NOW seems like the perfect opportunity to start shifting the onus of better identity verification to companies that rely on this information. If Bank of America lends money to the Prince of Kenya thinking he was me, I shouldn’t be on the hook to repay it – their mistake. Any company the solely relies on publicly available information (all of equifax) to “prove” my identity is negligent and I wonder if they’d have any claim on me when they come to collect. We can then stop trying so hard to protect data that is bound to be hacked and exposed.

Drone September 14, 2017 11:16 PM

“Equifax could have prevented the data breach two months before it happened”


The timeline

  • On March 7, the Apache Software Foundation released a patch for the vulnerability that Equifax has confirmed caused the breach. Both the vulnerability and the patch were widely known within the industry.
  • The breach itself began in May, with exposure continuing into July. Equifax discovered the breach on July 29.
  • Equifax announced the breach affecting approximately 143 million consumers on Sept. 7.

What the experts are saying

The Apache Software Foundation: “The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner.”

Michael September 15, 2017 8:59 AM

Anyone want to talk about the requirement that filing US Income Taxes we are required to file electronically through one of the companies that Offers Income Tax Services. All because we can trust one of many private companies in that biz.

Nick September 15, 2017 9:02 AM

All the points you make are correct, but to be fair, there’s already gov’t regulation for security-it’s called FedRamp. Currently, FedRAMP certification is quasi-optional for selling your SaaS products to gov’t agencies, but still, from FedRamp we can know roughly how a gov’t regulation on security would look.

And FedRAMP is a catastrophe. Hundreds of pages of totally irrelevant forms are required. They refuse to identify any concrete steps that must be taken to secure products (like setting an HSTS header), and instead demand you have “annual security training” without any conditions on the content therein. The employees of FedRAMP are not technical and refuse to offer guidance about the vague requirements outlined in their templates.

Bad regulation is worse than no regulation, and history suggests that we’ll get bad regulation.

Erik September 15, 2017 9:59 AM

The root of the problem is that in the US we continue to treat widely used and known identifiers as if they are secret. Especially the SSN is often used in whole or in part as the code for pre-creating or bootstrapping account creation and recovery. Although many in the tech community abhor government administrated ID schemes, such schemes appear to be a better path forward than the futile attempt to make the SSN secret through regulation.

We already have state laws regulating issuance of birth certificates (as I understand making it illegal for others to vouch for this information). The states are therefore a natural place to start. Nordic countries have shown that there are multiple approaches, with varying splits of responsibilities between governmental and corporate entities, for creating and running voluntary electronic ID schemes. Whether the schemes are rooted in biometric identifiers or verification of a trusted ID card should be allowed to vary, such that multiple robust and secure methods are available if one later fails.

Although no scheme will be perfect, neither are the ID schemes routinely used by enterprises. To maintain the ability for individuals to opt out, it should be mandatory that there is at least one alternative secure process for bootstrapping identification during account creation (likely more cumbersome and slower) for those that so desire.

We still need privacy legislation to limit scope for entities to compile and sell information about individuals as a precondition for receiving services.

Bob September 15, 2017 10:40 AM

I would like to remind people to discern speculation in news posts. I just picked apart Threatpost’s latest entry on this:

I have read Threatpost for a while now, and know them to be guilty of feeding readers speculation in order to pretend they are on the leading edge of the story when no one has official statements. None of the people referenced in that news post were close to the situation. That means they were not in the Equifax cubicles when this went down, even if someone from Apache said EFX did not update their servers for months. That does not mean that is what really happened. Logic games.

I am concerned about another discrepancy in that post. Brian Krebs posted:
Holden Security associates from Argentina caught an Argentina EFX server with admin:admin credentials.
(1) Krebs posted date is Sep 17. That day hasn’t happened yet, and commenters were from days ago. This dating obfuscation is not professional journalism. Would you know if news were pre- or post-dated?
(2) Krebs has no weight. He is a journalist by trade, not a tech. He has notoriety for leading the Stuxnet story. How so if that was a govt op? He was spoon fed. How did a Hungarian security firm run the tests so quick like? Exactly. BS factor.

The fact that Krebs worked for Washington Post doesn’t indemnify him to anything but PBS NewsHour intellect… shallow.

It is as if they read my prior posts and decided on a cover to see how well it spreads. People saying things.

This is called anti-information warfare. Most journalism is fake, payed-fors, or purchased from the AP or other press corps outlet. They don’t have the inside scoop unless they are part of the problem in the information chain. Since there are no official statements as of yet, I would stop reading news on it. Notice how Bruce is genuine in his post and what he chooses to write about. No inflation or speculation; just professional opinion based on concepts.

CallMeLateForSupper September 15, 2017 11:13 AM

“(1) Krebs posted date is Sep 17. That day hasn’t happened yet, and commenters were from days ago.”

Erm… no. That article is dated 12 SEP 2017. You read “17” as DAY; 17 is the two least-significant digits of YEAR. Don’t feel bad; others have been thrown by Brian’s interesting date format.

The first comment to that story is dated 13 SEP 2017, the day after the story went live.

Bob September 15, 2017 12:19 PM

Thanks for the format clarification.

Also note that most IT professionals are under non-disclosure, especially in the security department. So who is Holden to spew out information to Krebs? Someone I do not want to associate with.

People pick up the phone and figure out how to run hot potato diversion. Let’s blame it on foreigners. That will create some distance.

Right now, the govt has to figure out how to protect the Equifax CEO, CIO, and CSO from getting beat up in the grocery store parking lot.

Jeff Woods September 15, 2017 12:41 PM

For many years I have gone to the trouble to provide a unique email address to each entity (business, etc.) with which I interact online. (These days I use SneakEmail to manage these addresses.) In February 2013 I started getting recurring spam from multiple sources addressed to the email address I used only with Equifax. I placed a support request with Equifax explaining that the evidence indicated that either they had sold my information to a disreputable customer, or they had been hacked. I received only assurances that neither was possible. I strongly suspect that Equifax has been hacked more than once and that they have been leaking information to hackers for years but only recently discovered it (or perhaps just now have finally decided to go public with their failures).

In my opinion, the FTC should regulate them right out of business and prove that “too big to fail” is no longer an option. However, I’m enough of a realist to know that big data and big money are big power and in the long run nothing will improve this situation in the current sociopolitical climate. Fixing what’s wrong with America will probably have to wait until enough people are sufficiently fed up that emphatically invoking the Second Amendment resets the status quo. If the founding fathers were here today they would already be busy refreshing the tree of liberty with the blood of patriots fighting tyrants.

fp September 15, 2017 1:39 PM

“Regulated companies have a strong (to say the least) motivation to neuter regulation by getting people loyal to them in positions of power in the regulatory agency.”

Sure they do, but that’s not the problem. That they are able to do it is.

The American system is one ruled by Predatory Corporations for corporations,with the public just a mass to be exploited that has n protection within it.

fp September 15, 2017 1:57 PM

As was predictable, there will be no systemic reforms to PREVENT breaches and to protect consumers if they occur. All Elizabeth Warren could come up with is making the credit freezing after breaches free.

Esthetic changes for public consumption. It works.

Douglas Coulter September 15, 2017 2:02 PM

“Right now, the govt has to figure out how to protect the Equifax CEO, CIO, and CSO from getting beat up in the grocery store parking lot.”

Some responsible person should dox them and provide pictures of them and their families so we’ll know who to protect in which parking lot. The cops can’t be everywhere…

fp September 15, 2017 2:04 PM

“they have been leaking information to hackers for years”

If I were in their place I would too — good way to trigger marketing campaigns for monitoring services for billions.

Bob September 15, 2017 2:22 PM

@Jeff Woods
But who do you trust? I don’t think any citizen would like the govt to directly control our credit score, and the govt doesn’t want the liability or hassle. So legislators walk this fine line. Once again, security became that gray zone.

I suspect they created 3 bureaus similar to TMR memory; a three input voting system for credit dispute. I can not conceive of anything better. It is a monster any way you look at it. I think it is important that people posted about the EU regs. It shows that Europe at least tries, whereas Wallstreet wants hands-off free extortion (i.e. the gutting of the Frank-Dodd Act).

I read that Elizabeth Warren wants free credit freeze for anyone all the time. That is nice, but doesn’t touch on the problem. Even DSS has proven they can not enforce communication policy with politicians.

So, this hack has the largest potential scope in malware history? I bet the Equifax execs take a long vacation at a Singapore timeshare, next to the crypto coin tards hiding their stash.

Ed September 15, 2017 4:54 PM

@Winston Smith

We’ve had security freezes on our accounts for many years. Upon reading your post, I decided to check our passwords – sure enough, they look like time stamps, corresponding to the date on the physical letters. My wife’s is three minutes apart from mine. Wow.

I just read a story on Marketwatch where Equifax hired a music major as their chief security officer. I’m speechless at this point…

Matthew... September 15, 2017 5:39 PM

Complete agree gov regulation is needed, good regulation though.

Its just that that is a horrible thought. It is kind of like hoping cyber security insurance will save the day too!

Our governments are awful at good regulation. And what good has the insurance industry ever done.

Nick P September 15, 2017 8:14 PM

@ Nick

“and history suggests that we’ll get bad regulation.”

That almost implies we shouldn’t do it. Cryptome said something similar about Bruce’s post on an Internet Security Agency. I countered it and anti-regulators with this comment:

“As usual, another discussion of regulation of software safety or security ignores real-world, past/present schemes regulating software safety or security. Regulations that worked in terms of vastly improving both. Then, after ignoring that, the author claims no benefit to government stepping in with regulations. Let’s quickly look at those instead to see what was done.

For security, Walker’s Computer Security Initiative mandated the DOD would only buy computer systems if they were secure to an appropriate level. The initiative included (a) guidance for improving security through whole lifecycle, (b) an evaluator (NSA) that would have to certify that guidance was followed w/ pentesting of anything claiming high-security, and (c) a requirement that vendors wouldnt get paid unless their products were certified. Lo and behold, the market suddenly produced half a dozen products with vastly better security than before plus a few that seemed free of vulnerabilities even down to covert leaks of information. The TCSEC had issues but fundamentals were sound of picking something businesses could understand, evaluating it, ensuring assurance of correctness, and financially incentivizing them. The bribes companies paid to Congress to get a change to COTS acquisition, uncertainty in export restrictions, NSA competiting with private sector under MISSI, and no demand in mass market for things that were actually secure killed the market for high-assurance security. Got watered down to mostly paperwork in Common Criteria w/ very few systems going for the standards that are actually secure (EAL6/7) and usually for select components in systems. Yet, the process worked with security improvements across the board w/ a few, highly-secure systems delivered.

On safety side, let’s look at DO-178B (now C) for aerospace. They require carefully documented requirements, design, and so on with code proven to match it with code review and rigorous testing. It has to pass certification with no problems for them to make money on it. Re-certification is expensive. That led to vendors throwing as much QA as possible at their code which they simplified as much as possible. A whole ecosystem sprang up for safe languages, drivers, protocols, and so on. Also, tools for automating testing, supporting reviews, semi-automated generation of code, etc. The quality of all of this is much, much higher than typical of mainstream proprietary or FOSS apps. So, again, the sensible regulations worked.

That’s twice it’s happened. It could happen again for Internet security if it was a combination of reasonable protection profiles for certain classes of devices with focus on assurance of design, implementation, configuration, and maintenance like in TCSEC or high EAL’s of Common Criteria. Just requiring memory-safe languages, POLA, safe/secure-by-default configuration, using components with few CVE’s, fuzz testing, and secure authentication for admins would go a long way. On ISP side, the ability to detect DDOS’s and temporarily throttle or cut off the nodes sending them until they’ve gotten their act cleaned up. This filtering could be done right in the ISP’s modems or routers.

So, we can do a lot more than the OP lets on. Regulation on safety and security has worked twice. It’s still working on safety side. We should do it again on security minimizing paperwork, expensive evaluations, etc to focus on minimum subset of features and assurance activities that get most of the results. 80/20 rule. Also, allow new methods or tools so long as they’ve previously proven to work on whatever they claim to do.”

Bob September 16, 2017 1:00 PM

Well, our federal govt has evolved into a sprawl list of agencies that either slap companies on the wrist with joke-able fines, or they simply gather information but do not necessarily do anything with it. Reports get wrapped up to the relevant Congressional Committee and Whitehouse, then they disappear. There are some good people in these agencies but it doesn’t matter. Furthermore, we have lived with the falsehood that what happens at the top will never reach our dinner table.

Quite simply, they are letting Equifax hide under corporate status. What we consider a basic security firewall ruleset(credit freeze), they try to sell as a product and service. When the govt sat down and figured out the 3 bureau system, they had to figure out how to keep it alive without using taxation. I am mystified at why investors feel compelled to buy or sell the stock at any given moment. Like cryptocoin investment, it is a pure game to leverage the game. It will either have high risk because no one is buying their services, or it is so flat and non-characteristic at any volume that it will not earn you anything when you cash out. Wallstreet lets this happen like a basic body function, but it is ill-conceived. This is why I feel it beyond bad regulation to include mechanical/logical fail-point.

I am interested now in what Europe does with credit, as a socialized democracy has dramatically reduced discretionary income. We saw what happened to Greece when they took on plastic and cheap labor.

Bob September 16, 2017 1:38 PM

I still need proof something happened, that an account was damaged, directly attributed to this recent security breach.

Nothing happened. Alex Holden happened. Information plants. Nothing has ever been corroborated concerning Hold Security claims. I think Symantec will back me up on this.

Data that could have been stolen, passwords that might have been lifted, imaginary hackers that never got caught or sent to court. He does PR covers and damage control.

I keep re-profiling Holden; last time in 2014. It means something. Him and his tag team partner. Now, the next time he pops his head up, I am going to take some more notes. I see real IT security firms turning their backs.

My problem with this is that it is a credit bureau, so the story has freaked everyone out. In 7-14 days, this whole thing will be glossed.

Mark S September 16, 2017 4:27 PM

Google said they’ll stop scanning Gmail messages for ads. Does this change anything?

Sure, you can tell people not to have an e-mail account or cell phone

This is different from “you can tell people to assume all emails and SMS messages are public information and tell them to use e2e messaging apps like Signal or Wire for private communication”, no?

Instant communication is useful even when people are aware that what they say in those messages are spied on by companies or governments.

EvilKiru September 16, 2017 7:50 PM

I’ve seen a lot of Experian ads on YouTube over the weekend, all offering to check to perform a one-time free scan of the dark web to see if my personal information can be found.

Well, of course you’ll be able to find our personal information on the dark web. After all, you’re the nincompoops who let it escape your custody and end up there in the first place, aren’t you?

No thanks, Experian. Buzz off!

JOHN W RUPLEY September 17, 2017 11:51 AM

Here is a little different twist on the enormity of the Equifax Breach and how it monetarily benefits the three credit bureaus and ultimately impacts all of us that have had our unauthorized personal information released. Equifax was hacked and the personal information of over 143 million Americans was stolen. My wife and I happen to be two of those people. Last night I went out (as recommended by cybersecurity experts) and attempted to set up a credit freeze on my accounts with Experian, Transunion and Equifax. What a wake-up call!!! Transunion, Equifax and Experion want to charge you $20 per month to set up a credit freeze. Think about it. Each of these companies has taken your personal information without your consent, stored it, and in all likelihood subjected it to theft as happened to Equifax. The cost of the credit freeze for two people would be $20 x 12 mo x 2 people = $480 x 3 credit bureaus = $1,440 per YEAR. I should mention here that since Equifax was hacked, Equifax is offering the credit freeze for free for 30 days which is totally useless since the thieves have your data forever and your name and social security number can never be changed.

The cost of the three credit freezes over 20 years would be $28,800 for two people or $14,400 per person. Let’s say that only 50% of the 143 million accounts had average or above credit (the assumption is that half of the people have less than average credit and might not care enough to put a credit freeze on their accounts). The total revenue generated from the theft of their stored information for the thee credit bureaus would be $1,440 x 72 million or $103 billion PER YEAR. Does anyone, but me smell a rat in the woodpile? In my opinion, this is a gross conflict of interest on the part of the credit bureaus. These companies should not be allowed to make one penny from a criminal act against their company for data that they are responsible for protecting even if they were not the company that was hacked. This, to me, is an absolute outrage. It is in the best interest of the three credit companies to have the data stolen because it is very lucrative.

I am not sure exactly where we need to take this issue. Senator Elizabeth Warren is apparently trying to introduce legislation that would prevent these companies for charging for credit freezes, but in my opinion, it is going to take a mass campaign to force the issue of charging fees for credit freezes.

Now, you may ask “why should I care”? The answer is that anyone with a credit record and personal data stored at any credit bureau is at huge financial risk and risk of ruined credit which means that it will be almost impossible for you to get any kind of credit, if your credit is hacked and later used to secured any type of credit. The thieves sell the data and the recipient of the stolen data can apply for credit under your name. Mortgages, Credit Cards, Bank Loans, etc., can all be applied for with your name, address and social security number. The only way to half-way protect yourself is with a credit freeze. The credit bureaus who stored your data without your consent and subjected it to hacking, now stand to profit substantially from your misery which was not of your own making.

Bob September 17, 2017 1:18 PM

Sorry John, but that represents a typical response from people. Any per month charge is not related to a credit freeze. I have to do my best to correct peoples’ confusion because there are 3 primary types of service and not one journalist is explaining it.

This will provide links to what your state is lets the bureaus charge for credit freezes, neither more nor less. It is kind of like a state auto inspection charge:

(1) A credit freeze is permanent until you pay again to unfreeze it. You can also pay a little more for single-party unfreeze, what I call whitelisting. Credit freeze provides your best brickwall.

(2) Fraud protect lasts between 30-90 days and is considered to not do much in the way of account brickwall.

(3) There are bureau proprietary guard services that they are trying to sell.

(4) There are third-party companies that you pay to do this stuff for you, as a layer of abstraction. Those companies do not have a score card and could also probably resell your data to the cloud, regardless of what they say or guarantee. Too many monkeys.

Like I said above, just do the 3 credit freezes, but do not try this during prime time hours. News outlets and myself have reported they are backlogged. Experian’s system holds on to your request, but then forces you to mail in sensitive copies of proof. Imagine the risk there. Do this before you go to work, before lunch, or in the dead of night for server access.

ab praeceptis September 17, 2017 1:31 PM


Not even that is really needed. A simple grep over (or a look at) the “Received” email headers should show it.

Bob September 17, 2017 2:48 PM

And somebody tell Krebs xss[dot]cx is not evidence that holds up in court or anywhere. Teh journalists trying to be CSI on the front line.

Some people need formal govt/Equifax presskit. That means federal agents need to be crawling through office space. “Security news” is not valid release outlet, so no, Krebs is not the go-to guy. Just spincycle until something real. No youtube apologies either. So get real.

jay September 18, 2017 8:01 AM

The government hardly has a clean record as far as this goes. They’ve been hit by a number of high profile incidents.

Security is NOT like fire codes, for instance. Fire works the same way year in year out. Effective safety measures that worked ten years ago still work now (though new ones may be better). With security, there’s a rapidly moving target, with some very smart people (both criminals and government) spending a lot of time trying new things. By contrast, government rule making is painfully slow (of necessity to some degree) and cannot respond quickly at all.

Stricter punishments may not do much. The punishments for reckless and drunk driving are severe, but it does little to stop those who don’t expect to get caught. By the same token, making the charges so broad as to in hindsight cover anything probably will keep a lot of good people out of those jobs…. who wants to take a job where a hacker’s clever new ploy can wind you in jail?

One way the government could help is a form of hashed authentication service, so that this critical information is never kept on a corporate server, and even the government would only have the hash values.

Clive Robinson September 18, 2017 8:59 AM

@ Jay,

With security, there’s a rapidly moving target, with some very smart people (both criminals and government) spending a lot of time trying new things. By contrast, government rule making is painfully slow (of necessity to some degree) and cannot respond quickly at all.

You are in danger of falling in the “legislation is slow so all rule making is sloe” myth/trap.

The EU often takes a diferent way to the US for good reason.

The US tends to “regulate by legislation” rather than “legislate for regulation”. That is US legislation embeds all sorts of things within it that it realy should not, because it can only be changed or updated by legislation. If however you have legislation to appoint a standards body to come up with regulation then you end up with a much faster changes and updates. It also seperates the legal from the technical which has the same advantage as seperating the state from religion.

It’s one of the reasons I talk avout legislating for standards frameworks which the EU system is closer to.

Bob September 18, 2017 10:56 AM

Well, my final thoughts are this: Mandiant has forensic people trained from law enforcement. It is a great idea. The problem is that FireEye-Mandiant has responsibility(non-disclosure) to their client, not the US citizens.

If I am going to have someone lie to me, let it be an organization that bears some liability to the people. This is not just some corporation, it is a credit bureau. Federal agents from some forensic unit could at least nod their heads for the record. You can not obviously use a second security firm without non-disclosure and more doubt. The client, Equifax, gets to pick words. Federal agency needs to bear part of this liability.

There are hurricane victims that need the bottom line, not non-disclosure or gumshoe journalists. No offense to FireEye but this is (should be) a special case. We also don’t need Equifax trying to sell services on their own failure, like that actually solves something. A youtube apology and a sales pitch is disingenuous.

As far as not trusting federal agency, where do you think half of Mandiant came from? It comes down to that disclosure problem.

The salient point is that when people no longer trust Equifax, they went digging dirt at security news sites which actually do not have the truth and only add fog with speculation. It is the worst thing to do, yet that is everyone’s knee-jerk.

john yates September 18, 2017 11:56 AM

While there are a variety of individuals, institutions, and government entities that can be blamed for problems with the current system, I’m becoming more interested in the variety of large government penalties that are incurred by targeted companies, organizations, etc., the process by which the penalties are determined (equally-applied? / fairly-determined?), and the beneficiaries who receive the proceeds of penalty payments (regulators?).

I’m not familiar with the processes involved, but it seems like the government may have an interest in the current system remaining in place if they are receiving (or diverting) proceeds from the penalties they exact. If someone understands the penalty and payment process, I’d like to hear more about how it works.

Bob September 18, 2017 2:17 PM

I would research what happened to the 2014 JP Morgan Chase thing. I assume you are talking about time lost and fees for individuals to clear credit and identity theft. I guess that would be the court case if anything.

Lawyers are the beneficiaries. Check for leeches. If there is not a class action for compensation, then nothing happened.

Bob September 18, 2017 3:27 PM

Yeah. I also found out the free reports are actually not complete detailed reports with entries and whatnot. I pay for full reports, not the abbreviated things. Screw your score, you need more.

What I remember with a fake class action vs. Toyota/Takata, is that if you get into a class action early and the lawsuit bombs, the prosecution is on the hook for court fees. That gets passed on to the victims that got conned.

It will be required that damages be validated. I wouldn’t pre-emptively run to a lawyer unless you really got screwed. There are a lot of class actions lined up for this. Entire cities are jumping in, but it is all pre-emptive right now. They can fall off when the victim validation kicks in. The money train will be cut down without solid proof of damage.

Understand that just for a local court visit to a judge, you can dish out 10g a pop, never mind lawyer fees. Some of this might not be recouped, even by a class action.

I got a Treasury check once. I bought pizza with it.

Now I remember the JPM case. That same year of the breach, their investors won a huge class action on not-so-liquid accounts. Supposedly, their compensation was obligatory but I never read the end of it. Concerning multiple institutions, the story magically disappeared amid a flurry of speculation.

Bob September 18, 2017 3:59 PM

Nobody has mentioned this: since the trustedidpremier site is not proof of damage, a hacker could use stolen data years away from now. That means any valid class action suit will have to grow Lovecraftian tentacles into the nether regions. It would be important to read about this in the future… if journalists don’t get short-term memory loss.

HelpDesk September 18, 2017 4:39 PM

(Ceiling Payout – Lawyers)/victims = $0.05 per person
They will not bury Equifux. Prepare to lose hitpoints.

Steve September 18, 2017 4:57 PM

@micha8s – Good idea, but you blew the punchline!

It’s time for the Federal Government to step up and say “we own the SSN. If you choose to use it, any disclosure, whether ?deliberate or accidental, without the permission of the SSN holder AND the Federal Government will result in a fine of not less than 1 million dollars per SSN disclosed.”

I think a 143-Million dollar fine would get the attention of Equifax.

143 million SSNs disclosed times $1 million fine each comes to a $143 trillion dollar fine… and I’d have no problem with that.

Gerard van Vooren September 19, 2017 5:31 AM

@ Clive Robinson,

It’s one of the reasons I talk avout legislating for standards frameworks which the EU system is closer to.

Could you elaborate, please?

Clive Robinson September 19, 2017 7:38 AM

@ Gerard van Vooren,

Could you elaborate, please?


Have a look at the way RT&TTE is regulated under EU legislation. Basically the RT&TE directive indicates that equipment must meet other directives such as the LVD and standards drawn up by the various EU international standards bodies. Thus the legislation says it must meet the required standards prior to the equipment being given a CE mark and being “placed on the market”. It even alows for Nations to have diferent standards from another directive. Which alows the likes of France to retain spectrum it originally dedicated to the millitary which most other nations use for callular radio service.

You will not realy find any directly actionable tests in the regulations they are devolved down into the international standards from CCITT CEN/CENLEC etc. Who in turn pull in standards from national bodies such as BSI etc.

It’s generally only at the bottom level of the standards that you find testing requirments (but usually no test types).

The US in environmental legislation have been known not to just include testing requirments but the type and method of the test. Which unsuprisingly has been superceaded in the field of endevor by better standards of testing, but are still legaly required to do it the old way…

Bob September 19, 2017 1:39 PM

If we had more people thinking like that. You can scream for holistic framework and legal maintenance until you are blue in the face. There are a lot of mindsets that prevent this:

1) Pile higher and deeper legislation: examples would be immigration and tax code
2) Agency boundaries: FTC, FCC, State Dept., Law Enforcement
3) Broad-scoped Legislation: CALEA and inarticulation
4) Maintenance: re-upping EOL Acts with little review
5) Agenda Bills that overlay and take power away from respective agency: Patriot
6) Judicial Precedence: a cop-out for articulate legislation which I don’t believe in. This takes away impetus to legislate.
7) Killing ancient law and framework: legal detritus. I hate to use the Coal Mining Act for this, but it says our govt can’t tell coal mining to stop. I am sure there are a ton of laws like this. Hands-off self-regulation.
8) Gerontocracy: Strom Thurmond-itis. Brickwalls that are too old to move fast or care. Their heads are duct taped in the upright position.
9) Lobby and special bus interest

Sorry for the lack of non-IT reference. I’m looking for a political revolution that allows for more than two parties. We need options and transparency. Politicians with not just spine, but analytical capacity. I would vote for an astute engineer, programmer, applied scientist.

Clive Robinson September 19, 2017 2:34 PM

@ Bob,

There are a lot of mindsets that prevent this:

Usually standing there with their hand out one way or another…

Those that do real work are finding their slice of the economic pie shrinking due to “rent seeking” and “special interests” which boil down to “Benifits for those with enough clout to bribe politicos”.

As others have noted the democracy in the US is bought and payed for… Which leaves no room for alternatives currently.

Bob September 19, 2017 9:42 PM

None of those points I made would be fixed without campaign finance reform and correcting Congressional and Bill procedure. That Mr. Smith goes to Washington to brickwall passage is the worst way to go.

What if campaign contributions went to the party and not the individual? Would that send nepotism and despotism underground or would it provide an actual purpose to party politics? I feel parties are juxtaposed to real issues, talking points crossing boundaries and frustrating voters. We have politicians obligated to do what their overlords ask, so how do we destroy that?

My whole deal is people at that top don’t need credit. They pay cash. Screw a platinum/uranium card or whatever. Our credit allows us to borrow because our paychecks are a joke. It keeps the CPI high. The interest goes to parasites that feed on your core productivity while they play with portfolios. It reinforces cheap labor and our country bombs without it. Hatin’

Mike Barno September 20, 2017 8:11 PM

The September 20 issue of the New York Times has an article about a fake Equifax domain set up by a researcher … a site that got mistakenly promoted by EFX’s tech support!


“Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax’s page about the security breach that may have exposed 143 million Americans’ personal information. Several posts from the company’s Twitter account directed consumers to Mr. Sweeting’s version, securityequifax2017.com. They were deleted after the mistake was publicized.”

Well then. I guess that certainly makes me trust Equifax more. Sure, here’s my ten dollars for more protection like that.

David Robarts September 26, 2017 2:25 PM

I’d like to see the credit reporting agency responsible for authentication of the individual requesting credit (paid for by entity requesting a credit check, not the individual identified in the report). Simply make a credit reporting agency that issues a credit report to a lender liable for the line of credit extended if the applicant was someone other than the individual identified in the report. I’m sure the credit reporting industry could figure out a way to fix the identity theft problem if the liability fell on them. The root of the problem is that the credit industry generally treats knowledge of a few facts about a person (including SSN) as authentication that you are the person.

Mark September 29, 2017 2:57 PM

More of a legal point/question: The 143M people whose data was compromised did not willingly provide that data to Equifax. Rather, Equifax collected the data (and charged a fee to the creditors), stored it in an obviously non-secure manner, and allowed it to be stolen.
Do the people whose data Equifax handled so carelessly have legal/monetary recourse beyond the “Credit Block” Equifax offers?
Even if there is no obvious, immediate impact to individuals, their information is now out there, for sale and abuse at any time in the future.

Clive Robinson September 29, 2017 4:38 PM

@ Mark,

Do the people whose data Equifax handled so carelessly have legal/monetary recourse beyond the “Credit Block” Equifax offers?

Outside of the US probably, inside the US orobably no chance.

In the US in effect the person who collects information who owns it. To get anything out of them you would have to prove not just that you suffered harm but they were neglegent in their actions to the point where they would know it would cause that harm. As they sell the data anyway “legaly” all that can realy be shown is that they have come to harm due to lost revenue etc. Not the person who’s data has been taken.

Yes there will probably be a class action, but by a couple of leagle maneuvers they will limit to around ten or twenty dollars to each person, and not even cash but equivalent service, such as a month ot two of credit freeze…

Thus they will in effect walk away intact the effected people will end up loosing any gains due to legal fees etc, and a few lawyers will get new private jets…

Such is the libertarian free market dream. People tend to forget that the “great American Dream” only works with unlimited near zero cost raw materials that get in effect stolen. As the resources become limited then the whole dream becomes a criminal activity based on Peter Robs Paul to pay off Saul, who rent seeks every which way possible.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.