Equifax filing reveals hack was somehow even worse than previous estimates

The 2017 hack of Equifax, already among the largest ever recorded, just got bigger. Well, they’re admitting that it was bigger than they had previously, which amounts to the same thing. Documents filed with the SEC reveal that more people, more IDs, and more info in general was stolen when the company utterly failed to protect its “users,” many of whom didn’t even know they were in the database.

The company revealed various numbers around the time it disclosed the hack, though one it neglected to include was how many millions of dollars in stock were sold by executives before publicly disclosing it. But let’s not linger on their past crimes. I’m sure they’re very sorry!

Amanda Werner, dressed as Monopoly’s Rich Uncle Pennybags, sits behind Richard Smith, CEO of Equifax, during a Senate hearing.

Today’s information was filed with the Securities and Exchange Commission as part of the company’s disclosures regarding the hack. It provided first a handy table listing what was stolen as raw strings of data from Equifax’s inadequately protected databases:

  • Full name: 146.6M
  • Date of Birth: 146.6M
  • Social Security number: 145.5M
  • Full address: 99M
  • Gender: 27.3M
  • Phone number: 20.3M
  • Driver’s license number (incl. 2.4M partials): 17.6M
  • Email address: 1.8M
  • Credit card numbers (with expiration dates): 209,000
  • Individual Tax Identification Number (ITIN/Tax ID): 97,500
  • Driver’s license state: 27,000

Previous estimates of driver’s license numbers leaked were around 10.9 million, and total affected put at 143 million. Sure, the difference between 143 million and 146.6 million is relatively small, but it’s still 3.6 million people.

Secondly, the filing includes a table listing images stolen by the attackers. These were “uploaded to Equifax’s online dispute portal by approximately 182,000 U.S. consumers,” the document says.

  • Driver’s license: 38,000
  • Social Security or Taxpayer ID Card: 12,000
  • Passport or Passport Card: 3,200
  • Other: 3,000

It’s unclear why these don’t add up to 182,000, but the images could also have been non-valuable things like forms or pictures of assets.

Imagine the kind of havoc you could wreak with even a few isolated data points from this set. Phishing teams and other scammers must be having the time of their lives: with so much official data to use, it’s that much easier to convince someone that a service or email is legitimate. Images of licenses and passports could lead to more sophisticated fraud at borders or in other government situations as well.


Equifax breach exposed millions of driver’s licenses, phone numbers, emails

On May 7, executives of Equifax submitted a “statement for the record” to the Securities and Exchange Commission detailing the extent of the consumer data breach the company first reported on September 7, 2017. The data in the statement, which has also been shared with congressional committees investigating the breach, reveals to a fuller extent how much personal data was exposed in the breach. Millions of driver’s license numbers, phone numbers, and email addresses were also exposed in connection with names, dates of birth, and Social Security numbers—offering a gold mine of data for identity thieves and fraudsters.

Equifax had already reported that the names, Social Security numbers, and dates of birth of 143 million US consumers had been exposed, along with driver’s license numbers “in some instances,” in addition to the credit card numbers of 209,000 individuals. The company’s management had also reported “certain dispute documents” submitted by about 182,000 consumers contesting credit reports had been exposed as well, in addition to some information about British and Canadian consumers.

But the exact details of the nature of these documents and information had not been revealed, in part because Equifax felt it did not have a legal obligation to disclose those details. “With respect to the data elements of gender, phone number, and email addresses, US state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access,” Equifax’s management asserted in the SEC letter.


Equifax taps former GE exec Mark Begor as its new CEO

It’s been seven months since a major data breach sent shares of Equifax tumbling, and the company is still pulling itself together. On Wednesday, the credit bureau announced it was appointing former GE exec Mark Begor to take over the troubled company’s affairs.

The hire comes six months after Equifax’s former CEO Richard Smith resigned and left Paulino do Rego Barros, Jr. leading in the interim. Barros will “retire” from Equifax early next year as Begor takes over the role from him next month.

Most recently, Begor was at Warburg Pincus LLC, a US private equity firm, which he joined after 35 years at General Electric where he operated in a variety of roles including as CEO of GE Energy Management and CEO of GE Capital Real Estate.

Begor comes aboard as the company attempts to build back public trust or at least stay out of the news long enough for people to forget about their incompetence. Equifax shares have surprisingly only dipped around 18 percent since the admission of a massive breach which had released the personal data of over 140 million customers. The company’s public image has taken a much heavier hit.

Earlier this month, an exec was hit with insider trading charges, alleging he used non-public information about the undisclosed hack to sell $1 million in shares before the company’s admission sent the stock price tumbling.

“The team has made meaningful progress in the last several months to address a number of well-publicized issues while continuing to focus on delivering differentiated new products and advanced analytics to support our customers,” Begor said in a statement released by Equifax. “…we will continue to invest in and strengthen our IT and data security. As a custodian of consumer and customer information, protecting that data is a central priority for Equifax and for me personally.”

Senior Equifax executive charged with insider trading

Federal authorities have charged a senior Equifax executive with insider trading for allegedly selling almost $1 million worth of company stock 10 days before officials disclosed a website hack that exposed sensitive information for more than 143 million US consumers.

Jun Ying was CIO of Equifax’s United States Information Systems business unit in the months leading up to Equifax’s bombshell announcement on September 7 that the breach exposed Social Security numbers, birth dates, and other sensitive data for as many as 143 million people. According to a complaint filed Wednesday by the US Securities and Exchange Commission, Ying’s first indication his employer had been breached came on August 25 when he and colleagues received an email alerting them to a “very large breach opportunity” that would require additional capacity from IT systems to process. To keep the Equifax breach confidential, the email and subsequent discussions didn’t name Equifax as the victim and instead suggested it involved an Equifax client.

Putting 2 and 2 together

Ying only needed a few hours, however, to suspect his employer was the one that had been breached, prosecutors said. At 5:27 that afternoon, after speaking privately with the CIO of the main Equifax company, Ying allegedly sent a text message to one of his employees that read: “On the phone with [global CIO]. Sounds bad. We may be the one breached… Starting to put 2 and 2 together.”


Equifax exec charged with insider trading, selling shares ahead of hack news

Former Equifax exec Jun Ying has been charged with insider trading, according to the Securities and Exchange Commission. He allegedly knew that Equifax had been hacked and sold his company shares before the public was notified.

Ying, who was “next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach,” says the SEC release. He is accused of selling $1 million in shares and avoiding a potential loss of $117,000.

Following the revelation of a widespread hack at the credit reporting agency, Equifax shares took a tumble on the stock market. Shares were above $142 and quickly fell to beneath $93 in the subsequent days.

Ying wasn’t the only employee who sold shares, resulting in several execs getting accused of insider trading. TechCrunch wrote something at the time about different executives, and received this defense from Equifax, particularly with regards to the CFO.

“As announced in the press release, Equifax discovered the cybersecurity incident on Saturday, July 29. The company acted immediately to stop the intrusion.

The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”

Equifax, still having problems computering, releases credit locking app that doesn’t [Updated]

On Wednesday, the beleaguered credit reporting agency Equifax launched a new service to protect people from the risks of identity theft that the company vastly magnified with a breach of over 145 million people’s credit records last year. The service, called Lock & Alert, is fronted by a mobile application and a Web application. It is intended to allow individuals to control access to their credit report on demand.

“Lock & Alert allows You to lock and unlock your EIS credit report (‘Equifax credit report’),” the service’s terms of service agreement states. “Locking or unlocking your Equifax credit report usually takes less than a minute.”

Except when it doesn’t.


Equifax launches its credit locking app and extends free credit freezes through June

Today was supposed to be the deadline for Equifax’s free credit freeze offering, but the company has decided to extend the service to consumers for another five months. Now, Equifax customers can request a credit freeze through June 30.

Still, January 31 is the last day to cash in on free credit monitoring through Equifax’s TrustedID Premier program, assuming you still trust the…

How To Keep Personal Data Safe When Companies Can’t (Or Won’t)

Organizations came under fire in 2017, a year of reckoning for businesses on how they managed corporate and personal data. The increase in cyberattacks, and in particular the use of ransomware, has become so pervasive that an underground ransomware market has developed in strength.

According to Carbon Black, the underground ransomware market, which currently accounts for approximately 45,000 different ransomware products available for purchase, has grown from US$250,000 in 2016 to US$6.25 million in 2017: a staggering 2,500 per cent increase.

The stats continue with ransomware payments from affected individuals and organizations totaling close to $1 billion in 2016, up from $24 million in 2015. Ransomware is becoming sophisticated, easy to access and, most important of all, the best way to make a profit out of malware.

One thing is clear: cyberattacks, in their many forms, are here to stay.

But the question remains: are organizations incentivized to prioritize our safety, or are they more driven by self-preservation?

A tale of two cyber gaffes

Equifax and Uber were two high-profile cases last year that rocked consumer confidence and suggested the latter — self-preservation. The lack of privacy management processes shown by the two companies before, during and after the breaches has resulted in them facing serious financial and legal consequences that have significantly hindered both their profits and their credibility.

These are lessons worth learning for other businesses. Thinking of other long-lasting implications, such as loss of customer trust and reputational damage, some companies may be forced to close their doors completely. We are living in a new world of cybersecurity and privacy awareness and we need to evolve in the way we do business today and into the future.


Equifax’s main downfall was that they were not prepared with comprehensive policies and processes outlining specifically how to handle a breach response. Instead, their approach appeared careless, ranging from directing worried customers to a questionable domain separate from their website to check whether their information had been compromised, to high-level executives selling their stock days before the breach announcement. That does not do much to soothe the worries of thousands, and it indicates a lack of any risk management structure being in place. Thus, their response, instead of eliminating doubt and quickly resolving the issue, actually further damaged credibility and exacerbated the situation.

Then there is Uber: another important example of a lack of transparency at a time when arguably it is needed most. More often than not, the truth will come out and the lengths that Uber went to pay off hackers to delete the data and keep the breach secret were a huge violation of public trust. The case with Uber is worsened by the very nature of the personal information the company has access to and was unfortunately exposed: names, email addresses, phone numbers, and driver’s licenses. Therefore, if public safety were their number one priority, they would have ensured they were protected not only from a security standpoint but from a privacy management one too. With the appropriate steps laid out clearly, that would not only extinguish the fire but most importantly, would minimize damage to customers.

Consumer impact: another important consequence of a data breach

Data breaches can have very hefty financial implications for a consumer. A consumer will spend on average about 20 hours and $770 on lawyers and time lost to resolve the case when they find themselves on the receiving end of a data breach.

According to PwC’s Consumer Intelligence Series, 92 per cent of customers want companies to be proactive about data protection. Although consumers want both companies and government to be involved in data protection, over half of respondents believe companies bear the larger share of responsibility. In industries as wide-ranging as finance or tech, businesses are playing catch-up when it comes to enforcing an effective privacy framework.

The most dangerous misconception consumers can have when it comes to data privacy is eschewing their share of the responsibility. Consumers have a stake in how they control their personal data and they need to act on it.

Lessons to learn

These are some of the takeaways on what to do if you find out your personal data has been compromised by a cyberattack or a privacy breach incident:

Stay alert and be proactive

First and foremost, make sure you know what businesses have your data and how they use it. If you receive letters or emails from companies you don’t recognize, call them and ask them how they obtained your information.

If a company informs you of a breach, change your account passwords, be mindful of phishing emails and if you believe your credit or debit card numbers have been compromised, reach out to the credit card company or banking institution and request a new card. Keeping an eye on your credit score for a period of time doesn’t hurt, either.


Make a complaint to the appropriate regulators

In Canada, there are different regulators responsible for ensuring that personal data is managed appropriately. If you feel a company is not using your personal data as per your expectations, or if you believe your data has been compromised, you have the right to reach out to the Office of the Privacy Commissioner of Canada or to the local privacy authorities in your province.

In the case of complaints around email communications, the Canadian Anti-Spam legislation (CASL) is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC) and they take these complaints very seriously.

Ask the organization for identity theft monitoring services

When there is a data breach and an organization gives you notification, in most cases they offer identity theft monitoring services. If they don’t, demand that they provide such services since you are certainly at a higher risk of identity fraud and the implications that this conveys. Identity theft monitoring usually includes insurance that will cover any costs related to an identity theft incident so it is very important to ensure you are protected.

Request the organization to erase your data

If you experience a breach and you don’t feel you will do business with this company due to lack of trust or simply because you are not interested anymore, ask them to erase whatever personal data they have that belongs to you to ensure that if an incident occurs in the future, you are not impacted by it again.


Moving forward in the cyber world

The digital world has provided great opportunities for organizations and consumers to work with each other more efficiently. When done right, this dynamic can help establish long lasting loyalty from consumers whose lives are made easier by companies that provide them with personalized products and services.

However, protecting personal data is paramount in moving forward to continue fostering this trust and loyalty. The world of cyberattacks is here to stay, and my advice to consumers is to stay vigilant — and remember that you have options. Ultimately, protection of your personal data is in your hands.
