Equifax

Betrayal and Swindle

In another "You had one job..." scenario, Equifax bastiches, charged with protecting people's private information, including SSNs (SINs, in Canada), failed to invest the money to keep their security up to par or to employ competent I.T. staff, and had a data breach in 2015.

Equifax Hit With $70 Billion Lawsuit After Leaking 143 Million Social Security Numbers

Jumping the Gun

Bloomberg reports yet another fraud in connection with the theft, but just can't wait to jam in an exoneration of the managers who "dinknow nuffin." Before that claim is made, it requires an investigation, not a blind assertion.

Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.

The trio had not yet been informed of the incident, the company said late Thursday.

This goes by the name, "insider trading," and is supposed to be illegal. Bloomberg jumps the gun to exonerate "the trio," carefully not mentioning any names, mind.

They were quickly cleared in a criminal probe, but the company knew about the breach days before. At the very least, they should have to return the proceeds from the sale and buy the stock back, because nothing they say matters, since it's still a breach of fiduciary duty. Either they knew, or didn't know, but should have known.

Chief of Security Mauldin

Back in 2017, this blog called it:

After losing private data on 143 million (or more) Americans [and, somehow, Canadians], its stock price fell to about $93, which is the stock value of about 3½ years ago, and is on its way back up! It must be that someone has reassured those buyers that Equifax, which has proven itself a perfectly useless, untenable concern, is going to "weather the storm," and survive. Meaning, it will still receive government and banking industry support and succor.

The IRS Hired Equifax To Safeguard Taxpayer Data

And so, despite its catastrophic failure to safeguard any of the private information of 143+ million people, it was tapped as trusted repository.

The IRS will pay Equifax $7.25 million to verify taxpayer identities and validation for the government agency under a no-bid contract issued on September 29, [2017] three days before a Congressional hearing [into the Equifax data breach].

As one site pointed out, despite Equifax's reassurances, it can take years to uncover the full scope of a data breach.

Court Case

The Settlement received final approval from the Court on January 13, 2020. This farce resulted in a win of, if you can even get it, up to a measly $125, which doesn't cover the time you spend reading up on the situation, checking your eligibility, and applying for the "compensation."

One guy tried to sue personally, and it was tossed out of court, though he did reserve the right of later action against the company. The effort was basically a waste of time, even though, presumably, he had been harmed.

A Reddit comment makes it clear:

First, Equifax isn't just some random company that you may or may not have an account with, they are one of the three major credit bureaus in the United States. And you do not have a choice about whether or not they collect information on you - If you have a bank account, a credit card, utility bills, student/car/home/other loans, you are in Equifax's data.

Second, what was stolen is different than in any prior data breach. With few exceptions (like NARA and Anthem, and they were nowhere near as bad as Equifax), breaches result in some minor inconvenience - You need to replace your credit card, maybe change a bank account number, your email password, that sort of thing. What Equifax gave out to hackers was nothing less than the very information financial institutions use to prove you are you. And these are details you can't change, like your birth date, SSN (technically you can get your SSN changed, but it is very, very hard), list of addresses, in some cases even pictures of you (like from your driver's license or passport), etc. With this particular breach, identity thieves can now do a better job of proving they're you than you can (Oh, you don't remember the street address of that apartment you rented one summer in college? Equifax does!)

Bloomberg has a nice article.

Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It's not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value...

Some investigators within Equifax reached the conclusion that they were facing Chinese state hackers relatively quickly after analyzing the Moloch [tool suite] data, according to a person briefed on those discussions. If the Equifax breach was a purely criminal act, one would expect at least some of the stolen data, especially the credit card numbers that were taken, to have showed up for sale on the black market. That hasn’t happened.

But it came down to one simple, easily avoidable blunder on Equifax's part, according to CSO Online.

Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to re-encrypt that traffic, these tools need a public-key certificate, which is purchased from third parties and must be annually renewed. Equifax had failed to renew one of their certificates nearly 10 months previously — which meant that encrypted traffic wasn’t being inspected.
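The failure described in that passage, an expired certificate quietly switching off traffic inspection, is the kind a routine inventory audit catches. The following is an added example, not code from this blog, CSO Online or Equifax; the device names, roles, dates and the 30-day renewal window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory (hypothetical names, roles and dates). not_after uses
# the format printed by `openssl x509 -noout -enddate`.
INVENTORY = [
    {"name": "portal-web", "role": "web", "not_after": "Jan 20 12:00:00 2024 GMT"},
    {"name": "inspect-02", "role": "tls-inspection", "not_after": "Nov 30 23:59:59 2024 GMT"},
    {"name": "inspect-01", "role": "tls-inspection", "not_after": "Mar  1 00:00:00 2023 GMT"},
]

WARN_DAYS = 30  # assumed renewal window


def audit(inventory, now, warn_days=WARN_DAYS):
    """Classify each certificate and surface inspection blind spots first."""
    findings = []
    for entry in inventory:
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(entry["not_after"]), tz=timezone.utc
        )
        days_left = (expires - now).days  # negative once expired
        if expires <= now:
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "RENEW_SOON"
        else:
            status = "OK"
        findings.append({
            "name": entry["name"],
            "status": status,
            "days_left": days_left,
            # Per the passage above: an expired certificate on an inspection
            # device means encrypted traffic goes uninspected, so rank it first.
            "blind_spot": status == "EXPIRED" and entry["role"] == "tls-inspection",
        })
    rank = {"EXPIRED": 0, "RENEW_SOON": 1, "OK": 2}
    findings.sort(key=lambda f: (not f["blind_spot"], rank[f["status"]], f["days_left"]))
    return findings


if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed for repeatability
    for f in audit(INVENTORY, fixed_now):
        flag = "  <-- traffic not being inspected" if f["blind_spot"] else ""
        print(f"{f['status']:<10} {f['name']:<12} {f['days_left']:>5} days{flag}")
```

Run on a schedule against the real inventory and wired to paging, a check like this turns a lapsed renewal into an alert on day one instead of a months-long gap.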

Bottom line? Same thing we've been preaching on this blog since forever. The company should have been dissolved, all the assets distributed to the breach victims, the execs forbidden from working in the industry for at least five years. Consider the cautionary effect this would have on the other credit bureaus. It's the only thing that makes any sense.

