back to article Equifax reveals full horror of that monstrous cyber-heist of its servers

Equifax has published yet more details on the personal records and sensitive information stolen by miscreants after they hacked its databases in 2017. The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records …

  1. corestore

    And how...

    If we're sufficiently angry about this, can we tell Equifax "I don't trust you to hold my data; I require you to delete every piece of data you hold on me"?

    It would seem a reasonable request in the circumstances - but is it possible? If not, data protection laws are worth very little. We need the ultimate sanction, as individuals, of being able to easily compel companies and organizations to delete all identifiable data they hold on us.

    1. Jusme
      Unhappy

      Re: And how...

      Even if you could, and they did, good luck getting credit / buying a house / car / burger once you have no credit references.

      1. corestore

        Re: And how...

        Well if it's possible for anyone to delete their data, the presence or absence of that data can no longer be relied upon; it'll break entirely away from the 'everyone leaves a data footprint' way of thinking that seems to have grown up with remarkably little question or oversight.

      2. Mark 85

        Re: And how...

        Nope...there's two other companies just a big who do the same thing. So there's a 1 on 3 chance of some company saying "no" if they only check Equifax. If the company says "no", then tell them to check the other two if they want your business.

      3. Anonymous Coward
        Anonymous Coward

        Re: And how...

        @Jusme

        Why are people down voting you? Do people not understand how credit reference agencies work? Have people not been to burger king lately? I went the other day and it was £7.15 for a burger meal (basic whopper, Lancaster services), I only go to burger king every so often to remind myself why I don't go to burger king, same with McDonalds.

        1. Doctor Syntax Silver badge

          Re: And how...

          "Have people not been to burger king lately? I went the other day and it was £7.15 for a burger meal"

          And why should you need Equifax or its lookalikes for that? There are totally anonymous credit reference services you can use provided by the Bank of England and the Royal Mint.

          1. Anonymous Coward
            Anonymous Coward

            Re: And how...

            @Doctor Syntax

            Quoting the original comment "buying a house / car / burger" was my reasoning for the burger reference. Equinefax because it's probably horse anyway,

            1. Woodnag

              Equinefax...

              Equinefax... because their data management is the horse's arse.

        2. not.known@this.address
          Trollface

          Re: And how...

          Maybe try a 'proper' Bugger King shop rather than the overpriced abominations that you find at "service" stations (although I suppose DIS-service stations, whilst much more accurate, would not be good for their business model)?

          I've never really found the cost of the meal* to be a particular reason for avoiding fast food chains - the taste and texture (or lack thereof) provide much more compelling reasons...

          *Here in the UK we have a load of adverts telling us that "Kiddie X" wants "Product Y" from The Golden Arches but "Mommy Z" isn't sure that it's safe - cue Doctor Devidence showing us that the cows really are cows, the chickens really are chickens and the fries... funnily enough, they don't get mentioned (I'll leave you to draw your own conclusions on that).

          I'm sure it's all perfectly safe really (as long as you're a penguin or have an infinite number of limbs) but I cannot help wondering if C.M.O.T. Dibbler might not have gotten in the food chain somewhere...

        3. Jtom

          Re: And how...

          Some of us have absolutely no need for credit. I have the funds to but new cars, condos, even Whoppers from Burger King. What I don't want is getting harrassed from debt collectors trying to collect on debt resulting from ID theft.

          1. Jellied Eel Silver badge

            Re: And how...

            What I don't want is getting harrassed from debt collectors trying to collect on debt resulting from ID theft.

            Agreed. I've had that happen a couple of times, and it's painful. Letter arrives saying I owe X and pay now, followed by calls. Calls ask for me to confirm my security details, ie supply some random caller with personal information they may not be entitled to, or trusted with. I told the last one that I wanted all communications in writing, starting with a detailed explanation of why they thought I owed them money, ie copy of any contract. When I told them not to call again, they said that 'was not going to happen', and it took a little convincing to point out that the ICO/Ofcom could make that happen.. Although that would require them to actually take action against scumbag DCAs

          2. Eddy Ito

            Re: And how...

            The freeze system we currently have seems to be working nicely for me. I've had a company ask if I would allow them to access my report "for identity check purposes". My response was to say I'd be happy to allow them access to Experian, TransUnion, or Innovis but not Equifax. Oddly they managed without it and I didn't have to unlock any of the reports. I'm thinking this whole credit bureau system is just a way for companies to be lazy but when pressed they really don't need it or find a way around. It's starting to look a bit like the emperor's new clothes to me.

            @AC, £7.15, really? I must be out of touch but then I stopped going to such places when the "milkshakes" started to resemble soft pykrete.

    2. Mr Dogshit

      Re: And how...

      If you live in the European Union, after 25th May, that's exactly what you'll be able to do.

      That's exactly what I'm going to do.

      1. tip pc Silver badge

        Re: And how...

        I’ll be writing to all 3 telling them to send me all they know about me and then delete it all.

        1. Herring` Silver badge

          Re: And how...

          It's difficult to see what legal basis they would have for refusing a "right of erasure". There's no statutory reason for them holding the data (that I'm aware of) they are holding it under "legitimate interest" so it can be deleted.

          The thing is, the credit reference agencies have managed to insert themselves into the finance industry as a necessary part of the process. If they can no longer be depended upon, then that changes things for a lot of companies - some companies do a credit check on recruitment even. GDPR + this data breach could have some fairly wide-ranging impacts.

          1. Anonymous Coward
            Anonymous Coward

            Re: And how...

            because banking is my guess.

            1. Adam 52 Silver badge

              Re: And how...

              At the conferences I've been too the banks have been taking a much firmer line than everyone else. They argue that they are required by banking regulations to prevent fraud and verify identity, and using a credit reference agency is a means to do that, so they are covered by the legally required reason for processing. The hole in that argument is what other data they share.

              One particular (American owned) bank openly said that they'd carry on exactly the same as before and ignore GDPR because all of their processing was necessary.

              If anyone wants to feel a bit sad, have a look at the AA's new GDPR terms and see what they consider legitimate interest.

              1. Doctor Syntax Silver badge

                Re: And how...

                "If anyone wants to feel a bit sad, have a look at the AA's new GDPR terms and see what they consider legitimate interest."

                Any company who decides that what they consider legitimate interest is going to have to persuade the relevant regulator that they agree. Remember that it's trying to bend the rules that brings the really big fines.

              2. Anonymous Coward
                Anonymous Coward

                Re: And how...

                They, like everyone else, can claim legitimate interest. However, they need to be able to back this up with documentation that the ICO, or body in other EU countries, will consider is acceptable and that the interest is not overriding that of the data subject. Short version: the interests of the data subject can override the interest of the organisation. Quite a lot of shit will hit quite a lot of fans until these idiot companies actually understand the legislation.

          2. DaveTheForensicAnalyst

            Re: And how...

            "It's difficult to see what legal basis they would have for refusing a "right of erasure". There's no statutory reason for them holding the data (that I'm aware of) they are holding it under "legitimate interest" so it can be deleted."

            They can hold the data without consent under "legitimate interests", as long as your fundamental rights or freedoms aren't obscured.

            On top of that, there are government loopholes at a UK level.

          3. kernelpickle

            Re: And how...

            Well, your silly little GDPR doesn't give you the ability to exist outside of society--and whether you like it or not, modern society has been built upon CRA's like Equifax, Experian, and TransUnion.

            If you were to allow people to apply these insane rules to every organization that they don't trust, you'll have the foil hat brigade telling the police, and other government agencies that they don't trust them--which opens a loophole for all sorts of ne'er do wells to disappear of the official radar.

            What about creditors? If someone owes money to someone they don't trust, what would stop them from filing a request to effectively block them from being able to collect on debts that are owed?!

            Clearly, that simply cannot be how this ridiculousness is intended to function. I don't care how progressive you Europeans think you are, there's just no way that any government, let alone all of your collective governments, would agree to give citizens the right to avoid debts and law enforcement by filing some paperwork.

            It would also break the secondary market for debts as well, because if companies can't share that information, they can't sell your debts to anyone else--which is an annoying and sketchy practice to be sure, but it's big business and big business usually wins over private citizens.

            If indeed you are correct in your interpretation of the law, clearly it was an oversight, and will surely break the system. It would literally plunge the EU into the dark ages, because you'll all have to live without credit and switch to using hard or cryptocurrency for any/all transactions--good luck with that!

            1. Pascal

              Re: And how...

              > "It would also break the secondary market for debts as well, because if companies can't share that information, they can't sell your debts to anyone else"

              Oh, the humanity! What would we ever do if that insane, mafia-like "secondary debt market" system disappear? We'd have to shutdown society or something.

              Secondary debt racketeers are just about as useful to society as pedophiles and murderers, and should be treated the same.

            2. Extreme Aged Parent

              Re: And how...

              Although I do not like what you say, you are correct, and right in saying it.

              We at the bottom of the 'food chain' have no say in what or how we are ruled, e.g. the UK is called a democracy, but really we are in an elected dictatorship, which might or not change every 5 years, and we those of us at the bottom have very little real say in what happens.

              These Equifax companies are run by big business, they control the money, ergo they control us.

              You want out, they have got you covered in all ways, so no way out for you my friend!

              1. Anonymous Coward
                Anonymous Coward

                Re: And how...

                "Let us control the money of a nation, and we care not who makes its laws"

          4. c1ue

            Re: And how...

            I'm no fan of banksters, but credit reliability is very much a "social good" in financial terms.

            The individual who has bad credit is highly incentivized to kill all such data, for example.

            And if you say that this can be compensated for - it can, but the cost is treating all people with little or no credit history as bad credit. This penalizes those who legitimately are just starting their financial histories (usually young people).

            The management of fraud and other criminal activity is another legitimate use case although personally I think credit ratings enable far more than disable. Many of the more sophisticated criminals know very well how to jack up credit ratings artificially.

            1. Anonymous Coward
              Anonymous Coward

              Re: And how...

              > I'm no fan of banksters, but credit reliability is very much a "social good" in financial terms.

              This is true - that credit reliability is a good thing. But Equifax do much more than provide a credit reference check once in a blue moon when you take out a loan or another credit card.

              They sell 'anonymised' data to anyone that wants it. If, for example, MacDonalds want to open a new restaurant in my area they can go to Equifax and buy socio-economic data to see if the area is going to be profitable or not. The only way Equifax can service that request is by keeping tabs on my salary, my mortgage and other loans every month; and do the same for everyone in the area.

              That is nothing to do with providing a credit reference service and just because they have a nice profitable sideline business doesn't mean that they have a legitimate interest in my and my neighbours' data.

          5. Skoorb

            Re: And how...

            Yeah. There is a statutory basis for CRAs to hold your data, that's the thing.

            The ICO rejected complaints that this breached the DPA because CRAs only had consent to hold account information for the duration of the credit account. It said that the retention of such data was permitted under paragraph 6 of Schedule 2 to the DPA because it was necessary for the purposes of the legitimate interests of lenders (so that they could make informed lending decisions) and the information was not retained longer than was necessary for that purpose (i.e. 6 years).

            Similar wording is being placed into the "new" Data Protection Act that is going to replace the old DPA on May 25th to be GDPR complaint.

            The ICO issued a note on this back in 2006.

      2. DaveTheForensicAnalyst
        Facepalm

        Re: And how...

        There is a "Legitimate Interests" loophole under Regulation (EU) 2016/679 (47) which will allow them to reply with a nice "Go away and pester us no more" letter I'm afraid.

        1. Doctor Syntax Silver badge

          Re: And how...

          There is a "Legitimate Interests" loophole under Regulation (EU) 2016/679 (47) which will allow them to reply with a nice "Go away and pester us no more" letter I'm afraid.

          And if the interests they cite aren't legitimate that's a letter that gets forwarded straight to the ICO or whatever you local regulator is.

          1. Adam 52 Silver badge

            Re: And how...

            "And if the interests they cite aren't legitimate that's a letter that gets forwarded straight to the ICO or whatever you local regulator is."

            Trouble is, the ICO is going to be getting thousands of these on May 28th and is going to have to triage in some way. The banks are already regulated by the FCA so I expect them to be way down on the list.

        2. corestore

          Re: And how...

          I think you miss part of my point.

          This is a case where the company has very publicly demonstrated failure to keep some very important personal data safe; that's _why_ the story has been such a big deal.

          I'm asserting that, quite apart from the general principle, such cases are ones where 'severe breakdown in trust' _overrides_ any concept of 'legitimate interests' and would (or should) allow the subject to compel the deletion of data. It's especially egregious in the case of credit reference agencies, as the subject has NO direct contractual relationship with the agency; they're not in any sense a 'customer' of the agency, and they're not free to 'take their business elsewhere' in a free market.

          That's why credit reference is an example of a special case where 'legitimate interests' is (or should be) FAR less compelling even under existing law.

        3. Anonymous Coward
          Anonymous Coward

          Re: And how...

          It is not a loophole, they need to be able to prove why it is a legitimate interest, and why the data subjects interest do not override that interest. This is all part of the regulation, try reading it.

          1. DaveTheForensicAnalyst

            Re: And how...

            From the ICO...

            "It is our view that the condition for processing below covers the sharing of account

            data with the credit reference agencies for the duration of a contract and six years

            beyond."

            “The processing is necessary for the purposes of legitimate interests pursued by the

            data controller or by the third party or parties to whom the data are disclosed, except

            where the processing is unwarranted in any particular case because of prejudice to

            the rights and freedoms or legitimate interests of the data subject.”

            "We take a wide view of the legitimate interests and we consider that it is in the

            interests of other creditors to make informed lending decisions. It is important to note

            here that the fact that the processing may be seen by some to prejudice a particular

            individual (for example, someone with an adverse entry on his credit reference file

            may not be able to obtain credit facilities) does not necessarily render the whole

            processing operation prejudicial to all individuals."

        4. Anonymous Coward
          Anonymous Coward

          Re: And how...

          There is a "Legitimate Interests" loophole under Regulation (EU) 2016/679 (47) which will allow them to reply with a nice "Go away and pester us no more" letter I'm afraid.

          A legal test case may be required to see where that 'legitimate interest' stops. For example, if I apply for a loan, the bank wanting to provide that loan has a legitimate interest in my credit worthiness. However the company providing the credit worthiness service doesn't - on the grounds that their relationship is with the bank not with me.

      3. Anonymous Coward
        Anonymous Coward

        Re: And how...

        they will laugh in your face (politely) and tell you to fuck off. There's a large number of gateway clauses in that well-meaning EU fart, generally to do with "unless required for the purpose of organization"

        ...

        Here, long live wikipedia:

        "Data may not be processed UNLESS there is at least one lawful basis to do so

        (...)

        Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.

        (...)

        i.e. you want mortgage? Sign here, here and here. And here are the terms and conditions, if you care to read them. You're not under obligation to sign, mind you!

        Here's another one:

        (unless)

        "Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child."

        You think your interests as a "data subject" or fundamental rights and freedoms override the "purposes of the legitimate interests pursued by the controller or by a third party"? - such as exifucks? Sure, go squeal to high heavens, TAKE. YOUR. TIME. Or sue us, and we'll look at your mortgage application again, say, in 2038. Morning or afternoon?

        On top of which there are those endless exceptions about terrorism, the wonderful catch-all, i.e. "Lawful interception, national security, the army, the police, justice". But that's a different matter.

        1. Benjamin 4

          Re: And how...

          And if I didn't want a loan, or car finance, or a credit card or any other credit related product and asked them to remove my details accordingly then what would they do then?

          1. Anonymous Coward
            Anonymous Coward

            Re: And how...

            "And if I didn't want a loan, or car finance, or a credit card or any other credit related product and asked them to remove my details accordingly then what would they do then?"

            Probably ask you if you didn't need insurance of any kind (car, life, property, etc). You'd be surprised by the amount of non-credit stuff that credit reference agencies are used for these days.

        2. katrinab Silver badge

          Re: And how...

          "necessary for the performance of a contract"

          is not the same as it's in the contract.

          In order for them to collect your mortgage payments, and hand back the title deeds when you finish paying it, is it necessary for the bank to tell Equifax every month that you made your mortgage payment on time, or not as the case may be?

          1. Killfalcon Silver badge

            Re: And how...

            To be honest, the chances are that the US credit agencies *will* just delete any EU citizen's data on request - it's not their primary market, and probably not a fight worth having.

            If you have the misfortune of living within the US credit market, you're going to have a bad time.

            1. fidodogbreath

              Re: And how...

              To be honest, the chances are that the US credit agencies *will* just delete any EU citizen's data on request

              These companies don't delete, they "delete." Data is a fetish for them, like the 'souvenirs' that serial rapists keep.

              They'll just add a flag to not surface your records in response to external queries. Rest assured that your data will still be sitting in the same poorly secured database, waiting for some script kiddie to steal it using a five-year-old vuln...

      4. Aitor 1

        Re: And how...

        Good luck buying a house.. and I rather doubt they will comply.

    3. ToddRundgrensUtopia

      Re: And how...

      It's possible from the 25th May, yes. One of the basic tenets of the GDPR

    4. bombastic bob Silver badge
      Stop

      Re: And how...

      considering that we never really gave permission to Equifax to collect all this crap, but rather OUR BANKS DID IT FOR US, who can you blame?

      I think "they" have too much power. WAY too much.

  2. Anonymous Coward
    Anonymous Coward

    These hackers need to up their game and start stealing peoples debt. Why that's a nice 2k loan you have there it would be a shame if someone cleared it off. They have the details now.

    1. Anonymous Coward
      Anonymous Coward

      In Project Mayhem

      We have no names.

    2. gnasher729 Silver badge

      Great idea. "We couldn't help noticing that you owe £213,417 on your mortgage. For payment of 2 bitcoins, we will reduce that amount to £113,417"

  3. Mark 85

    I do believe that Equifax should a) send letter to everyone who's data was taken along with a check for say... $100. That alone (just the letters) would cost them a small fortune. b) When they're done with the letters, nuke the whole damn company (make sure to get board and officers) from space. They don't deserve to exist.

    1. David Nash

      "I do believe that Equifax should a) send letter to everyone who's data was taken along with a check for say... $100."

      They already did...the letters at least. I received one. They outlined my options, which don't amount to much really, so I haven't done anything.

      1. Jtom

        Yeah, I got the letter, too. Didn't you love the irony of it? We have the option of getting free credit monitoring service from another company. We just have to provide that company with our name, date of birth, address, Social Security number, driver's license number, account numbers, etc.....and pray that having that info in yet ANOTHER database doesn't cause problems in the future.

        No thanks.

        1. Eddy Ito

          I think that must be a UK only or maybe EU thing. Here in the US I didn't get a letter but still showed up in the online check and I know several others in the US who never got a letter either.

  4. Anonymous Coward
    Anonymous Coward

    I am not sure but...

    Is it actually possible to function without a credit reference agency unless I live off-grid in a commune somewhere?

    Never mind credit cards, getting a phone, or broadband, bank account to pay my pittance into all attract their eye, and indeed backfeeds of my perceived performance.

    I looked at my credit file in the 90's or early 2000's (cant recall precisely) when these outfits were first told to "share" It was, I have to say very "complete" and that was just the financial bit. Indeed they are in a far better position to calculate my tax return than I ever will be. Nowadays they collect all sorts of additional info. Experian, Equifax, Call Credit etc. all have their own focus and data interests.

    Maybe I'll ask again for my records, but I am not at all sure I want to be deleted. These organisations provide a de-facto identity (virtual) card that I am not sure I can do without.

    1. katrinab Silver badge

      Re: I am not sure but...

      They don't have details your income, which is kind of important if you want to complete a tax return. National Hunter (owned by Experian under a separate ICO registration) has details of whatever you put in credit application forms, which often includes income, but that isn't necessarily accurate enough for a tax return.

      1. Woodnag

        S'nuthin

        I got a dump of my data from The Work Number some years ago, and they had every single pay amount from Freescale for whom I have worked, which Freescale voluntarily gave them as part of the network. No, I wasn't asked if it was ok to pass across the highest possible granularity of my pay to a 3rd party data aggregator.

    2. Anonymous Coward
      Anonymous Coward

      Re: I am not sure but...

      WIth no credit reference history just means loans are more expensive.

      ...And more limited in where you get them from (easy for bank your wages go into, outgoings leave from as they can see your financial state, more awkward anywhere else).

      In our partnership all loans have been in my name - because I have a credit history I get offered better interest rates than partner who has never had any loan (except a mortgage) - despite partner earning more, being in a high job security occupation etc.

    3. heyrick Silver badge

      Re: I am not sure but...

      "but I am not at all sure I want to be deleted"

      Would you object to getting a copy of your information and then copy-pasting it here?

      Because that's what it comes down to. A disastrous inability to keep private information private. To be honest I really don't understand how they can suffer a breach of this scale and still be operating. We, as customers, should be holding our banks responsible, for that's where the information originally would have come from; and the more everybody mumbles "credit references" and "anti-terrorism", the more nothing will happen. Screw the many excuses, why are we tolerating doing business with any company that continues to use such an untrustworthy outfit?

    4. Anonymous Coward
      Joke

      Re: I am not sure but...

      > Maybe I'll ask again for my records, but I am not at all sure I want to be deleted. These organisations provide a de-facto identity (virtual) card that I am not sure I can do without.

      If you find it to be a problem, just send them back the records they sent you and ask them to restore it!

  5. jms222

    but a cheque

    but it should be a cheque definitely not a check. They do enough "checking" as it is.

    Unfortunately I can see banks filling the hole left by credit reference agencies. I'd like to be able to claim that they can't possibly get it wrong.

    It's really only them and the land registry that the best handle on what I own and how much money I may or may not have.

  6. Anonymous Coward
    Anonymous Coward

    took them some time to figure out what data they hold

    I suppose it'll take some time for the lifters to figure out what they lifted. Unless they're more organized....

  7. Chairman of the Bored

    Ok, I will bite...

    ...and ask why they've got the driver's licenses and passport information? Tax ID I can almost see, but why the primary ID documents? Maybe I don't want to know.

    1. Doctor_Wibble
      Terminator

      Re: Ok, I will bite...

      They want as many confirmed-unique identifiers as they can, on the off-chance that if one or more of these appears in their data somewhere it can be tied to your specific record as an exact match. It's better than having to mess about with the address-matching algorithm trying to understand that a house called 'goes to eleven' is in fact 13a.

      But more to the point it stands a good chance of opening the door to a longer history than three years of gas and electricity bills - up to ten years from your current passport and if there's a note somewhere about your previous passport number that's another decade of history there.

      New icon needed: machine overlord in a black helicopter...

    2. Anonymous Coward
      Anonymous Coward

      Re: Ok, I will bite...

      The bigger question is why you think the right to drive a motor vehicle identification and the identification required to enter another country (the right to leave and return to your country of origin is enshrined in the UN declaration of human rights) are suitable primary ID documents (ignoring just how many people have neither)? That is merely an abuse of these IDs which should never have started. Why? Because the abuse of their purpose leads to Equifax and friends having them and also leads to an increased risk of identify fraud, you trust random employer inc. to keep your data secure after you hand them over at an interview?

  8. McIntyre

    Medical records also

    With the data they acquired they have been able to get into medical records also. I hope to be able to delete my Equifax data someday. A nice payment for all of the spam calls and email would be nice also. When the Government fines these big companies why don't they have to split the fines with the people who suffered damages? Why does the Government get to keep all the money? Something tells me that corrupt politicians and lawyers are involved.

    1. Doctor Syntax Silver badge

      Re: Medical records also

      "When the Government fines these big companies why don't they have to split the fines with the people who suffered damages?"

      Because the fines are part of criminal law and damages are part of civil law.

      1. DaveTheForensicAnalyst

        Re: Medical records also

        ...unless you specifically go to the case and ask for a Criminal Compensation Order to be made.

  9. macaroo

    SSN

    Social Security Numbers worry me. That number is not easily change as it is assigned for life sometimes at birth.

    1. MJB7

      Re: SSN

      It shouldn't; what should worry you is all those idiot organizations that think your SSN is a secret. It's perfectly fine as a unique identifier (at least, if you only want to deal with legal US residents), but it's an absolutely appalling secret.

    2. Anonymous Coward
      Anonymous Coward

      Re: SSN

      It isn't so bad, there are good odds you are not the only person with that SSN. Maybe they are improving your credit score. (before the downvotes start, google a little bit)

  10. Doctor Huh?

    Why on Earth are the clowns still in business?

    This really should be a complete deal-breaker for anyone. It should be the end of the company. I keep hearing how litigious Americans are, and yet these incompetent morons haven't been sued into oblivion!?!?!

    If only personally identifying information were guarded as closely as the Coca-Cola formula or the Colonel's fried chicken recipe (although the original gravy recipe is the true gem).

    1. DuncanT

      Re: Why on Earth are the clowns still in business?

      BEcause credit reference agencies can afford more lawyers. Suing but business is mostly pointless, other than making lawyers rich. It's like the lottery - sure, somebody somewhere gets some money, but on average you're screwed.

      Class action suits are even worse, for most people.

  11. SVV

    Blame the developer again

    "The cyber-break-in occurred because Equifax ran an unpatched and therefore insecure version of Apache Struts, something it blamed on a single employee."

    Astonishing level of arrogance and incompetence. Management not fit to run a bath, let alone a major credit rating business. No, that's not the fault of a single employee. It's the fault of lack of comprehensive, well researched system architecture, effective code reviews, failure to take responsibility at higher levels, inadequate network, database and application security, both internally and externally, non encrypted storage of personal data, general fuckwittery and many more reasons too in all likelihood.

    Even attempting that crappy excuse to cover up such an appalling systematic set of failures should disqualify the ompany from any more financial services work ever again.

  12. jms222

    > because Equifax ran an unpatched and therefore insecure version of Apache Struts

    Only partially.

    Software like Struts will always have problems like this.

    The question is how is it that the database server's outgoing data rate jumped from its normal level to something to complete an entire export in (guess) hours and nothing got tripped to put the brakes on ?

    At the very least there must suddenly have been queries for more than individual records. How were these even allowed ? We're not talking about an organisation that doesn't have the resources to implement traps for such things even if the implementation was done with trained monkeys.

  13. low_resolution_foxxes

    Perhaps an interesting angle that few have mentioned, assuming this was a genius hack completed successfully, how does a hacker behave? They must be fearful of public trading, with a very small pool with access to the data. Or did they sh*t themselves and delete?

    Wildcards include Russia/Mossad/Beijing/Iran fishing for data on prominent us politicians/businessmen?

    1. fidodogbreath

      They must be fearful of public trading, with a very small pool with access to the data. Or did they sh*t themselves and delete?

      You're assuming that they stole the data for financial purposes. If it was a nation-state attacker, they might be looking for private data / blackmail material on a limited number of high-value intelligence targets. Stealing the whole database obscures the actual targets.

      Combining the Equifax data with other government hacks such as OPM could reveal illuminating info.

  14. Anonymous Coward
    Anonymous Coward

    Yet Equifax will continue raking in the bucks

    Such a massive hack due to gross negligence by Equifax should put them out of business and the executive level administrators should go to prison but instead those whose data was hacked will suffer for years if not decads and Equifax will continue raking in the bucks.

  15. Sgt_Oddball
    Paris Hilton

    why is no one....

    Seriously kicking them for either allowing 1 member of staff to control updates/patching or alternatively making only one member of staff responsible?

    Even in the smallest place I've worked in at least 2 of us cross checked for securiry updates periodically and ensured we regularly migrated to platforms with continuing long term support.

    For a company handling that much data, it's hideously incompetent to allow that to happen ('hit by a bus' is my goto response for having more than one person responsible and knowledgeable about these things. Cancer is another, very real unfortunately argument as well)

  16. smallseo

    Encryption, encryption, encryption ...

    Yes, the break-in was due to unpatched holes, but the data-theft was only possible because customer data wasn't enrypted.

    It should be illegal not to encrypt cutomer data.

    1. tip pc Silver badge

      Re: Encryption, encryption, encryption ...

      It doesn't matter if the data is encrypted at rest if an internal machine that has access to the encrypted data is compromised and does the data extraction.

      this type of security requires many virtual rings to protect the data.

  17. Anonymous Coward
    Anonymous Coward

    Germans wil f&^k em up with GDPR first

    That is all...

  18. rmstock

    Equifax CEO Collected $90 Million

    Equifax wiki : "Equifax Workforce Solutions is one of the 55 contractors hired by the United States Department of Health and Human Services to work on the HealthCare.gov web site.[15] [15] USAtoday, front page October 24, 2013, “Hot seat for stealth website builders" So this was one of the IT companies which designed and runs Obamacare, hired by the Obama Administration. Next a single member of the company's security team misses to apply a patch for Apache Struts security vulnerability CVE-2017-5638 which landed in March 2017. Equifax CEO Rick Smith was forcibly retired for this later "Equifax CEO Richard Smith Who Oversaw Breach to Collect $90 Million" http://fortune.com/2017/09/26/equifax-ceo-richard-smith-net-worth/ . This stinks from high heaven. All this happened while President Trump was trying to fix health-care in US Congress. This has all the hallmarks of a secret service job attempting to bring American Healthcare in serious trouble.

  19. DerekCurrie
    FAIL

    Irresponsible Business That Damages The Citizenry? Shut It Down.

    Businesses are allowed to run for the benefit of the citizenry. If they do the opposite, it is the responsibility of every government to protect the citizenry and shut down the detrimental business.

    What comes next depends upon circumstance. But in this case, Equifax can have its services sold off to other competing services then have the business entity erased. That's what should happen. But seeing as the US government has been corrupted into a blatant corporatocracy that, in general, serves to abuse the citizenry for the sake of parasitism, not capitalism, I suspect worthless Equifax will be allowed to abuse onward.

    Corporatocracy <--Destroy that. And please don't go reactionary and think loon-level liberalism is any better. Benefit the people, as in ALL the people, within a viable, sustainable system of fairness, ideal capitalism.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like