the Equifax breach

by Michael Werneburg
on 2017.09.23

You are here:
Risk topics
» Risk topics blog
November, 2017
· the unsafe workplace and the body's response

October, 2017
· ISACA article is live

September, 2017
· published
· the Equifax breach
· Tracking Vulnerability Fixes to Production

August, 2017
· evaluating third party cyber risk

July, 2017
· getting it wrong with R
· de-identifying health information
· that's a lot of tracking!

June, 2017
· gaming Google news
· privacy in this day and age
· another record breach
· writing an industry standard
· ISACA article accepted

May, 2017
· Covey time-management quadrants
· safe harbor de-identification of health data
· an ISACA article

April, 2017
· my guide on managing third party risk
· PMP for five years
· metrics that matter
· 720 reads in 48 hours
· I lost my job

March, 2017
· farewell, SIRA board
· the message and the medium
· an interesting take on consulting

February, 2017
· the ever-expanding sh*tlist
· claiming professional expenses in Canada
· get cyber safe
· the flight of the wealthy

January, 2017
· virtual kidnapping
· financial industry vendor management

November, 2016
· securing your life
· yet another reason to patch


more...

I've gotten questions from a variety of people about the Equifax breach, and what it means to them in terms of potential ID theft.

In my opinion, it's clear that Equifax—and by extension, one can assume all of the credit bureaus haven't invested in adequately securing the data. I'd like to say I'm surprised, but it's clear that they are incompetents with a parasitic view on society and view their account-holders as a nuisance (more on that below).

Assuming you have not already experienced identity theft, there are two simple precautions you can take.

1) Contact all of the credit bureaus in the country and have them put a "freeze" on your account (here's the Equifax link). This will mean that anyone trying to open credit in your name has to phone you. This isn't the default behavior at the credit bureaus because it slows down the shower of free money that is the credit bureau business model.

2) Open an account with a small company called Credit Karma to get alerts when something shady happens on your account. It's free. As a bonus, you get to see your "Beacon" score. They use the credit system of TransUnion. They can offer free services because they have advertisements for things like credit cards directly inside the reports they offer.

3) Check your credit report at each of the credit bureaus. You'll almost certainly find some mistakes (it's on us to clean these up) and this security mess just makes it more necessary.

It's a shame that securing this data is beyond Equifax and its ilk, but this incident has laid bare what monsters these people really are. The vulnerability that allowed this breach was published by researches in March, and Equifax did nothing. The breach occurred in May, but Equifax didn't notice until the end of July.

Equifax then delayed advising its US cattle I mean "clients" for six weeks following the breach, apparently so that their executives could sell stock in advance of the inevitable hit to the stock price. In Canada, the Equifax website currently says "We will be proactively contacting impacted customers by mail"—a funny use of the term "proactive", given it's been two months, and a funny use of the slowest possible medium of sharing news.

They initially tied the "free" credit alerting service they flog to waiving the right to join a class action suit (attracting the attention of the attorney general's office). They've now dropped it, but they're still flogging a $20/month monitoring and alerting service that does the same things as the free service from Credit Karma.

When they were through with securities fraud and their summer vacations, Equifax set up a site so that people could determine if they'd been impacted, but sent people to a bogus site set up by a well-intentioned individual (who I suspect will just get himself sued). Why a new site? I guess it's the sort of thing that happens when you've fired your CISO.

I've been ignoring writing about this mess, but the questions have kept coming, so I thought I'd write something. All of this was gleaned from public sources. Mistakes and ill-temper are my own.

current
big list
first