LEAKED: Worst Data Hack in US History Gets Worse

What else has Equifax not disclosed yet?

The Equifax hack just keeps getting worse. The first revelations were made on September 7, that Equifax had discovered on July 29 that it had been hacked sometime between “mid-May through July,” and that the crown jewels of consumer data, including Social Security numbers, on 143 million US consumers was stolen. The tally has since been raised to 145.5 million consumers. In terms of quantity and sensitivity, it was the worst consumer data hack in US history.

“In some instances” driver’s license data were also stolen, the company disclosed at the time. Driver’s license data includes license number, name, address, date of birth, and basic physical features of the person. This is important and valuable data for identity thieves and other fraudsters and fills in some gaps in the other data that had been stolen.

But without telling consumers, Equifax went around and told its customers – mainly banks and credit card companies – that the tally of driver’s license data that had also been stolen, previously minimized with the phrase “in some instances,” amounted to driver’s licences of 10.9 million consumers.

This wasn’t an announcement disclosed by the company in a vapid and robotically apologetic press release, but was leaked by “people familiar with the matter,” and reported today by the Wall Street Journal.

The fact that consumers whose DL data had been stolen, and who had thereby become more vulnerable to certain kinds of fraud, were deemed not to need to be informed about it underscores the simple fact that, for Equifax, consumers are just the lowly product – and dealing with that product is just an expense.

How did Equifax even get this driver’s license data in the first place?

In many cases, Equifax asked consumers for their driver’s license number when they contacted the company, claiming it was needed to verify their identity. In other cases, Equifax asked for the DL number at its website set up to resolve credit-report discrepancies. The Wall Street Journal:

The dispute-resolution page appears to have been at least one avenue hackers used to access the company’s systems. This was done by hackers exploiting a security vulnerability in software that ran on the dispute portal’s web application.

Former CEO Richard Smith said during the congressional hearings last week that Equifax had seen a public notification of this vulnerability, for which a patch already existed. He then blamed one sole and solitary employee and a system scan for the whole fiasco, claiming that this employee failed to tell others to patch this vulnerability, and that a system scan failed to detect the missing patch.
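The failure mode described above is a single point of failure in a patch process: one person did not pass the notice along, and the scan that should have caught the missing patch did not. As an added illustration (not Equifax's tooling or process), the check below reconciles a vulnerability notice against two independent sources, an asset inventory and scanner output, so that a gap in either one surfaces as a finding rather than passing silently. The component name, version numbers and host names are constructed sample data.

```python
"""Reconcile a vulnerability notice against inventory and scanner output.

Added example, not from the article or from Equifax. Two independent
sources are cross-checked so that a miss in either one becomes visible:
  - hosts the inventory says are below the fixed version ("unpatched"),
  - hosts among those that the scanner did NOT flag ("scanner_missed"),
  - hosts the scanner flagged that the inventory does not know ("scanner_only").
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Notice:
    component: str
    fixed_in: tuple  # first version that carries the patch


@dataclass(frozen=True)
class Asset:
    host: str
    component: str
    version: tuple


def parse_version(text):
    """Turn '2.3.31' into (2, 3, 31) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(asset, notice):
    """True when the asset runs the affected component below the fixed version."""
    return asset.component == notice.component and asset.version < notice.fixed_in


def reconcile(notice, inventory, scanner_flagged):
    """Return the three finding lists; any non-empty list needs a human to act."""
    unpatched = sorted(a.host for a in inventory if is_vulnerable(a, notice))
    flagged = set(scanner_flagged)
    scanner_missed = [h for h in unpatched if h not in flagged]
    known_hosts = {a.host for a in inventory}
    scanner_only = sorted(flagged - known_hosts)
    return {"unpatched": unpatched,
            "scanner_missed": scanner_missed,
            "scanner_only": scanner_only}


# Constructed sample data (hypothetical component "webfw" and hosts).
NOTICE = Notice("webfw", parse_version("2.3.32"))
INVENTORY = [
    Asset("dispute-portal-01", "webfw", parse_version("2.3.31")),  # unpatched
    Asset("dispute-portal-02", "webfw", parse_version("2.3.32")),  # patched
    Asset("intranet-app-07", "webfw", parse_version("2.3.30")),    # unpatched
    Asset("static-site-03", "other", parse_version("1.0.0")),      # not affected
]
SCANNER_FLAGGED = ["intranet-app-07", "legacy-box-99"]  # scanner missed portal-01

if __name__ == "__main__":
    for kind, hosts in reconcile(NOTICE, INVENTORY, SCANNER_FLAGGED).items():
        print(f"{kind}: {hosts}")
```

The point of the reconciliation is that a scanner that silently misses a host, or a notice that never reaches the right team, shows up as a discrepancy between sources instead of as an absence of findings.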

So this information of the stolen driver’s license data of 15.9 million US consumers was leaked by “people familiar with the matter.” At the same time in the UK today, the company did disclose an additional whopper.

During the September 7 disclosure, the company said that “limited personal information for certain UK and Canadian residents” had also been compromised. A week later it said that about 400,000 consumers in the UK may have had their personal data stolen in the hack. Today, in a UK disclosure, Equifax added some detail about what “certain” and “400,000” really meant…

Turns out data of 15.2 million UK consumers has been stolen. That’s 30% of the UK population aged 20 and over. The file that was compromised contained records dating from 2011 through 2016. The company claims that records of 14.5 million of these consumers contained only the name and date of birth and didn’t contain data that would put consumers at risk. But sensitive information was stolen that put the remaining 693,665 consumers at risk.


  34 comments for “LEAKED: Worst Data Hack in US History Gets Worse”

  1. truth always says:

    Here is a solution:

    Facebook buys Equifax. “We can protect you better than anyone else since we already know your behavior; just missing a few details which Equifax purchase gets us”.

    Facebook – we offer iPhone X for identity protection if you use as exclusively for signing on to the web or elsewhere digitally.

    Your face is your identity!

    • chip javert says:

      Solution #2- business will not pay attention to this until it becomes existentially expensive:

      1) If a commercial/governmental enterprise gets hacked, it must publicly report the incident within 15 days of detection (certain exceptions granted if extra time allows hackers to be caught in the act);
      2) Commercial/governmental enterprise must notify affected individuals by USPS that their data has, or probably has, been stolen;
      3) Commercial/governmental enterprise is liable for 5years of free credit protection all hacked individuals, plus an additional $500 to anyone proving direct loss resulting from stolen data.

      If this were in force for Equifax, 143M stolen ID @ $25 (free credit protection) = about $3 Billion; if 10M can claim direct damage, that’s another 10M @ $500 = $5 billion. THAT will get people’s attention.

      • chip javert says:

        I almost forgot:

        Equifax currently has retained earnings of $4.7B – Solution #2 would bankrupt them.

        • fajensen says:

          Why is that a problem? Let them die to clear the space for someone more competent. That is how it should work, in a normal world.

          Capitalism has cancer, probably in “stage 2/3” and the odds of survival without a radical treatment regime are not good.

          The cancers are: Incompetence, Corruption and Fraud.

          Fraud is the malignant melanoma of the bunch: When there is no enforcement, Fraud will outcompete all other businesses because with fraud one essentially provides nothing for something, which is not easy to beat.

      • Kraig says:

        Loss of UK data under the data protection act will make the disclosers criminally liable (and the executives too if they have not been trying to prevent/stop it). Hope they are prosecuted and carted off to jail in a high profile case. That will make them take notice.

    • robt says:

      I will assume you are being sarcastic.
      Mass data centralization is contradistinctive to the concept of security.

  2. curious cat says:

    Well, Equifax is not telling the truth? Imagine.

    And who cares?

    From the movie “The Big Short”

    “Truth is like poetry.
    And most people f___ing hate poetry.”

    Nice to see that Richard Thaler won the Nobel Prize in economics. He is one of the few economists (the behavioralists) who understand that people act irrationally. Companies that understand that, and which study the ways in which they act irrationally, are able to fleece the flock. Equifax just got sloppy.

    But consumers are more outraged about kneeling at football games than having their identities stolen. It’s a really interesting world.

    • chip javert says:

      Curious cat

      “But consumers are more outraged about kneeling at football games than having their identities stolen”

      I disagree. The millions upset by kneeling are reducing TV viewership, not buying football tickets, and probably cord-cutting to strangle ESPN. So far, they’re having some impact.

      Exactly what is it we can do about Equifax? Stand at their front gate and boo as employees drive to work in the morning?

      • TJ Martin says:

        Millions upset by what’s going on with NFL players? Try more like barely thousands, but more like hundreds, with that minuscule minority having little or no impact whatsoever on what was already a (rapidly) declining TV viewership and ticket buyers. Fact, not bloviated fiction.

        As for Equifax and what we as consumers can do about it (along with every other digital platform)?

        Simple… come to the very real conclusion that the only thing you can be secure about when it comes to internet/digital security is that there is no such thing as internet/digital security. Why?

        Code Breaking 101 – Any code written or devised by a human being or a machine created by a human being can be broken with relative ease by another human being or machine created by a human being, assuming there is enough motivation to justify the effort and adequate gain to be had. Period!

        • LS says:

          Sorry – you are wrong. Go study the work of Claude Shannon during WWII. His mathematical work on encryption was declassified by the Truman administration in 1947.

  3. TEM says:

    Thank you for your excellent articles on the Equifax credit breach and information regarding implementing a credit freeze. I was unaware that a fourth credit reporting agency, Innovis, existed. A credit freeze should be requested at this bureau as well as Experian and TransUnion. A credit freeze can be invoked online at their website for no cost.
    https://www.innovis.com/securityFreeze

    • Wolf Richter says:

      There are a lot of smaller credit bureaus out there, and many of them may NOT have your data. By asking them to do a credit freeze, you have to supply them your data. Now they have something they didn’t have before, and you would have been better off NOT contacting them.

      Hence I’m not recommending a credit freeze at the smaller credit bureaus, including Innovis, but I’m also not recommending against it. This is a toss-up to be evaluated carefully.

  4. zoomev says:

    “…He then blamed one sole and solitary employee and a system scan for the whole fiasco, claiming that this employee failed to tell others to patch this vulnerability…”

    So their internal business processes are such that 140+ million accounts are vulnerable to a single mistake by a single employee?

    This is full admission that their top leadership are culpable…such freaking arrogance.

    • FunkyTown says:

      Exactly… even a primitive software QA / security organization institutes processes with checks and balances so they do not fail due to one person’s mistake. This implies that (a) they had immature processes and (b) the senior management was clueless; both astounding given their business sector.

  5. AlbieOK says:

    Until there are prosecutions it will continue to be “same as it ever was.”

  6. Anon1970 says:

    Some senior executives at Equifax need to be prosecuted and sent to prison for a few years. There is no point in destroying the company and causing thousands of low level employees to lose their jobs and a big chunk of their 401k plans.

    • IdahoPotato says:

      Departing Equifax CEO Richard Smith will collect $72 million this year and $17.9 million over the next few years.

    • polaris says:

      Agreed! I guess all those white hats that Companies routinely label as “failing to be team players; disgruntled, morale robbing Debbie Downers,” who were stupid enough to take their jobs seriously and honestly!

    • polecat says:

      Absolutely NO softy Club Fed prison for these execs ! .. let them stew in a real panopticon, like the lowly shlubs ..

    • Frank says:

      Really no point!
      I don’t agree.
      Employees are just as culpable as their employer.
      There is a great quote from the Western Lonesome Dove,
      “You ride with the outlaw, you die with the outlaw.”

  7. Polaris says:

    How about we enforce the laws on the books. Liquidate this damned company, put their officers and Directors on trial, and if found guilty – put them in JAIL like they did in Iceland! Only the REAL threat of jail will stop these MFers!!

    • Gershon says:

      Only the REAL threat of jail will stop these MFers!!

      True, but ‘Muricans vote for members of the Republicrat duopoly who are captured by Wall Street, who then appoint AGs like Eric Holder who are there to provide a veneer of legitimacy while ensuring no members of the Big Club need ever fear criminal consequences for breaking the law. And who are handsomely rewarded by plum Wall Street jobs after their “public service.”

      “All animals are equal, but some animals are more equal than others.”

      — George Orwell, ANIMAL FARM

  8. Realist says:

    Check out the EU data protection directive. That is some serious stuff, although I don’t know whether Britain ever will implement it or not.

    • Stevedcfc72 says:

      Hi Realist,

      I can vouch that whether the UK will be following the EU data protection directive. I worked for a company who held a lot of client data.

      If any of that was ever leaked in whatever way we would have been in serious trouble – we would have been closed down.

      I fully expect with the data breach in the UK that Equifax UK operations should be shut down.

  9. raxadian says:

    This sounds a lot like the Yahoo hack in that they at first tried to minimise it.

    Most likely Future news, ALL DATA WAS STOLEN! If you didn’t get your credit freeze do it already.

  10. Enrique Bermudez says:

    You give drivers’ license data to these vultures when requesting a credit freeze, no?

    That favourite underlying point of mine aside, I can envision a Pandora’s box of litigation/other legal consequences flowing out of this for years on end. Hopefully resulting in a re-ordering of the entire consumer credit reporting system.

    Not holding my breath here by any means, but the way things have been done in the US as far as this goes never was particularly efficient or effective. Perhaps a good catalyst here for junking it all.

    Of course the endgame probably results in some utterly horrific entity such as Google or Facebook being in charge of this process on some level. Or, file under “watch what you wish for.”

  11. Miss Lacy says:

    I wonder – and worry – about the “provide security for the IRS” contract which Equifax recently received from Con-gress. Is that contract in addition to the one which Lockheed Martin currently has for “data entry?” Will the Equifax contract be cancelled? Why are we paying these guys?

    • polecat says:

      ‘We’ aren’t the ones paying for these bogus contracts. Our fraudulent government betters are with your tax-donkey proceeds.

      It’$ the Peter Principle on a grand scale !

  12. Jim Graham says:

    Enrique Bermudez wrote:

    “”That favourite underlying point of mine aside, I can envision a Pandora’s box of litigation/other legal consequences flowing out of this for years on end. Hopefully resulting in a re-ordering of the entire consumer credit reporting system.””

    While reading the post by Enrique Bermudez I had a crazy thought.

    With the severe debt load we now have – which may become unserviceable in the near future – there will be only two classes of people – those that live within their means and have cash on hand and do not need credit in any shape, way or form – and those that have gone bankrupt and have nothing…..

    IF you want to borrow money you are automatically turned down because you have not been prudent with your financial affairs….

    Ergo, there will be no need for a credit reporting system of any type..

    • junior_kai says:

      Basically that’s what I’m evolving to – if I need to borrow I probably shouldn’t but it.

      And I’ve always longed for a rule that values an average human in dollar terms – I think they do this based on wrongful death suits – but reverse it and have a law that says if you steal or damage an amount X in dollar terms that is some multiple of what a person’s life is worth, the punishment is a function of that. So if a person is worth 2M, and you steal or cause the equivalent damage of say 4M, that’s the equivalent of killing 2 people and you get the same punishment as someone who killed 2 people. We would finally rein in the out of control (((white collar criminals))).

  13. TheDona says:

    Their customer help page had been hacked all along. LOL

    Looks like they hired a third party to help with the increased web traffic and make an easier “freeze” page. Or make an easier information hijack page as it were.

    https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/?comments=1

  14. Kenny Logins says:

    So as a UK resident who only has a bank account/cc with that same bank, and no credit elsewhere, do I need to worry?
    I’ve never used any credit checkers bar those done on my behalf, mostly when looking at a car and seeing what deals they can do (usually min credit to get max contributions)

    This is what is annoying. It seems consumers now have to educate themselves and clean up the (potential) mess!

    I dare not even use a credit checker to check my credit in case I’m putting data out there that isn’t already.

    Sigh!

  15. Pete says:

    what really pisses me off is that all the financial and other institutions that utilise these credit reference agencies have been deathly silent. In other words they don’t give a frig.
    It would be very simple for them to identify and support their affected customers by sending them a warning that they are at risk, but also to set flags against their accounts to be extra vigilant against fraud. Even better migrate those accounts to new ones for those customers, to reduce likelihood of fraud on those accounts.

Comments are closed.