Archive for Equifax

Yahoo And Equifax Apologize To Congress For Being Pwned In Epic Fashion

Posted in Commentary with tags on November 8, 2017 by itnerd

Equifax and Yahoo are two companies that have been pwned in spectacular fashion over the years. And in both cases, they really haven’t fully stepped up to take responsibility for that pwnage. Today, Marissa Mayer, the ex-CEO of Yahoo, and Richard Smith, the ex-CEO of Equifax, along with current Equifax CEO Paulino do Rego Barros, Jr., were in front of Congress in the public flogging known as a Congressional Hearing to say “sorry”:

Mayer opened her testimony with an apology, pointing out that Yahoo had been hit by a sophisticated attack from Russian hackers, one that even the best security couldn’t have stopped.

“These thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users,” Mayer said.


Equifax’s interim and former CEO apologized for the company’s failures and touted all the tools it’s offered to victims affected by the breach. That includes a credit-monitoring app that will be available in January and free credit locks from the company.

“We did not meet the public’s expectations, and now it’s up to us to prove that we can regain their trust,” Barros said.

However, sorry doesn’t cut it with Congress. When mid-term elections are a year away, it REALLY doesn’t cut it as evidenced by this:

Seemingly unsatisfied by most of the solutions offered by the company—beefing up their security and improving customer relations—Sen. Nelson insisted more work was required. “It’s going to take an attitude change among companies such as yours, that we’ve got to go to extreme limits to protect our customers’ privacy.”

Well, no kidding. I’ve said for a while that if a company gets pwned and data gets stolen, the company must face some sort of penalty that not only severely hurts the company in question, but sends a message to other companies that pwnage is not acceptable. The question is, will that actually happen? I guess if you’re American, it’s time to call your Congressman and Senator to make sure it does, because the next epic hack will happen unless companies are forced to beef up their defenses.


Equifax Won’t Be Getting That $7 Million Contract From The IRS….. For Now

Posted in Commentary with tags on October 13, 2017 by itnerd

Politico is reporting that the $7 million contract that the IRS gave Equifax to do fraud prevention…. Yes, that same Equifax that was pwned in epic fashion…… Has been suspended:

The IRS plans to continue reviewing the security of Equifax’s systems during the suspension. The agency had previously said its hands were tied and it had to keep the contract with Equifax.

“The IRS emphasized that there is still no indication of any compromise of the limited IRS data shared under the contract. The contract suspension is being taken as a precautionary step as the IRS continues its review,” agency spokesman Matthew Leas said in a statement.

What could they possibly be reviewing? This is a company that had such craptastic IT practices that it was on the wrong end of the most epic pwnage in history. If that’s not a reason to steer clear of them, I do not know what would be.

Sometimes, you have to just shake your head.

Equifax Pwnage Gets Worse…. Much Worse

Posted in Commentary with tags on October 12, 2017 by itnerd

The hits keep coming from the saga of Equifax getting pwned in epic fashion. First up is this story that a reader pointed me towards:

Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain that looked like this:

He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.

Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. 

Wow. Now, once the post that I linked to went online, the attacks stopped. So it is possible that Equifax got control of things again. But the fact that this even happened suggests that these clowns have learned nothing from being pwned.

But I’m not done yet. It now seems that, as part of the epic pwnage of Equifax, 10.9 million U.S. driver’s licenses were stolen:

10.9 million U.S. driver’s licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got a hold of 15.2 million UK customers’ records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver’s licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency’s system.

The higher number of UK customers whose info was swiped was something that I told you about yesterday. But the 10.9 million driver’s licenses is new. That sort of information could cause havoc for years. I truly feel that we are still just learning how bad this pwnage was, and perhaps (though unlikely) not even Equifax truly knows how much they were pwned. And we may never find out for sure. But every detail that does come out shows that this is bad….. And getting worse.

Equifax Now Says 700,000 UK Citizens Affected By The Epic Pwnage

Posted in Commentary with tags on October 11, 2017 by itnerd

According to The Telegraph, the number of UK Citizens that were affected by the pwnage of Equifax has increased to 700,000 from 400,000. The source of this info? Equifax:

Equifax has admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised. 

The credit rating firm said it is contacting nearly 700,000 customers in the UK to alert them that their data had been stolen in the attack, which was revealed in September.

The company originally estimated that the number of people affected in the UK was “fewer than 400,000”. 

But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers, phone numbers. The stolen data included partial credit card details of less than 15,000 customers.

Hackers potentially compromised a further 14.5 million records that could have contained names and dates of births. 

Things keep going from bad to worse when it comes to this situation…. For the consumer. This is yet another reason why these clowns need to be punished in the most severe way possible. Companies cannot be allowed to think that they can be complacent with information security and control customer information at the same time.

#Fail: Equifax Made Work & Salary Histories Available To Anyone With Your SSN and DOB

Posted in Commentary with tags on October 10, 2017 by itnerd

The dumpster fire that is Equifax flared up again with news that Equifax had a site that allowed one to get salary and work histories with as little as a Social Security Number and a date of birth. Details via Brian Krebs:

In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

This is another reason why there needs to be not only severe punishment for this stupidity, but also strict regulations to ensure that this stupidity doesn’t happen again. We’re seeing what can happen in the absence of both, and this isn’t a nice place to be.

IRS Awards $7 Million Fraud Prevention Contract To Equifax…. WTF?

Posted in Commentary with tags on October 4, 2017 by itnerd

I am not sure that the IRS got the memo, but Equifax was pwned in spectacular fashion not too long ago. Thus you have to wonder what the logic is behind the IRS giving them a $7 million fraud prevention contract:

The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans. A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award. The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract. Lawmakers on both sides of the aisle blasted the IRS decision.

This is truly a WTF moment as it makes no sense to give a contract like this to these clowns who have proven to be totally and completely inept when it comes to protecting personal information. The humans at the IRS who thought that this was a good idea need to be called onto the carpet to explain why this decision isn’t from some alternate reality.

Ex Equifax CEO To Congress: It’s Not My Fault That We Got Pwned

Posted in Commentary with tags on October 3, 2017 by itnerd

It seems that Richard Smith, who was the CEO of Equifax until they got pwned by hackers in epic fashion and then very quickly “retired”, started attending a variety of Congressional hearings today. In his testimony, he issued an apology but deflected any blame for this epic pwnage:

During the hearing, Smith gave an inside perspective on how Equifax lost all that data. He opened with an apology, taking responsibility for the breach and the botched response. 

The door was opened for the breach earlier this year. Equifax had learned in March about a weak spot in the Apache Struts software in a key computer system, but never patched it. Smith said Equifax did everything it was supposed to, but still failed to protect its data.

In his testimony, Smith laid the blame on a faulty scanner for not flagging the vulnerability on March 15 and on a single Equifax staffer responsible for mishandling patches on March 9. He did not name the person.

“Both human deployment and the scanning did not work. But the protocol was followed,” Smith said. 

Wait… He was the CEO at the time. That means the buck stops with him, as he is the leader of that company. Right? Isn’t that what leadership is about? I guess he doesn’t see it that way. I should note that he somehow didn’t ask if customer data was swiped, and he couldn’t remember when he had spoken to people about the epic pwnage. None of that passes the smell test.

Oh, there was also this tidbit:

The company, which has 9,900 employees, only had one person in charge of its patching process, Smith said.

Clearly security wasn’t a focus for this company despite the fact that they handle all sorts of personal information. #EpicFail. One politician summed it up this way:

Several House committee members suggested federal laws to regulate credit monitoring companies like Equifax. [(R) Rep. Greg] Walden bluntly noted that it would be difficult to stop cyberattacks from human errors like the one Equifax suffered.

“I don’t think we can pass a law that fixes stupid,” Walden said.

No, but I think you can pass a law that punishes stupid stuff like this.
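The testimony quoted above describes two controls that both failed at once: a vulnerability scanner that did not flag the Apache Struts weak spot, and a single staffer responsible for getting the patch deployed. A practical defensive lesson is to have a third, independent check that does not depend on either: inventory the Struts jars that are actually on disk in each deployment and compare their versions against the minimum your advisory names. The script below is an added example (not code from Equifax, Apache, or the article quoted); it assumes the standard Maven layout in which a struts2-core jar carries `META-INF/maven/org.apache.struts/struts2-core/pom.properties` with a `version=` line, and falls back to the version in the filename when that file is absent. The per-branch minimum versions are placeholders; substitute the ones from the advisory you are acting on. The sample jars it builds in a temporary directory are constructed fixtures.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Any struts2-core jar, with or without a version in its filename.
JAR_FILE = re.compile(r"^struts2-core(?:-.*)?\.jar$")
# Version embedded in the filename; used only when the jar has no Maven metadata.
FILENAME_VERSION = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")
# Standard Maven artifact metadata path inside the jar (assumption: default Maven layout).
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"

# Placeholder minimum patched version per release branch (constructed values;
# substitute the versions named in the vendor advisory you are acting on).
MINIMUM_BY_BRANCH = {(2, 3): (2, 3, 99), (2, 5): (2, 5, 99)}


def parse_version(text):
    """'2.3.30' -> (2, 3, 30) so that tuple comparison orders versions correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def jar_version(path):
    """Return the jar's version tuple, or None if it cannot be determined."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM_PROPERTIES in jar.namelist():
                props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        return None  # not a real jar: treat as unknown
    match = FILENAME_VERSION.match(Path(path).name)
    return parse_version(match.group(1)) if match else None


def is_unpatched(version):
    """Unknown version or unknown branch is flagged: fail closed, review by hand."""
    if version is None:
        return True
    minimum = MINIMUM_BY_BRANCH.get(version[:2])
    if minimum is None:
        return True
    return version < minimum


def find_unpatched(root):
    """Walk a deployment tree and list every struts2-core jar below the minimum."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not JAR_FILE.match(name):
                continue
            path = Path(dirpath) / name
            version = jar_version(path)
            if is_unpatched(version):
                label = ".".join(map(str, version)) if version else None
                findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)


def make_sample_jar(path, version=None):
    """Constructed fixture: a minimal jar, optionally with Maven pom.properties."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=struts2-core\n")


def demo():
    """Build four constructed deployments and report which ones need attention."""
    root = Path(tempfile.mkdtemp())
    make_sample_jar(root / "app1/WEB-INF/lib/struts2-core-2.3.30.jar", "2.3.30")  # old
    make_sample_jar(root / "app2/WEB-INF/lib/struts2-core-2.3.99.jar", "2.3.99")  # at minimum
    make_sample_jar(root / "app3/WEB-INF/lib/struts2-core-2.5.10.jar")  # filename only
    make_sample_jar(root / "app4/WEB-INF/lib/struts2-core.jar")  # no version anywhere
    return find_unpatched(root)


if __name__ == "__main__":
    for relpath, version in demo():
        print(f"NEEDS REVIEW: {relpath} (version {version or 'unknown'})")
```

Run it against a real web root by calling `find_unpatched("/path/to/deployments")` from a cron job or a configuration-management check; anything it returns is a deployment where the patch either never landed or cannot be confirmed, which is exactly the gap that a scanner miss plus a single point of human failure left open.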