• Bloomberg: Three Equifax execs sold $1.8 M in stock days before hack was announced

    #132654

    You know about the hack, yes? Equifax has officially disclosed: Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impactin
    [See the full post at: Bloomberg: Three Equifax execs sold $1.8 M in stock days before hack was announced]

    4 users thanked author for this post.
    • #132663

      Advice to all:  Freeze your credit with all four agencies right now.  If you had it frozen already, take steps to make sure it stays frozen.

      https://krebsonsecurity.com/2015/11/report-everyone-should-get-a-security-freeze/

      The links on that page for the four agencies are a bit out of date.  Here are the correct URLs:

      Equifax:  https://www.freeze.equifax.com

      Experian: https://www.experian.com/ncaconline/freeze

      Innovis:  https://www.innovis.com/personal/securityFreeze

      Transunion: https://freeze.transunion.com

       

      ~ Group "Weekend" ~

      2 users thanked author for this post.
    • #132664

      “Equifax has established a dedicated website, http://www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.”

      The problem is that the Equifax mea culpa article is self-referential:  The above-mentioned link simply refers back to the article itself.  So it doesn’t provide any way of discovering whether a particular customer has been impacted.

      4 users thanked author for this post.
      • #132670

        https://www.equifaxsecurity2017.com/ has links to be able to find out more information, and to enter your name and parts of SSNs to check if you are impacted.
        Maybe this has been updated since you reported its lack of functionality?

        2 users thanked author for this post.
      • #132700

        Exactly. You have to click the “Enroll” button at the bottom. And wait until the date that’s posted. A real mess.

      • #132727

        The website tells you nothing. As Woody said, you put your last name in and 6 digits of SSN and it gives you a date next week to sign up through a twisted path on a specific date for credit monitoring. But you get no information.

        After a full day of trying to get through on the phone I did get through on the phone and they tell you nothing.  I was told to call back in 72 hours.  I asked 72 hours from when the breach was announced or from my phone call.  She said my phone call.  I said if I call back in 72 hours will I be told the same thing?  She said no.  I asked how she knew that since she had not taken any information from me and made no notes in a file.  She had no answer.

        This is just a joke and has been handled/ is being handled very poorly especially since more than a month has passed since the breach was found and it is just being announced now and dealt with.

        • #132777

          Does anyone besides me think that visiting a site with a domain equifaxsecurity2017.com that then takes you to a site hosted on domain trustedidpremier.com where you’re supposed to enter your name and most of your SSN smells like a phishing scheme?

          What reason do we have for trusting ANY of those sites?

          My advice: Don’t provide any more personal information to anyone as a result of this breach. And CERTAINLY don’t sign up for something that will ultimately cost YOU.

          Also, my hope: Something as serious as this could get the DoJ, Congress, the Senate – heck even the President – taking a hard look, and maybe we might see some legislation that reins in the stupidity.

          -Noel

          7 users thanked author for this post.
          • #132794

            I agree.

            Why would I send any info to a company that has just demonstrated an utter inability to keep that sort of info safe.

            In case any of you don’t know, the 1st 3 digits of an SSN are the easiest to get/guess because they are determined by one’s place of birth and year of birth. I’m not exactly sure how that works, but I would advise everyone to resist the urge to send the last 6 digits of their SSN to anyone.

            Another thing you might want to consider is setting up an account on the Social Security Administration web site. You’ll have to weigh how secure you think they keep your data against the fact that if someone knows enough about you, they likely could set up a fake account in your name with your SSN. (Whether or not you set up an account, realize your data is in an SSA database that could conceivably be hacked anyway.) If you set up your account, at least you will have set it up first and that will deter a crook from setting up a fake one. Crooks are also less likely to attempt tax return fraud if they see you already have an account at the SSA website.

            I’m thinking right now that the thing to do is to request a Fraud Alert and I’m not even too sure about that. Otherwise just keep a really close eye on your accounts.

    • #132673

      This is not good at all!!! Yeah, you can check, but you’re revealing details to get details, so understandably there’s an element of paranoia at play here. The worst of this is if your details have been compromised it may happen today or many years down the road that you find out to your detriment.
      What makes it worse is that your SSN (US) SIN (CAN) Nat. Ins. (UK) are virtually impossible to change or if you can in at least a couple of the jurisdictions mentioned it’s a real pain when it comes to Pension or anything else you may be entitled to or need with these unique numbers in the coming years. Of course with ident. theft any other details on your file just serve to reinforce the illusion that a fraudster may actually be the genuine article.
      I guess I will have to try the Web site or Phone line (if it isn’t crashing or permanently busy due to volume of queries). Basically I suspect, like most, that we have no idea which database we are on or where our details have ended up. 🙁
      Times like these that “Luddism” as a philosophy takes on a strange allure in this HiTech world we live.

      3 users thanked author for this post.
    • #132682

      This hack will likely facilitate many ID thefts by criminals and illegal immigrants in the US, UK and Canada, ie the sale of the stolen personal ID data by the hackers, eg US$1 per stolen ID = US$143 million for the hackers.

      1 user thanked author for this post.
    • #132697

      I haven’t figured out the point Krebs was trying to make by providing a bogus name to Equifax when checking if the provided partial SSN was among the impacted group.  The notion that providing some disinformation when dealing with Equifax somehow protects me doesn’t fill me with a tremendous sense of comfort.   Or maybe it’s just intended to point out that the request is meaningless?  I’m still wondering.

      I have to laugh at the trivial distinction between providing an entire SSN for impact checking versus “the last six digits” of a nine digit number!  How long would it take to iterate through the remaining three digits to discern a valid SSN?  And considering that security was already lax enough to permit this data breach how is this protecting me?

      The credit reporting agencies already have massive files on all of us that don’t live off the grid.  Equifax’s self-serving promotion of its own services as a response to its failure is revolting at best.

      • #132738

        in other words, it doesn’t matter what information you enter, no actual checking is being done, you’re just signing up to (1) agree never to sue [read the EULA – sign up, you can never file suit] and (2) get spammed for a paid credit monitoring account after the free one runs out.
        problem: equifax is hacked, revealing personal information of millions of people.
        solution: ask millions of people to reveal personal information to equifax.
        my better idea: every time someone pays equifax for my personal information, I get half the money…

        Edit to remove HTML. Please convert to plain text before cut/paste

        2 users thanked author for this post.
    • #132710

      Woody, thanks for the heads-up.  I see this as part of a pattern of operating on the edge of the law, as demonstrated by the credit reporting agencies’ poor record of performing their legal obligations when asked to correct errors in the information they disseminate.

      Fundamentally, they deal in what so-and-so-says-about-you.  If they had been held to the same standards as ordinary people under libel law, they would have developed differently.

      I continue to say that hacking is the single greatest downside to the various spying/telemetry/data-gathering schemes afoot.

      3 users thanked author for this post.
    • #132712

      I would like to know what the Credit Card Companies are doing about this. They obviously work hand in hand with these credit checking companies, so what is their position on these inadequate and insecure processes? Is Equifax still an accredited business partner considering the manner and time frame with which they handled informing the public about the hack?

      Consumers have no way of stopping this company from collecting and storing their personal data, but their business partners do. We see businesses distancing themselves from the vile policies and actions of their government, but now it is time for them to do the same with their business partners. The Executives who cashed in knowing that the stock would go down when the hack was revealed, are no less than scum. If MasterCard, Visa, AMEX etc., are willing to do business with scum like this, then they are spineless hypocrites and care little about their own integrity.

      • #132717

        “I would like to know what the Credit Card Companies are doing about this.”

        Breathing a collective sigh of relief that the breach didn’t occur at one of their data centers while they line up to point the finger at Equifax.  “It was him, not me!”

    • #132715

      Supposedly, per preliminary reports, the Equifax website if your personal data was breached is not properly TLS secured and may pose a risk. I would watch for more information before giving them more personal data to find out if you have been exposed by their data breach. This again raises material questions regarding business models based upon harvesting consumer personal data to later be monetized at the discretion of the owner. The opacity of the practices coupled with lack of “opt in” requirements leaves individuals heavily exposed to the unknown security protocols used by these companies.

    • #132732

      Last week, a guy used a fake driver license with my real data, license number and my real signature to open a new bank account far from where I live, then get a credit card and steal more than 10 000$. I was appalled to see how unprofessional the bank (which I never was a customer for) handled that. It didn’t occur to them it was weird a guy goes in person to a bank far from the address on the driver’s license to open an account. They didn’t have a copy of the driver’s license with the picture or anything to give to the police. Someone probably just got a bonus for signing up a new customer. And since I have good credit, they don’t check for security as much, they said… because you know people with bad credit have a lot more money available to steal, I guess?

      Doing my own inquiry, I came to the conclusion the data was stolen from one of the two credit agencies or my bank because there was something very particular about this theft. They used info that was wrong but that has been entered by mistake at my bank years ago and somehow made its way to Equifax, but nowhere else because I corrected it right away at that moment. So I was quite scared to see that maybe Equifax handled my data so poorly. I am always careful with these things, I always sign a fake signature to trace the source of theft if it is something where it doesn’t require my real signature. I look for problems with the credit card machines, I make a mental note when something is weird. I never got anything stolen before.

      I absolutely did nothing to have my identity stolen like this and I had to spend a full day on the phone to try to limit damages. Equifax couldn’t correct my file unless I sent them more personal data using the fax, which I didn’t really feel like doing because they can add anything you give them to your file. All of this before this announcement of a breach…

      I can’t understand this in theory simple service is left to an oligopoly of people who manage risk by just selling their stock if something really bad happens and hope for the best while they carelessly handle security issues. To me, if it is not criminal negligence, it is not far. To add insult to injury, they offer an obscenely expensive credit monitoring service that is not really useful, but apparently very difficult to cancel once you signed up. Maybe they will even make money out of this after offering free credit monitoring for a year and then making it very hard for customers to cancel. Seeing on Google review Equifax had a bit more than one star (the minimum) even before the announcement of the breach was quite telling.

      High barrier to entry prevents this industry from having real competition. Pressure to generate more money and reduce costs certainly is no stranger to being lax with security. The stakes are too high for the government to just ignore that and let those companies handle your personal data. Unfortunately, not many people understand to which extent this is bad and unacceptable, so it might just be forgotten after the headlines get old a bit. This is very unfortunate for all people affected now and those who will be by the next breach.

      They might not have patched their web application and they were looking for a CISO. Really?

      4 users thanked author for this post.
    • #132739

      The announcement of the Equifax breach poses serious threats to the US financial and healthcare systems. If the Government, financial and healthcare institutions thought there was a lot of fraud already, this breach will dramatically increase the amount of fraud. All the bureaus acknowledge that their databases do contain a lot of synthetic and fraudulent “identities”, but they do not know how many or which they are. This massive breach will only make this matter worse.

      Also nobody wants to talk about the costs and hardships to the innocent individuals impacted by this event. Through no fault of their own they will spend countless hours and huge sums of money cleaning up their credit and fixing their financial, healthcare, employment history, reputation, and other public and private facets of their life. Who will compensate them? It is astonishing to have so much high-value private data accumulated by a handful of companies, with very little control and oversight and apparently not very good cybersecurity practices! It is even worse when you consider that all this information is private data credit card companies, financial institutions, retailers and other entities provide to credit bureaus for a fee, then the credit bureaus charge everybody to get access to that data and the person who should own and have control over that data not only has to pay to get access to it, but gets penalized for errors and inaccuracies introduced by all the various entities.

      The model needs to be changed and identity needs to be managed by the individual, along with all the history and associated data. That is possible with today’s technology, but is there the will to make the shift? Identity needs to be linked to the actual, real, physical person (the carbon unit) and not to credentials which can be stolen, fabricated, and abused. The data the bureaus have collected do not represent identities. They are simply knowledge/information with the claim that it represents a specific individual. In reality, the bureaus have no way of knowing which is the actual individual (the carbon unit) linked to a set of data. Identity can only be established through physical characteristics which are unique to only one individual.

      Credentials and information do not identify a person and they are cause of fraud, since they can be easily stolen, as evidenced by this breach, and used for identity theft and to build synthetic or fake identities.

      Edit to remove HTML. Post may not be as original intended.
      Please convert to plain text before cut/paste from Word.

      2 users thanked author for this post.
    • #132751

      Since this breach was with one of the three main credit reporting companies, which should have among the best security available to prevent this kind of theft, and the kind of information the thieves got is the kind they can use to your detriment for the rest of your life, then Equifax should be required to provide lifetime free credit monitoring for everyone affected. There should be no question about that.

      Also, when banks and other financial institutions open accounts without making absolutely certain that the person opening the account is the real person and not an identity thief, that institution should be required by law to fully reimburse all costs incurred by the victim, including time lost at work, etc., to get everything corrected. And those reimbursements should not be tax deductible for that institution. There should be no question about that either.

      3 users thanked author for this post.
    • #132766

      Zack Whittaker, Security Editor at zdnet.com, has tweeted a Public Service Announcement (#PSA) on the Equifax check website (which I haven’t successfully located in checking):

      4 users thanked author for this post.
      • #132771

        How to find out if you’re affected by the Equifax hack
        by Katie Lobosco | September 8, 2017

         
        To enroll, go to http://www.equifaxsecurity2017.com and click on the Check Potential Impact tab. You must submit your last name and last six digits of your Social Security number there. At that point you’ll be given a date when you can return to the site and sign up for the service.

        The site says once you’ve submitted your information you will receive a message indicating whether you’ve been affected. But it’s unclear when or how you will receive that message.

        Some are being told: “Based on the information provided, we believe that your personal information may have been impacted by this incident.”

        But even in that case, Equifax is not offering the credit monitoring service until next week at the earliest. Monday is the first day you can sign up.

        If you do choose to sign up for the credit monitoring service, you must agree to submit any complaints against Equifax to arbitration.
        You can’t sue on your own behalf, and you can’t join a class-action case or benefit from any class-action settlement that Equifax agrees to.

         
        Read the full article here

        3 users thanked author for this post.
      • #132772

        “Yeah, you can check, but you’re revealing details to get details, so understandably there’s an element of paranoia at play here.”

        Yeah, just as I quoted, not a very altruistic or even contrite thing to say, especially in the light of their apparent gross negligence. I had a feeling that in the light of potentially multi-billion dollar ramifications there would be an element of corporate damage limitation, such is the litigious world in which we live. Yet not a word on any potential recourse to restitution should the unthinkable ever occur as a result. Mind you I am not really surprised or holding my breath.

      • #132795

        From wptavern.com, a write-up which discusses many angles of the check site:

        Equifax Launches WordPress-Powered Site for Consumers Affected by Security Breach
        Sarah Gooding | September 8, 2017

         
        Due to how the site was set up, it appeared to many consumers and researchers as Equifax’s way of stalling or perhaps even scamming those who may have been affected by the breach. Various browsers flagged it as a phishing threat, and some consumers found they were given different answers from the form based on whether they checked with desktop or mobile devices. In responding to the incident with a website that appears to have been hastily implemented for its own convenience and corporate interests, Equifax has missed an opportunity to reclaim any remaining consumer confidence from the public.

         
        Read the full article here

        1 user thanked author for this post.
      • #132796

        Update from Zack Whittaker:

        Linked PR graphic shows “You can determine your status immediately” & “No waiver of rights for this cyber security incident”.

        2 users thanked author for this post.
    • #132764

      The Better Business Bureau is a joke. The Consumer Protection Agency is hopeless.

      Any company can collect, store and use-or-sell your personal data without your consent.

      An identity thief can take out a mortgage to buy a house in your name. The bank will come after you for the mortgage payments even though the bank issued the loan to the fraudster. You are accountable and have to prove it was not you. The credit reporting company will hit your credit rating if you refuse to pay until the issue is resolved. It usually takes up to a year or more to get it back to where it should be and there is no guarantee that the credit reporting company has your records properly sorted. The bank gets to repossess the house the crooks bought in your name. There is no skin off their nose and you will be left with an enormous legal bill – you have to pay the lawyer too.

      1 user thanked author for this post.
      • #132770

        It sounds like you speak from experience of identity theft…

        “Any company can collect, store and use-or-sell your personal data without your consent.”

        In many jurisdictions, it is necessary to seek a person’s permission to save personal data, let alone do anything with it. There are local requirements where data can only be used for the purpose for which it was collected, but this needs to be universal.

        From my security concerns, I think the time will surely come where anyone collecting data will also be required to keep it securely and encrypted. I’m hoping it’s soon!

        5 users thanked author for this post.
        • #132776

          That time will not come until the law requires that such data must be stored and used only as the owner specifies, with penalties for violation.  In other words, it becomes a matter of contract.  Watch EULAs sharpen up when that happens.  They are useless now because everyone recognizes that they are one-sided and often immune from challenge.  Give the consumer some enforceable rights to his or her data and things will change.

          This is a bit like health care.  Until the consumer becomes an active party to the negotiation, we’ll keep going in the same circles.

          “Local jurisdictions” have had about as much influence on this issue as they have had on immigration.

    • #132778

      About Equifax …
      Equifax is a global information solutions company that uses trusted unique data, innovative analytics, technology and industry expertise to power organizations and individuals around the world by transforming knowledge into insights that help make more informed business and personal decisions. The company organizes, assimilates and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide, and its database includes employee data contributed from more than 7,100 employers.

      1 user thanked author for this post.
    • #132788

      Not a lot of commentary here about the egregious delay in reporting the hacking breach.  July 29 to September 7.  Long enough to permit the executives to sell their stock before disclosing the problem.  That isn’t the main problem.  Waiting more than a month to tell the world what you knew about it is the problem.  How many people were affected in that time?  What kind of negligence does this exhibit?  Class action, here we come.  Justice would be for the company to be sold for pennies on the dollar and a few executives to be thrown in jail.

    • #132798

      From Equifax Lobbied To Kill Rule Protecting Victims Of Data Breaches:

      “If you want to know if you were one of the 143 million people whose data was breached in a hack of Equifax’s data, the company has a website you can use to find out — but there appears to be a catch: To check, you have to agree to give up your legal right to sue the company for damages. The outrage that clause has now generated could complicate the company’s efforts — backed by Republican lawmakers — to block an imminent rule that would ban companies from forcing customers to agree to such provisions.”

      1 user thanked author for this post.
      • #132799

        It appears they have changed their mind about the arbitration, if their press release is to be believed:

        Linked PR graphic shows “You can determine your status immediately” & “No waiver of rights for this cyber security incident”.

    • #132829

      May or may not be connected but is in the same time frame.  I had a card not used since before the hack.  Then on July 12th I had a small $10 Apple I-Tunes charge that I didn’t make.

      I had it checked and they said a lot of bogus charges from the same source, on other cardholders.  Had the card cancelled and replaced.

      The tip they gave was to watch for small innocuous charges first, as the hackers/thieves are just testing that they have access to the card before taking all they can.  You might not catch the charges if it is something small on something you have used in the past.

      I had all my credit reports frozen today.  I have all the credit I need and can do without the worry at least for now, the freeze is permanent or 5 yrs depending on the company.

      1 user thanked author for this post.
    • #132841

      Re: “About Equifax” (posted by Anonymous 132778)…

      “ … and its database includes employee data contributed from more than 7,100 employers”.

      Why would employers be contributing employee data to Equifax? I know that my company has my address, SSN, telephone number, tax info, marital status, birth date, spouse’s name, kids’ names and ages, my work record and education status. If I got hacked by this latest cyber attack at Equifax, a fraudster could pretend to be me. Talk about identity theft – this would be body snatcher kind of stuff. I was originally just concerned about my financial safety, now I am concerned about me being stolen.

      1 user thanked author for this post.
    • #133015

      Senators press for answers on Equifax executives who sold stock after breach

      http://thehill.com/policy/technology/350143-senators-want-answers-on-the-equifax-executives-who-sold-stock-after-breach

      Equifax says that it will waive credit freeze fees for 30 days

      https://finance.yahoo.com/news/equifax-says-waive-credit-freeze-164806460.html

      This is about as useful as a partridge in a pear tree. Once the date of birth, home address for two years and social security number are out there, unencrypted, you are endangered for life. 30 days just does not cut it. There are some things you can’t or would be crazy to try to change.

      Worse, in many States, you not only have to pay to get a credit freeze, but even if you can get your credit unfrozen in a timely manner (not guaranteed with these companies) you have to pay for each “credit thaw” as well as each re-freeze. That can really add up if you are a financially active household.

      EDITORIAL: Stop companies from spreading your house keys all over town

      http://chicago.suntimes.com/opinion/editorial-stop-companies-from-spreading-your-house-keys-all-over-town/

      This is one of the best and most succinct editorials I have yet read, summarizing the full extent of what has happened with Equifax.

      Congress needs to act, and they say they are planning on doing so. But as we saw in 2008 with the mortgage crisis, having regulations does not mean having enforcement of those regulations.

      Who’s watching the Watchers?

      -- rc primak

      2 users thanked author for this post.
    • #133412
      1 user thanked author for this post.
    • #134296

      CNBC reports today 9/26/17

      Richard Smith, CEO and chairman of Equifax, abruptly retired Tuesday (9/26) following a data breach at the credit-reporting service that affected the personal information of 143 million people, according to the company’s board.

      Equifax shares fell 1.6 percent in early trading on Tuesday. They have fallen 27 percent in September after the company revealed the breach.

      Seems the rats are abandoning ship!
