Credit details of 143 million US Citizens comprimised

[Donut417]

5 hours ago, Kobathor said:

It should be criminal for the higher-ups to hold that information from the public so that they could sell all of their shares to save their bank accounts.

 

Thank God I don't have a credit card!  

 

5 hours ago, TidaLWaveZ said:

I think it is... Pretty sure this is insider trading and totally illegal.

Insider trading deals with buying stocks when you have knowledge of new products are services or know the company is going to hit a rough patch and selling your shares, generally concerns people who work at the company such as executives who tend to know the whole picture. 

 

According to a speaker that came  in at the EMU college of Business, for the business conference we have every year, its not illegal for companies to not disclose if they are hacked. Companies are hacked all the time, 1000's of times, they dont have to disclose. In this case, due to the massive amount of data they disclosed. Because the law suit would have been worse if they didnt. I would venture to guess that they would have to report all intrusions to the FBI as its the FBI's job to investigate this type of crime. 

 

Though Im so sicken and tired of this shit happening. Executives should  be imprisoned for their lack on not giving a shit or being incompetent. 

[Dylanc1500]

37 minutes ago, TigerHawk said:

Why does the locked thread have a nice ars technica link to the news and this one has a crappy fucking no name website in german?

Because I'm awesome like that and was to nervous to make a post about it myself, if I am entirely honest lol. So I let @DocSwag do it with his awesome skills.

This is the link by the way.

 https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/

[SpaceGhostC2C]

8 hours ago, ScratchCat said:

The fact that the CEO himself and other executives have sold large amounts of shares following the breach gives an indication on what the potential imact on Equifax will be.

Oh, Equifucks... 

 

3 hours ago, TigerHawk said:

this one has a crappy fucking no name website in german?

The ignorance is strong in this one

 

Btw, the site has a name. His name is Robert Paulson. 

[Donut417]

Welp. I put a security freeze on my credit at all 3 agencies till this shit blows over. 

[ionbasa]

Just received this from our Information Security Officer, good steps to follow:

Quote

Dear *************
 
Everyone works very hard to try and keep their personal information personal.  However, it was reported late yesterday that one of the “big three” credit reporting agencies - Equifax - suffered a data breach affecting over 143 million people.  Although there have been breaches affecting a larger number of people, the Equifax breach is particularly daunting because of the type of data that was exposed.  Equifax is a credit reporting agency and the data lost could contain virtually all the information a bad actor would need to take over a person’s identity - social security number, date of birth, a history of jobs and residences, and even driver’s license numbers.
 
We encourage all ********* to take the following precautions to protect themselves.
 
How to protect yourself:
 
·        In the hours after Equifax made the data breach known to the public, a website was announced by Equifax which could be used to request free credit monitoring.  Unfortunately, there appears to be potential security issues with that site as well.  Therefore, we recommend you contact Equifax directly by phone at 1-800-525-6285 and place a fraud request on your credit files.  This will allow creditors to contact you prior to any new accounts being opened in your name.
 
·        Additionally, request a free copy of your credit report from each major credit bureau (Equifax, TransUnion and Experian). This can be done when placing the fraud alert or you may call at 1-877-322-8228.  All consumers are entitled to a free credit report annually and the report is provided by all three major credit reporting agencies.
 
·        In the event your information is used to open fraudulent accounts, contact your local police department and file a report right away. If thieves are caught, police reports must be exist for prosecution.
 
·        Once a police report has been filed, contact the creditor(s) for any accounts created by phone and request to speak with the security or fraud department.  Inform them you have been the victim of identity theft and you are not responsible for the account opened in your name by the bad actor.
 
·        Additionally, if you are the victim of identity theft, California identity theft victims with a police report of identity theft are entitled to receive a free monthly credit report for 12 months following the date of the initial police report.  The process for this is different for all three agencies:
 
o   Experian:  Make a single request to receive all of your free monthly reports.  Mail your request for 12 free monthly reports to Experian at P.O. Box 9554, Allen, TX 75013. Enclose a copy of the police report of identity theft, a copy of a government-issued identification card (such as driver’s license, state or military ID), and a copy of proof of current mailing address (utility bill, bank or insurance statement showing name, current mailing address, and date of issue).  Also provide your full name including middle initial (and generation such as Jr., Sr., II, III), previous addresses for the past two years, social security number and date of birth.
 
o   TransUnion:  Write or call in your request each month. Mail to TransUnion, P. O. Box 6790, Fullerton, CA 92834.  Or call the toll-free number printed on your most recent TransUnion credit report. Provide your full name including middle initial (and generation such as Jr., Sr., II, III), social security number, date of birth, and proof of residence (such as utility bill or bank statement).
 
o   Equifax:  Write or call in your request each month. Mail to Equifax, P.O. Box 740241, Atlanta, GA, 30374.  Or call the toll-free number printed on your most recent TransUnion credit report.  Provide your full name including middle initial (and generation such as Jr., Sr., II, III), social security number, date of birth, and proof of residence (such as utility bill or bank statement).
 
For additional information regarding identity theft, please perform a web search for “California Attorney General Identity Theft Victim Checklist”.
 
In the short time since the Equifax notification, over 190 website domains with fake names were registered (possibly by attackers to be used in phishing attacks).  Example fake domains registered include:  equifactssecurity2017[.]com, eequifaxsecurity2017[.]com, equifax3ecurity2017[.]com, and many more. Please do not fall victim to these attempts. The best course of action is to call the credit bureau.
 
What can you do to avoid Phishing?
 
The following tips can help you avoid exploitation by phishing both at work and at home:
 
·        As a general practice, use extreme caution when clicking on a web link sent through email as it is becoming a very common method of spreading malicious software, unless you are completely confident of the sender.
 
·        If you receive an email which appears suspicious or is unexpected, it probably is.  Always feel free to contact the person sending the email personally to ensure they actually sent it and they verify it is a valid link. 
 
·        Also, as a general practice, hesitate before clicking on links or attachments which are embedded in emails without verification from the sender.
 
·        Both at home and at work, keep backups of important data, documents, pictures, etc.  Make certain those backups are not stored on your computer or device.
 
·        If two-factor authentication is available to you such as Duo MFA, Google Authenticator, SMS, etc., this is one of the best means to prevent the effects of a phishing campaign.
 
Thank you for your vigilance. I am happy to answer any questions.
 
Sincerely,

**********

(Some information redacted with *)

 

What I find interesting is the number of fake and phishing sites that popped up immediately, over 190 fake domains setup. Please stay vigilant everyone! I'd recommend everyone to put a security freeze on their accounts for the foreseeable future, that way no new credit accounts can be opened without a credit reporting agency contacting you directly.

[bcredeur97]

these people deserve to be put out of business... like seriously. 

 

i wonder if I'm compromised. No real way to know. I am for sure not using their stupid site

 

 

I don't have any credit cards at least...

[ionbasa]

1 minute ago, bcredeur97 said:

these people deserve to be put out of business... like seriously. 

 

i wonder if I'm compromised. No real way to know. I am for sure not using their stupid site

Please do not use their site, read the above notification I got from our Information Security Officer, their site still has security holes. Best way to contact them is either over telephone or by writing in via mail.

 

EDIT: While you may not have any credit cards, your information could still be potentially on record as a driver's license number, SSN from a bank account (checking/saving) or even from a utility bill (cell phone, water, gas, power, Internet service). Thus requesting a credit freeze makes sure no unauthorized new accounts are opened.

[bcredeur97]

1 minute ago, ionbasa said:

Please do not use their site, read the above notification I got from our Information Security Officer, their site still has security holes. Best way to contact them is either over telephone or by writing in via mail.

wait a second... I have never had nor do I have a credit card. 

 

does this mean I'm fine? lol

[ionbasa]

Just now, bcredeur97 said:

wait a second... I have never had nor do I have a credit card. 

 

does this mean I'm fine? lol

While you may not have any credit cards, your information could still be potentially on record as a driver's license number, SSN from a bank account (checking/saving) or even from a utility bill (cell phone, water, gas, power, Internet service). Thus requesting a credit freeze makes sure no unauthorized new accounts are opened.

[Donut417]

Just now, bcredeur97 said:

wait a second... I have never had nor do I have a credit card. 

 

does this mean I'm fine? lol

If you have ever bought or leased a car from a dealership, gotten a phone, cable, Internet, etc. You have credit. That means they have your info. Pretty much unless you have lived in a cave and used cash for every purchase, your info is out there. 

[bcredeur97]

12 minutes ago, ionbasa said:

While you may not have any credit cards, your information could still be potentially on record as a driver's license number, SSN from a bank account (checking/saving) or even from a utility bill (cell phone, water, gas, power, Internet service). Thus requesting a credit freeze makes sure no unauthorized new accounts are opened.

gotcha. Will do that! 

So basically just have to ask for a "fraud request" on your files, if they exist, when you call? And I just have to assume they actually do that? lol

10 minutes ago, Donut417 said:

If you have ever bought or leased a car from a dealership, gotten a phone, cable, Internet, etc. You have credit. That means they have your info. Pretty much unless you have lived in a cave and used cash for every purchase, your info is out there. 

no, no, no, no, etc?

 

I have bank accounts, cryptocurrency exchange accounts, and a driver's license though so I'm a bit concerned lol

 

still have parents paying my phone bill and im currently using their internet soooooo.... at least I'm good there. def have to make sure they are good tho for their sake (And maybe mine)

[ionbasa]

2 minutes ago, bcredeur97 said:

gotcha. Will do that! 

So basically just have to ask for a "fraud request" on your files, if they exist, when you call? And I just have to assume they actually do that? lol

no, no, no, no, etc?

 

I have bank accounts, cryptocurrency exchange accounts, and a driver's license though so I'm a bit concerned lol

 

still have parents paying my phone bill and im currently using their internet soooooo.... at least I'm good there. def have to make sure they are good tho for their sake (And maybe mine)

You can request a credit freeze for 90 days that has to be renewed manually. They give you a pin number from each credit reporting agency. You can also do a fraud request.

[Donut417]

15 minutes ago, bcredeur97 said:

gotcha. Will do that! 

So basically just have to ask for a "fraud request" on your files, if they exist, when you call? And I just have to assume they actually do that? lol

no, no, no, no, etc?

 

I have bank accounts, cryptocurrency exchange accounts, and a driver's license though so I'm a bit concerned lol

 

still have parents paying my phone bill and im currently using their internet soooooo.... at least I'm good there. def have to make sure they are good tho for their sake (And maybe mine)

You have a bank account. Banks issue credit cards. If you have a debit card then it has a credit card logo. Im sure your in the credit reporting agencies files. Thought you can contact the 3 credit agencies and have them put a security freeze on your account. This will make it nearly impossible for any credit related items to be put in your name. As it will restrict who has access to your credit report. Thought any one that currently has access can still access your credit report. 

 

Should also mention the freeze costs $10 per agencies. 3 agencies so $30 to do this. 

[ionbasa]

14 minutes ago, Donut417 said:

You have a bank account. Banks issue credit cards. If you have a debit card then it has a credit card logo. Im sure your in the credit reporting agencies files. Thought you can contact the 3 credit agencies and have them put a security freeze on your account. This will make it nearly impossible for any credit related items to be put in your name. As it will restrict who has access to your credit report. Thought any one that currently has access can still access your credit report. 

 

Should also mention the freeze costs $10 per agencies. 3 agencies so $30 to do this. 

It's also possible to have the fee waived. Depends on state-to-state as laws vary, and also depends on the rep you talk to (if you can convince them). It's free to request an Initial Fraud Report though.

[handymanshandle]

Fun stuff.

 

Honestly besides stronger security I think SSNs should be made way more secure like more ways to verify that it's actually you using that number. I understand people who are concerned about privacy might not like it but if we are to commit to using a number for identification then we better make that number more intended for identification purposes. Because SSN is not meant to be used as id but it is used that way.

[Donut417]

53 minutes ago, wcreek said:

Fun stuff.

 

Honestly besides stronger security I think SSNs should be made way more secure like more ways to verify that it's actually you using that number. I understand people who are concerned about privacy might not like it but if we are to commit to using a number for identification then we better make that number more intended for identification purposes. Because SSN is not meant to be used as id but it is used that way.

The issue is you got these anti government types who dont want a national ID card. Why not have a national ID card? I mean, it would make things a lot easier. Next year you have to have an approved enhanced licence or passport to go thru an airport. I mean, come on, lets just have a national ID. I mean you already require a drivers license or state ID card in most cases. 

[ionbasa]

7 minutes ago, Donut417 said:

The issue is you got these anti government types who dont want a national ID card. Why not have a national ID card? I mean, it would make things a lot easier. Next year you have to have an approved enhanced licence or passport to go thru an airport. I mean, come on, lets just have a national ID. I mean you already require a drivers license or state ID card in most cases. 

Don't passports serve as national IDs? We have Passport Cards available in addition to an actual Passport booklet. CA has had enhanced IDs and Driver's Licences for a while. National IDs seem redundant if I already have an DL from my state, would I have to carry two IDs around now (or three since I keep my passport card in my wallet)? Just seems redundant with the current way things are set up.

[handymanshandle]

6 minutes ago, Donut417 said:

The issue is you got these anti government types who dont want a national ID card. Why not have a national ID card? I mean, it would make things a lot easier. Next year you have to have an approved enhanced licence or passport to go thru an airport. I mean, come on, lets just have a national ID. I mean you already require a drivers license or state ID card in most cases. 

I appreciate privacy and I think it's a right everyone deserves but yeah agreed. 
Using something not designed for identification purposes as identification creates the issues we've seen in the past and continuing and getting worse today. Mexico has a consular ID card that has an EMV chip in it, the Philippines will be using EMV and Biometrics which I'm even more a fan of but considering the concern for violating the fifth amendment and possibly other things I can understand why to not be in favor of that. Though I do hate the phrase "Only wrong doers need be concerned." That's a clear example of a slippery slope type deal.  

 

Honestly though I like the idea of going to an airport or a border crossing like at the US/CAN border and just inserting a card into a machine and declare what I needed to declare either through the machine or to a border agent though I think a recent development in American law is that border agents can search you phone/computer or possibly request for passwords to social media or whatever and that I do not like one bit and kinda makes me not want to travel to Canada just because that's something that I like to keep private for the most part. The current PM of Canada makes me not want to travel to Canada tbh.

[handymanshandle]

6 minutes ago, ionbasa said:

Don't passports serve as national IDs? We have Passport Cards available in addition to an actual Passport booklet. CA has had enhanced IDs and Driver's Licences for a while. National IDs seem redundant if I already have an DL from my state, would I have to carry two IDs around now (or three since I keep my passport card in my wallet)? Just seems redundant with the current way things are set up.

Yeah but you can't use a passport to apply for a credit card and your bank doesn't use ask for your passport, and employers they ask for Social Security to check criminal history and possibly financial history.

[ScratchCat]

11 hours ago, TigerHawk said:

Why does the locked thread have a nice ars technica link to the news and this one has a crappy fucking no name website in german?

Well it does have an English translation site but this article was not up there at that point.

 

Also just because it is unknown to most English readers doesn't mean it is a poor source , would you call Facebook a good source?

The website does a large number of reviews on devices and their analysis is impeccable , anandtech level detail.

[Dylanc1500]

Here is the easiest way to keep your SSN safe as a tip from someone that has been around the financial industry for years. If any institution asks for SSN then they should be cross referencing with some second or even third form of I.D. Per FDIC laws Banks, Lenders, credit unions, and so forth, must have at least two forms of I.D. and one has to be Valid photo I.D. 

[Ithanul]

Seems companies still lacking in having a decent IT security department or at least good security practices.  My info already been compromised three times (yah for the military losing it several times).  I just keep doing what I was already doing.  Keep an hawkeye on all my accounts and keep changing passwords on a regular basis.

 

Then again, there are quite a few sites that allow one to find some of this information like a darn search engine.  Had a vehicle sales person show me one that anyone could access.  Site would show address, family members, phone numbers (even past ones), and State.  Pretty much one should always keep an eye on their accounts and do good security practices.

[Tao]

In Canada we have the "Personal Information Protection and Electronic Documents Act" (PIPEDA) protecting us by regulating how organizations gather and handle our personal information.

This act outlines how private organizations handle personal information.  Among other things, these organizations MUST have express consent from us to collect personal information on us (4.3 of Schedule 1), MUST comply with any requests we make to them to list IN DETAIL whatever personal information they have on us (4.9 of schedule 1), and MUST inform us if our personal information was breached.

I am double checking with the Office of the Privacy Commissioner if these credit bureaus have any sort of exceptions, but from what I know about this law, credit bureaus have been made effectively illegal in Canada unless we give them express consent to gather information on us, and we give institutions express consent to send our information to them.

4.9 "Principle 9 — Individual Access" of Schedule 1 of The Canadian Personal Information Protection and Electronic Documents Act. 
http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-11.html#h-26

20 hours ago, Zodiark1593 said:

Soon, what do we do on an individual level beyond just keeping an eye on statements?

 

I recommend that people send Equifax Canada a formal request under PIPEDA (remember to cite this legislation) to ask if their information was breached, and what information was leaked.  Equifax has been 'offering' 'services', but these are tricks to get people agree to be subject to binding arbitration and giving up their rights to be a part of a class action suit.  I would not make any agreements with Equifax, and simply make requests under PIPEDA.  If Equifax fails to comply with these requests, then lodge a FORMAL complaint with the Office of the Privacy Commissioner.

https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/

[Juanitology]

22 hours ago, Kobathor said:

 

Yes, yes it is.

not if they waited to sell those shares till after the hack was made public

[AlwaysFSX]

Ahhh credit, such a stupid system.