Something that really ticks me off...the Equifax breach

[Arcadian]

I'm unsure how many people have heard about it considering the 2 back to back hurricanes in the US, but you all might want to start locking your credit reports as it affects 143 million people or so.

Here's the thing, they may or may not have gotten credit card numbers. They DID in fact get SS numbers, home addresses, telephone numbers, the stuff that makes it easier to GET that credit.
So I took some steps to protect myself:

I Opted out of credit offers for 5 years https://www.optoutprescreen.com
Go to Equifax https://www.equifax.com/personal/ and fill out their information you'll find out if you're affected or not
Transunion go to my free identity protection https://www.transunion.com/
Experian will make you pay. And of course you can lock your credit report but if you don't buy their bundled package for 24.99 a month, it will cost you to unlock it (5-10 dollars a pop depending on the state you're in) I can't say the nasty names I'm thinking in polite company about their "product". But good to know they'll be making lots of money off this.
http://www.experian.com/consumer-products/identity-theft-and-credit-protection.html


Some reasons why this is so messed up:
https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

https://arstechnica.com/information...caused-by-failure-to-patch-two-month-old-bug/

"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," company officials wrote in an update posted online. "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

Basically somebody(s) got lazy and due diligence wasn't followed.

 

[ksinger]

Luckily (??) I was caught in the OPM breach and thus still have free credit and security monitoring on Uncle Sam.

Seriously, our world is panning out just like several near-future dystopian sci-fi novels, I find I'm no longer surprised by any of it. More like amazed at how close the fiction-writing prognosticators have gotten it.

 

[Karl_K]

This is a direct result of outsourcing and treating IT like an after thought.
Totally patching this would take a long time for a huge operation, longer than they had.
Blocking it on the front end of a properly designed software stack would take a few hours for an admin who has a handle on the system in place even with thousands of front end servers. Due to outsourcing and using contractors they in all likelihood do not have anyone with that understanding.
That one of their sites had a password of admin/admin while not related to this leak is criminal.

 

[Queenie60]

Thank you Arcadian, for the information. I will surely take the steps that you have advised and will pass on to my friends and co-workers.

 

[redwood66]

Thank you! It looks like I might have been compromised but DH has not.

 

[ksinger]

This is a direct result of outsourcing and treating IT like an after thought.
Totally patching this would take a long time for a huge operation, longer than they had.
Blocking it on the front end of a properly designed software stack would take a few hours for an admin who has a handle on the system in place even with thousands of front end servers. Due to outsourcing and using contractors they in all likelihood do not have anyone with that understanding.
That one of their sites had a password of admin/admin while not related to this leak is criminal.

And I never worked anywhere that didn't resent the hell (to one degree or another) out of the cost associated with IT. I mean, they mostly don't make money for a business - or government - and staff is costly, as is chasing change and keeping updated.

But never fear, in a few decades, maybe less, humans doing coding and making errors will be ancient history. Skynet will doing it all for us. (And while that is tongue in cheek, the overtaking of humans doing work - even highly educated mental work, by AI, is on the foreseeable horizon, so not really hyperbole)

 

[AdaBeta27]

I'm not so sure that I believe that popup box if it says "you're not impacted." I just watched it say "not" and then about a minute later refresh itself and say "impacted." So I started over and the same thing happened. Also, if it says "not" and then you click the orange box to start enrollment, that will make the popup box refresh itself to say "impacted." So, which is it, Equifax? More b.s.because Equifax still has no idea of the real extent??

 

[OoohShiny]

Possibly dumb question - the advice applies to all people in all countries? Or just those in the US?

 

[telephone89]

Possibly dumb question - the advice applies to all people in all countries? Or just those in the US?

Some canadians have been effected, but I think they said it was only ones with 'dealings' in the US. I'm not really sure what that means lol.

 

[Arcadian]

I'm not so sure that I believe that popup box if it says "you're not impacted." I just watched it say "not" and then about a minute later refresh itself and say "impacted." So I started over and the same thing happened. Also, if it says "not" and then you click the orange box to start enrollment, that will make the popup box refresh itself to say "impacted." So, which is it, Equifax? More b.s.because Equifax still has no idea of the real extent??

What chafs me is not only did they get hacked with all of our information that we never gave them, we have to now give them that information to be protected.

I don't really know if they're totally sure. So you know WHY I'm under a deadline and back to work so soon after a hurricane? Because we were told to move to a more secure server situation because we handle PII.

@OoohShiny, at the moment they're saying US but it might affect other countries, I haven't really read anything aside from the one about Argentina. (admin/admin....lawd....)

@Karl_K You sound like someone who's been in IT.

 

[Arcadian]

Some canadians have been effected, but I think they said it was only ones with 'dealings' in the US. I'm not really sure what that means lol.

Thanks, this is good to know!

 

[Karl_K]

@Karl_K You sound like someone who's been in IT.

20 years, My main job was outsourced to India and do to obvious health issues no one wants to hire me so I struggle to get clients on my own and get by.....

 

[ringo865]

Are the people who have Baja affected by this breach supposed to be notified by mail (or some other means)?

Or is everyone with a SSN supposed to log on to some (encrypted?) website to find info about the status of their own identity?

 

[Gussie]

I really don't trust the equifax "not affected". I am skeptical about any credit watching too. I have a cc that allows me to check credit score at any time for free. Do yall think this is good enough if I personally check it daily/weekly? What is really messed up is that if your credit is affected I understand that equifax really won't do much about it. Technology will be the end of it.

 

[lilmosun]

I have a cc that allows me to check credit score at any time for free. Do yall think this is good enough if I personally check it daily/weekly?

I am not an expert in the field but from what I have heard..

There are a lot of factors that go into your credit score....so someone could apply for a credit card in your name and you might not realize it until your credit score tanks. Whereas from a credit report, you can see the transactions going into your credit score....and the catch is that the thoroughness/accuracy of credit reports can vary.

My understanding is that the best protection is to put a credit freeze with the major credit bureaus (transunion, experian and yes, equifax). That way your credit check won't go through if someone tries to get credit as you. You release the freeze with a PIN when you want to apply for credit.

While it's frustrating as hell, I've come to the conclusion that avoiding identity theft is a matter of luck as much as caution. And while, companies who are responsible for protecting your credit should be above reproach when it comes to security, I suspect that the degree to which your personal identity is at risk would surprise you - no matter how cautious you are.

 

[texaskj]

.




clark.com

has some excellent advice and information on the whole mess

 

[Arcadian]

I really don't trust the equifax "not affected". I am skeptical about any credit watching too. I have a cc that allows me to check credit score at any time for free. Do yall think this is good enough if I personally check it daily/weekly? What is really messed up is that if your credit is affected I understand that equifax really won't do much about it. Technology will be the end of it.

Checking the score isn't like checking whats actually on your report or, getting alerts anytime you apply for credit. Its a nice to have an a bit of a barometer as to how well you use credit. And scores can jump around month to month, they don't have a "memory" so to speak. I've had scores jump or dump as much as 12pts month to month, depending on what I was doing at that time and which report I looked at.

As much as I don't tend to like credit Karma, you can see at least 2 reports there for free. Used to be you could just pull a free one and be done. With this, its so different.

 

[azstonie]

I've had my credit frozen when these breaches first started (8 years). If I need to give a possible lender access to my credit file, they get a one-time use PIN good for however long I choose: 1 day, 5 dats, etc.

It costs $5 to freeze, and $5 every time you open via PIN.

 

[redwood66]

Hey @Arcadian did you sign up at the links you provided? I read an online discussion somewhere and now cannot find it that a part of the terms required when you sign up was that you waive all rights to class action suits as part of the Terms. I do not remember seeing that. I really have no problem with that as long as my identity and credit are protected. Class action suits when there was no harm to me are a waste of time and lawyers out for money IMO. But I wanted to see if you or anyone else had seen this. Thanks!

 

[Dee*Jay]

Red, I believe that the original sign-up offer from Equifax required that you waive your rights but that was struck down pretty immediately and is no longer the case.

I did sign up for the credit monitoring and it's a two step process that has too occur on separate days. Ironically the second part requires that you click on a link and put in a bunch of personal info to prove you are you. As I was doing it all I could think of was what a perfect forum for identity theft! If I were a clever hacker I could send out fake second links and get people to give me all the info I needed. But maybe my mind just works in suspicious ways.

 

[redwood66]

Oh good. Thank you! I could not remember where I read it and the people discussing were arguing to beat all. I signed up also and had to do all of that. You are definitely right about the perfect opportunity for hackers.

 

[Dee*Jay]

Here's an article on it Red. Apparently the backlash was so great they had to take away that restriction.

https://www.gomn.com/news/equifax-w...ass-action-lawsuit-rights-for-using-trustedid

 

[mary poppins]

And then there's this. Grr. Hopefully the investigation will reveal reason to change Rich Smith's status from retired to fired for cause.

Equifax CEO Richard Smith Who Oversaw Breach to Collect $90 Million

By Jen Wieczner
Sep 26th, 2017 6:01 PM ET
The CEO of Equifax is retiring from the credit reporting bureau with a pay day worth as much as $90 million—or roughly 63 cents for every customer whose data was potentially exposed in its recent security breach.

Richard Smith, 57, is the third Equifax executive to retire under pressure following the company’s massive data breach revealed earlier this month, putting the personal information of as many as 143 million people at risk.

Equifax (EFX, -1.42%) said Tuesday that as a condition of Smith’s retirement, he “irrevocably” forfeits any right to a bonus in 2017, an amount that under normal circumstances would have totaled more than $3 million—the bonus he received in 2016—according to the company’s retirement policy.

But the CEO is still set to collect about $72 million this year alone (including nine months’ worth of his $1,450,000 salary), plus another $17.9 million over the next few years. That’s when the rest of Smith’s stock compensation hits a few important milestones or “vests,” allowing Smith to essentially put it in his bank account. Altogether, it adds up to a total potential paycheck of more than $90.1 million, according to Fortune’s calculations based on Equifax securities filings.

After all, the main benefit of Smith retiring from Equifax, as opposed to being fired for cause—besides preserving his dignity—is that he’ll get to continue earning his unvested stock compensation, including options and performance-based awards, as though he were still working at the company, according to Equifax policy. That perk, however, could still be revoked.

In announcing Smith’s retirement, Equifax said it reserved the right to change the “characterization of Mr. Smith’s departure” following the completion of an independent review of the data breach and the company’s handling of it. That means that if the review finds fault with Smith’s actions leading up to and following the hack, Equifax could still retroactively switch his official reason for leaving from “retired” to “fired.”

That’s what happened last year with former Wells Fargo executive Carrie Tolstedt, who led the company’s community banking division responsible for the creation of millions of phony accounts. Several months after Tolstedt announced her voluntary retirement in July 2016, Wells Fargo decided to terminate her employment for cause.

In Tolstedt’s case, Wells Fargo (WFC, +0.31%) also later recouped tens of millions of dollars in compensation from her and former CEO John Stumpf through so-called “clawback” practices. But it’s not clear Equifax CEO Smith’s pay would be similarly vulnerable. While Wells Fargo had broad clawback provisions in place, Equifax’s policy only specifies that it can seek clawbacks “in the event of a material restatement” of its financial results, and if it determines that an employee’s “misconduct” contributed to such a restatement.

While Equifax’s data breach is expected to impact its financial results going forward (given the anticipated legal costs and other expenses), the hack, which was discovered at the end of July, is unlikely to have an effect on previous financial reports.

And even if Smith is ultimately fired for cause, he’ll still get to keep much of the paycheck he is owed anyway. For starters, Smith, who has been the CEO of Equifax since 2005, has accumulated about $18.5 million in retirement benefits that he’ll receive no matter what. Then there’s the Equifax stock he owns that was worth about $23.6 million as of Tuesday’s market close, which Smith is now free to sell as he pleases now that he’s no longer CEO. And that’s on top of the stock he already dumped earlier this year for proceeds of nearly $19 million (before taxes). Add to that his prorated salary of more than $1 million, and the total still comes to almost $62 million.

On the other hand, if Smith ends up just retiring as planned, there’s one other reason that could put some of his compensation at risk: If Equifax’s stock price, which has fallen more than 25% since the company announced the breach, fails to recover. Of Smith’s total $90 million paycheck, nearly $22 million is performance-based compensation tied to Equifax’s three-year stock performance, and Smith won’t receive the full amount for which he is eligible unless Equifax’s stock significantly outperforms the S&P 500 over that time period.

Either way, Smith himself seems resigned to his fate. “The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” he said in a statement announcing his retirement. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”

 

[mary poppins]

Well my post above was kind of a Debbie Downer, so on a lighter note, did you see Monopoly Man photobomb Richard Smith's congressional hearing? So funny!

Here's a video of Monopoly Man, who is actually a binary transwoman attorney, activist and professional troll named Amanda Werner. https://www.nbcnews.com/video/equifax-hearing-photobombed-by-monopoly-man-1062590019660

Here's an interview of Amanda Werner:

Here's Amanda Werner answering questions during an AMA (Ask Me Anything) today on reddit:https://www.reddit.com/r/IAmA/comments/74nyxw/im_the_monopoly_man_that_trolled_equifax_ama/