Equifax: Difference between revisions
→2016 advance-warnings of insecure systems: fix the motherboard attribution |
|||
Line 57: | Line 57: | ||
=== 2016 advance-warnings of insecure systems === |
=== 2016 advance-warnings of insecure systems === |
||
According to an October 2017 report from [[Motherboard (website)|Motherboard]], around December 2016, a security researcher examining Equifax's servers observed an online portal, apparently created for Equifax employees only, was accessible to the open Internet. |
According to an October 2017 report from [[Motherboard (website)|Motherboard]], around December 2016, a security researcher examining Equifax's servers observed an online portal, apparently created for Equifax employees only, was accessible to the open Internet. |
||
{{Quote|text="I didn't have to do anything fancy," the researcher told Motherboard, explaining that the site was vulnerable to a basic "forced browsing" bug. The researcher requested anonymity out of professional concerns. ""All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app," they said. In total, the researcher downloaded the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems. They said they could have downloaded the data of all of Equifax's customers in 10 minutes: "I've seen a lot of bad things, but not this bad."|sign=|source=[[ |
{{Quote|text="I didn't have to do anything fancy," the researcher told Motherboard, explaining that the site was vulnerable to a basic "forced browsing" bug. The researcher requested anonymity out of professional concerns. ""All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app," they said. In total, the researcher downloaded the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems. They said they could have downloaded the data of all of Equifax's customers in 10 minutes: "I've seen a lot of bad things, but not this bad."|sign=|source=[[Motherboard (website)|Motherboard]]}} |
||
The same types of sensitive private information of American consumers (names, birth dates, social security numbers, etc.) were exposed as in the May–July breach, according to Motherboard. Additionally, the security researchers said they were able to gain [[Shell (computing)|shell]] access on Equifax's servers and discovered and reported to Equifax additional vulnerabilities. According to the reporting, despite receiving this warning from the security researcher, the affected portal was not closed until six months later in June, well after the March and May–July breaches had begun.<ref>{{Cite news|url=https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning|title=Breaking: Equifax Knew of Security Flaws Months Before It Was Hacked|date=2017-10-26|work=Motherboard|access-date=2017-10-29|language=en-us}}</ref> Moreover, the employee portal was reportedly not the same server targeted in the later breaches, which Motherboard speculates may suggest multiple breaches by more than one party may have occurred. |
The same types of sensitive private information of American consumers (names, birth dates, social security numbers, etc.) were exposed as in the May–July breach, according to Motherboard. Additionally, the security researchers said they were able to gain [[Shell (computing)|shell]] access on Equifax's servers and discovered and reported to Equifax additional vulnerabilities. According to the reporting, despite receiving this warning from the security researcher, the affected portal was not closed until six months later in June, well after the March and May–July breaches had begun.<ref>{{Cite news|url=https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning|title=Breaking: Equifax Knew of Security Flaws Months Before It Was Hacked|date=2017-10-26|work=Motherboard|access-date=2017-10-29|language=en-us}}</ref> Moreover, the employee portal was reportedly not the same server targeted in the later breaches, which Motherboard speculates may suggest multiple breaches by more than one party may have occurred. |
||
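Review bot: the quotation passed to `text=` in the revised `{{Quote}}` call still opens its second quoted sentence with a doubled mark (`""All you had to do`), so the rendered block shows a stray quotation mark. Drop one of the two while this template call is being touched. The `sign=` parameter is also left empty. Because the block mixes the researcher's words with Motherboard's narration, attributing it through `source=` alone is reasonable, and the empty `sign=` could simply be removed.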
Revision as of 15:35, 31 January 2018
Company type | Public company |
---|---|
NYSE: EFX S&P 500 Component | |
Industry | Credit risk assessment |
Founded | 1899 (as Retail Credit Company) |
Headquarters | 1550 Peachtree St. & One Atlantic Center, , |
Area served | Worldwide |
Key people | Rego Barros Jr. (interim chief executive)[1] |
Revenue | US$ 3.144 billion (2016)[2] |
US$ 817.9 million (2016)[2] | |
US$ 488.8 million (2016)[2] | |
Total assets | US$ 6.664 billion (2016)[2] |
Total equity | US$ 2.662 billion (2016)[2] |
Number of employees | 9,500 (2016)[3] |
Divisions | Equifax Canada Equifax Workforce Solutions |
Website | equifax.com |
Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. Founded in 1899 and based in Atlanta, Georgia, it is one of the three largest credit agencies along with Experian and TransUnion (known as the “Big Three”).[4] Equifax has US$3.1 billion in annual revenue and 9,000+[3] employees in 14 countries. It is listed on the NYSE as EFX.
Aside from offering credit and demographic related data and services to business,[5] Equifax sells credit monitoring and fraud-prevention services directly to consumers.[6] Like all credit reporting agencies, the company is required by US law to provide consumers with one free credit report every year.[7]
Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company.[8]
In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017,[9] where cybercriminals accessed approximately 145.5 million U.S. Equifax consumers' personal data, including their full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. Equifax also confirmed at least 209,000 consumers' credit card credentials were taken in the attack. The company claims to have discovered evidence of the cybercrime event on July 29, 2017. Residents in the United Kingdom and Canada were also impacted.
History
Equifax was founded in Atlanta, GA, as Retail Credit Company in 1899. The company grew quickly and by 1920 had offices throughout the US and Canada. By the 1960s, Retail Credit Company was one of the nation's largest credit bureaus, holding files on millions of American and Canadian citizens. Even though the company continued to do credit reporting, the majority of their business was making reports to insurance companies when people applied for new insurance policies including life, auto, fire and medical insurance. All of the major insurance companies used RCC to get information on health, habits, morals, use of vehicles and finances. They also investigated insurance claims and made employment reports when people were seeking new jobs. Most of the credit work was then being done by a subsidiary, Retailers Commercial Agency.
Retail Credit Company's extensive information holdings, and its willingness to sell them to anyone, attracted criticism of the company in the 1960s and 1970s. These included that it collected "...facts, statistics, inaccuracies and rumors… about virtually every phase of a person's life; his marital troubles, jobs, school history, childhood, sex life, and political activities." The company was also alleged to reward its employees for collecting negative information on consumers.[10]
As a result, when the company moved to computerize its records, which would lead to much wider availability of the personal information it held, the US Congress held hearings in 1970. These led to the enactment of the Fair Credit Reporting Act in the same year which gave consumers rights regarding information stored about them in corporate databanks. It is alleged that the hearings prompted the Retail Credit Company to change its name to Equifax in 1975 to improve its image.[10]
The company later expanded into commercial credit reports on companies in the US, Canada and the UK, where it came into competition with companies such as Dun & Bradstreet and Experian. The insurance reporting was phased out. The company also had a division selling specialist credit information to the insurance industry but spun off this service, including the Comprehensive Loss Underwriting Exchange (CLUE) database as ChoicePoint in 1997. The company formerly offered digital certification services, which it sold to GeoTrust in September 2001. In the same year, Equifax spun off its payment services division, forming the publicly listed company Certegy, which subsequently acquired Fidelity National Information Services in 2006. Certegy effectively became a subsidiary of Fidelity National Financial as a result of this reverse acquisition merger (See Certegy and Fidelity National Information Services for further information).
In October 2010, Equifax acquired Anakam, an identity verification software company.[11]
Equifax purchased eThority, a business intelligence (BI) company headquartered in Charleston, South Carolina in October 2011. eThority is partnering with TALX, a St. Louis-based business unit of Equifax, and will remain in Charleston.[12]
Equifax Workforce Solutions is one of the 55 contractors hired by the United States Department of Health and Human Services to work on the HealthCare.gov web site.[13]
Products
For most of its existence, Equifax has operated primarily in the business-to-business sector, selling consumer credit and insurance reports and related analytics to businesses in a range of industries.[citation needed] Business customers include retailers, insurance firms, healthcare providers, utilities, government agencies, as well as banks, credit unions, personal and specialty finance companies and other financial institutions. Equifax sells businesses credit reports, analytics, demographic data, and software. Credit reports provide detailed information on the personal credit and payment history of individuals, indicating how they have honored financial obligations such as paying bills or repaying a loan. Credit grantors use this information to decide what sort of products or services to offer their customers, and on what terms. Equifax also provides commercial credit reports, similar to Dun & Bradstreet, containing financial and non financial data on businesses of all sizes. Equifax collects and provides data through the NCTUE, an exchange of non credit data including consumer payment history on telco and utility accounts.
In 1999, Equifax also began offering services to the credit consumer sector, such as credit fraud and identity theft prevention products. Equifax and other credit monitoring agencies are required by law to provide US residents with one free credit file disclosure every 12 months; the Annualcreditreport.com website incorporates data from US Equifax credit records.
Equifax also offers fraud prevention products based on device fingerprinting such as "FraudIQ Authenticate Device".[14]
Security failings
2016 advance-warnings of insecure systems
According to an October 2017 report from Motherboard, around December 2016, a security researcher examining Equifax's servers observed that an online portal, apparently created for Equifax employees only, was accessible to the open Internet.
"I didn't have to do anything fancy," the researcher told Motherboard, explaining that the site was vulnerable to a basic "forced browsing" bug. The researcher requested anonymity out of professional concerns. "All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app," they said. In total, the researcher downloaded the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems. They said they could have downloaded the data of all of Equifax's customers in 10 minutes: "I've seen a lot of bad things, but not this bad."
The same types of sensitive private information of American consumers (names, birth dates, social security numbers, etc.) were exposed as in the May–July breach, according to Motherboard. Additionally, the security researchers said they were able to gain shell access on Equifax's servers and discovered and reported to Equifax additional vulnerabilities. According to the reporting, despite receiving this warning from the security researcher, the affected portal was not closed until six months later in June, well after the March and May–July breaches had begun.[15] Moreover, the employee portal was reportedly not the same server targeted in the later breaches, which Motherboard speculates may suggest that multiple breaches by more than one party occurred.
March 2017 security breach
On September 18, 2017, Bloomberg News reported that Equifax had been the victim of a "major breach of its computer systems" in March 2017, and that in early March it had begun "notifying a small number of outsiders and banking customers" about this attack.[16]
According to Bloomberg's report, a person familiar with the breach believed this early-March intrusion may have been carried out by the same party who breached Equifax's computer systems again in May. According to Bloomberg, Equifax enlisted Mandiant (owned by FireEye, Inc.) to assist in investigating the March attack. The same cybersecurity firm was hired following the May–July breach.[16]
May–July 2017 data breach
[The Equifax breach] very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be.
— Dan Goodin, Why the Equifax breach is very possibly the worst leak of personal info ever. (Ars Technica, 2017)[17]
On September 7, 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 145.5 million U.S. consumers.[18] Information on an estimated range of under 400,000 up to 44 million British residents as well as 8,000 Canadian residents was also compromised.[19][20][21][22][23] VentureBeat called the exposure of data on 140 million customers "one of the biggest data breaches in history."[24]
Though the attack was stated to have begun in mid-May, the breach was not observed until July 29, according to Equifax CEO Rick Smith and a subsequent report by Equifax.[9][18][25] Information accessed by the hacker (or hackers) in the breach included first and last names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were also accessed.[26][25]
Equifax stated in a September 15 statement that it hired the services of Mandiant on August 2 to internally investigate the intrusion. The statement did not, however, record in its timeline exactly when government authorities ("all U.S. State Attorneys General" and "other federal regulators") were notified of the breach, although it did assert "the company continues to work closely with the FBI in its investigation."[25]
Equifax shares dropped 13 percent in early trading the day after the breach was made public.[27]
Numerous lawsuits have been filed against Equifax as a result of the breach.[28][29] In one suit the law firm Geragos & Geragos has indicated they would seek up to $70 billion in damages, which would make it the largest class-action suit in U.S. history.[28]
Numerous media outlets advised consumers to request a credit freeze to reduce the impact of the breach.[30][31][32][33]
Equifax said the breach was facilitated using a flaw in Apache Struts (CVE-2017-5638).[34] A patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later.[35][36] However, this was not the only point of failure: contributing factors included the insecure network design which lacked sufficient segmentation,[37] potentially inadequate encryption of personally identifiable information (PII),[38] and ineffective breach detection mechanisms.[39]
On September 15, Equifax issued a press release with bullet-point details of the intrusion, its potential consequences for consumers, and the company's response. The statement further commented on issues related to criticism regarding its initial response to the incident. The company also announced the immediate departures and replacements of its Chief Information Officer and Chief Security Officer.[25][40]
Three days after Equifax revealed the May–July 2017 breach, Congressman Barry Loudermilk (R-GA), who had been given thousands of dollars by Equifax,[41][42] introduced a bill to the US House that would reduce consumer protections in relation to the nation’s credit bureaus, including capping potential damages in a class action suit to $500,000 regardless of class size or amount of loss.[43] The bill would also eliminate all punitive damages.[43][44] Following criticism by consumer advocates, Loudermilk agreed to delay consideration of the bill "pending a full and complete investigation into the Equifax breach."[43]
On September 28, 2017, new Equifax CEO Paulino do Rego Barros Jr. responded to criticism of Equifax by promising that the company would, from early 2018, allow "all consumers the option of controlling access to their personal credit data," and that this service would be "offered free, for life."[45]
On October 2, 2017, Equifax revealed that the estimated number of affected Americans was 2.5 million more than previously reported. This brought the total number of potentially impacted Americans to 145.5 million.[46]
On October 10, 2017, Equifax stated that 15.2m UK customers had their records compromised in the breach,[47][48] of which 693,665 had sensitive personal data disclosed.[49][50][47][51][48]
Also around October 10, 2017, the number of drivers' licenses breached in the attack was reported to be 10–11 million.[52][53][54]
Criticism
Following the announcement of the May–July 2017 breach, Equifax's actions received widespread criticism. Equifax did not immediately disclose whether PINs and other sensitive information were compromised, nor did it explain the delay between its discovery of the breach in July and its public announcement in early September.[55] Equifax stated that the delay was due to the time needed to determine the scope of the intrusion and the large amount of personal data involved.[56]
It was also revealed that three Equifax executives sold almost $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public.[57] The company said the executives, including the chief financial officer John Gamble,[58][27] "had no knowledge that an intrusion had occurred at the time they sold their shares".[59] On September 18, Bloomberg reported that the US Justice Department had opened an investigation to determine whether or not insider trading laws had been violated.[60]
When publicly revealing the intrusion to its systems, Equifax offered a website (https://www.equifaxsecurity2017.com[61]) for consumers to learn whether they were victims of the breach. Security experts quickly noted that the website had many traits in common with a phishing website: it was not hosted on a domain registered to Equifax, it had a flawed TLS implementation, and it ran on WordPress, which is not generally considered suitable for high-security applications.[17] These issues led OpenDNS to classify it as a phishing site and block access.[17] Moreover, members of the public wanting to use the Equifax website to learn if their data had been compromised had to provide a last name and six digits of their social security number.[62]
The website set up to check whether a person's personal data had been breached (trustedidpremier.com) was determined by security experts and others to return apparently random results instead of accurate information.[62] As with https://www.equifaxsecurity2017.com, this website, too, was registered and constructed like a phishing website, and it was flagged as such by several web browsers.[63]
The Trusted ID Premier website contained terms of use, dated September 6, 2017 (the day before Equifax announced the security breach) which included an arbitration clause with a class action waiver.[64][65] Attorneys said that the arbitration clause was ambiguous and that it could require consumers who accepted it to arbitrate claims related to the cybersecurity incident.[65] According to Polly Mosendz and Shahien Nasiripour, "some fear[ed] that simply using an Equifax website to check whether their information was compromised bound them to arbitration".[66] The equifax.com website has separate terms of use with an arbitration clause and class action waiver, but, according to Brian Fung of The Washington Post, "it's unclear if that applies to the credit monitoring program".[67] New York Attorney General Eric Schneiderman demanded that Equifax remove the arbitration clause.[68] Responding to arbitration-related concerns, on September 8, Equifax issued a statement stating that "in response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."[68] Joel Winston, a data protection lawyer, argued that the announcement disclaiming the arbitration clause "means nothing" because the terms of use state that they are the "entire agreement" between the parties.[68] The arbitration clause was later removed from equifaxsecurity2017.com.[68]
Responding to continuing public outrage,[69] Equifax announced on September 12 that they "are waiving all Security Freeze fees for the next 30 days".[70]
Equifax has been criticized by security experts for registering a new domain name for the site name instead of using a subdomain of equifax.com. On September 20, it was reported that Equifax had been mistakenly linking to an unofficial "fake" web site instead of their own breach notification site in at least eight separate tweets, unwittingly helping to direct a reported 200,000 hits to the imitation site. A software engineer named Nick Sweeting created the unauthorized Equifax web site to demonstrate how the official site could easily be confused with a phishing site. Sweeting's site was upfront to visitors that it was not official, however, telling visitors who had entered sensitive information that "you just got bamboozled! this isnt [sic] a secure site! Tweet to @equifax to get them to change it to equifax.com before thousands of people loose [sic] their info to phishing sites!" Equifax apologized for the "confusion" and deleted the tweets linking to this site.[71][72][73]
2017 exposure of Argentinian consumer data
In September 2017, Brian Krebs revealed that an Argentinian arm of Equifax had left private data from approximately 14,000 consumers, and more than 100 staff members, available to anyone who entered "admin" as both the username and password for one of its online systems.[74][75]
2017 withdrawal of vulnerable mobile apps
On September 7, 2017, the same day as Equifax announced a large security breach, Equifax removed its official mobile apps from the Apple App Store and from Google Play.[76] While these apps themselves were not reportedly connected to that breach, they had security flaws of their own, being vulnerable to man-in-the-middle attacks owing to some parts using HTTP instead of HTTPS.[77]
2017 exposure of American salary data
On October 8, 2017, Krebs reported that The Work Number, a website operated by Equifax's TALX division, exposed the salary histories for employees of tens of thousands of US companies to anyone in possession of the employee's Social Security Number and date of birth.[78][79] For roughly half the US population, both of the latter pieces of data are known to be in possession of criminals, following Equifax's May–July 2017 security breach.[78][79]
Website malware
On October 12, 2017, Equifax's website was reported to have been offering visitors malware via drive-by download.[80][81] The malware was disguised as an update for Adobe Flash.[80][81][82][83] At that time, only 3 out of 65 top anti-malware products provided protection against the particular malware, meaning that many visitors were at risk of having their computers infected if visiting the Equifax website.[82]
On October 13, 2017, the attack was revealed to have been performed by hijacking third-party analytics JavaScript from Digital River brand FireClick.[84][85]
Also on October 13, 2017, the US Internal Revenue Service was reported to have suspended a $7.2 million contract with Equifax, as a result of the attack.[86]
Lawsuits and fines
The company has been fined by the Federal Trade Commission on two occasions for violating the Fair Credit Reporting Act. In 2000, Equifax, along with Experian and TransUnion, was fined $2.5 million for blocking and delaying phone calls from consumers trying to get information about their credit. In 2003, the FTC took Equifax to court for the same reason and settled its lawsuit with the company for a fine of $250,000.[87][88]
In July 2013, a federal jury in Oregon awarded $18.6 million to Julie Miller of Marion County against Equifax for violations of the Fair Credit Reporting Act.[89] In her lawsuit, Miller alleged Equifax had merged her credit reports with another person with a different Social Security number, date of birth, and address. Miller contacted Equifax repeatedly in writing and over the telephone, but Equifax refused to delete dozens of false collection accounts from Miller’s credit report.[90] The award included $18.4 million in punitive damages, and $180,000 in compensatory damages. Miller’s lawyer, Justin Baxter, explained that the false reporting damaged Miller's reputation, she was denied credit, and her private information was given to businesses Miller had no relationship with.[91] The jury’s verdict is believed to be the largest award in an individual case under the Fair Credit Reporting Act.[92] An Equifax spokesperson said that Equifax is considering appealing the jury’s verdict.[93] A federal judge reduced the award to $1.62 million in 2014.[94]
In 2014, Equifax and Heartland Bank were sued by Kimberly Haman of the St. Louis area for reporting she was dead.[95][96] A Heartland Bank spokesperson said the bank "immediately investigated and contacted the credit reporting agencies after Haman reported" she was still alive.[95] An Equifax "spokesperson told the Post-Dispatch that Equifax blocked the Heartland account information from appearing on Haman’s credit report after a reporter’s inquiry."[89][95]
In April 2014, Equifax was sued in New York federal court by God Gazarov, who claimed the company erroneously reports him as having no credit history because of his unusual first name.[97]
On November 4, 2015, it was reported that a group of five Oklahomans had sued the company, claiming that Equifax "violated laws which require financial institutions to protect the security of their customers' personal information."[98] Equifax selected the law firm DLA Piper to work on the case in D.C. It had turned to Edelman for earlier crisis control after the October 2017 privacy breach.[99]
See also
- Compuscan
- Credit bureau
- Credit score
- Experian
- Fair Credit Reporting Act
- Identity theft
- Innovis
- Privacy laws of the United States
- Talx
- The Work Number
- TransUnion
References and footnotes
- ^ Surane, Jennifer; Melin, Anders (September 26, 2017). "Equifax CEO Richard Smith Resigns After Uproar Over Massive Hack". Bloomberg.com. Retrieved September 27, 2017.
- ^ a b c d e "Equifax Reports Fourth Quarter and Record Full Year 2013 Results". investor.equifax.com. Equifax. Retrieved December 8, 2014.
- ^ a b "Company Profile". equifax.co.uk. Equifax. Archived from the original on December 25, 2014. Retrieved December 8, 2014.
- ^ "How to protect yourself against the theft of your identity". The Economist. September 14, 2017. Retrieved September 15, 2017.
- ^ "All Products and Solutions | Business | Equifax". Equifax.com. Retrieved September 23, 2017.
- ^ Equifax. "All Credit Score, Credit Report & Identity Theft Products | Equifax". Equifax.com. Retrieved September 23, 2017.
- ^ "Free Credit Reports". Consumer Information. March 26, 2013. Retrieved September 23, 2017.
- ^ "The Dizzying Number Of CFPB Complaints Against Equifax Since 2012 Should Infuriate You". Fast Company. September 18, 2017. Retrieved September 18, 2017.
- ^ a b Equifax (September 7, 2017), Rick Smith, Chairman and CEO of Equifax, on Cybersecurity Incident Involving Consumer Data., retrieved September 12, 2017
- ^ a b Separating Equifax from fiction, Wired, September 1995, retrieved September 13, 2007
- ^ "Equifax Blog - Equifax Acquires Anakam". Anakam.equifax.com. July 17, 2012. Archived from the original on July 17, 2012. Retrieved September 10, 2017.
- ^ Kearney, Brendan (October 4, 2011). "Equifax buys local eThority: Company to stay, grow in Charleston, founder says". The Post and Courier.
- ^ USA Today, front page October 24, 2013, “Hot seat for stealth website builders”
- ^ "FraudIQ Authenticate Device Product Description ("Anonymous device properties are processed by a pattern matching engine to recognize the device")" (PDF).
- ^ "Breaking: Equifax Knew of Security Flaws Months Before It Was Hacked". Motherboard. October 26, 2017. Retrieved October 29, 2017.
- ^ a b Riley, Michael, Anita Sharpe, and Jordan Robertson, "Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed", Bloomberg News, September 18/19, 2017.
- ^ a b c "Why the Equifax breach is very possibly the worst leak of personal info ever". CNBC. Retrieved September 10, 2017.
- ^ a b Haselton, Todd (September 7, 2017). "Credit reporting firm Equifax says cybersecurity incident could potentially affect 143 million US consumers". cnbc.com. Retrieved September 8, 2017.
- ^ Shepardson, David. "Equifax failed to patch security vulnerability in March: former CEO". reuters.com. Reuters. Retrieved October 3, 2017.
- ^ Hern, Alex (September 8, 2017). "Equifax told to inform Britons whether they are at risk after data breach". The Guardian. Retrieved September 11, 2017.
- ^ Isai, Vjosa (September 7, 2017). "Canadians among 143 million people affected in Equifax hack". The Toronto Star.
Hackers targeted names, Social Security numbers, birth dates, addresses and driver's licence numbers, Equifax said in a statement. "Limited personal information" from residents in Canada and the U.K. was also accessed, it said.
- ^ "Equifax confirms Britons hit by breach". BBC News. September 15, 2017. Retrieved September 16, 2017.
- ^ Ligaya, Armina (September 19, 2017). "Equifax says 100,000 Canadians affected by cyberattack". CTVNews. Retrieved September 21, 2017.
- ^ Charypar, Victor (November 4, 2017). "The end of the cloud is coming". VentureBeat.
- ^ a b c d "Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes". investor.equifax.com. Retrieved September 16, 2017.
- ^ "Cybersecurity Incident & Important Consumer Information | Equifax". Cybersecurity Incident & Important Consumer Information. Retrieved September 7, 2017.
- ^ a b Melin, Anders (September 7, 2017). "Three Equifax Managers Sold Stock Before Cyber Hack Revealed". Bloomberg.com. Retrieved September 8, 2017.
- ^ a b Mills, Chris (September 8, 2017). "Equifax is already facing the largest class-action in history". bgr.com. Retrieved September 8, 2017.
- ^ Thadani, Trisha (September 13, 2017). "Lawsuit against Equifax filed in federal court in San Jose". SFGate.com. Retrieved September 13, 2017.
- ^ "A Guide to Surviving the Equifax Data Breach". CNET. Retrieved September 12, 2017.
- ^ Lieber, Ron (September 10, 2017). "After Equifax Breach, Here's Your Next Worry: Weak PINs". The New York Times. Retrieved September 12, 2017.
- ^ "How to freeze your credit after a data breach". The Verge. Retrieved September 12, 2017.
- ^ Fung, Brian (September 9, 2017). "After the Equifax breach, here's how to freeze your credit to protect your identity". Washington Post.
- ^ "CVE-2017-5638 - Apache Struts2 S2-045 #8064". GitHub. March 7, 2017. Retrieved September 16, 2017.
- ^ Whittaker, Zack. "Equifax confirms Apache Struts flaw it failed to patch was to blame for data breach". ZDNet. Retrieved September 14, 2017.
- ^ "Failure to patch two-month-old bug led to massive Equifax breach". Ars Technica. Retrieved September 14, 2017.
- ^ Newman, Lily Hay. "How to Stop the Next Unstoppable Mega-Breach—Or Slow It Down". WIRED. Retrieved September 29, 2017.
- ^ Gallagher, Sean. "Equifax hackers stole data for 200k credit cards from transaction history". Ars Technica. Retrieved September 29, 2017.
- ^ Lomas, Natasha. "Equifax breach disclosure would have failed Europe's tough new rules". TechCrunch. Retrieved September 29, 2017.
- ^ Shaban, Hamza (September 15, 2017). "Two Equifax executives will retire following massive data breach". Washington Post. ISSN 0190-8286. Retrieved September 17, 2017.
- ^ Levin, Bess. "Equifax Lobbied to Gut Regulations Right Before Getting Hacked". Vanityfair.com.
- ^ "Equifax Inc Contributions to Federal Candidates, 2016 cycle". Opensecrets.org.
- ^ a b c Weisbaum, Herb (September 11, 2017). "Republicans in Congress Want to Roll Back Regulations on Credit Bureaus". NBC News. Retrieved September 18, 2017.
- ^ Lazarus, David (September 19, 2017). "Despite Equifax hack, GOP lawmakers want to deregulate credit agencies". Los Angeles Times. Retrieved September 20, 2017.
- ^ "New Equifax CEO offers "sincere and total apology" to consumers". Retrieved October 20, 2017.
- ^ Weise, Elizabeth; Bomey, Nathan (October 2, 2017). "Equifax breach hit 2.5 million more Americans than first believed". USA Today. Retrieved October 4, 2017.
- ^ a b "Equifax says 15.2 million UK records exposed in cyber breach". Reuters. October 10, 2017. Retrieved October 11, 2017.
- ^ a b "Latest information on the Equifax cyber incident - NCSC Site". www.ncsc.gov.uk. Retrieved October 13, 2017.
- ^ "Equifax Hackers Stole Info on 693,665 UK Residents — Krebs on Security". krebsonsecurity.com. Retrieved October 11, 2017.
- ^ Staff; agencies (October 11, 2017). "Personal details of almost 700,000 Britons hacked in cyber-attack". Theguardian.com. Retrieved October 11, 2017.
- ^ "Equifax hack hit 694,000 UK customers". Bbc.co.uk. October 10, 2017. Retrieved October 11, 2017.
- ^ "Equifax Breach Exposed Driver's License Data for 11 Million Americans". www.msn.com. Retrieved October 13, 2017.
- ^ Chin, Monica. "On top of everything else, Equifax hackers got 10 million driver's licenses". Mashable.com. Retrieved October 13, 2017.
- ^ "Equifax hackers took driver's license info on 10M Americans". Cnet.com. Retrieved October 13, 2017.
- ^ "6 Unanswered Questions For Equifax After A Massive Data Breach Of 143-Million Americans' Personal Information". Retrieved September 8, 2017.
- ^ "Cybersecurity Incident & Important Consumer Information". equifaxsecurity2017.com. Equifax. 2017. Retrieved September 13, 2017.
- ^ Melin, Anders (September 7, 2017). "Three Equifax Managers Sold Stock Before Cyber Hack Revealed". Bloomberg.
- ^ Solon, Olivia (September 7, 2017). "Credit firm Equifax says 143m Americans' social security numbers exposed in hack". The Guardian. Retrieved September 11, 2017.
- ^ Morley, Katie (September 8, 2017). "Equifax hack: 44 million Britons' personal details feared stolen in major US data breach". The Daily Telegraph. Retrieved September 9, 2017.
- ^ "Equifax Stock Sales Are the Focus of U.S. Criminal Probe". Bloomberg.com. September 18, 2017. Retrieved September 18, 2017.
- ^ Bahney, Anna. "6 Equifax hack rumors fact-checked". CNNMoney. Retrieved September 12, 2017.
- ^ a b "Equifax's hack checker is a hot mess -- here's what to do". Cnet.com. Retrieved September 10, 2017.
- ^ Krebs, Brian. "Equifax or Equiphish? — Krebs on Security". krebsonsecurity.com. Retrieved October 13, 2017.
- ^ Chacos, Brad (September 8, 2017). "Equifax hack: How to know if you're affected". PCWorld. Retrieved September 13, 2017.
- ^ a b Robertson, Adi (September 8, 2017). "Can you join a class action suit if you use Equifax's free identity theft protection?". The Verge.
- ^ Mosendz, Polly; Nasiripour, Shahien (September 8, 2017). "Equifax's Hacking Nightmare Gets Even Worse For Victims". Bloomberg.com. Retrieved September 13, 2017.
- ^ Fung, Brian (September 8, 2017). "By signing up on Equifax's help site, you risk giving up your legal rights". chicagotribune.com. Retrieved September 13, 2017.
- ^ a b c d "Equifax finally responds to swirling concerns over consumers' legal rights". The Washington Post. Retrieved September 8, 2017.
- ^ "What Equifax owes us all: A free credit freeze at all agencies, for starters, and loads of answers". New York Daily News. September 12, 2017. Retrieved September 13, 2017.
- ^ Kirsch, Melissa (September 12, 2017). "Equifax Is Waiving Their Credit-Freeze Fees for 30 Days". lifehacker. Retrieved September 13, 2017.
- ^ Astor, Maggie (September 20, 2017). "Someone Made a Fake Equifax Site. Then Equifax Linked to It". The New York Times. ISSN 0362-4331. Retrieved September 21, 2017.
- ^ "Equifax sends breach victims to fake notification site". Ars Technica. Retrieved September 21, 2017.
- ^ Morse, Jack. "Equifax has been directing victims to a fake phishing site for weeks". Mashable. Retrieved September 21, 2017.
- ^ "Equifax reportedly used 'admin' as password in Argentina". Cnet.com. Retrieved September 16, 2017.
- ^ "Equifax suffers fresh data breach". BBC News. September 13, 2017. Retrieved September 16, 2017.
- ^ "Equifax's app has disappeared from Apple's App Store and Google Play". Fastcompany.com. September 11, 2017. Retrieved September 16, 2017.
- ^ "Here's Why Equifax Yanked Its Apps From Apple And Google Last Week". Fast Company. September 15, 2017. Retrieved September 16, 2017.
- ^ a b "Equifax Breach Fallout: Your Salary History — Krebs on Security". krebsonsecurity.com. Retrieved October 11, 2017.
- ^ a b "Equifax will give your salary history to anyone with your SSN and date of birth / Boing Boing". boingboing.net. Retrieved October 11, 2017.
- ^ a b Goodin, Dan (October 12, 2017). "Equifax website hacked again, this time to redirect to fake Flash update". Ars Technica. Retrieved October 12, 2017.
- ^ a b Schroeder, Stan. "Equifax may have been hacked again and it's not even funny anymore". Mashable. Retrieved October 12, 2017.
- ^ a b Humphries, Matthew. "Equifax Website Hacked Again". PCMAG. Retrieved October 12, 2017.
- ^ Puzzanghera, Jim; Raab, Lauren (October 12, 2017). "Equifax website is apparently hacked". Los Angeles Times. ISSN 0458-3035. Retrieved October 12, 2017.
- ^ Goodin, Dan. "Equifax rival TransUnion also sends site visitors to malicious pages". Ars Technica UK. Retrieved October 13, 2017.
- ^ Kovacs, Eduard. "Malicious Redirects on Equifax, TransUnion Sites Caused by Third-Party Script | SecurityWeek.Com". www.securityweek.com. Retrieved October 13, 2017.
- ^ David, Kravets (October 13, 2017). "After second bungle, IRS suspends Equifax's "taxpayer identity" contract". Ars Technica. Retrieved October 16, 2017.
- ^ "Equifax Fined $250,000 Fine By FTC". NBC 10. August 3, 2003. Archived October 7, 2008, at the Wayback Machine. Retrieved September 13, 2007.
- ^ "Equifax to Pay $250,000 to Settle Charges". ConsumerAffairs.com. July 30, 2003. Archived from the original on August 17, 2007. Retrieved July 23, 2007.
- ^ a b Patrick, Robert (February 8, 2014). "'Excuse me, I'm not dead' St. Louis County woman pleads to her bank". St. Louis Post-Dispatch. Retrieved February 18, 2014.
- ^ "An $18 Million Lesson in Handling Credit Report Errors". The New York Times. August 2, 2013. Retrieved August 2, 2013.
- ^ "Equifax must pay $18.6 million after failing to fix Oregon woman's credit report". The Oregonian. Archived from the original on July 29, 2013. Retrieved July 26, 2013.
- ^ "Jury Awards $18.6M For Equifax Credit Report Mix-up". Archived from the original on December 15, 2013. Retrieved July 29, 2013.
- ^ "Equifax weighs appealing $18.6M award to consumer". Ajc.com. Retrieved July 31, 2013.
- ^ "Judge cuts Oregon woman's award in Equifax case". Oregonlive.com. Retrieved February 3, 2015.
- ^ a b c Weiss, Debra Cassens (February 11, 2014). "Woman sues in effort to prove she is alive". ABA Journal. Retrieved February 18, 2014.
- ^ Gershman, Jacob (February 10, 2014). "Woman Listed as Deceased Files Lawsuit Claiming She's Alive". Wall Street Journal Law Blog. Retrieved February 18, 2014.
- ^ White, Martha C. (April 11, 2014). "God Just Wants Some Credit, So He's Suing Equifax". NBC News. Retrieved April 22, 2014.
- ^ "Oklahomans File Lawsuit Against Equifax". NewsOn6. November 4, 2017.
- ^ McCauley, Kevin (October 23, 2017). "Equifax Picks DLA Piper". O'Dwyer's.
External links
- Company website
- Annual Credit report, free.
- Equifax Consumer Identity Protection website
- Yahoo! Finance - Equifax Inc. Company Profile