The Register-Guard: How Chinese military hackers allegedly pulled off the Equifax data breach. “The criminals identified a flaw in the credit agency’s security system, executed a plan of attack to penetrate it and devised a scheme to cover their tracks on their way out, according to a criminal indictment unsealed Monday. Those alleged criminals, four members of the Chinese military, exploited a flaw in software that allowed U.S. consumers to dispute problems with their Equifax credit reports. That gave the hackers access to Americans’ personal information, according to the indictment.”
CNET: You’re running out of time to submit your Equifax data breach claim — here’s how. “You have just a few days to file your claim if you’re among the 147 million people whose data was exposed in the 2017 Equifax data breach. The Federal Trade Commission said you have till Jan. 22 to submit a claim to recover money you spent or lost as a result of the massive database hack.”
Ars Technica, with a side of eyeroll: Equifax claims administrator says victims must provide more info to claim cash. “If you’re one of the millions of Americans who received an email this weekend from the Equifax breach settlement administrator, you’re not alone. Nor are you alone if you were surprised or confused by the message, as more than a half-dozen Ars readers who forwarded theirs were. The message, however, is entirely legitimate, and the information it seeks is part of the claims process.”
USA Today: Equifax data breach settlement: How to file a claim for $125 or free credit reporting. “If you were affected by the 2017 Equifax data breach, you can now file a claim for a piece of the settlement. The credit-reporting company has agreed to pay between $575 million and $700 million to settle state and federal investigations related to a massive security incident that exposed the personal information of more than 147 million Americans two years ago.” The site includes a form where you can enter your last name and the last six digits of your social to see if you are entitled to claim. I looked myself up and GUESS WHAT….
CNET: Equifax will pay $700 million for data breach, report says. “Equifax is reportedly close to reaching a $700 million settlement with the US Federal Trade Commission and other government agencies over its massive data breach in 2017. The money would also go towards resolving a consumer class-action lawsuit against the company, The Wall Street Journal reported Friday afternoon.”
The Verge: Former Equifax executive sentenced to prison for insider trading prior to data breach. “The Security and Exchanges Commission charged [Jun] Ying with insider trading last year. The Department of Justice says that in August 2017, after learning about the breach, he began researching the impact that a similar breach had on another company’s stock price. Later that morning, he promptly exercised and sold all of his stock options, earning nearly a million dollars from the sale. In doing so, he avoided a loss of $117,000 that he otherwise would have incurred when the company’s stock price dropped after the disclosure.”
Krebs on Security: MyEquifax.com Bypasses Credit Freeze PIN. “Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.”
The Register: And it’s go, go, go for class-action lawsuits against Equifax after 148m personal records spilled in that mega-hack. “In a series of orders handed down in a Georgia federal district court on Monday, the evocatively named Judge Thomas Thrash Jr said that legal challenges from payment card issuers and ordinary citizens can proceed against Equifax. A class-action lawsuit brought by ten ‘small businesses’ – which included corporations and limited liability companies – was denied, though. The small biz owners can join in with the consumers.”
The Register: Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory. “A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure. The 96-page report (PDF) from the Committee of Oversight and Government Reform found that the 2017 network breach could have easily been prevented had the company taken basic security precautions.”
ZDNet: US government releases post-mortem report on Equifax hack. “The Government Accountability Office (GAO) has published a report to detail how the Equifax hack went down and how the credit reporting company answered during and after the incident.”
VT Digger: Randolph librarian wins surprise judgement against Equifax. “In a small claims court ruling that surprised even the victor, a self-described member of the ‘librarian resistance’ has won a $600 judgment against Equifax, the credit ratings agency that collects financial data on nearly a billion consumers and businesses worldwide.” I have been a Jessamyn West fan for 20 years!
TechCrunch: Equifax filing reveals hack was somehow even worse than previous estimates. “The 2017 hack of Equifax, already among the largest ever recorded, just got bigger. Well, they’re admitting that it was bigger than they had previously, which amounts to the same thing. Documents filed with the SEC reveal that more people, more IDs, and more info in general was stolen when the company utterly failed to protect its ‘users,’ many of which didn’t even know they were in the database.”
Los Angeles Times: Equifax finds its big data breach hit an additional 2.4 million people. “Equifax Inc. said Thursday that an additional 2.4 million Americans were affected by last year’s data breach, although not as much personal information was stolen from them. The credit reporting company said the attackers stole only the names and partial driver’s license numbers of these additional people, unlike the previously disclosed 145.5 million Americans whose Social Security numbers were obtained. Attackers were unable to get the state where the licenses were issued, the date of issuance or expiration dates, Equifax said.”
Los Angeles Times: Equifax hack exposed more information than we thought, documents show. “… Atlanta-based Equifax Inc. recently disclosed in a document submitted to the Senate Banking Committee, which was shared with Associated Press, that a forensic investigation found criminals accessed other information from company records. That included tax identification numbers, email addresses and phone numbers. Details, such as the expiration dates for credit cards or issuing states for driver’s licenses, were also included in the list.”
Motherboard: Equifax Was Warned. “Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it—but only after the massive breach that made headlines had already taken place, according to Equifax’s own timeline.”