Bloomberg: Equifax Had A Data Breach In March, Too. More Questions Result

Equifax logo According to news reports, Equifax experienced another data breach earlier this year before the massive data breach it announced on September 7th where criminals gained unauthorized access to Equifax's systems and computers from May through then end of July, 2017. Bloomberg reported:

"Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation... Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said..."

Two major data breaches? What's happening? A news report by Bank Info Security may clarify things:

"... the Bloomberg story is "attempting to connect two separate cybersecurity events and suggesting the earlier event went unreported." Instead, Equifax says the breach described by Bloomberg was a "security incident involving a payroll-related service." The incident, which Equifax refers to as the "March event," was reported to customers, affected individuals and regulators, as well as covered by the media, it says. "Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related."

Equifax appears to refer a breach involving TALX its payroll, human resources, and tax services subsidiary formally known as Equifax Workforce Solutions. The Bank Info Security news report explained:

"In early March, Equifax began notifying individuals whose employers use TALX for payroll services that it had detected unauthorized access to its web-based portal. Employees use the TALX portal to access their W-2, which is the annual income reporting form that U.S. employees need to file their federal tax return. That's also a key document for fraudsters, because it puts them one step closer to being able to fraudulently file and claim a tax refund in someone else's name.

In the March attack, hackers had luck accessing TALX accounts by guessing registered users' personal questions, according to Equifax's breach notifications. By answering the questions correctly, fraudsters were able to reset a PIN needed to access an account. With the fresh PIN, they were able to obtain an electronic copy of victims' W-2. The unauthorized access incidents occurred between April 17, 2016, and March 29, 2017, Equifax says..."

It's frightening that the TALX breach went undetected for almost a year. Also, the Krebs On Security blog reported in May about the Equifax-TALX breach. However, the Bloomberg news report explored another hacking method criminals might have used in March:

"... one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter. This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.

According to the person and a Sept. 14 internal memo reviewed by Bloomberg, the gateway linked a test and development site used by the bank’s wealth management division to Equifax, allowing the two entities to share information digitally."

So, there was a breach in March. Was it the TALX hack, the hack via a bank, both, or something else? If the Bloomberg report is accurate, then the post-breach consequences listed probably apply:

"... will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading... New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity... the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that [March] investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July."

If true, then consumers are left with more questions: which bank(s)? What fixes have been implemented so this doesn't happen again? Why wasn't this disclosed sooner? How many consumers were affected? Exactly how did the hackers gain access? Was it the same or a different group of hackers? Which consumers' data elements were accessed/stolen?

The cynic in me wonders if Equifax executives are using its TALX breach as cover -- to avoid having to admit to another massive (and embarrassing) data breach.

Regardless of which news report is accurate, there are plenty of reasons for consumers to feel uneasy about Equifax's breach(es), data security protections, and breach notifications. Equifax is a custodian of extremely valuable and sensitive information about consumers. It makes money selling that information to potential lenders, and consumers have a right to have their questions answered fully.

Maybe the various investigations and inquiry by 31 states will provide answers for consumers. Or maybe Congress needs to hold hearings. It's been done before. What do you think?


Facebook Enabled Advertisers to Reach ‘Jew Haters’

[Editor's note: today's guest post, by the reporters at ProPublica, is part of its Machine Bias series. After being contacted by ProPublica, Facebook removed several anti-Semitic ad categories and it no longer allows advertisers to target groups based upon self-reported information. Today's post is reprinted with permission.]

By Julia Angwin, Madeleine Varner, and Ariana Tobin - ProPublica

Facebook logo Want to market Nazi memorabilia, or recruit marchers for a far-right rally? Facebook’s self-service ad-buying platform had the right audience for you.

Until last week, when we asked Facebook about it, the world’s largest social network enabled advertisers to direct their pitches to the news feeds of almost 2,300 people who expressed interest in the topics of “Jew hater,” “How to burn jews,” or, “History of ‘why jews ruin the world.’”

To test if these ad categories were real, we paid $30 to target those groups with three “promoted posts” — in which a ProPublica article or post was displayed in their news feeds. Facebook approved all three ads within 15 minutes.

After we contacted Facebook, it removed the anti-Semitic categories — which were created by an algorithm rather than by people — and said it would explore ways to fix the problem, such as limiting the number of categories available or scrutinizing them before they are displayed to buyers.

“There are times where content is surfaced on our platform that violates our standards,” said Rob Leathern, product management director at Facebook. “In this case, we’ve removed the associated targeting fields in question. We know we have more work to do, so we’re also building new guardrails in our product and review processes to prevent other issues like this from happening in the future.”

Facebook’s advertising has become a focus of national attention since it disclosed last week that it had discovered $100,000 worth of ads placed during the 2016 presidential election season by “inauthentic” accounts that appeared to be affiliated with Russia.

Like many tech companies, Facebook has long taken a hands off approach to its advertising business. Unlike traditional media companies that select the audiences they offer advertisers, Facebook generates its ad categories automatically based both on what users explicitly share with Facebook and what they implicitly convey through their online activity.

Traditionally, tech companies have contended that it’s not their role to censor the Internet or to discourage legitimate political expression. In the wake of the violent protests in Charlottesville by right-wing groups that included self-described Nazis, Facebook and other tech companies vowed to strengthen their monitoring of hate speech.

Facebook CEO Mark Zuckerberg wrote at the time that “there is no place for hate in our community,” and pledged to keep a closer eye on hateful posts and threats of violence on Facebook. “It’s a disgrace that we still need to say that neo-Nazis and white supremacists are wrong — as if this is somehow not obvious,” he wrote.

But Facebook apparently did not intensify its scrutiny of its ad buying platform. In all likelihood, the ad categories that we spotted were automatically generated because people had listed those anti-Semitic themes on their Facebook profiles as an interest, an employer or a “field of study.” Facebook’s algorithm automatically transforms people’s declared interests into advertising categories.

Here is a screenshot of our ad buying process on the company’s advertising portal:

Screenshot of Facebook ad buying process

This is not the first controversy over Facebook’s ad categories. Last year, ProPublica was able to block an ad that we bought in Facebook’s housing categories from being shown to African-Americans, Hispanics and Asian-Americans, raising the question of whether such ad targeting violated laws against discrimination in housing advertising. After ProPublica’s article appeared, Facebook built a system that it said would prevent such ads from being approved.

Last year, ProPublica also collected a list of the advertising categories Facebook was providing to advertisers. We downloaded more than 29,000 ad categories from Facebook’s ad system — and found categories ranging from an interest in “Hungarian sausages” to “People in households that have an estimated household income of between $100K and $125K.”

At that time, we did not find any anti-Semitic categories, but we do not know if we captured all of Facebook’s possible ad categories, or if these categories were added later. A Facebook spokesman didn’t respond to a question about when the categories were introduced.

Two weeks ago, acting on a tip, we logged into Facebook’s automated ad system to see if “Jew hater” was really an ad category. We found it, but discovered that the category — with only 2,274 people in it — was too small for Facebook to allow us to buy an ad pegged only to Jew haters.

Facebook’s automated system suggested “Second Amendment” as an additional category that would boost our audience size to 119,000 people, presumably because its system had correlated gun enthusiasts with anti-Semites.

Instead, we chose additional categories that popped up when we typed in “jew h”: “How to burn Jews,” and “History of ‘why jews ruin the world.’” Then we added a category that Facebook suggested when we typed in “Hitler”: a category called “Hitler did nothing wrong.” All were described as “fields of study.”

These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

Facebook’s automated system told us that we still didn’t have a large enough audience to make a purchase. So we added “German Schutzstaffel,” commonly known as the Nazi SS, and the “Nazi Party,” which were both described to advertisers as groups of “employers.” Their audiences were larger: 3,194 for the SS and 2,449 for Nazi Party.

Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.

Once we had our audience, we submitted our ad — which promoted an unrelated ProPublica news article. Within 15 minutes, Facebook approved our ad, with one change. In its approval screen, Facebook described the ad targeting category “Jew hater” as “Antysemityzm,” the Polish word for anti-Semitism. Just to make sure it was referring to the same category, we bought two additional ads using the term “Jew hater” in combination with other terms. Both times, Facebook changed the ad targeting category “Jew hater” to “Antisemityzm” in its approval.

Here is one of our approved ads from Facebook:

Screenshot of approved Facebook ad for ProPublica

A few days later, Facebook sent us the results of our campaigns. Our three ads reached 5,897 people, generating 101 clicks, and 13 “engagements” — which could be a “like” a “share” or a comment on a post.

Since we contacted Facebook, most of the anti-Semitic categories have disappeared.

Facebook spokesman Joe Osborne said that they didn’t appear to have been widely used. “We have looked at the use of these audiences and campaigns and it’s not common or widespread,” he said.

We looked for analogous advertising categories for other religions, such as “Muslim haters.” Facebook didn’t have them.

Update, Sept. 14, 2017: This story has been updated to include the Facebook spokesman's name.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Experts Say the Use of Private Email by Trump’s Voter Fraud Commission Isn’t Legal

[Editor's note: today's guest post is by the reporters at ProPublica. It is reprinted with permission.]

By Jessica Huseman, ProPublica

President Donald Trump’s voter fraud commission came under fire earlier this month when a lawsuit and media reports revealed that the commissioners were using private emails to conduct public business. Commission co-chair Kris Kobach confirmed this week that most of them continue to do so.

Experts say the commission’s email practices do not appear to comport with federal law. "The statute here is clear," said Jason R. Baron, a lawyer at Drinker Biddle and former director of litigation at the National Archives and Records Administration.

Essentially, Baron said, the commissioners have three options: 1. They can use a government email address; 2. They can use a private email address but copy every message to a government account; or 3. They can use a private email address and forward each message to a government account within 20 days. According to Baron, those are the requirements of the Presidential Records Act of 1978, which the commission must comply with under its charter.

"All written communications between or among its members involving commission business are permanent records destined to be preserved at the National Archives," said Baron. "Without specific guidance, commission members may not realize that their email communications about commission business constitute White House records."

ProPublica reviewed dozens of emails to and from members of the commission as well as written directives on records retention. The commissioners appear to have been given no instructions to use government email or copy or forward messages to a government account.

Commissioner Matthew Dunlap, the secretary of state for Maine, confirmed that he’d received no such directives. "That’s news to me," he said, when read the PRA provision governing emails. "I think it would be a little cleaner if I had a us.gov email account."

Dunlap’s account is disputed by Andrew Kossack, the executive director of the commission. Kossack said attorneys from the Government Services Administration provided training on the PRA before the commission’s first meeting on July 19. Kossack provided a copy of the PowerPoint presentation. However, the word "email" appears in only a single slide — with no mention of anything relating to the use of government email.

Notably, the commission did not receive any training in records retention until the July 19 meeting, even though the commission was formed in May and had been actively engaged in commission business.

Indeed, the commission had kicked into high gear on June 28, when it sent a letter to all 50 secretaries of state requesting publicly available voter rolls. The response was swift and negative, and commissioners began receiving a wave of messages from election officials and the public.

Despite this, the commissioners were offered no instructions then on how to preserve communications. Baron said such messages would presumptively be considered presidential records, and "the obligation to preserve such records would have arisen on day one."

In a statement, Kossack denied there is an obligation to provide commissioners with government email addresses. He maintained that the commission is required only to "preserve emails and other records related to work on commission matters, regardless of the forum on which the records are created or sent, which the commission and its members are doing."

After the commission’s most recent meeting, on Tuesday, Kobach confirmed that he plans to continue to use his personal Gmail account to conduct commission business. Using his Kansas secretary of state email address, he said, would be a "waste of state resources" as he’s acting as a private citizen on the commission and not in his role as secretary of state.

Dunlap has interpreted the requirements differently. He’s trying to ensure his state email account is used so that emails can be made available to constituents under Maine state law. Even this is a struggle, he said, asserting that commissioners continue to email him at his personal account despite multiple requests that they send email to his government account.

"I really don’t understand why they keep using my personal Gmail account instead of my official state email. But I’m saving everything!" Dunlap wrote to himself on August 7, when he forwarded a communication from the commission to his government address. He has, it appears, continued to immediately forward all emails sent to his personal address by the commission to his state address.

At ProPublica’s request, Dunlap shared every email he has received or sent relating to the commission. The majority went to personal email accounts.

At their recent meeting in New Hampshire, Kossack provided commissioners printed instructions on how to retain their own emails related to a lawsuit filed against the commission by the Lawyers Committee for Civil Rights Under Law.

Dunlap said these instructions are the only written set of instructions on records retention he recalls receiving. (The instructions leave records retention entirely to the discretion of each member of the commission, which Dunlap said concerns him.)

Past commissions with similar missions were not allowed such wide discretion. The Presidential Commission on Election Administration, formed by the Obama administration in March 2013, provided ethics and records retention training days after commissioners were nominated. Each commissioner was provided with a federal email address that automatically archived all messages. PCEA documents show extensive, specific instructions on records retention and compliance with FACA.

Richard Painter, who served as the George W. Bush administration’s chief ethics lawyer from 2005 to 2007, expressed shock that the current commission is being allowed to rely on personal email accounts (which are to be forwarded to Kossack at their discretion). "This is just sloppy," he said, adding that waiting more than two months to offer ethics training was just another sign that the Trump administration "doesn’t take ethics training seriously."

One footnote: Among the emails provided by Dunlap was a message from Carter Page, a former policy adviser to the Trump campaign who has reportedly attracted the attention of investigators probing the Russia imbroglio. Page sent an email on July 5 to three accounts associated with Kobach and cc’d Dunlap, New Hampshire Secretary of State Bill Gardner and Indiana Secretary of State Connie Lawson. In it, he implored the commission to investigate "the Obama administration’s misuse of federal resources of the Intelligence Community in their unjustified attacks on myself and other volunteers who peacefully supported [Trump’s] campaign as private citizens."

"The work of your commission offers an essential opportunity to take further steps toward helping to further restore the integrity of the American democracy following their abuses of last year," he wrote.

There is no evidence this email was forwarded to a federal email account. Page, Kossack and Kobach did not respond to requests for comment about the email.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


31 States Sent Joint Letter Demanding Equifax Provide Free Services And Better Support For Consumers

On Friday, September 15, the attorneys general in several states sent a joint letter to Equifax as a result of the credit reporting agency's response to a massive data breach affecting about 143 million persons in the United States. The participating attorneys general are concerned about the impacts and costs to consumers. They want Equifax to respond better to the needs of consumers, extend the duration of the sign-up period for breach victims, and waive the fees of certain services. Perhaps most importantly, they are concerned about Equifax benefiting unjustly due to a situation it created.

The joint letter explained:

"... Chief among the issues causing confusion and concern are the inclusion of terms of service that required consumers to waive their rights, the offer of competing fee-based and free credit monitoring services by Equifax, and the charges consumers incur for a security freeze with other credit monitoring companies like Experian, TransUnion, and Innovis.

Initially, in order to enroll in the free credit monitoring that Equifax offered to all Americans, it appeared that Equifax attached certain conditions to the offer, including mandatory arbitration, among other things. The fact that Equifax’s own conduct created the need for these services demands that they be offered to consumers without tying the offer to complicated terms of service that may require them to forgo certain rights. It was not until after urging from our offices and public condemnation that Equifax withdrew these objectionable terms from its offer of free credit monitoring.

We remain concerned that Equifax continues to market its fee-based services to consumers affected by its data breach. Consumers who view Equifax’s homepage are offered both Equifax fee-based credit monitoring services, as well as its services offered at no cost. Again, at the urging of our offices and following criticism in the media, Equifax made its offer of free credit monitoring services more prominent so that it can be more easily found by consumers. Although these changes are an improvement over the site’s original offering, which presented a much less prominent link when compared to Equifax’s fee-based offering, they do not address all of our concerns.

We believe continuing to offer consumers a fee-based service in addition to Equifax’s free monitoring services will serve to only confuse consumers who are already struggling to make decisions on how to best protect themselves in the wake of this massive breach. We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims. Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair, particularly if consumers are not sure if their information was compromised.

Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families. If there is any substantial benefit consumers can obtain by purchasing the fee-based services over the free credit monitoring, then we strongly suggest that Equifax upgrade its free credit monitoring service to provide equivalent protection. On the other hand, if the services are equivalent, then we fail to understand why Equifax continues to offer its fee-based services to those affected by the breach if equivalent services are obtainable at no cost. Either way, we request that Equifax disable links to its fee-based services until the sign-up period for the free service has ended. Additionally, the cutoff date of November 21, 2017 for consumers to avail themselves of the free services provided appears to us to be rather short-sighted and we suggest that date be extended to at least January 31, 2018.

Our offices are also receiving complaints from proactive consumers who have requested a security freeze. Although Equifax is not charging consumers a fee for its own security freeze service, these consumers are furious that they have been forced to pay for a security freeze with other companies, such as Experian and TransUnion, when this privacy breach was no fault of their own. We agree with these consumers that it is indefensible that they be forced to pay fees to fully protect themselves from the fallout of Equifax’s data breach.

Accordingly, we believe Equifax should, at a minimum, be taking steps to reimburse consumers who incur fees to completely freeze their credit..."

The participating attorneys general are from Alabama, Arizona, Connecticut, Delaware, Georgia, Hawaii, Illinois, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, North Dakota, Oklahoma, Ohio, Oregon, South Carolina, South Dakota, Pennsylvania, Virginia, West Virginia, and the District of Columbia. Read the announcement by Christopher S. Porrino, the State of New Jersey Attorney General. A copy of the joint letter is also available here (Adobe PDF).


The Equifax Breach: Several Investigations Underway

The Office of the Attorney General (AG) for the State of Nevada announced yesterday an investigation into the Equifax data breach. About 143 million persons were affected. The announcement stated:

"The breach, which took place from mid-May through July of this year, neglected to keep important personal identifying information safe and allowed hackers to access names, Social Security numbers, birth dates, addresses and even some driver’s license numbers. As a result of this breach, approximately 209,000 individuals throughout the country are estimated to have had their credit card numbers stolen."

Nevada AG Adam Paul Laxalt said:

"As a part of my commitment to safeguard the identities and personal information of Nevadans, my office will be working diligently with other states to investigate the cause of the Equifax breach... I encourage Nevadans to contact Equifax to determine whether their data was compromised, and to consider taking additional steps to protect themselves."

The statement did not mention the other states the Nevada AG's Office is working with. Residents of Nevada should read the announcement which lists specific actions consumers in that state should take to protect themselves.

The Attorney General for the State of New York announced on September 8 both an investigation into the Equifax data breach and a consumer alert:

"Under New York law, businesses with New York customers are required to inform customers and the Attorney General’s Office about security breaches that have placed personal information in jeopardy. The Attorney General’s Office investigates data breaches to determine if customers were properly notified of the breach and if the entity had appropriate safeguards in place to protect customers’ data..."

The consumer alert portion of the announcement:

"1) Check your credit reports from Equifax, Experian, and TransUnion by visiting annualcreditreport.com. Accounts or activity that you do not recognize could indicate identity theft. This is a free service; 2) Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. It will not prevent a thief from using any of your existing accounts; 3) Monitor your existing credit card and bank accounts closely for unauthorized charges. Call the credit card company or bank immediately about any charges you do not recognize; and 4) Since Social Security numbers were affected, there is risk of tax fraud. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Consider filing your taxes early and pay close attention to correspondence from the IRS."

Annulacreditreport.com is the official site for free credit reports.  The U.S. Federal Trade Commission (FTC) issued new rules in 2010 which addressed consumer confusion in the marketplace about sites offering free credit reports. When using unofficial sites, some consumers found the "free" credit reports weren't truly free because they included expensive subscriptions to credit monitoring services.

On September 11, the New York AG's issued a warning about cyber attacks resulting from the Equifax breach:

"In addition to taking measures to protect their credit cards and bank accounts, New Yorkers should also think twice before clicking on any suspicious [e-mail] links claiming to be from Equifax or financial institutions... Hackers are resourceful criminals who are constantly looking to exploit any vulnerabilities... New Yorkers should be on the lookout for these possible attacks: a) Phishing emails that claim to be from Equifax where you can check if your data was compromised; b) Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information; c) Calls from scammers that claim they are from your bank or credit union..."

Also, the Los Angeles Times confirmed an investigation by the U.S. Federal Trade Commission (FTC):

"The FTC’s disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country."

The news report cited comments by Peter Kaplan, the agency’s acting director of public affairs. So far, little is known which aspects of the breach the FTC is investigating.

No doubt, there is more news to come.


What Sources Do You Use For Balanced, Unbiased News?

A friend asked the following on the Facebook social networking site:

"Who would you consider to be the most balanced, bi-partisan or "fair" news source for American politics?"

My response: there is no single, balanced source. There are no shortcuts. It takes time and effort to stay informed.

There's no substitute for consumers actively reading a variety of sources. I read news wires (Associated Press (AP), United Press International (UPI), Reuters, McClatchy DC), some "left" leaning sources (e.g., The New York Times, National Public Radio, Slate), some "right" leaning sources (e.g., Fox News, Breitbart News), and foreign sources (e.g., BBC, Guardian UK).

For news about a specific federal, state, or local government agency I visit that agency's website: Federal Trade Commission (FTC), Federal Communications Commission (FCC), Department of Justice (DOJ), Securities & Exchange Commission (SEC), Consumer Financial Protection Bureau (CFPB), Department of Labor (DOL), and the attorney general in each state.

One needs a variety of news sources in order to maintain a WORLD view... and not a myopic USA-only view... and not a myopic view slanted by a political party. With so much free content online, there is no excuse for consumers to read a variety of sources.

A key problem I often see in sites claiming to be news sites: video content without accompanying transcripts.. This is poor reporting for several reasons. First, transcripts provide readers with the opportunity to fact check, check spelling, and follow embedded links to learn more. Some might call that critical thinking. I view sites which fail to provide transcripts with video as untrustworthy.

Second, the lack of transcripts favors sighted readers. Some online users have disabilities (e.g., blind, hearing loss). The lack of video transcripts makes it difficult to impossible for them to consume this content. Maybe this is a by-product of the "mobile first design" strategy with website development. Or maybe it is plain laziness. Regardless, it's unacceptable.

I found it somewhat unsettling that the person asking this question used "who" instead of "what." That may imply a personality-driven or celebrity-focused view of news sources.

What do you think? What do you read?


Equifax Data Breach: 11 Reasons Why It Is Worse Than You Think

Equifax logo Equifax, one of the three major credit reporting agencies, announced on September 7 a massive data breach where criminals accessed the company's computer systems. How bad is it? It is instructive to analyze the text of Equifax's breach announcement:

"... a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."

First, this is huge. Do the math 143 million persons is about 44 percent of the United States population of 325 million on July 4, 2017. So, almost half of the population was affected. Not good. But, there's more to this than size.

Second, the announcement stated "approximately." So, the true number could be lower or higher. The vagueness suggests that Equifax doesn't really know exactly how many consumers were affected. Not good. And, other details support this assumption that Equifax really doesn't know.

Third, the announcement stated "accessed." During the 10+ years I've written this blog, I've read dozens or hundreds of breach announcements. Many use this term. While the term may accurately describe what's Equifax knows, it also can be misleading. Criminals don't access companies' systems simply to window-shop or read files. They access systems to download and steal valuable information they can either use to make money, or resell to others. It's what online criminals do.

Fourth, the data elements accessed stolen allow criminals to do a lot of damage. That might include: a) obtain fraudulent loans or credit in breach victims' names; b) impersonate breach victims (it's called pretexting) to access online accounts; c) with online access withdraw money from victims' bank accounts; and much more. With online access, criminals can change passwords and take over victims' accounts effectively locking out victims.

Fifth, the breach investigation isn't finished:

"Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks."

The announcement didn't state when Equifax expected the investigation to be finished. Days? Weeks? Months? Not good.

Equifax hired an outside, independent technology firm to investigate its breach. That's what companies usually do during their post-breach response. This tiny bit of good news is quickly overshadowed by the bad. Without a completed breach investigation, Equifax can't really know whether the breach was caused by a technical systems problem, employee error, management oversight lapses, a sloppy or incompetent subcontractor, something else, or a combination of items. Only after a completed breach investigation can Equifax implement one or several fixes so this won't happen again. Not good.

Sixth, without knowing how criminals accessed their systems it is unlikely Equifax also can't know with certainty what data elements about consumers were stolen. More data elements could have been stolen, perhaps entire credit reports. Not good.

Seventh, it seems that Equifax's intrusion detection systems failed. Just look at the timeline. The breach started in mid-May and Equifax discovered it near the end of July. So, criminals had at least 2 full months to steal whatever they could find. Not good. Plus, after discovering the breach it would take Equifax another 5 weeks later to announce it. Why the delays? The breach announcement doesn't explain why. Not good.

Eighth, Equifax seems to take shortcuts with its breach notification:

"Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."

Setting up a website to convey breach updates to consumers is a good thing, but using the site to notify consumers about the breach is not good for two reasons: a) the site requires consumers to enter many of the same sensitive, valuable data elements criminals want to steal; and b) it forces consumers to trust that the breach site is secure, when we know that the breach investigation is incomplete. This is a breach notification failure.

In the 10+ years I've written this blog, trustworthy companies notify breach victims via postal mail. Why won't Equifax notify all breach victims directly via postal mail? It has consumers' residential addresses in its databases. (That is a benefit for its lending customers.) So, the lack of data is not an excuse. Plus, the credit reporting agency is willing to notify some consumers directly:

"In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

Rather than notify all breach victims directly, Equifax seems to want to take shortcuts. Maybe it is to save money, laziness, or poor decisions by its executives. The announcement doesn't explain why, so consumers are left to draw their own conclusions. Not good.

Ninth, technologists have questioned the security of Equifax's new breach site. Ars Technica reported:

"... the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details..."

Reportedly, the domain name registration problem was fixed on Sunday. Still, Equifax's post-breach response appears amateurish. Meanwhile, data security problems persisted in its main website. According to Ars Technica:

"... in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So, Equifax hasn't completed its breach investigation, doesn't know how its systems were hacked, has vulnerabilities in its main site, but wants consumers to trust that its breach site is secure. Not good.

Tenth, the Equifax announcement promoted its credit monitoring service (emphasis added):

"Equifax has established a dedicated website... to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year."

One year? Are Equifax executives serious? Stolen consumers' credentials don't magically lose value after one year. Criminals will use stolen credentials (e.g., name, address, Social Security Number, birth date, etc.) as long as they can. Criminals will resell stolen data to other criminals as long as the data has value. In my opinion, Equifax should provide complimentary lifetime credit monitoring indefinitely to all breach victims.

Why lifetime? Because the data elements accessed stolen have ongoing value. The cynical part of me wonders if some finance executives have done the math. As long as credit reporting agency executives believe that one year of free credit monitoring will appease breach victims, it's cheaper to pay that cost (plus a few out-of-court settlements), rather than implement more robust data security.

Eleventh, there is a history of questionable decisions by Equifax executives. In 2007, it paid a $2.7 million fine for violating federal credit laws. In 2009, it paid a $65,000 fine to the state of Indiana for violating the state's security freeze law. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations of improper list sales. Earlier this year, Equifax and TransUnion paid $23.1 million to settle allegations of deceptive advertising about credit scores.

This history provides some context to news reports that three Equifax executives sold about $1.8 million in stock after the breach was discovered and before the public breach announcement. Equifax stock fell about 13 percent after the breach announcement. The company said on Thursday that these executives didn't know about the intrusion when they sold shares. Even if true, the optics of this look absolutely terrible.

The whole sordid affair should be a reminder to consumers that we are the product. Credit reporting agencies' true customers are lenders - the companies that lend money and make loans to consumers. Equifax makes its money selling credit reports to lenders.

What to make of this? I see several considerations for consumers:

  1. Assume the worst. Every time you hear or read the word "accessed" by Equifax, replace it with "stolen." Then, make your data security decisions accordingly.
  2. If you don't trust the security of Equifax's breach site, then call the company instead via the hotline listed in the breach announcement (preferably using a landline phone) to see if you are affected.
  3. Carefully consider the advantages and disadvantages of Equifax's offer of free credit monitoring and identity theft protection. Equifax has been criticized for forcing arbitration on consumers who accept the free credit monitoring offer. In a September 11th update in its breach site, Equifax reversed course and said the arbitration clause and class-action waiver don't apply in this incident. Regardless, read the fine print before signing up. They may try to re-insert it later. If you don't know what it is, learn about arbitration. A variety of companies have inserted these clauses into their user agreements policies. You'll need to learn about arbitration anyway in order to make informed purchase decisions about other products and services.
  4. If you don't need credit, consider a Security Freeze to lock down your Equifax credit reports. Then, Equifax can't sell your credit report to lenders. You can do this at all three major credit reporting agencies. I did this several years ago after a data breach by a former employer. Know that a Security Freeze is not a cure-all, since it won't stop data breaches and it won't stop all forms of identity theft and fraud. To learn more, this blog has plenty of information about credit reporting agencies, credit monitoring services, fraud alerts for your credit reports, and security freezes.
  5. If you dislike Equifax's post-breach response, then contact your elected officials and demand that they pressure Equifax to do the right thing: a) notify all breach victims directly via postal mail; and b) implement better data security.
  6. Equifax's post-breach response makes me question whether the company is really up to the data security task -- it's responsibility -- to adequately protect consumers' sensitive information. All credit reporting agencies are high-value targets by criminals. If Equifax's executives didn't understand this before, they should now -- and take actions to demonstrate to consumers they realize the seriousness of the breach. Words are not enough.
  7. Consumers lack choices. Citizens cannot opt in nor opt out of the data collection by credit reporting agencies. (Consumers can opt out of pre-approved credit offers, but can't opt out of the data collection. There's a difference.) Also, the Equifax breach highlights the hypocrisy of pundits and politicians who object to the mandate within Obamacare (e.g., the Affordable Care Act) legislation -- some called it socialism -- while remaining remain silent about a similarly socialistic mandate with credit reporting.

While writing a post recently about misdeeds at Wells Fargo, I asked the question: "How much damage can one bank do?" Now, I find myself asking a similar question about Equifax: "How much damage can one company do?" Credit and lending are essential to the United States economy. In my opinion, all credit reporting agencies should have NSA-level data security for their networks and computer systems. The data they archive is that critical.

And: if you can't protect it, don't collect it. It's that simple.

As more issues emerge about this breach, I will address them in subsequent posts. What are your opinions of the Equifax breach? Did you lock down your credit reports with a Security Freeze?


What We Know -- And Don't Know -- About Hate Crimes in America

[Editor's Note: today's guest blog post explores the problem of hate crimes. Recent surveys about harassment found that what happens online often doesn't stay online. Hopefully, future reports by ProPublica will explore the linkages. Today's blog post is reprinted with permission.]

By Rachel Glickhouse, ProPublica

"Go home. We need Americans here!" white supremacist Jeremy Joseph Christian yelled at two black women -- one wearing a hijab -- on a train in Portland, Oregon, in May. According to news reports, when several commuters tried to intervene, he went on a rampage, stabbing three people. Two of them died.

If the fatal stabbing was the worst racist attack in Portland this year, it was by no means the only one. In March, Buzzfeed reported on hate incidents in Oregon and the state's long history as a haven for white supremacists. Some of the incidents they found were gathered by Documenting Hate, a collaborative journalism project we launched earlier this year.

Documenting Hate is an attempt to overcome the inadequate data collection on hate crimes and bias incidents in America. We've been compiling incident reports from civil-rights groups, as well as news reports, social media and law enforcement records. We've also asked people to tell us their personal stories of witnessing or being the victim of hate.

It's been about six months since the project launched. Since then, we've been joined by more than 100 newsrooms around the country. Together, we're verifying the incidents that have been reported to us -- and telling people's stories.

We've received thousands of reports, with more coming every day. They come from cities big and small, and from states blue and red. People have reported hate incidents from every part of their communities: in schools, on the road, at private businesses, in the workplace. ProPublica and our partners have produced more than 50 stories using the tips from the database, from New York to Seattle, Minneapolis to Phoenix. Some examples:

Univision, HuffPost, and The New York Times opinion section identified a common thread in the reports we've received in which people of color are harassed "Go back to your country." This type of harassment affects both immigrants and U.S. citizens alike, reporters found.

Several stories published by our partners focused on racial harassment on public transportation, using tips to illustrate something officials were also seeing. The New York City Commission on Human Rights observed a 480 percent increase in claims of discriminatory harassment between 2015 and 2016, according to The New York Times Opinion section. The Massachusetts Bay Transportation Authority recorded 24 cases of offensive graffiti through April, compared to 35 in all of last year, the Boston Globe found. Univision covered multiple incidents involving Latinos targeted in incidents on the New York City subway.

Combing through our database, Buzzfeed discovered there were dozens of reported incidents in K-12 schools in which students cited President Donald Trump's name or slogans to harass minority classmates. This echoed a pattern Univision had reported on: In November, the Teaching Tolerance project at the Southern Poverty Law Center received more than 10,000 responses to an educator survey indicating an uptick in anti-Semitic, anti-Muslim and anti-immigrant activity in schools.

Our local partners reported on how hate incidents affect communities across the country: anti-Semitic graffiti in Phoenix, Islamophobia in Minneapolis, racist vandalism and homophobic threats in Seattle, white supremacist activity at a California university, racist harassment and vandalism in Boston, racism in the workplace in New Orleans, and hate incidents throughout Florida.

There are a few questions for which answers continue to elude us: How many hate crimes happen each year, and why is the record keeping so inadequate?

The FBI, which is required to track hate crimes, counts between 5,000 and 6,000 of them annually. But the Bureau of Justice Statistics estimates the total is closer to 250,000. One explanation for the gap is that many victims -- more than half, according to a recent estimate -- don't report what happened to them to police.

Even if they do, law enforcement agencies aren't all required to report to the FBI, meaning their reports might never make it into the national tally. The federal government is hardly a model of best practices; many federal agencies don't report their data, either -- even though they're legally required to do so.

We'll spend the next six months continuing to tackle these questions and more. And we and our partners will keep working our way through the tips in our database, telling people's stories and doing our best to understand what's happening.

There are ways that you can help us move the project forward:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Wells Fargo: 1.4 Million More Fake Accounts Found By Latest Investigation

Wells Fargo logo Just before the long holiday weekend, Wells Fargo Bank announced in an August 31 news release the latest results of a third-party investigation into its retail bank account practices since 2009:

"The original account analysis reviewed 93.5 million current and former customer accounts opened in an approximately four and half year time period – from May 2011 through mid-2015 – and identified approximately 2.1 million potentially unauthorized accounts. The expanded analysis reviewed more than 165 million retail banking accounts opened over a nearly eight-year period – from January 2009 through September 2016 – and identified a new total of approximately 3.5 million potentially unauthorized consumer and small business accounts... In connection with these 3.5 million potentially unauthorized accounts, approximately 190,000 accounts incurred fees and charges, up from 130,000 previously identified accounts that incurred fees and charges, and Wells Fargo will provide a total of $2.8 million in additional refunds and credits on top of the $3.3 million previously refunded as a result of the original account review... a review of online bill pay services, as required by the Sept. 8, 2016, consent orders... the analysis identified approximately 528,000 potentially unauthorized online bill pay enrollments and Wells Fargo will refund $910,000 to customers who incurred fees or charges. "

To summarize: the latest investigation went two years further back in time, found about 1.4 million more phony accounts, found more customers affected by unauthorized bank accounts, and found possibly more phony online bill-pay enrollments. In a settlement agreement last year with the Consumer Financial Protection Bureau (CFPB), Wells Fargo paid a $185 million fine last year for alleged unlawful sales practices with the number of phony accounts known then.

Of course, the bank tried a different spin in its news release about the investigation's findings:

"... the completion of its previously announced expanded third-party review of retail banking accounts dating back to the beginning of 2009. Combined with a recent class action settlement and ongoing broad customer outreach and complaint resolution, the completion of the analysis further paves the way for making things right for Wells Fargo customers who may have been harmed by unacceptable retail sales practices."

Yeah, right. That sounds like some wayward teenager wanting praise for providing a complete list of damage to the family car which they didn't have permission nor a license to drive in the first place.

Much of Wall Street has seen through the spin. Some financial experts advise investors to sell Well Fargo shares and buy other banks' shares instead. One of the world's largest fund managers withheld support for three of the bank's directors. Some news headlines focused on the growing estimate of phony accounts uncovered. MSN Money listed reasons why the bank may not survive the growing scandal.

There is plenty of bad news. The Los Angels Times reported a lawsuit by former bank executives who claimed they were scapegoated and fired earlier this year after reporting unethical sales practices. News reports broke earlier this month about alleged insurance abuses of the bank's auto-loan customers.

Well, we now know more about the bank's retail banking practices. The latest announcement makes one wonder, a) how much damage one bank can do, and b) how many more phony accounts would have been uncovered if the investigation started before 2009. What are your opinions?


The Consequences From Unchecked Development Without Zoning Laws

While there has been plenty of news about hurricane Harvey and the flood in Houston, there hasn't been much news about an important, related issue which affects all taxpayers. This report by the QZ site highlights the consequences of unchecked development while ignoring environmental concerns:

"... Houstonians have been treating its wetlands as stinky, mosquito-infested blots in need of drainage. Even after it became a widely accepted scientific fact that wetlands can soak up large amounts of flood water, the city continued to pave over them. The watershed of the White Oak Bayou river, which includes much of northwest Houston, is a case in point. From 1992 to 2010, this area lost more than 70% of its wetlands, according to research (pdf) by Texas A&M University."

Unchecked development affects all taxpayers when federal bailout money is spent to repair the damage in areas subject to repeated, frequent floods:

"... the flooding caused by Hurricane Harvey has raised water levels in some parts of the watershed high enough to completely cover a Cadillac. The vanished wetlands wouldn’t have prevented flooding, but they would have made it less painful, experts say. The Harvey-wrought devastation is just the latest example of the consequences of Houston’s gung-ho approach to development. The city, the largest in the US with no zoning laws, is a case study in limiting government regulations and favoring growth—often at the expense of the environment. As water swamps many of its neighborhoods, it’s now also a cautionary tale of sidelining science and plain common sense..."

The consequences from lax laws favoring unchecked development:

"Wetland loss... The construction of flood-prone buildings in flood plains is another one: The elderly residents of La Vita Bella, a nursing home in Dickinson, east of Houston, were up to their waists in water before they got rescued. The home is within the Federal Emergency Management Agency’s (FEMA) designated flood zone... too few people have flood insurance. Although federal rules require certain homeowners to carry it, those rules are based on outdated flood data. Only a little over a quarter of the homes in “high risk” areas in Harris County, where Houston sits, have flood insurance."

So, not everyone who should be is paying their fair share (via flood insurance). And, it seems that things will get worse. All of the above was:

"... before [President] Trump came into office and started removing layers of regulation. Just 10 days before Harvey struck, the president signed an executive order that rescinded federal flood protection standards put in place by his predecessor, Barack Obama. FEMA and the US Housing and Urban Development Department, the two federal agencies that will handle most of the huge pile of cash expected for the rebuilding of Houston, would have been forced to require any rebuilding to confirm to new, safer codes. Now, they won’t."

Lax laws allowing the repair and construction of new buildings in high-risk areas subject to repeated flooding sounds foolish. It's basically throwing taxpayers' hard-earned money out the window. Do you want to pay for this? I don't. A few local developers may get rich, but at the expense of taxpayers nationwide.

There are always consequences -- intended and unintended. Be sure to demand that your elected officials consider and understand them.


Neighbor Spoofing: What It Is And The Best Way To Stop It

A friend recently posted on social media:

"I get five to seven phone calls daily from a 617-388-(random) number. I keep blocking them but new ones keep calling. My number is a 617-388- number. I've called a few back and they're actually people's personal mobile numbers. What is going on?! Anyone know how to stop it?"

This is neighbor spoofing... where robocallers pretend to be neighbors with familiar looking phone numbers. NPR explained neighbor spoofing is:

"... when callers disguise their real phone numbers with a fake phone number that has the same area code and prefix as yours. The idea is you might be more likely to pick up because maybe you're thinking, this call could be my neighbor or my kid's school, someone I know... Even the chairman of the Federal Communications Commission, Ajit Pai, cannot escape... The calls have gotten so aggravating to Pai, he is doubling down and making the fight against spoofers a top priority for the FCC. Robocalls and telemarketers are the No. 1 complaint the agency gets from the public. New technology has made spoofing easier to do and harder to detect. Last year, people received about 2.5 billion robocalls every month...this spring, the FCC started investigating ways to let phone carriers block calls from spoofers..."

The best solution is a system where phone companies authenticate callers. That would stop or block neighbor spoofing. Until then, the FCC is using deterrence. Back in June, the FCC proposed a $120 million fine against a habitual robocall scammer, Adrian Abramovich, based in Florida:

"Over the course of several years, Abramovich's companies disrupted emergency services, bilked vulnerable consumers out of thousands of dollars and hurt legitimate businesses, the FCC contends... TripAdvisor was deluged by consumer complaints about robocalls that the company had not initiated or authorized. After conducting an internal investigation, TripAdvisor determined that the offending calls were linked to a Mexican hotel and resort chain that had contracted with Abramovich for advertising services."

Consumers interested in something they could do might consider Nomorobo, which works (landline or mobile) with many service providers. Users of Apple and Andorid OS phones might investigate Hiya. Windows and BlackBerry phone users can check the CTIA Wireless Association's guide for free (or low-cost) mobile apps to block robocalls.

Robocalls from schools, physicians, airlines, and law enforcement are helpful, while robocalls from scammers aren't. The best solution -- true authentication -- can't come fast enough. Consumers and businesses are suffering.

While I don't wish anything bad on anyone, I am happy that FCC Chairmann Pai is also directly feeling the pain. Perhaps, now he knows how consumers feel. The loss of broadband privacy and Pai's push to kill net neutrality annoy consumers almost as much as neighbor spoofing.