Equifax takes down web page after reports of new hack

(reuters.com)

240 points | by SirLJ 2359 days ago

15 comments

  • Posibyte 2359 days ago
    I feel like this has to do with Equifax basically not being punished in any major way over the last breach. Their stocks are still priced reasonably well, most of their board is still intact, and US citizens are still required to work with them for credit reasons.

    And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them." And if anybody has suggestions on that, I'm totally open, because if Equifax was a dripping faucet, they'd be flooding the house by now.

    • rdtsc 2359 days ago
      > Their stocks are still priced reasonably well,

      Exactly. And everyone is watching and learning a lesson from it - "If this goes unpunished, heck, we can get away with it too, screw all the security mumbo jumbo"

      In an investing and finance forum I saw people were gearing up to buy Equifax after the breach was announced. The idea was that price would dip then it would go back up. Maybe enough people did that.

      • ModernMech 2359 days ago
        If that's the case, it seems like the executives at Equifax who were dumping stock after they learned of the breach (but before it was reported) were jumping the gun. They should have just held on to it!

        "Three senior executives including the company’s chief financial officer sold $1.8 million in shares three days after the company learned on July 29 hackers had breached personal data for up to 143 million Americans."

        http://fortune.com/2017/09/29/equifax-board-executive-stock-...

        • astura 2359 days ago
          That's short sighted - how you make money is sell when high, buy when low.

          So you sell right before the dip and then buy again at the bottom of the dip. They knew there was going to be a dip.

          • leggomylibro 2359 days ago
            Unfortunately, the SEC might notice if those executives sold a bunch of shares on insider info, quit, and then bought more shares after the crash.

            I guess they probably wouldn't do anything, but they might notice.

            • astura 2359 days ago
              They absolutely should notice and investigate (and I think they are) even the initial sale, I don't see how that's not insider trading.
              • leggomylibro 2359 days ago
                It pretty clearly is, I just mean that in reality that sort of thing isn't going to be prosecuted or pursued.
                • poooogles 2359 days ago
                  That is incorrect. The SEC regularly pursue people for insider trading [1]. It's one of the things that's normally pretty clear cut and hard for politicians to lean on.

                  1. https://www.sec.gov/news/pressrelease/2016-212.html

                  • leggomylibro 2359 days ago
                    I guess I'm just getting jaded about the scale; when you reach a certain dollar amount, there don't seem to be consequences at all. I'm sure I would get busted for insider trading if I tried it, but my company's CEO damned sure wouldn't.

                    Not that it'd be easy since you have to schedule big sales like that with the feds in the first place, but I mean...come on. The sheer blatancy.

      • Simulacra 2359 days ago
        Stock price seems to be the driving factor for corporate change in America. Until that price dips, or tanks, companies appear to use that as a barometer of their behavior.
      • fny 2359 days ago
        How are their stocks priced reasonably well? They lost almost 1/3 of their value after the hack.
        • astura 2359 days ago
          Still over $100 a share.
          • nodesocket 2359 days ago
            Absolute price has nothing to do with company value. For example BRK.A is $279,383.00 a share.
            • nhhehewr7 2359 days ago
              I read it as "stock should be 0, as they should be shutdown."

              But please, do explain economics for us. We really need to hear about markets again. #coolmemebro

      • baby 2359 days ago
        > The idea was that price would dip then it would go back up. Maybe enough people did that.

        It's always the idea, unfortunately you can never predict if it's going to bounce enough to go back up hard, or if it's going to bounce and go down again deep...

    • rgbrenner 2359 days ago
      freeze your credit report with Equifax, and then if any company requests it, they'll be denied (because you have to request it be unfrozen for them to receive it).

      If any company uses Equifax, you'll then be denied credit or they'll ask you to unfreeze it.. either way, you can complain to them, and make it clear you won't work with Equifax.

      Of course, in practice, this will mean you'll get denied credit from any company that has a contract with Equifax.

      • StanislavPetrov 2359 days ago
        Unfortunately you have no way to protect your tax returns from Equifax, which now has a contract with the IRS thanks to the infinite wisdom of our government.

        http://fortune.com/2017/10/04/equifax-irs-contract-hackers/

        • bogomipz 2359 days ago
          From your link:

          >"The Internal Revenue Service signed a $7.25 million contract with Equifax last month. The no-bid contract, first reported by Politico, is for Equifax to provide the IRS with taxpayer and personal identity verification services. The contract stated that Equifax (EFX, -1.34%) was the only company capable of providing these services to the IRS, and it was deemed a “critical” service that couldn’t lapse."

          The IRS in the US needs Equifax to provide tax payer and verification services? Seriously what does that even mean? The IRS bas no other way to verify citizens?

          • bald 2359 days ago
            AFAIK in the US, you're not required to check in with local authorities when you move to a new city (contrary to many European countries where you need to notify them, else you'll be fined), so there's no official register the IRS could use to find all taxpayers... maybe that's the background.
            • bogomipz 2359 days ago
              The IRS can use the previous year's filing address for all tax payers. They should be able to use the US Post Office to get address updates.

              In the US people generally file a change of address when they move in order to automatically receive mail at their new address.

              The fact that the IRS granted Equifax a 7 million dollar contract amounts to the US tax payer paying Equifax to put their identity at risk and cause them harm. It really boggles the mind.

              • kevin_thibedeau 2359 days ago
                USPS address forwarding is only good for six months.
                • bogomipz 2358 days ago
                  The point is not how long mail forwarding is good for but rather the USPS already has up to date mailing address information for US citizens.

                  If the IRS is using Equifax for proper address verification as the OP states, then that information is already available via the USPS which is a government agency with real oversight.

          • trhway 2359 days ago
            I'd guess it is just outsourcing of a government function, you know as a way to save taxpayers money and increase government efficiency ... like those private prisons, private torturers, private plutonium processors, etc.
          • Terretta 2359 days ago
            This is for something like the security questions when you reset your password except based on your financial records.

              - Do you recognize this street name?
              - Have you bought from this store?
              - How many mortgages did you co-sign?
            
            Answering a set of these “knowledge” based questions is considered statistically probable proof that you’re you.
            • sneak 2359 days ago
              They’re derived from public records. Anyone who wants to hire the staff for legwork and pay all the individual municipalities for access can compile the same database.
            • bogomipz 2359 days ago
              But why would this any better or more effective than asking someone to verify information on their previous years tax filings such as specific line items etc?
        • geofft 2359 days ago
          This contract is a renewal of a previous contract with Equifax (which is why it was a "critical service that couldn't lapse"), and it involves Equifax giving data to the IRS, not the IRS giving your tax returns to Equifax.
          • StanislavPetrov 2359 days ago
            The IRS is most certainly giving Equifax data or they wouldn't have sent inspectors there to verify the integrity of IRS data.

            >Chief information officer Girza said the IRS sent inspectors to make sure no IRS data was compromised in the Equifax breach

            http://www.snopes.com/2017/10/05/equifax-contract-irs/

            • geofft 2359 days ago
              That is nowhere close to evidence that Equifax had tax returns.
          • bloaf 2359 days ago
            So I wonder what would happen if the IRS attempted to Eminent Domain-ify the data they needed.
          • jlarocco 2359 days ago
            Meanwhile, thanks to Equifax's amazing security, everybody else can get the same data for free ;-)
      • djb_hackernews 2359 days ago
        Doesn't this require you to trust Equifax to enforce and honor the freeze? I think the solution is "I don't want my report or any of my data in any sort of control or possession of Equifax". Where is that solution?
        • munin 2359 days ago
          What is "your data" exactly? And in the limit, how far does this go?

          Here's a question: who owns your drivers license? Here's a hint: it isn't you. Can you "own" you mailing address? Copyright and trademark it, make everyone ask permission from you before they write it down? What about your salary? Should your employer have to ask every time they use your salary number in some way, say in aggregate statistics or reporting?

          What about information about how you interact with your credit card company? Who owns that, you, or the credit card company? Do the two of you have some kind of joint ownership?

          We've made some of these decisions about health data and it has far-reaching consequences, some of them undesirable. It's also been very difficult to enforce. Do you want to extend that kind of regime to every piece of information about a person? Society might grind to a halt, we would be inundated with virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?" And what process would mediate this access control anyway, and how would we trust it?

          • pathseeker 2359 days ago
            >virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?"

            I would grant the landlord access to contact me while I still have a business relationship with her.

            This dire scenario you are trying to paint frankly doesn't sound that bad. I don't need a company to know my entire life's history to exploit my past to deliver a targeted ad.

          • code_duck 2359 days ago
            As far as copyright, small snippets of information or sentence fragments are not copyrightable, but collections of data are.

            >Society might grind to a halt, we would be inundated with virtual and physical pop-ups asking "your landlord wants access to your phone number to place a call to you, will you allow it?"

            That is how messaging works on many newer systems like Facebook or Instagram, and people appear to find that level of control desirable, not annoying. The only reason the phone system works with public numeric IDs that anyone can dial is that whole thing is a relic from 50 years ago.

          • donogh 2358 days ago
            If you're curious about the future of privacy, while flawed in some ways, the GDPR (General Data Protection Regulation) comes into effect in the EU next May. Here's their definition of personal data [1]:

              "Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances."
            
            And then we have this:

              "Right to change or remove your details
            
              If you discover that a data controller has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details.
            
              Similarly, if you feel that the organisation or person does not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details.
            
              In both cases, you can write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, the organisation must do as you ask or explain why they will not do so."
            
            It's true that enforcement is difficult -- I imagine it'll be more reactive than proactive. That said, a breach is handled quite well, assuming the law is enforced:

            https://www.dataprotection.ie/docs/Data-Security-Breach-Code...

            The GDPR is a solid step in the right direction, and a model for a better approach to privacy.

            [1] https://www.dataprotection.ie/docs/A-guide-to-your-rights-Pl...

          • mattnewton 2359 days ago
            The issue is that I am responsible for people using this data, but don’t own it like you mentioned. If the banks were responsible for giving out fraudulent loans and there was an easier way to prove that they were fradualent without this PI, then I wouldn’t care. But I have to care right now.
          • mulmen 2359 days ago
            "My data" is data about me because without me it wouldn't exist.
            • TeMPOraL 2358 days ago
              And this is my comment, which wouldn't exist without me, and I don't give you permission to read, link to, or reproduce it.
              • mulmen 2357 days ago
                Except you have a choice to leave a comment where I don't have a practical choice to not give my information to a credit agency.
            • nightski 2359 days ago
              You can essentially opt out. Just never apply for credit in your life. Good luck.

              At the end of the day you do consent to this through participating in the banking/credit system.

              While the data may not exist without you, you are not the one recording it. Why does it not make sense to assign ownership to the one recording/creating the data in the first place?

              • Spivak 2359 days ago
                You consent to X when you do Y, where Y is not explicitly consenting to X, is not a valid argument.
                • hacking_again 2358 days ago
                  It's valid if X is having your picture taken and Y is being in public.
                  • Spivak 2358 days ago
                    I agree that people make themselves vulnerable to someone taking their picture by going outside, but I strongly disagree that people consent to having their picture taken.
                    • hacking_again 2358 days ago
                      Well, maybe it's more accurate to say that it's impossible to consent because no consent is required to take someone's picture in public. People generally exercise control by choosing not to be in public. You could say that having your picture taken is part of the terms of service of using public space. When you agree to something, you also agree to all of the consequences. Just because they are implicit doesn't make them invalid.

                      Don't get me wrong, I don't particularly like having my picture taken without my explicit consent. In the end, consent is all rather arbitrary because it's not like you can choose not to live in human society on Earth.

              • mulmen 2359 days ago
                Because I am the one carrying the risk, not the people collecting the data.
      • nodesocket 2359 days ago
        Freezing your credit can come back to bite you if you'd like to buy a house, lease an apartment, buy a car, or open a new credit card within the next 6 months.
        • yorwba 2359 days ago
          Only if you aren't willing to save the money for that up front. Of course most people prefer to get the stuff they want when they want it instead of when they can afford it (and going from renter to owner paying a mortgage does tend to be cheaper), but if you really wanted to, you could live without credit.
      • toomuchtodo 2359 days ago
        I submitted a complaint to the CFPB requiring [1] Equifax to remove my credit record, due to their proven incompetence at protecting that data (citing their breech, several congresspeople grilling their CEO on CSPAN, etc). Its been 9 days and I haven't heard back from the CFPB yet (Equifax has 15 days to respond and up to 60 days to provide a final response), but Equifax has my complaint and even if it goes nowhere, it gives me something to hand over to Elizabeth Warren's office to show I have no control over my personal data and I have no control over having it removed regardless of how incompetent Equifax is.

        Fingers crossed someone with Equifax's data dump starts dumping the data of Equifax senior management.

        [1] Hat tip to patio11 on the language; don't use "I demand", professionals use "I require"

        • KGIII 2359 days ago
          As for verbiage, you may want try the phrase you later used in a follow up post. It's not really your personal data. After all, it was data from an interaction with another entity which makes it their data as well.

          So, personally identifiable information (PII) is a less-debatable phrase and more legally defensible.

          In the first case, if you do business with a bank then the data from that belongs to the bank as much as it belongs to you. They are reporting their information, namely that you interacted with them. Thus, that information would belong to them.

          In the second case, it is personally identifiable information - which is something that's difficult to dispute. This also gives you interest in that data which is a stronger point to stand on.

          As mentioned before, I am not a lawyer and this is not legal advice. However, I have extensive experience with the justice system due to my career and have taken quite a few classes concerning the law.

          Also, the word 'shall' has stronger implications than 'will.' I am not sure why but it is handy to know. The defendant will comply vs. the defendant shall comply.

          Best of luck.

        • simcop2387 2359 days ago
          Do you have more information on how to do this? I'm thinking that doing the same thing makes sense going forward.
      • astura 2359 days ago
        That's not quite how credit freezes work, if they pull Equifax and only that bureau is frozen then they will usually just pull from another credit bureau. People who churn credit cards use this to their advantage - they often freeze the report with the most recent inquiries (usually Experian) to spread out inquiries more evenly over the three bureaus. I've never heard of anyone getting flat out denied for credit (besides mortgages) because they had a single bureau frozen. Sometimes it requires a phone call but usually its just automatic.

        You also can't prevent them from reporting information about you to Equifax.

        Anyways, you aren't really hurting anyone by denying yourself the ability to get credit, you're only hurting yourself.

        • rgbrenner 2359 days ago
          Remember, these companies are paying Equifax for your credit report.

          The point isnt to prevent any credit reporting.. but to prevent equifax specifically from earning money.

          And no one is "denying themselves the ability to get credit" by refusing to unfreeze an equifax report. If the lender doesn't want to use one of the other credit agencies, then most people can find another lender. Those businesses need to know they'll lose business as long as theyre loyal to equifax.

          It is unfortunate we don't have more leverage... this does leave a lot of avenues open for Equifax to continue making money. But every bit helps.

          • astura 2359 days ago
            > If the lender doesn't want to use one of the other credit agencies, then most people can find another lender. Those businesses need to know they'll lose business as long as theyre loyal to equifax

            lol, yeah, good luck with that when you go to get a mortgage.

            Mortgage lenders pull all 3 reports, not just one. There is a ton of laws around mortgage underwriting that need to be followed. They technically may be able to underwrite a mortgage with only two credit reports but I doubt any mortgage lender actually will or if they did they'd be charging outlandish interest rates. If you're hiding a report they will assume its because you're hiding something negative that's on the report.

            Things don't work like you would like in the real world, only in theory. You are delusional if you believe Chase having to pull Experian instead of Equifax once every million credit applications is going to somehow effect Equifax's bottom line.

            If your landlord uses a background checking service that uses Equifax and the background check service comes back with "frozen report" and you say "I demand you use a different background checking service that doesn't use Equifax" then your landlord is just going to say lol and rent to the person who isn't being extremely difficult, as its a sign you're going to be a difficult tenant.

    • code_duck 2359 days ago
      For this new issue, the problem is that by the time you're even halfway through the sentence "part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware", 90% of people I have decided that it's over their head and stopped listening.
    • discoursism 2359 days ago
      I agree that the situation is bad, but I do want to call out a technicality here. You don't have to work with them. Everyone around you chooses to work with them, because they believe that doing so is safer than not. And this impinges on you, because if they have bad info on you, it can hurt your interactions with people around you.

      There is little that you personally can do to control the sources others use to gather information about you. That's something that's only within the power of a legal framework. The statement, "I don't want to work with Equifax because I don't trust them," is meaningless, because you do not work with Equifax.

      • throw-away-521 2359 days ago
        Comments like this are why people stop reading the comment section.
    • PatientTrader 2359 days ago
      This has nothing to do with punishment. This is the result of a broken system. Most fortune 500 companies pay the ransomware price and the public is never aware of any breach. The idea of storing information on a connected network is the problem. We need to return to the brick and mortar way of storing data, i.e. Tightly guarded central facilities. Nobody should be able to steal 148 million accounts with the click of a button.
    • Florin_Andrei 2359 days ago
      I would argue that having a single occurrence of a hack, isolated, seems unlikely.

      If a site got hacked, chances are they suck at security - and then subsequent hacks are actually more likely to happen over the near future.

      It takes time to turn corporate culture around, and security depends a lot on culture.

      Would be great to see some statistics that would either support or disprove my assertion.

    • hacker_9 2359 days ago
      "Too big to fail"
    • dsgfhasgjklas 2359 days ago
      > And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them."

      Freeze your account and complain to the service that uses it.

      Of course, you're not wrong—you have essentially zero leverage.

      • astura 2359 days ago
        Freezing your account doesn't prevent you from data breaches, your account still exists in their database, they just say "its frozen" when someone requests it.
        • dsgfhasgjklas 2359 days ago
          That's true, but that's also true of anywhere that uses social security numbers for identity verification (which is an atrocious pattern considering how poorly ssns are anonymized).
    • hodgesrm 2359 days ago
      > And the worst part is, I have no idea how I as a person could say "I don't want to do work with Equifax because I don't trust them."

      A good start might be never employ anyone who has worked in Equifax IT. There should be some sort of professional repercussions for being involved with an organization as incompetent as this lot seem to be.

      • KGIII 2359 days ago
        Why is that a good start? They are ex employees. Perhaps they are no longer there because they quit due to bad leadership, bad security, bad company ethics, or maybe they were fired for continually reporting their security flaws?

        I get that some people like meting out punishment, but it seems like a good idea to limit it to the people responsible.

        • hodgesrm 2356 days ago
          Your and other comments are good responses. My comment was mean-spirited and (worse) wouldn't solve the problem.

          A lot of the problems we are seeing can be traced back to the fact that the leadership who make decisions suffer little or nothing in the way of personal consequences. It seems past time for us to change the law so that this is no longer the case. That's about the only way things will change. It's dispiriting to see security breaches and misuse of personal data happening again and again.

      • neilparikh 2359 days ago
        I'm sure there was some incompetance at the individual level, but I think it's more likely that the key issue was that the management de-prioritized security, which lead to the IT team either not having staff on hand to fix issues that came up, or being assigned tasks other than fixing the security issues.

        In that case, ruining the career of a low-level employee seems misplaced, especially when they most likely weren't the cause of these issues.

      • monsieurbanana 2359 days ago
        You can't see it, but I'm rolling my eyes fast at your comment.
      • warent 2359 days ago
        More specifically their IT executive team. Odds are that the lower level tech staff are treated horribly
  • noddy1 2359 days ago
    Solution to the Equifax debacle:

    1) If the value of the individual damages related to this breach are in excess of the market cap of the equifax company, all company stock should be seized and distributed equally among those affected by the breach.

    2) In the future, if a company controls this amount of sensitive data, they should have mandatory breach insurance. This means that they are covered for a government mandated amount based on the legal liability if all their data was lost. This will mean that the insurers will do in-depth audits of the data security of the company, and they will be incentivized year-to-year to ensure their security practices are top notch. The present system incentivizes each CEO to have a head-in-the-sand approach to data security where a hack is considered a long-tail event unlikely to happen during the ceo's 3-5 year tenure and therefore is not really worth paying attention to. In addition, it would ensure that if the potential damage done if data is leaked exceeds the value of the business storing the data, the insurance will be prohibitively expensive and the company will not be able to continue with this line of business - as it should be.

    • benmowa 2359 days ago
      1) stock siezure would kill the market. no one wants to invest in a company if the company stock can get yanked anytime. also, a share of stock is worth what someone will pay me for (ie when i want to convert that stock to cash). who will buy this from me if all of a sudden a bunch of people will take the JG wentworth option and cash out now.

      2) i absolutely agree with the insurance companies being on the hook. They alone will drive insurance rates that are through the roof if the company cant prove pen-testing, employee background checks etc... Unfortunately teh key to making insurance company care, is setting a high standard for breach victim payouts. ie if it only ends up costing an average of $0.10 per individual victim, i dont need to insure equifax for that much?

    • mattnewton 2359 days ago
      I don’t understand how that would work, do you mean liquidate the company? If you mean actually take the shares from shareholders, wouldn’t the value of the stock go to near zero? Who would buy stock that could do that? But I agree with the general idea: they should go out of buisiness and whatever they have should be sold to reemburse people affected.
      • leggomylibro 2359 days ago
        I wonder if the Feds could simply seize the company and issue treasury bonds to shareholders to cover the costs of their stake at the market's price. Eminent domain, or whatever legal term is latin for "we have the guns."

        Then, yeah, liquidate everything and distribute the proceeds amongst the victims. It would be expensive, but...so what? The budget is $2T, and if the fine vastly outweighs the value of the company, then it is clearly a grave situation that demands an unusual response.

        Maybe they could actually issue a realistic fine, and let the company deal with it. But the company would probably just distribute any remaining assets amongst their executives, fire everyone, and declare bankruptcy or something.

        • idbehold 2359 days ago
          > issue treasury bonds to shareholders

          who aren't members of the board

          • Spivak 2359 days ago
            There's really no reason to exclude board members other than spite. If you're going to fine them then just fine them.
            • idbehold 2357 days ago
              Okay, their fine is the value of their stock/options in the company. I think companies would care more about security if the board members were the ones we make examples of in cases like this.
          • leggomylibro 2359 days ago
            Yeah, they'd obviously have to issue a different sort of bonds for the board.
      • paulddraper 2359 days ago
        The situation would be massive liability, so you'd probably go into bankruptcy proceedings.
  • jgladch 2359 days ago
    We're just getting into an era where everything is hackable. We haven't even begun to understand the ramifications...! Privacy has been dead for a long time (did it ever exist?), but we're only just now being confronted with what this means. We have a choice to make: make the world work for everyone, or perish!
    • samfriedman 2359 days ago
      I agree: I think we have been blessed with a long period of innocence concerning the security of our services and devices. A period that is now coming to an end with increased attacks by increasingly powerful entities.

      The dot-com-bubble showed us that businesses should not be valued simply because they leverage hot new technology (hold your AI comparisons...). These high-profile hacks and security failures will hopefully show us that businesses should not be considered secure simply because they stack up to other measures of value.

      I would hope that in the future, a fault in a company's infrastructure security is considered as seriously as a fault in its core business model.

    • camus2 2359 days ago
      > We're just getting into an era where everything is hackable

      It's true, however there seems to be a pattern incompetence when it comes to Equifax. When the first hack happened, if my memory serves me well, they started blaming Apache struts for the security breach, which might or might not be true, however the security patch was available for month when the hack occurred.

  • g051051 2359 days ago
    Yes, this was discussed earlier today: https://news.ycombinator.com/item?id=15456221

    And debunked...it wasn't a hack of the Equifax web site, but a malware package delivered by 3rd party analytics company, Fireclick.

    • tyingq 2359 days ago
      Not exactly. Equifax has hardcoded references to an akamai cache of a domain (hints.netflame.cc) in their own pages[1].

      That domain was owned by Fireclick (né Digital River) at one time, but changed ownership on November 15, 2016. The current owner is a Thai national using a personal Gmail address as the registration info.

      Equifax should be responsible for what 3rd party domains it is referencing in their pages.

      [1]https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js

      • g051051 2359 days ago
        That script was provided by Fireclick, so they're the ones that hardcoded it. It even specifically says "Please do not modify this code".
        • tyingq 2359 days ago
          I'm not sure that bit matters, it's hosted on an Equifax server and served in their pages. And pulling in a script from a very sketchy domain.
          • g051051 2359 days ago
            The script they hosted was legitimate. The Akamai content that it loaded, was legitimate. But Fireclick let the domain lapse, and someone else is now impersonating them and serving malware, and not just to Equifax, either. Why is the story "Equifax hacked again" instead of "Akamai serving content from known spammer site"?
            • tyingq 2359 days ago
              I'm reasonably sure the whole Fireclick infrastructure was abandoned, probably years ago. So Equifax's part was not having some mechanism in place to remove 3rd party references for 3rd parties that aren't delivering anymore. I strongly suspect that predated the change in ownership of the domain, which was almost a year ago. The fireclick.com domain is gone. The parent company (Digital River) doesn't mention offering any kind of analytics service.

              So, yes, technically the vector wasn't directly an Equifax server. But it was only a vector because nobody removed the reference.

              Right now, they also reference crazyegg.com in their pages. If crazyegg goes belly up, the domain will be dormant, and when it expires, somebody might take it over. Does Equifax have an onus to deal with that, or can they blame someone else?

              • g051051 2359 days ago
                I don't know, how can you reasonably defend from that sort of domain hijacking/repurposing? We fundamentally have to trust DNS at some level, but domain names are somewhat transient in nature. Is it fair to single out Equifax here, or is this just an example of an unsolved problem in the industry?
                • tyingq 2359 days ago
                  Somebody used to log into the backend that showed them the statistics. Surely they noticed when it disappeared?

                  Security scans also usually include breakdowns of 3rd party stuff.

                  But yes, there's ways it could go wrong. On the other hand, Equifax is one of very few places that has so much important data. I'd expect them to be leaders in this space, not lackluster followers. Subresource integrity, perhaps more due diligence on partners...stick with bigger players for code that shows up on your site, etc.

                  • g051051 2359 days ago
                    I'd have to guess that someone cancelled the analytics at the business level, but never bothered to write up a change request to tell the devs to take it out.
    • hamiltonkibbe 2359 days ago
      Don't worry, we only blindly pull in and execute "good" third-party code in your browser.
    • criddell 2359 days ago
      That's pretty interesting. Would users running ad blockers be protected from this kind of thing?
      • tyingq 2359 days ago
        Only if they blocked an akamai url that was caching a netflame.cc url
  • cag_ii 2359 days ago
    Something's doesn't sound quite right over at Equifax, I would have thought that with the scale of the last breach a full and thorough audit of all existing systems would have been a major priority!
    • grasshopperpurp 2359 days ago
      Why would you think that?

      >Hack Will Lead to Little, if Any, Punishment for Equifax

      https://www.nytimes.com/2017/09/20/business/equifax-hack-pen...

    • StanislavPetrov 2359 days ago
      >I would have thought that with the scale of the last breach a full and thorough audit of all existing systems would have been a major priority!

      Why would you think that? Equifax hasn't suffered for its poor security - you have. Indeed, Equifax was rewarded with a massive IRS contract for its malfeasance. Its very much like what we see in the banking sector, where even when the banks get caught stealing, at worse they are fined only a fraction of what they stole, leaving them with a hefty profit. That's what crony-capitalism looks like. Why would Equifax or any other corporation change their very profitable business practices if they don't suffer any downside for their wrongdoing?

    • appleiigs 2359 days ago
      Just a normal, slow moving, bureaucratic corporation.

      But even if they were faster, I'm sure an audit of all existing systems is not as simple as making sure all the doors and windows are locked around the house.

      • yawz 2359 days ago
        You can hire a good group of independent pen testers or security companies, and let them hammer your public facing sites. They don't lack the necessary financial resources. At least they would have discovered that type of problems. It's not difficult when there's a will.
        • ionforce 2359 days ago
          Knowing your vulnerabilities, fixing them, and caring about them at all are all different things.
  • linarism 2359 days ago
    The incompetence is mindblowing. Could this be a good argument for software engineers to get their professional license?
    • Arubis 2359 days ago
      It seems abundantly clear that Equifax's incompetence is _systemic_. Under the presumption that they could have hired better engineers, I fully believe they would have managed them into submission.
      • sidlls 2359 days ago
        The kind of licensing here would (or should) provide significant negative consequences for malpractice, possibly including revocation or suspension of the license (and therefore prohibition of working on projects requiring licensed engineers) and even civil or criminal penalties. It also carries credibility and protection: a licensed engineer has a duty to report employers' attempts to circumvent rules like Equifax hypothetically would have done, and legal protection for his livelihood when he does so.

        It may not prevent truly unscrupulous or spineless engineers from capitulating, but it's better than the current situation.

        • nrhk 2359 days ago
          Or you know punish the managers for once instead of the footsoldiers...

          When Wells Fargo had their credit scandal the salesmen shouldn't have been punished, their managers should've.

          These things start at the top. When deadlines are pushed onto you, you don't have time to write unit tests, refactor, update dependencies.

          • sidlls 2359 days ago
            Licensing empowers the engineer to refuse to do something that violates sound engineering practice according to the license and have legal recourse against retaliation.

            It isn't perfect, and the imbalance of power will certainly still be an issue. But that doesn't mean we shouldn't try.

            • camus2 2359 days ago
              > Licensing empowers the engineer to refuse to do something that violates sound engineering practice according to the license and have legal recourse against retaliation.

              It would just put most legal liabilities on engineers vs the org. It's a great way to protect management, that's the only thing it's going to do. That's exactly how dumb traders end up being scapegoated with each financial scandal. Any engineer who would dare report any wrong doing would be blacklisted for life from the IT industry.

              Business like Equifax already have legal requirements at the org level, let's not shift all responsibility onto engineers.

      • macintux 2359 days ago
        I'd be amazed if the average/combined skill level of engineers at any large company exceeds the average/combined skill level of the people trying to compromise its security.

        And that's not taking into account the bureaucratic overhead necessary to make changes in such an environment. There are very good, and very bad, reasons why upgrading insecure software and fixing other security holes takes too much time and effort.

        Equifax just happens to be a very attractive target. I don't know how any such target can stay truly safe.

        (Having said that, they clearly screwed the pooch in a lot of ways, so I won't shed a tear if they're dismantled.)

        • sidlls 2359 days ago
          Libraries, frameworks, and other security systems don't have to be developed in-house. It's just like basic data structures and algorithms: few ought to be rolling their own and should instead be using libraries.
          • macintux 2358 days ago
            All of those are insecure, so it's still a matter of staying ahead of attackers. And avoiding social engineering. And making certain the code that glues those libraries and frameworks together is secure. And making sure people don't accidentally leave an S3 bucket unsecured. And making sure every 3rd party contractor on-site doesn't take advantage of softer internal security. And making sure employees aren't bribed by competitors.

            And making sure the business can still function while doing your best to limit functionality.

          • gaius 2359 days ago
            Yes and no; it was Apache code that was exploited. The failure tho' wasn't technical really; it was the lack of urgency in patching once the flaw was known, which is 100% on management
      • jpk 2359 days ago
        Or managed into finding another job, most likely.
      • tyingq 2359 days ago
        This particular site looks like it might not have been touched for a decade or more.

        So there is also the argument of "any engineers at all" vs "better engineers".

    • camus2 2359 days ago
      A professional license for what? CRUD apps? a CS education doesn't even make one a web security specialist. What's next? forcing corporations to use Microsoft technologies to stifle competition and innovation? like big vendors never release insecure products? like big consultancies never develop insecure apps?
    • duncan_bayne 2358 days ago
      No, because then you get things like this happening:

      https://www.clickondetroit.com/news/fake-architect-sentenced...

      Also, consider how much of the software you use on a regular basis would not exist, if mandatory licensing were in place.

    • wan23 2359 days ago
      I'm not sure requiring a license to practice software development is a good idea, but it does seem that we could use some rules around development and maintenance of important applications. Perhaps legally mandated security audits for anyone storing things like financial data would be useful.
  • kumarski 2359 days ago
    What % of Fortune 500 companies are already paying ransomware fees unbeknownst to their users/customers?
  • ashark 2359 days ago
    The Web has gotten so much worse since we started putting serious stuff on it. It's kind of a population-terrorizing monster, at this point.

    Could we, like... not do that? I seem to remember the world turning just fine when you couldn't push the right sequence of buttons and steal the personal data of half a country's citizens from the comfort of your home.

  • Apocryphon 2359 days ago
    Is Equifax particularly bad for a credit bureau, or are the other guys just as bad? This is cause for worry towards all of these organizations.
  • racecar789 2359 days ago
    After recently freezing credit at all three bureaus...Transunion does it right. Free acct can toggle a freeze anytime. They show a little ad when logging in, but that is fine.

    Experian has no free acct login. Equifax will next year.

  • plandis 2359 days ago
    Where is the action from the federal government? Are any representatives working on legislation for better data protection / handling regulations?
  • Simulacra 2359 days ago
    Someone must not be having a good day over at Equifax. Where is the breaking point for a company like this?
  • pnathan 2359 days ago
    The credit services seem like a good candidate for nationalization or high levels of regulation.
  • flachsechs 2359 days ago
    it's amazing how much the finance industry can get away with. like honest-to-goodness amazing.

    it's really impressive how these people can have such a death-grip on society. honestly, i'm more curious than mad. how is such a thing even possible? i mean, wow.

    • kolbe 2359 days ago
      It's not "finance" per se. It's anyone granted a carte blanche privilege of some rent to exploit. This is almost always granted either directly or indirectly by the government.

      How has finance made it possible? By getting the government to subsidize the industry for all existing entrants at the expense of people who may have better, more progressive ideas about how to manage the financial system. Also at the expense of people in general.

    • Florin_Andrei 2359 days ago
      The big moneybags are always above the law.

      This seems to become one of the biggest problems of modern civilization. Until it's fixed, all sorts of issues like this, and bigger, will continue to occur.

    • dbmikus 2359 days ago
      Avoiding repercussions for bad security is pretty much consistent across all industries.
    • Ascetik 2359 days ago
      Because of our corrupt banking system and the politicians in bed with them.
      • KirinDave 2359 days ago
        Having been in that system, the reality is so much more bizarre than that.

        The actual reality I observed is that the government inspectors and regulators are lawyers and older industry people who simply don't understand technology. Since the US government has limited technical expertise they rely on FIs to adhere to standards and propose self-regulatory measures.

    • chaostheory 2359 days ago
      The finance industry as a whole spends a few billion dollars on lobbying. They spend the most on lobbying compared to every other sector. imo this is one of the things the tech industry hasn't fully optimized yet
      • aeorgnoieang 2359 days ago
        Neither of your first two sentences seem to be true:

        - [Lobbying Spending Database | OpenSecrets](https://www.opensecrets.org/lobby/top.php?showYear=2017&inde...)

        And note that "Education" isn't spending that much less!

        > imo this is one of the things the tech industry hasn't fully optimized yet

        How would the tech industry "optimize" lobbying? Or even just lobbying by finance?

        • chaostheory 2359 days ago
          You're kind of right. I misread the decimal as a comma in $248,785,615.00. Pharma / Health is the next highest spending industry at around $144,778,982, about $100 million less than finance. Finance is the top lobby. Tech lobbying is at $68,403,203 which isn't even half of what finance officially spends on lobbying.

          The OpenSecrets lobbying data also doesn't include lobbying money that isn't officially lobbying money. A lot of politicians, at least in the US - including state level legislators, have non-profit foundations with sketchy ledgers. With many of these foundations, little of the money dontated actually goes towards their publicly stated causes. Most of it is spent on miscellaneous expenses such as trips and dinners or on political ads.

          https://nonprofitquarterly.org/2015/02/09/politics-and-the-u...

          https://www.bostonglobe.com/opinion/2013/08/03/how-end-polit...

          https://www.publicintegrity.org/2013/06/12/12794/state-legis... - oversight doesn't usually happen when it's not public funds being directed into the non-profits

          If you include the finance industry's donations to sketcy non-profits that are closely tied to politicians, then I'm guessing it would dwarf what we're seeing compared to just official lobbying money

          Tech would 'optimize' not just by spending more, but also in offering benefits that finance can't offer such as better data for say elections as an example

    • walrus1066 2359 days ago
      Well, these guys are simply too big to fail. Equifax cannot go bust, otherwise loads of consumer credit (mortgages, car loans etc) would freeze up, causing huge harm to the economy.

      The market likely knows this, hence the stable stock price.

      • raisedbyninjas 2359 days ago
        Genuine question, how are Equifax's services functionally different from the other credit bureaus? What is to stop the federal gov from shutting them down to protect national security forcing any business partners to move to the other providers.
      • gaius 2359 days ago
        Equifax cannot go bust, otherwise loads of consumer credit (mortgages, car loans etc) would freeze up

        Nope - there are two others who will gladly take up the slack.

        • walrus1066 2358 days ago
          My company would be really hampered if Equifax went bust. We do use two other credit bureaus, but some functions depend on data only Equifax provides.

          We also use the different bureaus together for cross checking, often one bureaus file will be out of date or have errors, while the other is fine. So we'd have a much harder job of calculating risk if one of the big bureaus went out of business, simply because we'd be losing a major data source that drives our business.

          I am very sure this case applies to other financial institutions as well.

  • whipoodle 2359 days ago
    Pretty sure this is just how it is now.