[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Tue Feb 13 16:45:21 UTC 2018


Undeterred by the fact that no one has responded to my last post, I offer 
the following update to the Equifax breach to further illustrate my 
point.  As many companies have found out, you don't find out what you've 
got till it's gone... a further reason for data minimization and short 
retention periods.

http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/


*Equifax hack worse than previously thought: Biz kissed goodbye to card 
expiry dates, tax IDs etc*
Pwned credit-score biz quietly admits more info lost
By Iain Thomson in San Francisco 13 Feb 2018 at 02:13

Last year, Equifax admitted
https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
hackers stole sensitive personal records on 145 million Americans and 
hundreds of thousands in the UK
https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
and Canada.

The outfit already said cyber-crooks "primarily" took names, social 
security numbers, birth dates, home addresses, credit-score dispute 
forms, and, in some instances, credit card numbers and driver license 
numbers. Now the credit-checking giant reckons the intruders snatched 
even more information from its databases.

According to documents provided by Equifax to the US Senate Banking 
Committee,
and _revealed this month by Senator Elizabeth Warren (D-MA)_,
https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
the attackers also grabbed taxpayer identification numbers, phone 
numbers, email addresses, and credit card expiry dates belonging to some 
Equifax customers.

Like social security numbers, taxpayer ID numbers are useful for 
fraudsters seeking to steal people's identities or their tax rebates, 
and the expiry dates are similarly useful for online crooks when linked 
with credit card numbers and other personal information.


*Contradictory*

"As your company continues to issue incomplete, confusing and 
contradictory statements and hide information from Congress and the 
public, it is clear that five months after the breach was publicly 
announced, Equifax has yet to answer this simple question in full: what 
was the precise extent of the breach?" Warren fumed in a missive late 
last week.
https://www.warren.senate.gov/?p=press_release&id=2317

Equifax spokeswoman Meredith Griffanti stressed to The Register today 
that the extra information snatched by hackers, as revealed by Senator 
Warren, belonged to "some" Equifax customers. In other words, not 
everyone had their phone numbers, email addresses, and so on, slurped by 
crooks, just some. How much is some? Equifax isn't saying, hence Warren's 
(and everyone else's) growing frustration.

The senator is a cosponsor of the _proposed Data Breach Prevention and 
Compensation Act_,
https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
which, if passed, would impose computer security regulations on credit 
reporting agencies, with mandatory fines that would have led to Equifax 
coughing up $1.5bn for its IT blunder.

Some regulation or punishment is obviously needed.

No senior Equifax executives were fired over the attack; instead the CEO, 
CSO and CIO were all allowed to retire with multi-million dollar golden 
parachutes. The US government's Consumer Financial Protection Bureau 
promised a full investigation into the Equifax affair, and then gave up. 
On February 7, an open letter [PDF]
https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
from 32 senators to the bureau asked why the probe was dropped, and the 
gang has yet to receive a response. ®