Monday, 02 July 2018


Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and over 88 million businesses worldwide. Founded in 1899 and based in Atlanta, Georgia, it is one of the three largest credit institutions along with Experian and TransUnion (known as the "Big Three"). Equifax has US$3.1 billion in annual revenue and more than 9,000 employees in 14 countries. It is listed on the NYSE as EFX.

In addition to offering credit and demographic-related data and services to businesses, Equifax sells credit monitoring and fraud prevention services directly to consumers. Like all credit reporting agencies, the company is required by US law to provide consumers with one free credit report each year.

Equifax was the subject of over 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017, with most complaints related to incomplete, inaccurate, outdated, or misinformed information held by the company.

In September 2017, Equifax announced a cyber security breach, which it said occurred between mid-May and July 2017, in which cybercriminals accessed the personal data of about 145.5 million US Equifax consumers, including their full names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. Equifax also confirmed that at least 209,000 consumers' credit card credentials were taken in the attack. On March 1, 2018, Equifax announced that an additional 2.4 million US customers were affected by the breach. The company claims to have found evidence of the cybercrime event on July 29, 2017. Residents of the UK and Canada were also affected.





History

Equifax was founded by Cator and Guy Woolford in Atlanta, GA, as the Retail Credit Company in 1899. The company expanded rapidly and by 1920 had offices throughout the US and Canada. By the 1960s, the Retail Credit Company was one of the largest credit bureaus in the country, holding files on millions of Americans and Canadians. Although the company continued to do credit reporting, most of its business was making reports to insurance companies when people applied for new insurance policies, including life, car, fire and medical insurance. All major insurance companies used RCC to get information on health, habits, morals, vehicle use and finances. It also investigated insurance claims and made employment reports when people were looking for a new job. Most of the credit work was then performed by a subsidiary, Retail Commercial Agency.

The Retail Credit Company's extensive holdings of information, and its willingness to sell that information to anyone, drew criticism of the company in the 1960s and 1970s. This included the charge that it collected "... facts, statistics, inaccuracies and rumors... about almost every phase of a person's life, his marital problems, work, school history, childhood, sex life, and political activity." The company also allegedly rewarded its employees for collecting negative information about consumers.

As a result, when the company moved to computerize its records, which would lead to wider availability of the private information it held, the US Congress held hearings in 1970. These led to the enactment of the Fair Credit Reporting Act in the same year, which grants consumers rights regarding the information stored about them in the company's data banks. It is alleged that the hearings prompted the Retail Credit Company to change its name to Equifax in 1975 to improve its image.

The company later expanded into commercial credit reports on companies in the US, Canada and the UK, where it competes with companies like Dun & Bradstreet and Experian. The insurance reporting was phased out. The company also had a division that sold specialist credit information to the insurance industry but spun off this service, including the Comprehensive Loss Underwriting Exchange (CLUE) database, as ChoicePoint in 1997. The company previously offered digital certification services, which were sold to GeoTrust in September 2001. In the same year, Equifax spun off its payment services division, forming Certegy, a publicly listed company, which acquired Fidelity National Information Services in 2006. Certegy effectively became a subsidiary of Fidelity National Financial as a result of this reverse acquisition merger. (See Certegy and Fidelity National Information Services for more information.)

In October 2010, Equifax acquired Anakam, an identity verification software company.

Equifax purchased eThority, a business intelligence (BI) firm headquartered in Charleston, South Carolina, in October 2011. eThority is partnering with TALX, a St. Louis-based Equifax business unit, and will remain in Charleston.

Equifax Workforce Solutions is one of 55 contractors hired by the US Department of Health and Human Services to work on the HealthCare.gov website.




Products

For most of its existence, Equifax has operated primarily in the business-to-business sector, selling consumer credit and insurance reports and related analytics to businesses in various industries. Business customers include retailers, insurance companies, healthcare providers, utilities, government agencies, as well as banks, credit unions, private and specialized finance companies and other financial institutions. Equifax sells business credit reports, analytics, demographic data, and software. A credit report provides detailed information about an individual's personal credit and payment history, which shows how they have honored financial obligations such as paying bills or repaying a loan. Lenders use this information to decide what type of product or service to offer their customers, and on what terms. Equifax also provides commercial credit reports, similar to Dun & Bradstreet, containing financial and non-financial data for businesses of all sizes. Equifax collects and provides data through NCTUE, an exchange of non-credit data including consumer payment history on telecom and utility accounts.

In 1999, Equifax began offering services to the consumer credit sector as well, such as credit fraud and identity theft prevention products. Equifax and other credit monitoring agencies are required by law to grant US citizens one free credit file disclosure every 12 months; the Annualcreditreport.com website incorporates data from US Equifax credit records.

In 2016, Equifax partnered with CreditMantri, a Chennai-based credit facilitator, to offer credit scores and free loan reports to its customers.

Equifax also offers fraud prevention products based on device fingerprinting, such as "FraudIQ Authenticate Device".



Security failures

2016 early warning of insecure system

According to an October 2017 report by Motherboard, around December 2016 a security researcher examining Equifax servers observed that an online portal, made only for Equifax employees, was accessible from the open Internet.

"I do not have to do anything fancy," the researcher told Motherboard, explaining that the site was vulnerable to a basic "forced browsing" bug. The researcher asked for anonymity out of professional concerns. "All you have to do is enter a search term and get millions of results, right away - in clear text, via web applications." In total, the researcher downloaded the data of hundreds of thousands of Americans in order to demonstrate to Equifax the vulnerabilities in its systems. They said they could download the data of all Equifax customers in 10 minutes: "I've seen a lot of bad things, but it's not that bad."

The same types of sensitive personal information about American consumers (names, birth dates, Social Security numbers, etc.) were exposed as in the May-July breach, according to Motherboard. In addition, the security researcher said they were able to gain shell access on Equifax servers, and found and reported additional vulnerabilities to Equifax. According to the report, despite receiving these warnings from the security researcher, the affected portal was not closed until six months later in June, after both the March and May-July breaches had begun. Additionally, the employee portal was reportedly not on the same servers that were targeted in the later breaches, which Motherboard speculated may suggest that multiple breaches by more than one party may have occurred.

March 2017 security breach

On September 18, 2017, Bloomberg News reported that Equifax had been the victim of a "massive breach of its computer system" in March 2017, and in early March had begun "telling a small number of outsiders and banking customers" about this attack.

According to the Bloomberg report, a person familiar with the breach believes that the intrusion in early March may have been perpetrated by the same party that breached Equifax's computer systems again in May. According to Bloomberg, Equifax engaged Mandiant (owned by FireEye, Inc.) to help investigate the March attack. The same cybersecurity company was hired after the May-July breach.

May-July 2017 data breach

On September 7, 2017, Equifax announced a cybercrime identity theft event that could potentially impact around 145.5 million US customers. Information on an estimated range of less than 400,000 to 44 million Britons, and on 8,000 Canadians, was also compromised. VentureBeat called the exposure of data on 140 million subscribers "one of the biggest data violations in history."

Although the attack was stated to have started in mid-May, the breach was not detected until July 29, according to Equifax CEO Richard F. Smith and subsequent reports by Equifax. Information accessed by the hacker (or hackers) in the breach includes first and last names, Social Security numbers, dates of birth, addresses and, in some cases, driver's license numbers. Credit card numbers for about 209,000 US customers, and certain dispute documents with personally identifiable information for about 182,000 US consumers, were also accessed.

Equifax stated in a Sept. 15 statement that it hired Mandiant on August 2 to investigate the intrusion internally. But the statement did not specify when government authorities ("all US Attorney General" and "other federal regulators") were notified of the breach, although it affirmed "the company continues to cooperate with the FBI in the investigation."

Equifax shares fell 13 percent in early trading the day after the breach was announced to the public.

Many lawsuits have been filed against Equifax as a result of the breach. In one suit, Geragos & Geragos has indicated that they will seek up to $70 billion in damages, which would make it the biggest class action suit in US history.

Many media outlets advised consumers to request a credit freeze to reduce the impact of the breach.

Equifax said the breach was facilitated by a flaw in Apache Struts (CVE-2017-5638). A patch for the vulnerability was released March 7, but the company failed to apply the security update before the attack occurred 2 months later. However, this was not the only point of failure: contributing factors included an insecure network design that lacked sufficient segmentation, potentially inadequate encryption of personally identifiable information (PII), and ineffective breach detection mechanisms.

On September 15, Equifax issued a press release with details of the intrusion points, the potential consequences for consumers, and the company's response. The statement further commented on issues relating to criticism of the initial response to the incident. The company also announced the immediate departure and replacement of its Chief Information Officer and Chief Security Officer.

Three days after Equifax revealed the May-July 2017 breach, Congressman Barry Loudermilk (R-GA), who had been given thousands of dollars by Equifax, introduced a bill to the US House of Representatives that would reduce consumer protections in relation to the nation's credit bureaus, including limiting potential damages in class action lawsuits to $500,000 regardless of class size or amount of loss. The bill would also eliminate all punitive damages. After criticism by consumer advocates, Loudermilk agreed to postpone consideration of the bill "awaiting a complete and complete investigation of the Equifax offense."

On September 28, 2017, the new Equifax CEO Paulino do Rego Barros Jr. responded to criticism of Equifax by promising that the company would, from early 2018, allow "all consumer options to control access to their personal credit data," and that this service would be "offered free, for life."

On October 2, 2017, Equifax revealed that the estimated number of Americans affected was 2.5 million more than previously reported. This brings the total number of Americans potentially affected to 145.5 million.

On October 10, 2017, Equifax stated that 15.2 million UK customers had their records compromised in the breach, of whom 693,665 had sensitive personal data disclosed.

Also around October 10, 2017, the number of driver's licenses compromised in the attack was reported to be 10-11 million.

In September 2017, Richard Cordray, then director of the Consumer Financial Protection Bureau (CFPB), authorized an investigation into the data breach on behalf of affected consumers. However, in November 2017, Mick Mulvaney, President Donald Trump's budget chief, who was appointed by Trump to replace Cordray, was reported by Reuters to have "pulled back" on the investigation, along with shelving Cordray's plans for on-the-ground tests of how Equifax protects data. The CFPB also rebuffed bank regulators at the Federal Reserve Bank, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency who offered to assist with on-site exams of credit bureaus. Senator Elizabeth Warren, who released a report on the Equifax breach on Feb. 7, 2018, was critical of Mulvaney's actions, saying "We are opening this report while Mick Mulvaney kills the investigation of a consumer agent in an Equifax offense. Mick Mulvaney fired his middle finger again to the consumer."

Since October 2017, hundreds of consumers have sued Equifax over the data breach, some winning small claims cases in excess of $9,000, including actual damages, future damages, anxiety, monitoring costs, and punitive damages.

Criticism

After the announcement of the May-July 2017 breach, Equifax's actions received widespread criticism. Equifax did not immediately disclose whether PINs and other sensitive information were compromised, nor did it explain the delay between its discovery of the breach in July and its public announcement in early September. Equifax stated that the delay was due to the time it took to determine the scope of the intrusion and the large amount of personal data involved.

It was also revealed that three Equifax executives sold nearly $1.8 million of their personal holdings of company shares a few days after Equifax discovered the breach but more than a month before the breach was announced. The company said the executives, including chief financial officer John Gamble, "did not know that interruptions had occurred when they sold their shares". On September 18, Bloomberg reported that the US Department of Justice had opened an investigation to determine whether insider trading laws had been violated. "As noted by Bloomberg, these transactions are not scheduled trading and they took place on August 2, three days after the company learned of the hack."

When it publicly disclosed the intrusion into its systems, Equifax offered a website (https://www.equifaxsecurity2017.com) for consumers to see whether they were victims of the breach. Security experts quickly noted that the website had much in common with a phishing website: it was not hosted on a domain registered to Equifax, it followed incorrect TLS practices, and it ran on WordPress, which is generally not considered suitable for high-security applications. These problems caused Open DNS to classify it as a phishing site and block access. In addition, members of the public who wished to use the Equifax website to learn whether their data had been compromised had to provide their last name and six digits of their Social Security number.

The website set up to check whether a person's personal data had been breached (trustedidpremier.com) was determined by security experts and others to return apparently random results instead of accurate information. As with https://www.equifaxsecurity2017.com, this website was also registered and constructed like a phishing website, and it was flagged as such by multiple web browsers.

The TrustedID Premier website contained terms of use, dated September 6, 2017 (the day before Equifax announced the security breach), that included an arbitration clause with a class action waiver. Attorneys said that the arbitration clause was ambiguous and that it could require consumers who accepted it to arbitrate claims related to the cybersecurity incident. According to Polly Mosendz and Shahien Nasiripour, "some fear [that] only use the Equifax website to check if their information infiltrated them to arbitration." The equifax.com website has separate terms of use with an arbitration clause and a class action waiver, but, according to Brian Fung of The Washington Post, "it is unclear whether it applies to a credit monitoring program". New York Attorney General Eric Schneiderman demanded that Equifax remove the arbitration clause. Responding to the arbitration-related concerns, on September 8 Equifax issued a statement stating that "in response to consumer inquiries we have made it clear that the arbitration clause and the elimination of class actions included in the terms of use of Equifax and TrustedID Premier do not apply to this cybersecurity incident." Joel Winston, a data protection lawyer, argued that the announcement disclaiming the arbitration clause "does not mean anything" because the terms of use state that they are the "whole agreement" between the parties. The arbitration clause was subsequently removed from equifaxsecurity2017.com, and the terms of use of equifax.com were amended on 12 September to state that they do not apply to www.equifaxsecurity2017.com, www.trustedidpremier.com, or www.trustedid.com, and to exclude claims arising from those sites or the security breach from arbitration.

Responding to the ongoing public outrage, Equifax announced on September 12 that they "waive all Security Freeze fees for the next 30 days".

Equifax has been criticized by security experts for registering a new domain name for the site instead of using a subdomain of equifax.com. On September 20, it was reported that Equifax had mistakenly linked to an unofficial "fake" website rather than its own breach notification site in at least eight separate tweets, unwittingly helping direct a reported 200,000 visits to the imitation site. A software engineer named Nick Sweeting created the unauthorized Equifax website to show how the official site could easily be confused with phishing sites. Sweeting's site was upfront with visitors that it was unofficial, telling visitors who had entered sensitive information that "you just bamboozled! This is not a safe [sic] site! Tweet to @equifax to get them to change it to equifax.com before thousands of people loosen their info [sic] to phishing sites!" Equifax apologized for the "confusion" and deleted the tweets linking to this site.

2017 Argentina consumer data exposure

In September 2017, Brian Krebs revealed that Equifax's Argentine arm had left the personal data of about 14,000 consumers, and of more than 100 staff members, available to anyone who entered "admin" as both the username and the password for one of its online systems.

2017 withdrawal of vulnerable mobile app

On September 7, 2017, the same day that Equifax announced the major security breach, Equifax removed its official mobile apps from the Apple App Store and from Google Play. Although the apps themselves were not reported to be connected to the breach, they had their own security flaws: they were vulnerable to man-in-the-middle attacks because some parts used HTTP instead of HTTPS.

2017 American payroll data

On October 8, 2017, Krebs reported that The Work Number, a website operated by Equifax's TALX division, exposed the salary histories of employees of tens of thousands of US companies to anyone with the employee's Social Security number and date of birth. For about half the US population, the latter two pieces of data are known to be in the hands of criminals, following Equifax's May-July 2017 security breach.

Malware website

On October 12, 2017, the Equifax website was reported to have been serving malware to visitors via a drive-by download. The malware was disguised as an update to Adobe Flash. At the time, only 3 of the top 65 anti-malware products provided protection against this particular malware, which meant that many visitors were at risk of having their computers infected if they visited the Equifax website.

On October 13, 2017, it was revealed that the attack had hijacked third-party analytics from the Digital FireClick brand.

Also on October 13, 2017, the US Internal Revenue Service was reported to have suspended a $7.2 million contract with Equifax as a result of the attack.



Lawsuits and penalties

The company has been fined by the Federal Trade Commission on two occasions for violating the Fair Credit Reporting Act ("FCRA"). In 2000, Equifax, together with Experian and TransUnion, was fined $2.5 million for blocking and delaying phone calls from consumers trying to obtain information about their credit. In 2003, the FTC took Equifax to court for the same reason and settled its lawsuit with the company with a $250,000 fine.

In July 2013, a federal jury in Oregon awarded $18.6 million to Julie Miller of Marion County against Equifax for violation of the Fair Credit Reporting Act. In her lawsuit, Miller alleged that Equifax had merged her credit report with those of others with different Social Security numbers, dates of birth, and addresses. Miller contacted Equifax repeatedly in writing and over the phone, but Equifax refused to remove dozens of false accounts from Miller's credit report. The award includes $18.4 million in damages, and $180,000 in damages. Miller's lawyer, Justin Baxter, explained that the false report damaged Miller's reputation, that she was denied credit, and that her personal information was given to businesses that had nothing to do with Miller. The jury's verdict is believed to be the largest award in an individual case under the Fair Credit Reporting Act. An Equifax spokesman said that Equifax was considering appealing the jury's verdict. A federal judge reduced the award to $1.62 million in 2014.

In 2014, Equifax and Heartland Bank were sued by Kimberly Haman of St. Louis for reporting that she had died. A Heartland Bank spokeswoman said the bank "immediately investigated and contacted the credit reporting agency after Haman reported" that she was alive. An Equifax spokesman told the Post-Dispatch that Equifax blocked Heartland's account information from appearing on Haman's credit report after a journalist's inquiry.

In April 2014, Equifax was sued in New York federal court by God Gazarov, who claimed that the company mistakenly reported that he did not have a credit history because of his unusual first name.

On November 4, 2015, it was reported that a group of five Oklahomans had sued the company, claiming that Equifax "violated a law requiring financial institutions to protect the security of their customers' private information." Equifax chose the law firm DLA Piper to handle the case in D.C. It turned to Edelman for crisis control earlier, in the aftermath of the privacy breach in October 2017.

Consumer lawsuits claiming damages under the FCRA have succeeded in small claims court.



See also

  • Compuscan
  • Credit bureau
  • Credit score
  • Experian
  • Fair Credit Reporting Act
  • Identity theft
  • Innovis
  • United States privacy law
  • Talx
  • The Work Number
  • TransUnion






Source of the article: Wikipedia
