More News About the Equifax Hack

From The Wall Street Journal, we learn that Equifax was probably hacked in early March:

Hackers roamed undetected in Equifax Inc.’s computer network for more than four months before its security team uncovered the massive data breach, the security firm FireEye Inc. said this week in a confidential note Equifax sent to some of its customers.

I’m an Equifax customer… I mean, right? (Aren’t we all, whether we want to be or not?) Why didn’t I get that confidential note?

I did finally freeze my credit report with all three of the credit bureaus, although Krebs on Security warns that Experian makes it really easy for anyone with your personal data to unfreeze your credit:

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

Equifax, meanwhile, is still telling people to visit non-existent websites. From The Verge:

In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.

Further research revealed three more tweets that had sent potential victims to the same false address, dating back as far as September 9th. These tweets have also since been deleted.

It turns out that it was more like eight tweets, not three.

As you might recall, this is the second incorrect website Equifax has tweeted to customers. The first incorrect URL, securityfreeze2017.com, went to a “this site cannot be reached” page until Brian Krebs (of Krebs on Security) bought the domain and turned it into a “how you can protect yourself after the Equifax breach” guide.

The second incorrect URL had already been claimed by Monadical startup cofounder Nick Sweeting in order to prove how easy it would be for someone to create a website that looked almost identical to the real Equifax website, in the hopes that consumers would mistype the URL and give the fake site their personal information. (Sweeting wasn’t trying to collect anyone’s personal information; his site was designed as an educational tool to warn both consumers and Equifax that hackers could be doing the exact same thing.)

Anyway, turns out that the person who mistyped the URL worked at Equifax.

Equifax just linked customers to my fake phishing version of their site by accident. 😱😱😱 https://t.co/kXQdwKys71

— Nick Sweeting 🚲 (@thesquashSH) September 20, 2017

Oh, and the NYT thinks that Equifax will get off easy. Read the article for a point-by-point summary of why no one will go to jail or get fined or shut down over this, or take this as your tl;dr:

The worst anyone connected with Equifax may end up facing is a tongue-lashing from Congress — many hearings are already scheduled — except for the outside chance that the aggrieved public gets its own day in court. But that could be years from now.

Support The Billfold

The Billfold continues to exist thanks to support from our readers. Help us continue to do our work by making a monthly pledge on Patreon or a one-time-only contribution through PayPal.