Equifax data breach

So I’m guessing you’ve all seen the massive data breach over at Equifax in the news/social media/coworker chat about how they lost 143 million people’s critical data. If not, go google it and stop living under a rock :). Cliffs, if you’ve done anything with credit or insurance in the last 10 years there’s a real good chance Equifax just lost your SSN, license number, date of birth, name, address and credit score.

https://www.equifaxsecurity2017.com/

^ You can check there if you’re affected.

Curious what steps you guys are taking? For now I’m taking their year of free monitoring and hoping the lawyers/government get involved and mandate some longer term solution. A year of monitoring doesn’t do much good now that they’ve compromised your SSN, license number and DOB, which don’t change for the rest of your life.

Hopefully this also forces a conversation about SSN’s in general. The concept of a number you get when you’re born that you can’t change that’s critical to your credit and financial life really doesn’t work in this age of massive data breaches. It needs to be more like a credit card number that when it gets compromised you simply cancel it and get a new one.

I use CreditKarma which gives me alerts when any new accounts get opened… I had considered freezing all mine but it seems like a giant pain since I’m going to be looking for a new house shortly.

Surprised they didn’t do a better job at security; their CISO was rated like #5 in the country :lol:

I’m also waiting for Mandiant who is doing IR for this to claim it was China.

I have not done anything yet. But based on my research, I will probably freeze all the bureaus for ~$15 and have the peace of mind.

Isn’t today the deadline for them to pay?

I guess in NY you can freeze your credit for free. Still debating that one. I don’t think we’ll be doing anything soon that will require a credit pull so it’s probably a good idea.

Also, I saw a meme today showing the CSO over at Equifax has a BA and Masters in Music Composition and assumed it was a photoshop, but no, here’s her LinkedIn page.

https://www.linkedin.com/in/susan-m-93069a/

I realize IT security is one of those constant learning things but man, it looks bad when the person at the top of your security pyramid is a music major and you just committed the worst data breach the country has ever seen.

You can sign up at the same site listed above, and the deadline to do so is Nov. 21.

Initially, though, there was a catch — signing up would also commit you to binding arbitration with the credit monitor, which would mean giving up your right to sue. Several politicians and consumer groups have criticized this provision. Democrats in the House and Senate called on the company to pull back that requirement. Late Friday, Equifax said the arbitration language that appears on its website “will not apply to this cybersecurity incident.”

https://www.washingtonpost.com/business/technology/what-you-need-to-know-about-the-equifax-data-breach/2017/09/09/46d20dc4-957d-11e7-8482-8dc9a7af29f9_story.html?utm_term=.cf882f173064

Vulnerabilities in Apache Struts have been the cause for a handful of other very large breaches over the past few years.

Security has vastly improved in the last few years for Fortune 100 companies. If someone was motivated enough they could still get into most major companies and obtain some sort of goal (transfer money out, steal trade secrets, etc.); it just depends on how well you’re funded and what kind of time you have.

      • Updated - - -

I meant the people who hacked them gave Equifax a deadline to pay for the data or they would release it.

Am I wrong in thinking this is the biggest breach ever though? At least one that leaked so much critical info including SSN, DOB, Name, Address. Basically all the ingredients you need to really fuck up someone’s financial life.

Target had a huge breach but it was basically just credit card numbers. Couple minutes at americanexpress.com and 2 days later I had a new card and that problem was solved. This is SOOOO much worse because there isn’t an easy fix for 143 million people.

Amount of records, it has to be the biggest.

OPM was worse since it was basically data on everyone with secret/top secret clearance.

In addition to this, a number of their senior execs sold a total of $1.8M of their stock holdings after the company became aware of the breach…

I don’t have a US credit card and only one US bank account, so not sure I’ll need to do much here.

This is good for IT security professionals though :slight_smile:

It’s been good for a while now… If I had to guess it will be that way for another 10+ years for enterprise security.

The nice thing is you can really branch out now since everything has a computer and is hooked to the internet. I did a full car security assessment for a vendor earlier this year.

Medical Equipment
Cars
Home Appliances
Industrial Control Systems
Home automation
Smart Phones
etc

The place I’m at now we mainly focus on long term (3 months or more) threat simulations. For example, you’re a major bank and you want to know if someone can hack you and wire transfer money out, or you’re in oil and gas and want to see if someone can blow up an oil rig. The oil rig deal we got far enough to access and use the control system that managed the rig and then built a lab with the same equipment to prove out being able to blow stuff up and change the data reporting back to look normal.

I forgot all about that one since I wasn’t affected.

FROM HER LINKEDIN PROFILE:

“I highly recommend Susan, she is outstanding at directing and motivating people to achieve solid results. Susan has a strength in building relationships throughout an enterprise in support of the overall goal. During our work together she continued to produce outstanding teams and great results. As a sidenote, you might want to keep an eye on her as she’s a fucking train wreck when it comes to the security of your company’s data archives and the sensitive personal information of millions upon millions of your client’s. Other than that, she’s a fucking gem who can carry a tune like nobody’s business”.

I’ve been proactive long ago in avoiding this situation by installing a Dilithium crystal re-digitizer piggybacked onto a Furian Flux capacitor with dual quad mastificators. It’s proven to be more than effective in plugging the vulnerabilities in Apache Struts.

LinkedIn trolls are a special kind of troll

My info was breached but I haven’t seen any fraudulent activity anywhere, yet.

And what is a credit freeze? You just can’t get new lines of credit I assume and cards still work?

Existing companies you have accounts with can still access your credit but nothing new is allowed. It’s a great way to keep your credit safe but it’s kind of a pain in the ass if you’re expecting to apply for any loans, credit cards or even shop around for insurance in the near future.

I plan to get an auto loan in the next month or so, DAMN this sucks. What should I do?

Nothing? Like the majority of people…

They seem to be handling the situation really well…

“Equifax has been directing victims to a fake phishing site for weeks”

Anyone gotten a response from Equifax after signing up for their monitoring service? I think they said it would be a couple days, but still no response after a week.