The company said the exposed data include names, birth dates, Social Security numbers, addresses and some driver's license numbers, all of which Equifax aims to protect for its customers.

- Three Equifax executives sold shares in the company days after the breach was discovered.

SEC filings show that three Equifax executives – Chief Financial Officer John Gamble Jr., workforce solutions president Rodolfo Ploder and U.S. information solutions president Joseph Loughran – sold nearly $2 million in shares in the company days after the cyberattack was discovered. It was unclear whether their share sales had anything to do with the breach. An Equifax spokeswoman didn't immediately respond to a request for comment.

Equifax said it has set up a website -- www.equifaxsecurity2017.com -- to help consumers determine if their information has been compromised and to allow them to sign up for a complimentary slate of credit-monitoring and identity-theft protection. The company also has established a dedicated call center for consumers.

Equifax, which supplies credit information and other information services, said Thursday that a data breach could have potentially affected 143 million consumers in the United States.

The population of the U.S. was about 324 million in 2017, according to the Census Bureau estimates, which means the Equifax incident affects a huge portion of the country.

5 Ways to Protect Your Finances After Equifax Data Breach

For those who think their information may have been breached, checking credit reports and other steps can protect their data

Sept. 7, 2017

Credit-reporting company Equifax Inc. EFX 0.94% said it was the target of a security breach, which has potentially compromised the personal information of about 143 million U.S. consumers.

Hackers gained unauthorized access to files from mid-May through July, according to the company, which offers credit-monitoring and identity-theft protection products to guard consumers’ personal information. But Equifax said it hasn’t found evidence of unauthorized activity on its consumer or commercial credit-reporting databases.

For those who think their information may have been breached, here are steps they can take to protect their data.

Check Credit Reports

Consumers should check their credit reports with Equifax but also with the other major companies, Experian and TransUnion. The reports are available free annually via creditreport.com. Consumers may not detect any unauthorized activity yet, but they should be on the lookout for any accounts they don’t recognize, says Eva Velasquez, chief executive and president of Identity Theft Resource Center, a San Diego nonprofit established to protect victims of identity theft and broaden education around cybersecurity and data breaches.

Consider a Credit Freeze

A credit freeze will prevent new lines of credit from being issued, but it is a complicated step. Consumers must contact each credit agency and follow their procedures. Doing so will mean consumers won’t be able to open credit cards or take a mortgage or car loan themselves, and unfreezing the credit may take some time.

“A credit freeze is one of the most robust and proactive steps that you can take,” Ms. Velasquez says. “But because of the added level of complexity, some people don’t see it as a good fit.”

Check Bank Statements and Credit Card Statements

Consumers should check their bank statements and credit-card statements for any unauthorized activity.

Take the Credit Monitoring Offered

Equifax has established a website -- www.equifaxsecurity2017.com -- help consumers determine if their information has been affected and to sign up for credit-file monitoring and identity-theft protection. The offering, called TrustedID Premier, includes credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity-theft insurance; and internet scanning for Social Security numbers. The service is free to U.S. consumers for one year, the company said.

Such programs should let customers know if someone makes a change to a credit account or makes a credit inquiry in their names, Ms. Velasquez says. Identity monitoring may also scrape public databases or scan the dark web to see if information is being sold, she says.

Visit the Identity Theft Resource Center

Those who believe they may have been the victim of identity theft can learn more about how to protect themselves at ID Theft Resource Center 888-400-5530. They can also call the center’s toll-free number (888-400-5530) for advice on how to resolve identify-theft issues. All of the center’s services are free.

Equifax is offering a dedicated call center for consumers who have additional questions: 1-866-447-7559. It is open every day, including weekends, from 7 a.m. to 1 a.m. Eastern time.

The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

A Brief History Of Equifax Security Fails

Sep. 8, 2017

The leak of data on as many as 143 million Americans, announced by Equifax yesterday, was not the first rodeo for the credit monitoring and (irony alert) breach recovery firm. It's had problems protecting its customers' information dating back years.

In one case, it had to change its ways following a class action lawsuit over an alleged lapse in security. That suit related to a May 2016 incident in which Equifax's W-2 Express website had suffered an attack that resulted in the leak of 430,000 names, addresses, social security numbers and other personal information of retail firm Kroger. Lawyers for the class action plaintiffs argued Equifax had "wilfully ignored known weaknesses in its data security, including prior hacks into its information systems."

Equifax sought to have the case thrown out with prejudice (i.e. the matter would be closed permanently), arguing the plaintiffs were basing their demand for compensation, as much as $5 million, on "speculative and hypothetical injuries." In the end, the case was dropped without prejudice (i.e. the claims could be brought again), with the stipulation that Equifax fix a glaring security issue. The flaw was the result of an Equifax decision to have client employees access their data with the use of default PIN numbers. The PINs, according to the plaintiff complaint, consisted of the last four digits of an individual's social security number and their four-digit year of birth. A determined hacker could gather such information by scouring the web, or duping a target into coughing up the information. In closing the case, Equifax agreed to stop using those default PINs.

But problems with PINs appeared to have continued after that settlement in September last year. As independent cybersecurity reporter Brian Krebs reported in May 2017 an Equifax note to customers that hackers had used personal information to guess personal questions of employees in order to reset the 4-digit PIN given and stolen tax data. In its disclosure, Equifax said the unauthorized access to the information occurred between April 17 2016 and March 29 the following year.

In January 2017, Equifax was forced to confess to a data leak in which credit information of a "small number" of customers at partner LifeLock had been exposed to another user of the latter's online portal.

Going further back four years, Equifax reported to the New Hampshire attorney general of a breach, admitting that between April 2013 and January 2014, an "IP address operator was able to obtain the credit reports using sufficient personal information to meet Equifax's identity verification process." There were other smaller data leaks reported by Equifax to the AG, though they only appeared to affect a handful of people.

Skip forward to 2016 and a security researcher found a common vulnerability known as cross-site scripting (XSS) on the main Equifax website, according to a tweet from a researcher who goes by the name x0rz. Such XSS bugs allow attackers to send specially-crafted links to Equifax customers and, if the target clicks through and is logged into the site, their username and password can be revealed to the hacker.

Old tech, new problems

Now, other security researchers, intrigued by Equifax's admittance that the just-announced hack exploited a vulnerability on its website, are probing the company's infrastructure and turning up what they claim are worrying finds. The good-guy hackers have found myriad old technologies running the Equifax site, many of which could be vulnerable to cyberattack. Researcher Kenneth White discovered a link in the source code on the Equifax consumer sign-in page that pointed to Netscape, a web browser that was discontinued in 2008. Kevin Beaumont, a British security pro who's spent 17 years helping protect businesses, found decade-old software in use.

"It really looks like they don't care about security on their website - not surprised they got breached, certainly easily," x0rz added. Though there's no evidence the software could allow a serious breach of Equifax data, x0rz noted: "Old IT systems could indicate lack of 'renewal' procedures, old and unpatched software."

Another cybersecurity engineer, using the name Zemnmez, said Equifax shouldn't have allowed so much information to be accessible via a breach of its public-facing web applications. "It definitely should not be possible to do what happened if security was sound." He said Equifax servers were using out-of-date Java software.

The company said it wouldn't comment outside of what was in Thursday's press release. But in announcing the breach Thursday, Equifax CEO Richard Smith admitted the firm needed to do more to boost its security, adding: "I've told our entire team that our goal can't be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we've made significant investments in data security, we recognize we must do more. And we will."

A Congressional inquiry imminent?

Equifax is going to have plenty of questions to answer in the coming months, possibly from government. Congressmen and women are now looking at the issue. "This hack into sensitive information compiled and maintained by Equifax is one of the largest data breaches in our nation's history and someone has to be held accountable," said representative Maxine Waters.

"Given the important role credit scores play in the lives and financial futures of hardworking Americans, Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country’s credit reporting system."

On Twitter, California representative Ted Lieu questioned the decision of Equifax executives to sell stock in the months after the firm was aware of the breach, on July 29, though a spokesperson for the company told Gizmodo the senior employees didn't know of the incident when they sold. He also pondered Equifax's time to disclose: "Why did Equifax wait 6 weeks before letting the public know about the massive security breach? Seems like an unreasonable delay by Equifax."

With politicians paying close attention to the latest in Equifax's long list of security incidents, it can expect more heat than it's experienced after past breaches.

If you want help from Equifax, there are strings attached

September 8, 2017

Equifax is offering help for people whose personal information was hacked -- but there are big strings attached.

The credit reporting agency announced Thursday that the personal information of as many as 143 million people was compromised in a data breach between May and July. The stolen data includes names, Social Security numbers, birth dates, addresses and driver's license numbers.

If your information was exposed, Equifax is offering free identity theft protection and credit file monitoring services. But the offer comes with some conditions that may make you think twice.

You can't get help right away. When people enter their last name and part of their Social Security number on the site to see whether they were affected, some are being told: "Based on the information provided, we believe that your personal information may have been impacted by this incident."

But even in that case, Equifax is not offering the credit monitoring service until next week at the earliest. Monday is the first day you can sign up.

You could be giving up some of your rights to sue. At first, Equifax said anyone who gets the credit monitoring service, TrustedID, must agree to submit any complaints about it to arbitration. Those people wouldn't be allowed to sue, join a class-action suit, or benefit from any class-action settlement.

After public pressure, Equifax added an opt-out provision on Friday. Customers can get out of the arbitration requirement by notifying Equifax in writing within 30 days of accepting the monitoring service.

And Alex Southwell, a privacy lawyer at Gibson Dunn and a former federal prosecutor in New York, said the original rules still left room for people to sue Equifax over the original hack, even if they can't sue over the credit monitoring.

The federal Consumer Financial Protection Bureau recently published rules against these kinds of arbitration requirements by banks and credit card issuers. The rules will apply to credit rating services such as Equifax. But they don't take effect until next year, and Republicans in Congress want to roll them back.

Equifax isn't promising help fixing your credit: Equifax will agree only to monitor your credit, not help you fix any problems arising from the hack. "We do not offer, provide, or furnish any products, or any advice, counseling, or assistance, for the express or implied purpose of improving your credit record, credit history, or credit rating," the company in its 7,200-word terms and conditions. "By this we mean that we do not claim we can 'clean up' or 'improve' your credit record, credit history, or credit rating."

Equifax did not immediately respond to a request for comment Friday.

PSA: no matter what, Equifax may tell you you’ve been impacted by the hack

by Sarah Buhr (@sarahbuhr)

Those hoping to find out if their Social Security number and other identifying info was stolen, along with a potential 143 million other American’s data won’t find answers from Equifax. In what is an unconscionable move by the credit report company, the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach...

So then I decided to test the system with a different last name and six random numbers. I used the more popular English spelling of my last name for this purpose, entering “Burr” instead of “Buhr” and entered six random numbers I don’t even remember now. Sure enough, this made-up person had also been impacted. I tried it over and over again and got the same message. The only time I did not get the message I’d been impacted was when I entered “Elmo” as the last name and “123456” as my Social Security number.

Some of my colleagues also tried to fool the system and came up with different outcomes. Sometimes, after entering a made-up name, the site said they had been impacted. A few times it said they were not. Others have tweeted they received different answers after entering the same information.

The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID...

Equifax Lobbied for Easier Regulation Before Data Breach

In months before hack, Equifax was lobbying lawmakers, agencies to limit legal liability of credit-reporting companies

Sept. 11, 2017

Equifax Inc. was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach.

Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies.

That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans.

Equifax has also lobbied Congress and regulatory agencies on issues around “data security and breach notification” and “cybersecurity threat information sharing,” according to its lobbying disclosures.

The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company’s reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

Equifax’s credit-reporting peers, TransUnion and Experian PLC, spent at least $128,000 and $690,000, respectively on lobbying in the year’s first half, disclosure records show. They were lobbying on similar issues as Equifax, including liability.

In a statement Monday night, Equifax said it “works closely” with lawmakers and regulators “to ensure that we are communicating the benefits of credit reporting to the U.S. economy, as well as the effects of certain legislation on the financial system.” The company said it believes in “fair industry regulation and advocating for policies that protect consumers’ rights.”

The size of the hack at Equifax is second only to the breach of user information disclosed last year by Yahoo Inc. But the Equifax attack is potentially more damaging given the gatekeeper role it and other credit-reporting companies play in how U.S. consumers go about getting loans.

The Equifax data breach revealed a slew of personal information—names, addresses, dates of birth, Social Security numbers and in some cases driver’s license information—in one swoop. This made the exposure far broader than other hacks that revealed, say, a consumer’s name and credit-card number.

“This one is a different animal in the sense of the nature of the information that was breached,” Capital One Financial Corp. Chief Executive Richard Fairbank said at a financial-services industry conference Monday. “We have not been through the equivalent of this one.”

John Gamble, Equifax’s finance chief, was scheduled to speak at the same conference, but canceled.

He and Equifax chief Richard Smith have spoken in recent days, though, with some analysts and investors, according to people familiar with the matter. In those conversations, the executives said the database that was hacked had retained consumer information going back five to 10 years, the people said.

That, the executives said, was part of the reason so many people were affected. They added that a portion of the affected database included people who had contacted the firm to dispute information in their credit reports, the people familiar with the matter said.

Messrs. Smith and Gamble also said the hacked database was separate from the credit reports that Equifax sells to consumers and lenders, the people said.

The executives said the company waited more than a month to announce the breach in part because of the need to set up a website for affected consumers and decide on $ervice$ for them, according to a person familiar with the matter.

Equifax’s political-action committee made contributions to 13 members of the Financial Services Committee during the 2016 election cycle, according to data from the Center for Responsive Politics. Among the recipients was Committee Chairman Rep. Jeb Hensarling (R., Texas), who received $1,000. Last Friday, he called for his committee’s hearing into the breach.

Rep. Blaine Luetkemeyer (R., Mo.), chairman of the Financial Institutions and Consumer Credit subcommittee that directly handles matters relating to the reporting companies, received $2,000. Also receiving $2,000 was Rep. Barry Loudermilk (R., Ga.), sponsor of the bill that would place a $500,000 cap on the statutory damages consumers could win in a lawsuit against the credit-reporting companies, as well as eliminate punitive damages against them entirely.

The Equifax PAC also gave two additional $1,000 donations to Rep. Luetkemeyer this year, in April and June, according to Federal Election Commission records. The April donation was eight days before Rep. Loudermilk’s bill was introduced.

Equifax said its PAC contributions “are made in a legal, ethical and transparent manner” in accordance with federal laws and regulations. No corporate funds are used in the PAC, which is funded solely by Equifax employees’ voluntary contributions, the company said.

Staff for Reps. Hensarling, Luetkemeyer and Loudermilk couldn’t be reached for comment.

At last week’s hearing into the liability limits bill and other regulatory overhaul measures, Chi Chi Wu, a staff attorney for the National Consumer Law Center, said the proposed legislation “drastically decreases the consequences for credit bureaus” when they violate the law.

Rep. Loudermilk at the hearing denied the bill was “a credit bureau protection act,” saying it was intended “to protect consumers and all Americans.”

Equifax has also lobbied on changes to rules governing companies that promise to “repair” consumers’ credit. A separate bill pending before the Financial Services Committee would allow credit-reporting companies to offer credit-education and identity-protection services without being subject to rules governing credit-repair companies.

Equifax also lobbied the Consumer Financial Protection Bureau and the Federal Trade Commission in the first half of this year, according to its disclosure reports. Both agencies regulate aspects of credit-reporting companies.

Equifax had 'admin' as login and password in Argentina

2 hours ago

The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations.

Cyber-crime blogger Brian Krebs said that an online employee tool used in the country could be accessed by typing "admin" as both a login and password.

He added that this gave access to records that included thousands of customers' national identity numbers.

Last week, the firm revealed a separate attack affecting millions in the US.

After being notified of the latest breach, Equifax temporarily shut the affected website.

"We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cyber-security event that occurred in the United States last week," an Equifax spokeswoman told the BBC.

"We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.

"We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region."

The discovery came less than a week after Equifax revealed that a separate breach meant about 143 million US consumers and an undisclosed number of British and Canadian residents might have had personal details exposed.

The firm took six weeks to make the discovery public after first learning of a problem.

On Tuesday, 36 US senators called for a federal investigation into how three company executives came to sell nearly $2m (£1.5m) worth of shares in the company in the interim.

Equifax is also facing dozens of legal claims over the matter.

Mr Krebs wrote that the Argentine matter involved Equifax's local business Veraz.

Specifically, a web application - referred to as Ayuda, the Spanish for "help" - appears to have been weakly guarded.

"[It] was wide open, protected by perhaps the most easy-to-guess password combination ever: admin/admin," wrote Mr Krebs.

The discovery was made by the US cyber-security firm Hold Security, which Mr Krebs advises.

Its researchers explored the portal and within found a list of more 100 Argentina-based employees the blogger disclosed.

Using this list they were able to uncover the workers' company usernames and passwords, which turned out to be matching words in each instance.

Each example amounted to either solely the worker's last name or a combination of their surname and their first initial, which made them fairly easy to guess anyway, Mr Krebs added.

Extraordinary'

"But wait, it gets worse," he blogged.

"From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports.

"The site also lists each person's DNI [documento nacional de identidad]- the Argentinian equivalent of the social security number - again, in plain text."

All told, there were more than 14,000 such records, Mr Krebs said, concluding that the firm had been "sloppy".

Unlike social security numbers in the US, DNIs are publically available in Argentina.

But one UK-based cyber-security expert agreed the case raised questions about how Equifax protects the data it holds.

"This kind of security vulnerability is extraordinary as even the most basic of checks should reveal this," Prof Alan Woodward from the University of Surrey told the BBC.

"It's outrageous that any organisation that holds such sensitive personal data can build a portal with this kind of basic security vulnerability.

"It simply shouldn't happen and responding that they have now fixed the issue is not the point: it puts a huge question mark over whether Equifax have been applying the appropriate resources to online security elsewhere."