Game over for your credit

#41 stogie1020, 09-14-2017, 11:41 AM
Here is what I want to know...

If I can make my credit account "frozen" and only unfreeze it when I need it checked, why in sweet Jesus's Jupiter is it not ALWAYS frozen by default and require my approval to run a check?

This should be the default, not some $5 add on service.

#42 Anachostic, 09-14-2017, 12:55 PM
Same reason Facebook makes it difficult to lock your account down. There's a lot of companies that want to friend you, financially.

#43 AZuser, 09-14-2017, 01:35 PM
Originally Posted by stogie1020
Here is what I want to know...

If I can make my credit account "frozen" and only unfreeze it when I need it checked, why in sweet Jesus's Jupiter is it not ALWAYS frozen by default and require my approval to run a check?

This should be the default, not some $5 add on service.
1) It's not in the best interest of the credit reporting agencies for people's credit profiles to be frozen by default. If it's frozen, they can't make money from people paying up to freeze it.

2) Frozen profiles make it harder for credit card issuers to pull up a list of creditworthy people and send them offers.

3) Frozen profiles make it harder/pain in the arse for businesses to operate. Say you're shopping for a new car. When your credit profile is unfrozen, the finance guy can within minutes pull up your credit score and find out if you're approved or not for a loan and at what rate. If your profile is frozen, it can take longer (days even) if you forgot to unfreeze it ahead of time. You'll then have to go home to find your unfreeze password (Damn, where did I put my password?), call up credit agency and verify the release of your profile to the dealer. Then drive all the way back to the dealer for them to run a credit check, but only after they're done with the 5 buyers ahead of you.

4) Makes it harder for shoppers to open up lines of credit with (department) stores/retailers when they see a retailer running a special offer (Ex. Macy's offering 20% off with new Macy's charge account opening).

5) Same scenario as #3 and #4, but with credit card companies and banks. I'm sure you've seen credit card companies and banks offer deals where if you open a new credit card or check account with them, they'll give you X bonus points or a $200 or $500 sign up bonus after you meet a few spend or deposit requirements. Frozen profiles make it harder for people to churn credit cards by taking advantage of these offers.

6) Same scenario as above, but this time with a wireless provider. You want to get the new iPhone X or Samsung Galaxy Note 8 and the special offer that Best Buy is offering ($200 off or BOGO or free Gear 360 camera or free 128GB memory card and Fast Wireless Charging Convertible). They need to run a credit check to see if you qualify. But your profile is frozen.


TL;DR? Frozen profiles can lower credit loan volumes, hurting businesses, banks and the economy.

#44 brian2, 09-14-2017, 02:02 PM
I'm not from the finance world, but the whole industry seems shady to me.... If I don't pay my electric bill, how does that info make it to them?

#45 stogie1020, 09-14-2017, 02:04 PM
I appreciate the insight AZUser, but all of those reasons seem to only point to the need for a way for individuals to actively enable/disable access to my credit profile.

Give me an app that flips a switch for all three bureaus so when I am sitting in the finance office at a car dealership and they want to run my credit, I can say "hang on," flip the switch, let them pull credit and then flip it off again. No cell phone? Call an 800 number with an automated system, provide several authenticating factors and enable/disable at will.

If I can enroll in credit MONITORING in under 60 seconds on a web site, there is no reasonable explanation as to why I should not be able to enable and disable access to my credit profile via a web page in 60 seconds or less.

#46 AZuser, 09-14-2017, 02:19 PM
Maybe something like that can come out of all this if Congress does something about this mess. But I have a feeling that all the lobbyists for the financial industry would fight against something like this as it's not in their best interest.

Ultimately it's up to the credit agencies to develop that app that will allow us to easily freeze and unfreeze our profiles. Don't see them doing this.

#47 doopstr, 09-14-2017, 05:32 PM
When someone does a hard query on my credit history the credit agencies should send me a txt message asking if it's okay for them to release my report. There should be no reason for freezing.

Freezing and credit monitoring is just some BS they set up to make money.

#48 AZuser, 09-14-2017, 06:28 PM
Originally Posted by doopstr
When someone does a hard query on my credit history the credit agencies should send me a txt message asking if it's okay for them to release my report. There should be no reason for freezing.

Freezing and credit monitoring is just some BS they set up to make money.
Free credit monitoring through Experian if you have a Discover card: https://slickdeals.net/f/10558388-fr...r-card-holders

- Equifax is offering free credit freeze until November 21. If you can get their site to work. They told me to try again later because too many people are trying to freeze their profiles.
- TransUnion was free for me. Normally it's $10.
- Experian charged me $10. Maybe if enough people contact them, they'll drop and refund the fee considering what's going on.

#49 brian2, 09-14-2017, 06:34 PM
exploitation

#50 RenoTL, 09-15-2017, 03:39 PM
Originally Posted by stogie1020
I appreciate the insight AZUser, but all of those reasons seem to only point to the need for a way for individuals to actively enable/disable access to my credit profile.

Give me an app that flips a switch for all three bureaus so when I am sitting in the finance office at a car dealership and they want to run my credit, I can say "hang on," flip the switch, let them pull credit and then flip it off again. No cell phone? Call an 800 number with an automated system, provide several authenticating factors and enable/disable at will.

If I can enroll in credit MONITORING in under 60 seconds on a web site, there is no reasonable explanation as to why I should not be able to enable and disable access to my credit profile via a web page in 60 seconds or less.
One, and maybe more, of the Credit Card companies offers an app that lets you turn the card off/on at will. There is no reason something similar can't be done by the credit reporting agencies. We have the technology so let's use it. It's like returning a purchase bought with a CC. It takes days to see the credit back on to your account but the charge showed up almost instantly.

#51 doopstr, 09-15-2017, 07:21 PM
Equifax hired a music major as chief security officer and she has just retired - MarketWatch

CIO and CSO are out
http://www.marketwatch.com/story/2-top-equifax-execs-retire-in-wake-of-massive-data-breach-2017-09-15?siteid=yhoof2&yptr=yahoo

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax’s international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax’s IT operation, will replace Mauldin.

#52 AZuser, 09-15-2017, 08:20 PM
She must've realized she was in deep deep treble and quit. She heard the fat lady singing.

#53 AZuser, 09-15-2017, 08:49 PM
We can now add almost 400,000 Britons to the 143 million American profiles that were accessed.

So now we're at close to 200 million compromised data profiles.

Equifax says almost 400,000 Britons hit in data breach - BBC News

Sep. 15, 2017

The UK arm of the organisation said files containing information on "fewer than 400,000" UK consumers was accessed in the breach.

Last week, Equifax revealed details of the hack and said data on more than 143 million Americans was taken.

The US Federal Trade Commission is investigating how the data was stolen.

Information released when details of the breach were disclosed suggest that hackers got at Equifax's internal systems between mid-May and the end of July this year when the company discovered it had been penetrated.

In a statement, the UK office of Equifax said an internal investigation had shown that data on UK consumers was accessed during the hack.

It said data on Britons was being held in the US due to a "process failure" which meant that a limited amount of information was stored in North America between 2011 and 2016.

The information held included names, dates of birth, email addresses and telephone numbers. No addresses, passwords or financial data was involved.

Equifax said that because the data on UK citizens was limited it was "unlikely" that those affected would suffer identity theft.

It said it would contact those affected and offer them free ID protection services that would alert them to any attempt to carry out fraud with their details.

"We apologise for this failure to protect UK consumer data," said Patricio Remon, president at Equifax's UK office, in the statement.

"Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward," he added.

It said it was co-operating with the Financial Conduct Authority and the Information Commissioner's Office on their investigations.

#54 thoiboi, 09-15-2017, 08:56 PM
Originally Posted by RenoTL
One, and maybe more, of the Credit Card companies offers an app that lets you turn the card off/on at will. There is no reason something similar can't be done by the credit reporting agencies. We have the technology so let's use it. It's like returning a purchase bought with a CC. It takes days to see the credit back on to your account but the charge showed up almost instantly.
That's a Discover card

#55 Anachostic, 09-17-2017, 07:00 PM
Here's a good blog post about what to do now that your info is out in the wild.

https://medium.com/@trevin/equifax-data-breach-what-to-do-to-protect-yourself-e46a1f46499f

I didn't even know there were more than 3 credit agencies. I read elsewhere it was like $10 for each freeze. Jeez. $50 for someone else's fuckups.

#56 justnspace, 09-17-2017, 07:08 PM
Don't forget the Sony PlayStation store hack, Target store hack, Chipotle store hack and any others I'm forgetting!!!!

Our information is definitely floating around on the dark web

#57 AZuser, 09-18-2017, 03:25 PM
Just found out I've been Equifvcked. Got a letter saying my Goldman Sachs account has been overdrawn by almost $10K. The thing is I've never opened a GS account. Ever. That means someone got a hold of all my info to open bank accounts and a credit freeze will do nothing to stop them.

Their fraud dept said to contact Chex Systems ( https://www.chexsystems.com ) to get a report to see if any other bank accounts have been opened. Lame that report isn't provided instantly, but rather is mailed to you (takes 5 business days).

You guys/gals may want to do the same. You can also place a security alert with them (90 days or 7 years). I'm going to have to do the 7 years (requires mailing them a notarized affidavit).

What to do if your identity has been stolen
  • Contact the fraud departments of the three major credit bureaus. Select the following link for Credit Bureau Contact Information.
  • Place a security alert on your ChexSystems consumer file.
  • Contact all financial institutions where you have accounts that an identity thief has taken over or that were created in your name but without your knowledge.
  • Cancel those accounts, place stop-payment orders on any outstanding checks that may not have cleared, and change your Automated Teller Machine (ATM) card, account and personal identification number.
  • File a police report and get a copy of the report to be used if you need to show proof of the crime.
  • Contact the Federal Trade Commission (FTC) to file a complaint.
    • Access the FTC’s ID Theft website
    • Call toll-free at 877.IDTheft (877.438.4338)
    • TDD at 202.326.2502
    • Send mail to Consumer Response Center, FTC, 600 Pennsylvania Avenue, N.W., Washington, DC 20580
  • You may also want to contact the US Postal Inspection Service at U.S. Postal Inspector Service or the Social Security Administration at 800.629.0271.

#58 doopstr, 09-18-2017, 04:45 PM


You need to be careful with these letters. Make sure they are legit, a lot of scams going around.

I covered my short today.

#59 Anachostic, 09-18-2017, 05:47 PM
I froze everything yesterday. Cost a total of $10 (to Experian). TransUnion had some sort of profile you could create on their site where you could "lock" and "unlock" your credit file whenever you wanted. It was free, so I went that route. I think the other two should have something like that, but then you know, people and sad passwords.

#60 AZuser, 09-18-2017, 05:49 PM
Originally Posted by doopstr


You need to be careful with these letters. Make sure they are legit, a lot of scams going around.
I googled the # on the letter before calling just to be safe. It was legit.

GS account was opened on 8/30. If Equifax had reported the breach in a timely manner (back in July), maybe this wouldn't have happened because I would have placed fraud alerts on and frozen everything.

#61 doopstr, 09-18-2017, 06:32 PM
https://www.cnbc.com/2017/09/18/equi...ent-march.html
Equifax acknowledges a second security 'incident' happened in March
  • Equifax got hacked at least twice this year.
  • The company retained FireEye-owned Mandiant to investigate both breaches.

#62 Abe_Froman, 09-19-2017, 09:03 AM
Over the past few years I fell prey to the following hacks:

1) Target
2) Playstation
3) Fed
4) Equifax

I'm one lucky SOB.

#63 stogie1020, 09-19-2017, 11:24 AM
Filled out the "free one year monitoring" application on Equifax website late last week. Site said "you will receive confirmation email in a 'few days'"... No email yet.

#64 losiglow, 09-19-2017, 11:57 AM
^ Ditto

#65 nfnsquared, 09-19-2017, 01:17 PM
You can now go through Equifax to freeze your credit for FREE and if you already paid them last week, they will refund your money:

https://www.equifaxsecurity2017.com/...e-consumers-3/

They give you a 10-digit PIN which you will have to use to "unfreeze".

Edit: And so far, they are claiming that I'm not affected....

#66 AZuser, 09-20-2017, 12:26 AM
Another thing for me to worry about. Thanks Equifvck.


https://www.cnbc.com/2017/09/18/your...x-returns.html

Your next worry after the Equifax breach: Fake tax returns
  • Tax-related identity theft is one of the IRS "Dirty Dozen" top tax scams.
  • Victims of the Equifax breach may not qualify for IRS ID-theft precautions like an identity protecting PIN.
  • Getting organized now can help you file your return earlier next year.

Sep. 19, 2017

After the Equifax data breach, year-end tax planning may be even more important.

Social Security numbers were among the data exposed in the Equifax hack, which affects up to 143 million people. Immediate to-dos have focused on fraud alerts, credit freezes and monitoring to curtail thieves' ability to open new accounts in victims' names. But experts say consumers should also start thinking ahead to tax season — when criminals could potentially use those stolen Social Security numbers to file fraudulent tax returns and snare refunds.

Having a credit freeze or other monitoring in place doesn't prevent tax-related identity theft, which is among the top scams on the IRS "Dirty Dozen" list. The agency estimates that during the first nine months of 2016, beefed up safeguards helped it stop 787,000 fraudulent returns totaling more than $4 billion — but it still paid out $239 million in "suspect" refunds.

It's still unclear what impact the Equifax breach could have on the 2018 filing season.

"The IRS continues to review and assess this serious situation to determine necessary next steps," an IRS spokesman said to CNBC in an e-mailed statement.

So what can you do?

First, some bad news. IRS protections currently in place — filing an identity-theft affidavit or obtaining a filing PIN (more on that, below) — are specifically for victims of tax-related identity theft. Having your Social Security number exposed in a data breach isn't enough. As the IRS notes in its taxpayer resource, "not every data breach results in identity theft, and not every identity theft is tax-related identity theft."

But there are still some steps you can take to mitigate the risks ahead of tax time:

Prepare to file early

"Our motto is, file first and beat the crooks," Velasquez said. "It does have an impact. You are not giving them an open window."

"File early" doesn't mean rush to file (and risk underreporting income or having to file an amended return later), Gagnon said. Some taxpayers can't file right at the start of the season — investment 1099s for dividends and interest can show up in mid-February, and taxpayers with partnership income may still be waiting for their K-1s for last season's returns, he said.

The prep you can do is more about getting organized so that you're ready to go ASAP:
  • Review your most recent tax return. That can provide a good framework for this year, in terms of deductible expenses to tally and official documents (W-2s, 1099s, etc.) to expect, Gagnon said. Note any changes, say, if you switched jobs, or opened a new investment account.
  • Make a list of key documents you'll need, so you can check them off as they arrive and see at a glance what you are still waiting on. Be proactive about calling or emailing to track down a late document, he said.
  • If you have moved this year, reach out to any of the employers, financial institutions and other entities sending you key forms, to make sure they have your current mailing address and contact information, he said.
  • Start gathering receipts and records for potentially deductible expenses, like charitable donations or business expenses.
  • Monitor online accounts, Gagnon said. Some entities only make tax documents available online, rather than mailing a copy; others offer online access well before they send paper copies in the mail.

Monitor your tax record

The IRS offers online access that lets taxpayers see details of their tax account, said certified public accountant Andy Mattson, tax partner at Moss Adams in Campbell, California.

"It's a good way to monitor your account, if you're concerned about it," he said. You'd be able to see if someone files a return in your name and take action more quickly.

But signing up is no easy feat. The IRS requires a slew of personal information, and the process is so stringent that less than half of those who try to register actually succeed, Mattson said.

Adjust your withholding

If you're a victim of tax-related identity theft, untangling the problem can take months, said Velasquez — who described the time frame as "wildly inconsistent." That's a tougher wait if you were anticipating a refund windfall. (The average this year was $2,769, according to IRS filing statistics.)

"[Tax-related identity theft] has less of a day-to-day impact for folks who aren't relying on, waiting on or counting on a refund," she said.

Even if you're not a victim, safeguards put in place could delay your refund. In its 2016 report to Congress, the IRS National Taxpayer Advocate estimated that some filters used to detect fraudulent returns and identity theft had false positive rates exceeding 50 percent.

"These incorrect selections delayed approximately 1.2 million tax returns associated with about $9 billion in legitimate refunds for more than an additional 30 days on average," the IRS noted in the report.

Your best defensive move: Revisit your W-4, the form that tells your employer how much federal income tax to withhold from your paycheck, Gagnon said. Changing allocations can keep more in your paycheck now, and even out your tax bill.

"You want as little a refund as possible, so you're least exposed," he said. "It's better to wait for $100 to come in than $1,000."

But be careful with this strategy, Mattson said. It's not always easy to estimate tax liability, and you'll need to have cash set aside in case you end up owing at tax time.

"The cure might do more harm than the disease," he said. "People could end up owing money they weren't expecting to."

Consider a PIN

The IRS does offer so-called identity protecting PINs, or IP PINs, to prevent someone from filing a fraudulent return with your Social Security number. Participants get a new six-digit number each year, without which your e-filed return will be rejected and a paper return, significantly delayed.

"The PIN makes perfect sense," Mattson said. "But right now you can only get a PIN if you're a victim of tax identity theft, if someone files a return using your Social."

Currently, IRS guidelines only allow you to get an IP PIN if you filed last year's return with a home address in Florida, Georgia or Washington, D.C., where the government is running a pilot program. Or if the IRS invites you to apply — which, as Mattson points out, generally only happens if you have already been a victim of tax-related identity theft.

(Another point for would-be applicants: According to IRS documents, "If you've placed a credit security freeze with Equifax, you must contact Equifax to have the freeze temporarily removed to allow us to verify your identity.")

PIN protection isn't foolproof, Velasquez said. The IRS PIN system has itself been subject to cyberattacks, she said. Earlier this year, the Treasury inspector general for tax administration released a report noting inconsistencies in IRS processes that left some victims without PINs.

Watch for fraud flags

Fraudulent tax returns aren't the only tax-time identity theft issue to keep an eye on. The IRS warns that receiving certain tax documents or IRS notices — like a CP2000 to verify unreported income or a 1099 from an employer you haven't worked for — can be a red flag for employment-related identity theft.

#67 AZuser, 09-20-2017, 03:30 AM
Originally Posted by stogie1020
Filled out the "free one year monitoring" application on Equifax website late last week. Site said "you will receive confirmation email in a 'few days'"... No email yet.
Your application probably never made it through. Data probably got siphoned and sent to hackers.

Equifax's credit report monitoring site is also vulnerable to hacking ZDNet

The site has at least one vulnerability that allows a hacker to trick users into turning over sensitive data.

September 12, 2017

Equifax's site used to set up credit account monitoring in the wake of last week's security breach is also vulnerable to hackers, ZDNet has learned.

In the aftermath of the breach, the going recommendation has been to set up alerts and freezes on any and all credit accounts. Countless are thought to have flocked to the websites and the credit rating agency phone banks to protect themselves from hackers.

The problem is that Equifax's site used to set up alerts on individual's credit rating history can be easily spoofed, security researcher Martin Hall told ZDNet.

The site is used to request a 90-day fraud or active duty alert for credit report holders -- thought to be the majority of Americans.

But vulnerabilities in the site can allow hackers to siphon off personal information of anyone who visits.

The site is vulnerable to a cross-site scripting (XSS) attack, which lets an attacker run malicious code on a legitimate website or web application, such as Equifax's site.

In this case, a hacker can trick a user into loading the site from a malicious link, which prompts for the consumer's social security number and other personal information.

That data could be seen by a malicious actor as soon as the information is submitted.

Because the malicious code is included in Equifax's web address, the malicious prompt will be part of the Equifax domain. The browser thinks that the site is still secure, and displays the "lock" icon in the browser window. That also means that it's difficult to spot from a spam or phishing email because the code is loaded from Equifax's legitimate domain.


Anyone with knowledge of the code can use it in phishing emails to trick unaware consumers into turning over personal information to an attacker -- even though the link and the page appear to be Equifax's domain.

"I looked at the code and noticed that I could break out of the developers code into my own," said Hall. "This gives me full permission to change the page to say or load any content I want."

"Do you trust Equifax with your details? The problem is that post breach they are asking people to enter their personal details all over again while they still have many insecure sites and pages," he said.

Hall said that he reached out to Equifax's security team about several flaws across the company's site but didn't hear back.

Troy Hunt, a security expert who runs the data breach notification site Have I Been Pwned, told ZDNet that it was "alarming" that the flaw existed in the first place, but, "even more alarming that the researcher hasn't been able to get a response when attempting to report it."

Cross site scripting, he said, "enables an attacker to run their own arbitrary JavaScript in a victim's browser which gives them an enormous amount of control over how a vulnerable website behaves."

"They can rewrite the page, change where forms post data to (consequently grabbing any information entered into the page), load external content into the browser and even deliver malware to the victim," said Hunt.

At least one other XSS security issue has been found. It's not known if hackers are actively exploiting the website vulnerability.

Because the website is vulnerable, we can't recommend breach-affected consumers use the Equifax website to set up alerts or credit freezes for the time being until the security flaw is resolved.

An Equifax spokesperson did not return a call or email at the time of writing. If that changes, we'll update.
No update to story in over a week so that means no response from Equifax yet?
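
The reflected XSS described in the ZDNet article quoted above, as an added example that is not part of the original post and is not code from the affected site: a hypothetical page echoes a URL parameter unencoded, shown beside a version that encodes the value for each context it lands in. The host `alerts.example.test`, the `ref` parameter and all function names are assumptions, and the probe string is constructed.

```javascript
// Added illustration, not code from the affected site. The host, the "ref"
// parameter and every function name are hypothetical.

// VULNERABLE: the parameter is pasted verbatim into the HTML body and into an
// inline script string, so its value can close the string or the script block.
function renderVulnerable(url) {
  const ref = new URL(url).searchParams.get('ref') || '';
  return `<p>Alert request for: ${ref}</p>\n` +
         `<script>var ref = "${ref}";</script>`;
}

// HTML-body context: encode the characters that can start a tag or entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Script-string context: JSON.stringify quotes and backslash-escapes the
// value; <, >, & and U+2028/U+2029 are then written as \uXXXX so the value
// can never contain a literal "</script>".
function escapeJsString(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// HARDENED: same page, each insertion encoded for the context it lands in.
function renderHardened(url) {
  const ref = new URL(url).searchParams.get('ref') || '';
  return `<p>Alert request for: ${escapeHtml(ref)}</p>\n` +
         `<script>var ref = ${escapeJsString(ref)};</script>`;
}

// Review helper: does the raw value survive into the response, and how many
// script blocks does the response end up with (the template itself has one)?
function inspect(html, rawValue) {
  return {
    reflectedRaw: html.includes(rawValue),
    scriptBlocks: (html.match(/<script\b/gi) || []).length,
  };
}

// Constructed probe: a harmless marker that only takes effect if it manages
// to break out of the string the developer wrapped around it.
const PROBE = '";</script><script>document.title="probe"</script>';
const SAMPLE_URL =
  'https://alerts.example.test/request?ref=' + encodeURIComponent(PROBE);

console.log('vulnerable:', inspect(renderVulnerable(SAMPLE_URL), PROBE));
console.log('hardened:  ', inspect(renderHardened(SAMPLE_URL), PROBE));
```

Both responses come from the same legitimate origin over HTTPS, which is why the browser's lock icon says nothing about whether the page content was injected.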

#68 nfnsquared, 09-20-2017, 11:06 AM
Originally Posted by AZuser
Another thing for me to worry about. Thanks Equifvck.


https://www.cnbc.com/2017/09/18/your...x-returns.html
Another reason that I always adjust my withholding to ensure that I owe a small amount at tax time....

#69 stogie1020, 09-20-2017, 11:10 AM
Originally Posted by AZuser
Your application probably never made it through. Data probably got siphoned and sent to hackers.

Equifax's credit report monitoring site is also vulnerable to hacking ZDNet



No update to story in over a week so that means no response from Equifax yet?
FFS, thanks...


What an effing mess.

#70 AZuser, 09-20-2017, 05:11 PM
The people working at/running this company are a joke.



https://www.cnbc.com/2017/09/20/equi...hing-site.html

Equifax tweets sent victims to phishing site
  • The company has since deleted the incorrect tweets.
  • The mistake comes amid other misinformation or confusion among consumers

Put another check in the Equifax goof column.

As if consumers weren't already confused enough when they tried to find out if they were part of the credit reporting company's massive data breach, at least some of them were misdirected to a phishing website by Equifax itself, according to various published reports.

Over the last couple of weeks, tweets from the official Equifax account and signed by "Tim" directed a handful of Twitter users to a fake site instead of to the official Equifax site set up specifically to help concerned consumers, Equifaxsecurity2017.com.

The fake site used an address similar to the valid Equifax site. Instead of offering help, the site mocks Equifax for "using a domain that's so easily impersonated by phishing sites."

Equifax has since deleted the tweets.

"All posts using the wrong link have been taken down," a company spokesperson said. "We apologize for the confusion."

Equifax has said that the personal information of 143 million consumers was potentially compromised in the cyberattack revealed by the company Sept. 7.

The takeaway from all this: You need to triple check that you've landed on the right webpage.

And more questionable trading activity...

House Finance Committee delves into unusual Equifax options trades: CNBC | Reuters

September 20, 2017

NEW YORK (Reuters) - The House Financial Services Committee is seeking information about certain Equifax Inc (EFX.N) options trades made weeks before the credit reporting company disclosed a data breach, according to a CNBC report on Wednesday.

Equifax options drew an unusually large trade less than three weeks before Sept. 7, when Equifax disclosed that personal details of as many as 143 million U.S. consumers were accessed by hackers between mid-May and July.

On Aug. 21, 2,500 put contracts betting on Equifax shares dipping below $135 by Sept. 15 traded for a total price of about $181,000.

By end of trading on Sept. 8, these puts were worth about $2.6 million, according to options analytics firm Trade Alert data.

Buying of put options conveys the right to sell shares at a fixed price in the future and indicates a bearish bias, while selling puts would imply a bullish outlook.

Options activity has been known to spike before the public announcement of information that moves stock prices, and the U.S. Securities and Exchange Commission has in the past announced enforcement action for alleged insider trading involving options.

A spokeswoman for the U.S. Securities and Exchange Commission declined to comment.

Last edited by AZuser; 09-20-2017 at 05:16 PM.
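Added example (not part of the thread or of the quoted CNBC article): a small check of the kind the article's takeaway calls for, comparing a link's host with the official domain the article names, Equifaxsecurity2017.com, and flagging near-misses. The brand-word split, the distance threshold of 2 and the `.example` sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "equifaxsecurity2017.com"           # official site named in the article
BRAND_LABEL = OFFICIAL.split(".")[0]
BRAND_WORDS = ("equifax", "security", "2017")  # assumed split of that label


def hostname(url: str) -> str:
    """Return the lower-cased host of a URL, accepting bare hosts as well."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Label a link as official, a lookalike (with the reason) or unrelated."""
    host = hostname(url)
    if not host:
        return "invalid"
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    for label in host.split("."):
        if label == BRAND_LABEL:            # official name under another domain
            return "lookalike:brand-under-other-domain"
        if edit_distance(label, BRAND_LABEL) <= 2:
            return "lookalike:typo"
        if all(word in label for word in BRAND_WORDS):
            return "lookalike:reordered"
    return "unrelated"


# Constructed samples; the .example hosts are reserved names, not real sites.
SAMPLES = ["https://www.equifaxsecurity2017.com/", "equifaxsecurty2017.example",
           "equifax2017security.example", "https://www.example.org/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):36} {url}")
```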
Old 09-24-2017, 05:32 PM
  #71  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
https://krebsonsecurity.com/2017/09/...it-freeze-pin/

Experian Site Can Give Anyone Your Credit Freeze PIN

Sep. 17, 2017

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze.

After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.

Here’s a sample of the KBA questions the site asked one reader:

1. Please select the city that you have previously resided in.

2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.

3. Which of the following people live or previously lived with you at the address you provided?

4. Please select the model year of the vehicle you purchased or leased prior to July 2017.

I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.

This is yet another example of how someone or some entity other than the credit bureaus needs to be put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.

Experian has not yet responded to requests for comment.

While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.
Old 09-26-2017, 10:30 AM
  #72  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
Now to get rid of the board members.

Let's see what golden parachute he gets.

https://www.wsj.com/articles/equifax...ach-1506431571

Equifax CEO Richard Smith to Exit Following Massive Data Breach

Paulino do Rego Barros Jr. named interim leader as the board searches for a successor

Sept. 26, 2017 10:19 a.m. ET

Equifax Inc. said Chairman and Chief Executive Richard Smith will step aside and the embattled credit-reporting firm will begin a search for a replacement as it continues to grapple with the aftershocks of its massive hack.

Paulino do Rego Barros Jr., who was most recently Equifax’s president for the Asia-Pacific region, has been appointed interim CEO. He was one of a handful of senior executives that Mr. Smith had been grooming as a possible successor in recent years, according to people familiar with the matter. Current director, Mark Feidler, will serve as the nonexecutive chairman.

“The board remains deeply concerned about and totally focused on the cybersecurity incident. We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again,” Mr. Feidler said in the company’s statement.

“Speaking for everyone on the board, I sincerely apologize.” He added that the board has formed a special committee to focus on “the issues arising from the incident and to ensure that all appropriate actions are taken.”

Mr. Smith, who the board said would retire as of Tuesday, had been due to appear next week before two congressional committees. Mr. Smith is still expected to testify next week before the House Energy Committee, according to a person familiar with the matter. It isn’t clear if he will also appear before the Senate Banking Committee. Equifax said Mr. Smith will continue as an unpaid adviser to the company during the transition.

“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Mr. Smith said in a statement issued by the company. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”

Before the breach, Mr. Smith had told people he didn’t plan to leave the company for at least the next two years, according to a person familiar with the matter. Even after the hack disclosure, Mr. Smith shared that he didn’t want to leave the company until he had helped resolve the problem, the person added.

When Mr. Smith took over as CEO in 2005, Equifax was a staid, slow-growing credit-reporting company, according to remarks he made last month at an event. He set about to transform the company by expanding the amount of data it stored about consumers and monetizing it.

Mr. Smith did so by acquiring companies that had information about consumers’ employment histories, salaries and savings while also expanding internationally to places like Australia and India. The result was that by 2016, credit-reporting activities accounted for less than a third of revenue versus about 80% a decade earlier.
Old 09-26-2017, 04:55 PM
  #73  
Team Owner
Thread Starter
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,328
Received 2,045 Likes on 1,134 Posts
Golden parachute away!
Old 09-26-2017, 04:58 PM
  #74  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
I wish some of them got a golden shower instead....
Old 09-26-2017, 05:26 PM
  #75  
Dan
Safety Car
 
Dan's Avatar
 
Join Date: Jan 2001
Location: West Covina, CA
Age: 73
Posts: 3,972
Received 220 Likes on 127 Posts
Originally Posted by stogie1020
I wish some of them got a golden shower instead....
We are not talking about Trump!
Old 09-26-2017, 08:50 PM
  #76  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
Originally Posted by Dan
We are not talking about Trump!
Neither am I.
Old 09-27-2017, 06:42 AM
  #77  
Moderator
iTrader: (1)
 
justnspace's Avatar
 
Join Date: Feb 2010
Posts: 86,295
Received 16,260 Likes on 11,971 Posts
Sonic Drive-in Breach. Millions of credit and debit cards at risk.
Old 09-27-2017, 10:20 AM
  #78  
Senior Moderator
 
thoiboi's Avatar
 
Join Date: Apr 2010
Location: SoCal, CA
Posts: 46,869
Received 8,577 Likes on 6,627 Posts
Shiet.. glad I don't eat there
Old 09-27-2017, 10:25 AM
  #79  
Moderator
iTrader: (1)
 
justnspace's Avatar
 
Join Date: Feb 2010
Posts: 86,295
Received 16,260 Likes on 11,971 Posts
me either, but still concerning that bad people are going for millions of CC's
Old 09-27-2017, 10:26 AM
  #80  
Senior Moderator
 
thoiboi's Avatar
 
Join Date: Apr 2010
Location: SoCal, CA
Posts: 46,869
Received 8,577 Likes on 6,627 Posts
Ehh, they're just stealing Visa/MC/Amex's money, not mine

Just cancel and get a new number for the consumer.

