IRS hands fraud prevention contract to Equifax despite massive hack

You’d think that government agencies would be reluctant to work with Equifax given that it just exposed the private info of more than 145 million people through a preventable hack, but a massive data breach apparently isn’t enough of a deterrent. The Internal Revenue Service recently awarded Equifax a fraud prevention contract that will have it verifying taxpayer identities. And crucially, it was a no-bid, “sole source” contract — Equifax was deemed the only company capable of fulfilling demand.

In practice, officials didn’t have much of a choice. Credit reporting in the US is dominated by three large companies (Equifax, Experian and TransUnion), and Equifax is arguably the powerhouse of the bunch. However, that only underscores the problem here: the IRS had to trust a crucial anti-fraud system to a company that not only had sloppy online security practices, but has been reluctant to take full responsibility for its mistakes.

There’s a real chance that the hack will get Equifax to clean up its act in time to improve its handling of IRS data. We wouldn’t count on it, though, and there’s always the possibility that the IRS will fall afoul of the kind of data breach that prompted this anti-fraud contract in the first place.

Via: Politico
Source: FedBizOpps.gov


A series of delays and major errors led to massive Equifax breach

A series of costly delays and crucial errors caused Equifax to remain unprotected for months against one of the most severe Web application vulnerabilities in years, the former CEO for the credit reporting service said in written testimony investigating the massive breach that exposed sensitive data for as many as 143 million US consumers.

Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.

“We at Equifax clearly understood that the collection of American consumer information and data carries with it enormous responsibility to protect that data,” Smith wrote in testimony provided to the US House Subcommittee on Digital Commerce and Consumer Protection. “We did not live up to that responsibility.”


Equifax CEO Richard Smith suddenly decides to ‘retire’

Equifax has been in the news lately for all the wrong reasons, following a chain of blunders and mismanagement after it revealed that a security breach leaked the personal data of 143 million people. This morning, the CEO of Equifax and chairman of its board, Richard Smith, retired effective immediately.

In a release, Equifax stated that it has appointed Paulino do Rego Barros, Jr., as interim CEO. He’s been with the company for seven years and most recently was the president of Equifax’s Asia Pacific division. Smith will stay on as an unpaid advisor to oversee a smooth transition. He cites the reason for his departure as the data breach: “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” he said.

Smith is the latest casualty of the epic breach (their Chief Security Officer and Chief Information Officer also “retired”), which has been catastrophically mishandled by Equifax. The company’s failure to patch a well-known security hole is the reason hackers were able to gain access to the data. The company’s executives are also under DOJ investigation for suspiciously timed stock sales that occurred after Equifax realized the breach had occurred but before it disclosed information to the public. And their credit freeze PINs had security issues of their own.

It’s unclear whether new management will ease Equifax’s woes, after how mishandled this entire breach has been from the start. Senators have called for credit report changes, allowing for consumers to have more power over their information. It makes sense; credit agencies should be held accountable when they make terrible errors in judgment and don’t take action to protect the sensitive personal data they handle every day.

Via: CNBC
Source: Equifax


Equifax tries to explain its response to a massive security breach

A day after announcing that hackers stole personal information tied to 143 million people in the US, Equifax’s response to the breach has come under scrutiny. Language on the website where people could find out if they were affected seemed to say that by signing up they would waive any right to join a class action suit against the company — something New York Attorney General Eric Schneiderman said is “unacceptable and unenforceable.” The company has since explained it does not apply to the data breach at all, but that hasn’t stopped misinformation from spreading.

After conversations w my office, @Equifax has clarified its policy re: arbitration. We are continuing to closely review. pic.twitter.com/WcPZ9OqMcL
— Eric Schneiderman (@AGSchneiderman) September 8, 2017

Equifax: In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident,

Of course, considering the extent of what has leaked and the number of people affected, a hyperbolic reaction to anything surrounding this incident is understandable. Still, there are a few steps that people can and should take, now that we know someone has stolen more than enough information to perpetrate identity theft on a massive scale.

Now that the language has been clarified, it appears legally clear to use Equifax’s website to check things out. Among Engadget staff, a few of us received notices that we aren’t among those impacted, but most weren’t so lucky. Still, there are questions about how secure the site itself is, since it requests the last six digits of each person’s Social Security number (and guessing the first three isn’t as hard as you might think). Also, it doesn’t appear to work particularly well, responding to test and “gibberish” input with a claim that it’s part of the breach also.

The best information on how to respond is available from the FTC. The government agency lays out solid next steps, like checking your credit report for any suspicious entries, as well as placing a freeze (there’s more advice on that here) and/or fraud alert on your account with the major credit bureaus. This will make it harder for a thief to create a fake account for you and should force creditors to verify your identity. Finally, it’s important to file your taxes early, before a scammer potentially can.

Source: Equifax, FTC
