2017 Equifax data breach

From HandWiki
Short description: Major cybersecurity incident

The Equifax data breach occurred between May and July 2017 at the American credit bureau Equifax. Private records of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft. In a settlement with the United States Federal Trade Commission, Equifax offered affected users settlement funds and free credit monitoring.

In February 2020, the United States government indicted members of China's People's Liberation Army for hacking into Equifax and plundering sensitive data as part of a massive heist that also included stealing trade secrets, though the Chinese Communist Party denied these claims.[1][2]

Data breach

A key security patch for Apache Struts was released on March 7, 2017, after a security exploit was found, and all users of the framework were urged to update immediately.[3] As early as March 10, 2017, security experts found an unknown hacking group scanning for websites that had failed to update Struts in order to find a system to exploit.[4]

As determined through postmortem analysis, the breach at Equifax started on May 12, 2017, when Equifax had yet to update its credit dispute website with the new version of Struts.[5][6] The hackers used the exploit to gain access to internal servers on Equifax's corporate network. The information first pulled by the hackers included internal credentials for Equifax employees, which then allowed the hackers to search the credit monitoring databases under the guise of an authorized user. Using encryption to further mask their searches, the hackers performed more than 9000 scans of the databases, extracted information into small temporary archives that were then transferred off the Equifax servers to avoid detection, and removed the temporary archives once complete.[7] The activities went on for 76 days until July 29, 2017, when Equifax discovered the breach[8][9][10] and subsequently, by July 30, 2017, shut off the exploit.[4] At least 34 servers in twenty different countries were used at different points during the breach, making tracking the perpetrators difficult.[7] While the failure to update Struts was a key failure, analysis of the breach found further faults in Equifax's system that made it easy for the breach to occur, including the insecure network design which lacked sufficient segmentation,[11] potentially inadequate encryption of personally identifiable information (PII),[12] and ineffective breach detection mechanisms.[13]

Information accessed in the breach included first and last names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers for an estimated 143 million Americans, based on Equifax's analysis.[9] Information on an estimated range of under 400,000 up to 44 million British residents as well as 8,000 Canadian residents was also compromised.[14][15][16][17][18] Equifax later revealed that an additional 11,670 Canadians were affected as well.[19] Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personally identifiable information for approximately 182,000 U.S. consumers, were also accessed.[20][10]

Since the initial disclosure in September 2017, Equifax expanded the number of records they discovered were accessed. In both October 2017 and March 2018, Equifax reported that an additional 2.5 and 2.4 million American consumer records were accessed, respectively, bringing the total to 147.9 million.[21][22] Equifax narrowed its estimate for UK consumers affected by the breach to 15.2 million in October 2017,[23][24] of which 693,665 had sensitive personal data disclosed.[25][26][23][27][24] Equifax also estimated the number of drivers' licenses breached in the attack to be 10-11 million.[28][29][30]

Security experts expected that the lucrative private data from the breach would be turned around and sold on black markets and the dark web, though as of May 2021, there has been no sign of any sale of this data.[1] Because the data did not immediately show up in the first 17 months following the breach, security experts theorized that either the hackers behind the breach were waiting for a significant amount of time before selling the information since it would be too "hot" to sell that close to the breach, or that a nation-state was behind the breach and planning on using the data in a non-financial manner such as for espionage.[31]

Disclosure and short-term responses

On September 7, 2017, Equifax disclosed the breach and its scope: affecting over 140 million Americans.[32] VentureBeat called the exposure of data on 140+ million customers "one of the biggest data breaches in history."[33] Equifax shares dropped 13% in early trading the day after the breach was made public.[34] Numerous media outlets advised consumers to request a credit freeze to reduce the impact of the breach.[35][36][37][38]

On September 10, 2017, three days after Equifax revealed the breach, Congressman Barry Loudermilk (R-GA), who had been given two thousand dollars in campaign funding from Equifax,[39][40] introduced a bill to the U.S. House of Representatives that would reduce consumer protections in relation to the nation's credit bureaus, including capping potential damages in a class action suit to $500,000 regardless of class size or amount of loss.[41] The bill would also eliminate all punitive damages.[41][42] Following criticism by consumer advocates, Loudermilk agreed to delay consideration of the bill "pending a full and complete investigation into the Equifax breach".[41]

On September 15, Equifax released a statement announcing the immediate departures and replacements of its chief information officer and chief security officer.[10][43] The statement included bullet-point details of the intrusion, its potential consequences for consumers, and the company's response. The company said it had hired cybersecurity firm Mandiant on August 2 to investigate the intrusion internally. The statement did not specify when U.S. government authorities were notified of the breach, although it did assert "the company continues to work closely with the FBI in its investigation".[10]

On September 28, new Equifax CEO Paulino do Rego Barros Jr. responded to criticism of Equifax by promising that the company would, from early 2018, allow "all consumers the option of controlling access to their personal credit data", and that this service would be "offered free, for life".[44]

On October 26, Equifax appointed technology executive Scott A. McGregor to its board of directors. In announcing the change, the board's chairman noted McGregor's "extensive data security, cybersecurity, information technology and risk management experience".[45][46] The Wall Street Journal reported that he joined the board's technology committee, which has duties that include oversight of cybersecurity.[47]

Litigation

Numerous lawsuits were filed against Equifax in the days after the disclosure of the breach.[48][49] In one suit the law firm Geragos & Geragos has indicated they would seek up to $70 billion in damages, which would make it the largest class-action suit in U.S. history.[48] Since October 2017, hundreds of consumers have sued Equifax for the data breach, some winning small claims cases in excess of $9,000, including actual damages, future damages, anxiety, monitoring fees and punitive damages.[50]

In September 2017, Richard Cordray, then director of the Consumer Financial Protection Bureau (CFPB), authorized an investigation into the data breach on behalf of affected consumers. However, in November 2017, Mick Mulvaney, President Donald Trump's budget chief, who was appointed by Trump to replace Cordray, was reported by Reuters to have "pulled back" on the probe, along with shelving Cordray's plans for on-the-ground tests of how Equifax protects data. The CFPB also rebuffed bank regulators at the Federal Reserve Bank, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency who offered to assist with on-site exams of credit bureaus.[51] Senator Elizabeth Warren, who released a report on the Equifax breach in February 2018, criticized Mulvaney's actions, stating: "We're unveiling this report while Mick Mulvaney is killing the consumer agency's probe into the Equifax breach. Mick Mulvaney shoots another middle finger at consumers."[52]

On July 22, 2019, Equifax agreed to a settlement with the Federal Trade Commission (FTC), CFPB, 48 U.S. states, Washington, D.C., and Puerto Rico to alleviate damages to affected individuals and make organizational changes to avoid similar breaches in the future. The total cost of the settlement included $300 million to a fund for victim compensation, $175 million to the states and territories in the agreement, and $100 million to the CFPB in fines.[53] In July 2019, the FTC published information on how affected individuals could file a claim against the victim compensation fund using the website EquifaxBreachSettlement.com.[54]

Perpetrators

The United States Department of Justice announced on February 10, 2020 that they had indicted four members of China's military on nine charges related to the hack, though there has been no additional evidence that China has since used the data from the hack.[55][56][57] The Chinese government denied that the four accused had any involvement with the hack.[1]

Criticism

Following the announcement of the May–July 2017 breach, Equifax's actions received widespread criticism. Equifax did not immediately disclose whether PINs and other sensitive information were compromised, nor did it explain the delay between its discovery of the breach in July and its public announcement in early September.[58] Equifax stated that the delay was due to the time needed to determine the scope of the intrusion and the large amount of personal data involved.[59]

It was also revealed that three Equifax executives sold almost $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public.[60] The company said the executives, including the chief financial officer John Gamble,[61][34] "had no knowledge that an intrusion had occurred at the time they sold their shares".[62] On September 18, Bloomberg News reported that the U.S. Justice Department had opened an investigation to determine whether or not insider trading laws had been violated.[63] "As Bloomberg notes, these transactions were not pre-scheduled trades and they took place on August 2, three days after the company learned of the hack".

When publicly revealing the intrusion to its systems, Equifax offered a website (https://www.equifaxsecurity2017.com[64]) for consumers to learn whether they were victims of the breach. Security experts quickly noted that the website had many traits in common with a phishing website: it was not hosted on a domain registered to Equifax, it had a flawed TLS implementation, and it ran on WordPress, which is not generally considered suitable for high-security applications. These issues led OpenDNS to classify it as a phishing site and block access.[65] Moreover, members of the public wanting to use the Equifax website to learn if their data had been compromised had to provide a last name and six digits of their Social Security number.[66]

The website set up to check whether a person's personal data had been breached (trustedidpremier.com) was determined by security experts and others to return apparently random results instead of accurate information.[66] As with https://www.equifaxsecurity2017.com, this website, too, was registered and constructed like a phishing website, and it was flagged as such by several web browsers.[67]

The Trusted ID Premier website contained terms of use, dated September 6, 2017 (the day before Equifax announced the security breach), which included an arbitration clause with a class action waiver.[68][69] Attorneys said that the arbitration clause was ambiguous and that it could require consumers who accepted it to arbitrate claims related to the cybersecurity incident.[69] According to Polly Mosendz and Shahien Nasiripour, "some fear[ed] that simply using an Equifax website to check whether their information was compromised bound them to arbitration".[70] The equifax.com website has separate terms of use with an arbitration clause and class action waiver, but, according to Brian Fung of The Washington Post, "it's unclear if that applies to the credit monitoring program".[71] New York Attorney General Eric Schneiderman demanded that Equifax remove the arbitration clause.[72] Responding to arbitration-related concerns, on September 8, Equifax issued a statement stating that "in response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident".[72] Joel Winston, a data protection lawyer, argued that the announcement disclaiming the arbitration clause "means nothing" because the terms of use state that they are the "entire agreement" between the parties.[72] The arbitration clause was later removed from equifaxsecurity2017.com,[72] and the equifax.com terms of use were amended on September 12 to state that they do not apply to www.equifaxsecurity2017.com, www.trustedidpremier.com, or www.trustedid.com and to exclude claims arising from those sites or the security breach from arbitration.[73][74]

Responding to continuing public outrage,[75] Equifax announced on September 12, 2017, that they "are waiving all Security Freeze fees for the next 30 days".[76][77]

Equifax has been criticized by security experts for registering a new domain name for the site name instead of using a subdomain of equifax.com. On September 20, 2017, it was reported that Equifax had been mistakenly linking to an unofficial "fake" web site instead of their own breach notification site in at least eight separate tweets, unwittingly helping to direct a reported 200,000 hits to the imitation site. A software engineer named Nick Sweeting created the unauthorized Equifax web site to demonstrate how the official site could easily be confused with a phishing site. Sweeting's site was upfront to visitors that it was not official, however, telling visitors who had entered sensitive information that "you just got bamboozled! this isnt [sic] a secure site! Tweet to @equifax to get them to change it to equifax.com before thousands of people loose [sic] their info to phishing sites!" Equifax apologized for the "confusion" and deleted the tweets linking to this site.[78][79][80]
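The criticism above (a new domain rather than a subdomain of equifax.com, and staff tweeting a link to an imitation site) comes down to a host check that can be automated before a link is published. The following is an added example, not code from Equifax or from the article's sources; the allow-list, brand token, digit-folding table and every `.example` host are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for illustration: the organisation's official registrable
# domain(s) and the brand token(s) that should not appear on other hosts.
OFFICIAL_DOMAINS = {"equifax.com"}
BRAND_TOKENS = {"equifax"}

# Heuristic folding of common digit-for-letter swaps (constructed table).
FOLD = str.maketrans("01345", "oieas")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize_host(url):
    """Return the lower-case ASCII host of an http(s) URL, or None to reject."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname              # lower-cased, port removed
        has_userinfo = parts.username is not None
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if has_userinfo:
        # "https://equifax.com@other.example/" shows a trusted name to the
        # reader but connects to other.example: reject outright.
        return None
    host = host.rstrip(".")                # drop the DNS root dot
    try:
        host = host.encode("idna").decode("ascii")   # Unicode -> punycode
    except UnicodeError:
        return None
    return host or None


def is_under(host, domain):
    """True only for the domain itself or a real subdomain (dot boundary)."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return 'official', 'lookalike', 'external' or 'invalid' for one URL."""
    host = normalize_host(url)
    if host is None:
        return "invalid"
    if any(is_under(host, d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Punycode labels can hide homoglyphs of an ASCII brand: send to review.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    folded = host.replace("-", "").translate(FOLD)
    if any(token in folded for token in BRAND_TOKENS):
        return "lookalike"
    return "external"


def vet_post(text):
    """Return (url, verdict) for every link in a draft that is not official."""
    findings = []
    for match in URL_RE.findall(text):
        url = match.rstrip(".,;:!?)")      # trailing sentence punctuation
        verdict = classify(url)
        if verdict != "official":
            findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    # Constructed draft; the first host is the breach site named on this page.
    draft = ("Check your status at https://www.equifaxsecurity2017.com, "
             "or see https://www.equifax.com/personal/.")
    for url, verdict in vet_post(draft):
        print(f"{verdict:10} {url}")
```

Under this policy the official breach site itself is reported as a lookalike, which is the critics' point: a reader or a tool cannot tell a brand-bearing domain outside equifax.com from an imitation.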

References

  1. "Data from Equifax credit hack could "end up on the black market," expert warns". CBS News. February 11, 2020. https://www.cbsnews.com/news/china-denies-responsibility-in-equifax-breach-after-doj-charges-four-military-members/.
  2. "Four Members of China's Military Indicted Over Massive Equifax Breach". The Wall Street Journal. February 11, 2020. https://www.wsj.com/articles/four-members-of-china-s-military-indicted-for-massive-equifax-breach-11581346824. 
  3. "CVE-2017-5638 - Apache Struts2 S2-045 #8064". GitHub. March 7, 2017. https://github.com/rapid7/metasploit-framework/issues/8064. 
  4. Ng, Alfred (September 7, 2018). "How the Equifax hack happened, and what still needs to be done". CNet. https://www.cnet.com/news/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/.
  5. Whittaker, Zack. "Equifax confirms Apache Struts flaw it failed to patch was to blame for data breach" (in en). https://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/. 
  6. "Failure to patch two-month-old bug led to massive Equifax breach" (in en-us). September 14, 2017. https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/. 
  7. Bomey, Nathan (February 10, 2020). "How Chinese military hackers allegedly pulled off the Equifax data breach, stealing data from 145 million Americans". USA Today. https://www.usatoday.com/story/tech/2020/02/10/2017-equifax-data-breach-chinese-military-hack/4712788002/.
  8. Equifax (September 7, 2017), Rick Smith, Chairman and CEO of Equifax, on Cybersecurity Incident Involving Consumer Data., https://www.youtube.com/watch?v=bh1gzJFVFLc, retrieved September 12, 2017 
  9. Haselton, Todd (September 7, 2017). "Credit reporting firm Equifax says cybersecurity incident could potentially affect 143 million US consumers". https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html.
  10. "Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes" (in en). https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832.
  11. Newman, Lily Hay. "How to Stop the Next Unstoppable Mega-Breach—Or Slow It Down". WIRED. https://www.wired.com/story/how-to-stop-breaches-equifax. 
  12. Gallagher, Sean. "Equifax hackers stole data for 200k credit cards from transaction history" (in en-us). Ars Technica. https://arstechnica.com/information-technology/2017/09/equifax-hackers-stole-data-for-200k-credit-cards-from-transaction-history/. 
  13. Lomas, Natasha. "Equifax breach disclosure would have failed Europe's tough new rules" (in en). TechCrunch. https://techcrunch.com/2017/09/08/equifax-breach-disclosure-would-have-failed-europes-tough-new-rules/. 
  14. Shepardson, David (October 2, 2017). "Equifax failed to patch security vulnerability in March: former CEO". Reuters. https://www.reuters.com/article/us-equifax-breach/equifax-failed-to-patch-security-vulnerability-in-march-former-ceo-idUSKCN1C71VY.
  15. Hern, Alex (September 8, 2017). "Equifax told to inform Britons whether they are at risk after data breach". The Guardian. https://www.theguardian.com/technology/2017/sep/08/equifax-told-to-inform-britons-whether-they-are-at-risk-after-data-breach. 
  16. Isai, Vjosa (September 7, 2017). "Canadians among 143 million people affected in Equifax hack". The Toronto Star. https://www.thestar.com/business/2017/09/07/equifax-says-data-breach-may-affect-143-million-people-in-us.html. "Hackers targeted names, Social Security numbers, birth dates, addresses and driver's licence numbers, Equifax said in a statement. "Limited personal information" from residents in Canada and the U.K. was also accessed, it said." 
  17. "Equifax confirms Britons hit by breach" (in en-GB). BBC News. September 15, 2017. https://www.bbc.com/news/technology-41286638. 
  18. Ligaya, Armina (September 19, 2017). "Equifax says 100,000 Canadians affected by cyberattack" (in en-CA). CTVNews. http://www.ctvnews.ca/business/equifax-says-100-000-canadians-affected-by-cyberattack-1.3596081. 
  19. "Equifax doubles number of Canadians hit by breach, now more than 19,000 | CBC News" (in en-US). CBC. https://www.cbc.ca/news/business/equifax-canadians-affected-update-1.4424066. 
  20. "Cybersecurity Incident & Important Consumer Information | Equifax" (in en-US). https://www.equifaxsecurity2017.com/. 
  21. Weise, Elizabeth; Bomey, Nathan (October 2, 2017). "Equifax breach hit 2.5 million more Americans than first believed". USA Today. https://www.usatoday.com/story/tech/2017/10/02/equifax-breach-hit-2-5-million-more-americans-than-first-believed/725100001/. 
  22. "Equifax Data Breach Lawsuit", Morgan & Morgan.
  23. "Equifax says 15.2 million UK records exposed in cyber breach". Reuters. October 10, 2017. https://www.reuters.com/article/us-equifax-cyber/equifax-says-15-2-million-uk-records-accessed-in-cyber-breach-idUSKBN1CF2JU.
  24. "Latest information on the Equifax cyber incident - NCSC Site". https://www.ncsc.gov.uk/information/latest-information-equifax-cyber-incident.
  25. "Equifax Hackers Stole Info on 693,665 UK Residents — Krebs on Security". https://krebsonsecurity.com/2017/10/equifax-hackers-stole-info-on-693665-uk-residents/. 
  26. Staff; agencies (October 11, 2017). "Personal details of almost 700,000 Britons hacked in cyber-attack". https://www.theguardian.com/technology/2017/oct/11/personal-details-of-almost-700000-britons-hacked-in-cyber-attack. 
  27. "Equifax hack hit 694,000 UK customers". October 10, 2017. https://www.bbc.co.uk/news/business-41575188. 
  28. "Equifax Breach Exposed Driver's License Data for 11 Million Americans". https://www.msn.com/en-us/money/us/equifax-breach-exposed-driver%E2%80%99s-license-data-for-11-million-americans/vp-AAtiY9c. 
  29. Chin, Monica (October 11, 2017). "On top of everything else, Equifax hackers got 10 million driver's licenses". http://mashable.com/2017/10/11/equifax-hackers-got-drivers-licenses/. 
  30. "Equifax hackers took driver's license info on 10M Americans". https://www.cnet.com/news/equifax-hackers-took-10-million-americans-drivers-license-info/. 
  31. Fazzini, Kate (February 13, 2020). "The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme". CNBC. https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html. 
  32. Mathews, Lee. "Equifax Data Breach Impacts 143 Million Americans" (in en). https://www.forbes.com/sites/leemathews/2017/09/07/equifax-data-breach-impacts-143-million-americans/. 
  33. "The end of the cloud is coming", VentureBeat, Victor Charypar, November 4, 2017
  34. Melin, Anders (September 7, 2017). "Three Equifax Managers Sold Stock Before Cyber Hack Revealed". Bloomberg.com. https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack.
  35. "A Guide to Surviving the Equifax Data Breach". CNET. https://www.cnet.com/uk/how-to/a-guide-to-surviving-equifax-data-breach/. 
  36. Lieber, Ron (September 10, 2017). "After Equifax Breach, Here's Your Next Worry: Weak PINs". The New York Times. https://www.nytimes.com/2017/09/10/your-money/identity-theft/equifax-breach-credit-freeze.html. 
  37. "How to freeze your credit after a data breach". The Verge. https://www.theverge.com/2017/9/8/16276194/credit-freeze-equifax-how-to-data-breach. 
  38. Fung, Brian (September 9, 2017). "After the Equifax breach, here's how to freeze your credit to protect your identity". The Washington Post. https://www.washingtonpost.com/news/the-switch/wp/2017/09/09/after-the-equifax-breach-heres-how-to-freeze-your-credit-to-protect-your-identity/. 
  39. Levin, Bess (September 12, 2017). "Equifax Lobbied to Gut Regulations Right Before Getting Hacked". https://www.vanityfair.com/news/2017/09/equifax-lobbied-to-gut-regulations-right-before-hack. 
  40. "Equifax Inc Contributions to Federal Candidates, 2016 cycle". https://www.opensecrets.org/pacs/pacgot.php?cmte=C00143867&cycle=2016. 
  41. Weisbaum, Herb. "Republicans in Congress Want to Roll Back Regulations on Credit Bureaus". NBC News. September 11, 2017. Retrieved September 18, 2017.
  42. Lazarus, David (September 19, 2017). "Despite Equifax hack, GOP lawmakers want to deregulate credit agencies". Los Angeles Times. https://www.latimes.com/business/lazarus/la-fi-lazarus-republican-credit-agency-bills-20170919-story.html. 
  43. Shaban, Hamza (September 15, 2017). "Two Equifax executives will retire following massive data breach" (in en-US). The Washington Post. ISSN 0190-8286. https://www.washingtonpost.com/news/the-switch/wp/2017/09/15/two-equifax-executives-will-retire-following-massive-data-breach/. 
  44. "New Equifax CEO offers "sincere and total apology" to consumers". September 28, 2017. https://arstechnica.co.uk/tech-policy/2017/09/equifax-ceo-apology/. 
  45. "Equifax Names Scott McGregor as New Independent Director" (Press release). Atlanta, Georgia: Equifax. October 26, 2017. Retrieved June 20, 2020 – via PRNewswire.
  46. "Cybersecurity Expert Scott McGregor Joins Equifax Board" (in en). November 6, 2017. https://www.equilar.com/blogs/329-cybersecurity-expert-scott-mcgregor-joins-equifax-board.html. 
  47. Nash, Kim S.; Lublin, Joann S.; Andriotis, AnnaMaria (January 10, 2018). "Boards Seek Bigger Role in Thwarting Hackers: Equifax breach triggered broad reassessment of cybersecurity oversight, experts say". The Wall Street Journal. https://www.wsj.com/articles/boards-seek-bigger-role-in-thwarting-hackers-1515596400. 
  48. Mills, Chris (September 8, 2017). "Equifax is already facing the largest class-action in history". bgr.com. http://bgr.com/2017/09/08/equifax-hack-lawsuit-class-action-how-to-join/.
  49. Thadani, Trisha (September 13, 2017). "Lawsuit against Equifax filed in federal court in San Jose". SFGate.com. http://m.sfgate.com/business/article/Lawsuit-against-Equifax-filed-in-federal-court-in-12192966.php. 
  50. "People are taking Equifax to small-claims court — and winning". https://finance.yahoo.com/news/people-successfully-suing-equifax-almost-10000-app-193607932.html. 
  51. Patrick Rucker, “U.S. consumer protection official puts Equifax probe on ice”, Reuters, February 5, 2018, Retrieved February 16, 2018
  52. Stewart, Emily (February 7, 2018). "Elizabeth Warren warns Equifax could "wiggle off the hook" for users' credit data getting hacked". https://www.vox.com/policy-and-politics/2018/2/7/16984522/elizabeth-warren-equifax-data-breach-cfpb. 
  53. "Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach" (in en). July 19, 2019. https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related. 
  54. "Equifax Data Breach Settlement" (in en). July 11, 2019. https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement. 
  55. Benner, Katie (February 10, 2020). "U.S. Charges Chinese Military Officers in 2017 Equifax Hacking". The New York Times. https://www.nytimes.com/2020/02/10/us/politics/equifax-hack-china.html. 
  56. Mariam, Baksh. "Chinese Military Officers Hacked Equifax, Justice Department Says". Defense One. https://www.defenseone.com/technology/2020/02/chinese-military-officers-hacked-equifax-justice-department-says/163013/?oref=d-river. 
  57. "The US says the Chinese military hacked Equifax. Here's how". https://www.technologyreview.com/2020/02/10/349004/the-us-says-the-chinese-military-hacked-equifax-heres-how/. 
  58. "6 Unanswered Questions For Equifax After A Massive Data Breach Of 143-Million Americans' Personal Information" (in en-US). September 8, 2017. https://www.inc.com/joseph-steinberg/6-unanswered-questions-for-equifax-after-a-massive.html. 
  59. "Cybersecurity Incident & Important Consumer Information". Equifax. 2017. https://www.equifaxsecurity2017.com/frequently-asked-questions/. 
  60. Melin, Anders (September 7, 2017). "Three Equifax Managers Sold Stock Before Cyber Hack Revealed". Bloomberg.com. https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack. 
  61. Solon, Olivia (September 7, 2017). "Credit firm Equifax says 143m Americans' social security numbers exposed in hack". The Guardian. https://www.theguardian.com/us-news/2017/sep/07/equifax-credit-breach-hack-social-security.
  62. Morley, Katie (September 8, 2017). "Equifax hack: 44 million Britons' personal details feared stolen in major US data breach". The Daily Telegraph. https://www.telegraph.co.uk/technology/2017/09/08/equifax-hack-britons-data-watchdog-investigates-ukimpact-major/. 
  63. "Equifax Stock Sales Are the Focus of U.S. Criminal Probe". Bloomberg.com. September 18, 2017. https://www.bloomberg.com/news/articles/2017-09-18/equifax-stock-sales-said-to-be-focus-of-u-s-criminal-probe. 
  64. Bahney, Anna. "6 Equifax hack rumors fact-checked". CNNMoney. https://money.cnn.com/2017/09/11/pf/equifaxmyths/index.html. 
  65. "Why the Equifax breach is very possibly the worst leak of personal info ever". CNBC. https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/. 
  66. "Equifax's hack checker is a hot mess -- here's what to do". https://www.cnet.com/uk/how-to/psa-equifaxs-hack-checker-is-a-hot-mess/.
  67. Krebs, Brian. "Equifax or Equiphish? — Krebs on Security". krebsonsecurity.com. https://krebsonsecurity.com/2017/09/equifax-or-equiphish/. 
  68. Chacos, Brad (September 8, 2017). "Equifax hack: How to know if you're affected". https://www.pcworld.com/article/3223142/security/equifax-hack-how-to-know-affected-data-breach.html. 
  69. Robertson, Adi (September 8, 2017). "Can you join a class action suit if you use Equifax's free identity theft protection?". https://www.theverge.com/2017/9/8/16276572/equifax-hack-protection-class-action-lawsuit-terms-of-service.
  70. Mosendz, Polly; Nasiripour, Shahien (September 8, 2017). "Equifax's Hacking Nightmare Gets Even Worse For Victims". https://www.bloomberg.com/news/articles/2017-09-08/equifax-s-hacking-nightmare-gets-worse-thanks-to-arbitration-clause. 
  71. Fung, Brian (September 8, 2017). "By signing up on Equifax's help site, you risk giving up your legal rights". https://www.chicagotribune.com/business/ct-equifax-data-breach-website-arbitration-20170908-story.html. 
  72. "Equifax finally responds to swirling concerns over consumers' legal rights" (in en-US). The Washington Post. https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/.
  73. "Frequently Asked Questions - Cybersecurity Incident & Important Consumer Information | Equifax". https://www.equifaxsecurity2017.com/frequently-asked-questions/#consumer-faqs. "When were the Terms of Use for TrustedID Premier updated? ... We updated the Equifax product Terms of Use on www.equifax.com on September 12, 2017 to state that those terms do not apply to the TrustedID Premier product or the cybersecurity incident" 
  74. "Terms of Use". September 12, 2017. https://www.equifax.com/terms/. 
  75. "What Equifax owes us all: A free credit freeze at all agencies, for starters, and loads of answers". September 12, 2017. http://www.nydailynews.com/opinion/equifax-owes-article-1.3490673. 
  76. Kirsch, Melissa (September 12, 2017). "Equifax Is Waiving Their Credit-Freeze Fees for 30 Days". http://lifehacker.com/equifax-is-waiving-their-credit-freeze-fees-for-30-days-1805663077. 
  77. Hatmaker, Taylor. "Equifax says that it will waive credit freeze fees for 30 days". https://techcrunch.com/2017/09/12/will-equifax-waive-credit-freeze-fees/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAD2zpeNQ6JWn5CgncoI7SXayxN9_H9fkOEoIl3lf7AlVsjo2AII1jpwdfqu9QH8VEBieAgXT-qqarxAz-bpkdZQE4A8yhlv_b-Fil6EbrCOy6eaduSVx90vhsLeiKcXKmb2a-Eh2HCymKTu-nDrIqSrOALLGokFK-XXaXC8AnNgO. 
  78. Astor, Maggie (September 20, 2017). "Someone Made a Fake Equifax Site. Then Equifax Linked to It." (in en-US). The New York Times. ISSN 0362-4331. https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html. 
  79. "Equifax sends breach victims to fake notification site" (in en-us). https://arstechnica.com/information-technology/2017/09/equifax-directs-breach-victims-to-fake-notification-site/. 
  80. Morse, Jack. "Equifax has been directing victims to a fake phishing site for weeks" (in en). Mashable. http://mashable.com/2017/09/20/equifax-twitter-phishing-site-facepalm.