The Equifax Data Breach

The news broke late last week that hackers have taken almost 150 million records from Equifax. These records include name, address, social security number, birthdate, and in some cases driver’s license information.

This is an identity thief’s treasure trove.

So what should we do about it?

I read Ron Lieber’s suggestions in the New York Times yesterday and did all of that for our family this morning.

That includes putting a freeze on our records at the big four credit agencies:

– Equifax

– Experian

– TransUnion

– Innovis

And putting a fraud alert on file for the next 90 days at the big three:

– Equifax

– Experian

– TransUnion

That took the better part of an hour as you need to do each of these things for each social security number you want to “protect.”

I also went ahead and pulled credit reports for our social security numbers to see if any new credit had been taken out in our names. Hackers may have had this information for quite a while.

None of this feels particularly protective to be honest. We’ve made it harder for someone to take out loans in our names, but I don’t think we’ve made it impossible.

Lenders and others are going to have to get more diligent about detecting and protecting themselves (and us) from identity theft in the wake of this and many other data breaches.

Name, address, social security number, and birthdate should not be considered sufficient information to prove identity and access credit or confidential information any more. This has likely been true for some time, but this breach certainly is the nail in the coffin for that approach (and possibly the credit bureau business model).

It’s time for new approaches to security, identity, and the protection of our financial information. Thankfully, there are a lot of them out there, mostly in startup land.

#hacking finance

Comments (Archived):

  1. BillMcNeely

    i give plasma and to prove my identity they use my fingerprint to log in

  2. karen_e

    Facial recognition is coming right up — in the next iPhone, as I’m sure most readers here know. What else is on offer?

    1. jason wright

      credit options for the $$$$ price. apple is now rent extracting.

  3. William Mougayar

    Video calls are emerging as a practice in ICO land as part of the KYC staircase. There are definitely scores of blockchain related companies working on this. I’ve seen half a dozen in my inbox.

  4. William Mougayar

    Equifax/Transunion/Experian should be on the most hated companies list. Have you ever tried to talk to someone there or figure out how they assess you or report on you, or tried to correct something? They hold so much power over disseminating information about us to all kinds of credit related parties, and you have to pay them $20/month to get access to the full information with credit alerts. So, WE have to pay to see OUR information. Amazing. I hope that model becomes extinct soon.

    1. PhilipSugar

      Could not agree more. We have been thinking about this for more than a decade: … We call it TACT…. I know, another acronym: Transparency, Added Value, Control, Trust.

    2. awaldstein

      No question. Best tweet of yesterday went something like: “5 years ago I missed a cc payment and can’t buy a house. 153m records hacked and they trade pre the news and make a profit.” Would love to see people go to jail.

      1. LE

        The ‘5 years ago I missed a cc payment and can’t buy a house’ part of that tweet is obviously some kind of gross exaggeration. Way overboard in trying to make a point by the tweeter. It is up to the lending institution to decide how they want to use credit scores. They are well aware of how they are formulated and the problems with them. There is little to prevent them from putting in the effort to see beyond the scores (if flawed) or consider special circumstances. That’s lender laziness. Blaming the credit bureaus in this way (by the tweeter; and I’ve questioned the accuracy of the claim to begin with) isn’t productive to solving any problems. [1] [2]

        [1] Yes they have flaws, something must be done. But by not focusing on the real issues much less will get done. It’s just a distraction. You don’t go to court and argue points that can be easily disproven as it will take away from the valid points you might be trying to make.

        [2] This is also similar to blaming the college board and SATs when the issue really is colleges’ reliance on the SATs as well as test scores and the entire legacy system. And of course, as I always like to mention, college ranking lists.

        1. awaldstein

          You miss the metaphor of the language. It was just that.

          1. LE

            I didn’t miss it at all. I don’t like when people write shit like that and in that way. To me it isn’t productive. And you are wrong in assuming that everyone who reads that tweet will think like you do at your educational level. Do you think the same when people go mouthing off and saying racist and/or offensive things about women? In that case everything that comes out of their mouth is taken 100% seriously as a fact. You don’t want to hear ‘oh it’s a metaphor’ or ‘oh I was only joking/kidding’. And no that isn’t a third rail either. Separately, w/o knowing who or where the tweet came from it’s not possible to even prove your point either. People say shit like that all the time when it’s ‘pile on time’. There have been plenty of stories bandied about each trying to top the other in terms of ‘bad guy things’. We see this with airlines, the police, and every time someone gets into some jam they just exaggerate and often outright lie.

        2. Susan Rubinsky

          You vastly underestimate the power these companies have. I was declined by numerous rental agencies two years ago because of my credit score. I contacted over 20 rental agencies to rent an apartment. Not one would touch me because of my credit report despite my having zero debt and the cash to pay. I ended up with only one landlord willing to work with me. I had to prove I owned over $100K in liquid assets and submit three years of income tax forms. All to rent a five room apartment in Bridgeport, CT. The only reason I found an apartment was because I found one that was being managed by the owner who only owns a handful of properties and is a member of the local community where I was moving to. The banks and other entities do use these reports to make their decisions without regard to whether they are accurate or whether they accurately reflect your true financial worth.

          1. LE

            “You vastly underestimate the power these companies have.” Not at all, and yes I feel bad for what happened to you. But once again the problem is with the people that are making the decisions and not with the fact that companies provide these scores and how that entire business works. But yes it’s bad.

            In the market that I rent properties in I recently rented to a therapist (commercial property) that had a 600’s score. Newly divorced woman. She pays late every month and pays a fee for doing so. [1] In other cases with commercial properties I basically evaluate just seat of the pants. Why? Because I am lucky to even get a tenant. It’s not NYC (or Bridgeport; don’t know the market there). In another case a guy who had just graduated from dental school (with, I assume, a mountain of debt) wanted to rent a place and I essentially just verified that he got a job and went with it just like that. Saw his dad was a dentist but didn’t make him sign. Funny, one of my medical tenants continued to pay rent after they had moved out! True story that actually happens. Didn’t even check their credit when they moved in. [2]

            When my daughters had to rent in NYC of course it’s much different. All sorts of personal guarantees. Is that the fault of the landlords? Or is it the fault of all the people who want to rent (what I call the honest competition) that agree to do what the landlord requires? So sure the competition changes things here, right? And you know my daughters could have gotten jobs somewhere else where the landlord wouldn’t have done what they do in NYC. But that wouldn’t be good for them. That said I am not operating at scale. So what I do is going to be different than a large landlord that has been burned. And you know if you deal with enough ‘good people’ you will get burned and then change your ways. Even I realize that; I learned it in the 80’s in a different business. Person who burned us? A family friend where we didn’t check D&B.

            [1] And very stupid also. She is 15 days late every month and predictably pays the late fee. She apparently can’t get her act together enough to just be 10 days earlier (5 days grace) and save the late fee.

            [2] So here is the seed of the problem. The people who work for lenders aren’t me and don’t have the same brain and ability. So they (at scale) can only rely on scores. They are ‘single function’ machines. They follow formulas. These are everyday people. No system in the world is going to get you beyond sucky mediocre everyday people.

          2. William Mougayar

            So many stories like yours, i’m sure.

          3. awaldstein

            so so so many. if you own a startup that has a lot of capital float on cc, this rolls back up hill and bites you as well.

      2. William Mougayar

        and they are a double-sided marketplace. they charge businesses for each credit inquiry.

        1. awaldstein

          Yup – they print money at the customers’ expense. Truly horrid. How to unpack this monster without it hurting us all is the issue.

        2. Sudha Lakshmi

          What’s the second side of the marketplace? Businesses on one side, of course, but who’s on the other side? People like us, whose credit is being assessed, of course. But none of us ever formally became their customers, obviously. So they’re simply using our data anyway, entirely without our consent. Completely infuriating – ugh!

          1. William Mougayar

            yup, but they also offer paid services if you really want to see your complete data.

    3. Kirsten Lambertsen

      We may have found something that everyone here can agree on! The big three credit reporting agencies (in fact purveyors of consumer data and mailing lists) are the spawn of Satan, and Satan is FICO. Biggest racket going. They make money on selling my data and then have the audacity to charge me a fee to look at my own data. Pigs. I pay for regular access to my actual credit reports (not the FAKE free ones advertised on TV), and none of them have sent me a notification about this. None. Damn FICO and all who sail in it.

      1. JLM

        Not only that, they are going to charge $5-12 to freeze each account.

        JLM
        www.themusingsofthebigredca…

        1. William Mougayar

          Highway robbery.

    4. jason wright

      it’s a SCAM

      1. awaldstein

        It is also life.

        1. gCat

          life’s a scam

          1. awaldstein

            Life is a kick. Work is honestly more exciting than ever. Watching the credit and health industries get disrupted will be a huge pleasure.

    5. ShanaC

      it also isn’t a good system for assessing risk. which is why companies like SoMa came into being.

  5. JamesHRH

    You would think that a multipoint witness authentication would be easy:

    - you are verified by 2 people that you list as people you trust to witness you
    - those people are video called

  6. wwwshare

    Fred, what is UV doing to assure its portfolio companies give priority to data security?; as many startups notoriously low prioritize such effort? Even BIGTech most recent astounding oversights, see, @Verge this week, simple ultrasound takeover of Siri, Alexa Google ‘intelligent assistants’ #newoxymoron?

    1. fredwilson

      we have security and trust and safety as key items in our portfolio network efforts, in addition to the customary stuff like product management, engineer, sales, marketing, HR, etc

  7. LIAD

    Did it cost you anything to perform those procedures? Whole thing stinks to me. Last week’s scam where just by checking if your information has been compromised means rescinding any future claim against them. Then over the weekend where putting fake data leads to a positive result for being compromised and they push you to register for fraud monitoring. Execs sitting on news of leak for weeks whilst they dumped stock. Lazy, rent-seeking incumbents taking the piss.

    1. obarthelemy

      Yes, at least an hour, which at his income level is non-pocket money.

    2. LE

      “means rescinding any future claim against them” – From what I read (in all fairness) not true: … That said, nobody is getting involved in a lawsuit against them as a matter of practicality. And even if you are part of some class action you aren’t going to get anything of significance from being a member of the class anyway. Not even a toaster.

  8. obarthelemy

    Maybe making companies responsible for their screwups? Especially when their segue is to try to get you to sign away your right to sue them? Private corps have been proven so bad at handling ID and security that at this point, a government-run system probably wouldn’t be worse. At least those, we can vote away. Equifax et al will still be fumbling their way to getting paid to give us grades in decades.

    1. Susan Rubinsky

      Dun and Bradstreet now runs gov’t ID and their systems, frankly, suck. I had a municipality mistakenly send me to collections for taxes on a business that I had closed. The town never correctly entered the data into their systems so they kept charging me tax for a business that was defunct and for which I had correctly filed the paperwork. The town sent it to collections because I never received any notices because the business and its location were no longer in service. I have been trying for over three years to rectify this situation to no avail. Dun and Bradstreet won’t accept or post any changes from me. Dun and Bradstreet only will update their system when they get a notification from the municipality, state or federal gov’t. These updates go to Dun and Bradstreet only when the government agency decides to update it — some update quarterly, some update yearly. It’s a freaking nightmare.

      1. Rob Underwood

        Part of the problem is the incredible complexity to all of “this.” Take what you describe — a corner case from a product management and engineer standpoint. But all of these corner cases accumulate to such a point that it seems like virtually no one or business can pass through all these processes without triggering a corner case, an exception.

  9. creative group

    CONTRIBUTORS: A free board lends a hand in assisting anyone in navigating and understanding the complex area of credit. Showing you how to self help in writing proven samples that work, repairing credit and establishing it both for personal and business. www.creditboards.com

    You’re welcome in advance… Captain Obvious…

  10. William Mougayar

    One European development to watch for is the upcoming GDPR (General Data Protection Regulation) standards which will include:

    - Requiring the consent of subjects for data processing
    - Anonymizing collected data to protect privacy
    - Providing data breach notifications
    - Safely handling the transfer of data across borders
    - Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
    …

    1. fredwilson

      we’ve been working with our portfolio to get them ready for this. it’s a lot of work to comply

      1. William Mougayar

        Yup, I’m aware of it via my work with European companies (9 trips this year to Europe). From a consumer view, I think one of the biggest beneficial outcomes will be the rights for Data Portability across competing services. For example, if you don’t like your insurance company, you have the right to move to another one with your own data.

        Update to my comment: I do agree this is a heavy handed solution targeting existing centrally controlled services. Contrast with a blockchain startup view on this, which is that the data starts by being decentralized, so it’s always within the user’s control. With GDPR, they are de-coupling it after the fact, therefore it’s a lot of work to comply.

  11. Seine

    Shouldn’t Equifax be put out of business? After all their core business is to secure our data. Is there any regulation to sanction Equifax or are they too big as Ebay was? Isn’t it time to think about new regulation in this area.

  12. David C. Baker

    In an unlikely and unforeseen alliance with scum-sucking class action attorneys, I find myself cheering them on to somehow slay this three-headed dragon of a beast and take them down while we all cheer in the background. I’ll suspend my belief in tort reform just long enough for these big-three as$holes to be scorched from the sky like a scene from the GoT.

    1. PhilipSugar

      Could not agree more.

    2. Kirsten Lambertsen

      Along with FICO, that’s the real head of this dragon.

  13. Peter Bloom

    Fred nailed it but there is a fourth credit bureau called Innovis that is business to business focused. Without a specific credit freeze there you are still vulnerable. Here is the link to freeze your Innovis record.

    1. fredwilson

      thanks Peter. i added that link to my post.

  14. John Pepper

    Fred et al, what are your thoughts on LifeLock? We’ve had it for at least 5 years and felt it was helpful for moments like these. They had been quiet until yesterday when they sent an email to all members. To be honest, I’m skeptical of its value despite having paid for it for a few years. Any thoughts? Can’t copy email in here but here’s a link to similar message they posted. …

    John Pepper

    1. creative group

      seabird37: LIFELOCK reportedly scammed, lobbied and advertised to their initial entry into the marketplace. (You decide) Amazing you were drawn to them by the advertising and didn’t do your due diligence on the company. Go straight to controversies. Because of VC’s participation in funding all is clean now that Symantec acquired LIFELOCK. … (tone erased)

      1. John Pepper

        Minus the tone, this is a helpful response. Thank you.

          1. John Pepper

            LOL. That all said, I am a believer that all business is personal.

  15. creative group

    CONTRIBUTORS: Know your Consumer Protection Rights. (Even as those lobbyists pay off Republican law makers to weaken them, packaged as giving the consumer power (bs)). https://www.consumerfinance

  16. Frank W. Miller

    I think you may be hinting that blockchains can help. I’ll jump right in and point out that had all this data been in a fully distributed, ungoverned block chain, it would have been worse. All the data would be gone, you probably wouldn’t even know about it and if you did, there’d be no way to clean it up.

    1. Girish Mehta

      Thanks. Curious if anybody here has a counter-argument to this assertion…?

    2. jason wright

      please elaborate

    3. Ryan Berryman

      Actually, the data would be there (blockchains are immutable) and there would be no central point to breach. In a blockchain scenario, every single consumer would have a separate private key and would control access to their private information. If there were to be a breach, it would affect a single consumer, not 143 million.

      1. LE

        No central point of breach? … Online web wallets, like Coinbase, etc. In general, all wallets which keep the private key on their servers. Self explanatory as far as potential for future problems. And I do not think anybody is doing an audit or certifying what they do either to protect.

        And there is another risk that nobody talks about. Let’s say you have $x in bitcoin and you are storing your own keys. What if something happens to you and you don’t even remember your passwords or where the keys are kept or you are dead? What happens then? How many people are protecting themselves against this happening? My guess: near zero. Human nature. If you have money in a bank or in stocks that is all taken care of and there is a well oiled machine when someone passes away and/or can’t access their funds or is otherwise incapacitated. Now in the case of using a third party service it’s possible for something similar to be put in place. But if people truly are ‘controlling access to their private info’ then unless they have shared that info with a few other people in some way they stand the chance of losing it. And it doesn’t have to be death either. It can be some medical condition that doesn’t allow you to have the mental capacity to even know where you hid the info or where it even exists.

        1. Ryan Berryman

          I agree, you cannot distribute and centralize security at the same time. Either you manage it, or you let somebody else do it for you, likely a centralized service. In attempting to make things more usable, companies use non-blockchain technology to “help you out” (as they have with bitcoin and other blockchain currencies), by storing your private keys centrally, usable through their websites and mobile apps and often stored in a traditional database of some form. They are NOT blockchain in the same way as a password manager software or a mobile device is not your bank. If your password manager gets hacked, that is not due to the security of your bank. The blockchain itself by definition cannot be centrally breached in this manner, only the “helpers” in the ecosystem can.

          I am confident that blockchain can better secure such things as private records. But it’s not just security that’s needed as you point out – it’s also usability. What needs a lot of fleshing out, as you correctly point out, is the corner-cases and usability issues. There are some tools in the blockchain world which may be able to help out with some of these, such as multi-signature accounts (analogous to joint accounts) and smart contracts (if event xxx happens, do yyy).

          [there is one notable exception to all of this, and that is the 51% attack on a block chain where a bad actor accumulates enough computing power to control the algorithm / mining process – I assume that this is out of bounds of this particular discussion, but worth noting and considering the implications]

  17. JLM

    This is a nightmare of gargantuan proportions. Even more important, there is speculation it happened quite a while ago and was just verified. In the credit reporting business, the identity of the account reporting is unmasked — credit card numbers — at the instant of reporting. What a mess.

    JLM
    www.themusingsofthebigredca…

  18. Vendita Auto

    An option ? Palo Alto Networks is repositioning itself as a platform for others to build security apps:

  19. Kirsten Lambertsen

    The entire FICO apparatus and its ecosystem needs to be burned to the ground.

  20. Rob Underwood

    It would also help – a lot – if the UI/UX for these sites was no so bad coupled with really unacceptable problems with Javascript pop-ups not working, etc. It’s very frustrating to use these sites. I hope the startup community disrupts them, and with decent UI/UX, very soon.

  21. jason wright

    imagine if this happened at the same scale in crypto.

    EDIT 17:38 GMT; … and why centralised storage of crypto currencies (a Coinbase-type business model) is such a huge potential vulnerability for the ecosystem.

  22. Shalabh

    i have been using for the last 1.5 years now. it does a pretty good job of alerting you of any activity reported on any of the three major credit bureau reports. i would recommend it.

  23. LE

    Taking the other side of this (as I often do) I wonder what the actual scope of the threat is here. After all, if so many identities are stolen it’s hard to believe there are that many criminals that are skilled enough to use the information to their advantage. Even over time, as the info will be sold and repackaged. Plus there are obvious barriers to getting benefit from this even if you have this information. Not saying it doesn’t happen (sure it does) or that it isn’t a bad situation when it happens to you, just questioning the exact threat here to any individual (vs. other threats every day ‘baseline radiation’).

    It’s easy to break into any house, trivial. Yet most houses aren’t broken into, right?

    This page (.gov page) says that ‘17.6 MILLION U.S. RESIDENTS EXPERIENCED IDENTITY THEFT IN 2014’. That sounds like a very high number (7% of the population). And it is. But if you read the page it says they include people who reported fraudulent credit card charges. That is not even ‘identity theft’ in my book.

    The good news is that this is actually a good event because if the momentum keeps up the entire system will be evaluated for other flaws. Problem is the momentum won’t keep up; this will be forgotten and won’t be a hot button issue in a month.

    1. scottythebody

      Two credit cards of mine hit already — maybe (but by no means certainly) as a direct result of this breach. And I was hit with “identity theft” (well, my wife was) before, too. The thief opened a ton of cards in our name(s) and then proceeded to run quasi-legit businesses with them (mostly auto repair). Dude even used Amex checks to pay off balances via a fraudulent Amex. This was a guy operating by stealing mail. He wasn’t “sophisticated”, but he figured out how to operate in a “low tech” manner. He cased properties that were for sale and had auto parts that he ordered on fraudulent cards sent there so he could pick them up. So I’m guessing just about every neighborhood has a few “skilled enough”, and times are changing for sure.

      1. scottythebody

        What I mean by “times are changing” is that just as the guy I described above was able to operate, there are other people who know how to access the dark web and buy credit card numbers, turn them into actionable items, and sell them on the street to people who want to buy school clothes for their kids.

        Another example, my iTunes password was compromised (I fell for a really stupid phishing attack — totally my fault, it was YEARS ago) and somebody sold it to a Chinese iPhone user who proceeded to operate an iPhone and buy content (really shitty taste in music, BTW). Apple was great and reversed all the charges, but all of this terrible content is still hanging out in my iTunes library.

        In short, criminals are always going to find a way to exploit every type of vulnerability. And just because they are criminals, one must never assume they aren’t clever or very motivated to learn skills. Another example: how many people do you know who figured out how to do torrents, NNTP (news groups), RAR files, complicated utilities, and more just to pirate porn, movies or music?

    2. scottythebody

      I work in security, and I know that the scope of the potential threat is immense, but, obviously, I have no information on which threat actor accomplished this attack. The risk is fairly great, too, although can be mitigated by improved identity assertions and better (I say LEGISLATED) personal data controls. I say pass a law that mandates that the true owner of the product (my personal data) “full control” over what any marketer or business wants to do with it and unlimited freeze/unfreeze capability for credit actions such as checks, creation, etc.

      If we don’t fix this, I don’t know how dramatic to be about it. I mean, in principle, the free and easy credit culture of America is pretty damned good fuel for the economy. But my gut tells me it’s going to burn us again and again.

      I live in Europe, but I’m American and lived there most of my life. The banks here are very risk averse when it comes to personal credit. They don’t even really offer true balance carry credit cards for the most part, and any mortgage is going to require 30% down unless you can sweet talk them, join the right “tribe”, or know the right people, in which case you’re going to get 20% down payment. No fixed rates of long term, either. Just very tight. I work with a private bank here and they even said which specific measures they were going to implement to hedge against my loan! Not quite the same song I was sung when brokers would call me out of the blue and offer me credit on my house for no real reason other than “I might need cash someday.”

  24. Erin

    Should Canadians do this too?

    1. William Mougayar

      Equifax says Canadians aren’t affected.

      1. Salt Shaker

        Damn, you Canadians always seem above the fray. Never embroiled in controversy like your southern cousins.

        1. William Mougayar

          ha…we are more risk averse or conservative; but it’s not always such a good thing.

          1. JLM

            Is actually true. The Canadian banks are so much better run than their American relatives.

            JLM
            www.themusingsofthebigredca…

      2. Erin


  25. Salt Shaker

    Read the NYT’s piece, but to freeze your data you basically have to input a lot of the same info that was supposedly breached. How can one feel comfortable or trust doing this when the original source has been compromised? Concerned that I’d just be feeding the trough, so I’m on the fence w/ the recommended bandaids.

    1. LE

      I would not rush to do this right now if you have not done so already.

      My personal pet peeve with this industry? Getting literally a dozen offers per month if not more from credit card companies with attached checks in my name. Even though I have never ever had a balance on a credit card. Ever. But they keep sending them so I can ‘transfer a balance’ or borrow money. The problem? I end up having to shred all of that paper.

      It actually wouldn’t surprise me if someone were able to use a pre-printed check with someone’s name in order to social engineer a clerk into providing access to some other info that they needed. And it also wouldn’t surprise me if a third party was able to use a check to actually get money from someone that was under the radar. For example it was a common technique way back to use someone else’s fedex number under the assumption, say, that a large law office (only one example) wouldn’t know all of the legit charges and would just rubber stamp anything that wasn’t super high.

      1. Salt Shaker

        You mean you never have an outstanding balance, correct? Presume you have credit cards and pay off in full each month (like I do). Hard to function in this world w/ out. CC rates are borderline usury.

    2. Vasudev Ram

      What does “freeze your data” mean in this context?

      1. Salt Shaker

        Precludes access.

  26. george

    Credit reporting agencies need to be held financially responsible for this violation of individual privacy. These hacks are happening all too often now; the rule of law needs to be updated, since information has become the most valued currency in today’s digital world.

  27. Chimpwithcans

    From a listed company performance perspective – ESG Ratings may be starting to roughly account for this sort of mess up: Check out MSCI’s plug to that effect

  28. OurielOhayon

    A blockchain based solution would be so much better….Don’t you think? When i see what Civic is doing for eg…or uPort

  29. Rob Underwood

    Whole system feels like

    1. Firefighter by day / arsonist by night.
    2. A protection racket. “I’d hate for something to happen to that nice credit of yours.”

    1. LE

      What you are describing is actually the entire security industrial complex. This is where there is increasing pressure (by white hat hackers) to make everything security wise out in the open and transparent. Under the premise of being able to fix things. But what it actually does is make it easier for systems to be hacked.

      The entire industry is self serving in that way. And profits greatly from disclosure of any and all flaws. Also by teaching how to hack things. All that free and available info out there. Don’t think that makes it so much easier than if someone had to figure it out on their own?

      Sadly some, if not most of them, actually believe that by having such a robust system of disclosure that things are better. Because (they say that) companies are then forced to make things more secure. But all it really does is make it easier for more people to break into things. And more of a game for them. All sorts of prizes and rewards. Nobody considers the downside to all of this open disclosure. And that disclosure is exactly what allows hacks of this nature to be pulled off in the end. Sure, even if there wasn’t disclosure there would be hacking. But by allowing easy available tools and information to proliferate it makes it much more likely for an adverse event to occur. Less barrier to operate means more likely to happen. Plain and simple.

      1. scottythebody

        I see what you’re saying, but I don’t agree. I really do believe that disclosure makes things better. I didn’t always, but I’ve been in the trenches long enough to have formed that opinion.

        The real problem is, of course, that nothing is designed to be secure in the first place. That’s why keeping pressure on the companies and vendors to constantly fix their shit is perhaps a perverse way of incentivizing them to do it correctly in the first place.

        Disclosure is NOT what allows hacks to take place, obviously. Everyone is able to write any tool they want to probe any system they desire to find vulnerabilities and exploit them. Not having a group of defenders conducting the same activity is just illogical.

        1. LE

          What do you mean by this: “Everyone is able to write any tool they want to probe any system they desire to find vulnerabilities and exploit them”

          1. scottythebody

            That disclosure might aid somebody conducting that activity (just as you described), but whether there is disclosure or not, they will still do it. That’s all.

  30. Tom Labus

    All done with no consent on my part for using info. They had the balls to sell their shares after the fact too.

  31. Salt Shaker

    Shouldn’t access to one’s financial data be permission based? Where/how do credit tracking services have the rights to your data, and to market that data, without your permission? Prob part of TOS w/ credit card companies and banks (e.g., ability to share/market w/ 3rd parties) but I hope this breach leads to mandatory legislation allowing you to opt out of such sharing.

    Credit scores and how they are interpreted are also inherently discriminatory.

    1. scottythebody

      I think legislation is definitely needed. Always have.

      I lived in Atlanta for a long time and Equifax is an old arch enemy of mine. I have tried so many times in the past to fix incorrect items in my credit report (such as cards I never opened or things from other people without even similar names) and they make it SO difficult.

      In fact, I’d be in favor of something like a personal data assurance act which mandates, under penalty of very heavy fines, that all people have the right to delete, transfer, open, lock, and in pretty much all ways control their data.

      But in the short term, I’d take a bill that mandates credit reporting companies maintain web-based tools to allow unlimited reports, freezes, disputes, and unlocks by the original “owners” (people) of the credit bureau’s products.

      1. ShanaC

        I’m surprised there hasn’t been a class action against them yet

    2. ErikSchwartz

      What is particularly galling is that the media insists on calling us Experian’s “customers”. We are not. We are their product.

      1. Salt Shaker

        That is spot on!

      2. Vasudev Ram

        > We are their product.

        For those who don’t know what it means: “If you’re not paying for the service, you are the product.”

    3. Vasudev Ram

      > Shouldn’t access to one’s financial data be permission based? Where/how do credit tracking services have the rights to your data, and to market that data, without your permission?

      Is the situation on this better in Europe? I’ve been reading related discussions (about data privacy) on HN, and seem to remember some saying so.

      1. scottythebody

        European countries were all different. Austria, where I live, has crazy-stringent privacy laws. Newspapers aren’t even allowed to use criminal suspects’ last names. I still have a bank account with no name attached to it (just like a Swiss account used to be). In Germany, every citizen has the right to blot out the imagery of their home (even if it’s an apartment in a building) on Google Maps Street View. Now the EU has taken up the cause as well for EU-wide privacy assurances.

  32. sigmaalgebra

    Data breach? Gee, could that EVER happen? You’re kidding, right?

    Joe: A data breach? Maybe I’ve seen some articles about those.

    Tom: Yes, lots of articles. And over the years, lots of examples. Some of the examples had seriously bad financial results.

    Okay, what can be done?

    Ah, since I want to bring a Web server on-line (am now in system administration mud wrestling), I subscribe to e-mail newsletters on computer security from Cisco and Microsoft. I keep the newsletters and have big collections.

    From those newsletters there’s a simple fact: Nearly each week both Cisco and Microsoft announce new computer security threats.

    So, there are lots of threats, have been for years, and they are continuing.

    Maybe tomorrow or next week Cisco and Microsoft will block all the threats for all time. Maybe. But I’m skeptical, yes, I’m skeptical.

    So, the threats promise to continue.

    Broadly, some of the threats get detected, diagnosed, analyzed, and then blocked in some way. Cisco and Microsoft seem to be blocking threats each week. E.g., some of the threats depend on some special data particular to the threat, and analyzing that data can find bit patterns that can serve as signatures of those threats. So, to block those threats, some people write software to look in the data for the signatures.

    Then what are left are the new threats, never seen before. Maybe soon they, too, will get detected, diagnosed, analyzed, and blocked, and in the meanwhile, “Who’s the next big company to lose $1 billion? Step right up. There’s room for all! Don’t be shy; you, too, can lose $1 billion!”.

    Problems never seen before are often called “zero day” problems likely because so far the number of days they’ve been seen is zero.

    So, for zero day problems, we begin to come to a question: How the heck are we to detect a zero day problem?

    So, the network and server farm are sitting there, cooling fans spinning, data moving, some lights flashing, a lot of programs running, etc. So, what do we do now?

    Well, each attack in progress will be different in some senses from what we want. So, we can try to detect such differences.

    But, the equipment is fully capable of doing new and different things right along, and in many contexts such things are what we want.

    So, detecting “new and different” risks stopping a lot of work we do want.

    So, now what?

    Well, we can hope that Cisco and Microsoft, Linux, etc. clean up their acts so that there won’t be any more such problems …, but we already discussed that and know that we can’t wait for such progress.

    So, we are back to what the heck to do.

    Well, if we have a big network and server farm doing important work in production for a big organization, then we have a possibility: In some sense that work is stable, not suddenly new or different, so that we have a shot at detecting what is new or different from what is stable.

    Then since zero day attacks in progress are different, we have a shot at detecting the attacks.

    Okay, beyond just a “shot”, what can we do?

    Ah, for a while I was in an IBM Watson lab AI project automating monitoring and management of large networks and server farms.

    I wasn’t thrilled (uh, I confess, it was an upchuck) with the AI theme and approaches so cooked up something based on some original applied math. Yup, I published it, in an Elsevier journal.

    So, how the heck?

    Well, easily enough, as we monitor trying to detect, we have two ways to be wrong, (A) false alarms where we say that the site (network or servers) is sick when it is healthy and (B) missed detections of real problems where we say that the site is healthy when it is sick.

    This is not nearly the first situation where we have the two ways to be wrong, (A) and (B). In response, broadly the approach developed over the last 100+ years is (I) collect some data, (II) assume that the situation is normal (healthy) and, with that assumption, calculate the probability of getting data like we collected. If that probability is high, then we conclude that the situation is normal.

    But if that probability is quite low, then either (i) the situation is normal but rare or (ii) the situation really is different. If the probability we calculate is really low, then we have a tough time believing (i) so conclude (ii).

    When we conclude (ii) maybe first all we do is start diagnosis, collect more data, do more tests, etc., work too expensive and maybe too intrusive or disruptive to do without some evidence of something wrong. Also, likely our monitoring effort can focus this work on diagnosis. So, our effort at monitoring can be seen as letting us decide when to do diagnosis and helping us focus the work on diagnosis.

    So, we are starting to make some progress.

    Some people would call this progress AI. I’d say that IMHO AI so far is 99 44/100% junk and we should not insult good work by calling it AI when that work is much, much better than AI! Nearly the same for machine learning.

    So, as we do monitoring, we are faced with the possibilities of (A) false alarms or (B) missed detections.

    Then, over time we will have rates in, say, incidents per month, of false alarms (sometimes called false positives or Type I errors) and of missed detections (sometimes called false negatives or Type II errors).

    Now we find that, like many before us in work of very wide variety, we have been pushed hard into the field of statistical hypothesis testing. The “hypothesis” is what we mentioned above, the assumption that the situation was normal (healthy); broadly, that assumption is where we do our main trick, pull the cat out of the bag, because it is that assumption that gives us enough in mathematical assumptions to calculate the probability we mentioned.

    There are books, lots of books, e.g., from E. Lehmann long at Berkeley:

    E. L. Lehmann, Testing Statistical Hypotheses, John Wiley.

    E. L. Lehmann, Nonparametrics: Statistical Methods Based on Ranks, ISBN 0-8162-4994-6, Holden-Day.

    Sidney Siegel, Nonparametric Statistics for the Behavioral Sciences, McGraw-Hill.

    The probability of a false alarm is called the significance level of our statistical hypothesis test and is denoted by alpha.

    When we get a false alarm, we are saying that the hypothesis that everything is normal (the null hypothesis, null for nothing or nothing wrong) is false, i.e., we are rejecting the hypothesis. So, with Google search

    test alpha significance

    we can see

    “Before you run any statistical test, you must first determine your alpha level, which is also called the “significance level.” By definition, the alpha level is the probability of rejecting the null hypothesis when the null hypothesis is true.”

    As the Google quote implies, commonly we get to select the probability (essentially the rate) of false alarms in advance and get that rate exactly in practice.

    This stuff about a statistical hypothesis test, also from that same Google search, is very close to P values which have been said are the most heavily used of anything in statistics and a pillar of bio-medical, social science, and other research, even physics.

    So, we’re not the first to consider statistical hypothesis tests to detect something wrong.

    So, back at IBM, I thought that in our monitoring work, we should be doing at least statistical hypothesis tests with the false alarm rates known, etc. At least that.

    Well, the AI work was saying nothing about false alarm rates. The traditional workhorse technique in site monitoring was thresholds (e.g., if a disk drive gets over 90% full, then maybe it is about to fill up and stop some production work; the 90% is the selected threshold). Again, threshold detectors said nothing about false alarm rate.

    Well, while the monitoring was saying nothing about false alarm rates, the people doing the monitoring in the site network operations center (NOC) and bridge certainly were: False alarm rates too high were the bane of system management and for those people a total pain in the back side.

    And low quality monitoring can cost, right, billions. The recent attack is not nearly the first such.

    So, in monitoring sites, we want to make use of statistical hypothesis testing. Basically we want to have each test applied continually in close to real time and have some, maybe large, number of such tests.

    So, we can dig into the technical books and peer-reviewed papers and, gads, come up frustrated. E.g., we hear a lot about the Gaussian distribution then look at our terabytes of data and see little or no such.

    Or as world class statistician Ulf Grenander in the Division of Applied Mathematics at Brown once explained to me, computer performance data is very different from the data in, say, bio-medical research, long so common in applications of statistics. He was right.

    So, from just the titles of the books I listed above, the world of statistical hypothesis testing divides into parametric (e.g., where in the hypothesis we assume a Gaussian distribution for the data — called parametric due to the parameters of probability distributions assumed in the hypothesis, e.g., mean and variance, of the Gaussian, arrival rate in the exponential, etc.) and all the rest non-parametric.

    As in the book titles above, usually the non-parametric tests have been based on sorting the data into ascending order and considering ranks.

    Now, for one statistical hypothesis test, for the data, that has essentially always been on just some one variable, e.g., CPU busy, disk space used, system paging rate, I/O rate, data rate in an Ethernet card, database transactions per second, users served per second, user arrivals per second, etc.

    Well, it’s easy to get fewer false alarms! It’s even easy to get zero false alarms — just turn off the detectors! Alas, then also we get no detections.

    So, we are also interested in how well we do making detections. Then, with Google search

    test alpha significance power beta

    [popular subject – “About 13,900,000 results”]

    with

    “The power of any test of statistical significance is defined as the probability that it will reject a false null hypothesis. Statistical power is inversely related to beta or the probability of making a Type II error. In short, power = 1 – ß.”

    May 31, 2010 statistical power | Effect Size FAQs

    So, again, alpha is the probability of saying that the site is sick when it is healthy, and beta is the probability of saying that the site is healthy when it is sick. Or alpha is the probability of a Type I error, and beta is the probability of a Type II error — of course, both of these are conditional probabilities, that is, have a “given” that the site is healthy (false alarm, Type I) or sick (missed detection, Type II).

    So, we want both alpha and beta to be small. Actually, for any particular statistical hypothesis test, alpha and beta are in conflict, present us with a trade-off, where lowering one of those two raises the other one.

    So, really, to get the lowest rate of missed detections (the highest detection rate) we can, for a given test, what we want to do is select, for that test, the highest false alarm rate we are willing to tolerate, that is, to accept the waste and pain of diagnosis efforts that are chasing phantoms.

    Better than that, what we want is just a better statistical hypothesis test so that we can do better on both alpha and beta at the same time — there will still be a trade-off between the alpha and beta for this new test but it will be a better trade-off.

    Well, as above, for good tests, due to the messy nature of the site data, we have to go for non-parametric tests. Then for more, as is easy enough to see, it would be better if somehow in one test we could make good use, jointly, of several of the many variables on which we can collect data. So, we want a test that is both non-parametric and uses several variables, is multivariate, is multidimensional.

    Non-parametric is also called distribution-free because a non-parametric test makes no assumptions about the probability distribution of the data when the site is healthy.

    So, we want tests that are multidimensional and distribution-free.

    Halt! Tilt! Those books above have no such tests.

    So, I worked up a big collection of such tests, and that’s what is in my paper. Yes, they are hypothesis tests and permit selecting false alarm rate and, then, give that rate exactly in practice. And the tests are not trivial; I used a classic result of S. Ulam to prove that.

    For doing something about zero day problems at sites, my paper is some of the best news there is.

    Alas, so far there’s very likely no one, not even one, person in business or venture capital at all interested in such tests.

    Well, maybe one: The NASDAQ site in Trumbull, CT had me over for lunch, and I gave them a talk on my paper.

    For IBM’s Watson lab? They didn’t have anyone good enough at math to read my paper!

    For a startup? Naw, the startup I’m doing now is much easier to do and potentially much more valuable!

    If major companies want to keep losing $1 billion now and then from zero day attacks detected too late, then that’s their business. I worked up a good solution (tool, to help but not guaranteed to be perfect) and wrote and published the paper. If they don’t care, then that’s their problem. A $1 billion here and a $1 billion there, after a while it adds up to real money!

    Ah, maybe if I continued the research, then some computer science or statistics department would offer me a job as a prof.

    Then I could return to the last time I was a prof (in an attempt to help my sick wife by having her near her home and having time to help her) when I could not afford to buy a house, start a family, or replace the cars I bought new when my career was doing well before grad school. No thanks! I took no vow of poverty!

    Who’s the next major company to lose $1 billion to a zero day attack detected too late!
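
The comment above asks for monitoring tests whose false-alarm rate alpha is selected in advance and realised in practice, that make no Gaussian assumption because server metrics are skewed, and that watch several metrics jointly. As an added illustration written for this page (it is not the commenter's published tests and not code from any project named here), the Go program below calibrates a rank-based, distribution-free threshold from a healthy history, contrasts it with the parametric mean plus three standard deviations rule on the same skewed data, and combines several metrics with a union bound so that the overall false-alarm probability is at most the chosen alpha. The two metric names, the sample values (a deterministic formula with legitimate spikes) and the alpha of 0.05 are constructed for the example; the union-bound combination is a simple conservative device, not the multidimensional tests the comment describes.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// RankThreshold picks a one-sided alarm threshold for one metric from a healthy
// history with no distributional assumption: the k-th largest of n exchangeable
// healthy samples is exceeded by a fresh healthy sample with probability exactly
// k/(n+1) (ties aside), so alpha is chosen in advance and realised in practice.
// It returns the threshold and the alpha actually achieved (alpha must be < 1).
func RankThreshold(history []float64, alpha float64) (threshold, achieved float64) {
	n := len(history)
	k := int(math.Floor(alpha * float64(n+1)))
	if k < 1 {
		k = 1 // n healthy samples cannot calibrate an alpha below 1/(n+1)
	}
	s := append([]float64(nil), history...) // sort a copy, keep the history intact
	sort.Float64s(s)
	return s[n-k], float64(k) / float64(n+1)
}

// GaussianThreshold is the parametric alternative, mean + z*sd. Its nominal
// alpha (about 0.00135 for z = 3) holds only if the healthy data are Gaussian.
func GaussianThreshold(history []float64, z float64) float64 {
	var sum, sq float64
	for _, x := range history {
		sum += x
	}
	mean := sum / float64(len(history))
	for _, x := range history {
		sq += (x - mean) * (x - mean)
	}
	return mean + z*math.Sqrt(sq/float64(len(history)-1))
}

// ExceedCount counts the samples strictly above threshold.
func ExceedCount(data []float64, threshold float64) int {
	c := 0
	for _, x := range data {
		if x > threshold {
			c++
		}
	}
	return c
}

// MultiDetector gives each of m metrics its own rank threshold at alpha/m; by the
// union bound a healthy sample trips any of them with probability at most alpha.
type MultiDetector struct{ Thresholds []float64 }

// NewMultiDetector calibrates from history[j], the healthy samples of metric j.
func NewMultiDetector(history [][]float64, alpha float64) MultiDetector {
	var d MultiDetector
	for _, h := range history {
		t, _ := RankThreshold(h, alpha/float64(len(history)))
		d.Thresholds = append(d.Thresholds, t)
	}
	return d
}

// Alarm reports whether any metric in sample exceeds its threshold.
func (d MultiDetector) Alarm(sample []float64) bool {
	for j, x := range sample {
		if x > d.Thresholds[j] {
			return true
		}
	}
	return false
}

// ConstructedHistory builds a deterministic, skewed "healthy" history for two
// metrics (CPU busy %, pages/s) with legitimate spikes; constructed, not real data.
func ConstructedHistory() (cpu, paging []float64) {
	for i := 0; i < 99; i++ {
		c := 20 + 0.2*float64((i*31)%97)
		if i%10 == 9 {
			c += 45 + float64(i)/10 // nightly batch job: a legitimate CPU spike
		}
		p := 5 + 0.3*float64((i*17)%89)
		if i%13 == 12 {
			p += 40 // cache warm-up: a legitimate paging spike
		}
		cpu = append(cpu, c)
		paging = append(paging, p)
	}
	return cpu, paging
}

func main() {
	cpu, paging := ConstructedHistory()
	thr, a := RankThreshold(cpu, 0.05)
	fmt.Printf("rank rule: threshold %.1f, alpha %.3f, healthy samples above it %d/99\n", thr, a, ExceedCount(cpu, thr))
	g := GaussianThreshold(cpu, 3)
	fmt.Printf("mean+3sd: threshold %.1f, nominal alpha 0.00135, healthy above it %d/99\n", g, ExceedCount(cpu, g))
	d := NewMultiDetector([][]float64{cpu, paging}, 0.05)
	fmt.Println("joint alarm on {30, 10}:", d.Alarm([]float64{30, 10}), "on {95, 10}:", d.Alarm([]float64{95, 10}))
}
```

On the constructed history the rank rule at alpha = 0.05 places the threshold at the fifth largest healthy value (four healthy samples sit above it, and a fresh healthy sample exceeds it with probability 5/100), while mean + 3 sd, nominally a 0.135% false-alarm rate, is exceeded by four of the 99 healthy samples, about 4%: the parametric rule's promised rate is simply wrong for skewed data. The price of the distribution-free guarantee is calibration data, since n healthy samples cannot set an alpha below 1/(n+1).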

  33. David

    Breaches of our data have been occurring for years (MySpace, LinkedIn, Dropbox, Home Depot, Target, Anthem, on and on). This is simply one more reminder that your data is likely already out there in the wild (dark web, deep web), and you should be taking steps all the time to protect yourself.

  34. LaVonne Reimer

    Two reactions. First, Equifax demonstrates why GDPR properly encompasses cybersecurity/breach disclosure requirements and data privacy. Underlying both is the same problem of hoarding data. I won’t go into the vagaries of legitimate business interest but note that GDPR will protect EU citizens and not US though we can hope Equifax and the others, all multinational companies, will conclude it’s wisest to establish a consistent data governance model across all jurisdictions which leads me to . . . Second, the credit bureaus enjoy a unique place in the market because massive capital flows are intertwined with their models. But make no mistake, the first wave of big data startups is/has been ALL about garnering as much data as possible. I have lost track of the billions in venture capital that has flowed into these deals. And that’s not counting debt funding for loan pools. Repeating myself (of earlier sermons) but consent agreements notwithstanding, when your valuations are driven by volume of data that will lead to conflict between the data holder/broker/trafficker and the subjects of the data. Some of us have been toiling a very, very long time to secure sufficient capital to launch platforms that address the issue. Instead of data governance aiming toward preserving the massive asset on behalf of the organization, data governance for the uses and benefits of the subjects. I’m sure we have struggled to find funding for a mix of reasons. That is always true. But the objection I have heard many times is we undermine our control of the data when we give data subjects new controls. I have also ended up in heated debates with VCs over whether anything is wrong with credit bureaus. I don’t believe this is a failure to identify with the common man. Rather, I believe it is tacit recognition that you attack the Equifax et al model and you unravel an entire capital system including flows that find their way into limited partners and thence to VCs. I am worried about my Equifax score but hoping that this is a wake-up call of much more strategic significance.

    1. JLM

      .

      Excellent, insightful comment. Slip in a paragraph from time-to-time for the visually impaired.

      JLM
      www.themusingsofthebigredca…

      1. LE

        Tip from someone who used to make money from typography.

        Using long line lengths and not using paragraphs and other separators is a great way to slip something by a counterparty to a transaction (consumer or otherwise). People have a low tolerance level for the type of effort required to follow things that are not easy to read and will typically wear out and just sign where required. Common tactic, hence ‘fine print’.

        Along the same lines I am always surprised at how attorneys will send a Word document instead of a PDF. The Word document practically screams ‘edit me and make changes’ while the PDF puts up a small barrier to doing so. Just one of those ‘professional’ courtesies that attorneys give each other that non-attorneys can often work around. And why not?

  35. Alex Iskold

    Since I got hacked, I’ve been thinking about this problem a lot. I completely agree that we need new security systems, and they need to be completely different. We are committed to incubating and funding several security startups at Techstars in 2018.

    1. Help people post identity theft. Let’s be real, no near term measure can stop hacks from happening, so we need a company that will help AFTER the hack. Having experienced this myself I know how humiliating and helpless one can feel. We need a combination of smart software and humans to deal with the aftermath of identity theft.

    2. Re-think security from the ground up. We need to invent conversational, interactive, historical and biometrics based security. Computers need to get involved and evolve to recognize us like our friends, family and people who know us do – i.e. interactively and based on historical experiences we’ve had together.

    This is such a serious and growing issue, and it can’t be ignored. I really hope we can make significant progress in 2018.

  36. Alex Iskold

    Also, I think A LOT more needs to be done in addition to credit freezes. I wrote about some of the things people should think about, like credit card alerts, 1Password, bank protection and more here =>

  37. DJL

    What is most incredible about this is that these same organizations are the ones that sell identity theft insurance! So you have a company that has one of the largest breaches in history, and the recommended “Action Plan” involves making their business grow! Only in America, folks.

    The problem with security is that people (and companies) are focused on technical magic bullets. I guarantee that this – like most of these mega breaches – was caused by some basic security principles not being followed. VCs are missing the boat and throwing billions of dollars at the wrong solutions. Security is about people – not another AI-driven super magic bullet. Not sure how many millions will be lost before people catch on.

  38. Alfonso C. Betancort

    Don’t do shit, don’t waste your time or money trying to solve someone else’s big mess.

    If it were the case of a few stolen identities, those persons would have a problem, but it’s not. And with 150 mm stolen identities, the Whole System (Credit Rating Reporting, Financial, Real Estate and many other sectors that rely on the information the former gather) have got themselves a mess of 150 mm identities.

    They don’t have any other choice than to solve it or the whole system will collapse in front of their noses because the public will lose confidence in it. And that isn’t good for business, then you can be sure that both, government and business, will do anything and everything at any cost to avoid that scenario.

  39. Sudha Lakshmi

    What incenses me more than anything else is the fact that I’m not even their f-ing customer! I never enrolled with them, and I never authorized their access to any information about me. Yet they accessed my data and seriously compromised my security. And they didn’t just do this to me – they did it to half the country!

    I really do think we need legislation that allows us to own/control our own data. Nothing short of this will do.

  40. Gregory Magarshak

    “It’s time for new approaches to security, identity, and the protection of our financial information. Thankfully, there are a lot of them out there, mostly in startup land.”

    The solution to decentralized authentication and identity is actually pretty straightforward. The challenge is getting from here to there.

    THE SOLUTION:

    * Apps on personal devices store private keys in the OS keychain, which is now stored in the secure enclave (iOS) or secure element (Android), and ideally the user locks the device with their biometrics.

    * Devices provision other devices using QR codes and so on.

    * Websites allow a way to authenticate using secure OAuth with such an “identity providing app” on the user’s device.

    * Identity is done by referencing signed identity claims, posted on other sites. Like Keybase but decentralized!

    * Each identity claim can contain extra info including preferred apps to use for authentication, how many devices (N) to use for approval of new accounts or revocation of keys, and so on.

    GETTING FROM HERE TO THERE:

    * Going further, each user should have a different id in each website, so they can’t be tracked across websites as easily. But their apps should seamlessly manage their identity across communities. When they join a new community they should seamlessly discover friends who allow them to see their identity. And see the content those friends posted, making an instant social experience. They should also get notifications when new friends join in a community.

    * Friends means contacts in your address book, which never leaves your phone (except to be encrypted and synced in iCloud, which – you better trust your mobile phone provider for that one!)

    * In our own framework we went further and allow an instant personalized experience on any site without revealing your identity to the site, or that of your friends.

    And so on. This is one building block in our company’s vision for the new decentralized web:

    Communities running their own social networks.

    People maintaining decentralized identity across communities.

    A crypto-currency that’s architected like the internet (we call it intercoin) that combines the best of deflationary bitcoin and inflationary smart-money inside communities (think complementary currencies like Bristol Pounds or Berkshares).

    Third party apps built on our platform that incorporate the local commerce alongside the current monetary systems (Stripe, PayPal). A bit like WeChat but decentralized!

    And so on.

    IDENTITY can really only be securely proven in real time with a device. If you lose your device, you can use other devices. If you lose ALL your devices, paper wallets, etc. you can use “something you are” (biometrics) and/or “something you know” (a passphrase + N friends who you gave friend keys to) to bootstrap your identity again. If you’re Jason Bourne and don’t know who your friends are you may be SOL :)

    But how often does that happen?
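
The solution sketched in the comment above rests on device-held keys, signed identity claims that list the devices speaking for a per-site identity, and N devices approving a key revocation. The Go program below is an added example for this page, not code from the commenter's framework, Keybase, uPort or any other project named here. It signs a claim with an ed25519 device key, verifies that a posted claim was signed by a device the claim itself lists, and accepts a revocation only when a quorum of listed devices signed a message bound to that claim and that lost key. The claim fields, the site name example.test, the user id and the in-memory keys are assumptions of the example; on a real device the private key would stay inside the platform keychain or secure enclave. Friend recovery keys, QR provisioning and the OAuth flow from the comment are not covered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Claim is the identity record the comment describes: a per-site pseudonymous id,
// preferred auth apps, the devices (public keys) speaking for it, and the quorum N
// of them needed to revoke a key. Field order is fixed, so json.Marshal is canonical.
type Claim struct {
	Site          string   `json:"site"`
	SiteUserID    string   `json:"site_user_id"` // different on every site
	PreferredApps []string `json:"preferred_apps"`
	Quorum        int      `json:"quorum"`  // N devices needed to revoke a key
	Devices       []string `json:"devices"` // hex-encoded ed25519 public keys
}

// Device stands in for an identity app holding a key pair. In production the private
// key stays in the OS keychain behind the secure enclave; in memory here is an assumption.
type Device struct {
	ID   string // hex public key, as listed in Claim.Devices
	priv ed25519.PrivateKey
}

func NewDevice() Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only on a broken entropy source
	}
	return Device{ID: hex.EncodeToString(pub), priv: priv}
}

// SignedClaim is what gets posted on a site: claim bytes, signature, signer id.
type SignedClaim struct {
	Body, Sig []byte
	Signer    string
}

func (d Device) SignClaim(c Claim) (SignedClaim, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return SignedClaim{}, err
	}
	return SignedClaim{Body: body, Sig: ed25519.Sign(d.priv, body), Signer: d.ID}, nil
}

// signedByListed reports whether id is one of the claim's devices and sig is its valid
// signature over msg; wrong-length keys are rejected first since ed25519.Verify panics.
func signedByListed(c Claim, id string, msg, sig []byte) bool {
	pub, err := hex.DecodeString(id)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	for _, d := range c.Devices {
		if d == id {
			return ed25519.Verify(pub, msg, sig)
		}
	}
	return false
}

// VerifyClaim accepts a posted claim only if a listed device signed the exact bytes.
func VerifyClaim(sc SignedClaim) (Claim, bool) {
	var c Claim
	if err := json.Unmarshal(sc.Body, &c); err != nil || !signedByListed(c, sc.Signer, sc.Body, sc.Sig) {
		return Claim{}, false
	}
	return c, true
}

// revocationMsg binds an approval to this claim and lost key, so it cannot be replayed.
func revocationMsg(c Claim, lost string) []byte {
	return []byte("revoke:" + c.Site + ":" + c.SiteUserID + ":" + lost)
}

// ApproveRevocation is signed by each remaining device when a key is lost.
func (d Device) ApproveRevocation(c Claim, lost string) []byte {
	return ed25519.Sign(d.priv, revocationMsg(c, lost))
}

// VerifyRevocation accepts only when at least Quorum distinct listed devices signed
// the revocation; approvals is keyed by device ID, so no device counts twice.
func VerifyRevocation(c Claim, lost string, approvals map[string][]byte) bool {
	msg, n := revocationMsg(c, lost), 0
	for id, sig := range approvals {
		if signedByListed(c, id, msg, sig) {
			n++
		}
	}
	return n >= c.Quorum
}

func main() {
	phone, laptop, tablet := NewDevice(), NewDevice(), NewDevice()
	c := Claim{Site: "example.test", SiteUserID: "u-7f3a91", Quorum: 2,
		PreferredApps: []string{"id-app"}, Devices: []string{phone.ID, laptop.ID, tablet.ID}}
	sc, _ := phone.SignClaim(c)
	_, ok := VerifyClaim(sc)
	approvals := map[string][]byte{laptop.ID: laptop.ApproveRevocation(c, phone.ID), tablet.ID: tablet.ApproveRevocation(c, phone.ID)}
	fmt.Println("claim verifies:", ok, " revocation with 2 of 2 approvals:", VerifyRevocation(c, phone.ID, approvals))
}
```

The site stores only public keys and the signed bytes; because Go marshals struct fields in declaration order, signer and verifier operate on identical bytes without a separate canonicalisation step. Binding the revocation message to site, user id and the lost key is what stops one device's approval from being replayed against a different key, and keying approvals by device ID is what makes the quorum count distinct devices rather than repeated signatures.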

  41. aroyalcrime

    Thanks for walking us through this. A few days ago, I checked on the Experian site and was told that they “think” my data has been breached. Today, I’ve tried to put a freeze on my account and none of the three was able to complete my request. Are they overloaded?

    1. DJL

      Yes – I had a feeling that would happen. They are not staffed for this type of crisis.

  42. ShanaC

    More obvious question: What should be a better identity setup given how insecure the one we have is?

  43. Lou Pugliese

    All credit report sites time out while trying to initiate a freeze

  44. Susan Rubinsky

    I was just catching up on my blogs and came across this. Thought some people here would find it interesting given the discussions that were happening the other day…

    When a Person’s Character Trumps Their Credit Score

    “Now that lenders mostly decide on applications using a person’s credit score, which doesn’t typically include regularly paid items that lower-income families pay, such as rent, utility bills, and the like, it’s more difficult to build wealth. And far from gaining an even footing, those who were kept out of the system during the days of character lending continue to face hardships building credit.”

    “When we were doing character loans through community banks back then [pre-1990’s], banks weren’t going under, we weren’t losing a lot of money.”

    …

  45. Nipun Gupta

    Thanks to Fred and AVC for bringing this breach to the attention of the VC / startup world. I have worked in cybersecurity for around 8 years and I firmly believe that it is one of the most under-invested industries. By under-invested, I mean that security was never important at the board level so the CISO (if the company had a position like that) would have to make do with dismal head counts and put some engineering hacks together to create the IT security organization. In the long term, lack of alignment of cybersecurity and business goals has always led to a massive breach with a severe hit to a company’s reputation. For example – Equifax, LifeLock (funny that their core business was to protect against ID theft), Experian, HBO, Target, Sony, and the list goes on and on. As a matter of fact, it is very likely that if an investor is reading this, their startup has been breached. Feel free to search on https://www.privacyrights.o…. This website can even help you to slice / dice data to see how bad / good this problem is, depending on your perspective.

    Also, it is likely that your personal information has been leaked in a breach already. You can check on haveibeenpwned dot com; one of my favorite security researchers, Troy Hunt, maintains this website.

    For this breach, I cannot find anything better than the advice given by Brian Krebs. Read this entire post as it contains gems –…. In a nutshell – Credit bureaus or any company who stores your SSN cannot be trusted to keep it safe, so put a freeze on (you get an additional factor of authentication), check your annual report / bank accounts, and chill out.

    I can keep on writing but it is time to end on a philosophical note. The internet was created with the goal of information sharing by mostly nice people; however, information protection or security was never a consideration. As much as I wish we could rebuild the internet from scratch to be secure, we will have to make do by adding layers of security technology on top of the existing protocols. This would take a lot of hands, heads, and $. If you are an investor, cybersecurity needs to be one of your top priorities in this fund. It is the same thing as investing in clean tech startups. Even though we had to endure a relatively insecure internet, we can contribute to making the internet a trustworthy place for our kids.

    PS: You do need to have spent some serious time in the industry as a professional to know what is vaporware vs real technology in cybersecurity. If you are looking to invest in cybersecurity startups and think I could be of help, feel free to reach out to me on LinkedIn.

  46. Vasudev Ram

    People could still misuse the public info.