Tag: Equifax

The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme

  • Equifax’s data breach on Sept. 7, 2017, stunned markets and American consumers, but where the data of those 143 million people disappeared to has remained a mystery.
  • CNBC talked to experts, intelligence officials, dark web data “hunters” and Equifax to discover where they expect the data has gone, and what it is being used for.
  • The prevailing theory today is that the data was stolen by a nation-state for spying purposes, not by criminals looking to cash in on stolen identities.

On Sept. 7, 2017, the world heard an alarming announcement from credit ratings giant Equifax: In a brazen cyberattack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S.

It was the consumer data security scandal of the decade. The information included Social Security numbers, driver’s license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instilled new regulatory oversight of credit ratings agencies.

Then, something unusual happened. The data disappeared. Completely. CNBC talked to eight experts, including data “hunters” who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.

But none of them knows where the data is now. It’s never appeared on any of the hundreds of underground websites selling stolen information. Security experts haven’t seen the data used in any of the ways they’d expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.

But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.

One data hunter dives in

The missing Equifax data has been a 17-month-long obsession for Jeffrey, a cybersecurity analyst at one of the world’s largest banks. To him, it represents a sort of professional Lost City of Atlantis or Holy Grail.

Jeffrey is not the analyst’s real name. He asked to remain anonymous because he was not authorized to speak to the media. He also asked that his bank remain anonymous, because he’s one of such a narrow pool of a specific type of employee that even the name of his bank could be used to identify him.

Jeffrey is a “hunter” on the bank’s “hunt team,” and his job is searching for data on the dark web or darknet — a set of websites that can only be accessed with special software that protects the user’s anonymity. The dark web can be used for many purposes, but most prominently serves as the internet’s underground black market, where criminals buy, sell and trade credit card data, personal information and criminal services.

Jeffrey trolls the dark web for stolen personal data that looks like it might be brand new, especially if it looks like it might belong to customers of the bank or its rivals. He is often one of the first to know that another company has been breached, and his team is often among the first to inform the victims that their systems have been breached.

So Jeffrey was surprised when he learned about the Equifax breach at the same time as everybody else, when the company announced it to the world.

Stolen consumer information usually goes up for sale immediately after a company is hacked, he explains. Criminals aim for speed so they can sell the data before a company’s tripwires ever detect it was stolen. The longer they wait, the more likely the victims and the institutions will make changes to render the data useless. This is especially true with credit card numbers, which can quickly be canceled once fraudulent charges start cropping up on them. Or when Social Security numbers — like those stolen in the Equifax breach — start getting flagged for fraud.

READ MORE: https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html

Freezing Credit Will Now Be Free. Here’s Why You Should Go for It.

Consumers will soon be able to freeze their credit files without charge. So if you have not yet frozen your files — a recommended step to foil identity theft — now is a good time to take action, consumer advocates say.

Security freezes, often called credit freezes, are “absolutely” the best way to prevent criminals from using your personal information to open new accounts in your name, said Paul Stephens, director of policy and advocacy with Privacy Rights Clearinghouse, a consumer advocacy nonprofit group.

Free freezes, which will be available next Friday, were required as part of broader financial legislation signed in May by President Trump.

Free security freezes were already available in some states and in certain situations, but the federal law requires that they be made available nationally. Two of the three major credit reporting bureaus, Equifax and TransUnion, have already abandoned the fees. The third, Experian, said it would begin offering free credit freezes next Friday. To be effective, freezes must be placed at all three bureaus.

The Federal Trade Commission says that when the law takes effect, its identity theft website will provide links to each bureau’s freeze website.

A security freeze makes it harder for criminals to use stolen information to open fraudulent new accounts, or borrow money, in your name. Credit bureaus house records of your accounts and payment history, which card companies and lenders use to decide whether you are likely to pay your bills. If you freeze your file, the bureaus will not provide information to lenders unless you “thaw” the freeze first, using a special personal identification number.

Free security freezes are becoming available more than a year after a huge data breach was discovered at Equifax. The breach compromised the personal information, including Social Security numbers, birth dates and other sensitive details, of more than 145 million people — nearly half the population of the United States.

Despite the scale of that breach, and a steady stream of other incidents, security freezes have not really caught on. An AARP survey of about 2,000 adults found that just 14 percent had frozen their credit files. (The survey, conducted in July by GfK Group using a probability-based online panel, has a margin of sampling error of plus or minus two percentage points.)

In-depth interviews with 24 consumers by researchers at the University of Michigan School of Information found that many people knew about the Equifax breach, but few had taken the step of freezing their credit files as a result.

Consumers suffer from “optimism bias,” the researchers found. They realized that the breach created risk, but did not think anything would happen to them personally. “People tend to underestimate their own risk,” said Florian Schaub, an assistant professor at the school and one of the study’s authors.

Others incorrectly assumed that because they had poor credit or little wealth, they would be unattractive targets for identity thieves. “They think: ‘I don’t have much money. I have nothing to lose,’” Mr. Schaub said. “But that’s not how identity thieves operate.”

People interviewed also cited the cost of freezes as a barrier. It can cost as much as $10 per bureau to place a freeze, and a similar fee is charged to thaw it temporarily when you want to apply for credit.

Consumer advocates hope that making freezes free will spur more consumers to use them. (The new law requires that a thaw must also be free.)

But the freeze process is not as easy as it could be, said Mike Litt, consumer campaign director for U.S. PIRG, the consumer advocacy group. He would prefer credit files to be “frozen” by default, and thawed on request. As it stands, consumers must place freezes separately at all three bureaus, and keep track of three PINs.

And because it’s not always possible to know in advance what credit bureau a lender will use, consumers typically must lift the freezes at all three bureaus when they want to apply for new credit.

Brett Merfish, a lawyer in Austin, Tex., said she froze her credit at all three bureaus several years ago, after her personal information was used to open “a steady flow” of fraudulent credit card accounts. The freeze process was “tedious,” she recalled, but ultimately effective because she no longer has problems with fake accounts. “It’s worth it to do it,” she said.

One credit bureau, TransUnion, introduced a smartphone app, myTransUnion, this month that consumers can use to more easily freeze and thaw their credit. The app is available for both Apple and Android phones. Mr. Stephens, of the Privacy Rights Clearinghouse, said he had not seen the app, but cautioned consumers to tread carefully, in case it is used to market other, fee-based products and services.

The credit bureaus also offer something called a credit “lock,” which they promote as a more convenient way to protect your information. But some offerings carry fees, and consumer advocates prefer freezes because the rules are set by law, rather than by the credit bureaus.

One other less-protective option is a fraud alert, which requires credit bureaus to contact you to verify your identity when a company requests your credit file. Under the new law, initial fraud alerts must last for one year once established. Fraud alerts are free, and, unlike the freezes, an alert placed at one bureau is automatically placed at all three.

U.S. PIRG also recommends freezing your file at a lesser-known reporting agency known as the National Consumer Telecom and Utilities Exchange. The exchange provides credit information to some cellphone, pay television and utility companies. (Some consumers have reported having cellular accounts opened in their names, even though they had placed freezes on their credit reports at the main bureaus.)

The website for the utilities exchange says its database is “housed and managed” by Equifax. But the exchange is a “distinct” entity that requires its own freeze, said Craig Caesar, outside counsel to the exchange. “A separate request to N.C.T.U.E. is required because it is a separate database,” Mr. Caesar said in an email. There is no cost for a freeze, he said.

The new law also requires credit bureaus to allow parents to create and freeze credit files for their children under 16, to prevent their identities from being misused. The Federal Trade Commission offers information on what to do.

Freezes will not protect you from other types of fraud, like someone using the number of a credit card you already have, or impersonating you online to claim your Social Security benefits. To help prevent those types of theft, Mr. Litt recommends checking your credit card statements regularly for suspicious charges, and setting up and monitoring an online Social Security account, to prevent criminals from opening one first and diverting your benefit checks. A PIRG report suggests other helpful steps as well.

Checking your credit report periodically is also wise. You are entitled to one free copy each year from the big three bureaus at annualcreditreport.com. (A security freeze will not prevent you from getting your free annual report, the F.T.C. says.)

Here are the websites to visit to set up security freezes:

TransUnion: transunion.com/credit-freeze

Experian: experian.com/freeze/center.html

Equifax: www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

National Consumer Telecom and Utilities Exchange: www.nctue.com/Consumers