Equifax Statement for Small Claims Court
May 16, 2018
I have three points.
- Equifax acted recklessly and negligently.
- This affected me in many negative ways.
- Money won’t make it right, but it will help with some of the hassles I have already encountered and those I anticipate.
Equifax’s breach revealed
- 145.5 million social security numbers
- 99 million addresses
- 20.3 million phone numbers
- 17.6 million driver’s licenses
- 1.8 million email addresses
- 209,000 credit card numbers
- 97,500 Tax ID numbers
as well as images which may have included driver’s licenses, passports, and social security numbers. Mine were among them.
I am a freelance technologist, librarian, and small business owner in Vermont. I filed this case on September 12.
My mom died in late July 2017. This is, of course, not Equifax’s fault but the timing wasn’t great. It meant that right around the time of the data breach, I had to manage and transmit a lot of sensitive paperwork including my SSN, my sister’s SSN and my late mother’s SSN. I now own multiple investments with my sister whose financial life is combined with my own. I started two small businesses in 2017, one of which I own with several other people.
I had a lot of issues that may or may not have had to do with the breach. Here are two examples:
- I was unable to open a bank account with an online bank because my “challenge questions” answers (which go to “a credit bureau”) were not accepted.
- I could not set up a new inherited IRA account (while my sister could, with identical information) without providing additional information to the bank and when I asked why my account was flagged the banker just shrugged and said it had to do with “risk factors” and a score they got from the company that does risk assessment. I have an impeccable credit score.
There is no way for me to tell if these or many other similar financial services hassles are due to the breach, but they have become more prevalent since last summer. I was on hold with Equifax’s understaffed support lines for hours. I tried to load their constantly-crashing websites for days. I am eternally vigilant about any change to my bank accounts, credit scores or even incoming postal junk mail. It’s exhausting.
This vulnerability was disclosed in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly — Bas van Schaik, researcher at Semmle
A typical bank would have patched this critical vulnerability within a few days — Pravin Kothari, CEO of CipherCloud
Consistent with Equifax’s patching policy, the Equifax security department required that patching occur within a 48 hour time period. This did not happen. — Richard F. Smith retired CEO of Equifax
May — July — Hackers gain access to data via a vulnerability in the Apache Struts software, used by the web server. Security experts call this “the highest level of risk that can be associated with a vulnerability.” Equifax has confirmed that attackers entered its system in mid-May through a web application vulnerability that had a patch available in March. According to PCI DSS standards (Payment Card Industry Data Security Standard — for anyone who holds credit card data, this includes Equifax who holds over 209,000 credit card numbers), all critical patches must be applied within 30 days (Equifax took 146). The vulnerability allows hackers access to the web server and then hackers gained additional access, over time, from there. This would not have been possible if many other good practices in data security — such as not giving excessive access to whoever “owned” the web services — had been followed.
July 29 — Equifax notices & stops the breach
Aug 1 — 2 — Four top managers at Equifax sell two million dollars worth of stock
August 15 — Equifax legal department told all employees to stop trading company stock
September 7 — Equifax announces breach to the public
September 9 — Equifax website tells users they have to opt out of being a possible member of a class action lawsuit if they accept Equifax’s offer of a year of free credit monitoring (they later fixed this)
September 12 — Equifax apologizes
September 14 — Federal Trade Commission begins an investigation
September 25 — CEO Richard Smith “retires” forfeiting a three million dollar bonus and still collecting approximately 70 million dollars in 2017
October 4 — 5 — CEO Smith testifies before Congress as “an unpaid advisor to the company.” His testimony is where I got many of these facts from.
Equifax’s security practices company wide were so bad as to be considered reckless and negligent by people who work with technology for a living. The people who were responsible for Equifax’s technology, from the person who was responsible for patching software all the way up to their Chief Security Officer, were unqualified for their jobs. Some examples:
Equifax’s social media arm tweets out a URL people can go to in order to verify if they’ve been affected but sent people to securityequifax2017.com, instead of equifaxsecurity2017.com. The wrong URL goes to a phishing site. They tweet it at least four times.
PINs that were generated if you wanted to take advantage of a credit freeze via TrustedID were clearly a function of the date/time they were submitted: a freeze issued on September 8, 2017 at 2:15 p.m. generated the number 0908171415. This is not good practice. This is not secure.
The data which hackers gained access to was unencrypted (plain text). This is not good practice. This is not secure.
Equifax’s employees in Argentina manage credit report disputes via an online portal. This portal, in September, still had a default login/password combination of admin/admin. The passwords to employee accounts were in the web page codes in plain text. Anyone who complained or disputed Equifax’s credit reports had their information stored in this same database which included 14000 SSN equivalents in plain text. This is not good practice, this is not secure.
PCI DSS (Payment Card Industry Data Security Standard) is an internationally accepted standard of controls which, when applied at the most basic levels, can reduce the risk of a breach and guide ongoing risk mitigation. Things like keeping financial information separate from billing etc. Equifax kept them all in one server. This is not good practice, this is not secure.
This is not the first go-round for Equifax. They run another company called TALX which does payroll services and was alerted that people were getting unauthorized access to people’s W-2s and other information over a period of nearly a year between April 2016 and March 2017. People’s private information was protected by a four digit PIN. This is not good practice, this is not secure.
Equifax’s chief security officer Susan Mauldin who also retired in September studied music composition in college and had no security degree. This is well outside of industry standard practices.
By all accounts, a single person was responsible for patching the software vulnerability and there was no oversight into whether that person had done their job. This is not good practice, this is not secure.
The 200,000 credit card numbers Equifax hackers stole belonged to “historical transaction data”, which means Equifax violated PCI security standards.
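The date/time-derived freeze PINs in the examples above can be checked for mechanically. This is an added example, not code from Equifax or TrustedID: it reproduces the MMDDYYHHMM pattern shown in the statement, audits a batch of issued PINs for it, and contrasts it with a PIN drawn from a cryptographic random source. The function names, the two-day window and the sample PINs are assumptions constructed for illustration.

```python
import secrets
from datetime import datetime

FMT = "%m%d%y%H%M"  # MMDDYYHHMM, the pattern behind 0908171415

def timestamp_pin(issued: datetime) -> str:
    """Weak scheme as described above: the PIN is the request time."""
    return issued.strftime(FMT)

def random_pin(digits: int = 10) -> str:
    """Hardened form: every digit comes from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def parses_as_timestamp(pin: str, earliest: datetime, latest: datetime) -> bool:
    """True if the PIN decodes to a minute inside the service window."""
    try:
        decoded = datetime.strptime(pin, FMT)
    except ValueError:  # month 13, hour 25, Feb 30, wrong length, ...
        return False
    return earliest <= decoded <= latest

def audit(pins, earliest, latest) -> float:
    """Fraction of issued PINs that decode to a plausible issue time.
    Close to 1.0 means the PINs are derived from the clock."""
    hits = sum(parses_as_timestamp(p, earliest, latest) for p in pins)
    return hits / len(pins)

def keyspace(earliest: datetime, latest: datetime) -> int:
    """Distinct PINs the timestamp scheme can emit in the window
    (one per minute), versus 10**10 for a random 10-digit PIN."""
    return int((latest - earliest).total_seconds() // 60) + 1

# Constructed window: the two days starting with the public announcement.
WINDOW = (datetime(2017, 9, 7, 0, 0), datetime(2017, 9, 8, 23, 59))
# Constructed sample batches, not real PINs issued to anyone else.
CLOCK_BATCH = [timestamp_pin(datetime(2017, 9, 8, 14, 15)),
               timestamp_pin(datetime(2017, 9, 7, 9, 30)),
               timestamp_pin(datetime(2017, 9, 8, 22, 5))]
OTHER_BATCH = ["4829105736", "9917406621", "0000000000"]

if __name__ == "__main__":
    print("clock-derived batch:", audit(CLOCK_BATCH, *WINDOW))
    print("non-clock batch:   ", audit(OTHER_BATCH, *WINDOW))
    print("keyspace:", keyspace(*WINDOW), "vs", 10**10)
    print("random PIN:", random_pin())
```
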
Vermont’s Security Breach Notification Act requires that a “data collector” must notify the Attorney General within 14 days of notice or discovery of a breach. Consumers need to be notified within 45 days. Consumers were notified within 40 days. To the best of my knowledge the Attorney General was not notified any sooner.
Vermont’s Social Security Number Protection Act requires treatment of SSNs in more secure ways (encryption especially for transmission) than Equifax employed.
Freeze my credit? Sure.
There are three consumer credit bureaus in addition to Equifax. Experian, Innovis and Trans Union. Freezing credit is somewhat complicated and puts the burden for security on the consumer.
Equifax has also set up a “shadow credit reporting agency” called National Consumer Telecommunications and Utilities Exchange (NCTUE) in which data of people who have credit freezes on their account can still be accessed. Equifax is the sole contractor. The site is being served with an invalid certificate, making it inaccessible via Google Chrome (the company made this change in April 2017, this is not a new thing), one of the most popular web browsers.
Equifax also runs a salary verification service called The Work Number which requires a separate freeze/opt-out.
Security experts call Equifax and their legacy of poor security and incident response “digital dinosaurs” and I do not want to have any more interactions with them than ones that are strictly necessary.
My question for Equifax is the same as Farhad Manjoo in the New York Times “Now that you have failed at your one job, why should you be allowed to keep doing it?”
I argue their conduct goes beyond just being lazy or shoddy but heads over into recklessness and negligence. The multiplier effect of that negligence is causing low-level constant harassment via small “Not sure if this is Equifax’s fault or something else” indignities in my financial life that I anticipate continuing to follow me for years.
I keep my private information secure — using two-factor authentication, not reusing passwords, teaching classes on practical privacy — but I am a public person and there are risks. If I don’t want to take Equifax up on their offered remedy, comparative options are
Identity Theft — $240/year
Lifelock — $360/year
I would like Equifax to provide me money for these monitoring services for myself, my sister, and my jointly-owned business, for five years, not the one they have offered with their own in-house monitoring. A low end cost of $3600.
I would like Equifax to reimburse me for my pain and suffering because of their negligence having to deal with all of this nonsense when I had more important stuff going on. I didn’t have time to make multiple phone calls, sit on hold for hours, or reload a website zillions of times. I’m sure many didn’t. I would like a token payment of $1000.
I would like Equifax to reimburse me for court, travel, and reproduction costs of $250.
How did it go?
The tl;dr is that this all really hinged on the idea of “speculative damages” (i.e. I was asking for money I would have to spend in the future, not money I’ve already spent). In a small claims case, your time and hassle are worth basically zero. The judge tried to help me along, but I haven’t really spent a lot of actual cash on this other than court costs. So while there was no right-then decision and the judge was going to wander off and research some things, it didn’t really look like it was going to go my way.
Which, to be honest, was about what I was expecting. I maybe could have documented some more stuff, I could have started paying for credit monitoring beforehand on spec, I guess. I’m pretty happy overall with how this went. Their lawyer (a paralegal really) was a decent, honest person who got an all-expense-paid trip to Vermont in the height of springtime. I spent a few hours here and there assembling my case and got to take a write-offable trip to one of my favorite adorable courthouses and had a good story to tell.
If you like to read in Twitter-thread format, you can do that.
small town librarian sues megacorporation, the story thus far (medium.com)
- CNN — Equifax says March breach not related to major hack
- The Register — Equifax execs sold shares before mega-hack reveal. All above board — Equifax probe
- NY Mag — Equifax is a superfund Site
- USA Today — Equifax CEO: ‘We will make changes’
- Fortune — Equifax CEO Richard Smith Who Oversaw Breach to Collect $90 Million
- NYTimes — Seriously, Equifax? This Is a Breach No One Should Get Away With
- Popular Science — Your social security number probably got leaked and that’s very, very bad
- NBC News — Equifax Execs Resign; Security Head, Mauldin, Was Music Major
- CBS News — Equifax ex-CEO: Hacked data wasn’t encrypted
Security & Tech Coverage
- Graceful Security — Equifax Breach Timeline
- Krebs on Security — Ayuda Help Equifax Has my Data
- Krebs on Security — Equifax Breach What You Should Know
- Krebs on Security — Another Credit Freeze Target NCTUE.com
- Wired — Equifax Officially Has No Excuse
- The Verge — For weeks, Equifax customer service has been directing victims to a fake phishing site
- CompliancePoint Blog — The Equifax data breach, PCI, and you
- Cisco’s Talos Intelligence — Content-Type: Malicious — New Apache Struts2 0-day Under Attack
- Krebs On Security — Equifax Breach Response Turns Dumpster Fire
- Krebs on Security — Fraudsters Exploited Lax Security at Equifax’s TALX Payroll Division
- HealthIT Security — Tech Company Agrees to $264K Vermont Data Breach Settlement
- TechCrunch — Former Equifax CEO says breach boiled down to one person not doing their job
- The Work Number
- TALX (Now Equifax Workforce)
- C-Span Coverage/Testimony of Richard Smith, former Equifax CEO
- United States Senate Committee on Banking, Housing, and Urban Affairs — Testimony of Richard Smith (pdf)
- Vermont Legislature 9 V.S.A. § 2435 Security Breach Notice Act
- Vermont Legislature 9 V.S.A. § 2440 Social Security Number Protection Act