Yesterday Equifax, one of the big three US credit bureaus, disclosed a breach affecting 143 million people, for the most part Americans, but a smaller number of Canadians and British subjects as well. Among the information lost (and lost it was—this is a case of known unauthorized access, not merely exposure) are names, Social Security Account Numbers, dates of birth, and addresses. Large subsets of the affected individuals also lost credit card numbers, dispute documents, and driver's license numbers.
Equifax said an unspecified flaw in its website was exploited by the hackers. (Many speculate that a known but unpatched vulnerability was exploited.) The company said it noticed the breach on July 29th, forty-nine days before yesterday's disclosure. (This strikes observers as about thirty days delinquent.)
Equifax is offering free credit monitoring and identity theft protection; it also says its core credit-record databases were uncompromised. Essentially no one regards this as mitigation: indeed, the company's public response strikes most as tone-deaf. The Twitterstorm over the incident is massive and utterly unsympathetic. The company's share price is dropping dramatically, and the future of the entire credit-monitoring industry is being called into question.
Three senior Equifax executives sold their company's shares between discovery and disclosure. The company's statement says the three were unaware of the incident at the time of their trades.
WikiLeaks offered another dump from Vault7 yesterday. It involved no cyber tools, but rather a missile control system.
And the ShadowBrokers are back to announce they now plan semi-monthly releases.