Firewall Wizards mailing list archives
Re: Equifax Canada
From: "Adrian Grigorof" <adi () grigorof com>
Date: Mon, 20 Jun 2005 00:27:43 -0400
Apparently this was caused by "improper use of a customer's access codes and security password". Can Equifax force its customers (basically all the credit institutions and many others) to use a method of authentication stronger than a user id/password combination? To quote a recent post from Marcus J. Ranum:
How many of you could tell your customers *that*?! People scream and whine over the idea of putting firewalls in (still) - now, attempting to enforce a local policy against a business partner - that's patently ridiculous. Right? Well, technically it's NOT ridiculous, but everyone has basically blown it off.
It is surely cheaper to call 600 customers once a year (ok, make that twice a year) than enforcing an expensive authentication infrastructure. Is it not a basic principle in IT security that the cost of securing same data should be less than what that data is worth? It is true, they loose some credibility but since they have almost monopoly on the credit checking business (there is only one other company) that's still cheaper than changing the authentication process. Some heads will probably roll but I doubt there will be any major changes and I expect they will be in the news again sometime in the future... Besides, compared to 40 million credit cards, 600 credit reports are not that bad, eh? Go Canada ;) If I am not mistaken, the previous incident (March 2004) was a case of "criminals masquerading as credit grantors" but I bet the firewall guy(s) were again the scapegoats:( Regards, Adrian Grigorof www.firegen.com ----- Original Message ----- From: "Paul D. Robertson" <paul () compuwar net> To: <firewall-wizards () honor icsalabs com> Sent: Sunday, June 19, 2005 9:33 PM Subject: [fw-wiz] Equifax Canada
"For the second time in about a year, the credit reporting company Equifax Canada Inc. has suffered a security breach that has given criminals access to personal financial information of hundreds of Canadians. The latest case came to Equifax Canada's attention several months ago, but was made public only yesterday. Criminals that breached the firewall gained access to 605 consumer files, which contain personal information ranging from names and addresses to type of bank loans and credit cards, payment obligations and social insurance numbers." 605 Canadians, that's like 300 Americans, right? ;) Sounds like someone needs remedial INFOSEC training- sheesh 2nd time in a year? Paul --------------------------------------------------------------------------
---
Paul D. Robertson "My statements in this message are personal
opinions
paul () compuwar net which may have no basis whatsoever in fact." _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Equifax Canada Paul D. Robertson (Jun 19)
- Re: Equifax Canada Adrian Grigorof (Jun 20)
- Re: Equifax Canada Paul D. Robertson (Jun 20)
- Re: Equifax Canada R. DuFresne (Jun 20)
- Re: Equifax Canada Paul D. Robertson (Jun 20)
- Re: Equifax Canada Mark Teicher (Jun 22)
- RE: Equifax Canada Brian Loe (Jun 22)
- Re: Equifax Canada Adrian Grigorof (Jun 20)
- <Possible follow-ups>
- RE: Equifax Canada Monkman, Brian (Jun 20)
- RE: Equifax Canada Paul D. Robertson (Jun 20)
- Re: Equifax Canada Keith A. Glass (Jun 20)
- RE: Equifax Canada Ames, Neil (Jun 29)