An Article from Aaron's Article ArchiveEquifax Security Breach (i.e. Equifax Leaked My Private Information)?
Photo: Desert FlowerIPv4You are not logged in. Click here to log in.
Use Google to search aarongifford.com:
Equifax Security Breach (i.e. Equifax Leaked My Private Information)?
Friday, 23 December 2011 3:16 PM MST
It seems that Equifax, one of the three giant credit reporting agencies, and also a company that offers various "security" products (as I think of them) that may alert you to potential problems appears to have leaked my private information.
You see, in December 2007, I signed up for Equifax Credit Watch monitoring because it was free for me (because the Workers Compensation Fund of Utah had a data breach which may have compromised some of my data and offered this service for some months for free). I signed up and provided Equifax my private information, including my Social Security number. I also gave Equifax an email address to reach me, a custom address created new exclusively for the Equifax Credit Watch service. The address was unique, and I only gave it to Equifax. Nobody else knew it, or even knew it existed. And the address was very unlikely to have been guessed at random using a brute force dictionary attack.
So imagine my surprise when I get in my mailbox, addressed to this Equifax-only-knows email address, junk mail advertising "No cost coupons for local Restaurants". How did this spammer know the email address?
I suspect that Equifax has leaked it. Either directly (i.e. perhaps there's been a security breach at Equifax that leaked my email address), or indirectly (i.e. Equifax shared my information with a third party and that party has suffered a data breach). Either way, I consider Equifax responsible for leaking my information. And this drastically worries me. Was my Social Security and other important private information leaked too? Or just my email address?
Equifax, I would have sent a message to your security officer about this problem, but I cannot find any publicly available contact information. Therefore you get a 'blog post.
So many organizations, institutions, and individuals trust Equifax. Should we really trust them if they can't keep even a simple email address private?
On 01 Jan. 2012, Steven Bernstein commented:
Subject: Confirming your theoryOn 05 Jan. 2012, Dale commented:
Hello. I, too, own my domain and provided a unique email address to Equifax. And I just noticed that I have received about 35 pieces of spam mail to that address, starting on 2 Dec 2011 and up to today. It was one per week at first, and then increased in frequency. I can provide email headers if you request it.
The only other email I received to that Equifax-only address was back in Feb 2011, where a "legit" piece of mail from them tried to sell me my credit score (since, as the email pointed out, they had only provided my credit "rating", not "score"). Charming.
I did a google search in the past month for "equifax security breach" and your blog popped up. There's strength in numbers.
Subject: Happened to me alsoOn 06 Jan. 2012, the article author and web site owner, Aaron D. Gifford added:
I also used an email address unique to Equifax and started receiving spam around the same time. How can we take this public to get real answers about what was leaked?
Subject: Oh, the irony!On 11 Jan. 2012, Matt commented:
It's ironic that Equifax offers a Data Breach Service. Were I looking for help for such a problem, after discovering that Equifax appears to have data breach problems of its own, I don't think I would dare trust their services, at least until they come clean and track down and publicly disclose what happened.
The fact that after posting this article, in the first week of January two others have shared with me that they too have experienced a similar recent leakage of personal information lends credence to my suspicions and conclusions.
Subject: Me tooOn 18 Jan. 2012, someone calling himself/herself Equifax commented:
Yeah, same deal here. Own domain. Custom addresses for every site. Getting spam now on the unique equifax address. Interesting that there aren't any news stories on this. Really makes me not trust equifax because either they don't know or they are trying to keep the story from getting out. Either way not good.
Subject: Equifax acknowledges data breachOn 18 Jan. 2012, the article author and web site owner, Aaron D. Gifford added:
Like others who've posted here, I've been getting spam to an address known only to Equifax. When I contacted their Customer Care department, I got the following response:
"We are aware of this situation and our Security Department is investigating. What we can reassure you of is that there has been no internal or external access to your Equifax account. This is limited to an external exposure of email addresses. We are working to put measures in place to ensure this does not happen again."
Take this with however many grains of salt you wish.
Subject: Re: Equifax acknowledges data breachOn 24 Jan. 2012, Duane commented:
Someone contacted Equifax, and even sent them the URL to this 'blog posting and received back the very same response, that they were investigating, that it was only an external exposure of email addresses (implying no other information was leaked, though not stating such exactly), and that they were indeed working to ensure this would not happen again. It was probably the exact same quote Mr./Ms Equifax quoted above.
As for "...there has been no internal or external access to your Equifax account."—One need not access an account, neither internally nor externally, for information related to that account, even private information, to have been leaked. Account access is quite distinct from information leakage. Hence my comment that this statement implies no other information was leaked, but does not state definitively that such is the case.
I too attempted to contact Equifax. Sadly, when I did so, I got a canned link to a web page that was utterly and completely unrelated to this issue. I wish I'd received the sort of response Mr./Ms. Equifax received.
Subject: Equifax Account ProfileOn 15 Apr. 2012, mpa shared:
Same here. Own domain. Custom addresses for every site. Getting spam now on the unique equifax address. Can't figure out how to complain to Equifax about it. I did go into my account profile at Equifax and chose to "exercise your right to instruct us not to provide your non-public personal information to non-affiliated third parties, except as permitted by law." I will see if that stops the SPAM sent to my custom Equifax E-mail address.
Subject: Hate to do a "me too"...butOn 17 Apr. 2012, article author and web site owner Aaron Gifford added:
Same story here. I was going through mail logs and noticed that an address created for an Equifax perhaps a decade ago (and not ever given out anywhere else) is now getting SPAM. It may have been happening for years, I'm not sure, as I've archived everything but the past 4 months.
As a side-note: Its nice to know that I'm not the only one who does this. I've been creating new email addresses for each different vendor and contact for 15 or 16 years now. The all-time winner is Dialpad.com. 13 years later, I still occasionally get SPAM to an email address stolen or sold by them.
Subject: Other LeaksOn 27 Jun. 2012, SIngh commented:
I had something similar happen for the second time with Fidelity as well. Unlike Equifax, I've actually heard back from humans at Fidelity and it appears they're taking the problem seriously.
And further back in the past, Vonage and Zions Bank managed to leak my unique email addresses.
Sadly, and ironically, it seems that it's financial companies that leak most often. Although I haven't yet 'blogged it, I started getting junk mail to my unique Scottrade address shortly after I recently had them liquidate my account and send me a check, bringing my balance to zero there. Prior to taking that action, I had never had a problem for many years with them.
I have not yet encountered any problems with the social networking companies that so often we members of the public worry about with regard to the vast amount of personal information they collect. Google, Facebook... Zero spam to the unique addresses I use for those, and those get used far, far more often.
If it weren't for the fact that I have hundreds of unique email addresses that are spam-free and have been for years, many that I use far more often than those I've mentioned that have leaked out, I might wonder if somehow my own database had been compromised and leaked. But since these others, the majority, appear secure and spam-free still, I strongly suspect any and all leaks are elsewhere.
Subject: No subject
I have exactly the same problem with Equifax. I am receiving about 150 spam emails a day now. Its been 2 months now. Does anyone know of a solution to solve this problem?