Equifax is in the news for a massive data breach. I’ve actually been aware that at least some Equifax customer data was stolen years ago. I don’t know who else knew, but if you want to know how I knew, read below.
If you are a typical Internet user you have probably signed up for dozens of accounts at various sites on the Internet. More and more, these sites want to identify you with an email address. It’s easier for you to remember than a user name, and it is something unique to you. Over time, your email address has been grabbed by spammers and you probably get a few stray scam emails that make it through your email provider’s spam filter. You’ll never know how the “Yahoo boys” or whoever got your email address, but I have a simple way of tracking that.
I run my own email server. A mail server can handle email for many domains, and if you run it yourself you can do things that most people cannot. Let’s say that I own the domain theredpen.tld (this is not a real domain, just an example). I can configure my mail server so that mail to any address at that domain, whatever comes before the “@”, is delivered to my one inbox. So if you sent an email to genius@theredpen.tld or fucknut@theredpen.tld, both would arrive to me, and neither address has to exist beforehand. The technical term for the part of an email address before the “@” sign is the “local part”, and with a catch-all like this, any local part, regardless of content, is accepted as mail to me.
As a result, when I sign up at a web site, I give it a local part tailored to the site. When I signed up at the news analysis site Stratfor, I gave it an email address like stratfor@theredpen.tld. Yesterday, I got a scam email claiming to be from the “Microsoft Store” and informing me that I had to pay an invoice. It was addressed to stratfor. Not only have I not bought anything from the Microsoft Store, but had I done so, I would have given them an address like microsoft-store@theredpen.tld. The scam is no surprise, as it is well known that Stratfor’s user information was stolen years ago. If I had only one address, I would have no idea how the scammer got it, but in this case I know that this scammer is using the list stolen from Stratfor. Sometimes I get the same scam to multiple addresses, which tells me that they are using several aggregated stolen lists.
On that note, I should also point out that I get six or seven copies of Democratic fundraising emails, each addressed to a different local part. That’s because if you give to a candidate, they will sell your email for fundraising. Right now, I get two copies of Daily Kos emails: one to the address I gave Daily Kos and one to the address I used to sign up for Acadia electric (at the suggestion of a Daily Kos email). I spend a lot of time unsubscribing for the reason “I already get this at another address.”
At this point it should be obvious how I know that Equifax was breached. That’s right, at some point, years ago, I had to create an account at Equifax to get a report. Then, some time in the last few years, I began receiving spam to the specific address I gave only to Equifax. I can’t recall when this started, but it was definitely years ago.
The spam was bad enough that I added it to my email server’s “kill list.” I have no spam filter because I have a professional interest in seeing what spams and scams are going around. Sometimes, however, the volume of spam to a particular address becomes tiresome and I configure the server to “bounce” mail to that address. I added “equifax@” to that list a while ago.
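The per-site addressing described above, together with the kill list, amounts to a small triage step on each inbound message: read the local part, look up which site it was handed to, check whether the sender is that site, and bounce addresses that have become pure noise. Below is an added example of that logic in Python, not the author’s own server configuration. It assumes the example domain theredpen.tld, a hypothetical registry mapping local parts to the site each was given to (the sites and sender domains in it are constructed), and an MTA that records the original recipient in an X-Original-To header (Postfix does; other MTAs may use a different header), with a fallback to To:. The sample messages are constructed for the example.

```python
"""Attribute inbound mail to the site a per-site address was given to.

Added example, not the post author's code. Assumptions: the catch-all
domain theredpen.tld from the post, a hypothetical REGISTRY of local
parts, and an MTA that records the original recipient in X-Original-To.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

CATCHALL_DOMAIN = "theredpen.tld"  # example domain from the post

# Hypothetical registry: local part -> (site it was given to, sender domains
# that site legitimately mails from). Constructed for this example.
REGISTRY = {
    "stratfor": ("Stratfor", {"stratfor.com"}),
    "equifax": ("Equifax", {"equifax.com"}),
    "dailykos": ("Daily Kos", {"dailykos.com"}),
}

# Local parts whose mail is bounced outright (the post's "kill list").
KILL_LIST = {"equifax"}


def local_part(address):
    """Return the lower-cased local part if the address is at our catch-all
    domain, otherwise None (mail relayed for some other domain)."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    if domain.lower() != CATCHALL_DOMAIN:
        return None
    return local.lower()


def recipient_local_part(msg):
    """Prefer the MTA-supplied original recipient; To: is spammer-controlled."""
    return local_part(msg.get("X-Original-To") or msg.get("To", ""))


def triage(raw_message):
    """Classify one message as ('bounce'|'expected'|'leaked'|'unknown', local_part).

    'leaked' means the address was given to exactly one site, yet someone
    other than that site is mailing it, so the site's list has escaped.
    """
    msg = message_from_string(raw_message)
    rcpt = recipient_local_part(msg)
    if rcpt is None:
        return "unknown", None
    if rcpt in KILL_LIST:
        return "bounce", rcpt
    if rcpt not in REGISTRY:
        return "unknown", rcpt
    _site, sender_domains = REGISTRY[rcpt]
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain in sender_domains:
        return "expected", rcpt
    return "leaked", rcpt


def campaign_spread(raw_messages):
    """Map Subject -> sorted local parts it reached. One subject hitting
    several per-site addresses means the sender works from an aggregated
    list, as the post observes."""
    spread = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        rcpt = recipient_local_part(msg)
        if rcpt:
            spread[msg.get("Subject", "").strip()].add(rcpt)
    return {subject: sorted(parts) for subject, parts in spread.items()}


# Constructed sample messages (not real mail).
SAMPLES = [
    "X-Original-To: stratfor@theredpen.tld\nFrom: billing@example.invalid\n"
    "Subject: Microsoft Store invoice\n\nPay now.\n",
    "X-Original-To: stratfor@theredpen.tld\nFrom: news@stratfor.com\n"
    "Subject: Weekly analysis\n\nThis week...\n",
    "X-Original-To: dailykos@theredpen.tld\nFrom: billing@example.invalid\n"
    "Subject: Microsoft Store invoice\n\nPay now.\n",
    "X-Original-To: equifax@theredpen.tld\nFrom: win@example.invalid\n"
    "Subject: You won\n\nClaim here.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
    print(campaign_spread(SAMPLES))
```

Reading the recipient from the MTA’s own header rather than To: matters: a spammer can put anything in To:, but the local part the message was actually delivered to is what ties it back to the site that leaked it.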
Did Equifax know they were breached? They might not have. Or maybe they didn’t want to tell anyone. “Mandatory Reporting” laws have been going into effect over the last decade or so, and it’s possible that they didn’t have a regulatory duty to report the breach even if they did know about it. Mandatory Reporting laws vary from state to state. At the Federal level, they cover health care information (due to HIPAA) and some financial institutions, such as banks. Even so, I know that some companies will avoid reporting anyway — if they think they won’t get caught.
Did I tell Equifax? No, I didn’t. I hate Equifax, and telling them wasn’t going to undo the breach. On a more practical level, it can be difficult to figure out who to tell. Sending a message to customer care often goes nowhere, so I became discouraged and stopped reporting these. When I did get a response, it was frequently a claim that no breach had occurred and that the email was obtained somewhere else. This is despite my efforts to explain that there was nowhere else to obtain the particular email address.
I also had the strong suspicion that they wouldn’t have taken the information seriously. Since they hadn’t reported a breach, they probably didn’t want anyone to know. I’ll bet that this latest disclosure is due to a Mandatory Reporting law that was passed between the breach I detected and the current one. Finally, seeing as how the first order of business on this latest breach was selling their stock, I think I was right about Equifax management.