We tested Equifax's data breach checker — and it's basically useless


Something isn't right about Equifax's data breach checker.

In case you missed it: The credit rating giant admitted hackers had targeted the company in the past few months, stealing records on as many as 143 million consumers. The company went into disaster management mode (albeit with a six-week head start) and flubbed the incident response. Not only did the company botch the rollout of the support site, it also threw potential victims into legalistic chaos, with nobody knowing for sure for hours whether or not the site was automatically opting customers out of a future class action suit.

Add one more thing to the dumpster fire of this incident response "omni-shambles."

The checker, hosted by TrustedID (an Equifax subsidiary) and used by millions of people to see whether their private information has been stolen, doesn't appear to be properly validating entries.

In other words: it is giving out incorrect answers.

Earlier, prompted by a tipster's tweet, we noticed that you can enter clearly incorrect information into the checker. We entered "Test" as the surname and "123456" as the social security number.

The system validated the entry and said that the person "may have been impacted."

It's possible that there are several test entries in the database used to validate consumers' data.

But if the checker accepts a seemingly random surname and social security number, there is no way to know whether it returns accurate information when an actual victim enters their details.

We've seen other people complain about the data checker's validation.

Two people tweeted that they checked their records twice and got two different answers.

Another person tweeted that her boss entered a fake name and his infant son's real social security number, and got a positive match. He tried again with his daughter's name and the same social security number, with the same result.

"I don't think Equifax knows exactly who's been affected," Gabrielle Taylor told us by Twitter message.

One person we spoke to tried entering "gibberish," and in several cases got a positive match on a record that he made up. "Sometimes it says it was compromised and sometimes it was safe," said Vsem Yenovkian, in a Twitter message. He recorded and posted a video of one entry, which we also verified using the dummy social security number he used.
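The failures described above (fake inputs accepted, the right digits matching under the wrong name, different answers for the same query) are what a lookup service should be designed to rule out. The following is an added illustration written for this article, not code from Equifax or TrustedID; it assumes the checker keys on surname plus the last six SSN digits and uses constructed records, a constructed pepper and a constructed test fixture.

```python
import hashlib
import hmac
import re

# Constructed for this example: a pepper kept outside the record store so the
# stored hashes cannot be reversed by anyone who only obtains the table.
PEPPER = b"example-pepper-constructed-for-illustration"

def record_key(surname: str, ssn_last6: str) -> str:
    """Key a record on the surname AND the SSN digits together, so the right
    digits under a made-up name (the 'infant son' case) cannot match."""
    normalised = surname.strip().lower() + ":" + ssn_last6
    return hmac.new(PEPPER, normalised.encode(), hashlib.sha256).hexdigest()

# Constructed breach records, deliberately including a leftover test entry of
# the kind the article suspects is sitting in the real database.
RAW_RECORDS = {
    record_key("Doe", "987654"),
    record_key("Roe", "111222"),
    record_key("Test", "123456"),  # test fixture that leaked into the data set
}
# Fixtures are tracked explicitly and stripped before the lookup set is built,
# so a public query can never match them.
TEST_FIXTURES = {record_key("Test", "123456")}
LOOKUP_SET = RAW_RECORDS - TEST_FIXTURES

SURNAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")
LAST6_RE = re.compile(r"^[0-9]{6}$")

def check(surname: str, ssn_last6: str) -> str:
    """Return 'invalid', 'impacted' or 'not_found'.

    Input shape is validated before any lookup, and the answer is a pure
    function of the input, so repeating a query cannot flip the result."""
    if not SURNAME_RE.match(surname or "") or not LAST6_RE.match(ssn_last6 or ""):
        return "invalid"
    return "impacted" if record_key(surname, ssn_last6) in LOOKUP_SET else "not_found"
```

With these rules the "Test"/"123456" query from the article returns not found rather than "may have been impacted", and asking twice yields the same answer both times.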

We reached out to Equifax for comment, but did not hear back. If that changes, we'll update.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
