Wow, this document is extremely short. The disaster is very palpable in this format.
> names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million U.S. consumers (since updated)
OK, so who is going to be the grown-up in this situation?
It's obvious now that these numbers can no longer be treated as secret or, in most cases, as identifying instruments.
Who will lead the effort to deprecate them and migrate all of the documents and accounts which rely on them?
Why is it so difficult to imagine a coherent, sober response from government and mega-corporate entities which have, until now, been using SSNs as identifying data?
They're already trying to change "bank fraud" into "identity theft" and defer liability to the person whose info is being used, vice the old way of the bank being fully liable.
Ironically, for a lot of industries they're better off just giving it the see-no-evil-hear-no-evil-speak-no-evil treatment and ignoring that those numbers can/will be stolen.
It's a little bit like the opposite of the way everyone is doing facial recognition and biometrics these days - plausible identifiability, when it's to their interest not to notice that the person doesn't match the id.
I want to see us move away from SSNs and OLNs (driver license numbers) as identifying instruments. But this comment seems a little naive.
There is massive infrastructure built entirely around the use of SSN as the sole and final arbiter of who is who. You can change your social, yes, but many, many systems ignore that entirely because it's for the most part rare and something that happens 0-1 times in a person's life.
The government cannot just say "hey that whole SSN thing yeah we're not doing that anymore" without a decade or more of lead time. Companies like Equifax and other not-quite-as-dumpster-fire ones who rely on something like SSN can't just create their own and can't just use everything but.
It needs to change but it will take years if not decades to fully extricate it from the system, and that's if the government decides today that it needs to be done, which itself isn't clear right now.
I saw an apparently authentic local post on Facebook from a woman who received a call from someone in law enforcement. She had apparently missed a jury summons, and the official was trying to help her sort out the mess. He asked her about her address (turned out to be an older address) and knew her occupation, told her to meet him somewhere.
Something seemed odd to her; she called the police and established that no one by that name worked for them. She may have dodged a kidnapping attempt.
To make an incoherent and possibly bogus story short: this felt to me like a possible outcome from the Equifax data breach. Random stranger knows your (previous) address, knows what you do for a living, knows your phone number. There could be even worse outcomes than identity theft from this.
A more direct anecdote: I just got a replacement social security card by mail. All it took to do it online was information from my credit report.
Thanks to this breach, the only defense against someone getting my social security card fraudulently is that it has to be mailed to my current address.
Just have to add that in circumstances like this a corporate death penalty seems appropriate. Equifax is an entity that you are not able to be removed from in any way. When you look at the financial and security ramifications of the breach, what was released, and the response, it seems appropriate. The kicker is that Equifax also offers credit monitoring for fraud prevention as a product to line their coffers.
I hope you're being specific in your wish for Equifax to be shut down and not the whole consumer credit reporting industry. That industry solves a very, very real problem for consumers, and countries without credit reporting also don't have consumer access to credit, making, among other things, finding mortgage loans virtually impossible.
The privacy angle is minuscule compared to the human costs of not having consumer debt.
The corporate death penalty here would not fix the problem. The data are already exposed.
Equifax market cap is currently $13.5B. Corporate death penalty would hurt owners of that stock, maybe funds in your own 401K account. Thousands of people would lose their jobs.
Would it have a preventive effect? Maybe but doubtful. There are too many systems with too much data that are too old and too interconnected to think that it's even possible to secure them all. If it wasn't Equifax it would have been someone else, eventually. Most of what Equifax exposed was probably already exposed in other leaks anyway.
Better solution should be developing new, secure methods of proving identity, where leaks don't matter because it's not possible to leak anything of value. All the old ways are now forever broken.
Don't forget, if you want to change your social security number, here's the process[1]:
1. Prove you meet the conditions for changing it (you must show proof of identity _theft_ and how it disadvantages you)
2. Show up at an office, in person, with original documentation.
Sounds like a great startup idea: make fixing 143M citizens' identities as easy as ordering a pizza. Or create the Uber for people who will stand in line for you at the Social Security office.
Problem is data theft doesn't meet the criteria of identity theft. You can't change your SSN until you have proof of identity theft, not a data breach.
The problem is that SSNs are not secret to begin with. They are a unique identifier that is in hundreds of systems already. They provide no security. We need another common system to confirm people's identities.
Cool idea. YMMV with this, though. The government accidentally assigned me someone else's SSN (had the same first/last name as me and was born in the same hospital) and it took about 2 years to rectify.
Serious question: at what point does it not matter that your identity has been stolen simply because everyone's has been stolen? I mean, we're approaching that point, right? The size and scope of this breach basically encompasses the entire adult population of the US, does it not?
We're certainly at the point where there's no reason to believe that your data has not been exposed. Whether it's been used to commit fraud is another matter. The odds are in your favor by sheer numbers but who knows for how long.
It has been eight months since the data breach was announced (nine since it was discovered). This is the first time we are getting a full reckoning of what data was accessed. (We knew it was ~150 million SSNs, but we didn't know what else it included--e.g. address history, income, debt, etc.) I'll admit, Equifax actually exceeded my expectations in this regard; I was skeptical that they would be able to create a document like this at all. Still, the impact of the data breach was magnified by the fact that they have so little oversight over their own systems that reconciling records took more than half a year.
Any time there's a privacy issue nowadays, I like to play "What if GDPR?" GDPR would have required this document be filed to the relevant authority in three days (Article 33). And the work to compile this document would have mostly been front-loaded by complying with the documentation requirements in Article 30. I don't think GDPR would have made a direct impact on preventing the breach (other than maybe causing someone to look at the towering pile of paperwork and consider thinking of the data as a liability), but affected users would have been much better prepared to know how they might have been affected and how to respond.
In three days (where possible). Equifax would have said it was not possible. The benefit of GDPR is that you could request that they delete any data they have on you. I also believe they wouldn't be able to collect this personal information in the first place since you don't have a business relationship with them.
[1]: https://faq.ssa.gov/link/portal/34011/34019/Article/3789/Can...