I'm most disappointed in the Canadian gov't and their lack of action. This would have been the perfect opportunity to mandate change - We don't have to send data on all of our people and their credit history to this American company. Or at least without actual legislation and rules around governance, security, and actual penalties for breaches.
Instead we let them get away with - no more than a handful of Canadians were affected - followed by - oops, yup lots of Canadians - followed by - holy heck, how many Canadians are there way up there?
We don't need to go along with this. Yet it never seems to get better.
I met with my MP over the weaponization of autonomous systems. I've put a ton of work into understanding where all this is headed. I spoke up[0] at the hearing on electoral reform about the cybersecurity risks of computerized elections, but I'm only one man. I've been able to get some things through, like pressuring the Liberal Government to put up more resources[1] but political will lags public outcry. If you want something changed you can't just complain online in your little bubble.
[0] I was one of only two people that spoke up about it and it was added to the final report. The world is changeable. What it takes is showing up and pushing hard.
(The extra bit of irony is that when you move from Canada to the US you have zero credit history, and have to bootstrap from some cruddy credit card that you're never allowed to close afterwards, lest you impact your credit rating...)
The illusion of Democracy while running on Capitalism. Sooner or later this will have to change. Capitalism simply just motivates businessmen to pursue profit and neglect everything else. That includes updating to a more secure Java Web Framework, funny to even think that being a priority in today's mega corps.
The correct response should have been for credit card holders to sue their credit card companies. We have a relationship with the card companies, and they chose to share data with a third party, so the credit card companies are responsible. This class action suit did not happen as far as I know. Why not?
If we're so outraged and thus there's a market for it, why didn't banks start offering their own credit cards with guarantees not to share your data with any third parties?
Also, why should it be risky for someone to know your name, address, and social security number? Yes, I agree it is risky, but it shouldn't be. Those things are not me. They're not even secrets. Knowing those things should not give you superpowers.
> The correct response should have been for credit card holders to sue their credit card companies
Why? Why should it be the victim's job to find and prosecute criminals?
Should victims also be responsible for breaking up monopolies? Or cleaning up oil spills? Or to keep hospital patient records private? How much time and money should victims be required to invest in lawsuits, to bring justice against illegal mistakes made by entities with thousands of people and millions/billions of dollars?
Wouldn't it be better if we had government agencies draft and strictly enforce regulations to prevent this? Like say, an EPA for environment, or HIPAA for healthcare, or GDPR for consumer/business data?
> We have a relationship with the card companies, and they chose to share data with a third party, so the credit card companies are responsible.
When people sign up for credit cards they agree to the terms and conditions, and sharing data with credit scoring agencies is one of them.
Equifax is the one to sue -- they are the ones who let the data become public.
And frankly there are good reasons we have credit scoring agencies. Getting rid of them would make it more difficult for creditworthy people to prove they are creditworthy in order to obtain credit. If there were not credit scoring agencies, lenders would need to rely on methods of determining creditworthiness that are more invasive of privacy than credit histories. Getting a credit card would be like getting a mortgage, and lenders would demand bank statements, pay stubs, proof of past payments, etc.
It upsets me a lot how these financial institutions have complete power over us. God forbid a bank writes a loan to a scammer in your name, because to them it's your fault. Absurd!
Yes!
The only real change that needs to happen is that banks need to be liable for loans they write in your name fraudulently. If they accept stolen data without verifying it is actually you, it needs to be their fault.
The current system of it being your fault makes no sense.
If an average individual had done this, they would face charges (and they should.) But mysteriously when it is done tens of thousands of times it somehow becomes legitimate. I'm a pretty liberal person but I am deeply disappointed in the previous US administration for not pursuing this scandal towards justice.
Equifax really isn't a financial institution. But yeah, in a capitalist system, it shouldn't be surprising that capital has power over you just like in a monarchy, the monarchs have power over you.
This is why we needed GDPR. The courts have been totally unwilling to combat this kind of corporate malpractice, assessing the costs of a breach to be puny.
My opinion is, if your business is sensitive data then being careless with it should be an existential threat to that business.
GDPR is not enough unfortunately to stop the abuses of credit check agencies. As far as I understand it, them sucking up all your data is a legitimate business use, and you do have to give consent for it.
What we really need is regulation to limit the amount of information that can be used for credit checks (and insurance premium calculations while we're at it). Actually that is partly done in the UK - e.g. gender cannot be used while calculating car insurance premiums. But sadly they can still ask for your profession, marital status, etc.
We don’t need GDPR. We need sane penalties for data breaches caused by incompetence. The last thing Canada needs is to put ourselves at any more disadvantage with the US market.
> This is why we needed GDPR. The courts have been totally unwilling to combat this kind of corporate malpractice
It should come as no surprise that the legislative enforcement arm is unwilling to also. I know you dream of laws like the GDPR working, but it doesn't and neither did its predecessor. Instead of asking for new laws, why are you not asking for enforcement of existing ones? And what makes you think a new law will be magically enforced where current ones aren't?
At least the US, and probably other countries as well, have the issue of no reliable means of /authentication/. I feel like this won't be solved until a proper national ID replaces the thing that __everyone__ is forced to use as one even though it isn't supposed to be; 'social security' numbers. That method would need to be secure, reliable, and traceable.
All contracts / inquiries that require use of the identity signature would also need to register that use; ideally the government would run an observation oracle that mirrors the publicly published signatures each agency hosts on their own (which would be a de facto place to check for use/abuse of the signatures).
This would also obviate the need for services like Equifax to exist at all.
> That method would need to be secure, reliable, and traceable.
And that's why it will never happen. This is one of my biggest complaints about the Hacker News community: so many of us are engineers who see a problem and immediately think "here's a solution, technical or otherwise."
We can't "solve" humanity -- it's pure hubris to think otherwise. Any national ID will run the same risks that befall SSNs, passports, licenses, passwords, or any other form of identification. Which, simply put, is that the weakest link is always the person behind them. All it takes is one screw-up -- your passport falls out of your bag on a busy street, a thief breaks into your home and steals the safe with your SSN card inside, someone accidentally makes a list of password hashes public -- and the "secure, reliable, traceable" goes out the window.
I don't have a solution. But I think those of us who are engineers owe it to the general public to stop kidding ourselves into thinking we can come up with "solutions" -- technical or otherwise -- that aren't (1) flawed in some other fashion, (2) unacceptable due to societal norms, or (3) require the elimination of personal freedoms and liberties that at least we in the U.S./Canada/Europe seem to enjoy.
Agree, too often we are using drivers licenses #s (which btw, are public record often), address, phone numbers, and worst case SSNs and foolish "security questions" in the US for identity. None of these are appropriate authenticators of a person, and almost all of this data has been leaked in the past.
I think if there is anyone who is well suited to tackle this, it's.. banks. There are so many bank locations, most people have an existing relationship with a local bank.
If we make bank tellers responsible for verifying the identity of people (the same way a social security office or DMV office verifies a person: birth certs and records checking), they could be paid to be the hands and feet of something like a national ID system.
I think the availability of digital authentication methods significantly varies by country.
E.g. here in Finland TUPAS (https://en.wikipedia.org/wiki/TUPAS) is used by both government sites and private companies. It relies on two-factor bank credentials that almost everyone here has. Two-factor has been standard since online banking became a thing in the 90s and all banks are part of the ~10 bank groups so there aren't any small unsupported banks that I'm aware of. Government sites also support ID cards but no-one uses that option.
I believe some other countries have working, but different, digital authentication schemes as well. Maybe Estonia and Belgium?
These don't work over the phone, though, and asking for address and your identity code (or some part thereof) remains a common over-the-phone "verification" method, at least here. So the identity code / social security number issue still exists, at least to some extent.
I'm not following how authentication obviates the need for record-keeping.
Credit reporting agencies are basically a data warehouse for financial event history. If such a thing didn't exist in some form, how would a lender check whether you made previous payments on time? They can't contact every possible creditor that you could have interacted with.
Maybe a better architecture is possible than storing all the data centrally and creating a massive single point of failure, though.
It is so damn difficult to prove substantial damages to be directly attributable to a specific data leak. It isn't right, but it also isn't reasonable to attribute a specific identity theft incident to a specific leak. My data has been compromised by at least 1 dozen corporations in the past 3 years. Who is to be held accountable if my identity is compromised or my opinion influenced maliciously as a result of a breach?
It isn't as if this data has some chain of custody that can show which actor sold it to another and who used it for a spearphishing campaign. Our secrets are laid bare to whomever has the will to partake of them.
Sometimes I wonder why it is considered immutable that human malice is an unstoppable force. I want my kids to live in a world where those who leak data and those that use it to malign others are rare and held accountable in a manner that is truly commensurate with their cost.
Tell that to my coworker who spent all day on the phone last week fighting identity fraud with his bank. The impacts will be intermittent lightning strikes on random people at random times. To everyone else, business as usual.
Since much of the information doesn't change easily it is my understanding the identity thieves will sit on the information and use it intermittently for years.
Revised revised headline: A year later, we do not have a full accounting of the impact of the data breach, but this weird blog quotes a fraud prevention company saying they saw big increases in online fraud rates: https://www.paymentssource.com/slideshow/data-fraud-after-th...
Ha, how will you know how the leaked information is being used? This is the problem: once your data is out there, there is no way to know how it will be used. Everyone I know had to take active steps to lock their credit history, including me. This is the major blunder they got away with. Unbelievable!
Put your money where your mouth is. Publish your info and see what happens. If you later have a problem, how will you be able to show that it was because you published your info?
Pfft. They've been required to offer credit account locking and unlocking services without charging individuals for the privilege. That's a serious blow to executive bonuses. Surely they'll all have moved on to other companies with a more encouraging compensation structure, leaving Equifax a shell of its former self.
This is the same case as the big banks during the financial crisis. I can’t believe they are still a running company after such a big blunder. Worst part is I as an individual never wanted my social security and personal data to be mined by such companies, let alone have it hacked. We have no say in this.
They didn't lose anyone's data. They just made accidental public backups.
(Seriously though, the use of the same word to describe data loss and data theft is problematic; depending on the nature of the data, one will typically be far more serious than the other.)
What I don't see anyone actually asking is who was behind the breach given the sophistication of the attack and the measures they went to to avoid detection. This wasn't the case of a database just sitting in the open that they could access.
The actual report makes for better reading than Tech Crunch.
This will really only end when the credit rating agencies become irrelevant. Large purchases should be based on ability to pay, which is different than credit rating.
You can have a credit rating of zero just because you don't use credit - even though you have plenty of money in the bank.
If you are running a business, why not avoid Equifax and other credit raters and use a different mechanism?
If you are looking to start up a business - doesn't this look like an area that needs disruption?
Wikipedia has more of this guy's greatest hits. I especially love this one: "In January 2018, Mulvaney canceled an investigation into a South Carolina payday lender that had previously donated to his congressional campaigns."
Great find! I like the "Mulvaney submitted a quarterly budget request for the [Consumer Financial Protection Bureau] to the Federal Reserve for $0."
And after trying to shut down the database of consumer complaints, turns out "8 of the 10 firms with the most complaints about them had contributed to Mulvaney's campaigns."
It's interesting there is more concern and discussion regarding social media privacy but very little discussion of this PII information that consumers are not able to control at the moment. Why should consumers not be able to control who can access this PII data and when they can request it be deleted? They can do so with social media data, so why not this? If they do choose to delete it with a given company, another company that has exercised more fiduciary responsibility by keeping consumers secure can retain it. If the company changes and fixes the holes then consumers should be able to start sharing data again with that company from that point forward.
This is disturbing, but, really, is it surprising? The GOP is in control of all three branches of government in America, and they're always very pro-corporate power. Equifax's data breaches were caused by criminally-insufficient security controls, by a company large enough to know better. They could have secured the data and chose not to. They could have brought in third-party auditors, yet chose to not spend the money. So it's on them. Hopefully, we can hold Equifax accountable at some point, when the politics become a little more consumer-friendly again. Right now, it's almost 100% on the side of corporate rights.
3pt14159 | 7 years ago
Did you meet with them?
These things only get fixed when people speak up.
[1] https://www.cbc.ca/news/politics/budget-billion-cyber-securi...
cat199 | 7 years ago
https://en.wikipedia.org/wiki/Calgary_Internet_Exchange
iamdave | 7 years ago
Yes it did. The complaint can be found below.
https://images.law.com/contrib/content/uploads/documents/398...
p49k | 7 years ago
Which we won't be able to do at all in a few years thanks to the ubiquitousness of forced arbitration clauses?
TuringNYC | 7 years ago
Amongst many things, recall how banks got away with a slap on the wrist for the whole Robo-Signing scandal. (see: https://en.wikipedia.org/wiki/2010_United_States_foreclosure...)
harryh | 7 years ago
Nearly all of the dire predictions made at the time of the breach have been wrong to date.
paulie_a | 7 years ago
It wasn't inadvertently, they made decisions and said "eh whatever"
dwd | 7 years ago
https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO...
cheriot | 7 years ago
https://www.reuters.com/article/us-usa-equifax-cfpb/exclusiv...
https://en.wikipedia.org/wiki/Mick_Mulvaney#Tenure_2
mrnobody_67 | 7 years ago
Just like all the big banks in 2008.