www. O S N E W S .com
.
Data of 143 million Americans stolen from Equifax
By Thom Holwerda on 2017-09-07 23:45:22

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

Names, social security numbers, birthdays, addresses, driver's license numbers, credit card numbers - this is a very big breach.

Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.

.
RE[3]: Public social security numbers
By benoitb on 2017-09-08 06:35:45
In France you can vote, have insurance, open bank accounts without giving a number that is your single unique identifier.

There is a number on your ID card that nobody ever asks for. Another number on your passport if you have one (only necessary if you travel out of Europe). You are not legally obliged to get any of these documents.

Another number for social security.

I have not heard horror stories of people getting impersonated.

The downside is that for most procedures you are asked to provide documents justifying that you have been living in some place for 3 months.
Permalink - Score: 2
.
Comment by XKCD
By XKCD on 2017-09-08 07:25:51
Good. World needs to learn that IT security matters. The bigger and worse the incident, the better. That's the only way people learn these days: through catastrophic incidents. Sadly, I am sure even this incident is not bad enough and big enough for people to learn... But it's something.
Permalink - Score: 1
.
RE: Comment by XKCD
By Kochise on 2017-09-08 08:23:54
No, people don't learn. History repeats like a Groundhog Day.
Permalink - Score: 2
.
RE: Comment by PJBonoVox
By ahferroin7 on 2017-09-08 12:20:47
Only if they actually knew about the breach and it influenced their decision.

People with stock options in their employer as part of their benefits often sell off stock on a semi-regular basis so that they don't have all their money tied up in one company. Without further background on the individuals, I'd say it's 50/50 whether it was insider trading or not.
Permalink - Score: 2
.
RE[3]: Public social security numbers
By ahferroin7 on 2017-09-08 12:31:53
The problem is not how private companies are using it, it's that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only thing in the US that requires proper identity verification beyond knowing your SSN. As a result, if you get someone's SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.

In contrast, in most countries in Europe, and quite a few other countries, you have either:
1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.
or:
2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don't have any reason to require an actual ID number.
Permalink - Score: 3
.
RE[3]: Comment by XKCD
By Alfman on 2017-09-08 13:34:09
XKCD,

> Good. World needs to learn that IT security matters. The bigger and worse the incident, the better. That's the only way people learn these days: through catastrophic incidents. Sadly, I am sure even this incident is not bad enough and big enough for people to learn... But it's something.

Yeah, well, we'll see. I remain doubtful because if history is any indication, nothing will change.


Parang,

> Well, who does not learn, suffers. And that's a good thing. It's how it's always been with evolution.

The trouble with this logic is that we *all* suffer even when *others* fail to learn. Through no fault of our own, we can be victimized by poorly implemented policies that we have no control over at all. It's not our fault that things are the way they are, but we'll suffer the repercussions nevertheless for their failure to adapt. Whether we like it or not, we're all in the same boat here.

That 143 million figure represents virtually all US credit card holders, but with Equifax being a multinational company, who knows how far this breach actually goes.

On a more personal level, I discovered that a company I applied to illegally obtained my credit report. They're supposed to have explicit consent, but there's no actual security there, and Equifax as a business makes their money selling credit data; their incentives are fundamentally misaligned with our interests.

Edited 2017-09-08 13:35 UTC
Permalink - Score: 2
.
RE[5]: Comment by XKCD
By cb88 on 2017-09-08 14:03:06
I doubt that. I've disagreed with Thom on *many* occasions as we have very different viewpoints. And here I am.
Permalink - Score: 3
.
RE[4]: Public social security numbers
By Alfman on 2017-09-08 14:08:13
ahferroin7,

> The problem is not how private companies are using it, it's that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only thing in the US that requires proper identity verification beyond knowing your SSN. As a result, if you get someone's SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.

But the problem is NOT in having a unique id, it's how the ID is used that's the problem. That was dark2's point, we would be more secure if SSN were public and not treated as something we needed to keep secret.


> In contrast, in most countries in Europe, and quite a few other countries, you have either:
> 1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.


This is exactly what SSN was originally intended to do, and being a unique key is a perfect use of federal IDs. However, somewhere along the way financial institutions started to use this ID as authentication, which is what caused this whole mess with keeping them secret. Static IDs assigned at birth are great for database keys, but incredibly foolish to use as authentication.

> or:
> 2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don't have any reason to require an actual ID number.


Yeah, every library card I've ever gotten in the US required a federal ID number. We could debate whether or not they need to use a federal ID for their database key. However, to be clear, they needed to have real proof of identification and residency to open an account, so in this case it's not like the SSN is the proof. Ironically, I think the libraries have a higher security bar than many banks and credit cards.

Edited 2017-09-08 14:24 UTC
Permalink - Score: 4
.
RE: Comment by PJBonoVox
By Bobthearch on 2017-09-08 17:12:30
Practically? It's the definition of Insider Trading.

Company executives regularly sell stock in their companies, true enough. But it's normally done at pre-scheduled intervals in order to avoid any perception of Insider Trading. These Equifax trades were not announced and not part of an existing routine trade program.

The source journalist at Bloomberg (if your ad-blocker is up to the task):

https://www.bloomberg.com/news/ar...

An Equifax statement claims the executives, “had no knowledge that an intrusion had occurred at the time.” And if you believe that...
Permalink - Score: 4
.
RE[2]: Public social security numbers
By dark2 on 2017-09-08 17:37:41
> for some weird political reason, Americans don't want mandatory IDs

The problem is the people that want mandatory IDs want to use it as a platform to "fight voter fraud," which always means use it as a way to stop people we don't like from voting.
Permalink - Score: 3
