www. O S N E W S .com
Data of 143 million Americans stolen from Equifax
By Thom Holwerda on 2017-09-07 23:45:22

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

Names, social security numbers, birthdays, addresses, driver's license numbers, credit card numbers - this is a very big breach.

Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.

.
RE[8]: Public social security numbers
By Alfman on 2017-09-09 17:59:18
daveak,

> You are missing the point. SSN are supposed to be unique. They are not. End of story. There is no problem in having a unique number. They just need to actually bloody be unique.

You cited one single example of a SSN mistake in the past 17 years. That's pretty damn good :) I dare say it's probably higher than that and some social security administration mistakes are just going unreported, but it's nowhere near the exaggerated scales you've been citing. The "40 million Social Security numbers associated with more than one person" comes from people submitting invalid IDs on forms rather than errors by the social security administration.

Please try to understand what I'm saying: *everyone* agrees this is a problem but the root cause is the utter lack of security and NOT the unique numbers themselves.

Like the hotel room example, the problem isn't that rooms have unique numbers, it's the way we use them without any form of authentication. Someone should not be able to charge things to my room just because they know my room number, likewise someone should not be able to apply for credit in my name just because they have my federal ID number. It's the same thing, the number isn't the problem, but the use of it without authentication is.

Edited 2017-09-09 18:08 UTC
Permalink - Score: 2
.
Comment by Boogaloo
By Boogaloo on 2017-09-10 19:25:32
I am actually happy to hear about such things. People need a hard hit on the head to wake up and smell the reality. A system where a single "secret" number is enough to impersonate a person is retarded. A company that pays little to no attention to IT and data security deserves to crash and burn. People who put up with both these things deserve a painful lesson.
Permalink - Score: 2
.
RE: Comment by Boogaloo
By Alfman on 2017-09-10 21:44:21
Boogaloo,

> I am actually happy to hear about such things. People need a hard hit on the head to wake up and smell the reality. A system where a single "secret" number is enough to impersonate a person is retarded. A company that pays little to no attention to IT and data security deserves to crash and burn. People who put up with both these things deserve a painful lesson.

I agree with your general assessment, but you are very wrong on the last point. You can blame the victims however much you want, but when it is companies that you have no relationship with that are ruining your credit and sending your interest payments skyrocketing, then what do you really expect people can do?

Their options:
1. Spend time and money going to court.
2. Wait in vain for Congress to act (we're in a deregulatory political climate, so good luck with that).
3. Go to each of the three major credit bureaus who are selling your data and pay their fee so they stop selling your data.

https://www.transunion.com/credit...

This is probably the easiest option, but they still technically collect your data and it can still get leaked, they just stop selling it out.

You could argue it's your data and they have no ethical right to sell it in the first place. But they don't give a crap if you're right or wrong because they're making boatloads of money and Congress has done nothing to stop them. Until their activities are banned by law, they'll continue to do it regardless of what we think.

Always keep in mind when it comes to companies selling personal credit data, you are the product and not the customer. It makes the whole notion of boycotting them completely moot unless you have a way to persuade companies to stop buying credit data. If you think there's a good way to do that, then please share because many of us would like to see changes.

Edited 2017-09-10 21:46 UTC
Permalink - Score: 2
.
RE[2]: Comment by Boogaloo
By darknexus on 2017-09-11 13:01:25
> You could argue it's your data and they have no ethical right to sell it in the first place. But they don't give a crap if you're right or wrong because they're making boatloads of money and Congress has done nothing to stop them. Until their activities are banned by law, they'll continue to do it regardless of what we think.

And even if it were to be made illegal, they'd still do it on the sly, and with the government's covert blessing and approval. That's what you get when corruption is everywhere and encouraged.
Permalink - Score: 2
.
RE[3]: Comment by Boogaloo
By Alfman on 2017-09-11 14:56:25
darknexus,

> And even if it were to be made illegal, they'd still do it on the sly, and with the government's covert blessing and approval. That's what you get when corruption is everywhere and encouraged.

Yea, first the laws have to get passed. Quid pro quo dynamics between government and business make this unlikely.

Secondly, the laws have to be enforced. Without enforcement, laws don't help. Do not call legislation is an example of laws that were supposed to help, but many companies ended up taking advantage of the fact that violating the laws can still be low risk and profitable. :(
Permalink - Score: 2
.
In socialist Sweden...
By Megol on 2017-09-11 20:58:55
... the personal identifier is used as a key, it contains the date of birth, sex, location of birth combined with a running counter whose size depends on the location (highly populated areas need to support more births per day). There's also a simple checksum.

With the personal id number one can get the name. With the name one can get the current living address. With the name and address one can get the id number. Oh and the declared income and tax returns, marital status and cars owned too - it's all available if one really wants to find out.

The only problems with this kind of system (except for paranoid people - those that have reason to be paranoid can get their data tagged secret for normal accesses) is in combination with bad systems design.
Permalink - Score: 2
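As an added illustration of the identifier format described in the comment above (not code from the thread or from any Swedish agency): a parser for the 10-digit YYMMDD-NNNC form that checks the date and the check digit. The comment only says "a simple checksum"; the Luhn algorithm used here, the odd/even sex digit, the fixed `century` parameter and the sample number are assumptions of this example, and coordination numbers (day + 60) are not handled.

```python
from datetime import date


def luhn_check_digit(nine_digits: str) -> int:
    """Luhn check digit over the first nine digits (weights 2,1,2,1,...)."""
    total = 0
    for i, ch in enumerate(nine_digits):
        v = int(ch) * (2 if i % 2 == 0 else 1)
        total += v - 9 if v > 9 else v  # digit sum of a two-digit product
    return (10 - total % 10) % 10


def parse_personal_id(text: str, century: int = 1900) -> dict:
    """Parse YYMMDD-NNNC; raise ValueError if malformed.

    `century` is an assumption of this example: the short form does not
    carry the century, so the caller has to supply it.
    """
    digits = text.replace("-", "")
    if len(digits) != 10 or not digits.isdigit():
        raise ValueError("expected 10 digits")
    yy, mm, dd = int(digits[0:2]), int(digits[2:4]), int(digits[4:6])
    born = date(century + yy, mm, dd)  # ValueError on an impossible date
    if luhn_check_digit(digits[:9]) != int(digits[9]):
        raise ValueError("checksum mismatch")
    return {
        "born": born,
        "serial": digits[6:9],
        # Last digit of the serial: odd = male, even = female.
        "sex": "male" if int(digits[8]) % 2 else "female",
    }


def is_wellformed(text: str) -> bool:
    """True if the number is structurally valid. Anyone can compute this,
    so it catches typos and says nothing about who is presenting it."""
    try:
        parse_personal_id(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample value constructed for this example, not taken from the page.
    print(parse_personal_id("811228-9874"))
    print(is_wellformed("811228-9864"))  # one mistyped digit
```

The checksum makes the number a reliable database key against data-entry errors; because the whole structure is derivable from public facts, passing this check cannot serve as authentication.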
.
RE[3]: Public social security numbers
By Lennie on 2017-09-12 10:10:03
If I remember correctly, this video explains it (but I lack the time right now to check it): https://www.youtube.com/watch?v=E...
Permalink - Score: 2
.
RE[5]: Public social security numbers
By zima on 2017-09-13 22:57:47
> It's a little bit different in Germany: You are forced to "buy" an ID card ("Personalausweis", personal identification) for a relatively high price (compared to the actual costs of creating the ID card), and it has a built-in expiration date. If you do not have one, you'll be facing a quite heavy fine. After expiration, you may not keep the (invalidated) ID card. It also contains "online functionality" which doesn't actually work and is also insecure.

Whoa, I can't believe I'm saying this, but it looks like Poland is "nicer" than Germany in some respect: in PL the ID card ("dowód osobisty", ~personal ~proof ...which BTW was made first required under occupation by Nazi Germany :P ) is free (it wasn't that way until few years ago - you had to pay a small fee - but a court established that since it was mandatory, it shouldn't cost anything). It also expires / lasts for 10 years. I think you can also be fined for not having one. You may also not keep it after expiration. Latest-gen ID cards, issued from 2015 IIRC (and long in the planning stages...), were supposed to have a chip/"online functionality" ...but it was ultimately cancelled.

> A passport ("Reisepaß", travel passport) is fully optional. It is more expensive than the ID card. In many cases, it can substitute the regular ID card, but often requires that you also have a registration card ("Meldebescheinigung", certificate of residence) because the passport doesn't contain your postal address. This additional document of course also costs some money.

Here even the ID card doesn't have your address! (the post-2015 ones; previous gen does have the address, but it was removed in current gen)

> However, revealing the identification numbers of those documents (which identify the document, not the person!) is typically not needed. Data protection and privacy laws provide strong regulations about what may be obtained and stored by private companies.

In PL we have personal number "PESEL" which is printed on ID cards and typically required by banks or hospitals ...but it seems we avoid the issues plaguing US with its SSN, I think largely because the number is used mostly only as a database key and not a proof of identification/authentication by itself (for that, you need to show the ID card) ...though there are exceptions to this - I remember that during 2010 EU-wide census, you could login to the census webpage with nothing more than the personal number, and there were some instances of abuse...

Edited 2017-09-13 22:58 UTC
Permalink - Score: 2
