Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com)
Equifax's data breach was colossal -- but what should happen next? The Guardian writes:
The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
Mandate that SSNs are not proof of identity (Score:5, Insightful)
An SSN is a good primary key in a database because each SSN should correspond to a unique person. It's a terrible way, however, for proof of identity. We essentially use it as a username, but also as a password, and a password that you're unable to change. Furthermore, by law, you have to provide it to banks and some other institutions to use their services. You need to share your SSN with your employer in order to get paid for your job. And you have to trust that none of these entities will mishandle your SSN.
How about using the SSN for the primary key it is and doing away with it altogether for proof of identity. Mandate that financial institutions use other proof of identity such as one time use passwords and public key encryption. Devalue the SSN and, at the same time, replace it with a secure means to prove identity. The government does have a role, because they can and do regulate entities like financial institutions.
Re:Mandate that SSNs are not proof of identity (Score:2)
Sure, make SSN a unique key, but using it as a primary key is always a bad idea. Use meaningless object IDs as primary keys, which in turn will be used as foreign keys in other tables instead of the SSN.
You can even put the SSN in a different table or database with added security features/restrictions.
Re: Mandate that SSNs are not proof of identity (Score:3)
And that's the problem; it is human readable and meaningful. Granted, you will have to look up the primary key given an SSN in the protected table or database:
SSN -> primary key
Primary key is something like: bd3b546d7136432218858eff
Then search for that primary key (foreign key) in other tables.
That's exactly what we have to do in our applications. It is a little less convenient but security sometimes conflicts with "human readable".
Bonus: developers that have access to prod data do not need access to the SSN for most tasks.
Using SSN or other meaningful data as a primary key is bad security wise.
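An added example (my own sketch, not code from any commenter) of the layout this subthread describes: one protected vault keyed by an opaque record ID, the SSN reachable only through that vault's "SSN -> primary key" lookup, and every other table carrying just the ID. The keyed-hash lookup index and the shape check are assumptions of mine; 219-09-9999 is the SSA example number quoted elsewhere in the thread.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Vault stands in for the protected table: it alone holds SSNs, keyed by an
// opaque record ID. The keyed-hash (blind) index is an assumption added here
// so the vault can answer "SSN -> primary key" without keeping SSN as a map key.
type Vault struct {
	indexKey []byte
	bySSN    map[string]string // HMAC(SSN) -> record ID
	byID     map[string]string // record ID -> SSN (encrypt at rest in a real system)
}

// Customer is what every ordinary table holds: the opaque ID, never the SSN.
type Customer struct {
	RecordID string // foreign key into the vault
	Name     string
	Balance  int
}

// Customers is the ordinary table keyed by record ID.
type Customers map[string]Customer

var ssnShape = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)

func NewVault(indexKey []byte) *Vault {
	return &Vault{indexKey: indexKey, bySSN: map[string]string{}, byID: map[string]string{}}
}

// blindIndex derives the lookup key for an SSN; only the vault knows indexKey.
func (v *Vault) blindIndex(ssn string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(ssn))
	return hex.EncodeToString(m.Sum(nil))
}

// newRecordID mints 12 random bytes, the same 24-hex-digit shape the comment shows.
func newRecordID() (string, error) {
	b := make([]byte, 12)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Enroll stores an SSN once and returns the opaque ID the rest of the schema uses.
func (v *Vault) Enroll(ssn string) (string, error) {
	if !ssnShape.MatchString(ssn) {
		return "", errors.New("ssn does not have the NNN-NN-NNNN shape")
	}
	idx := v.blindIndex(ssn)
	if id, ok := v.bySSN[idx]; ok {
		return id, nil // already enrolled: reuse the ID rather than duplicate the person
	}
	id, err := newRecordID()
	if err != nil {
		return "", err
	}
	v.bySSN[idx] = id
	v.byID[id] = ssn
	return id, nil
}

// Lookup is the "SSN -> primary key" step; it never hands back an SSN.
func (v *Vault) Lookup(ssn string) (string, bool) {
	id, ok := v.bySSN[v.blindIndex(ssn)]
	return id, ok
}

// FindByRecordID is all most application code, and most developers, need.
func (c Customers) FindByRecordID(id string) (Customer, bool) {
	cust, ok := c[id]
	return cust, ok
}

func main() {
	vault := NewVault([]byte("constructed-index-key")) // constructed sample key
	id, _ := vault.Enroll("219-09-9999")                // SSA example number quoted in the thread
	db := Customers{id: {RecordID: id, Name: "Jane Example", Balance: 42}}
	fmt.Println("record id:", id)
	if looked, ok := vault.Lookup("219-09-9999"); ok {
		c, _ := db.FindByRecordID(looked)
		fmt.Printf("customer found via the vault: %+v\n", c)
	}
}
```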
Re: Mandate that SSNs are not proof of identity (Score:2)
You could also use an easily-remembered hash of the primary key, like your "record locator number" for an airline reservation. This combined with some other elementary personal data would be unique.
Re:Mandate that SSNs are not proof of identity (Score:3)
It's a perfectly fine key - for the US Social Security system. The issue is all the lazy-ass leeches who want to use it for anything else. Credit and medical industries being major violators.
I haven't given my SSN to anyone who's not deducting SS from a payroll payment for about 30 years. On very rare occasion, I'll use the "last 4" for some things, but unless I'm being paid and they're adding to my SS account, that's all they get. That includes credit cards, mortgages, insurance, cell phone and other utilities - I've given it to none of them.
And, when a previous employer gave it to an insurance company without my permission, I filed a formal ethics complaint for disclosing personal info unnecessarily. Didn't go anywhere. They were clueless and blew it off, but they don't exist anymore and I'm still around.
Obamacare requires a Taxpayer ID, which is usually but not always an individual's SSN. One of the reasons it should be repealed.
Re:Mandate that SSNs are not proof of identity (Score:2)
I haven't given my SSN to anyone who's not deducting SS from a payroll payment for about 30 years.
You've got that right. This is actually the only use case for it. Where I live, corporations don't even want to know it if you try to give it to them for other purposes. Shit, even the nice police officer didn't want to know the other day!
We just went a quantum leap further than what was the topic of this subthread so far, but then again: how would the developers using a fixed SSN-like field everywhere in their database (primary client key, foreign keys) cope with your behavior?
Those who do that might even have a stored proc to validate the SSN field, I have seen it ;-)
Re:Mandate that SSNs are not proof of identity (Score:2)
Strange thing, last time I opened a bank account, they wanted my Driver's License number. WTF? Since when do you have to drive to have a bank account?
I can help with that [fakena.me]. Or use 457-55-5462 (Lifelock CEO) or 078-05-1120 or 219-09-9999 [ssa.gov]
Re:Mandate that SSNs are not proof of identity (Score:2)
Strange thing, last time I opened a bank account, they wanted my Driver's License number. WTF?
Yep, a driver's license is still commonly asked for since the SSN is no longer politically correct to ask for; a passport works also...
Re:Mandate that SSNs are not proof of identity (Score:2)
I can help with that [fakena.me]. Or use 457-55-5462 (Lifelock CEO) or 078-05-1120 or 219-09-9999 [ssa.gov]
Yep, the formula to validate SSN is no big secret although it is not published at large.
Re:Mandate that SSNs are not proof of identity (Score:2)
There's no point in protecting the SSN, it's a good unique key that should be indexed so that you use it to bring up necessary biometric data to identify a person.
SSNs can be generated by a computer and then just tried out how well they work and if they work they are good enough for some illegals. Trying to get a SSN to not get into the wrong hands is futile.
Re:Mandate that SSNs are not proof of identity (Score:2)
You are an older schooler than I am!
Hint: we are now in 2017 and any sensitive information should be protected as well as your certificate authority (CA) although I am exaggerating just a tiny little bit...
Seriously, what you are suggesting just makes leaking much more probable, since we have to hide the SSN and other sensitive info repeated all over the database with obfuscating scripts for people that don't need access for testing, and if we forget only one spot the whole exercise is pointless.
Re: Mandate that SSNs are not proof of identity (Score:2)
An SSN is not guaranteed to be unique
SSNs are not unique, but SSN+DOB is unique.
Re: Mandate that SSNs are not proof of identity (Score:2)
Not in a parallel universe! ;-)
Re:Mandate that SSNs are not proof of identity (Score:3)
Being an old codger going back to the days of big iron and wide green bar printouts, I can remember when old printouts with full SSN, NAME, ADDRESS and other information that is now considered sensitive were freely available for anyone to take home for their kids to color on. We even used the back at work to sketch out program and process flows. Some lawyer should be able to milk the use of SSNs for granting credit for some number of gigabucks to discourage such use.
Re:Mandate that SSNs are not proof of identity (Score:5, Insightful)
Using an SSN (or other nationally valid identifier) for "identity" is one thing; using it as *proof* of identity (i.e., as an authenticator) is another. Any business using an SSN as an authenticator and trying to hang a debt around the neck of the person identified by the SSN should be laughed out of court.
The burden should not be on the shoulders of the "identity theft" victim to prove the negative (that they did not get the goods/services the creditor is claiming that they got), but rather on the shoulders of the creditor, to prove to just whom they gave those goods and services. As soon as that is recognized in law, I think a lot of the "identity theft" problems will go away. It may be harder to obtain goods and services on credit, however.
Re:Mandate that SSNs are not proof of identity (Score:3)
Around here it is already the law that the company claiming you owe them has to prove that the debt exists. Unfortunately it doesn't always help.
I had some company contact me with a debt I didn't recognize about a decade ago. I asked them to send me some proof, like a signed agreement, which obviously there is no way they could have. So they know that if they ever try to go to court they are screwed and will be laughed out, but it doesn't stop them sending me a letter every few months offering me some crappy deal on repayment.
Worse still, if I had not responded it seems that a lot of companies try going to court on the off chance that the defendant doesn't turn up. If they consistently get no response they often chance it and try to get a default judgement, and the courts don't even bother to do basic checks like seeing if they have a valid signature (how could they?)
Re:Mandate that SSNs are not proof of identity (Score:2)
The burden should not be on the shoulders of the "identity theft" victim to prove the negative (that they did not get the goods/services the creditor is claiming that they got), but rather on the shoulders of the creditor, to prove to just whom they gave those goods and services.
How? Make people come in to get their initial credit card so a picture can be taken and other proof of identity? We can't even get people to agree that people should have to prove their identity to vote.
Re:Mandate that SSNs are not proof of identity (Score:2)
The card says it is not to be used for identification. Which is now a joke.
Your social security number is not supposed to be used for identification. But there is a very simple reason why everyone uses it for exactly that purpose -- it is the only unique identifier that exists.
The problem isn't that it is used as a unique identifier. The problem is that it is used to verify that unique identifier. You should be able to tell anybody and everyone that you are the John Smith with SSN of 499-99-9993. You then should have to prove that some way with a signed key, picture ID, etc... It was a mistake taking SSN off of driver's licenses. They should be there. They should be on business cards too and mailboxes. SSN is the non-changing number that identifies you as a unique John Smith as opposed to the dozens of other John Smiths that might exist. The problem is you can't have knowledge of a person's unique non-changing identifier also be proof that you are that person. That is absurd. The simplest solution would probably be to have a government database where you can type in a Name and SSN and it pops up a picture and public key of the person in question. This would also be a solution to businesses unknowingly hiring illegal immigrants as well.
Re:Mandate that SSNs are not proof of identity (Score:2)
The simplest solution would probably be to have a government database where you can type in a Name and SSN and it pops up a picture and public key of the person in question.
I don't think you know what kind of systems the government is using. The people who know the most about you are the IRS, and they still rely on software that was running before man (allegedly) set foot on the moon.
Even when they try to modernize it's a joke. Look at the complete fubar of the 2 billion dollars Obamacare website.
Big brother concerns aside, there's just no way this kind of database could happen anytime soon. Facebook or Google are more likely to get that level of accuracy than good ol' Uncle Sam.
Re:Mandate that SSNs are not proof of identity (Score:2)
It should, but it doesn't. The converse isn't true either.
Re:Mandate that SSNs are not proof of identity (Score:2)
How about using the SSN for the primary key it is and doing away with it altogether for proof of identity.
It's not. Any value that can be NULL sucks. Not everyone has an SSN number. In fact, not everyone lives in a country where such a thing exists. Equifax is a global company. So any solution that mentions SSN is a bad start.
At some point we'll have to get used to the fact that in order to be safe we'll have to have laws that demand our physical presence somewhere for certain important things in life. Ordering a credit card is one of these things. Would it really kill us to get out of the house, go somewhere, have your identity physically validated (showing documents or hardware that then come home with us and of which no copy is made)?
During the process we could create some jobs, too.
Re:Mandate that SSNs are not proof of identity (Score:2)
The government does have a role, because they can and do regulate entities like financial institutions.
You're wagging the dog. Financial institutions regulate the government.
Re: Mandate that SSNs are not proof of identity (Score:2)
Naw bro, use a synthetic primary key. Although quite rare, people do occasionally change SSN.
Re:Mandate that SSNs are not proof of identity (Score:2)
This. The SSN offers zero security. So many institutions have it that it might just as well be public information. Plus, even after a data breach, you cannot change it.
There are so many things wrong with the US credit (and banking) system. Basically anyone can write checks on your account, if only they know your routing and account numbers. SSNs as proof of identity. Etc.. It's all a "good faith" system, with zero security.
Then these three corporations managing everyone's credit information: Consumers are not their customers, so they have little incentive to ensure that your data is correct, or to respond to problems. The consumers are, at best, sheep for them to fleece for a bit of extra money, with their so-called "trust" programs.
Re:Mandate that SSNs are not proof of identity (Score:2)
SSN can't be a primary key because not everybody has one.
Re:Mandate that SSNs are not proof of identity (Score:4, Interesting)
The correct answer [slashdot.org] is to use UAF or U2F. The U2F keys all have UAF capability.
You walk into a bank, present your ID (driver's license, etc.), and they can see it's you. Online, you tell them what car you had in 1999, where you lived 6 years ago, and which bank holds a current loan. One of these is stronger than the other.
So what you do, you walk into a bank, present your ID, and then you take a brand-new, personally-owned, $20 security key to their terminal. You plug it in or wave it at the NFC, and it sends separate keys to Equifax, TransUnion, etc. Done. You now have an established trust with the credit reporting agency.
When you open a new credit account, the bank checks the CRA for your history. If you have a hold on your credit, the CRA tells them no loans. Same deal: when the bank talks to the CRA, the CRA sends a challenge; you use your security key to digitally sign the response, proving your physical possession of the correct key, thus your identity. Generally this is RSA or elliptic curve; and the devices are non-cloneable.
Lost your key? Call your bank and tell them. They'll put your trusts on hold with the CRA. You show up with ID and your key to re-establish trust. In the meantime, it's impossible to open a new loan account.
People can't hack the CRA or the bank and steal your identity to open new loans in your name if there's no shared secret to steal. You have the only secret; you can prove you have that secret; and you can prove it without revealing the secret. An adversary can only steal the secret by stealing a physical device; and they use secure hardware that resists physical and logical attack, so cloning is destructive at best, and destructive attacks tend to completely fail on these devices.
That's the solution. It's the cheapest, most-effective, simplest option available today.
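An added example (mine, not the commenter's) of the challenge-response flow described above, modelled with Go's standard-library P-256 ECDSA: the security key holds a separate key pair per CRA and never exports a private key, the CRA keeps only public keys, each challenge is single-use with a short expiry, and a hold flag blocks new accounts even against a valid signature. The consumer and CRA names, the one-minute expiry and the relying-party-name domain separation in the signed digest are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// SecurityKey stands in for the hardware token. It keeps one P-256 key pair per
// relying party (as U2F does) and never exports a private key.
type SecurityKey map[string]*ecdsa.PrivateKey

// Register mints a fresh key pair for one CRA and returns only the public half.
func (k SecurityKey) Register(rp string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k[rp] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge. The relying-party name is folded into the signed
// digest, so a response minted for one CRA cannot be replayed at another.
func (k SecurityKey) Sign(rp string, nonce []byte) ([]byte, error) {
	priv, ok := k[rp]
	if !ok {
		return nil, errors.New("no key registered for this relying party")
	}
	digest := sha256.Sum256(append([]byte(rp+"|"), nonce...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

type challenge struct {
	nonce   []byte
	expires time.Time
}

// CRA is the credit reporting agency side: an enrolled public key, a hold flag
// and at most one outstanding challenge per consumer.
type CRA struct {
	name    string
	pubKeys map[string]*ecdsa.PublicKey
	onHold  map[string]bool
	pending map[string]challenge
}

func NewCRA(name string) *CRA {
	return &CRA{name, map[string]*ecdsa.PublicKey{}, map[string]bool{}, map[string]challenge{}}
}

// Enroll is the in-branch step (identity checked in person, public key kept on
// file); SetHold freezes or releases the consumer's credit, e.g. after a lost key.
func (c *CRA) Enroll(consumer string, pub *ecdsa.PublicKey) { c.pubKeys[consumer] = pub }
func (c *CRA) SetHold(consumer string, hold bool)         { c.onHold[consumer] = hold }

// Challenge issues a fresh, single-use nonce that expires after one minute.
func (c *CRA) Challenge(consumer string, now time.Time) ([]byte, error) {
	if _, ok := c.pubKeys[consumer]; !ok {
		return nil, errors.New("unknown consumer")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c.pending[consumer] = challenge{nonce, now.Add(time.Minute)}
	return nonce, nil
}

// Verify runs when a bank asks to open an account: hold, freshness, then signature.
func (c *CRA) Verify(consumer string, sig []byte, now time.Time) error {
	ch, ok := c.pending[consumer]
	delete(c.pending, consumer) // single use, whether or not the signature checks out
	switch {
	case c.onHold[consumer]:
		return errors.New("credit on hold: no new accounts")
	case !ok:
		return errors.New("no outstanding challenge")
	case now.After(ch.expires):
		return errors.New("challenge expired")
	}
	digest := sha256.Sum256(append([]byte(c.name+"|"), ch.nonce...))
	if !ecdsa.VerifyASN1(c.pubKeys[consumer], digest[:], sig) {
		return errors.New("signature does not match the enrolled key")
	}
	return nil
}

func main() {
	key, cra := SecurityKey{}, NewCRA("equifax")
	pub, _ := key.Register("equifax")
	cra.Enroll("jane", pub) // constructed consumer
	nonce, _ := cra.Challenge("jane", time.Now())
	sig, _ := key.Sign("equifax", nonce)
	fmt.Println("verify:", cra.Verify("jane", sig, time.Now()))
}
```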
Re: Mandate that SSNs are not proof of identity (Score:2)
Was the Equifax breach big enough, and of enough consequence to actually change anything.
Depends. Did it impact Trump or any of his close family and friends? If not, then no.
Why "trumpize" this? Politicians on both sides have been making decisions based on self-interest forever, that's nothing new. And I suspect that if you personally were in the oval office you'd do the same. That's just human nature; it probably happens in your workplace. Odds are higher of having your company support the "pink ribbon" campaign if a woman is in charge of the social committee; if it's a man, it'll be movember. There's nothing wrong with that.
Re:Mandate that SSNs are not proof of identity (Score:2)
Exactly! As someone affected by the Equifax breach, Best Buy, Target and at least 2-3 others, my SSN has been breached way too many times.
Why the fuck did you give your SSN to Best Buy? I probably spend $7k / year there and they don't even have my disposable email address.
Re:Mandate that SSNs are not proof of identity (Score:2)
Wrong. https://www.computerworld.com/... [computerworld.com]
Cleaning floors, I hope.
Bad tech journalism must die (Score:5, Insightful)
These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
About as insightful as the apper guy. Blockchain magic fixes everything. Also, since when was the age of a company a good predictor of an internal cowboy culture?
Re:Bad tech journalism must die (Score:2)
My thoughts exactly. Blockchain credit history? Great! Now every fraudulent entry is there permanently, and can't be removed! Brilliant!
as they say, "let the free market decide" (Score:5, Interesting)
- Name + phone hacked = $2 penalty
- Name + address hacked = $3 penalty
- Name + SSN hacked = $5 penalty
- etc., and combinations of the above, just multiply.
Things would get fixed right quick.
Re:as they say, "let the free market decide" (Score:2)
Pretty much impossible legally. That's why they're Limited Liability Corporations, after all.
In fact, that's the whole point of a Corporation - to make the corporation liable, and not its employees (like, you know, the CEO)....
Re:as they say, "let the free market decide" (Score:2)
- Any of those things hacked: Your company, and not the affected individual, has to prove innocence if anything happens. Someone managed to open a $20,000 credit line to the name of someone affected by the Equifax fiasco? Equifax pays those $20,000.
No statute of limitations here. As long as the breached data can be used for identity theft, Equifax is responsible.
Of course they are free to lobby for a major reform so that no stolen data can be useful for more than one year or so for _anything_ related to money.
Re:as they say, "let the free market decide" (Score:2)
It makes too much sense.
Actually, it doesn't make sense at all. Equifax had a profit of about $600M last year. That is about $2 per American. They can't possibly afford millions of $20k payouts. The money just isn't there.
The solution is to fix the idiotic system that allows "identity theft" by knowing a name, SSN and DOB. Equifax did not create that system, so why should they be penalized for it?
Re:as they say, "let the free market decide" (Score:2)
Wait? A company offering ID&V products isn't responsible for market acceptance of adequate ID&V?
It's possible to say, "That's insufficient information to identify the individual" and refuse to ID&V an individual; of course, that would reduce revenue so fuck consumers?
Re:as they say, "let the free market decide" (Score:2)
At least until they start implementing real security measures that start affecting voters. What do you mean there's an extra $50 on the loan or vehicle processing charge. What do you mean that they need an extra week to verify my identity? I need that money *now*!
In every single case outside of "they stole my credit card last week", I've never seen more than a tiny minority of North American consumers opt for security over convenience. Every single time.
As a business, you don't want to be in the bottom 10th percentile of security. But dear God will your customers crucify you if your product costs more, or even worse, is less convenient, than your competitors'. It's got to the point that I feel security improvements beyond the minimal only come if you have a monopoly and can inflict better security against your customers' will.
(Latest example - why does EMV in the States mostly use signature rather than PIN? Because there's enough competition in the US that consumers' preferences for less security couldn't be ignored, unlike, for example, Canada, which has better security now only because the ATM cartel (Interac) made sure they had no choice.)
That's a REGULATED market (Score:2)
Fines or not, imposing arbitrary rules is not a free market.
The free market only has one outcome - monopoly, and its resultant abuses. It's the ultimate corrupt system.
Re: as they say, "let the free market decide" (Score:2)
Check out the liability for spilled Protected Health Information in the Massachusetts Data Security act. IIRC it's $1000 per PHI *record* - not per patient. So you spill a database with a million rows, you're liable for 1 billion dollars. Believe me, that kind of liability will put the fear of God into even the biggest company.
Source: years ago, while working on medical research software, I was legal custodian for the PHI of about a million patients in Massachusetts.
Re: as they say, "let the free market decide" (Score:5, Insightful)
The free market has decided that since losing your PII to hackers effectively costs them nothing, they're going to keep cutting costs on data security.
The free market does not prioritize the best interests of customers. It prioritizes profits. If repeatedly fucking over customers or allowing others to do so is profitable - and right now it is - then customers are going to need copious lube and ice for their buttholes for the indeterminate future.
In other news... (Score:5, Funny)
... horse escapes from wide-open barn! Farmer encouraged to shut the f-ing door!
Bright godz, what a mess...
Three executives dump shares (Score:3)
Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.
Wait, that guy is named John Gamble? And he is the damned CEO?
Re:Three executives dump shares (Score:3)
We obviously need someone who can provide checks and oversight on his leadership. Someone so strongly invested in such a process [wikipedia.org] that it would similarly be reflected in their own last name.
Cost to Profit Ratio Too Low (Score:3)
Right now, it's in the best interests of the corporation to allow the details to be stolen.
Assuming the customer even catches the theft, they're still responsible for the first $50 dollars. And if the company chooses to dispute the customer's claim, they might get more than that.
The seller and processor all file claims with their insurance company, and get their money back.
In short, everyone but the victim wins.
Until that changes, this will continue to happen.
innocent until proven guilty (Score:5, Interesting)
Re: innocent until proven guilty (Score:2)
I also agree. And it's not unrealistic; let's just look at credit card fraud, where it's pretty much risk free for the customer. With the proper incentives, the financial services industry can do their homework.
Account hijack is a bigger threat (Score:5, Insightful)
In no place should this be considered "credentials". But the US financial institutions pretend these are secret passwords.
WRONG (Score:2)
This means that a law firm will make millions or tens of millions of dollars and the REAL victims will get $1.23 (less taxes).
And all up, this costs the corporation less money than doing the job properly.
The system is working exactly as it was intended to.
God, some people think rich people are just made of money, do you not know how much a Ferrari costs these days
Re:WRONG (Score:2)
You forget the trickle-down economy. When the lawyers make millions suing companies for losses experienced by someone else, they can afford to hire a pool boy to clean the pubic hair and soiled condoms from their infinity pool filters. Then the pool boy can afford to buy a $5 iTunes gift card for that special someone who's gonna spend it on Kanye West albums. In turn, Kanye West can use that money to buy more drugs and create more scandals at the MTV music awards, which attracts advertisers and viewers.
Lawyers are the linchpin of our economy.
Re:WRONG (Score:2)
I prefer to call it the 'golden shower economy'. They get the hookers and blow, we get the golden showers.
Fundamental principles of personal data (Score:5, Insightful)
(1) We should have control over our personal information, and no one should be allowed to collect it, sell it, and most importantly, use it against us or to manipulate us without our knowledge. I think that must start with the right to control WHERE that personal knowledge is stored (because possession is still 9 points of the law).
(2) Those parts of our personal information that have become public should be visible to ALL of the public. As it might apply in an improved Slashdot, I would thus be able to use that public information to save time by ignoring people with low reputations. No insult intended [to the authors of rather mindless comments on today's Slashdot?], but I'd prefer to spend as much time as possible consorting with people who are nicer and smarter than I am and zero time (or less) being distracted by trolls.
(3) I'd be willing to help pay for such systems, both in terms of development and ongoing costs.
Feeling like a broken record stuck on an old joke, but lots of detailed suggestions available upon polite request. Even nicer if you have some better ideas, but if you have nothing to say, then why don't you say nothing?
Re:Fundamental principles of personal data (Score:2)
I must have missed the part where I said anything about thinking it would be easy to implement ANY of this against the dominant religion of corporate cancerism. Actually, your comment raises the problem of "government of the corporations, by the lawyers, for the richest 0.1%".
However, I do think that websites or other systems based upon such principles might be attractive to discriminating people. There was a time when I imagined Slashdot might be able to become such a website.
From the No Shit Sherlock Institution (Score:3)
B) The Equifax Security Cxx is held personally liable, and faces serious prison time
C) The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters.
Until something like this happens you and I are fucked, while the 1% glide along with no problem.
Re:From the No Shit Sherlock Institution (Score:2)
What criminal law do you think the "Equifax Security Cxx" broke?
"The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters." -- if it turns out to have been the result of an oversight in administration or a programming bug, shouldn't the IT staff that failed to do their job and/or the programmer that caused the bug (or chose to use open source software which had the bug) also be held personally liable? They are the subject matter experts. Depending on circumstances (which hopefully some Senate and House hearings get to the bottom of), what you are proposing may be like holding the CEO of GM personally responsible for an accident caused by an improperly tightened brake line because a line worker failed to tighten it properly.
"Equifax gets sued out of existence" - that would be a nice outcome but I'm not holding my breath.
Re:From the No Shit Sherlock Institution (Score:2)
TL;DR don't take the reward if you aren't willing to accept the risk.
Re:From the No Shit Sherlock Institution (Score:2)
What criminal law do you think the "Equifax Security Cxx" broke?
Well, potentially the UK DPA for a start.
But why do you think people are calling for serious data protection reforms? Right now US data protection is largely absent, health data is about the only consumer data with legal constraints.
Equifax may get sued senseless here but unless there are clear corporate governance failures it's unlikely there'll be criminal charges in relation to the breach.
(Rather more likely in relation to the post-breach sale of shares though)
Re:From the No Shit Sherlock Institution (Score:2)
What criminal law are you proposing the CEO is guilty of? "Bad judgement", alone, is not a crime. The fact that something slipped through the cracks does not mean a crime occurred or that the CEO is guilty of a crime if somewhere in the corporation a crime was committed. We can only prosecute people for actual crimes that were a crime at the time they were committed (so, whatever changes to the law you think should be made wouldn't apply to this situation anyway).
I've had a couple of very good kernel-level programmers working for me that were music majors in college. That alone does not make her unqualified. As well, an executive need not be an expert on every detail - if the executive in charge of manufacturing at GM were applying for a job on the manufacturing line s/he would likely not be hired - her/his job isn't turning wrenches, it's much more financial, planning/forecasting, vendor relations, legal etc.
A chief of security at a large corporation need not, themselves, be an expert on security implementation details. They simply don't have the time to keep up even if they were once experts in the area. That's why they hire people whose primary job IS the technical side and who effectively spend ALL their time on that side (vs. interacting with the board, doing budgets, planning, legal compliance issues, etc).
Re:From the No Shit Sherlock Institution (Score:2)
No, but it falls on the person claiming that someone broke the law to explain what that law is and how the person broke it.
For example, some people "believe" that if you walk down the street and see a stranger having a heart attack that legally you must render aid at least to the extent of calling 911 and that failing to do so is "illegal" -- yet, in the majority of jurisdictions in the United States, you have NO legal obligation to lift a finger to help the person and are not guilty of a crime if you fail to do so. The point is, many (perhaps most) things that people think are "wrong" are completely legal (and many things that many people think are/should be legal are not).
As well, the difference between criminal and civil statutes is important. There are many things that are "illegal" but only have civil penalties or which only expose you to financial liability when sued by the injured party, not criminal punishment - and you only can be put in the "slammer" for criminal violations.
"Surely there something that can be pinned on these assholes" is the first step of a witch-hunt and inappropriate. One should start with "this asshole did specifically X which is illegal" (and, hopefully, the person making the claim is willing to spend a few minutes with google to give some indication of where that law is found).
As far as I know, at this point we don't know if this breach happened due to several zero-day exploits of vulnerabilities in Intel and Cisco firmware that made the exploit invisible to the most sophisticated monitoring tools and techniques used anywhere in the industry and that Equifax only discovered it because one of their analysts had a brilliant insight that they should be looking for correlations in traffic that would reveal a highly improbable attack against a previously unimagined set of unknown vulnerabilities. No, I would not make an even money bet that is the case (as most such breaches are not that obscure), but before I conclude that some "assholes" should be found guilty of a crime, any crime, no matter how far we have to stretch the law, I would need to understand what really happened.
Simple (Score:2)
Re:Simple (Score:2)
Under which law? Doesn't the US have a law specifically against this? Technically two, I think you're suggesting breaking the 4th and 8th amendments.
High tech solutions (Score:4, Insightful)
It is weird to see proposals to introduce high-tech solutions to fix the reliance on SSNs: cryptography, biometrics... All those solutions will have flaws.
Another option could be to look at the numerous other countries in the world, where knowing your SSN has never been enough to get credit on your behalf, or to sell your house.
Solution (Score:5, Informative)
Re:Solution (Score:5, Informative)
Until our country's people come around to the idea of a secure National ID card, SSNs and passwords are all American industries are gonna get.
It's still politically toxic for the American right-wing to even consider national ID. The solution is political. No amount of superior "whizz-bang" super-duper innovations in security such as blockchain will get these people off their seats. They're perfectly content extracting money from the corporation that lost their data and not much else.
They don't want "big brother" to know who they are, except they already have a passport and a birth certificate...
MFA? What? (Score:2)
"We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
How the heck does MFA help this situation? MFA guards the login portal, sure, but doesn't do anything to stop companies creating SQL injection attacks or just storing customer data on public S3 buckets (which is how a lot of these breaches are enabled).
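The point made in the comment above, shown in code as an added example that is not part of the thread: multi-factor authentication guards the login step, but a query built by string concatenation behind that login is still injectable by whoever gets past it. The customer table, the fake SSNs and the tautology payload below are all constructed for the illustration; nothing here is taken from Equifax's systems.

```python
"""Added example (not from the thread): MFA does not help when the code behind
the login builds SQL by string concatenation. Constructed data only; the
customer rows and SSNs are made up for the illustration."""
import sqlite3

# Constructed sample data: a tiny "credit file" table with fake SSNs.
SAMPLE_ROWS = [
    ("Alice Example", "123-45-6789", "alice@example.com"),
    ("Bob Example", "987-65-4321", "bob@example.com"),
    ("Carol Example", "555-12-3456", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, ssn TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, ssn):
    """Look up a customer by SSN using string concatenation.

    This is the pattern that makes injection possible: the caller's input
    becomes part of the SQL statement, so an authenticated user (MFA passed
    or not) can rewrite the query and read every row.
    """
    query = "SELECT name, ssn, email FROM customer WHERE ssn = '" + ssn + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, ssn):
    """Same lookup with a bound parameter; the input is only ever data."""
    query = "SELECT name, ssn, email FROM customer WHERE ssn = ?"
    return conn.execute(query, (ssn,)).fetchall()


def demo():
    """Run both lookups with an honest SSN and with a tautology payload.

    Returns the number of rows each call yields so the difference is visible:
    the concatenated query hands back the whole table to the payload, the
    parameterised one returns nothing for it.
    """
    conn = make_db()
    own_ssn = "123-45-6789"
    payload = "' OR '1'='1"  # classic tautology: WHERE ssn = '' OR '1'='1'
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, own_ssn)),
        "attack_vulnerable": len(lookup_vulnerable(conn, payload)),
        "honest_safe": len(lookup_safe(conn, own_ssn)),
        "attack_safe": len(lookup_safe(conn, payload)),
    }


if __name__ == "__main__":
    print(demo())
```

The honest SSN returns one row either way; the payload returns all three rows from the concatenated query and zero from the parameterised one. Note that the second factor never enters the picture: the attacker here is already logged in, which is exactly why MFA alone is the wrong fix for this class of bug.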
Not going to happen (Score:2)
People need to understand that the internet is not their friend. Places like Equifax identify more with the people who hack them than their customers.
Encourage Simple Gov Regulation (Score:4, Insightful)
Regulation can be dangerous, but it seems this is a situation where it is called for: when a citizen's liberty is being trampled; and the Equifax breach will trample on people's liberty for decades to come – yet they are offering a pittance of one year's credit monitoring as if this will help for a lifetime of damage. Perhaps the EU's GDPR takes things a bit too far for the USA, but it can be used as a reference point, and we need something in our citizens' rights to their own identity in this modern world.
There are many technical solutions available, but out the gate, it seems like we should be seeking some greater level of culpability on behalf of those holding this data, perhaps even considering the GDPR in context. We can at least ask that of our government. A petition has been started [change.org] to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.
Re:Encourage Simple Gov Regulation (Score:2)
A petition has been started [change.org] to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.
Well, since I suspect many congresspeople's and their relations' personal information was in the breach, maybe we will finally see some real action taken. But the cynic in me thinks there will be two regulations, one for the powerful and another for the peons.
Re:Encourage Simple Gov Regulation (Score:2)
Mmm, sounds like a libertarian tautology. Regulation is no more dangerous than any other human construct, like business contracts or deeds. The lack of regulation, though, has caused plenty of harm including deaths: the people who died on the Deep Horizon rig during Katrina, the dozens to hundreds of people who burned up in that London highrise because better materials would have cost a few thousand pounds, those chemical plants in Texas that have leaked or blown up, whose owners argued for lax regulations....
This will get co-opted by deregulators (Score:2)
Industry will somehow, with a straight face, claim that the answer will be getting government out of the way. The *only* reason this could have possibly happened is because of onerous, confusing regulations.
Why?
Memories are short.
Witness the power of this fully functional lobby (Score:4, Interesting)
Nothing will happen at the federal level right away because of this.
The banks are too powerful. These are the same guys who pushed binding arbitration in consumer contracts of adhesion.
States will need to take the initiative first. Let's hope that the banks don't have the power to pass a federal law to preempt the flurry of state laws which will come out of this.
Death by a thousand cuts at the state level might prompt a 'watered down' federal update to the Federal Credit Reporting Act, but it will end up pre-empting any state laws with a decent set of teeth.
Sometimes I worry about the rule of law and equal protection under the law in the US. If the banking cartel can rip off everyone by sidestepping the rule of law with binding arbitration, why can't a sniper take out a banker or two?
Only way they'll change.... (Score:2)
...is to be financially responsible for any breaches where the cost of non-compliance far, far outweighs the cost of compliance.
Easy to do (Score:2)
You want to store personally identifiable information of ANY kind? No problem. We'll create security guidelines that you have to implement, you get audited once a year (at your expense) and if you fail, you pay 1% of your annual gross revenue per day in fines until your security is up to par.
Don't like it? Don't store the information. Easy solution.
That's a REGULATED market (Score:2)
Imposing fines for arbitrary rules is not a free market.
The free market only has one outcome - monopoly, and its resultant abuses. It's the ultimate corrupt system.
Well I'm pissed, so yeah. (Score:2)
Re:The ultimate ban hammer. (Score:5, Informative)
I'll believe that corporations are people when I see one executed. As the saying goes.
Re: The ultimate ban hammer. (Score:3)
Hahahahahahahaha!
So you wanna keep a couple hundred million dollars in a Somali bank? Oh my brother, have I got a great deal for you on a slightly used bridge...
Re:The ultimate ban hammer. (Score:2)
To avoid inconveniences like this, firms like Equifax will simply move vulnerable assets outside of the reach of US Law. Perhaps Belize or Somalia. What kind of physical presence do they actually need in the US any longer? It's all done with the Tubes these days.
They can base themselves anywhere they like. They’ll still need to operate within the U.S. and can therefore be regulated, or even banned. The former is slightly likely, the latter is not likely at all, though the class action lawsuits might take care of Equifax for us.
Laws on Exporting Data (Score:2)
To avoid inconveniences like this, firms like Equifax will simply move vulnerable assets outside of the reach of US Law.
Many countries have laws to prevent the export of sensitive personal data. Both the EU and Canada have laws that require that any export of data be to a country where there is the same level of protection under the law for privacy. This is what causes universities in Canada headaches with using US-hosted online assignments or has required special safeguard guarantees from the US before the EU would share air passenger data etc.
This is also what probably protected Canada from this breach. According to my Canadian bank, Equifax Canada was not affected by this breach because all their data is kept on Canadian-based systems. While they did not say explicitly I suspect that this is because there would be significant legal obstacles to hosting such sensitive data in the US.
Re:Laws on Exporting Data (Score:2)
This is only going to be more common. Russia, China, the EU, India, Pakistan all have data privacy laws going into effect that have actual teeth in them.
Some of the laws actually are contradictory. The EU requires data to be retained on one hand for LEO access. On the other hand, data must be destroyed when it isn't used.
It is ironic that the US is the only civilized country in the world right now without data protection guidelines except in specialized environments (medical, financial)... and even those guidelines are not enforced (Sarbanes-Oxley hasn't been used for much other than having a fisherman arrested for going over the bag limit.)
Re:Laws on Exporting Data (Score:2)
This is also what probably protected Canada from this breach. According to my Canadian bank, Equifax Canada was not affected by this breach
Well, it doesn't appear that your bank knows if you are affected or not. According to this article [globalnews.ca], "Credit reporting giant Equifax has yet to reveal how many Canadians had their personal information hacked over the spring and summer when the company’s database was breached." and "The breach exposed the information of an 'unknown' number of people living in Canada and the United Kingdom." It sounds to me like Canadians are affected, they just haven't said how many yet.
Re:Stop it with the blockchain nonsense (Score:2)
Blockchain:
- Unclear accountability (the real reason for popularity)
- You're putting data on lots of computers, in different jurisdictions.
- Can't really delete anything (privacy nightmare)
- Not really anonymous.
- Encryption will be broken in time.
- Power not really distributed, just obfuscated (lies with devs).
- Slow and overly complex.
The Blockchain solves 1 and only 1 problem at great cost. That problem is the Byzantine General's problem [wikipedia.org] which handles the problem of bad actors in a system. Is that really the problem here? It seems like the problem is with token/identity assignment, generally sloppy corporate coding and the inevitable appearance of Murphy's Law. I don't think that any of these issues are analogs to the Byzantine General's problem.
A better solution would be to add a CC chip reader to each laptop and cell phone and put tokens on those chips which are used to validate transactions. As for server security, just generally doing a better job of the nuts and bolts of information handling solves most of those issues (like using an encryption key on those CC chips to encrypt PII). These breaches are rarely cracking of encryption or other "front-door" techniques. It's usually a 3rd party with sloppy security (like the trucking company or similarly "low tech" industries), not Hollywood style genius level hacking.
There are also techniques for applying operations on encrypted data without ever decrypting it. But those are really hard and very few companies have the expertise to make that work.
Re:Donald Trump playbook (Score:3, Interesting)
When anyone accuses you of something you accuse them of it 10x.
It's easier when your adversary is a corrupt, thieving, lying piece of garbage. At this point I'm starting to wonder about the real involvement of the Russians in the election; if they are indeed as smart as chess players, maybe what they did was make sure that the Democrats picked the worst possible candidate instead of the guy that clearly embodies the real liberal values.
But when it comes to Equifax, this comparison hardly applies because Equifax are not evil, they're merely incompetent, and have been for a long time. They're just like Diebold (the makers of those hilarious MS-Access based voting machines); once you start scratching the surface you just can't help but freak out when you realize how fucking retarded they are.
Re:Donald Trump playbook (Score:2, Interesting)
As for your other point, it is also possible that the Democrats did not pick the worst possible candidate, but one that was not as appealing to the TV reality entertainment mindset of the populace and nevertheless actually qualified to do the job.
But that is way, way in the past. No one cares about it except trolls who want to divert attention from the present. It would be nice If those who got elected were to focus on the job and stop reminiscing.
Re:Donald Trump playbook (Score:2)
But when it comes to Equifax, this comparison hardly applies because Equifax are not evil, they're merely incompetent
Are you joking? They were the datamining scum-of-the-earth bastards before Silicon Valley even invented the term for it. Their entire business is founded upon the notion of putting people into indentured servitude via debt.
Re:Donald Trump playbook (Score:2)
The problem isn't the SSNs it's how everyone sees the SSNs - like some magic number that proves everything, but the reality is that it's not worth shit unless you use it as a key to look up the actual biometrics of the person carrying the SSN to verify their identity.
Re:Donald Trump playbook (Score:2)
SSN is very important, it's like a name only more precise.
Trying to use someone's name as a password or pretending it's a secret is where the idiocy creeps in.
Re:Donald Trump playbook (Score:2)
Re:Big targets, big money, relentless attackers (Score:5, Insightful)
It's not a matter of increased security, it's simply a matter of following known best practices and being diligent in applying patches and hotfixes.
Equifax are complete morons. Last year they settled a lawsuit because of another security "breach": someone figured out that customers could login using a PIN made of the last 4 digits of their SSN and the 4 digits of their birth year. We're not talking about military-grade security being defeated by a criminal mastermind. Those guys are complete and absolute incompetents.
They could fix their entire set of weaknesses and prevent further exploits by reading the bullet points of a CISSP tutorial and following them. That's all there is to it.
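An added example, not code from the thread, that ties together two points made above: the earlier reply that an SSN is a name, not a password, and this comment's description of a PIN built from the last four SSN digits plus the birth year. The first half enumerates the PIN space that scheme produces, so the guess count for an attacker who already knows the birth year from public records is visible; the second half shows the alternative where the SSN is only a record key and the authenticator is a random secret stored as a salted hash. The SSN, birth year and the 1920-2005 birth-year range are constructed assumptions for the illustration; the PIN scheme itself is as the comment describes it.

```python
"""Added example (not from the thread): a PIN derived from SSN digits and birth
year is enumerable; a random authenticator keyed by the SSN is not.
Constructed data only: the SSN, birth year and year range are made up."""
import hashlib
import hmac
import itertools
import secrets

# Assumed plausible birth-year window for an adult credit-file holder.
YEAR_RANGE = (1920, 2005)


def derived_pin(ssn, birth_year):
    """The weak scheme as described: last four SSN digits + four-digit birth year."""
    digits = ssn.replace("-", "")
    return digits[-4:] + str(birth_year)


def candidate_pins(known_birth_year=None, year_range=YEAR_RANGE):
    """Yield every PIN the scheme can produce, in a fixed order.

    If the attacker already knows the birth year, only the 10,000 possible
    SSN suffixes remain; otherwise the year is guessed over year_range.
    """
    suffixes = (f"{n:04d}" for n in range(10_000))
    if known_birth_year is not None:
        for s in suffixes:
            yield s + str(known_birth_year)
        return
    years = range(year_range[0], year_range[1] + 1)
    for s, y in itertools.product(suffixes, years):
        yield s + str(y)


def keyspace_size(known_birth_year=None, year_range=YEAR_RANGE):
    """Number of guesses that cover the whole PIN space."""
    if known_birth_year is not None:
        return 10_000
    return 10_000 * (year_range[1] - year_range[0] + 1)


def guesses_to_find(target_pin, known_birth_year=None):
    """Online-guessing simulation: attempts until the target PIN is hit."""
    for attempt, pin in enumerate(candidate_pins(known_birth_year), start=1):
        if pin == target_pin:
            return attempt
    return None


def enroll(ssn):
    """The alternative: SSN is the lookup key, the authenticator is a fresh
    random secret handed to the user out of band; only a salted hash is kept."""
    secret = secrets.token_urlsafe(16)          # 128 bits of entropy
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    record = {"ssn": ssn, "salt": salt, "hash": digest}
    return record, secret


def verify(record, presented):
    """Constant-time check of a presented secret against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    ssn, year = "123-45-6789", 1975           # constructed values
    pin = derived_pin(ssn, year)
    print("PIN:", pin)
    print("guesses with known birth year:", guesses_to_find(pin, year),
          "of", keyspace_size(year))
    print("guesses with unknown year:", guesses_to_find(pin),
          "of", keyspace_size())
    record, secret = enroll(ssn)
    print("random secret verifies:", verify(record, secret))
    print("guessed pin verifies:", verify(record, pin))
```

With the birth year known, the derived PIN falls inside 10,000 guesses, and even without it the whole space is under a million, which is a few minutes of work against anything without lockout or rate limiting. The enrolled record, by contrast, still contains the SSN, but knowing it gets an attacker nothing: the SSN only selects the row, and the secret that proves identity was never derived from it.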
Re:Big targets, big money, relentless attackers (Score:2)
This will have roman_mir, cayenne8 and StupidKuntle in a hissy fit!
Do you have mandatory gay marriage, death panels and sharia law like they have in Venezuela?
Re:Big targets, big money, relentless attackers (Score:2)
Well, if it works for Belgium then it will certainly work here. SWIFT hasn't been hacked at all before.
What people seem to forget when stories like this come out is that most of our government sites have been hacked as well at one time or another. It's not like moving this stuff to the government will make it suddenly secure.
Crown Jewels (Score:2)
Credit databases like this are the "Crown Jewels" of online data due to their value for identity theft. I don't think it is asking too much that the extremely rich and profitable companies which manage these data look after them in a similar fashion.