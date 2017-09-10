

 



Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com) 32

Posted by EditorDavid from the identity-thief-crisis dept.
Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

  • Not sure how much increased security will help. You'd think Equifax would be a big target. At least for a fairly large identity theft ring. Might even be bigger and/or more dedicated players looking to get data from Equifax. Ones where money isn't an issue.

  • An SSN is a good primary key in a database because each SSN should correspond to a unique person. It's a terrible way, however, for proof of identity. We essentially use it as a username, but also as a password, and a password that you're unable to change. Furthermore, by law, you have to provide it to banks and some other institutions to use their services. You need to share your SSN with your employer in order to get paid for your job. And you have to trust that none of these entities will mishandle your

    • Re: (Score:2)

      by ls671 ( 1122017 )

      Sure, make SSN a unique key, but using it as a primary key is always a bad idea. Use meaningless Object IDs as primary keys, which in turn will be used as foreign keys in other tables instead of the SSN.

      You can even put the SSN in a different table or database with added security features/restrictions.
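The layout described in the comment above, as an added example that is not part of the original thread: a random object ID is the primary and foreign key, and the SSN sits under a UNIQUE constraint in a separately attached database. Table names, column names and the sample values are constructed for illustration.

```python
import sqlite3
import uuid

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    # Assumption: the attached in-memory database stands in for a separate
    # server or schema that carries its own, tighter access controls.
    db.execute("ATTACH DATABASE ':memory:' AS vault")
    db.executescript("""
        CREATE TABLE person  (person_id TEXT PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE account (account_id INTEGER PRIMARY KEY,
                              person_id TEXT NOT NULL REFERENCES person(person_id),
                              balance_cents INTEGER NOT NULL);
        CREATE TABLE vault.person_ssn (person_id TEXT PRIMARY KEY,
                                       ssn TEXT NOT NULL UNIQUE);
    """)
    return db

def add_person(db, name, ssn):
    person_id = uuid.uuid4().hex  # meaningless object ID, never derived from the SSN
    with db:  # one transaction: a rejected SSN also rolls back the person row
        db.execute("INSERT INTO person VALUES (?, ?)", (person_id, name))
        db.execute("INSERT INTO vault.person_ssn VALUES (?, ?)", (person_id, ssn))
    return person_id

def correct_ssn(db, person_id, new_ssn):
    # Fixing a mistyped SSN changes one row; no foreign key anywhere moves.
    with db:
        db.execute("UPDATE vault.person_ssn SET ssn = ? WHERE person_id = ?",
                   (new_ssn, person_id))

def account_rows(db):
    # Day-to-day queries join on the object ID and never read the vault.
    return db.execute("SELECT p.name, a.balance_cents FROM account a "
                      "JOIN person p USING (person_id)").fetchall()

def demo():
    db = build_db()
    alice = add_person(db, "Alice Example", "000-00-0001")  # constructed values
    with db:
        db.execute("INSERT INTO account (person_id, balance_cents) VALUES (?, ?)",
                   (alice, 12500))
    try:
        add_person(db, "Mallory Example", "000-00-0001")  # same SSN again
        duplicate_rejected = False
    except sqlite3.IntegrityError:
        duplicate_rejected = True
    correct_ssn(db, alice, "000-00-0002")
    people = db.execute("SELECT COUNT(*) FROM person").fetchone()[0]
    return duplicate_rejected, people, account_rows(db)

if __name__ == "__main__":
    print(demo())
```

SQLite cannot enforce a foreign key across attached databases, so `vault.person_ssn` carries the object ID without a `REFERENCES` clause.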

    • Re: (Score:2)

      by Gim Tom ( 716904 )
      The card says it is not to be used for identification. Which is now a joke. Maybe they should just publish everyone's SSN and loose the dogs of war er Law on those that do use it for ID.

      Being an old codger going back to the days of big iron and wide green bar printouts I can remember when old printouts with full SSN, NAME, ADDRESS and other information that is now considered sensitive was freely available for anyone to take home for their kids to color on. We even used the back at work to sketch out p
    • Great idea, but one that costs money. Are we willing to invest in such a concept? Are businesses willing to invest in such a concept? Was the Equifax breach big enough, and of enough consequence to actually change anything. But yeah, using the same "username" and "password" is typically considered poor security. Definitely agree with you.

    • An SSN is a good primary key in a database because each SSN should correspond to a unique person.

      It should, but it doesn't. The converse isn't true either.

  • Bad tech journalism must die (Score:3)

    by geekpowa ( 916089 ) on Sunday September 10, 2017 @07:44PM (#55171403)

    These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

    About as insightful as the apper guy. Blockchain magic fixes everything. Also, since when was the age of a company a good predictor of an internal cowboy culture?

  • I have a very simple solution for policymakers to implement:

    - Name + phone hacked = $2 penalty
    - Name + address hacked = $3 penalty
    - Name + SSN hacked = $5 penalty
    - etc., and combinations of the above, just multiply.

    Things would get fixed right quick.

  • In other news... (Score:3)

    by sgage ( 109086 ) on Sunday September 10, 2017 @07:46PM (#55171413)

    ... horse escapes from wide-open barn! Farmer encouraged to shut the f-ing door!

    Bright godz, what a mess...

  • Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.

    Wait, that guy is named John Gamble? And he is the damned CEO?

    • We obviously need someone who can provide checks and oversight on his leadership. Someone so strongly invested in such a process [wikipedia.org] that it would similarly be reflected in their own last name.

  • Right now, it's in the best interests of the corporation to allow the details to be stolen.

    Assuming the customer even catches the theft, they're still responsible for the first $50 dollars. And if the company chooses to dispute the customer's claim, they might get more than that.

    The seller and processor all file claims with their insurance company, and get their money back.

    In short, everyone but the victim wins.

    Until that changes, this will continue to happen.

  • Penalties are aiming in the wrong direction because leaks will continue to happen. Better to change finance law so that the victim is presumed innocent until proven guilty. A victim should not be penalized. Rather, the lender who fails to perform due diligence and verify identity before extending credit should lose. That would be a powerful motivation for the finance industry to adopt new techniques that minimize their risk of losing.
  • Freezing credit lines does squat to stop the identity thieves from hijacking your accounts. They got social security number, driver license number and dates of birth.

    In no place should this be considered "credentials". But the US financial institutions pretend these are secret passwords.

  • The current system is designed so that when a breach happens US citizens can band together for a class action suit.
    This means that a law firm will make millions or tens of millions of dollars and the REAL victims will get $1.23 (less taxes).

    And all up, this costs the corporation less money than doing the job properly.

    The system is working exactly as it was intended to.

    God, some people think rich people are just made of money, do you not know how much a Ferrari costs these days?

  • (1) We should have control over our personal information, and no one should be allowed to collect it, sell it, and most importantly, use it against us or to manipulate us without our knowledge. I think that must start with the right to control WHERE that personal knowledge is stored (because possession is still 9 points of the law).

    (2) Those parts of our personal information that have become public should be visible to ALL of the public. As it might apply in an improved Slashdot, I would thus be able use th
