Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever

The breach Equifax reported Thursday is very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.

UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.

Send 'em to jail

The equifax executives apparently sold stock immediately after learning of the breach. Jail them all for incompetence _and_ insider trading.

Re:Hopefully this will be the end of equifax

[dargaud]

I'd started to moderate this discussion but I'll lose it to answer your question:

how else would you propose preventing someone from running up a whole ton of debt, skipping out on it, and then doing it again at another creditor?

Like they do in every (?) other country: you go to a bank, show them your bank statements for the last few years, you tax statements, your job contracts, your current house mortgages and anything else they ask, and THEY decide on what kind of loan to give you based on that info. Oh, and yes, having a state-backed ID card helps against you running away and trying somewhere else. No centralization: too much power, too much risk and nothing to gain for the customer anyway.

Re:Hopefully this will be the end of equifax

[houghi]

I do not understand why they even exist. In Belgium we have the National Bank that has the database of all credits. Company has to check there to even be allowed to give a credit. They also need to add the credit they open. They do not see the other companies, just the number of loans and the amounts and all the rest, so they can calculate if there is enough margin to allow a credit.
If a person is on the black list (late payments) they will not be allowed ANY credit. If a company gives a credit where it was not allowed, the company becomes responsible and the person does not even need to pay back that loan. Yes, I have seen that happen. The company needs to take that loss. They asked nicely and they got a reply of "No" (OK, bit longer) from his lawyer and that was the end of it,
https://www.nbb.be/en/about-na...

It is pretty efficient and fast. You ask the customer how much he earns (pay slip and other official proof of income.), you deduct some standard cost of living for food and clothes. You deduct his other loans, if they exist. That is the amount he can spend on a new loan. Is that more than what it would be? Good, you have a loan? It isn't? No loan (or credit or what not).

e.g. income of 1500EUR netto per month (numbers pulled from a dark place)
Rend of 500 per month.
Being able to live 750 per month
Car loan of 250 per month.

That is 1500. No loan for you.
If he earn 1750, he could get a loan/credit where the maximum payment is 250.
The allow/deny a loan is instantaneously. Obviously done over SSL with several layers of security and signing.
What might take a bit of time is verification if the pay slip is real.

Obviously, it is a bit more complicated, but this is the basics. No need to go to a third party as all. The info is already available and required by law.

As a customer, I can ask what is there in my name and how much and what companies and what not.

Re: That's it. I'm done with Equifax

[ClickOnThis]

One way to protect yourself (to a certain degree) is to put a lock on your personal information with each of the three credit-reporting companies (Experian, Equifax, and TransUnion.) That way, nobody can access your information unless you lift the lock, either selectively, or for a finite period of time. Some of the agencies charge money (typically $10) for such a lock, or to lift it temporarily, but it's worth it IMHO.

Re:Hopefully this will be the end of equifax

[ichimunki]

In the US would raise the hackles of religious people who think being forced to go through a government owned/operated central bank is like being forced to do business with the antichrist. Seriously. 40% of the US population believes in creationism. The Social Security Administration will not produce SSNs starting with 666 (https://www.ssa.gov/kc/SSAFactSheet--IssuingSSNs.pdf).