Slashdot Mirror


Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com)

Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

193 comments

  1. The ultimate ban hammer. by Anonymous Coward · · Score: 0

    Corporate death penalty. By Congress?

    1. Re:The ultimate ban hammer. by sgage · · Score: 5, Informative

      I'll believe that corporations are people when I see one executed. As the saying goes.

    2. Re:The ultimate ban hammer. by Anonymous Coward · · Score: 1

      To avoid inconveniences like this, firms like Equifax will simply move vulnerable assets outside of the reach of US Law. Perhaps Belize or Somalia. What kind of physical presence do they actually need in the US any longer? It's all done with the Tubes these days; even the -fax part of Equifax is obsolete. Retail Credit Company changed its name to Equifax in 1975 due to its lousy reputation, known even back then.
      A name change may be in order again, perhaps something regarding its base businesses and current flexible technology, something along the lines of "Credit Mobilier". A name historically and richly resonant of Ethical Behavior.

    3. Re: The ultimate ban hammer. by dougdonovan · · Score: 1

      I hate to say it but do the updates. They are accessing a 100b$++ OS obviously because "e" uses Windows.

    4. Re: The ultimate ban hammer. by Reverend+Green · · Score: 2

      Hahahahahahahaha!

      So you wanna keep a couple hundred million dollars in a Somali bank? Oh my brother, have I got a great deal for you on a slightly used bridge...

    5. Re:The ultimate ban hammer. by mschwanke97402 · · Score: 1

      To avoid inconveniences like this, firms like Equifax will simply move vulnerable assets outside of the reach of US Law. Perhaps Belize or Somalia. What kind of physical presence do they actually need in the US any longer? It's all done with the Tubes these days.

      They can base themselves anywhere they like. They’ll still need to operate within the U.S. and can therefore be regulated, or even banned. The former is slightly likely, the latter is not likely at all, though the class action lawsuits might take care of Equifax for us.

    6. Re: The ultimate ban hammer. by Anonymous Coward · · Score: 0

      "So you wanna keep a couple hundred _B_illion dollars in a Somali bank?"

      You move Operations, the Call Centers, the Databases to Somalia. Somalia doesn't have a Minimum Wage, so the Grunt Work can be quite cheap, and the quality can't be much worse than what they currently have. Money stays where it is right now- Ireland, Jersey, The Caymans, Switzerland... places where such things as American concepts of Corporate Taxation, Extradition or Habeas Corpus just fail miserably.
      It's one of the benefits of Outsourcing. I gather that this has become popular lately, for this and other reasons.

    7. Re: The ultimate ban hammer. by Anonymous Coward · · Score: 1

      Try Delaware.

      The US is one of the largest tax havens on the planet. The only reason you hear more about foreign tax havens is because it doesn't want the competition.

    8. Re: The ultimate ban hammer. by Anonymous Coward · · Score: 0

      Panama FTW!!

    9. Re: The ultimate ban hammer. by Anonymous Coward · · Score: 0

      Delaware was just ducky for constructing a fictional US Corporate presence at one time.
      But Delaware for these purposes is now old.
      Apple went to Cork, Ireland, three decades back, instead of Delaware.
      Do try to keep up.

  2. Big targets, big money, relentless attackers by Monster_user · · Score: 1

    Not sure how much increased security will help. You'd think Equifax would be a big target. At least for a fairly large identity theft ring. Might even be bigger and/or more dedicated players looking to get data from Equifax. Ones where money isn't an issue.

    1. Re:Big targets, big money, relentless attackers by lucm · · Score: 4, Insightful

      It's not a matter of increased security, it's simply a matter of following known best practices and being diligent in applying patches and hotfixes.

      Equifax are complete morons. Last year they settled a lawsuit because of another security "breach": someone figured out that customers could login using a PIN made of the last 4 digits of their SSN and the 4 digits of their birth year. We're not talking about military-grade security being defeated by a criminal mastermind. Those guys are complete and absolute incompetents.

      They could fix their entire set of weaknesses and prevent further exploits by reading the bullet points of a CISSP tutorial and following them. That's all there is to it.

      --
      lucm, indeed.
    2. Re:Big targets, big money, relentless attackers by houghi · · Score: 1

      They should not be in business.

      In Belgium all debts are available at the National Bank.
      Only Credit Companies, banks and the people themselves will have access to that data and only see the amounts and if they are on the blacklist.
      You want to know the credit score if you want to rent out an apartment? Well, I want a pony, so no.
      You want to give me a loan, you will see if I am on the blacklist and how much credit I already have. Now you can decide if you want to give me a credit. If I should not have gotten a credit, the risk is 100% with you. That means I do not even need to pay it if I should not have gotten a credit, so thanks for the monies.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Big targets, big money, relentless attackers by Hognoxious · · Score: 1

      This will have roman_mir, cayenne8 and StupidKuntle in a hissy fit!

      Do you have mandatory gay marriage, death panels and sharia law like they have in Venezuela?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    4. Re:Big targets, big money, relentless attackers by JackieBrown · · Score: 1

      Well if it works for Belgium then it will certainly work here. SWIFT hasn't been hacked at all before.

      What people seem to forget when stories like this come out is that most of our government sites have been hacked as well one time or another. It's not like moving this stuff to the government will make it suddenly secure.

  3. Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 5, Insightful

    An SSN is a good primary key in a database because each SSN should correspond to a unique person. It's a terrible way, however, for proof of identity. We essentially use it as a username, but also as a password, and a password that you're unable to change. Furthermore, by law, you have to provide it to banks and some other institutions to use their services. You need to share your SSN with your employer in order to get paid for your job. And you have to trust that none of these entities will mishandle your SSN.

    How about using the SSN for the primary key it is and doing away with it altogether for proof of identity. Mandate that financial institutions use other proof of identity such as one time use passwords and public key encryption. Devalue the SSN and, at the same time, replace it with a secure means to prove identity. The government does have a role, because they can and do regulate entities like financial institutions.

    1. Re:Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 1

      Once AI is sufficiently advanced (it may already be in some of the three letter government agencies) it should be able to impersonate anyone no matter what criteria you set to make them prove their identity, short of a physical presence and fingerprint / iris scans.

    2. Re:Mandate that SSNs are not proof of identity by ls671 · · Score: 1

      Sure. Make SSN a unique key but using it as a primary key is always a bad idea. Use meaningless Object IDs as primary keys which in turn will be used as a foreign key in other tables instead of the SSN.

      You can even put the SSN in a different table or database with added security features/restrictions.

      --
      Everything I write is lies, read between the lines.
    3. Re:Mandate that SSNs are not proof of identity by Gim+Tom · · Score: 2

      The card says it is not to be used for identification. Which is now a joke. Maybe they should just publish everyone's SSN and loose the dogs of war er Law on those that do use it for ID.

      Being an old codger going back to the days of big iron and wide green bar printouts I can remember when old printouts with full SSN, NAME, ADDRESS and other information that is now considered sensitive were freely available for anyone to take home for their kids to color on. We even used the back at work to sketch out program and process flows. Some lawyer should be able to milk the use of SSNs for granting credit for some number of gigabucks to discourage such use.

    4. Re: Mandate that SSNs are not proof of identity by Monster_user · · Score: 2

      Nobody will remember the actual primary key, but everybody has to remember their SSN. So for looking up a record, it is the primary field to locate that record. Given it is as unique as the primary key, it is essentially the human readable version/alternative for the primary key.

    5. Re: Mandate that SSNs are not proof of identity by Monster_user · · Score: 1

      Great idea, but one that costs money. Are we willing to invest in such a concept? Are businesses willing to invest in such a concept? Was the Equifax breach big enough, and of enough consequence, to actually change anything? But yeah, using the same "username" and "password" is typically considered poor security. Definitely agree with you.

    6. Re:Mandate that SSNs are not proof of identity by Hognoxious · · Score: 1

      An SSN is a good primary key in a database because each SSN should correspond to a unique person.

      It should, but it doesn't. The converse isn't true either.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    7. Re:Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 1

      The card says it is not to be used for identification. Which is now a joke.

      Your social security number is not supposed to be used for identification. But there is a very simple reason why everyone uses it for exactly that purpose -- it is the only unique identifier that exists.

    8. Re:Mandate that SSNs are not proof of identity by ccguy · · Score: 1

      How about using the SSN for the primary key it is and doing away with it altogether for proof of identity.

      It's not. Any value that can be NULL sucks. Not everyone has an SSN. In fact, not everyone lives in a country where such a thing exists. Equifax is a global company. So any solution that mentions SSN is a bad start.

      At some point we'll have to get used to the fact that in order to be safe we'll have to have laws that demand our physical presence somewhere for certain important things in life. Ordering a credit card is one of these things. Would it really kill us to get out of the house, go somewhere, have your identity physically validated (showing documents or hardware that then come home with us and of which no copy is made)?

      During the process we could create some jobs, too.

    9. Re:Mandate that SSNs are not proof of identity by AtomicSymphonic · · Score: 1

      National ID cards are a non-starter for ultra-conservatives/wingnuts that want no extra regulation on their lives. Let alone the fact that most people already have passports.

      As much as it sucks to say this, the solution is political; it isn't blockchain-based or creating some new security. Until those wingnuts are affected by such data breaches in a personal way, they will not come around to supporting national ID laws.

    10. Re:Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 0

      Exactly! As someone affected by the Equifax breach, Best Buy, Target and at least 2-3 others my SSN has been breached way too many times. When are we going to face facts that using the SSN as proof of identity in the age of scanning, data warehousing and ubiquitous data collection is unworkable?

      It is however an excellent unique identifier. I work in the Healthcare field and laugh every time I read about how best to develop a unique identifier for patient medical records when we have an excellent one that is already assigned to every American that we are not allowed to use.

    11. Re:Mandate that SSNs are not proof of identity by anegg · · Score: 5, Insightful

      Using an SSN (or other nationally valid identifier) for "identity" is one thing; using it as *proof* of identity (i.e., as an authenticator) is another. Any business using an SSN as an authenticator and trying to hang a debt around the neck of the person identified by the SSN should be laughed out of court.

      The burden should not be on the shoulders of the "identity theft" victim to prove the negative (that they did not get the goods/services the creditor is claiming that they got), but rather on the shoulders of the creditor, to prove to just whom they gave those goods and services. As soon as that is recognized in law, I think a lot of the "identity theft" problems will go away. It may be harder to obtain goods and services on credit, however.

    12. Re: Mandate that SSNs are not proof of identity by ls671 · · Score: 2

      And that's the problem; it is human readable and meaningful. Granted, you will have to look up the primary key given an SSN in the protected table or database:

      SSN -> primary key

      Primary key is something like: bd3b546d7136432218858eff

      Then search for that primary key (foreign key) in other tables.

      That's exactly what we have to do in our applications. It is a little less convenient but security sometimes conflicts with "human readable".

      Bonus: developers that have access to prod data do not need access to the SSN for most tasks.

      Using SSN or other meaningful data as a primary key is bad security wise.

      --
      Everything I write is lies, read between the lines.
    13. Re:Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 1

      National ID cards are a non-starter for ultra-conservatives/wingnuts that want no extra regulation on their lives.

      They're also a non-starter for liberals who want illegal immigrants to have the same benefits as citizens.

    14. Re:Mandate that SSNs are not proof of identity by Wycliffe · · Score: 1

      The card says it is not to be used for identification. Which is now a joke.

      Your social security number is not supposed to be used for identification. But there is a very simple reason why everyone uses it for exactly that purpose -- it is the only unique identifier that exists.

      The problem isn't that it is used as a unique identifier. The problem is that it is used to verify that unique identifier. You should be able to tell anybody and everyone that you are the John Smith with SSN of 499-99-9993. You then should have to prove that someway with a signed key, picture ID, etc... It was a mistake taking SSN off of driver's license. They should be there. They should be on business cards too and mailboxes. SSN is the non-changing number that identifies you as a unique John Smith as opposed to the dozens of other John Smiths that might exist. The problem is you can't have knowledge of a person's unique non-changing identifier also be proof that you are that person. That is absurd. The simplest solution would probably be to have a government database where you can type in a Name and SSN and it pops up a picture and public key of the person in question. This would also be a solution to businesses unknowingly hiring illegal immigrants as well.

    15. Re:Mandate that SSNs are not proof of identity by msauve · · Score: 2

      "Sure. Make SSN a unique key but using it as a primary key is always a bad idea."

      It's a perfectly fine key - for the US Social Security system. The issue is all the lazy-ass leeches who want to use it for anything else. Credit and medical industries being major violators.

      I haven't given my SSN to anyone who's not deducting SS from a payroll payment for about 30 years. On very rare occasion, I'll use the "last 4" for some things, but unless I'm being paid and they're adding to my SS account, that's all they get. That includes credit cards, mortgages, insurance, cell phone and other utilities - I've given it to none of them.

      And, when a previous employer gave it to an insurance company without my permission, I filed a formal ethics complaint for disclosing personal info unnecessarily. Didn't go anywhere. They were clueless and blew it off, but they don't exist anymore and I'm still around.

      Obamacare requires a Taxpayer ID, which is usually but not always an individual's SSN. One of the reasons it should be repealed.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    16. Re: Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 0

      You can enter any last name and 6 digits on the site and it will tell you that you are affected. It's a scam.

    17. Re:Mandate that SSNs are not proof of identity by ls671 · · Score: 1

      I haven't given my SSN to anyone who's not deducting SS from a payroll payment for about 30 years.

      You've got that right. This is actually the only use case for it. Where I live, corporations don't even want to know it if you try to give it to them for other purposes. Shit, even the nice police officer didn't want to know the other day!

      We just went a quantum leap further than what was the topic of this subthread so far but then again: How would the developers using a fixed SSN-like field everywhere in their database (primary client key, foreign keys) cope with your behavior?

      Those who do that might even have a stored proc to validate the SSN field, I have seen it ;-)

      --
      Everything I write is lies, read between the lines.
    18. Re:Mandate that SSNs are not proof of identity by fustakrakich · · Score: 2

      The government does have a role, because they can and do regulate entities like financial institutions.

      You're wagging the dog. Financial institutions regulate the government.

      --
      “He’s not deformed, he’s just drunk!”
    19. Re: Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 1

      The last 4 digits are the only meaningful digits. If you know where and when somebody was born and have the last 4 digits, you can generate the rest of the number.

    20. Re:Mandate that SSNs are not proof of identity by msauve · · Score: 1

      even the nice police officer didn't want to know the other day!

      Strange thing, last time I opened a bank account, they wanted my Driver's License number. WTF? Since when do you have to drive to have a bank account?

      How would the developers using a fixed SSN-like field everywhere in their database (primary client key, foreign keys) cope with your behavior? Those who do that might even have a stored proc to validate the SSN field, I have seen it

      I can help with that. Or use 457-55-5462 (Lifelock CEO) or 078-05-1120 or 219-09-9999

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    21. Re: Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 0

      Was the Equifax breach big enough, and of enough consequence, to actually change anything?

      Depends. Did it impact Trump or any of his close family and friends? If not, then no.

    22. Re: Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 0

      An SSN is not guaranteed to be unique, though collisions are rare. Even more reason they shouldn't be used as national identifiers. Too bad all real attempts at replacing it get shot down by people who understand little about the actual risks (hint: they're lower than the current reliance on easily obtained information like SSN and birthdate).

    23. Re: Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 0

      In case the parent's succinct prose hides the point: SSNs are not unique to a single person, and a single person can change their SSN. Stop trying to use them as primary keys already!

    24. Re:Mandate that SSNs are not proof of identity by ls671 · · Score: 1

      Strange thing, last time I opened a bank account, they wanted my Driver's License number. WTF?

      Yep, driver license is still commonly asked for since SSN is no longer politically correct to ask for; passport works also...

      --
      Everything I write is lies, read between the lines.
    25. Re: Mandate that SSNs are not proof of identity by ShanghaiBill · · Score: 1

      An SSN is not guaranteed to be unique

      SSNs are not unique, but SSN+DOB is unique.

    26. Re:Mandate that SSNs are not proof of identity by ls671 · · Score: 1

      I can help with that. Or use 457-55-5462 (Lifelock CEO) or 078-05-1120 or 219-09-9999

      Yep, the formula to validate SSN is no big secret although it is not published at large.

      --
      Everything I write is lies, read between the lines.
    27. Re:Mandate that SSNs are not proof of identity by lucm · · Score: 1

      The simplest solution would probably be to have a government database where you can type in a Name and SSN and it pops up a picture and public key of the person in question.

      I don't think you know what kind of systems the government is using. The people who know the most about you are the IRS, and they still rely on software that was running before man (allegedly) set foot on the moon.

      Even when they try to modernize it's a joke. Look at the complete fubar of the 2 billion dollar Obamacare website.

      Big brother concerns aside, there's just no way this kind of database could happen anytime soon. Facebook or Google are more likely to get that level of accuracy than good ol' Uncle Sam.

      --
      lucm, indeed.
    28. Re: Mandate that SSNs are not proof of identity by lucm · · Score: 1

      Was the Equifax breach big enough, and of enough consequence, to actually change anything?

      Depends. Did it impact Trump or any of his close family and friends? If not, then no.

      Why "trumpize" this? Politicians on both sides have been making decisions based on self-interest forever, that's nothing new. And I suspect that if you personally were in the oval office you'd do the same. That's just human nature; it probably happens in your workplace. Odds are higher of having your company support the "pink ribbon" campaign if a woman is in charge of the social committee; if it's a man, it'll be movember. There's nothing wrong with that.

      --
      lucm, indeed.
    29. Re: Mandate that SSNs are not proof of identity by Reverend+Green · · Score: 1

      Naw bro, use a synthetic primary key. Although quite rare, people do occasionally change SSN.

    30. Re:Mandate that SSNs are not proof of identity by lucm · · Score: 1

      Exactly! As someone affected by the Equifax breach, Best Buy, Target and at least 2-3 others my SSN has been breached way too many times

      Why the fuck did you give your SSN to Best Buy? I probably spend $7k / year there and they don't even have my disposable email address.

      --
      lucm, indeed.
    31. Re: Mandate that SSNs are not proof of identity by ls671 · · Score: 1

      Not in a parallel universe! ;-)

      --
      Everything I write is lies, read between the lines.
    32. Re:Mandate that SSNs are not proof of identity by Z00L00K · · Score: 1

      There's no point in protecting the SSN; it's a good unique key that should be indexed so that you use it to bring up necessary biometric data to identify a person.

      SSNs can be generated by a computer and then just tried out how well they work and if they work they are good enough for some illegals. Trying to get a SSN to not get into the wrong hands is futile.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    33. Re:Mandate that SSNs are not proof of identity by Hognoxious · · Score: 1

      It is however an excellent unique identifier.

      Wrong. https://www.computerworld.com/...

      I work in the Healthcare field

      Cleaning floors, I hope.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    34. Re:Mandate that SSNs are not proof of identity by ls671 · · Score: 1

      You are an older schooler than I am!

      Hint: we are now in 2017 and any sensitive information should be protected as well as your certificate authority (CA) although I am exaggerating just a tiny little bit...

      Seriously, what you are suggesting just makes leaking much more probable since we have to hide SSN and other sensitive info repeated all over in the database with obfuscating scripts for people that don't need access for testing, and if we forget only one spot the whole exercise is pointless.

      --
      Everything I write is lies, read between the lines.
    35. Re:Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 0

      SSN is not sensitive information. It _must_ not be. If a company tries to use it like it was sensitive, it still does not make SSN sensitive information.

    36. Re:Mandate that SSNs are not proof of identity by bradley13 · · Score: 1

      This. The SSN offers zero security. So many institutions have it that it might just as well be public information. Plus, even after a data breach, you cannot change it.

      There are so many things wrong with the US credit (and banking) system. Basically anyone can write checks on your account, if only they know your routing and account numbers. SSNs as proof of identity. Etc. It's all a "good faith" system, with zero security.

      Then these three corporations managing everyone's credit information: Consumers are not their customers, so they have little incentive to ensure that your data is correct, or to respond to problems. The consumers are, at best, sheep for them to fleece for a bit of extra money, with their so-called "trust" programs.

      --
      Enjoy life! This is not a dress rehearsal.
    37. Re:Mandate that SSNs are not proof of identity by Applehu+Akbar · · Score: 1

      SSN can't be a primary key because not everybody has one.

    38. Re: Mandate that SSNs are not proof of identity by Applehu+Akbar · · Score: 1

      You could also use an easily-remembered hash of the primary key, like your "record locator number" for an airline reservation. This combined with some other elementary personal data would be unique.

    39. Re:Mandate that SSNs are not proof of identity by AmiMoJo · · Score: 2

      Around here it is already the law that the company claiming you owe them has to prove that the debt exists. Unfortunately it doesn't always help.

      I had some company contact me with a debt I didn't recognize about a decade ago. I asked them to send me some proof, like a signed agreement, which obviously there is no way they could have. So they know that if they ever try to go to court they are screwed and will be laughed out, but it doesn't stop them sending me a letter every few months offering me some crappy deal on repayment.

      Worse still, if I had not responded it seems that a lot of companies try going to court on the off chance that the defendant doesn't turn up. If they consistently get no response they often chance it and try to get a default judgement, and the courts don't even bother to do basic checks like seeing if they have a valid signature (how could they?).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    40. Re:Mandate that SSNs are not proof of identity by NicknameUnavailable · · Score: 1

      The issue is that impersonating someone is already a crime so they never bothered with the password side; the result of a failed login is typically 10+ years in prison so nobody in their right mind did it. More recently people who take the identities of others haven't been held responsible, and instead the people who had their identities stolen ARE punished for it in the form of either being held accountable for the debt (banks too lazy to track it down and file charges so they tell the person they should have been more careful and pay up) where it either stops there or the person then invests months of time dedicated to getting the charges dropped and repairing their credit score. Just make identity theft enforced in every case instead of selectively based on whether or not the person whose identity was stolen has the time/money to pursue it and be done with it. If they're foreign abusers then fuck it, blacklist the whole country - but in most cases that's not the case; from the experiences I've had with identity theft it's always people in American cities doing it.

    41. Re:Mandate that SSNs are not proof of identity by bluefoxlucid · · Score: 3, Interesting

      The correct answer is to use UAF or U2F. The U2F keys all have UAF capability.

      You walk into a bank, present your ID (driver's license, etc.), and they can see it's you. Online, you tell them what car you had in 1999, where you lived 6 years ago, and which bank holds a current loan. One of these is stronger than the other.

      So what you do, you walk into a bank, present your ID, and then you take a brand-new, personally-owned, $20 security key to their terminal. You plug it in or wave it at the NFC, and it sends separate keys to Equifax, TransUnion, etc. Done. You now have an established trust with the credit reporting agency.

      When you open a new credit account, the bank checks the CRA for your history. If you have a hold on your credit, the CRA tells them no loans. Same deal: when the bank talks to the CRA, the CRA sends a challenge; you use your security key to digitally sign the response, proving your physical possession of the correct key, thus your identity. Generally this is RSA or elliptical curve; and the devices are non-cloneable.

      Lost your key? Call your bank and tell them. They'll put your trusts on hold with the CRA. You show up with ID and your key to re-establish trust. In the meantime, it's impossible to open a new loan account.

      People can't hack the CRA or the bank and steal your identity to open new loans in your name if there's no shared secret to steal. You have the only secret; you can prove you have that secret; and you can prove it without revealing the secret. An adversary can only steal the secret by stealing a physical device; and they use secure hardware that resists physical and logical attack, so cloning is destructive at best, and destructive attacks tend to completely-fail on these devices.

      That's the solution. It's the cheapest, most-effective, simplest option available today.
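      The challenge-response flow this comment sketches, as an added Go example that is not the commenter's code: a token that mints one P-256 key pair per CRA, a CRA that stores only public keys plus a hold flag, and loan authorization that demands a fresh ECDSA signature over a random challenge. The CRA and consumer names are constructed, signing runs in software rather than on a real U2F device, and the hardware's resistance to cloning is assumed rather than modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityKey stands in for the holder's hardware token. On a real U2F device
// the private keys never leave the secure element; here they sit in a map.
type SecurityKey struct {
	perParty map[string]*ecdsa.PrivateKey // one key pair per relying party
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{perParty: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh P-256 key pair for one relying party (one CRA)
// and hands back only the public half, which is all the CRA ever stores.
func (k *SecurityKey) Register(party string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.perParty[party] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge from one party. The digest binds the party
// name, so a response meant for one CRA is useless at another.
func (k *SecurityKey) Sign(party string, challenge []byte) ([]byte, error) {
	priv, ok := k.perParty[party]
	if !ok {
		return nil, errors.New("no key registered for " + party)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(party, challenge))
}

func digest(party string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(party))
	h.Write([]byte{0}) // separator: party and challenge can't blur together
	h.Write(challenge)
	return h.Sum(nil)
}

// CRA keeps a public key and a hold flag per consumer. Nothing here is a
// secret: a dump of this table lets nobody impersonate anyone.
type CRA struct {
	Name   string
	trusts map[string]*ecdsa.PublicKey
	onHold map[string]bool
}

func NewCRA(name string) *CRA {
	return &CRA{Name: name, trusts: map[string]*ecdsa.PublicKey{}, onHold: map[string]bool{}}
}

// Enroll is the in-branch step: ID checked in person, key plugged in.
func (c *CRA) Enroll(consumer string, pub *ecdsa.PublicKey) { c.trusts[consumer] = pub }

// SetHold is what the bank triggers when the holder reports the key lost.
func (c *CRA) SetHold(consumer string, hold bool) { c.onHold[consumer] = hold }

// NewChallenge returns fresh random bytes per lender query, defeating replay.
func (c *CRA) NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// AuthorizeLoan is what the lender's query reduces to: no hold, and a valid
// signature over this challenge under the enrolled public key.
func (c *CRA) AuthorizeLoan(consumer string, challenge, sig []byte) error {
	if c.onHold[consumer] {
		return errors.New("credit on hold: key reported lost")
	}
	pub, ok := c.trusts[consumer]
	if !ok {
		return errors.New("no trust established for " + consumer)
	}
	if !ecdsa.VerifyASN1(pub, digest(c.Name, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	key, cra := NewSecurityKey(), NewCRA("Example CRA") // constructed names
	pub, _ := key.Register(cra.Name)
	cra.Enroll("alice", pub)
	ch, _ := cra.NewChallenge()
	sig, _ := key.Sign(cra.Name, ch)
	fmt.Println("genuine key:", cra.AuthorizeLoan("alice", ch, sig))
}
```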

    42. Re:Mandate that SSNs are not proof of identity by JackieBrown · · Score: 1

      The burden should not be on the shoulders of the "identity theft" victim to prove the negative (that they did not get the goods/services the creditor is claiming that they got), but rather on the shoulders of the creditor, to prove to just whom they gave those goods and services.

      How? Make people come in to get their initial credit card so a picture can be taken and other proof of identity? We can't even get people to agree that people should have to prove their identity to vote.

    43. Re: Mandate that SSNs are not proof of identity by ebyrob · · Score: 1

      > Using SSN or other meaningful data as a primary key is bad security wise.

      In my experience, user-known data as a key is bad because users invariably want to control and change everything they know exists. Typically nothing to do with security which becomes a complicated subject very quickly.

    44. Re:Mandate that SSNs are not proof of identity by anegg · · Score: 1

      Which is more ridiculous:

      1. Joe Citizen is held liable for paying back Big Corporation for goods/services that Big Corporation claims it provided to Joe Citizen, on the flimsy basis that an individual claiming to be Joe Citizen showed Big Corporation Joe Citizen's name and social security number (as a ridiculously low-level of proof that they really were Joe Citizen), or

      2. If Joe Citizen wants to buy things on credit, Joe Citizen provides a picture of himself along with some other credentials to prove he really *is* Joe Citizen?

      The "ID to vote" issue is completely separate, I believe. It doesn't involve an innocent person having to prove a negative - that they didn't get goods/services someone else claims that they did. The current hoops that an "identity theft" victim must go through only exist because of a meme perpetuated by creditors that their current extremely weak process of authenticating the individuals to whom they provide goods and services is sufficient to warrant the legal system putting the burden of proof on an individual that they DIDN'T get goods and services that the creditor claims that they did. We need a few court cases where the creditor trots out nothing more than a piece of paper with an individual's social security number on it as proof that they provided goods and services to the individual to whom the social security number belongs, whereupon the judge laughs and dismisses the case for a lack of evidence, in order to turn things around. Once creditors know that they can't depend on the court system to be their "enforcer" unless they have much better proof of a debt, the creditors will come up with an improved system quickly, I think.

    45. Re:Mandate that SSNs are not proof of identity by swb · · Score: 1

      The last time I opened a bank account, they asked for two forms of identification, a driver's license "and something else that could be verified."

      I gave the bank guy behind the desk my concealed carry permit.

      He looked at it funny and said "umm...I don't think this is something we can use."

      I asked why not? In order to obtain it, I had to pass an extensive criminal background check. I can't use it to open a bank account, but I can use it to legally walk into a bank and sit in front of a banker with a loaded handgun? You'd prefer something that any criminal could easily obtain, like a bogus credit card?

      He squirmed some more and I gave him a credit card.

      I did the same thing when I got contacted by a job recruiter. They wanted me to come in for a pre-interview at the recruiter offices. This recruiter had mostly been recruiting for low-level temp staff and they gave everyone who came in a bunch of forms, including one that required your SSN and an agreement to conduct a credit check. I left that form blank.

      The interview went well enough, I was interviewed by a local staffer and someone from HQ who was helping them ramp up their "high value employee" recruiting. They were positive enough and said they wanted to send me in for an in-person interview with the actual company hiring for the position. The local staffer looked through the forms and stopped at the credit check form.

      "You didn't fill this out? Why?"

      "Nobody has offered me a job, and I work in IT. I don't know how you keep track of this information nor do I feel like an initial interview is appropriate to provide your company with a blank check to dig in my credit history. If I am going to be offered the job, I am more than willing to submit to a credit check, but at this stage of the process I don't think it's worth extending my own personal identity theft risk."

      The local staffer got really pissed, and said "I think you're hiding something, like bad debts or a criminal record, you need to sign this form." His mentor from HQ looked pretty shocked as his behavior, too, like "don't fuck this up".

      I plopped down my concealed carry permit and said "Here's your proof. You don't get one of these without the sheriff's department doing an extensive criminal background check. This is a guarantee I don't have a criminal record, and I've already agreed to have my credit checked when I'm offered a job contingent on my credit."

      The interview ended at that point and I never heard from them again.

    46. Re:Mandate that SSNs are not proof of identity by flink · · Score: 1

      An SSN is a good primary key in a database because each SSN should correspond to a unique person.

      SSN is a terrible primary key in a database. It's a good candidate key for uniqueness but not sufficient by any means. I worked designing databases that tracked patient records and tied to demographics for many years and had to learn the hard way that SSNs:

      * Are not necessarily unique (they can be reused after death)
      * Are frequently not assigned to children
      * Are not held by all adults
      * Are not held by all adult citizens
      * Are not held by all adult citizens with jobs
      * Are not held by all adult citizens with jobs that pay taxes
      * Have no check digit (can be easily mis-keyed)
      * Are not necessarily held for the lifetime of an individual
      * Are occasionally falsified or misreported (shocking, I know)

      For all of these reasons and more, when building a master person index (MPI), you use multiple heuristics to attempt to identify individuals positively. Among them are things like SSN, yes, but also SSN-off-by-1-digit, SSN-2-digits-transposed, home phone, address, address-soundex, home-phone-off-by-1-digit, driver's license, etc. The weights you assign to these heuristics depend on the demographics of the population you are trying to track. An SSN match carries more weight in rural Vermont, for example, than it would in LA. The output of your matching algorithm is a confidence value that two candidate records match. Then, again depending on your demographics, you set thresholds for p-match indicating whether the match is positive, negative, or indeterminate and needs to go into a work queue for a human to decide.

      Then, once you've uniquely identified someone, you do the sane thing and assign them a synthetic identifier (UUID or sequence number) as their database primary key. You should also generate a record number for use by humans that has some safety features built in like error detection, being non-sequential, and having some mnemonic properties.
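      The matching pipeline this comment describes, written out as an added Go example (not the commenter's or any MPI product's code): SSN exact / off-by-one-digit / adjacent-transposition heuristics, the same fuzzing for phone numbers, a weighted score, thresholds that route a pair to match, no-match or human review, and a Luhn check digit for the human-facing record number. The fields, weights and thresholds are constructed; soundex and the other heuristics listed are left out.

```go
package main

import "strings"

type Record struct{ SSN, Phone, Address string }

// Weights are the points each heuristic earns; tune them to the population
// (an SSN match is worth more in rural Vermont than in LA).
type Weights struct{ SSNExact, SSNOneDigit, SSNTransposed, PhoneExact, PhoneOneDigit, Address float64 }

// Thresholds split a score into positive, negative, or "send to a human".
type Thresholds struct{ Positive, Negative float64 }

// digits keeps only 0-9, so "(802) 555-0100" and "802-555-0100" compare equal.
func digits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// digitRelation classifies two digit strings as "exact", "one-off" (a single
// mis-keyed digit), "transposed" (two neighbouring digits swapped) or "".
func digitRelation(a, b string) string {
	if a == "" || len(a) != len(b) {
		return ""
	}
	diff, last := 0, 0
	for i := range a {
		if a[i] != b[i] {
			diff, last = diff+1, i
		}
	}
	switch {
	case diff == 0:
		return "exact"
	case diff == 1:
		return "one-off"
	case diff == 2 && a[last-1] == b[last] && a[last] == b[last-1]:
		return "transposed"
	}
	return ""
}

func norm(s string) string { return strings.Join(strings.Fields(strings.ToUpper(s)), " ") }

// Score adds up the evidence that x and y describe the same person.
func Score(x, y Record, w Weights) float64 {
	s := 0.0
	switch digitRelation(digits(x.SSN), digits(y.SSN)) {
	case "exact":
		s += w.SSNExact
	case "one-off":
		s += w.SSNOneDigit
	case "transposed":
		s += w.SSNTransposed
	}
	switch digitRelation(digits(x.Phone), digits(y.Phone)) {
	case "exact":
		s += w.PhoneExact
	case "one-off":
		s += w.PhoneOneDigit
	}
	if x.Address != "" && norm(x.Address) == norm(y.Address) {
		s += w.Address
	}
	return s
}

// Decide maps a score onto the three MPI outcomes.
func Decide(score float64, t Thresholds) string {
	if score >= t.Positive {
		return "match"
	} else if score <= t.Negative {
		return "no match"
	}
	return "review"
}

// LuhnDigit returns the check digit an SSN lacks: appended to a record number
// it catches any single mis-keyed digit and most adjacent transpositions.
// Every second digit from the right is doubled; 9*(d/5) folds 10..18 to 1..9.
func LuhnDigit(body string) byte {
	sum := 0
	for i, dbl := len(body)-1, true; i >= 0; i, dbl = i-1, !dbl {
		d := int(body[i] - '0')
		if dbl {
			d = d*2 - 9*(d/5)
		}
		sum += d
	}
	return byte('0' + (10-sum%10)%10)
}

// LuhnValid checks a human-facing record number before it is looked up.
func LuhnValid(n string) bool { return len(n) > 1 && LuhnDigit(n[:len(n)-1]) == n[len(n)-1] }
```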

    47. Re:Mandate that SSNs are not proof of identity by datavirtue · · Score: 1

      ....but banks allow for variation in SSN when creating accounts. Digits can be off by one at any place. SSN is not a good key. We use it as an identifier but not as a key.

      --
      I object to power without constructive purpose. --Spock
    48. Re:Mandate that SSNs are not proof of identity by kenwd0elq · · Score: 1

      "An SSN is a good primary key in a database because each SSN should correspond to a unique person"

      SSN is a TERRIBLE primary key for any database. The Social Security Administration has a miserable record of maintaining a one-to-one correspondence between database rows and human individuals. The Social Security Administration has on numerous occasions issued the same number to different individuals who have the same name, and there are thousands of people who use someone else's SSN.

    49. Re:Mandate that SSNs are not proof of identity by datavirtue · · Score: 1

      You do realize that you could use the wrong SSN starting out, create all of your credit with it, and never use the real SSN?

    50. Re:Mandate that SSNs are not proof of identity by JackieBrown · · Score: 1

      I get what you're saying but I don't think the vast majority of people want to have to be physically present to apply for a credit card. Unless you think emailing or mailing a copy of a driver's ID should work but if someone stole my wallet, they have that.

      Hell, I didn't even have to do that to apply for my USAA bank account.

      There are many free ways to monitor your credit nowadays. It makes it easy for us as consumers to watch and protect our credit.

    51. Re: Mandate that SSNs are not proof of identity by ls671 · · Score: 1

      True enough, for example, it goes for usernames as well. We do the same for usernames. It is convenient, especially when the customer asks that email addresses are used as login names/usernames.

      Not making the username a primary key in the user table makes it easy when a user needs to change his email address.

      --
      Everything I write is lies, read between the lines.
  4. Bad tech journalism must die by geekpowa · · Score: 4, Insightful

    These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

    About as insightful as the apper guy. Blockchain magic fixes everything. Also since when was the age of a company a good predictor of an internal cowboy culture?

    1. Re:Bad tech journalism must die by supernova87a · · Score: 1

      I also heard that blockchain will stop global warming, cure cancer, and find Jimmy Hoffa!

    2. Re:Bad tech journalism must die by MSG · · Score: 1

      My thoughts exactly. Blockchain credit history? Great! Now every fraudulent entry is there permanently, and can't be removed! Brilliant!

    3. Re:Bad tech journalism must die by Anonymous Coward · · Score: 0

      About as insightful as the apper guy. Blockchain magic fixes everything.

      In an attempt to be better than the apper guy I will say that blockchain is actually better for this particular case. The single thing that blockchain technology gives you is double entry bookkeeping without opportunity for double spending. Everything else said about it is bunk.

      Everyone has to agree upon the nature, order and quantity of the transactions on a blockchain. This was thought an unsolvable problem in accounting since the invention of ledgers.

      Fundamentally we are all talking about ledgers here. Your ledger or account.

      What the SSN does is provide a unique ID to tag you in any financial transaction relevant to the United States Social Security Administration. Even if you are not a citizen by any other measure, if you do something that pays into Social Security you might someday have to be paid out. So you are tracked.

      What Equifax, Transunion and other credit agencies do is try to assemble a reasonable history of your financial behavior. Because a lot of it is not public or at least common knowledge they have to maintain extensive records from everybody you deal with.

      In the first case, if all transactions had to go through a government backed blockchain tracking the flow of dollars you could never cheat on your taxes. Your Social Security balance would always be known. Every single reported paycheck would be somewhere on SSN block chain. Since your employer had to pay the government on your behalf when you get a pay check you don't even need to touch it. Same come the day to pay out. (And anytime Congress raids the funds to pay for random pork it shows up as a deduction from the SSN ledger and you know you've been screwed.)

      In the second case, if I want to know your credit risk all I'd have to do is pull up a report from the block chain on all your transactions. As long as loans are recorded on a public chain I can check, then I can know how much you make, how leveraged you are and not only how well you pay but also the probable schedule. (Don't forget that prepayment is also a negative to someone who wants to evaluate offering you a loan.)

      To do this we have to as a society finally admit that most if not all financial transactions are quite public. For this reason you will never see it happen. You can resort to cash to hide your drugs, porn and sex toys. But even then discoverability is a matter of convenience. The only reason nobody knows about your illegal or immoral activity is that they are not motivated enough to go find out. A public block chain makes that bloody trivial to do. So people will block it.

      Private chains are possible. But then you have to trust some agency(ies) and their servers and their private network just like everyone did with EquiHax. You'll quickly be back to square one with new Lords and Ladies controlling the fate of your credit, same as the old.

      But with blockchains.

      And still shitty security.

  5. as they say, "let the free market decide" by supernova87a · · Score: 5, Interesting

    I have a very simple solution for policymakers to implement:

    - Name + phone hacked = $2 penalty
    - Name + address hacked = $3 penalty
    - Name + SSN hacked = $5 penalty
    - etc., and combinations of the above, just multiply.

    Things would get fixed right quick.

    1. Re: as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      I disagree. The liability should be partly based on whether reasonable security measures were in place. The penalty should be significantly different for, say, a business that leaves a sensitive CSV file without password protection in an S3 bucket versus a business that is hacked via a zero day exploit. Also, the penalties for not reporting a breach in a timely manner absolutely must be worse than those for being breached, otherwise businesses will have an incentive to cover up data breaches.

    2. Re:as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      More like X ^ (V+Z+Y)

    3. Re: as they say, "let the free market decide" by He+Who+Has+No+Name · · Score: 4, Insightful

      The free market has decided that since losing your PII to hackers effectively costs them nothing, they're going to keep cutting costs on data security.

      The free market does not prioritize the best interests of customers. It prioritizes profits. If repeatedly fucking over customers or allowing others to do so is profitable - and right now it is - then customers are going to need copious lube and ice for their buttholes for the indeterminate future.

    4. Re:as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      It would also get them not reported.

    5. Re:as they say, "let the free market decide" by Ryanrule · · Score: 1

      You need about 6-7 more zeros, and you need to apply the fines to the personal assets of the board and c suite. Worldwide.

    6. Re:as they say, "let the free market decide" by ccguy · · Score: 1

      I'd say

      - Any of those things hacked: Your company, and not the affected individual, has to prove innocence if anything happens. Someone managed to open a $20,000 credit line to the name of someone affected by the Equifax fiasco? Equifax pays those $20,000.

      No statute of limitations here. As long as the breached data can be used for identity theft, Equifax is responsible.

      Of course they are free to lobby for a major reform so that no stolen data can be useful for more than one year or so for _anything_ related to money.

    7. Re:as they say, "let the free market decide" by Anonymous Coward · · Score: 1

      Apparently you don't do math. Combine those for $30 per violation, and 143 million violations, and we're into the billions on penalties.

      Also - fining an individual for the actions or mistakes of others would be egregious and not within the law. In other words I hope your kids don't make mistakes, because in your worldview we would find a way to make you pay big time.

    8. Re:as they say, "let the free market decide" by west · · Score: 1

      At least until they start implementing real security measures that start affecting voters. What do you mean there's an extra $50 on the loan or vehicle processing charge. What do you mean that they need an extra week to verify my identity? I need that money *now*!

      In every single case outside of "they stole my credit card last week", I've never seen more than a tiny minority of North American consumers opt for security over convenience. Every single time.

      As a business, you don't want to be in the bottom 10th percentile of security. But dear God will your customers crucify you if your product costs more, or even worse, is less convenient, than your competitors. It's got to the point that I feel security improvements beyond the minimal only come if you have a monopoly and can inflict better security against your customers' will.

      (Latest example - why does EMV in the States mostly use signature rather than PIN? Because there's enough competition in the US that consumers' preferences for less security couldn't be ignored, unlike, for example, Canada that has better security now only because the ATM cartel (Interac) made sure they had no choice.)

    9. Re:as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      Problem Solved: GDPR. The European General Data Protection Regulation can fine a company 4% of their worldwide revenue for each breach.

    10. Re:as they say, "let the free market decide" by reboot246 · · Score: 1

      That's a good idea, but it will never happen. It makes too much sense.

    11. Re: as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      Yes, but we can't send corporations to prison, so if not the officers, then who is accountable?

      Plus the military used to do just that when commanders didn't adequately ensure their subordinates obeyed the law.

    12. Re:as they say, "let the free market decide" by ShanghaiBill · · Score: 1

      It makes too much sense.

      Actually, it doesn't make sense at all. Equifax had a profit of about $600M last year. That is about $2 per American. They can't possibly afford millions of $20k payouts. The money just isn't there.

      The solution is to fix the idiotic system that allows "identity theft" by knowing a name, SSN and DOB. Equifax did not create that system, so why should they be penalized for it?

    13. Re: as they say, "let the free market decide" by Reverend+Green · · Score: 1

      Check out the liability for spilled Protected Health Information in the Massachusetts Data Security act. IIRC it's $1000 per PHI *record* - not per patient. So you spill a database with a million rows, you're liable for 1 billion dollars. Believe me, that kind of liability will put the fear of God into even the biggest company.

      Source: years ago, while working on medical research software, I was legal custodian for the PHI of about a million patients in Massachusetts.

    14. Re: as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      That's because businesses have trained their customers to think that way. That shouldn't be an add-on charge for security, it should be included in the quote.

      That extra time for verification should be explained as them carefully protecting the customer from ID theft and similar.

      It's honest, helpful and would make a difference. It doesn't happen because most companies care more about turning a quick buck than sustainable reputation and future long-term profits.

    15. Re: as they say, "let the free market decide" by Anonymous Coward · · Score: 1

      Europe has good data protection rules and most European countries have decently high penalties for this kind of thing, but Americans are nearly always unanimous in criticising them, you only have to look at how many Slashdotters from the US jumped on Google's "Right to be forgotten" disinformation campaign and kept parroting all the flagrant falsehoods about the law that Google were peddling.

      As such it's not clear that most Americans actually want companies to be held accountable for securing personal data securely - most seem to fully support the idea that companies should be able to do what they want with personal data, including letting it be hacked, with pretty much zero accountability.

      You're right - the US needs European style data protection laws if it wants to protect against stuff like this, but it's not clear there's any actual appetite for it in the US. Most Americans seem to be a-ok with companies obtaining data illegally, and not protecting it sufficiently.

      This is exactly what the case Google wrongly propagandised as the right to be forgotten was about. It was about companies obtaining too much personal data that they don't have a need to store (making people's personal history searchable isn't a need, it's a profit based want for the company). Under EU law you have to have authorisation and a purpose for obtaining, storing, and processing personal information - Google didn't as it had zero legal mandate to make people's personal history searchable whatever the source of the data. CRAs like Equifax are one of the few companies that get an exception along with law enforcement and so on and so forth.

      So before America sees any change here it needs to do some real soul searching - what's more important for Americans; companies being free to do what they will with personal data, which does have the potential advantage of rapid financial growth for corporations, or data protection, which means fewer instances of fraud, financial crime, and people being discriminated against for illness, or mistakes from their past. Until that dilemma is solved I don't see US data protection law changing.

    16. Re:as they say, "let the free market decide" by CrimsonAvenger · · Score: 1

      and you need to apply the fines to the personal assets of the board and c suite

      Pretty much impossible legally. That's why they're Limited Liability Corporations, after all.

      In fact, that's the whole point of a Corporation - to make the corporation liable, and not its employees (like, you know, the CEO)....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    17. Re:as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      1) CHIP+PIN has not really improved security. All but one of the fraudulent transactions against my credit card were online transactions for which CHIP+PIN does nothing. The remaining transaction was for $1 in Colorado and looked to me like a typo in hand-processed transactions.
      2) The next big target is going to be ACH transfers; they don't have any meaningful security at all. Nobody cares yet.
      3) I picked no debit card. The bank wanted to fight over it because they didn't want to issue an ATM only card.
      4) There are no more meaningful security options I can take. There are lots of useless ones.

    18. Re:as they say, "let the free market decide" by Cederic · · Score: 1

      Wait? A company offering ID&V products isn't responsible for market acceptance of adequate ID&V?

      It's possible to say, "That's insufficient information to identify the individual" and refuse to ID&V an individual; of course, that would reduce revenue so fuck consumers?

    19. Re:as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      Your math might be off....

      Taking Equifax's 143-144 Million count, that's potentially $8 minimum per person. So, $1.152 Billion to start with.

      Taking on Op's suggestion of multipliers, say for each CC or Bank association leaked, per person, even at 2 or 3 times per instance, per person, you're up at around a $10 Billion dollar fine.

      The real kicker here, wouldn't just be the fine. It would be the coverage that this fine, strictly DOES NOT absolve them from any future events. The same rules would apply the next time it happens.

      In this scenario, Equifax might 'survive' the 1st round. But the 2nd round of hacks? Even at 1/10th the amount of hack count, under 20 Million, they're still looking at around a $1 Billion dollar fine likely.

      At that point, Congress would be required to act on legislation, as the credit rating reputation in America becomes untrustworthy. That becomes a point where International entities start looking away for their currency to be backed by the Dollar.

      THAT, would be the real eye opener!

    20. Re: as they say, "let the free market decide" by datavirtue · · Score: 1

      I disagree. Leave the penalty the same and the invisible hand will eliminate the breaches and security holes.

    21. Re: as they say, "let the free market decide" by datavirtue · · Score: 1

      It is not a cost cutting measure. It is pure, raw, unadulterated incompetency.

    22. Re: as they say, "let the free market decide" by Shatrat · · Score: 1

      The free market prioritizes both the buyer and seller pretty well in general. The problem here is that the 143 million people affected by this aren't really Equifax's customers. Their customers are the lenders, credit card agencies, landlords et cetera. The average person like you and me isn't really even part of the transaction and that's why the Free Market doesn't give us any recourse on its own. We can't take our business elsewhere, because we didn't want to be in Equifax's database in the first place. Unfortunately, Equifax donated generously to both parties in 2016, especially to the eventual winning color, so they'll probably come out of this with a wrist slap.
      https://www.opensecrets.org/pa...

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    23. Re: as they say, "let the free market decide" by Anonymous Coward · · Score: 0

      This is precisely what we get when people refuse to take action in the free marketplace. These days people think they're accomplishing something when they buy airline tickets and then complain about the crappy service they get on social media. This might make the poor consumers feel better but it doesn't affect the companies' bottom lines.

      The key to making "let the free market decide" work is its dependency on consumer participation. If a company treats you like crap or charges too much for their products, you have to stop giving them your money. That's the weapon everybody holds, and they have the freedom and power to exercise it.

      Please remember that every day is election day. Every dollar you spend on every product you buy every day of the year is an endorsement of that product, the store you bought it at, and the manufacturer that produced it. If these companies are screwing you over in one way or another, STOP GIVING THEM YOUR MONEY. Companies can't earn profits if the public won't buy their products.

      Example: I refuse to fly on commercial airlines mostly because of the illegal and unconstitutional fascist police state that's installed at our nation's airports but also because of the horrible way the airlines treat their passengers.

      BTW, the Supreme Court ruled in a pair of decisions, one of which dates back to the Civil War (1865 or so) and the other in the late 1920's, that every person has a constitutional right of freedom of travel. Every government "official" swears an oath to protect and defend the Constitution of the United States, which implies that they must obey that very same Constitution. But hey, if you think it's OK for your own government to strip search you without a warrant or any due process of law just because you want to travel somewhere, then by all means keep going to the airport and paying for the experience.

      If you think it's OK for an airline to beat you to a bloody toothless pulp and forcibly remove you from that seat on a plane that you paid for, them by all means keep handing them your money, make sure your dental insurance is paid, drop your pants, and spread those cheeks, baby. Show us how you can be more subservient in the face of government oppression than everybody else in this "free country". Make us proud, bitch.

      In the meantime, I'm building a Burt Rutan designed OpenEZ. This free man will be flying over the long TSA lines at the commercial airports and no airline will ever get a single penny out of me ever again until we go back to being a free country and the airlines change their ways. Enjoy your rectal searches, minions.

      And finally, just to be as painfully clear as I possibly can, the free market is NOT what companies decide you will get. The free marketplace is what you agree to pay for. If you agree to pay for shit products and shit treatment, well there you are. However, if you insist on quality products and services, decent treatment, and low prices, then those companies have to get it together and provide quality if they're ever going to get your money. Therefore, you decide what you get, not the companies.

  6. Biometrics by Anonymous Coward · · Score: 0

    Yeah, good idea. They already ruled biometric data isn't covered by 4th amendment protections so let's go ahead and link our financial data to it. That way it's even easier for the police to steal from us with impunity.

  7. In other news... by sgage · · Score: 4, Funny

    ... horse escapes from wide-open barn! Farmer encouraged to shut the f-ing door!

    Bright godz, what a mess...

    1. Re: In other news... by Anonymous Coward · · Score: 5, Funny

      A large number of horses escape from a rented stable where the door was left wide open. To determine if your horse was lost, you must place another horse in the stable and agree to a binding arbitration clause regarding the loss of the new + original horse.

    2. Re:In other news... by Anonymous Coward · · Score: 0

      When this becomes law and then computers are outlawed later in the future, the human datastores who memorize all the data will be forbidden to memorize more than 3,000 people-records each. If you want to memorize more, you'll have to get a note stamped by a mechanical diagnostic syringe-punch certifying that you have multiple personality disorder.

  8. Dump it all by Anonymous Coward · · Score: 0

    Get rid of credit checks so there's no need to have companies harvest personal information. Bring back indentured servitude for people who don't pay back loans. You offer your labor or property as collateral for loans.

  9. Time for a replaceable social security number by Anonymous Coward · · Score: 0

    The government needs to allow its citizens to replace their social security numbers just like when you lose your credit card. And we should make the companies that have the security breaches be the ones that cover the cost of getting us those replacement SS#s.

    1. Re: Time for a replaceable social security number by Monster_user · · Score: 1

      Or we could just stop using the SSN altogether, and use another number, like a Universal Credit History ID, or UCHID. Then we could have puns when a bloke applies for credit, just look at him funny and say "you kid?" (You kidding me?). Pair the UCHID with other means of protecting it, such as a changeable password, and problem solved.

  10. Three executives dump shares by 140Mandak262Jamuna · · Score: 2

    Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.

    Wait, that guy is named John Gamble? and he is the damned CEO?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Three executives dump shares by Krishnoid · · Score: 2

      We obviously need someone who can provide checks and oversight on his leadership. Someone so strongly invested in such a process that it would similarly be reflected in their own last name.

  11. Cost to Profit Ratio Too Low by IonOtter · · Score: 2

    Right now, it's in the best interests of the corporation to allow the details to be stolen.

    Assuming the customer even catches the theft, they're still responsible for the first $50 dollars. And if the company chooses to dispute the customer's claim, they might get more than that.

    The seller and processor all file claims with their insurance company, and get their money back.

    In short, everyone but the victim wins.

    Until that changes, this will continue to happen.

    --
    [End Of Line]
    1. Re:Cost to Profit Ratio Too Low by ichimunki · · Score: 2

      Really? The insurance company just pays out all the time and never denies a claim coming from a seller or processor? And they never raise the rates on the policy? Does the insurance company have a magic goose out back or something?

      --
      I do not have a signature
    2. Re:Cost to Profit Ratio Too Low by Anonymous Coward · · Score: 0

      It's not always the same insurance company every time....

    3. Re:Cost to Profit Ratio Too Low by Anonymous Coward · · Score: 0

      You don't think that there's a database that insurance companies consult when deciding what rates they want to offer? And even failing that, they don't look up large companies on the internet to see if they've got some sort of reputation for these sorts of things?

  12. innocent until proven guilty by at10u8 · · Score: 5, Interesting

    Penalties are aiming in the wrong direction because leaks will continue to happen. Better to change finance law so that the victim is presumed innocent until proven guilty. A victim should not be penalized. Rather, the lender who fails to perform due diligence and verify identity before extending credit should lose. That would be a powerful motivation for the finance industry to adopt new techniques that minimize their risk of losing.

    1. Re: innocent until proven guilty by Monster_user · · Score: 1

      Can we get this upvoted please? Absolutely agree!

    2. Re:innocent until proven guilty by Anonymous Coward · · Score: 0

      It's all a shell game, regardless of finance law reform, when weighs and means are themselves set by foolish decree.

    3. Re:innocent until proven guilty by Anonymous Coward · · Score: 0

      Rather, the lender who fails to perform due diligence and verify identity before extending credit should lose.

      Even if this could be successfully implemented there would be some perverse side effects. Making credit harder to obtain forces more people into the sub-prime part of the market or even off into the black market. This is especially true with minorities and other disadvantaged people who would then be reduced to pawn shops, payday lenders or Vinnie at equivalent annual rates approaching hundreds or even thousands of percentage points. People already complain about wealth inequality in the United States. Pinching off access to credit will not improve the inequality that already exists. In fact, it will probably make wealth inequality even worse.

    4. Re: innocent until proven guilty by lucm · · Score: 1

      I also agree. And it's not unrealistic; let's just look at credit card fraud where it's now pretty much risk free for the customer. With the proper incentives, the financial services industry can do their homework.

      --
      lucm, indeed.
    5. Re: innocent until proven guilty by Anonymous Coward · · Score: 0

      How much credit do people really need? Apart from buying a house or car, people rarely have any need for borrowing more than a few grand at a time.

      I know that I could get a lot more credit if I wanted to. But I rarely even use a tenth of what I have and having more makes it easier for criminals if they manage to get my cards.

      I started with a credit card with a $500 limit and just paid off my balance on time and in full every month.

      Creditors really just need to know about your income. Amount of credit available and used. As well as how often you're late/delinquent on your accounts. That last bit being the most important.

      And most of that data can be scrubbed before sharing as it only needs to be accessible if there's a mistake or dispute.

    6. Re:innocent until proven guilty by Anonymous Coward · · Score: 0

      This is so right. If you buy a plane ticket and get to the airport to find that someone else impersonated you, upgraded your ticket to first class at the front desk, got all the way through security, and is sitting in your seat, the airline and airport are in trouble for a major security lapse, not you. It should work the same way if someone takes a loan out in your name.

  13. Account hijack is a bigger threat by 140Mandak262Jamuna · · Score: 5, Insightful

    Freezing credit lines does squat to stop the identity thieves from hijacking your accounts. They got social security number, driver license number and dates of birth.

    In no place should this be considered "credentials". But the US financial institutions pretend these are secret passwords.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Account hijack is a bigger threat by leftCoaster · · Score: 1

      Freezing credit lines does squat to stop the identity thieves from hijacking your accounts. They got social security number, driver license number and dates of birth.

      If your records show multiple dates of birth, you might be a victim of identity theft. Or your mom was trying to hide something.

  14. Data "capitalists"? by Anonymous Coward · · Score: 0

    Can we please stop with this leftist tripe!?
    BS - They're data SOCIALISTS.

    The government happily and gleefully lets them collect the data so it can use it for its own nefarious purposes.

    China collects far FAR more data on its populace than even these guys do and don't even get me started on Facebook. But hey it makes for a nice meme "Ooooh if only we weren't capitalist this evil data collection wouldn't happen"

    The data the NHS and HHS collects on our health history is far FAR more dangerous and centralized... and it will leak one day.

    1. Re: Data "capitalists"? by Anonymous Coward · · Score: 0

      The data is being brokered to make money, which is also known as capital. If they were using the data to better society, then you could call them data socialists.

    2. Re:Data "capitalists"? by Anonymous Coward · · Score: 0

      I just realised how stupid my post makes me seem. Sorry everyone, I was having a bad day. I know what I posted is utter crap.

  15. WRONG by sit1963nz · · Score: 1

    The current system is designed so that when a breach happens US citizens can band together for a class action suit.
    This means that a law firm will make millions or tens of millions of dollars and the REAL victims will get $1.23 (less taxes).

    And all up, this costs the corporation less money than doing the job properly.

    The system is working exactly as it was intended to.

    God, some people think rich people are just made of money, do you not know how much a Ferrari costs these days?

    1. Re:WRONG by lucm · · Score: 1

      You forget the trickle-down economy. When the lawyers make millions suing companies for losses experienced by someone else, they can afford to hire pool boy to clean the pubic hair and soiled condoms from their infinity pool filters. Then the pool boy can afford to buy a $5 iTune gift card for that special someone who's gonna spend it on Kanye West albums. In turn, Kanye West can use that money to buy more drugs and create more scandals at the MTV music awards, which attracts advertisers and viewers.

      Lawyers are the linchpin of our economy.

      --
      lucm, indeed.
    2. Re:WRONG by sit1963nz · · Score: 1

      Damn it, I read that as "Lawyers are the lynching of our economy."

    3. Re:WRONG by JonnyCalcutta · · Score: 1

      I prefer to call it the 'golden shower economy'. They get the hookers and blow, we get the golden showers.

  16. Fundamental principles of personal data by shanen · · Score: 4, Insightful

    (1) We should have control over our personal information, and no one should be allowed to collect it, sell it, and most importantly, use it against us or to manipulate us without our knowledge. I think that must start with the right to control WHERE that personal knowledge is stored (because possession is still 9 points of the law).

    (2) Those parts of our personal information that have become public should be visible to ALL of the public. As it might apply in an improved Slashdot, I would thus be able to use that public information to save time by ignoring people with low reputations. No insult intended [to the authors of rather mindless comments on today's Slashdot?], but I'd prefer to spend as much time as possible consorting with people who are nicer and smarter than I am and zero time (or less) being distracted by trolls.

    (3) I'd be willing to help pay for such systems, both in terms of development and ongoing costs.

    Feeling like a broken record stuck on an old joke, but lots of detailed suggestions available upon polite request. Even nicer if you have some better ideas, but if you have nothing to say, then why don't you say nothing?

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    1. Re:Fundamental principles of personal data by mrwireless · · Score: 1

      We also need to develop a more nuanced view about data:

      Databrokers create 'derived data' from your data: probabilities that you fit categories like 'parents divorced before the age of 21'. These scores are no longer your data, they are their data.

      In the USA these 'opinions' are protected as corporate free speech, which makes your proposal harder to implement than you may think.

    2. Re:Fundamental principles of personal data by shanen · · Score: 1

      I must have missed the part where I said anything about thinking it would be easy to implement ANY of this against the dominant religion of corporate cancerism. Actually, your comment raises the problem of "government of the corporations, by the lawyers, for the richest 0.1%".

      However, I do think that websites or other systems based upon such principles might be attractive to discriminating people. There was a time when I imagined Slashdot might be able to become such a website.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  17. We need a National ID. by Anonymous Coward · · Score: 0

    We're putting too much on pseudo-IDs which can never be changed, etc. It's insane.

  18. Easy. by Anonymous Coward · · Score: 0

    $1 million fine per victim

  19. From the No Shit Sherlock Institution by Snotnose · · Score: 2

    A) Equifax gets sued out of existence
    B) The Equifax Security Cxx is held personally liable, and faces serious prison time
    C) The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters.

    Until something like this happens you and I are fucked, while the 1% glide along with no problem.

    1. Re:From the No Shit Sherlock Institution by uncqual · · Score: 1

      What criminal law do you think the "Equifax Security Cxx" broke?

      "The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters." -- if it turns out to have been the result of an oversight in administration or a programming bug, shouldn't the IT staff that failed to do their job and/or the programmer that caused the bug (or chose to use open source software which had the bug) also be held personally liable? They are the subject matter experts. Depending on circumstances (which hopefully some Senate and House hearings get to the bottom of), what you are proposing may be like holding the CEO of GM personally responsible for an accident caused by an improperly tightened brake line because a line worker failed to tighten it properly.

      "Equifax gets sued out of existence" - that would be a nice outcome but I'm not holding my breath.

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    2. Re:From the No Shit Sherlock Institution by antifoidulus · · Score: 1

      Because if the CEO wants to take the lion's share of the profits when things go good they better be willing to put their neck on the line when things go bad. Otherwise they are just thieves. I might be more willing to have sympathy for the CEO if they weren't making hundreds of times what the average worker wants.

      TL;DR don't take the reward if you aren't willing to accept the risk.

    3. Re:From the No Shit Sherlock Institution by Anonymous Coward · · Score: 0

      The Equifax chief of security was some dumb broad with a music degree. The CEO and whoever hired her should hit the slammer for criminal mishandling of PCI PIAA at the scale of 143 MILLION PEOPLE, which corresponds to at least ten thousand years in prison, and so we should just shoot the fucker a dozen times center mass and put his head on a spike outside the NYSE.

    4. Re:From the No Shit Sherlock Institution by uncqual · · Score: 1

      What criminal law are you proposing the CEO is guilty of? "Bad judgement", alone, is not a crime. The fact that something slipped through the cracks does not mean a crime occurred or that the CEO is guilty of a crime if somewhere in the corporation a crime was committed. We can only prosecute people for actual crimes that were a crime at the time they were committed (so, whatever changes to the law you think should be made wouldn't apply to this situation anyway).

      I've had a couple of very good kernel level programmers working for me that were music majors in college. That alone does not make her unqualified. As well, an executive need not be an expert on every detail - if the executive in charge of manufacturing at GM were applying for a job on the manufacturing line s/he would likely not be hired - her/his job isn't turning wrenches, it's much more financial, planning/forecasting, vendor relations, legal etc.

      A chief of security at a large corporation need not, themselves, be an expert on security implementation details. They simply don't have the time to keep up even if they were once experts in the area. That's why they hire people whose primary job IS the technical side and who effectively spend ALL their time on that side (vs. interacting with the board, doing budgets, planning, legal compliance issues, etc).

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    5. Re:From the No Shit Sherlock Institution by Anonymous Coward · · Score: 0

      Ah yes, just because we're not professional lawyers and can't name immediately what law they broke, it's assumed that they didn't break any laws? Given that the average American breaks about 3 laws a day, surely there's something that can be pinned on these assholes.

    6. Re:From the No Shit Sherlock Institution by uncqual · · Score: 1

      No, but it falls on the person claiming that someone broke the law to explain what that law is and how the person broke it.

      For example, some people "believe" that if you walk down the street and see a stranger having a heart attack that legally you must render aid at least to the extent of calling 911 and that failing to do so is "illegal" -- yet, in the majority of jurisdictions in the United States, you have NO legal obligation to lift a finger to help the person and are not guilty of a crime if you fail to do so. The point is, many (perhaps most) things that people think are "wrong" are completely legal (and many things that many people think are/should be legal are not).

      As well, the difference between criminal and civil statutes is important. There are many things that are "illegal" but only have civil penalties or which only expose you to financial liability when sued by the injured party, not criminal punishment - and you only can be put in the "slammer" for criminal violations.

      "Surely there's something that can be pinned on these assholes" is the first step of a witch-hunt and inappropriate. One should start with "this asshole did specifically X which is illegal" (and, hopefully, the person making the claim is willing to spend a few minutes with google to give some indication of where that law is found).

      As far as I know, at this point we don't know if this breach happened due to several zero-day exploits of vulnerabilities in Intel and Cisco firmware that made the exploit invisible to the most sophisticated monitoring tools and techniques used anywhere in the industry and that Equifax only discovered it because one of their analysts had a brilliant insight that they should be looking for correlations in traffic that would reveal a highly improbable attack against a previously unimagined set of unknown vulnerabilities. No, I would not make an even money bet that is the case (as most such breaches are not that obscure), but before I conclude that some "assholes" should be found guilty of a crime, any crime, no matter how far we have to stretch the law, I would need to understand what really happened.

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    7. Re:From the No Shit Sherlock Institution by Anonymous Coward · · Score: 0

      Are you certain that the CEO takes the "lion's share of the profits"? My guess is that the salary of the CEO is insignificant compared to the company's profits. A little research can confirm this.

    8. Re:From the No Shit Sherlock Institution by Cederic · · Score: 1

      What criminal law do you think the "Equifax Security Cxx" broke?

      Well, potentially the UK DPA for a start.

      But why do you think people are calling for serious data protection reforms? Right now US data protection is largely absent, health data is about the only consumer data with legal constraints.

      Equifax may get sued senseless here but unless there are clear corporate governance failures it's unlikely there'll be criminal charges in relation to the breach.

      (Rather more likely in relation to the post-breach sale of shares though)

  20. Another idea by Monster_user · · Score: 1

    What if we made credit rejections due to credit theft or other incorrect data a prosecutable offense against the businesses and such that are out there. Right now they don't demand accurate data upon which to base decisions, only a reasonable assurance that the risk is low. The businesses then inerrantly use this data as the entire or a significant part of the basis for making this decision. Due to the significant impact of such denials for consumers, then either credit should be removed from our economy entirely, including the national debt, or businesses should be held to a higher standard for intelligence gathering and denial, so that they hold the big three intelligence organizations to a high standard of accuracy.

  21. Simple by Ryanrule · · Score: 1

    Take all the assets of the board and c suite. Everything they have, everything their immediate family has. Put them on the street.

    1. Re:Simple by Cederic · · Score: 1

      Under which law? Doesn't the US have a law specifically against this? Technically two, I think you're suggesting breaking the 4th and 8th amendments.

  22. The Block Chain by Anonymous Coward · · Score: 0

    When anonymity is protected then there is little direct "individual" data to worry about.

  23. Or just lobby Congress to prevent reforms by Anonymous Coward · · Score: 0

    That would be easier for Equifax.

  24. High tech solutions by manu0601 · · Score: 3, Insightful

    It is weird to see proposals to introduce high tech solutions to fix the reliance on SSN: cryptography, biometry... All those solutions will have flaws.

    Another option could be to look at the numerous other countries in the world, where knowing your SSN has never been enough to get a credit on your behalf, or to sell your house.

    1. Re:High tech solutions by houghi · · Score: 1

      Belgium is such a country. You have a National Number YYYYMMDD-XXX-ZZ
      Date backward, counter, the last two are gender and a control number. So the first baby born on 20170911 will get 20170911-001-12 (Or something similar) Well, not born, but officially mentioned, so that could be somebody who comes to Belgium at the age of 60. He will not be number 001 for that day, but 857 or whatever.

      If that number is abused, they could give you a new number. However that national number by itself means nothing. You also must have an ID card. That card is your way to ID yourself.
      On that ID there is a chip. That info is readable via open source software: https://eid.belgium.be/en
      It can be used (but is not done in too many places) to do electronic signature. I use it to do my taxes online. Easy and fast.

      It is used as age verification for e.g. buying cigarettes and beer at vending machines to verify age.

      Those IDs can be stolen, so if you need to verify them, you go to https://www.checkdoc.be/CheckD... and you can see if it is valid or not. That is all you will see OK or NOK.

      If they are stolen, you call a number and they block the card. You then need to go to the police to get a temporary paper and go to the city hall to ask for a new one. That one will then have a new number.
      Cards are valid for 5 years.

      So what are the downsides?
      1) If you use it, they will be able to see all the information. e.g. if you use it to verify your age, it will be able to read your name and address. There are laws what they could do with that info, but it is possible for them to start sending spam. More a minor inconvenience than a serious risk in reality.
      2) The Police could play Gestapo and ask everybody for their papers. However if they do that, it is very likely they will get in trouble and fired. Accountability and such.
      I have had it once that they asked me on the street for my ID. Did a verification and I was on my way in 5 minutes. Two days later I saw them do the same with somebody else who looked very similar and was dressed very similar to me. So clearly they were looking for somebody. The fact they did it that way tells me that this was not just about some unpaid parking tickets or speeding or even DUI.

      The other time I had to show my ID was when I got a DUI many years ago. (Took my drivers license for several weeks and rightfully so.)

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:High tech solutions by Alioth · · Score: 1

      Date backward? That's the One True Date Format (ISO format), of which others are inferior (DD-MM-YYYY and worse MM-DD-YYYY). ISO dates will even sort without needing a date specific sorting function.

  25. Solution by thisisauniqueid · · Score: 5, Informative

    SSNs, birthdates and associated names should all be considered public knowledge, since none of them are revocable (or realistically revocable, in the case of SSNs and names). Relying on an SSN and/or birthdate as a password is madness.

    1. Re:Solution by AtomicSymphonic · · Score: 5, Informative

      Until our country's people come around to the idea of a secure National ID card, SSNs and passwords are all American industries are gonna get.

      It's still politically toxic for the American right-wing to even consider national ID. The solution is political. No amount of superior "whizz-bang" super-duper innovations in security such as blockchain will get these people off their seats. They're perfectly content extracting money from the corporation that lost their data and not much else.

      They don't want "big brother" to know who they are, except they already have a passport and a birth certificate...

    2. Re:Solution by Anonymous Coward · · Score: 0

      SSN already is the national ID. What it is not is a proof of identity.

      Proving identity and having an identity number are two separate things.

  26. MFA? What? by scdeimos · · Score: 1

    "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."

    How the heck does MFA help this situation? MFA guards the login portal, sure, but doesn't do anything to stop companies creating SQL injection attacks or just storing customer data on public S3 buckets (which is how a lot of these breaches are enabled).

  27. Stop it with the blockchain nonsense by mrwireless · · Score: 1

    Blockchain:

    - Unclear accountability (the real reason for popularity)

    - You're putting data on lots of computers, in different jurisdictions.

    - Can't really delete anything (privacy nightmare)

    - Not really anonymous.

    - Encryption will be broken in time.

    - Power not really distributed, just obfuscated (lies with devs).

    - Slow and overly complex.

    Sources:

    http://estsjournal.org/article...

    https://medium.com/enspiral-ta...

    https://www.forbes.com/sites/j...

    https://www.theatlantic.com/te...

    https://blog.ethereum.org/2016...

    http://blog.ezyang.com/2011/06...

    1. Re:Stop it with the blockchain nonsense by sfcat · · Score: 1

      Blockchain:

      - Unclear accountability (the real reason for popularity)

      - You're putting data on lots of computers, in different jurisdictions.

      - Can't really delete anything (privacy nightmare)

      - Not really anonymous.

      - Encryption will be broken in time.

      - Power not really distributed, just obfuscated (lies with devs).

      - Slow and overly complex.

      The Blockchain solves 1 and only 1 problem at great cost. That problem is the Byzantine General's problem which handles the problem of bad actors in a system. Is that really the problem here? It seems like the problem is with token/identity assignment, generally sloppy corporate coding and the inevitable appearance of Murphy's Law. I don't think that any of these issues are analogs to the Byzantine General's problem.

      A better solution would be to add a CC chip reader to each laptop and cell phone and put tokens on those chips which are used to validate transactions. As for server security, just generally doing a better job of the nuts and bolts of information handling solves most of those issues (like using an encryption key on those CC chips to encrypt PII). These breaches are rarely cracking of encryption or other "front-door" techniques. It's usually a 3rd party with sloppy security (like the trucking company or similarly "low tech" industries), not Hollywood style genius level hacking.

      There are also techniques for applying operations on encrypted data without ever decrypting it. But those are really hard and very few companies have the expertise to make that work.

      --
      "Those that start by burning books, will end by burning men."
  28. Not going to happen by Ol+Olsoc · · Score: 1

    This will cost money - fail. This will require people who collect a salary - huge fail.

    People need to understand that the internet is not their friend. Places like Equifax identify more with the people who hack them than their customers.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  29. Newsflash! by boudie2 · · Score: 1

    Corporate America doesn't care about you or your privacy. And your lawmakers work for them. Now what are you going to do?

  30. Encourage Simple Gov Regulation by Tora · · Score: 4, Insightful

    Regulation can be dangerous, but it seems this is a situation where it is called for: when a citizen's liberty is being trampled; and the Equifax breach will trample on people's liberty for decades to come – yet they are offering a pittance of one year's credit monitoring as if this will help for a lifetime of damage. Perhaps the EU's GDPR takes things a bit too far for the USA, but it can be used as a reference point, and we need something in our citizens' rights to their own identity in this modern world.

    There are many technical solutions available, but out the gate, it seems like we should be seeking some greater level of culpability on behalf of those holding this data, perhaps even considering the GDPR in context. We can at least ask that of our government. A petition has been started to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.

    --
    tora
    1. Re:Encourage Simple Gov Regulation by jmccue · · Score: 1

      A petition has been started to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.

      Well since I suspect many congress people's and their relations' personal information was in the breach, maybe we will finally see some real action taken. But the cynic in me thinks there will be two regulations, one for the powerful and another for the peons.

    2. Re:Encourage Simple Gov Regulation by Uberbah · · Score: 1

      Regulation can be dangerous

      Mmm, sounds like a libertarian tautology. Regulation is no more dangerous than any other human construct, like business contracts or deeds. The lack of regulation, though, has caused plenty of harm including deaths: the people who died on the Deep Horizon rig during Katrina, the dozens to hundreds of people who burned up in that London highrise because better materials would have cost a few thousand pounds, those chemical plants in Texas that have leaked or blown up, whose owners argued for lax regulations....

  31. This will get co-opted by deregulators by sandbagger · · Score: 1

    Industry will somehow, with a straight face, claim that the answer will be getting government out of the way. The *only* reason this could have possibly happened is because of onerous, confusing regulations.

    Why?

    Memories are short.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
  32. Witness the power of this fully functional lobby by hwstar · · Score: 3, Interesting

    Nothing will happen at the federal level right away because of this.

    The banks are too powerful. These are the same guys who pushed binding arbitration in consumer contracts of adhesion.

    States will need to take the initiative first. Let's hope that the banks don't have the power to pass a federal law to preempt the flurry of state laws which will come out of this.

    Death by a thousand cuts at the state level might prompt a 'watered down' federal update to the Federal Credit Reporting Act, but it will end up pre-empting any state laws with a decent set of teeth.

    Sometimes I worry about the rule of law and equal protection under the law in the US. If the banking cartel can rip off everyone by sidestepping the rule of law with binding arbitration, why can't a sniper take out a banker or two?

  33. India has Aadhaar by Anonymous Coward · · Score: 0

    Aadhaar (meaning support/foundation) is the largest digital database of biometric information, representing the digital identity of 1.2 billion people. It consists of a 12-digit unique number, 10-finger scans, and an iris scan. Authentication is done electronically through APIs/OTP, and it is being used in the financial world and govt schemes. More info at https://en.m.wikipedia.org/wiki/Aadhaar.

  34. Only way they'll change.... by Rick+Zeman · · Score: 1

    ...is to be financially responsible for any breaches where the cost of non-compliance far, far outweighs the cost of compliance.

  35. Easy to do by Opportunist · · Score: 1

    You want to store personally identifiable information of ANY kind? No problem. We'll create security guidelines that you have to implement, you get audited once a year (at your expense) and if you fail, you pay 1% of your annual gross revenue per day in fines until your security is up to par.

    Don't like it? Don't store the information. Easy solution.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  36. It's a scam by Anonymous Coward · · Score: 0

    You can enter any last name and last 6 digits on the site and it says you've been affected by the breach

  37. That's a REGULATED market by evanh · · Score: 1

    Imposing fines for arbitrary rules is not a free market.

    The free market only has one outcome - monopoly, and its resultant abuses. It's the ultimate corrupt system.

  38. Just say no. by Anonymous Coward · · Score: 0

    Yet more government intervention is not the solution to yet another example of government incompetence.

  39. Easy Fix by Anonymous Coward · · Score: 0

    Tack onto the next must-pass legislation:

    "Natural persons shall be vested with a property right in information about themselves".

  40. That's a REGULATED market by evanh · · Score: 1

    Fines or not, imposing arbitrary rules is not a free market.

    The free market only has one outcome - monopoly, and its resultant abuses. It's the ultimate corrupt system.

  41. Re:Donald Trump playbook by lucm · · Score: 2, Interesting

    When anyone accuses you of something you accuse them of it 10x.

    It's easier when your adversary is a corrupt, thieving, lying piece of garbage. At this point I'm starting to wonder about the real involvement of the Russians in the election; if they are indeed as smart as chess players, maybe what they did was make sure that the Democrats picked the worst possible candidate instead of the guy that clearly embodies the real liberal values.

    But when it comes to Equifax, this comparison hardly applies because Equifax are not evil, they're merely incompetent, and have been for a long time. They're just like Diebold (the makers of those hilarious MS-Access based voting machines); once you start scratching the surface you just can't help but freak out when you realize how fucking retarded they are.

    --
    lucm, indeed.
  42. Re:Witness the power of this fully functional lobb by Anonymous Coward · · Score: 0

    If the banking cartel can rip off everyone by sidestepping the rule of law with binding arbitration, why can't a sniper take out a banker or two?

    It's been known to happen to abortion doctors. The bankers might want to keep that in mind.

  43. Laws on Exporting Data by Roger+W+Moore · · Score: 1

    To avoid inconveniences like this, firms like Equifax will simply move vulnerable assets outside of the reach of US Law.

    Many countries have laws to prevent the export of sensitive personal data. Both the EU and Canada have laws that require that any export of data be to a country where there is the same level of protection under the law for privacy. This is what causes universities in Canada headaches with using US-hosted online assignments, or has required special safeguard guarantees from the US before the EU would share air passenger data, etc.

    This is also what probably protected Canada from this breach. According to my Canadian bank, Equifax Canada was not affected by this breach because all their data is kept on Canadian-based systems. While they did not say explicitly I suspect that this is because there would be significant legal obstacles to hosting such sensitive data in the US.

    1. Re:Laws on Exporting Data by ctilsie242 · · Score: 1

      This is only going to be more common. Russia, China, the EU, India, Pakistan all have laws going into effect that have actual teeth in them that are for data privacy.

      Some of the laws actually are contradictory. The EU requires data to be retained on one hand for LEO access. On the other hand, data must be destroyed when it isn't used.

      It is ironic that the US is the only civilized country in the world right now without data protection guidelines except in specialized environments (medical, financial)... and even those guidelines are not enforced (Sarbanes-Oxley hasn't been used for much other than having a fisherman arrested for going over the bag limit.)

    2. Re:Laws on Exporting Data by Enigma2175 · · Score: 1

      This is also what probably protected Canada from this breach. According to my Canadian bank, Equifax Canada was not affected by this breach

      Well, it doesn't appear that your bank knows if you are affected or not. According to this article, "Credit reporting giant Equifax has yet to reveal how many Canadians had their personal information hacked over the spring and summer when the company’s database was breached." and "The breach exposed the information of an 'unknown' number of people living in Canada and the United Kingdom." It sounds to me like Canadians are affected, they just haven't said how many yet.

      --
      Enigma

  44. Crown Jewels by Roger+W+Moore · · Score: 1

    In which case you had better have the money to mount an equally relentless defence of that data. This was also not some minor slip-up like a few files on a USB stick or temporary files on someone's hacked desktop; this looks like pretty much their entire database. It is possible to protect such valuable assets - the Crown Jewels have been safely kept for centuries, with a thief only once, briefly, getting their hands on them, but they never made it out of the Tower.

    Credit databases like this are the "Crown Jewels" of online data due to their value for identity theft. I don't think it is asking too much that the extremely rich and profitable companies which manage these data look after them in a similar fashion.

    1. Re: Crown Jewels by Monster_user · · Score: 1

      1. It is too much to ask a company whose livelihood is not based on the accuracy of such data, but rather merely on the risk level the data indicates. This data is hardly considered to be "crown jewels" by Equifax, despite being that valuable for most who participate in our economy.

      2. The actual crown jewels are not part of the Internet of Things. They are offline-only devices which require physical access to steal. Thus they can be secured. Stealing the crown jewels requires actions which will be noticed and reacted upon immediately. Online information is inherently insecure, because it is designed to be accessible and copied. Any attempts to steal that data would look little different from legitimate access to that data.

  45. Re:Donald Trump playbook by Z00L00K · · Score: 1

    The problem isn't the SSNs, it's how everyone sees the SSNs - like some magic number that proves everything, but the reality is that it's not worth shit unless you use it as a key to look up the actual biometrics of the person carrying the SSN to verify their identity.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  46. Re:Donald Trump playbook by jimtheowl · · Score: 1, Interesting

    Some would argue that Equifax has always been evil, and now they are showing that they are incompetent as well, so they could be both.

    As for your other point, it is also possible that the Democrats did not pick the worst possible candidate, but one that was not as appealing to the TV reality entertainment mindset of the populace and nevertheless actually qualified to do the job.

    But that is way, way in the past. No one cares about it except trolls who want to divert attention from the present. It would be nice if those who got elected were to focus on the job and stop reminiscing.

  47. Re:Witness the power of this fully functional lobb by Anonymous Coward · · Score: 0

    There is a line somewhere between corruption and lobbying. And there is a line somewhere between corruption and sabotage.

    One could argue that lobbying, when taken too far, equals sabotaging the nation.

  48. There's one thing that should be done by Anonymous Coward · · Score: 0

    And that would be taking the tools out of the hackers' hands. Ban general purpose computers. I know many lack the scope to see this but unless you're a certified programmer you do not need a general purpose computer. Period. One of these days we will be counting the dead from a hacker attack and your irrational attachment to unfeeling machines cannot be a valid counterpoint to a necessary step for the security of the populace.

  49. Nope by Anonymous Coward · · Score: 0

    This isn't Europe, and you can't ban people from knowing things. You can penalize breaches to get a similar outcome.

    This will never work because the government will never agree to give up all your info, and their security is no better than anybody else's (IRS, OPM, etc.)

    Try harder.

  50. Re:Donald Trump playbook by NicknameUnavailable · · Score: 1

    I think you're reading the Democrat playbook backwards: accuse others of doing what you already have a monopoly on because you both need a fallguy AND the commoners are too dim to see beyond "this other guy was accused first."

  51. Re:Donald Trump playbook by NicknameUnavailable · · Score: 2

    But when it comes to Equifax, this comparison hardly applies because Equifax are not evil, they're merely incompetent

    Are you joking? They were the datamining scum-of-the-earth bastards before Silicon Valley even invented the term for it. Their entire business is founded upon the notion of putting people into indentured servitude via debt.

  52. Make binding arbitration illegal. by Anonymous Coward · · Score: 0

    First make all binding arbitration between/for consumers illegal.

  53. Bank Fraud. Not Identity Theft by Anonymous Coward · · Score: 0

    It is BANK FRAUD.

    Not "identity theft" as they are trying to label this in order to put the burden on an unsuspecting person.
    "You" have never participated in the contract between the bank and the fraudster.
    There should be no legal reason why you should have to be liable to the bank for something someone else did.

  54. Mandate that 666 are not proof of identity by Anonymous Coward · · Score: 0

    Can this "solution" be embedded in either the hand or forehead?

  55. Re:Donald Trump playbook by ebyrob · · Score: 1

    SSN is very important, it's like a name only more precise.

    Trying to use someone's name as a password or pretending it's a secret is the where the idiocy creeps in.

  56. Well I'm pissed, so yeah. by sabbede · · Score: 1

    My info was compromised, so was my special lady's. I'm not happy about it or how pitiful EF's offered remedy is. I'll happily accept regulating them out of existence.

  57. Re:Donald Trump playbook by sabbede · · Score: 1

    Idiot.

  58. My solution by Anonymous Coward · · Score: 0

    I sent Equifax a letter about 15 years ago demanding they destroy all data and material they had on me. I did this because I don't buy anything on credit, and so there is no reason for them to have any data of which I am the intellectual property owner.

  59. Re:Donald Trump playbook by lucm · · Score: 1

    They were the datamining scum-of-the-earth bastards before Silicon Valley even invented the term for it. Their entire business is founded upon the notion of putting people into indentured servitude via debt.

    I don't think that's true. Equifax incompetence aside, keeping track of credit-related events is important, and not just for borrowing money but also for any kind of contract where credit history matters (e.g. big insurance policy, job in a bank, etc).

    --
    lucm, indeed.
  60. Most Americans do not have a passport by Anonymous Coward · · Score: 0

    Most Americans do not have a passport. Only 35% of us do and mine expired a few months ago, so technically I do not have a passport, now. But I travel internationally 2-5 times a year, so that will be replaced.

    Birth certificates are state documents, not national documents.

    I hope the FTC gets involved, fines should be $1000 per incident, paid directly to the people injured. They should send the check to my last known address. I shouldn't have to do anything.