Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com)
Equifax's data breach was colossal -- but what should happen next? The Guardian writes:
The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
An SSN is a good primary key in a database because each SSN should correspond to a unique person. It's a terrible way, however, for proof of identity. We essentially use it as a username, but also as a password, and a password that you're unable to change. Furthermore, by law, you have to provide it to banks and some other institutions to use their services. You need to share your SSN with your employer in order to get paid for your job. And you have to trust that none of these entities will mishandle your SSN.
How about using the SSN for the primary key it is and doing away with it altogether for proof of identity. Mandate that financial institutions use other proof of identity such as one time use passwords and public key encryption. Devalue the SSN and, at the same time, replace it with a secure means to prove identity. The government does have a role, because they can and do regulate entities like financial institutions.
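One way to make the distinction in that comment concrete, as an added example (not from the article or any institution's real scheme): the SSN is used only as a lookup key, while identity is proven by a per-user secret through a challenge-response one-time code. The pepper, record layout and function names are assumptions for illustration; the stdlib `hmac` is used in place of the public-key signature the comment suggests.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret kept apart from the records, so a dumped
# directory does not reveal the SSNs it is keyed by.
PEPPER = b"example-pepper-not-a-real-secret"


def ssn_key(ssn: str) -> str:
    """Derive the record key from the SSN; the raw SSN is never stored."""
    return hmac.new(PEPPER, ssn.encode(), hashlib.sha256).hexdigest()


def enroll(directory: dict, ssn: str, name: str) -> bytes:
    """Create a record keyed by the SSN and return the user's authenticator secret."""
    secret = secrets.token_bytes(32)
    directory[ssn_key(ssn)] = {"name": name, "secret": secret, "used": set()}
    return secret


def new_challenge() -> bytes:
    """Server side: a fresh random challenge for each login attempt."""
    return secrets.token_bytes(16)


def one_time_code(secret: bytes, challenge: bytes) -> str:
    """Client side: answer the challenge with an HMAC over it; each answer is single-use."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def authenticate(directory: dict, ssn: str, challenge: bytes, code: str) -> bool:
    """Server side: find the record by SSN, verify the code, reject replayed challenges.

    Knowing the SSN alone locates the record but cannot produce a valid code.
    """
    record = directory.get(ssn_key(ssn))
    if record is None or challenge in record["used"]:
        return False
    expected = one_time_code(record["secret"], challenge)
    if not hmac.compare_digest(expected, code):
        return False
    record["used"].add(challenge)
    return True
```

The `used` set shows the one-time property; a real deployment would also expire challenges and bind them to a session.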
These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
About as insightful as the apper guy. Blockchain magic fixes everything. Also, since when was the age of a company a good predictor of an internal cowboy culture?
In no place should this be considered "credentials". But the US financial institutions pretend these are secret passwords.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
(1) We should have control over our personal information, and no one should be allowed to collect it, sell it, and most importantly, use it against us or to manipulate us without our knowledge. I think that must start with the right to control WHERE that personal knowledge is stored (because possession is still 9 points of the law).
(2) Those parts of our personal information that have become public should be visible to ALL of the public. As it might apply in an improved Slashdot, I would thus be able use that public information to save time by ignoring people with low reputations. No insult intended [to the authors of rather mindless comments on today's Slashdot?], but I'd prefer to spend as much time as possible consorting with people who are nicer and smarter than I am and zero time (or less) being distracted by trolls.
(3) I'd be willing to help pay for such systems, both in terms of development and ongoing costs.
Feeling like a broken record stuck on an old joke, but lots of detailed suggestions available upon polite request. Even nicer if you have some better ideas, but if you have nothing to say, then why don't you say nothing?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
The free market has decided that since losing your PII to hackers effectively costs them nothing, they're going to keep cutting costs on data security.
The free market does not prioritize the best interests of customers. It prioritizes profits. If repeatedly fucking over customers or allowing others to do so is profitable - and right now it is - then customers are going to need copious lube and ice for their buttholes for the indeterminate future.
It is weird to see proposals to introduce high-tech solutions to fix the reliance on the SSN: cryptography, biometrics... All those solutions will have flaws.
Another option could be to look at the numerous other countries in the world, where knowing your SSN has never been enough to get credit on your behalf, or to sell your house.
Regulation can be dangerous, but it seems this is a situation where it is called for: when a citizen's liberty is being trampled; and the Equifax breach will trample on people's liberty for decades to come – yet they are offering a pittance of one year's credit monitoring as if this will help for a lifetime of damage. Perhaps the EU's GDPR takes things a bit too far for the USA, but it can be used as a reference point, and we need something in our citizens' rights to their own identity in this modern world.
There are many technical solutions available, but out of the gate, it seems like we should be seeking some greater level of culpability on behalf of those holding this data, perhaps even considering the GDPR in context. We can at least ask that of our government. A petition has been started to at least raise visibility of this to Congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.
It's not a matter of increased security, it's simply a matter of following known best practices and being diligent in applying patches and hotfixes.
Equifax are complete morons. Last year they settled a lawsuit because of another security "breach": someone figured out that customers could log in using a PIN made of the last 4 digits of their SSN and the 4 digits of their birth year. We're not talking about military-grade security being defeated by a criminal mastermind. Those guys are complete and absolute incompetents.
They could fix their entire set of weaknesses and prevent further exploits by reading the bullet points of a CISSP tutorial and following them. That's all there is to it.
lucm, indeed.