Government Officials Begin Investigating Equifax Breach (thehill.com)
An anonymous reader quotes the Hill:
The massive breach of credit rating firm Equifax is attracting scrutiny from government officials across the country. Lawmakers from both parties have expressed concern over the hack, which could have left vulnerable sensitive personal information for as many as 143 million people. The New York, Pennsylvania and Illinois attorneys general have announced formal investigations into the hack...
The Senate Commerce Committee announced on Thursday that it sent a letter to Equifax seeking answers about the extent of the breach and what Equifax is doing to mitigate its impact. In the House, Financial Services Committee Chairman Jeb Hensarling (R-Texas) said that his committee would hold a hearing on the hacks at a to-be-determined date. Hensarling noted in a statement that such breaches are becoming "too common" and that consumers "deserve answers." House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) said that his committee would hold a separate hearing on the matter as well.
I don't know that it has. Whoever stole the data isn't going to just dump it online; they are going to sell it. Eventually it will all leak but not before much of it is quite stale.
Most people STILL don't realize this but anyone who works for a company with a subscription to any of the private investigative services could pretty much get all this information inside of 30 seconds. Not everyone is in the pay-for-use-databases but most are. I don't know if I have ever had a search come back empty.
The reality is this information was already out there on almost everyone, this will be just one more source. Maybe a price a little more attractive to the ne'er-do-wells but I predict a minor blip in increased id theft at most.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I worked for a financially-regulated place here in the UK and every once in a while you'd hear "that sort of f-up could see us lose our license" (and so stuff didn't happen) - exactly what the regulator intended (and for the most part, it seemed like a good outcome, from what I could tell).
In the case of Equifax in the US - why do they need SSNs? I presume it's a way to differentiate Jim Kirk from New York and Jim Kirk from Boston. I don't imagine they ever actually have a need to use the SSN with someone else (right?). In which case, they could have simply hashed the SSN on receipt and stored the hash. Right now, they'd still be in a world of trouble, but a lot less than they actually are (and could arguably have been a smaller target).
I guess what I'm asking is what could (really) cause such an incredible failure of judgement/execution on their part? Even the US's relatively slack laws on data protection would at least make hashing SSNs something you might at least think about, don't they?
Whilst I agree that some major sanctions against companies doing this sort of thing is definitely in order (here, the US might do well to look to the EU or Singapore for some ideas), but will that actually solve the real, core, underlying issue that let this happen in the first place, or will it just throw a couple of extra firewalls on the network for "due diligence" and leave the same crappy implementation choices in the systems that actually run the show?
What about all the insider trading? The Execs dumped loads of their stock before worrying about contacting anyone that might be affected by this.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
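The suggestion in an earlier comment to hash the SSN on receipt and store only the hash, sketched as an added example (not code from the story, the commenters, or Equifax). It goes one step beyond the comment by using a keyed HMAC rather than a plain hash, since a 9-digit SSN space is small enough to enumerate against an unkeyed digest; the key, the `CreditFileStore` class, and the sample SSN are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key. Assumption: in a real system the key is held in an
# HSM/KMS, separate from the database that stores the index values.
INDEX_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(raw):
    """Return the 9 bare digits so '000-12-3456' and '000123456' match."""
    m = _SSN_RE.match(raw.strip())
    if not m:
        raise ValueError("not a 9-digit SSN")
    return "".join(m.groups())


def ssn_index(raw, key=INDEX_KEY):
    """Keyed match value stored instead of the SSN itself."""
    return hmac.new(key, normalize_ssn(raw).encode(), hashlib.sha256).hexdigest()


class CreditFileStore:
    """Hypothetical store that differentiates people by HMAC(SSN) only."""

    def __init__(self, key=INDEX_KEY):
        self._key = key
        self._files = {}  # ssn_index -> record; the raw SSN is never kept

    def enroll(self, ssn, name, dob):
        self._files[ssn_index(ssn, self._key)] = {"name": name, "dob": dob}

    def lookup(self, ssn, name, dob):
        """Return the record only if SSN, name and DOB all agree."""
        rec = self._files.get(ssn_index(ssn, self._key))
        if rec is None:
            return None
        if rec["name"].casefold() != name.casefold() or rec["dob"] != dob:
            return None  # e.g. a DOB typo: report no match, not a partial one
        return rec


if __name__ == "__main__":
    store = CreditFileStore()
    store.enroll("000-12-3456", "Jim Kirk", "1970-01-01")  # constructed record
    print(store.lookup("000123456", "jim kirk", "1970-01-01"))
    print(store.lookup("000-12-3456", "Jim Kirk", "1970-01-10"))
```

A database stolen without the key yields index values that cannot be tested against guessed SSNs, which is the property a plain unkeyed hash would not provide.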
...Is Congress needs to pass legislation that gives a process to people that allows them to collect damages from lenders that lend to criminals. Such a process needs to burden the lender with proving a debtor owes this money, and that it was actually they who requested such a loan. If they cannot, then if they attempt to collect on such a debt, they can be liable for damages. Probably not a large sum, possibly just a (small) percentage of the loan they gave away to the crook. Of course more aggravated attempts might warrant larger sums. Much such a process require that the fiscal institution cannot collect and store. So that each application must be independently vetted, each time.
Some side effects: More stringent identification taken to link documents to people. Loan processes taking much longer, and people who cannot vet themselves to an institution's satisfaction not receiving loans. An entire new system of vendors and providers revolving around biometric verification. Also, higher loan rates because they will pass these costs onto the consumer. Fewer loans in total.
"...whenever any Form of Government becomes destructive...it is the Right of the People to alter or to abolish it..."
Under the law Equifax is the "victim", not us. That is unlikely to change with the current US administration.
They typically use a number of 'attributes' to positively identify someone. SSN is one. But they also use first name, last name, DOB, etc.
Now, if SSN is unique, then why do they need all that other information? To protect against a fraudulent credit request or a request without enough information.
So, you send the credit request to whatever company.... odds are you're not directly asking the three majors (Experian, Equifax, TransUnion), for the information. But regardless, you send the request off. Let's say you have the right name, and the right SSN, but whoever handled the data entry on the DOB had a typo in there.
It _should_ come back with a response that your identifying information doesn't match anyone. But that all depends on which service you're using. Some are much more on the ball about this sort of thing. Hell, some of the services won't let you pull a credit report UNLESS you have all that info and more, just to cut down on requests.
Mr. Hu is not a ninja.
It finally hit home and some congresscritters were affected by the fallout.
Good.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Maybe the fines should be whatever it costs to re-issue new social security (or social insurance in Canada) numbers to everyone, including costs of managing the transition.
I think it's pretty clear that the US needs to move away from the social security number being both a confidential number and a unique key that is shared to verify your identity. Those two uses are mutually exclusive.
The government either needs to give the individual the ability to authorize specific identity checks though a tokencard or some other means.
Congress doesn't want to do this because big business wants to be able to check your background details for free and at will, but it needs to stop. Unfortunately, the amount of traction that the private citizen has with congress is pretty small compared to big business' lobby.
It would be nice to be able to issue an authorisation token with the credit agency and pass that to the institution that wants to search my file. Don't have the token? No search, go away.
"Everybody's naked underneath" -- The Doctor