Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB (krebsonsecurity.com)

Posted by BeauHD on from the breach-fallout dept.

An anonymous reader quotes a report from KrebsOnSecurity: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax. At issue is a service provided by Equifax's TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that "Your personal information is protected." "With your consent your personal data can be retrieved only by credentialed verifiers," Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits. Sadly, this isn't anywhere near true because most employers who contribute data to The Work Number -- including Fortune 100 firms, government agencies and universities -- rely on horribly weak authentication for access to the information.

1 of 169 comments (clear)

  1. Re:Why does this matter? by Anonymous Coward · · Score: 2, Funny

    It's my experience, however, that most people who are reluctant to share their previous salaries either don't have enough self confidence to believe they are worth as much as what they believe the job they are applying for should reasonably pay (which tells the employer they could probably underpay them anways), or else they have unrealistic ideas about what their skills are actually even worth, which means they wouldn't be satisfied with a reasonable offer anyways so the company is probably better off hiring someone else.

    I think you've omitted a scenario that would cover a heck of a lot of people:
    an employee outgrows their current position and applies for a job that *should* pay much, much better.

    Of course, a prospective employer would love to know the applicant's previous pay so that can offer a minimal pay rise as enticement.

    Just imagine the reverse:
    within every job ad companies having to include the maximum they're willing to pay for each position.