Slashdot Mirror


Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax. At issue is a service provided by Equifax's TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that "Your personal information is protected." "With your consent your personal data can be retrieved only by credentialed verifiers," Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits. Sadly, this isn't anywhere near true because most employers who contribute data to The Work Number -- including Fortune 100 firms, government agencies and universities -- rely on horribly weak authentication for access to the information.

9 of 169 comments

  1. Remember when? by whoever57 · · Score: 4, Interesting

    Remember when people mocked the credentials of Equifax's former CIO and other people pushed back because many people in the field didn't have a traditional background?

    Well, it looks like security was a systemic failure at Equifax, so perhaps it's actually time to suggest that someone with a music degree wasn't qualified for the job?

    Let's face it: success is defined as no known security breaches, yet, this could be down to luck rather than skill. Either no-one successfully targeted her prior employers or any breaches never became public.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Remember when? by AmiMoJo · · Score: 2, Interesting

      Do you have one shred of evidence that she was hired because of her gender? Even the smallest hint?

      "His name was James Damore."

      Check out his Twitter feed. He's not the martyr you think he is.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. What about voting history? by Anonymous Coward · · Score: 0, Interesting

    What protects voting history exactly? Is there a special law that would stop a data seller like Equifax (or Cambridge Analytica, or Choicepoint) from selling data on voting history? Work history is bad enough, but there do not seem to be privacy laws for anything but medical history.

    In theory the voting history is supposed to be secret, but it's apparently recorded if you do postal votes.

    I notice that data on postal ballot votes was handed over to Trump's "Election Integrity" commission, which in turn contains Hans Von Spakovsky of the Heritage Foundation, a vote suppression specialist. These are the same election databases Russia was trying to hack last year, so I believe it's very useful to groups like Heritage Foundation.

    So if that data finds its way into a political data mining company, would there be an investigation into the handing over of private data and a prosecution or would it simply be ignored?

  3. Stick a fork in them. by sconeu · · Score: 5, Interesting

    Time for the corporate death penalty. If "corporations are people", then they can get the death penalty.

    Yank their charter. And, if possible, blacklist their CxOs.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re: Stick a fork in them. by Ogive17 · · Score: 4, Interesting

      Oh, I didn't realize Yahoo was having such great success before Mayer.

      She didn't drive them into the ground but she also didn't save them.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
  4. equality of predation by Reverend+Green · · Score: 5, Interesting

    Site designed to help capitalists to abuse workers is abused by non-capitalists. I feel profound indifference.

  5. Re:Sloppy rebuttal by lucm · · Score: 3, Interesting

    it obviously led to confused questions about potential employers getting access to your income info. They only would get that if you let them have it.

    In some industries it's a standard practice. I've worked for a firm that does "sensitive" work for a government agency (at least according to them, if you ask me it was not all that sensitive) and short of a finger up the ass they probed every intimate corner of my life. Background check, salary history, parking tickets, credit cards balance, I even had to get an affidavit from the police station stating that I wasn't the subject of an investigation and that I had no history of public disturbance. Technically I could have said no, but that would have been the same as turning down the job.

    --
    lucm, indeed.
  6. just make it public already by doctorvo · · Score: 5, Interesting

    Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans

    Sweden makes tax returns public with no apparent ill effect. The US already makes real estate values, ownership, and taxes public, and we should do the same thing for income tax returns.

  7. Re:Wait, what? by Solandri · · Score: 3, Interesting

    That's the problem though. This isn't your secret data. This is data that's shared between you and another party. And the other party is the one opting to share it with the credit agency.

    Logically, arguing that the other party shouldn't be allowed to share this info without your permission, is equivalent to arguing that you shouldn't be allowed to write a Yelp review of a restaurant without first getting the restaurant's permission.