Slashdot Mirror


Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax. At issue is a service provided by Equifax's TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that "Your personal information is protected." "With your consent your personal data can be retrieved only by credentialed verifiers," Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits. Sadly, this isn't anywhere near true because most employers who contribute data to The Work Number -- including Fortune 100 firms, government agencies and universities -- rely on horribly weak authentication for access to the information.

29 of 169 comments

  1. Remember when? by whoever57 · · Score: 4, Interesting

    Remember when people mocked the credentials of Equifax's former CIO and other people pushed back because many people in the field didn't have a traditional background?

    Well, it looks like security was a systemic failure at Equifax, so perhaps it's actually time to suggest that someone with a music degree wasn't qualified for the job?

    Let's face it: success is defined as no known security breaches, yet, this could be down to luck rather than skill. Either no-one successfully targeted her prior employers or any breaches never became public.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Remember when? by Anonymous Coward · · Score: 4, Insightful

      To be fair you don't need a degree in something to be good at it, work history is just as important.

      So, would you rather have:

      Someone with a music degree but 20 years in the IT industry

      Or

      Someone with a comp. sci. degree but 20 years in the music industry?

      I know which I'd choose. A comp. sci. or similar degree means jack shit if you've never put it into practice.

    2. Re:Remember when? by AmiMoJo · · Score: 2, Interesting

      Do you have one shred of evidence that she was hired because of her gender? Even the smallest hint?

      "His name was James Damore."

      Check out his Twitter feed. He's not the martyr you think he is.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Remember when? by The Cynical Critic · · Score: 2

      The previously mentioned music degree and no previous work history in the industry? Because her since then deleted LinkedIn account didn't show anything IT related between her degree in music composition and being hired as CSO at the company.

      Only way this makes any sense is if she's another diversity hire or it's just plain old nepotism (which for some reason nobody has seemed to have even considered so far).

      As for Damore, what do you expect when he got this brutally stabbed in the back and misrepresented by the pseudo-progressives of Silicon Valley and the mainstream media?

      --
      "Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
    4. Re:Remember when? by AmiMoJo · · Score: 2

      I'm not disagreeing that she doesn't appear qualified, but "diversity hire" is one of the least likely explanations. Nepotism seems far more likely. It's very common at C level.

      Check Damore's twitter feed. All the claims that he was only interested in science and reason are undermined by the stuff he has posted since.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Remember when? by msauve · · Score: 2

      "The previously mentioned music degree and no previous work history in the industry? Because her since then deleted LinkedIn account didn't show anything IT related between her degree in music composition and being hired as CSO at the company. "

      You're making things up. Prior to Equifax, Susan Mauldin spent over 4 years at First Data as Senior Vice President and Chief Security Officer. It's not clear what "industry" you're referring to, but before that she worked for both SunTrust (financial industry) and HP (IT industry).

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Re:Why does this matter? by Anonymous Coward · · Score: 2, Insightful

    "many places"??? FUCK YOU. Who wants to share their salary? So that they can screw you up when you lose a job and have to find another?

  3. Wait, what? by SeaFox · · Score: 5, Insightful

    The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it.

    What business is it of a potential employer what I was paid by my previous employers? All that does is weaken the applicant's position when it comes time to negotiate a starting salary.

    1. Re:Wait, what? by Pfhorrest · · Score: 4, Insightful

      That's why employers like that service and provide data to it. Same reason lenders like the basic credit reporting service and provide data to it. So the people in power have numbers to justify keeping you in your place.

      --
      -Forrest Cameranesi, Geek of all Trades
      "I am Sam. Sam I am. I do not like trolls, flames, or spam."
    2. Re:Wait, what? by Anonymous Coward · · Score: 2, Insightful

      The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it.

      What business is it of a potential employer what I was paid by my previous employers? All that does is weaken the applicant's position when it comes time to negotiate a starting salary.

      It's not a bug. It's a feature. In fact, it's pretty much the whole point.

    3. Re:Wait, what? by Rockoon · · Score: 2

      One of your mistakes is thinking that that score represents your credit risk in some way.

      That score represents how profitable you are to them.

      --
      "His name was James Damore."
    4. Re:Wait, what? by AmiMoJo · · Score: 2

      You answered your own question there. Employers seem to have an attitude that you shouldn't get a big pay increase because if you were worth that much your previous employer would have paid you more. They also like to pretend it's an indication of market rate.

      Of course if it's a massive pay cut that's fine, market rates etc.

      The stupid thing is that this just punishes loyalty and encourages people to change jobs every few years just to get salary bumps.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Wait, what? by Solandri · · Score: 3, Interesting

      That's the problem though. This isn't your secret data. This is data that's shared between you and another party. And the other party is the one opting to share it with the credit agency.

      Logically, arguing that the other party shouldn't be allowed to share this info without your permission, is equivalent to arguing that you shouldn't be allowed to write a Yelp review of a restaurant without first getting the restaurant's permission.

  4. Re:Why does this matter? by Anonymous Coward · · Score: 2, Insightful

    If you are a criminal deciding who to steal from, or whose relatives to kidnap for ransom, wouldn't you like a big list of everybody's salaries?

  5. Stick a fork in them. by sconeu · · Score: 5, Interesting

    Time for the corporate death penalty. If "corporations are people", then they can get the death penalty.

    Yank their charter. And, if possible, blacklist their CxOs.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Stick a fork in them. by lucm · · Score: 3, Insightful

      if possible, blacklist their CxOs.

      Marissa Mayer made roughly $900,000 for every week she spent at Yahoo, while driving the company into the ground. And yet her name was mentioned as a possible new CEO for Uber.

      There's no blacklist for those people.

      --
      lucm, indeed.
    2. Re:Stick a fork in them. by AmiMoJo · · Score: 2

      Mayer destroyed Yahoo, and is now being considered to destroy Uber. I don't see a downside to this.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re: Stick a fork in them. by Ogive17 · · Score: 4, Interesting

      Oh, I didn't realize Yahoo was having such great success before Mayer.

      She didn't drive them into the ground but she also didn't save them.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    4. Re:Stick a fork in them. by Anonymous Coward · · Score: 4, Insightful

      Yahoo was dead before Marissa Mayer came along.

      The fact that she's a completely worthless tool who just pumped enough stock price to bail out the venture capitalist and investment firms by selling it for something rather than watching it disintegrate into nothingness has nothing to do with if Yahoo was going to survive or not.

      Yahoo was already dead.

      Mayer did exactly what she was hired to do, sell it before it was a complete and total loss to investors.

      She's not a CEO that's good at running a company, she's a CEO that you put in place when you want the company dead with the least amount of pain possible and a great scapegoat.

  6. You know it's almost as if by rsilvergun · · Score: 3, Insightful

    our entire economic system was rigged against the working class. Good thing that would never happen.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  7. equality of predation by Reverend Green · · Score: 5, Interesting

    Site designed to help capitalists to abuse workers is abused by non-capitalists. I feel profound indifference.

  8. Re:Why does this matter? by mark-t · · Score: 3, Insightful

    If you weren't making enough at your previous job to meet your expectations, then why did you stay at it long enough that it would even be an issue? If you were making good money for what you were doing, and are applying for a similar role, it's fair to mention, when answering a question about your previous salary, that you'd expect to be making about the same amount. If the job entails more responsibilities, then it's fair to instead say you'd expect to be making somewhat more than what you were making before because of that.

    It's my experience, however, that most people who are reluctant to share their previous salaries either don't have enough self confidence to believe they are worth as much as what they believe the job they are applying for should reasonably pay (which tells the employer they could probably underpay them anyways), or else they have unrealistic ideas about what their skills are actually even worth, which means they wouldn't be satisfied with a reasonable offer anyways so the company is probably better off hiring someone else.

  9. Dox Congress by Required Snark · · Score: 4, Insightful

    The only way to wake the government up is to stick a red hot poker up its collective ass. In this case Congress has spent decades sucking up to self serving business dimwits who think security is a waste of money. The answer: dox every member in Congress, both House and Senate. That would get their attention.

    It's not like their info isn't already compromised. Between Equifax and all the other leaks, particularly the Office of Personnel Management fiasco, everyone who gets a government paycheck can easily have their identity stolen. It's a dead certainty that both the Russians and the Chinese can impersonate anyone in the government online almost instantly. It's a security nightmare that has been covered up. Showing how completely screwed all our security is would be a public service. It would force government and business to behave responsibly for a change.

    The really ballsy move would be to apply for credit cards for all of Congress and then go to Amazon and buy a sex toy packing, one for their office and one for their home. It would be suicidal at the level of Kim Dotcom or Assange, but it would be funny. You could have a great laugh in Gitmo when the FBI is tasering your eyeballs.

    --
    Why is Snark Required?
  10. Re:Sloppy rebuttal by lucm · · Score: 3, Interesting

    it obviously led to confused questions about potential employers getting access to your income info. They only would get that if you let them have it.

    In some industries it's a standard practice. I've worked for a firm that does "sensitive" work for a government agency (at least according to them, if you ask me it was not all that sensitive) and short of a finger up the ass they probed every intimate corner of my life. Background check, salary history, parking tickets, credit cards balance, I even had to get an affidavit from the police station stating that I wasn't the subject of an investigation and that I had no history of public disturbance. Technically I could have said no, but that would have been the same as turning down the job.

    --
    lucm, indeed.
  11. just make it public already by doctorvo · · Score: 5, Interesting

    Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans

    Sweden makes tax returns public with no apparent ill effect. The US already makes real estate values, ownership, and taxes public, and we should do the same thing for income tax returns.

  12. Re:Why does this matter? by Alain Williams · · Score: 4, Insightful

    This only gives a person's work history? ..... Again, why is this a big deal?

    The point is that this results in an uneven playing field when negotiating salary. The company knows what you are earning and can make an offer close to that. You do not know what the company is prepared to pay (eg: average of those doing a similar job at the company). The potential employee is thus at a negotiating disadvantage.

    Knowing the average industry salary for the job that you are seeking does not give equal negotiating power. If you are currently being paid less than the average you could find yourself in a place that is hard to get out of.

  13. Re:Why does this matter? by Anonymous Coward · · Score: 2, Funny

    It's my experience, however, that most people who are reluctant to share their previous salaries either don't have enough self confidence to believe they are worth as much as what they believe the job they are applying for should reasonably pay (which tells the employer they could probably underpay them anyways), or else they have unrealistic ideas about what their skills are actually even worth, which means they wouldn't be satisfied with a reasonable offer anyways so the company is probably better off hiring someone else.

    I think you've omitted a scenario that would cover a heck of a lot of people:
    an employee outgrows their current position and applies for a job that *should* pay much, much better.

    Of course, a prospective employer would love to know the applicant's previous pay so that they can offer a minimal pay rise as enticement.

    Just imagine the reverse:
    within every job ad companies having to include the maximum they're willing to pay for each position.

  14. Re:Why does this matter? by Rob Y. · · Score: 2

    Typical SlashDot nerd response. "I'm so smart and good at what I do that I don't care about things that might be threatening to the rest of you mere mortals. No skin off my ass".

    This story was about a company lying about how well they protect the data they gather - and then giving much of it away to anyone who asks. That should be alarming to anybody - even you self-identified tech gods.

    --
    Posted from my Android phone. Oh, I can change this? There, that's better...
  15. Re:Why does this matter? by ichimunki · · Score: 2

    It's not about lacking confidence in one's abilities and skills. It's about negotiating leverage and wasting time. If I am expecting a big bump from what looks like a promotion to me, giving the potential employer the information about my current salary is just giving them a reason to low-ball me and now I have to go through this whole ordeal of negotiating and convincing them that I deserve more. That is a waste of time.

    Not that they ever will, but if the employer simply disclosed the range up front, they could save all of us a lot of time-- a lot more time than if I tell all my potential employers what I make now or have made in the past. This is because I have a minimum I require to even consider a job change lateral, let alone a promotion worth taking the risk and effort of applying. If I know up-front that they can't afford me, then I can just skip them, rather than going through a whole song and dance just to find out they are offering short money. And if I know that the job pays a good deal more than I currently make, then I have the incentive I need to understand what they are looking for, make sure I am a fit, and spend the time necessary to convince them of it.

    My current salary is totally irrelevant except as a minimum and me giving it out first is backwards. This is like playing poker against a table of people who hold their cards close, but my cards are face-up on the table. Not good odds. Furthermore, if everyone applying for the job is disclosing salary to the employer, they can use that to help them pick the lower paid of two seemingly equal candidates, rather than taking the time to discern which person might truly be the best fit on other measures.

    --
    I do not have a signature