Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB

An anonymous reader quotes a report from KrebsOnSecurity: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax. At issue is a service provided by Equifax's TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that "Your personal information is protected." "With your consent your personal data can be retrieved only by credentialed verifiers," Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits. Sadly, this isn't anywhere near true because most employers who contribute data to The Work Number -- including Fortune 100 firms, government agencies and universities -- rely on horribly weak authentication for access to the information.

Remember when?

[whoever57]

Remember when people mocked the credentials of Equifax's former CIO and other people pushed back because many people in the field didn't have traditional background?

Well, it looks like security was a systemic failure at Equifax, so perhaps it's actually time to suggest that someone with a music degree wasn't qualified for the job?

Let's face it: success is defined as no known security breaches, yet, this could be down to luck rather than skill. Either no-one successfully targeted her prior employers or any breaches never became public.

Re:Remember when?

To be fair you don't need a degree in something to be good at it, work history is just as important.

So, would you rather have:

Someone with a music degree but 20 years in the IT industry

Or

Someone with a comp. sci. degree but 20 years in the music industry?

I know which I'd choose. A comp. sci. or similar degree means jack shit if you've never put it into practice.

Wait, what?

[SeaFox]

The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it.

What business is it of a potential employer what I was paid by my previous employers? All that does is weaken the applicant's position when it comes time to negotiate a starting salary.

Re:Wait, what?

[Pfhorrest]

That's why employers like that service and provide data to it. Same reason lenders like the basic credit reporting service and provide data to it. So the people in power have numbers to justify keeping you in your place.

Re:Wait, what?

[Solandri]

That's the problem though. This isn't your secret data. This is data that's shared between you and another party. And the other party is the one opting to share it with the credit agency.

Logically, arguing that the other party shouldn't be allowed to share this info without your permission, is equivalent to arguing that you shouldn't be allowed to write a Yelp review of a restaurant without first getting the restaurant's permission.

Stick a fork in them.

[sconeu]

Time for the corporate death penalty. If "corporations are people", then they can get the death penalty.

Yank their charter. And, if possible, blacklist their CxOs.

Re:Stick a fork in them.

[lucm]

if possible, blacklist their CxOs.

Marissa Mayer made roughly $900,000 for every week she spent at Yahoo, while driving the company into the ground. And yet her name was mentioned as a possible new CEO for Uber.

There's no blacklist for those people

Re: Stick a fork in them.

[Ogive17]

Oh, I didn't realize Yahoo was have such great success before Meyer.

She didn't drive them into the ground but she also didn't save them.

Re:Stick a fork in them.

Yahoo was dead before Marissa Mayer came along.

The fact that she's a completely worthless tool who just pumped enough stock price to bail out the venture capitalist and investment firms by selling it for something rather than watching it disintegrate into nothingness has nothing to do with if Yahoo was going to survive or not.

Yahoo was already dead.

Mayer did exactly what she was hired to do, sell it before it was a complete and total loss to investors.

She's not a CEO thats good at running a company, she's a CEO that you put in place when you want the company dead with the least amount of pain as possible and a great scapegoat

You know it's almost as if

[rsilvergun]

our entire economic system was rigged against the working class. Good thing that would never happen.

equality of predation

[Reverend+Green]

Site designed to help capitalists to abuse workers is abused by non-capitalists. I feel profound indifference.

Re:Why does this matter?

[mark-t]

If you weren't making enough at your previous job to meet your expectations, then why did you stay it at it long enough that it would even be an issue? If you were making good money for what you were doing, and are applying for a similar role, it's fair to mention, when answering a question about your previous salary, that you'd expect to be making about the same amount. If the job entails more responsibilities, then it's fair to instead say you'd expect to be making somewhat more than what you were making before because of that.

It's my experience, however, that most people who are reluctant to share their previous salaries either don't have enough self confidence to believe they are worth as much as what they believe the job they are applying for should reasonably pay (which tells the employer they could probably underpay them anways), or else they have unrealistic ideas about what their skills are actually even worth, which means they wouldn't be satisfied with a reasonable offer anyways so the company is probably better off hiring someone else.

Dox Congress

[Required+Snark]

The only way to wake the government up is to stick a red hot poker up it's collective ass. In this case Congress has spent decades sucking up to self serving business dimwits who think security is a waste of money. The answer: dox every member in Congress, both House and Senate. That would get their attention.

It's not like their info isn't already compromised. Between Equifax and all the other leaks, particularly the Office of Personal Management fiasco, everyone who gets a government paycheck can easily have their identity stolen. It's a dead certainty that both the Russians and the Chinese can impersonate anyone in the government online almost instantly. It's a security nightmare that has been covered up. Showing how completely screwed all our security is would be a public service. It would force government and business to behave responsibly for a change.

The really ballsy move would be to apply for credit cards for all of Congress and then go to Amazon and buy a sex toy packing, one for their office and one for their home. It would be suicidal at the level of Kim Dotcom or Assange, but it would be funny. You could have a great laugh in Gitmo when the FBI is tasering your eyeballs.

Re:Sloppy rebuttal

[lucm]

it obviously lead to confused questions about potential employers getting access to your income info. They only would get that if you let them have it.

In some industries it's a standard practice. I've worked for a firm that does "sensitive" work for a government agency (at least according to them, if you ask me it was not all that sensitive) and short of a finger up the ass they probed every intimate corner of my life. Background check, salary history, parking tickets, credit cards balance, I even had to get an affidavit from the police station stating that I wasn't the subject of an investigation and that I had no history of public disturbance. Technically I could have said no, but that would have been the same as turning down the job.

just make it public already

[doctorvo]

Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans

Sweden makes tax returns public with no apparent ill effect. The US already makes real estate values, ownership, and taxes public, and we should do the same thing for income tax returns.

Re:Why does this matter?

[Alain+Williams]

This only gives a person's work history? ..... Again, why is this a big deal?

The point is that this results in an uneven playing field when negotiating salary. The company knows what you are earning and can make an offer close to that. You do not know what the company is prepared to pay (eg: average of those doing a similar job at the company). The potential employee is thus at a negotiating disadvantage.

Knowing the average industry salary for the job that you are seeking does not give equal negotiating power. If you are currently being paid less than the average you could find yourself in a place that is hard to get out of.