Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB (krebsonsecurity.com)

Posted by BeauHD on from the breach-fallout dept.

An anonymous reader quotes a report from KrebsOnSecurity: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax. At issue is a service provided by Equifax's TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that "Your personal information is protected." "With your consent your personal data can be retrieved only by credentialed verifiers," Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits. Sadly, this isn't anywhere near true because most employers who contribute data to The Work Number -- including Fortune 100 firms, government agencies and universities -- rely on horribly weak authentication for access to the information.

11 of 169 comments (clear)

  1. Remember when? by whoever57 · · Score: 4, Interesting

    Remember when people mocked the credentials of Equifax's former CIO and other people pushed back because many people in the field didn't have traditional background?

    Well, it looks like security was a systemic failure at Equifax, so perhaps it's actually time to suggest that someone with a music degree wasn't qualified for the job?

    Let's face it: success is defined as no known security breaches, yet, this could be down to luck rather than skill. Either no-one successfully targeted her prior employers or any breaches never became public.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Remember when? by Anonymous Coward · · Score: 4, Insightful

      To be fair you don't need a degree in something to be good at it, work history is just as important.

      So, would you rather have:

      Someone with a music degree but 20 years in the IT industry

      Or

      Someone with a comp. sci. degree but 20 years in the music industry?

      I know which I'd choose. A comp. sci. or similar degree means jack shit if you've never put it into practice.

  2. Wait, what? by SeaFox · · Score: 5, Insightful

    The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it.

    What business is it of a potential employer what I was paid by my previous employers? All that does is weaken the applicant's position when it comes time to negotiate a starting salary.

    1. Re:Wait, what? by Pfhorrest · · Score: 4, Insightful

      That's why employers like that service and provide data to it. Same reason lenders like the basic credit reporting service and provide data to it. So the people in power have numbers to justify keeping you in your place.

      --
      -Forrest Cameranesi, Geek of all Trades
      "I am Sam. Sam I am. I do not like trolls, flames, or spam."
  3. Stick a fork in them. by sconeu · · Score: 5, Interesting

    Time for the corporate death penalty. If "corporations are people", then they can get the death penalty.

    Yank their charter. And, if possible, blacklist their CxOs.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re: Stick a fork in them. by Ogive17 · · Score: 4, Interesting

      Oh, I didn't realize Yahoo was have such great success before Meyer.

      She didn't drive them into the ground but she also didn't save them.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    2. Re:Stick a fork in them. by Anonymous Coward · · Score: 4, Insightful

      Yahoo was dead before Marissa Mayer came along.

      The fact that she's a completely worthless tool who just pumped enough stock price to bail out the venture capitalist and investment firms by selling it for something rather than watching it disintegrate into nothingness has nothing to do with if Yahoo was going to survive or not.

      Yahoo was already dead.

      Mayer did exactly what she was hired to do, sell it before it was a complete and total loss to investors.

      She's not a CEO thats good at running a company, she's a CEO that you put in place when you want the company dead with the least amount of pain as possible and a great scapegoat

  4. equality of predation by Reverend+Green · · Score: 5, Interesting

    Site designed to help capitalists to abuse workers is abused by non-capitalists. I feel profound indifference.

  5. Dox Congress by Required+Snark · · Score: 4, Insightful
    The only way to wake the government up is to stick a red hot poker up it's collective ass. In this case Congress has spent decades sucking up to self serving business dimwits who think security is a waste of money. The answer: dox every member in Congress, both House and Senate. That would get their attention.

    It's not like their info isn't already compromised. Between Equifax and all the other leaks, particularly the Office of Personal Management fiasco, everyone who gets a government paycheck can easily have their identity stolen. It's a dead certainty that both the Russians and the Chinese can impersonate anyone in the government online almost instantly. It's a security nightmare that has been covered up. Showing how completely screwed all our security is would be a public service. It would force government and business to behave responsibly for a change.

    The really ballsy move would be to apply for credit cards for all of Congress and then go to Amazon and buy a sex toy packing, one for their office and one for their home. It would be suicidal at the level of Kim Dotcom or Assange, but it would be funny. You could have a great laugh in Gitmo when the FBI is tasering your eyeballs.

    --
    Why is Snark Required?
  6. just make it public already by doctorvo · · Score: 5, Interesting

    Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans

    Sweden makes tax returns public with no apparent ill effect. The US already makes real estate values, ownership, and taxes public, and we should do the same thing for income tax returns.

  7. Re:Why does this matter? by Alain+Williams · · Score: 4, Insightful

    This only gives a person's work history? ..... Again, why is this a big deal?

    The point is that this results in an uneven playing field when negotiating salary. The company knows what you are earning and can make an offer close to that. You do not know what the company is prepared to pay (eg: average of those doing a similar job at the company). The potential employee is thus at a negotiating disadvantage.

    Knowing the average industry salary for the job that you are seeking does not give equal negotiating power. If you are currently being paid less than the average you could find yourself in a place that is hard to get out of.