Equifax Breach Included 10 Million US Driving Licenses

An anonymous reader quotes a report from Engadget: 10.9 million U.S. driver's licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got a hold of 15.2 million UK customers' records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver's licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency's system.

Jail time

[Major_Disorder]

Someone needs to get handed a few decades of jail time for this. By somone, I mean someone with Director, or C_O after their name. Better yet a few someones.

Re:Jail time

[Teckla]

Someone needs to get handed a few decades of jail time for this. By somone, I mean someone with Director, or C_O after their name. Better yet a few someones.

So here's the thing. We are currently experiencing the Computer Security Dark Ages. The security situation at almost ALL companies is as crappy as Equifax (not that Equifax should be off the hook as a result).

The first problem is that security is way too hard. When 99.9% of people can't get something right, you have to start wondering if humans and education aren't the problem, but instead, if the tools are. Things should be ultra-paranoid super secure by default, and it should be downright hard to "un-secure" them.

The second problem is that when it comes to software development, management generally cares about three things most of all, I will list them in order here:

1. Get it done fast

2. Get it done fast

3. Get it done fast

Software development is shit these days because the only thing that matters is speed. Oh, they often give security, reliability, and correctness some token attention, especially after news of big hacking incidents, like the Equifax breach. But really, all they care about is getting work done fast, and it's costing all of us much more, big time, in the long run.

Customers?

[Zocalo]

You know, it's really starting to bug me that the media, including those that really ought to know better, keeps referring to the victims of the Equifax hack as their "customers". With the exception of those who actually signed up to Equifax's credit checking service of their own volition they, or more accurately the data Equifax has about them, are either victims or the *product*. Equifax's actual customers are the banks, employers, stores, and other companies that buy the data Equifax holds on the victims of the hack, most of whom have no direct business relationship with Equifax beyond an agreement with a third party to have their credit checked that probably didn't even make it clear that it would be Equifax doing the checks.

It's not just credit

The information can be used to file taxes. When one gets those "your taxes have already been filed" letters from the IRS is because someone used your SSN and other information and filed taxes to get a refund and other credits.

That information is also used to get jobs. Illegal aliens use fake credentials to get jobs - and file taxes to get refunds and EIC, CTC, ACTC, AOTC or other credits.

That information is also used for other nefarious reasons.

And if that information is abused, it's up to the victim to correct it - if they can - and cover the costs.

And most of the things that are done last forever. Even debt. Debt collectors are all unethical sacks of shit and they'll bully folks to pay to debt that isn't there's - including folks who have had their identities stolen. So, after having to deal with the identity theft, you will have to deal with assholes who will lie about the law to collect on debt that isn't yours.

Suck it up my fellow peon.

Equifax should be shut down, their C-level executives fired without pay, pensions or golden parachutes and the stockholders have their shares valued worthless - they shouldn't have invested in a company with an unethical business model and deserve the bad karma.

I have been victim of Anthem's (lying cocksuckers) break-in, Equfax' (unethical lying fucks) and another one - I'm tired of getting letters that say my data was part of a data breech.

We must have European regulations and laws regarding our data and privacy. Business is incapable of acting ethically, fairly and honestly.

Re: It's not just credit

[sabri]

Equifax should be shut down, but the C-level executives should get the electric chair.

You have to be realistic, and be fair. Read my comment and see if you still feel this way. And before I start: I am in no way affiliated with any credit reporting agency. I'm just a network engineer.

1. Credit reporting agencies serve a purpose. They ensure that future creditors can make a responsible decision on whether or not you can handle credit, and are creditworthy.

2. The information that they obtain, is provided to them by your creditors, and with your consent (you did read the terms and conditions, right?). Also, usually you will sign a waiver or permission slip of some kind, allowing a potential creditor to review your credit report when you apply for new credit.
3. That said, I fully agree with you that this information should not have leaked. It is the company's responsibility to ensure that our data is safe and secure. However, let's be realistic. No system is secure. Hell, even the NSA got hacked. I would love to see the executives get some form of punishment, but primarily for the way they handled the hack. The hack itself: that's a risk of doing business.
4. But my biggest thing: this should not be a problem. I should be able to have my social security number printed on the frontpage of the Wall Street Journal, without needing to be afraid of "identity theft". Why the F am I carrying ID? Banks and other creditors should always require and check my government issued ID prior to even talking to me. Having knowledge of a number does not constitute being me.

And that my friend, is the real issue here, and that's not just the Equifax executives' fault.

For example, my home country prints your SSN (well, it's tax-id equivalent) on your passport. Why? Because it also requires banks to have a copy of your ID on file, which they verified and checked for validity and authenticity. If someone is able to open an account in my name, I'll be suing the bank for failure to properly check ID.

Re: It's not just credit

[ShanghaiBill]

Equifax should be shut down

That will accomplish nothing. Equifax is already transitioning to different management. Shutting them down will just reduce competition even more and put 9500 people out of work.

Re:That's just silly...

[Blymie]

The law already handles this all over the spectrum. It's called 'negligence'. Fault is easy to assign.

You don't patch shit? That's negligent. That's jail time.

You get hit by a zero day, you have firewalls, and you catch it (because you're monitoring things!) fast? That's not your fault. You're not to blame.

Equifax CxOs *do* deserve jail time. They were negligent. There needs to be criminal charges, and jail time served.

Equating it to cars? You're driving down the road drunk. Or, you're on your phone not paying attention. You can be charged with various things at that point, which result in jail time (including dangerous driving here). But, you *hit* someone or something, and it's shown this is the case? EG, you were negligent?

No sorries or excuses, you'll be seeing the inside of a jail cell...

Re:Throttle access to data

[Blymie]

It apparently took the hackers months to get all the data. Why? They kept data transfers to a minimum, so it didn't show up on graphs.