Slashdot Mirror


One Year After the Massive Equifax Data Breach, Pretty Much Nothing Has Changed (axios.com)

The Equifax data breach was supposed to change everything about cybersecurity regulation on Capitol Hill. A year ago, Equifax announced that 145.5 million U.S. adults had their social security numbers stolen in an easily preventable breach. If any data breach was going to be able to shock Washington into enacting sweeping privacy reforms, this should have been it. Axios: But that didn't happen: "The initial interest that was implied by congressional actions didn't pan out," said Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology (CDT). What was supposed to happen: After the first of several hearings involving Equifax, Sen. Chuck Grassley (R-Iowa), chair of the Judiciary Committee, said it was "long past time" for federal standards for how companies like Equifax secure data.

Data security wasn't the only anticipated reform. Congress appeared poised to create a national breach notification law governing how and how quickly companies must notify anybody whose personal information is stolen in a breach. Currently, to the chagrin of national retailers, those laws vary state to state. Several investigations were supposed to penalize the credit bureau for lax cybersecurity, including failing to patch the vulnerability hackers exploited despite government warnings. What actually happened: The bills petered out. Mick Mulvaney took over the Consumer Financial Protection Bureau in November and halted the bureau's investigation.

18 of 120 comments

  1. Who wins... by AVryhof · · Score: 2

    It's the same winner, every time. Money.

  2. Nope by AlanBDee · · Score: 3, Interesting

    Politically, nothing happened. But a lot of people locked their credit score. I'm sure credit card companies are now asking for more information to prove your identity to open a new card. People's SSN, date of birth, and driver's license can no longer be trusted as a form of identification for anything. I also had so many friends and family ask what they should do, which opened the door for me to introduce them to things like LastPass, Yubikey, and other security.

    And when the whole debate about voting machines came up, one word shut most people up: Equifax.

  3. because this is an industry issue. by nimbius · · Score: 2

    This industry, the idea that credit is something that can be measured and a value of trust and worthiness ascribed to certain goods and services, is fragile.

    Equifax is running out of keys and they just don't seem to care. They are running out of the very currency that funds their business model. If you can no longer trust SSNs because every hacker on the planet has them, and you can no longer trust personal information because it's been stolen as well, then the value assigned to the majority of your assets (people) is effectively worthless.

    And if all you can report in 20 years is the fact that everyone in your database is categorized as credit-unworthy, then you become worthless as a saleable service to your real customers: banks.

    --
    Good people go to bed earlier.
  4. Re: Change it! by Anonymous Coward · · Score: 5, Funny

    He's got big hands, though. Really big, the biggest. Very nice, very big hands. So he'll fix the cyber problem. It really won't be that hard. We've got some great people working on that. Really great, the best.

  5. Re:Change it! by alvinrod · · Score: 2

    I realize that this is just a troll attempt, but even if we had a president that everyone could agree was competent, trustworthy, etc. the U.S. was founded to get away from exactly this kind of autocracy where one person has the power and authority to change something like this. People always think of all the good that might be done with such power, but rarely consider how much evil can be wrought with that authority just as easily.

  6. Why should anything change? by CaptainDork · · Score: 4, Insightful

    There's no incentive, no motive.

    Customers are helpless to do anything about it so they just shrug and move on.

    Their shit is out there anyway, what with all the other goddam break-ins.

    In the spirit of, "too big to fail," Equifax is too big for their breaches.

    All your base are belong to us.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Why should anything change? by Dragonslicer · · Score: 2

      In the spirit of, "too big to fail," Equifax is too big for their breaches.

      I see what you did there.

  7. Re:headline by wwphx · · Score: 4, Interesting

    I've been mulling over the lack of an armageddon since the breach happened. I'm not a conspiracy theory kind of guy, but my personal conclusion is that it was done by a state actor, and that actor was China. My suspicion is they hoovered Equifax because the exploit made them vulnerable and in doing so it gave China access to a treasure trove of information not just on pretty much every American, but a specific subset: every American working for the U.S. government. Every CIA agent, every NSA agent, in addition to every head of industry, every computer chip researcher. Anyone who might be of interest. At first I thought it might have been theft for stealing medical insurance coverage, but not only did that not happen, but nothing happened. It was such a huge haul of information that no criminal org capable of stealing that amount of info is going to sit on it - they need/want to monetize it for their efforts, but a government who wanted it for different purposes could.

    --
    When you sympathize with stupidity, you start thinking like an idiot.
  8. Re:Was there an expectation otherwise? by Sir_Eptishous · · Score: 5, Funny

    I see a lot of these comments, and when I read them I hear a Russian accent.

    --
    We play the game with the bravery of being out of range
  9. Re:Change it! by ShanghaiBill · · Score: 5, Insightful

    I'm pretty pissed off that Mueller is investigating Trump and not Equifax.

    In no way whatsoever are these alternative actions. Mueller would not be the right person to investigate Equifax anyway, since he doesn't grok technology.

    The Equifax fiasco is not hard to understand. Unqualified people were placed in positions of authority, they made stupid decisions, and there were no mechanisms for underlings with better understanding to raise alarms.

    But there are deeper systemic problems. Only in America do we rely on critical information being both secret and widely known. Mere knowledge of someone's SSN, DOB, and address should not be enough to clean out their bank account nor establish credit in their name. No other country has this problem. Until we fix our financial system, data breaches and identity theft will continue to be major problems.

  10. Re:headline by Jason+Levine · · Score: 2

    I've had my credit frozen since way before the Equifax breach. Somehow (I've never found out how and likely never will), someone got my name, SSN, DOB, and address. They used this to open a credit card in my name. (RED FLAG #1: They got Mother's Maiden Name wrong. So much for security with that.) They then immediately changed the address to an address in another state (RED FLAG #2) but not before paying for rush delivery of the card. Thanks to the latter, the card was rushed out before the address change went through and it came to me instead of to them. Had this not happened, I would have known about it when the collection agency was busting down my doors to collect debt that "I" ran up. While the card was on its way, a woman representing "me" called asking for a $5,000 cash advance before the card was activated (RED FLAG #3). This was thankfully denied. Still, none of these red flags caused the credit card company (Capital One) to rethink whether this was fraud.

    When I called Capital One to ask about this card, they first insisted that I had opened it. Then, they claimed that my wife opened it without my knowledge. (She was standing right there terrified about what this meant.) Finally, they admitted it was probably fraud, but refused to give me more information. As they put it "if we give you their address and you go and shoot them, we're liable." Yes, that's a direct quote. They were concerned I might perpetrate violence on the people who opened a credit card in my name and they'd be legally liable. They weren't concerned about legal liability for opening a line of credit in my name, though. No issue there for them to worry about.

    The police looked into it but a) didn't know how to track where IP addresses came from much less track people across the Internet and b) weren't interested in pursuing a case that they would need to hand off to another department for the arrest. That and Capital One giving the police the runaround (told them to call a line that went to perpetually unanswered voice mail) meant that the people responsible for this were never arrested.

    The most I was able to do was freeze my (and my wife's) credit file. This prevents this from happening in the future since my information is obviously "out there." However, it becomes a pain whenever I need a loan or anything else that needs my credit file thawed.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  11. Re:Why should it change? by Jason+Levine · · Score: 2

    One of the big problems is that big agencies like Equifax contribute to politicians and hire lobbyists.

    Imagine your example, but when you steal 10 cookies, you give your mother a cookie. In exchange, she wags her finger at you for stealing cookies but nothing else. Meanwhile, your younger brother has no such arrangement and gets grounded for a week for eating a cookie crumb that wasn't his. After the most recent Cookie Stealing Incident, your mother moans about how horrible it is that people steal cookies and pledges to get to the bottom of it, but then ups the punishment on your younger brother while munching on a cookie you gave her.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  12. Re:Change it! by raymorris · · Score: 4, Insightful

    > In no way whatsoever are these alternative actions. ...
      > Unqualified people were placed in positions of authority, they made stupid decisions, and there were no mechanisms for underlings with better understanding to raise alarms.

    And the other situation is Equifax.

  13. Re:Was there an expectation otherwise? by jbengt · · Score: 4, Funny

    One thing that's become crystal clear is that both parties are 100% owned by big-money corporations.

    That's not true.
    The Republicans are 25% owned by the anti-science religious nuts and the Democrats are 25% owned by the bleeding heart liberals, so they're at most 75% owned by big money corporations.

  14. No interest in consumer protection. by XXongo · · Score: 5, Insightful

    The last line of the summary says it all: "Mick Mulvaney took over the Consumer Financial Protection Bureau in November and halted the bureau's investigation."

    The current administration is not interested in consumer protection.

    They are on the side of business, not consumers.

  15. Re: headline by schklerg · · Score: 2

    The problem with that reasoning is Equifax's security was so demonstrably poor that it could have been China or your 8 year old cousin. They should have been sued, fined, and regulated into oblivion.

    --
    Be Excellent To Each Other
  16. Re:Was there an expectation otherwise? by q_e_t · · Score: 2

    That is a very cynical view, and I don't believe it is true.

    People don't always engage with politics, and this is partly because they don't feel that they have any real influence, and if that is what it feels like, then being informed isn't a high priority. To give him his due, Trump at the very least has made people believe that they can have an influence on the politics that affect their lives, and that it is worth engaging.

    If you look at the sweep of American (and Western) history over the last 100 years, politics has effected great changes, and that has come about through a combination of direct political action and awareness raising that has widened the right and ability to vote, and the influence ordinary people have, and it has been a very positive development.

  17. Re:Change it! by thegarbz · · Score: 2

    No, your other situation is the entire system called credit ratings. Equifax is just a part of the stupid.

    Credit rating in a nutshell:

    Person 1: Sir you have huge debt that means you must be good for it, here's a credit card with an even huger limit.
    Person 2: Sir you're homeless, your credit rating sucks. Have a smaller credit card we know you won't pay off.
    Person 3: Sir you're an engineer earning six figures who just moved into the country? We can give you a credit card with a $200 limit, but because you don't have a credit rating you'll have to pay us $200 for that card. You earn a lot and are intelligent, we can't use that as a basis for a credit system.