Wow, this document is extremely short. The disaster is very palpable in this format.
> names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million U.S. consumers (since updated)
OK, so who is going to be the grown-up in this situation?
It's obvious now that these numbers can no longer be treated as secret or, in most cases, as identifying instruments.
Who will lead the effort to deprecate them and migrate all of the documents and accounts which rely on them?
Why is it so difficult to imagine a coherent, sober response from government and mega-corporate entities which have until now, been using SSNs as identifying data?
They're already trying to change "bank fraud" into "identity theft" and defer liability to the person whose info is being used, vice the old way of the bank being fully liable.
Ironically, for a lot of industries they're better off just giving it the see-no-evil-hear-no-evil-speak-no-evil treatment and ignoring that those numbers can/will be stolen.
It's a little bit like the opposite of the way everyone is doing facial recognition and biometrics these days - plausible identifiability, when it's to their interest not to notice that the person doesn't match the id.
>"They're already trying to change "bank fraud" into "identity theft" and defer liability to the person whose info is being used, vice the old way of the bank being fully liable"
Do you some references or citations you could share about such a development? This is the first I have heard about this. Who is the "they" here? SEC? Banks? Lawmakers?
And yet we still use it with no end in sight. The only reason your identity isn't yet stolen and financial history ruined is likely literally that they haven't gotten to you yet.
What incentives are there for Equifax, Experian, TransUnion, Innovis, etc who profit from this system existing to make it better?
Who in the government will go after them, or even better, come up with something which will render them obsolete?
They profit from this system and also profit from breaches.
All of them have been making money hand over fist on this, thanks to their exclusive ability to monitor and lock/unlock their own credit reports.
Even if you aren't paying these companies directly, you're paying a company paying them for credit reporting to watch for identity theft.
Calling it a perverse incentive is an understatement. Only the US Government could have stepped in and made it unprofitable, but it appears as there will be no significant punishment for Equifax, and instead as a result of this the Congress made it harder to file a Class Action Lawsuit against companies like Equifax, so the next time you won't even have that option...
And yet bring up any kind of negative incentive here on HN and you’ll br greeted with “that would stifle innovation” and “negative incentives will just make companies try to keep breaches secret”
couldnt that logic be applied to all laws making bad behavior have negative consequences?
There is a pretty elegant solution in Europe: you're given an ID card (as a foreigner I paid €28 euro to get one of these in favour of a paper-based equivalent containing just the personal number/tax ID, not sure how it works as a citizen). It's also the same with the Estonian e-residence (and naturally the normal one too).
Most services use public key crypto and your ID card doubles up as the thing you use to cryptographically sign any documents that require proof of ID. You can do this yourself for many official documents with a generic smart card reader, and most places that would require ID in general (like your bank) will use that same system too.
The nature of the system means that while there's still likely to be a list of personal/tax numbers lying around, they are not the secret and there isn't a central database of everybody's private keys out there. If the root cert is compromised it can be renewed and card holders can refresh their card through some system or another (where I lived I had to take it to an office for them to do it for me).
I enjoyed using that in favour of the UK method of telling somebody where I lived for three years and where I was born, along with various other details, in order for them to become convinced of who I am. All I had to do in Europe was plug in my ID and that was enough proof.
Of course, implementing such a scheme in the US and UK seems to be politically toxic for various reasons that can be summarised as paranoia (whether that's warranted or not), where the potential for the government to abuse it in myriad dystopian, conspiratorial ways is still far, far worse than what the corporate megaliths are doing with all of that information already, for profit, as if the natural state of government is to be less trustworthy than a corporation despite reality showing otherwise time and time again.
I want to see us move away from SSNs and OLNs (driver license numbers) as identifying instruments. But this comment seems a little naive.
There is massive infrastructure built entirely around the use of SSN as the sole and final arbiter of who is who. You can change your social, yes, but many many systems ignore that entirely because it's for the part rare and something that happens 0-1 times in a person's life.
The government cannot just say "hey that whole SSN thing yeah we're not doing that anymore" without a decade or more of lead time. Companies like Equifax and other not-quite-as-dumpster-fire ones who rely on something like SSN can't just create their own and can't just use everything but.
It needs to change but it will take years if not decades to fully extricate it from the system, and that's if the government decides today that it needs to be done, which itself isn't clear right now.
They can. It will be a dumpster fire and will cost businesses massive amounts of money, but I think that's a good thing. You took an easy path that makes things worse not just for your users, but for people who never consented to using your system or doing business with you to begin with. Just pass a law that has an incrementing cost associated with use of SSNs. It can be done. That rich people who don't want it to be done because they like our the current setup to nonconsensually shift risk oppose it doesn't mean it can't be done.
When I say "companies like Equifax" I don't mean credit monitoring services. I mean any company which has a regulatory or business requirement to verify you are the person you say you are. They all use SSNs, and most of them require your consent to operate.
> The government cannot just say "hey that whole SSN thing yeah we're not doing that anymore" without a decade or more of lead time.
The government itself has done it, certain parts at least. It took fewer than 10 years. Do you think the private sector would be slower than the public sector?
I saw an apparently authentic local post on Facebook from a woman who received a call from someone in law enforcement. She had apparently missed a jury summons, and the official was trying to help her sort out the mess. He asked her about her address (turned out to be an older address) and knew her occupation, told her to meet him somewhere.
Something seemed odd to her, called the police and established that no one by that name worked for them, may have dodged a kidnapping attempt.
To make an incoherent and possibly bogus story short: this felt to me like a possible outcome from the Equifax data breach. Random stranger knows your (previous) address, knows what you do for a living, knows your phone number. There could be even worse outcomes than identity theft from this.
A more more direct anecdote: I just got a replacement social security card by mail. All it took to do it online was information from my credit report.
Thanks to this breach, the only defense against someone getting my social security card fraudulently is that it has to be mailed to my current address.
You can put a credit freeze on you file in major credit bureaus - this way their website would not be able to verify answers on security questions and deny login.
Brian Krebs did a good article on the process placing a freeze on your file [1]
Just have to add that in circumstances like this a corporate death penalty seems appropriate. Equifax is an entity that you are not able to be removed from in any way. When you look at the financial and security ramifications of the breach and what was released and the response, seems appropriate. The kicker is that Equifax also offers credit monitoring for fraud prevention as a product to line their coffers.
I hope you're being specific in your wish for Equifax to be shut down and not the whole consumer credit reporting industry. That industry solves a very, very real problem for consumers, and countries without credit reporting also don't have consumer access to credit, making, among other things, finding mortgage loans virtually impossible.
The privacy angle is minuscule compared to the human costs of not having consumer debt.
I am someone who believes the world would be better off without these companies. My argument generally goes like this:
- Credit existed before reporting agencies
- It's possible to verify creditworthiness without a reporting agency
- Reporting agencies aren't particularly good at their job anyways
You may dislike the first two arguments, because obviously they make debt more expensive. I don't think that's the worst thing in the world. So, I'll focus on the last point.
Credit reporting agencies often have incorrect info. Here's an FTC study that says one in five have wrong info that was corrected. [0]
You may argue that I should use the other number, ie. people who still had errors after fixing it: 2.2%. But, it oftentimes by the time you fix an error, the opportunity to get the thing you want (ie. job, apartment, car, house, etc) has passed.
But even if the data was correct, the way they generate the score manipulates people into taking on more debt than they should and take on worse debt.
Getting and using one or more credit cards is the easiest ways to improve your credit score, and this is honestly bullshit. Credit cards encourage bad spending habits and trap people in debt. The credit card companies rely on people carrying a balance and a really good way to make that happen is to make sure everyone uses their credit cards for everything.
Meanwhile, things that should improve your score often don't. For example, rent and utility payments only count if they are reported and a lot of landlords or companies don't report or only report if you don't pay.
Maybe it's not the credit reporting agencies' problem if people don't report good behavior. And, I don't know what efforts they've made at getting more people to report. But my bias tells me that they probably just don't care.
Is it a bad thing that getting a loan requires you to go to church? Yeah, kind of.
Edit: Now I don't know what I'm responding to. You agree that someone's history in repaying debts is legit to use as an indicator. You agree in augmenting the lending decisions with algorithms. That's what credit reporting is!
And yet somehow that's a defense of your conclusion that "therefore it should be more based on whether your social circles include the people with money" (which no one would scream bloody murder about for being anti-minority)? I'm lost.
We seem to have talked past each other. I have no issue with credit reports per-se. Rather, I believe that they systemically mis-categorize bad behavior as good and underreport good behavior that is non-traditional.
Also, I have no idea what you are talking about with Church things. I never mentioned Church or basing lending on social ties.
>I am someone who believes the world would be better off without these companies. My argument generally goes like this:
>Credit existed before reporting agencies
So, you like credit reporting, but not credit reporting agencies? Can you see how I might have missed this subtlety, since you never even tried to justify it?
Upon examination, your position isn't even against "credit reporting agencies", but "having wrong credit information". Great, everyone agrees, but it's unclear what you're saying should be different from the current system, now that you say you like "credit reporting".
>Also, I have no idea what you are talking about with Church things. I never mentioned Church or basing lending on social ties.
Or you forgot already. The Church came up because I pointed out that, yes, lending did exist before credit reporting agencies, but only based on these informal social cues, like whether someone "seems like a good Christian man" (gender intended) or whether your went to the same church (yes, church specifically). Then we had this exchange:
>>[lending was based on] whether the banker knows you from church as a good C̶h̶r̶i̶s̶t̶i̶a̶n̶ ̶m̶a̶n̶ person
>Is that supposed to be a bad thing?
Now you're acting like none of that happened, and also calling me a troll.
If there's a clear argument, I'd like to engage with it, but I can't discern what it is from your comments.
You're first comment suggested that I wanted to go back to some glorious past where credit reporting was better. I didn't say this and if you misinterpreted that from "Credit existed before reporting agencies", that's a shame.
It seems what you jumped to was that I think that it's better in the past, which I didn't say and don't mean.
What I meant is that it is possible to evaluate peoples credit one-by-one without having it all pre-gathered up front by a central reporting agency. This is more expensive, but I am fine with that.
The way it would work is similar to how it already works with underwriting. You submit a lot of paperwork on your account histories, rent payments, any leases or other contracts you are in now or recently, etc. These documents establish your creditworthiness.
For example, this is how I got a car loan. I had no credit score at all, but a bank was willing to give me a loan because they saw a bunch of docs saying I pay stuff on time and that I have a good job that pays enough to pay off the loan.
And also it wasn't what I focused on in my original comment anyways. I focused on the bad data, mis-categorization, and underreporting.
Edit:
Maybe this helps clarify things...
if credit agencies exist:
do better by...
- improving process for removing incorrect info
- stop encouraging people to use credit cards
- track rent, utilities and other good behavior better
else:
it's not a disaster because underwriting already requires all the docs needed to establish creditworthiness
The whole credit reporting industry depends on others absorbing their massive negative externalities. The companies are the equivalent of gross polluters dumping benzene into reservoirs.
> The privacy angle is minuscule
It is infuriating to see the suffering of the individual victims of identity theft dismissed so cavalierly. If the credit reporting companies had to pay for all the harm they cause they would be bankrupt many times over.
Even if credit rating serves a purpose, how does the system get reformed to bring true redress to those negatively affected by it?
And if getting a mortgage or a similarly big decision was the only time you needed a credit score, that would be one thing. Problem is in the US, a stupid number of things requires a credit score, including some mobile phone contracts (!).
Having grown up in a credit-averse and cash-focused society, I don't think they're that necessary. What people do instead in build a relationship with your local bank. Of course, once you're used to a credit-driven society it's hard/impossible to go back. People apparently hate being told "No you can't afford that new car".
In my twenties when I left the military I lost the ability to pay back my debts. It took me some 9 years to decide to clean up my credit. Living without a credit score is absolutely possible right now.
One simple way to change credit reporting is to make the process "opt-in". Credit reporting agencies can only report on consumers that agree to have their information reported. They could still collect publicly available data but couldn't report unless they have a consumer's ongoing agreement. Essentially, everyone's report is "frozen" by default and the agencies are automatically monetarily liable unless have an explicit agreement for this unfreezing.
That said, I'm not sure a world without consumer debt would be that much worse.
This is pretty much how it works already. When you sign for a credit card/loan/etc. the agreement includes language saying you also agree for it to be reported to a credit agency.
Credit reports are not frozen by default, per gp's suggestion. That would prevent those who want to inquire about an individual's credit from finding anything out without the individual taking concrete action to unfreeze the account.
The corporate death penalty here would not fix the problem. The data are already exposed.
Equifax market cap is currently $13.5B. Corporate death penalty would hurt owners of that stock, maybe funds in your own 401K account. Thousands of people would lose their jobs.
Would it have a preventive effect? Maybe but doubtful. There are too many systems with too much data that are too old and too interconnected to think that it's even possible to secure them all. If it wasn't Equifax it would have been someone else, eventually. Most of what Equifax exposed was probably already exposed in other leaks anyway.
Better solution should be developing new, secure methods of proving identity, where leaks don't matter because it's not possible to leak anything of value. All the old ways are now forever broken.
Bullshit apologism. Shareholders should lose their shirts, for the same reason Enron shareholders did. [Equifax did not commit fraud, but my point is that when a company through incompetence or malice damages 100s of millions of Americans...yeah, they should be dissolved from existence.]
Data breaches are only preventable when you have an inhumanly good security team. This is mot even possible for your average non-technically-inclined business leader.
Why don’t I have any say in all my financial transactions and “passwords” being sent to and vacuumed up by tech ologically incompetent, undeniably unethical bureau-corps?
It’s what I found so refreshing about Monero and other cruptocurrencies when I still used them (took a break from the scene). No one can steal your identity or your money withhout you yourself making a mistake.
Money is a proxy for power in society. The fines for this breach should be enormous since it wasn't just them being hacked, they were negligent in maintaining their systems.
If the consequences of losing our data was high enough, more money would be spent protecting the data. Which I think is one of the good things for GDPR, it has stiff penalties and one of the considerations for the fine is negligence.
Equifax is probably going to end up making more money now because of the breach as more people now need "better" identity verification - a service that Equifax conveniently provides.
Maybe the other credit reporting agencies and other companies would take security seriously. Sometimes breaches happen. Sometimes it's clearly negligence.
And just because it's too late now doesn't mean the law can't be adjusted to prevent it from happening in the future. If you don't learn from mistakes, that's dumb. And obviously companies can't be trusted to do it themselves.
Neither does the regular death penalty un-murder anyone. But as long as our society feels it has the right to end human lives, it should absolutely have the right to dissolve corporations; and corporations are capable of much greater harm than individuals.
Capital punishment is meant as a deterrent, not a preventative measure (well, really, it's revenge for the mob) and so it could potentially work much better with corporations than with individuals.
If a shareholder (or fund) is invested in a company, those investments should be considered at risk, without a risk component, companies may as well only return the tbill rate.
By giving equifax the death penalty, future shareholders should choose between competitors, including on who will do the better job with accuracy and data security.
Don't forget, if you want to change your social security number, here's the process[1]:
1. Prove you meet the conditions for changing it (you must show proof of identify _theft_ and how it disadvantages you)
2. Show up at an office, in person, with original documentation.
Sounds like a great startup idea: make fixing 143M citizens' identities as easy as ordering a pizza. Or create the Uber for people who will stand in line for you at the Social Security office.
Problem is data theft doesn't meet the criteria of identify theft. You can't change your SSN until you have proof of identity theft, not a data breach.
I'm typically not particularly paranoid, but if a state actor wanted to destabilize the US economy, increasing the rate of fraud via identity theft sounds like a great way to do it. Crank it up just enough to hurt the economy, but not quite enough to break the identity status quo....
The leak of this data basically enables a denial of service attack against parts of the economy dependent on personal identity.
I know this is somewhat off point, but there's a https://en.wikipedia.org/wiki/Fallacy_of_division happening here when considering risk - individually, my chance of impact is low (I think?), but as a society, the risk of impact is very high.
I think that makes it worth replacing everyone's SSN, at a minimum.
The problem is that SSNs are not secret to begin with. They are a unique identifier that is in hundreds of systems already. They provide no security. We need another common system to confirm people's identities.
Cool idea. YMMV with this, though. The government accidentally assigned me someone else's SSN (had the same first/last name as me and was born in the same hospital) and it took about 2 years to rectify.
The first and last name may be a coincidence, but depending on how old you are the "same hospital" is likely not. SSNs are generated based partially on geographical area, so if that's the only or the biggest hospital in the area, the likelihood of getting a number from the same hospital is substantially higher.
If you have someone's SSN, you can pretty easily deduce what city they were born in unless they are very young (they switched this process recently).
Presumably, sho'he requested a credit report to verify success and saw a lifetime of someone else's credit interactions (different car, mortgage, credit cards). <edit for irreverent trailer : https://www.youtube.com/watch?v=OnouJoQs52c />
Serious question: at what point does it not matter that your identity has been stolen simply because everyrone's has been stolen? I mean, we're approaching that point, right? The size and scope of this breach basically encompasses the entire adult population of the US, does it not?
We're certainly at the point where there's no reason to believe that your data has not been exposed. Whether it's been used to commit fraud is another matter. The odds are in your favor by sheer numbers but who knows for how long.
It has been eight months since the data breach was announced (nine since it was discovered). This is the first time we are getting a full reckoning of what data was accessed. (We knew it was ~150 million SSN's, but we didn't what else it included--e.g. address history, income, debt, etc.) I'll admit, Equifax actually exceeded my expectations in this regard, I was skeptical that they would be able to create a document like this at all. Still, the impact of the data breach was magnified by the fact that they have so little oversight over their own systems that reconciling records took more than half a year.
Any time there's a privacy issue nowadays, I like to play "What if GDPR?" GPDR would have required this document be filed to the relevant authority in three days (Article 33). And the work to compile this document would have mostly been front-loaded by complying with the documentation requirements in Article 30. I don't think GDPR would have made a direct impact on preventing the breach (other than maybe causing someone to look at the towering pile of paperwork and consider thinking of the data as a liability), but affected users would have been much better prepared to know how they might have been affected and how to respond.
In three days (where possible). Equifax would have said it was not possible. The benefit of GDPR is that you could request that they delete any data they have on you. I also believe they wouldn't be able to collect this personal information in the first place since you don't have a business relationship with them.
> names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million U.S. consumers (since updated)
OK, so who is going to be the grown-up in this situation?
It's obvious now that these numbers can no longer be treated as secret or, in most cases, as identifying instruments.
Who will lead the effort to deprecate them and migrate all of the documents and accounts which rely on them?
Why is it so difficult to imagine a coherent, sober response from government and mega-corporate entities which have until now, been using SSNs as identifying data?