Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse
from the hang-on... dept
Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:
First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.
Not surprisingly, it didn't take long for various security tools to warn that the site wasn't safe.
Said site is now unsurprisingly being flagged as suspicious by OpenDNS (and probably others) 🤦‍♂️🤦‍♂️🤦‍♂️ pic.twitter.com/JZOIgSQpRo
— John Kelly (@mrjohnkelly73) September 8, 2017
Google have now marked the Equifax breach notification SSN check as phishing. pic.twitter.com/zb2dDQEwip
— Kevin Beaumont (@GossiTheDog) September 8, 2017
And, when Equifax pushed people to its own "TrustedID" program to supposedly check to see if you were a victim of its own failures... it just started telling everyone yes no matter what info they put in:
Just wow. If you enter "Test" and "123456" on Equifax's hack checker page, it says your data has been breached. pic.twitter.com/cTjTs7Frjv
— Zack Whittaker (@zackwhittaker) September 8, 2017
So, yeah, what the hell did Equifax do during those six weeks it had to prepare? Oh, well, a few of its top execs used the delay to sell off stock, which may put them in even more hot water (of the criminal variety). Also, just days before it revealed the breach, and long after it knew of it, the company was talking up how admired its CEO is. This is literally the last tweet from Equifax prior to tweeting about the breach (screenshotted, because who knows how long it'll last):
I can't see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well. Beyond the possible insider trading above, there's already scrutiny on its corporate VP and Chief Legal Officer, John J. Kelley, who made $2.8 million last year and runs the company's "security, compliance, and privacy" efforts.
And despite six weeks to prepare for this, the following was Equifax's non-apology:
We apologize to our consumers and business customers for the concern and frustration this causes.
That's a classic non-apology. It's not apologizing for its own actions. It's not apologizing for the total mess it's created. It's just apologizing if you're "concerned and frustrated."
Oh, and did we mention that the very morning of the day that Equifax announced the breach, it tweeted out about a newsletter it published about how "safeguarding valuable customer data is critical." Really (again, screenshotted in case this disappears):
What the fuck, Equifax? Should we even mention that Equifax has been a key lobbying force against data breach bills? Those bills have some problems... but, really, it's not a good look following all of this.
And while there was some concern that signing up to check to see if you were a victim (again: look, you probably were...) would force you out of being a part of any class action lawsuit, that's since been "clarified" to not apply to any class action lawsuits over the breach. And you better believe that the company is going to be facing one heck of a class action lawsuit (a bunch are being filed, but they'll likely be consolidated).
That's all background of course. What I really wanted to discuss is how this will almost certainly get worse before it gets better. More than twelve years ago, I wrote that every major data breach is later revealed to be worse than initially reported on. This has held true for years and years. The initial analysis almost always underplays how serious the leak is or how much data is leaked. Stay tuned, because there's a very high likelihood we'll find out that either more people were impacted or that more sensitive information is out there.
And that should be a major concern, because what we already know here is stunning. As Michael Hiltzik at the LA Times noted, this is the mother lode of data if you want to commit all sorts of fraud:
The data now at large includes names, Social Security numbers, birthdates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name.
In some cases, Equifax says, the security questions and answers used on some websites to verify users’ identity may also have been exposed. Having that information in hand would allow hackers to change their targets’ passwords and other account settings.
Other data breaches may have been bigger in terms of total accounts impacted, but it's hard to see how any data breach could have been this damaging. For over a decade, we've pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency. In fact, back in 2005, we wrote about Equifax itself saying that it was "unconstitutional and un-American" to let people know what kind of information Equifax had on them. The amount of data that Equifax and the other credit bureaus hold is staggering -- and as this event shows, they don't seem to have much of a clue about how to actually secure it.
At some point, we need to rethink why we've given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can't opt-out. They collect most of their data without us knowing and in secret. You can't avoid them. And now we know that at least one of them doesn't know how to secure that data.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, fraud, leak, security, security breach
Companies: equifax
Reader Comments
The First Word
“Subscribe: RSS
View by: Time | Thread
Their solution is a sales trick
[ link to this | view in chronology ]
Re: Their solution is a sales trick
https://yro.slashdot.org/story/17/09/10/0128214/techcrunch-equifax-hack-checking-web-site-is-re turning-random-results
[ link to this | view in chronology ]
Re: Re: Their solution is a sales trick
That's from 2017.
[ link to this | view in chronology ]
Re: Re: Re: Their solution is a sales trick
So is his comment...
[ link to this | view in chronology ]
Its all about lawsuit prevention
Not sure a judge is going to accept this but its really ugly in terms of legal protections.
It gets better, if your a customer you've already signed away your rights, and if you agree to the free credit monitoring, you agree to arbitration as well.
The only good thing is that this also falls under the fair credit reporting act, so that act may override arbitration, but no one actully knows for sure.
[ link to this | view in chronology ]
Re: Its all about lawsuit prevention
Its funny, but the very act of looking up if your a victim appears to wave your right to trial by court and requires you to go to mandatory arbitration.
As mentioned in the post, this isn't actually true. 1. the terms actually only say the arb clause applies to the monitoring service, not the rest of Equifax and 2. the company explicitly has said it doesn't apply to this breach.
I know this claim went viral today and got covered in lots of places, but it's simply not true.
[ link to this | view in chronology ]
Re: Re: Its all about lawsuit prevention
No, the claim WAS true. They have changed the TOS.
[ link to this | view in chronology ]
Re: Re: Re: Its all about lawsuit prevention
"The TOS doesn't cover the cybersecurity incident"
The TOS is thus irrelevant in this case and btw. would only be eforceable for TrustedID-users who signed up for the premium service.
[ link to this | view in chronology ]
Re: Its all about lawsuit prevention
Equifax is looking at enough legal/judicial scrutiny to need consideration of if they can keep afloat economically.
[ link to this | view in chronology ]
lawsuit prevention
Does it mean the Equifax and their executive can not be sued?
[ link to this | view in chronology ]
Re: lawsuit prevention
I'm sure we can find a dozen Equifax employees who have direct access to the data that have accidentally(!) removed their own information. Typos happne.
After all, who else could be so impartial?
[ link to this | view in chronology ]
Down Under done over too
Despite Equifax tweeting its assurances that there is no evidence yet its Australian customers are affected, cybersecurity expert Mark Gregory from RMIT said Australians should urgently check their credit records.
"We should probably assume at this point that the data has not been integrated between the countries, but that's not to say that there hasn't been some data integration," he said.
http://www.abc.net.au/news/2017-09-08/smiley-credit-check-australians-financial-information-at- risk/8887198
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
"it's that identity theft is nearly impossible to fully recover from."
No no, you're not thinking about it right. It's actually an opportunity in disguise. Once someone grabs your identity, you complain and then YOU go and buy all kinds of stuff as yourself and then blame THEM.
Oh, that high-end computer, that 666" TV, that gold-plated XBox? I Didn't Do It, Nobody Saw Me Do It, There's No Way You Can Prove Anything!.
[ link to this | view in chronology ]
Re: Problem isn't just Equifax
<> " At some point, we need to rethink why we've given {Federal/state/local Government} so much power over so much of our everyday lives. You can't opt-out. They collect most of their data without us knowing and in secret. "
____
Your American Government is ten times worse than Equifax.
At least Equifax will suffer severe financial consequences for its malicious actions and incompetence -- government politicians and bureaucrats need not worry about such outcomes.
Also, SSAN as de facto national ID # is entirely the severe fault of the Federal Government. SSAN's should be abolished, but the Fed's luv them for tracking & controlling the citizens.
[ link to this | view in chronology ]
Re:
There simply aren't enough numbers to reassign them all after a breach this large. SSNs are only 9 digits, and share space with ITINs.
If we're going to replace SSNs, we'd best re-think the whole idea of using the same static number to identify ourselves everywhere. There are some countries where it's illegal to use government ID numbers for non-official purposes (for example, in Ontario, Canada, it's illegal to store a health card number for non-medical purposes; or for the SSN-equivalent "SIN", "Unless an organization can demonstrate that the reason it is requesting an individual's SIN is specifically permitted by law, or that no alternative identifiers would suffice to complete the transaction, it cannot deny or refuse a product or service on the grounds of a refusal to provide a SIN").
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Have to wonder if a janitor or secretary got a bright idea after overhearing the 3 executives discuss selling stock.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Why? Doing so based on 'inside information' is already illegal, and if shorting were completely illegal, one could still make money with options.
[ link to this | view in chronology ]
Re: Re: Re:
If you pulled this "trick" anywhere else, you'd be in prison.
Not really. You can do it with real estate (a reverse mortgage). You can do it with most small/medium sized items (at pawn shops or similar). And there's no laws preventing you from doing it with other things, just a general lack of organized groups/people offering to be the counter-party.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Short selling? What about naked short selling?
[ link to this | view in chronology ]
Re: Short selling? What about naked short selling?
But I would be even more careful in regards to free flowing options, since they are a derivative of the stock-market and even more so derivatives of the derivative markets like vix and xiv. Btw. ETFs and indexes are also derivatives...
Shorting a stock can be fixed so that the effects are minimally disruptive, but the option market needs a collateral to provide security and an infinite volume derivative can never act as such.
[ link to this | view in chronology ]
Re: Re:
It's possible that the sale was automatic; some people set accounts up to automatically rebalance at the beginning of every quarter.
But yes it looks suspicious as hell and should be one of the first things the investigators look into.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
People v.
You know when you hear of a lawsuit and it's referred to as "People v. Such-and-such"? This will probably be the first time People actually does mean everyone!
And also,
is a great example of such statements usually released by companies after these events. No admission of guilt, though, fair enough, any good lawyer wouldn't let that one pass.
But then they're basically saying "We see you're feeling concerned and frustrated over something, though we can't imagine why, but we're so empathetic we feel and share your pain." No you don't, no that's not why you should be sorry, and NO NO NO the onus for our distress isn't on us, it's on you!
So commiserate all you want, but fuck off with empty gestures after such a colossal fuck-up!
That's the kind of statement that would be inappropriate when you get my McD order wrong, so learn that, because it may serve you well in a not so distant future.
[ link to this | view in chronology ]
That apology
[ link to this | view in chronology ]
You know who isn't affected ?
No mobile phone, no credit card, always pays with caaash.
[ link to this | view in chronology ]
Typical, the banks are protected and we aren't
But info that would let you steal money from banks directly? (Like credit card account numbers?) That's locked down just fine, except for a "measly" 200k-ish accounts.
Note to Equifax: The fact that my account numbers likely aren't public does not help me feel better. I've had a credit card used fraudulently four times not, and at no time was it anything but a minor inconvenience. My most vital identifying data is most certainly quite a bit more important.
[ link to this | view in chronology ]
Holy Crap
Now this morning I read this posting & find that the site for checking of I'm a victim (which it doesn't) was not secure! These people monitor our credit! They hold all the cards & see all of our's as well! These people CAN'T make mistakes like this! It's inconceivable!
The clowns that run this outfit are too busy counting their money to do any kind of a decent job. Time to take their money back & fire them. They are not competent enough to be cashiers at Walmart.
[ link to this | view in chronology ]
Re: Holy Crap
Data security is a black hole you can never fill with money. The answer for many indebted companies is to prioritize other issues.
EFX is screwed because the CEO and directors has kept digging with their advertising of security, trading on some potential insider knowledge and general lack of understanding about what has occured.
[ link to this | view in chronology ]
Well, what they're collecting is pretty transparent *now*.
[ link to this | view in chronology ]
Re:
I hope that they secure the database in the UK much better than they do in the US.
[ link to this | view in chronology ]
On another note, my ID info has been stolen three times now
I've been hit with OPM, Anthem, and now this; I might as well put that information at the bottom of my e-mail signature at this point.
I know that at least the last four digits of my SSN, along with a ccard acct. number were used to steal one of my credit cards last year in a fascinating social engineering attack. (Used the telephone account access system to authenticate with a Cap One CSR to change my e-mail address. They then used the new e-mail to answer "yes" when e-mailed an alert about a huge obviously-fraudulent charge they were trying to make.)
[ link to this | view in chronology ]
Re: On another note, my ID info has been stolen three times now
[ link to this | view in chronology ]
Re: On another note, my ID info has been stolen three times now
Good news! It hasn't been stolen, just illegally copied. Equifax never lost access to the data—it's still sitting on their servers, ready for future criminals to copy again.
[ link to this | view in chronology ]
Re: On another note, my ID info has been stolen three times now
I'm in the same boat with all three. And those are just the three we've been told about.
[ link to this | view in chronology ]
Diversity ftw!
In fact, their chief information security officer is a woman with a bachelor's AND a master's in music composition. https://www.boardroominsiders.com/executive-profiles/1006308/Equifax,-Inc./Susan-Mauldin
Thank Gaia the company didn't hire a white man with a background in computer security. I can't imagine how bad the breach would have been then.
[ link to this | view in chronology ]
Fail. (On your part)
Many of the best hackers I know don't have degrees that have anything whatsoever to do with computing; it's not unusual at all.
I'm not saying she's good at her job, just that the information you posted would not give you any useful information on if somebody was a "diversity hire" or not. (Certainly there are plenty of "white men with a background in computer security" that are also complete failures at similar jobs.)
[ link to this | view in chronology ]
Re: Fail. (On your part)
I have met more than enough "Experienced Security Professionals" that are only capable of regurgitating something a magazine told them. More than 50% of all Companies and their Security/Compliance teams do not fundamentally understand security.
I would not trust any "experienced" professional in IT for shit, there are just too many fucking idiots that only know enough to get by.
For example... how long has this been around?
https://xkcd.com/936/
Only recently has NIST updated their password recomendations.
Additionally, most companies still use the old "security theater" method of password security.
adding rules that enforce complexity only REDUCE the actual security of the password because complexity rules only lets hackers know which combinations of passwords they don't have to try for. This reduces the permutation strength by at least an order of magnitude per complexity requirement rule added to the password. 1 rule = one order of magnitude weaker password, 2 rules, that is 2 orders of magnitude weaker password, 3 rules... you get the idea!
That password policy is just the tip of that iceberg. I have seen organizations present numerous security requirements for users while almost completely reducing them for executives and upper management, even upper level IT come with far fewer security requirements.
I even watch as companies do stupid shit like prevent build in copy paste and screen capture tools. They only reduce productivity and hackers still get the shit they want with no additional effort. Yes, I have heard that this to also prevent theft by employee.... I have yet to see it stop any form of breach. The number of cases I had to deal with each year in corporate espionage was not impacted one iota by the fucking security theater approaches to keeping company assets safe.
Breaches like this, let me tell you, almost every company in the US has already had a similar breach and almost 1/2 of those are not even aware of a current or a past breach.
it is seriously THAT BAD!
[ link to this | view in chronology ]
Re: Re: Fail. (On your part)
It doesn't matter that hackers know what kind of complexity rules they can ignore, a password like ';324k5@#$%-098awle5i398$%43klj454$$#' is going to be far more secure even with complexity rules than 'Password123'. Forcing more complexity rules on users so their passwords end up looking more like the former is always a good thing, not bad.
[ link to this | view in chronology ]
Re: Re: Re: Fail. (On your part)
[ link to this | view in chronology ]
Re: Re: Re: Re: Fail. (On your part)
Case in point, 1HBw0tRr8%, uses the first letter of each word in the phrase "I have been working on the railroad" with some letters swapped out for their l33t equivalents and a number and symbol added to the end for increased complexity. I should be able to reasonably remember that password without writing it down, while meeting common complexity requirements and it will be vastly more secure than Password123.
Additionally, password managers make your argument moot.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Fail. (On your part)
Just to pour some petrol on the fire...
https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
The real world problem with "1HBw0tRr8%" is that you'll need to change it to something quite different say every 30 days, for x number of accounts, x being (in my case) quite large. So to avoid getting continuously locked out, you'll adopt some kind of pattern, an aide-memoire if you will. Unfortunately these patterns are pure gravy to people whose business it is to pry open accounts.
Using a password manager is often forbidden by OpSec/InfoSec people as it puts all the crown jewels all one place.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Fail. (On your part)
The problem with difficult-to-remember passwords is that they get written down somewhere.
That's the point of the (encrypted) password manager is that a worker has to remember only ONE pile of gibberish (and not write it down) and the rest get remembered, assuming proper security hygiene (e.g. don't let someone shoulder surf while you're typing)
I had assumed that Equifax's sin was the same as government agencies -- not taking computer security seriously enough -- but it sounds like they still think they're in the early nineties and don't keep up on the state-of-the-art protocols.
Like the ones that suggest the worse vulnerabilities are between chair and keyboard.
Well, hackers do.
And they've got lists and lists of BCAK exploits.
[ link to this | view in chronology ]
Re: Fail. (On your part)
Many of the best doctors I know don't have degrees that have anything whatsoever to do with medicine, or a degree at all; They just supply me drugs.
[ link to this | view in chronology ]
Re: Re: Fail. (On your part)
[ link to this | view in chronology ]
Re: Fail. (On your part)
I'm pretty sure there were degrees in things like computer science. And if she's so good at it now, maybe she should go back to school for an appropriate degree. She should be able to dance right through, right?
[ link to this | view in chronology ]
Re: Re: Fail. (On your part)
[ link to this | view in chronology ]
Re: Re: Fail. (On your part)
Oh how things have changed.
[ link to this | view in chronology ]
Re: Fail. (On your part)
In this case, it is obvious that security was not important to the company. What we don't know is the reason why. It could be cost, it could be technical difficulty, it could be a lack of ability. It could be something else or a combination of several factors.
We do know part of the end result. Many years of horrible experiences for many many people, and likely a financial industry with zero interest in making things easier/better for those people. Those people probably include some/many of us.
[ link to this | view in chronology ]
Re: Diversity ftw!
Perhaps if you had better communication skills you would be able to express your true feelings.
[ link to this | view in chronology ]
Re: Re: Diversity ftw!
Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed
https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier -than-the-date-disclosed
I'm sure she's super-duper competent at computer security and stuff, despite her music composition degrees. If only she had a _fourth_ month to secure her systems after she learned of the first breach.
[ link to this | view in chronology ]
Re: Diversity ftw!
[ link to this | view in chronology ]
Re: Diversity ftw!
[ link to this | view in chronology ]
Re: Diversity ftw!
Let me guess - you're a white guy with a CS degree but no industry experience, and you've decided that it's "diversity" that's making it difficult to get that sweet job you saw a black women with the same qualifications get a while back, and not your shitty attitude, zero industry knowledge and entitlement complex?
[ link to this | view in chronology ]
Silver Linings
[ link to this | view in chronology ]
Re: Silver Linings
[ link to this | view in chronology ]
Re: Re: Silver Linings
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Truth in naming
[ link to this | view in chronology ]
Just a reminder where these people get their ideas and how they morphed
A brief history of the fist credit reporting agency and how it changed into the monstrosities we have today.
The will probably get off with a slap on the wrist but it's gonna be a shit storm of outrage for quite a while I was watching the PBS newshour last night and both the presenter and the expert guest started the segment stating they had both been affected and the last word on the subject was that signing up for the monitoring abrogated to right to sue..
Now the NewsHour is mostly viewed by the over 65 but they have middle aged children that they will likely call in a panic either for themselves or for them and you can bet there are going to be a lot of eyes on this for a long time.
So It's got that going for it, which is nice.
[ link to this | view in chronology ]
Re: Just a reminder where these people get their ideas and how they morphed
That $14 trillion should just about put Equifax where it belongs: out of business.
[ link to this | view in chronology ]
Jail time
[ link to this | view in chronology ]
1) defrauded business demands payment from you because your "identity" was "stolen"?
2) defrauded business takes measures to help prevent future errors.
[ link to this | view in chronology ]
Re:
Though I do wonder, how many persons will now try to purchase things as themselves and claim identity theft...
[ link to this | view in chronology ]
Re: Re:
Considering the breach covers EVERY adult in the US, and considering what percentage of the population are con-artists, this will probably be at least in the thousands, if not tens of thousands.
[ link to this | view in chronology ]
Re: Re:
Also see Ross Anderson's description of this false narrative:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Given this the execs should pay a high price for their incompetence such as jail time. I'm not even bringing up the fact that they cashed out before revealing the damage. No accountability from any corps mishandling our info.
[ link to this | view in chronology ]
Like the guy above, my information has now been jacked 3-times that I know of. That doesn't include more minor hacks like linkedin, yahoo, and the one's I've never heard about. It may as well be public at this point.
One of the more egregious things I've heard about, it's not a hack, was ADP selling salary information that they got from processing you checks. This kind of thing should have been illegal from the start. Seriously, you process the check, and get to sell the information....
And this is where we dropped the ball. These big giant collectives of personal data needed to be stopped a long time ago. If you want to have it, fine, if it gets out people go to jail and companies get wrecked. If you want to take the risk you take the punishment.
But, don't worry, Jeffrey's on the job, oh wait, he's busy getting police tanks and bazooka's, while the public gets reamed by these kind of crimes.
[ link to this | view in chronology ]
Yaaa-Hooo
If they would break into the OTHER 2 agencies..
Any info they could give out would be subject to Scrutiny..
And need to be Validated..
So, that the 3 agencies responsible for ANY credit you get, would be GONE..
THEN, either the bank HAS to listen to you, or NOT..if NOT, they still need to figure out WHO they can give money to..
HONESTY unchecked??
[ link to this | view in chronology ]
"In trouble"
You're implying that Smith is in trouble. He was making 12 million dollars per year, and very likely has an indemnity agreement such that Equifax will pay any legal costs arising from his work. Even if fired, he won't be in the poorhouse anytime soon. There are 143 million people in more trouble than him.
[ link to this | view in chronology ]
So...
Two- and Three-factor authentication for everything!
Not a half-bad idea.
[ link to this | view in chronology ]
Walter Tangoe Foxtrot
It's amazing the lengths companies will go to, collecting information on everyone they can, in order to secure a loan. Next they'll start telling us how to live our lives. Although I do think most people are coming to the realization if they ever want to get anywhere they need to decide what they're willing to put up with and work hard at not putting up with it.
[ link to this | view in chronology ]
Re: Walter Tangoe Foxtrot
Been goin on since caveman days
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Oh the government values your data and privacy; that's why they want "just":
The Government Cares all about you and wants to know =everything= there is to know about their precious constituency.
"All the better to guard you with, my dear." -- Grandma from the Little Red Riding Hood.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Equifax is doomed.
That means if they were to give a mere TWENTY DOLLARS to each person who has had their information leaked it would cost them nearly their ENTIRE YEARLY REVENUE. Equifax is fucked.
[ link to this | view in chronology ]
Payouts
[ link to this | view in chronology ]
Look at the good side of this
- Who will be able to pass a security check for a job working with DOD classified data, for a job with the FBI or CIA or NSA or DHS?
- Who will pass a background check for these crooked web sites who claim to verify people for jobs, dates, contracting and so on?
- Who will pass an HR background check for any professional or skilled job?
Congratulations, we're all criminals now. As Mike said, this is going to get much bigger.
[ link to this | view in chronology ]