
Massive mortgage and loan data leak gets worse, original documents also exposed - PretzelFisch
https://techcrunch.com/2019/01/24/mortgage-loan-leak-gets-worse/
======
cascom
This is getting so tiresome - consumers need direct recourse against those
institutions that are mishandling/losing their data

Edit: if this were the case, the perception would change from viewing large
troves of personal private data as an asset, to being viewed as a liability
that needs to be mitigated.

~~~
BoiledCabbage
This will continue to happen as long as data is viewed as an asset to hoard.

It needs to be viewed like debt - a liability to manage. I.e. only hold it when
it provides you value greater than the risk and cost involved.

Current time in society "data" is a zero interest rate loan, that is never
due, with no credit worthiness check, and no penalty for default. The
incentives are perverse.

It absolutely doesn't align with the costs to society.

At bare minimum you need penalty for default, and a non-zero interest rate
(with regular payments).

~~~
specialist
Please say more.

--

My current position is that my data is me. Anyone using my data owes me money.
To guard my privacy, I get to choose what is publicly known about me.

Being a very simple bear, I envision modern privacy as an extension of
property rights, a fundamental human right.

I want to hear more about your (?) ideas of debt, liability. It feels more
flexible, but I'm having a hard time envisioning the mechanics.

My notion does not cover the decay rate (shelf-life) of data. E.g. when I die,
what happens to my data? Do I really care that anyone knows my autopsy report,
my DNA, my lifetime earnings, my favorite sports ball teams, etc.?

Nor does it cover (pseudo-)anonymous data. How would my data be included in
longitudinal datasets like public health, surveys, traffic, etc?

--

I've been chewing on this stuff for a long time. I have direct experience with
(in order) electronic medical records, voter privacy, marketing, metrics &
analytics. This topic always makes my head hurt.

~~~
cascom
How about this (assume inflation adjustment for all numbers):

1. Failure to report a data loss is a fine of $10,000/user (need a compliance
stick)

2. An exponential schedule of loss categories:

Level 3 items: name, address, email, etc. = $2/each

Level 2 items: username, purchase history, etc. = $10/each

Level 1 items: financial data, communications, passwords (unsecured/poorly
secured), pictures, etc. = $100/each

Then each category would be multiplicative: lose 1m customer names and
addresses and it would be $2 x $2 = $4/each, or $4m; lose 1m names, addresses and
personal communications, and it would be $2 x $2 x $100 = $400/each, or $400m.

------
lykr0n
There needs to be fines for this kind of stuff.

Each and every person affected needs to be notified, and the companies sued
into oblivion. It's just negligence.

~~~
breakingcups
Europe has it, with the GDPR. It'll never happen in the U.S., corporate
America has too much lobby power.

~~~
maxxxxx
I can see in my (US) company how the GDPR already has an influence on data
collection practices. Three years ago we wanted to just suck up all available
data and figure out later what to do with it. Now there is much more thought
and we have to set up processes for deleting data and other things. It's a
little more work but definitely a good thing.

~~~
WrtCdEvrydy
My favorite part is salting someone's database.

Sign up as a US citizen, switch your country in the preferences to Spain like
2 minutes later... Boom

~~~
maxxxxx
That's why it's often easier to go full GDPR if you have worldwide customers.

------
dwyerm
> "Campbell confirmed that the company will inform all affected customers"

Even though they might be holding my data, I'm most likely not their customer.
So, will I ever get informed if they leaked my data?

The ownership of data is getting to be a tricky problem. My employer is asking
me to submit to regular and continuous background checks through a third-party
service. My employer claims that this third-party has remedies to my employer
in their contract in case of a breach, but when I asked what the remedies were
to _ME_ I was met with silence.

------
sct202
I don't understand how people just leave servers with open access. Don't
you have to manually set them up to be unprotected and accessible that way?

Edit: missed a word

~~~
technofiend
No, the opposite is often true. To get you working quickly software often has
open-to-all by default and the user is left to lock down as they see fit.

~~~
travisr
The new leak came from an S3 server, which would have been locked down by
default. Someone had to make it open to the public.

~~~
PretzelFisch
Didn't S3 use to default to public? I know older versions of Elasticsearch
didn't need authentication when first set up.

~~~
WrtCdEvrydy
Yes, now you even get a warning for opening the bucket, but I bet you someone
googled the answer and was like 'fuck it, too much of a headache to set up IAM
for my app.'

------
xfour
So sloppy, this is why it becomes clear that your developers need to know the
scope of your business. Best practices sure don’t leave an open server with
production data. But, if you know you have tons of pii in there, you should
treat that like proverbial nuclear radiating material and lock it down with
whatever means are at your disposal, regardless of difficulty to do so.

~~~
stronglikedan
Securing the data costs money. Leaking the data doesn't. Until it does,
businesses will take the path that least affects their bottom line.

------
ulkesh
So how do we truly know if we're affected? OpticsML claims they are "working
to notify all affected parties", but they have lost all trust and credibility,
so I'm not holding my breath.

~~~
misiti3780
Who is behind OpticsML? Can't find anything about them.

~~~
matheweis
From the archive.org cache
(https://web.archive.org/web/20180824215739/https://www.opticsml.com/)
of their homepage, it looks like they were a company that did OCR, indexing, &
AI assisted data extraction.

Seems like a pretty good use of ML really - shouldn’t be an intractable
problem to identify something like a scanned W2, run OCR on it and extract the
income fields.

------
psychometry
Was Elasticsearch on AWS, too? I wouldn't be surprised since they don't
support x-pack, making only more inconvenient forms of authentication
available to users.

------
crb002
This does not disturb me (modulo leak of SSNs). If documents for federal
mortgages were public we would have seen 90% less mortgage fraud.

