
Equifax statement regarding extent of security incident announced Sep 7 2017 - geocar
https://www.sec.gov/Archives/edgar/data/33185/000119312518154706/d583804dex991.htm
======
jMyles
Wow, this document is extremely short. The disaster is very palpable in this
format.

> names, Social Security numbers, birth dates, addresses and, in some
> instances, driver’s license numbers of 143 million U.S. consumers (since
> updated)

OK, so who is going to be the grown-up in this situation?

It's obvious now that these numbers can no longer be treated as secret or, in
most cases, as identifying instruments.

Who will lead the effort to deprecate them and migrate all of the documents
and accounts which rely on them?

Why is it so difficult to imagine a coherent, sober response from government
and mega-corporate entities which have, until now, been using SSNs as
identifying data?

~~~
tomglynch
Need a totally new way of verifying identity now. The old way was already
broken, but now it's totally destroyed.

~~~
seanp2k2
And yet we still use it with no end in sight. The only reason your identity
isn't yet stolen and financial history ruined is likely literally that they
haven't gotten to you yet.

What incentives are there for Equifax, Experian, TransUnion, Innovis, etc who
profit from this system existing to make it better?

Who in the government will go after them, or even better, come up with
something which will render them obsolete?

~~~
Someone1234
They profit from this system and also profit from breaches.

All of them have been making money hand over fist on this, thanks to their
exclusive ability to monitor and lock/unlock their own credit reports.

Even if you aren't paying these companies directly, you're paying a company
paying them for credit reporting to watch for identity theft.

Calling it a perverse incentive is an understatement. Only the US Government
could have stepped in and made it unprofitable, but it appears as though there
will be no significant punishment for Equifax, and instead, as a result of this,
Congress made it harder to file a class action lawsuit against companies like
Equifax, so the next time you won't even have that option...

~~~
ams6110
Some states by law require that there be no charge for credit report
locking/unlocking.

------
macintux
I saw an apparently authentic local post on Facebook from a woman who received
a call from someone in law enforcement. She had apparently missed a jury
summons, and the official was trying to help her sort out the mess. He asked
her about her address (turned out to be an older address) and knew her
occupation, told her to meet him somewhere.

Something seemed odd to her, so she called the police and established that no
one by that name worked for them; she may have dodged a kidnapping attempt.

To make an incoherent and possibly bogus story short: this felt to me like a
possible outcome from the Equifax data breach. Random stranger knows your
(previous) address, knows what you do for a living, knows your phone number.
There could be even worse outcomes than identity theft from this.

~~~
macintux
A more direct anecdote: I just got a replacement social security card by
mail. All it took to do it online was information from my credit report.

Thanks to this breach, the only defense against someone getting my social
security card fraudulently is that it has to be mailed to my current address.

~~~
sgdread
You can put a credit freeze on your file in the major credit bureaus - this way
their website would not be able to verify answers on security questions and
would deny login.

Brian Krebs did a good article on the process of placing a freeze on your file
[1]

[1] https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

~~~
macintux
Good point, hadn't occurred to me to correlate that idea with the SSA's
system.

------
rbankston
Just have to add that in circumstances like this a corporate death penalty
seems appropriate. Equifax is an entity that you are not able to be removed
from in any way. When you look at the financial and security ramifications of
the breach, what was released, and the response, it seems appropriate. The
kicker is that Equifax also offers credit monitoring for fraud prevention as a
product to line their coffers.

~~~
ams6110
The corporate death penalty here would not fix the problem. The data are
already exposed.

Equifax market cap is currently $13.5B. Corporate death penalty would hurt
owners of that stock, maybe funds in your own 401K account. Thousands of
people would lose their jobs.

Would it have a preventive effect? Maybe but doubtful. There are too many
systems with too much data that are too old and too interconnected to think
that it's even possible to secure them all. If it wasn't Equifax it would have
been someone else, eventually. Most of what Equifax exposed was probably
already exposed in other leaks anyway.

Better solution should be developing new, secure methods of proving identity,
where leaks don't matter because it's not possible to leak anything of value.
All the old ways are now forever broken.

~~~
maxerickson
Power is part of the problem. Blowing up companies will have the effect of
diffusing power.

That they've managed to schmear consequences of that explosion across society
is a pretty circular reason for not damaging them.

~~~
ams6110
OK, say Equifax is blown up.

How does that get us any farther with the fundamental problem of how to prove
identity when all the old schemes have been rendered useless?

There's a revenge or punishment piece that maybe is necessary and appropriate,
but it doesn't solve any of the real problems we now face.

~~~
guitarbill
Maybe the other credit reporting agencies and other companies would take
security seriously. Sometimes breaches happen. Sometimes it's clearly
negligence.

And just because it's too late now doesn't mean the law can't be adjusted to
prevent it from happening in the future. If you don't learn from mistakes,
that's dumb. And obviously companies can't be trusted to do it themselves.

------
schainks
Don't forget, if you want to change your social security number, here's the
process[1]:

1. Prove you meet the conditions for changing it (you must show proof of
identity _theft_ and how it disadvantages you)

2. Show up at an office, in person, with original documentation.

Sounds like a great startup idea: make fixing 143M citizens' identities as
easy as ordering a pizza. Or create the Uber for people who will stand in line
for you at the Social Security office.

[1]: https://faq.ssa.gov/link/portal/34011/34019/Article/3789/Can-I-change-my-Social-Security-number

~~~
xtony
Cool idea. YMMV with this, though. The government accidentally assigned me
someone else's SSN (had the same first/last name as me and was born in the
same hospital) and it took about 2 years to rectify.

~~~
mehrdadn
How did you find out?

~~~
xtony
The other person was able to use his/my SSN to "mistakenly" withdraw a large
amount of money from my bank account. That was what first tipped me off.

------
wmeredith
Serious question: at what point does it not matter that your identity has been
stolen simply because everyone's has been stolen? I mean, we're approaching
that point, right? The size and scope of this breach basically encompasses the
entire adult population of the US, does it not?

~~~
ams6110
We're certainly at the point where there's no reason to believe that your data
has not been exposed. Whether it's been used to commit fraud is another
matter. The odds are in your favor by sheer numbers but who knows for how
long.

------
lmkg
It has been _eight months_ since the data breach was announced (nine since it
was discovered). This is the first time we are getting a full reckoning of
what data was accessed. (We knew it was ~150 million SSNs, but we didn't know
what else it included, e.g. address history, income, debt, etc.) I'll admit,
Equifax actually exceeded my expectations in this regard; I was skeptical that
they would be able to create a document like this at all. Still, the impact of
the data breach was magnified by the fact that they have so little oversight
over their own systems that reconciling records took more than half a year.

Any time there's a privacy issue nowadays, I like to play "What if GDPR?" GDPR
would have required this document be filed to the relevant authority in _three
days_ (Article 33). And the work to compile this document would have mostly
been front-loaded by complying with the documentation requirements in Article
30. I don't think GDPR would have made a direct impact on preventing the
breach (other than maybe causing someone to look at the towering pile of
paperwork and consider thinking of the data as a liability), but affected
users would have been much better prepared to know how they might have been
affected and how to respond.

~~~
kingnothing
In three days (where possible). Equifax would have said it was not possible.
The benefit of GDPR is that you could request that they delete any data they
have on you. I also believe they wouldn't be able to collect this personal
information in the first place since you don't have a business relationship
with them.

------
eyeareque
Can EU citizens request that Equifax purge them from their systems? If so, I
wonder what would happen if you deleted yourself?

