Hacker News new | past | comments | ask | show | jobs | submit login
The Equifax breach may be the worst leak of personal info ever (arstechnica.com)
559 points by mozumder on Sept 8, 2017 | hide | past | web | favorite | 325 comments

Why are identifiers being treated as passwords? It's 2017 and my mind is boggled that we continue to use SSNs and thumbprints as passwords. These are more akin to usernames. Why is our most important information not protected by passwords, or better yet, 2 factor authentication?

If I try to spend $1000 on my credit card at IKEA, my bank usually calls me to confirm the transaction. However, we don't have such a system when handling our most important information? Why is this allowed to happen? How many people have to be damaged before they stop watching Tom Brady throw touchdowns and get out there to make a difference?

> If I try to spend $1000 on my credit card at IKEA, my bank usually calls me to confirm the transaction. However, we don't have such a system when handling our most important information? Why is this allowed to happen?

It's allowed to happen for the same reason the US uses credit cards without PIN numbers - a lack of desire to spend money on security/upgrades (it's easier to pass on the cost of fraud via the transaction fees), a weak regulatory structure for protecting consumers, a glacial rate of technology adoption in banking systems, and ignorance/unwillingness to evolve by customers/businesses/executives etc.

Don't forget the odd US anti-fed/anti-state bend which led to your identity being smeared across thousands of untrustable private companies linked through a something never originally intended as an identification token (SSN) but having become done so for the sole reason of being nigh-universal.

Had the US implemented a proper citizen's registry it could be managed as that with all the security and personal details isolation that entails, including but not limited to biometric and chipped ID cards.

The US cannot implement a proper registry, large sections of the country would freak out.

Interesting. What sections?

The sane. Frankly people who use this kind of language to insist that the only way to achieve this is through the state are just looking for excuses to be mean to people who don't trust the state.

We've had public key infrastructure for a long time, we have also had legal attestation; the reason we don't use these things to secure this information is that nobody cares.

When the state does it, you get breaches, but nobody gets all that upset. Just look at what happened with the data breach and subsequent coverup in Sweden. One person had half a month's salary docked, and that was it.

It isn't that nobody cares. Many people definitely care. Maybe not everybody cares, and maybe even among those that do there's only some subset that's actually capable of proposing effective solutions to the problem. But I know plenty of normal everyday people outside the techsphere who would prefer if data privacy and authentication worked better and are scared by data breaches like this.

The apathy is really more of a practical matter -- they don't feel like they understand the problem or know how to solve it, and they don't feel like they'd have the power to do something even if they did.

They correctly realize that we don't have a system where entities like Equifax are accountable to individuals that care. The only way you'd get that accountability is through some kind of collective action.

Same thing is true for widespread adopting of PKI-based schemes. Saying "nobody cares" is about as true as saying nobody cares if the oil in their car gets changed -- they don't want to have to pay attention, they don't want to invest in understanding/adopting, and maybe rightly so because there's so damn much that already requires attention. But you might get adoption among private institutions that matter by some kind of legal policy.

A state-run identity registry and authentication solution isn't the only way, to be sure, and I think it's a weird shibboleth in the context of democratic republic run by elected representatives, but since it's not the only solution, nobody needs to die on that hill.

But by the time you're talking about society-wide improvements that address the relevant problems, you're almost certainly going to be invoking government-like powers. The issue you've discovered here isn't about who/how many people care, it's about one of the limits of market-like institutions to transform some forms of concern into effective action. Something even for people who don't trust the state to think about.*

(Also: "people who use this kind of language to insist that the only way to achieve this is through the state are just looking for excuses to be mean to people who don't trust the state" deserves an eye roll so hard. It's manifestly true that there are people out there who enjoy trolling, but the idea that's the only possible motivation is a non-starter and not a good way to indicate you yourself are approaching a conversation in good faith.)

(* I also don't trust the state, just like I don't trust many forms of private power. But it turns out both can be situationally useful and beneficial if you can get the balance right.)

Also: "people who use this kind of language to insist that the only way to achieve this is through the state are just looking for excuses to be mean to people who don't trust the state" deserves an eye roll so hard.

You can roll your eyes all you want, but there are valid historical reasons for being concerned about the extent and disposition of the data that a government collects on its citizens or subjects.

Corporations didn't intentionally kill 100 million of their own customers in the last century alone. It took governments to do that.

There are certainly valid reasons to be concerned. The eye roll is for the comment about the sole purpose of being "mean" to people who disagree.

Me. The less sensitive information on me that is centralized, the better for my privacy and security, as very clearly demonstrated by this leak.

If you think Equifax's security is bad, wait until you see what it's like at any government agency that doesn't explicitly focus on security.

It's also pretty unlikely that a credit bureau decides to use vast stores of personal information to prosecute people, but governments have done this several times throughout history, perhaps most notably during WWII.

I like to think that fewer try to hack US government services because of the consequences. Attempting to do so would get a black hat chased after by multiple three-letter agencies.

I'm sure the FBI is looking into the Equifax breach but not as hard as if someone breached the Social Security Administration.

You have too much faith in the federal government 3-letters:


> The less sensitive information on me that is centralized, the better for my privacy and security

This is interesting. I don't agree or disagree with it; I'm not informed enough to stake a position. But as a thought experiment, if we took it as given that any information a given entity tried to keep secure will eventually be revealed publicly, what kind of security infrastructure would we end up with?

A highly de-centralized one, with information joined together across services only after authentication, authorization, and a lot of artificial identifiers. Or at least, in a context where the people driving product decisions place a high priority on security.

In reality, we're in the world you hypothecate right now. Centralization is really convenient for a lot of uses, and security advocates are rarely in a position to impose the kind of privacy controls the rest of us might like. And the average people who buy services LOVE the convenience enabled by centralization - until there's a breach, and they disapprove for a few days.

I don't think we're proposing a centralized information store- only an identity service.

"Real-name" identity services inherently need to know and store a great deal of identifying information. It's also naive to assume that the government would stop at a straightforward oauth service. They are going to add request tracking (if they don't have it already), background check data, etc. It's too politically and practically appealing to leave it even as privacy-preserving as, say, google oauth (which is a pretty low bar already).

evangelicals. they believe any sort of government issued identifier is synonymous with the biblical 'number of the beast' and a step towards biblical armageddon

don't forget libertarians too.

Pretty much everybody with a brain. Or who knows government officials with lists can turn many people into ashes.


Many (not all) Christians believe such a system to be the biblical "mark of the beast" as described in the Book of Revelation.

That's the most politically significant opposing group, IMO.

Uh, "mark of the beast". (I usually don't correct other people's spellos on HN, but this one could be confusing.)

Thanks, fixed the typo.

Don't forget the odd US anti-fed/anti-state bend

What do you find odd about it?

Had the US implemented a proper citizen's registry

Thanks, but no thanks. We don't need to do even more to enhance the ability of the State to monitor and track out every activity.

Seems to me we got both pervasive state tracking capabilities AND poorly secured private systems too.

And it's interesting to note that the use of an identifier like the SSN spread not because its wide use was mandated (in fact, it spread despite being discouraged) but because it turns out organizations both public and private have the same incentives that drive them to want increased legibility throughout their systems through such an identifier. And most individuals also have a motive to want them to be able to positively identify and authenticate them (and negatively rule out imposters).

It's almost like it'd make a good utility, though that's not the only possible solution.

And the anti-govt bend is odd for at least two reasons: in a democratic republic with an elected representative government, it's pretty weird to treat the feds as a hostile occupying power. And two, even among those that do, their opposition often seems to have a cargo-cult focus on certain lines as tokens of liberty (firearms, national id, taxes) rather than frequent demonstrations of insight about the balance between having a useful federal apparatus and different ways that it can be (and is!) limited and checked.

>in a democratic republic with an elected representative government, it's pretty weird to treat the feds as a hostile occupying power.

But that's exactly our ethos and, I think, our major problem. We believe the gov't doesn't work, so fight hard to make sure it doesn't work, then sure enough, when you need it to do its job, it can't, and so it reinforces the negative loop.

It's probably why we're at where we are now where a large percentage of the voting age population didn't vote on two candidates no one really wanted to run a gov't while ceding most of our representatives to the power of the corporate world, rather than the people actually being able to hold them accountable. But that gets even more off-topic.

Sorry. And thanks for the very cogent statement vs my ramble.

>>> And the anti-govt bend is odd for at least two reasons: in a democratic republic with an elected representative government, it's pretty weird to treat the feds as a hostile

You don't explain why you think the sentiment "is weird". Maybe you have never been the target of repression so congratulations.

Government officials with lists are potentially very effective ashes-creators:


Read: IBM and the Holocaust

Thank you for stating my thought likely more clearly than I would have.

Ironically, at most companies that use SSN's for ID, someone impersonating you doesn't usually don't even need to know your full SSN, just the last 4 digits will do.

It's not ironic, it's exactly what I pointed out: for lack of a proper universal secure ID, people (including the federal government itself) started using the improper insecure one which was there as it was universal enough for most purposes.

At least we have cards with chips in them now, so there's some movement on this. Maybe gas stations will have them by 2020.

The chip implementation in the US provides zero incremental security. It was done as part of a liability struggle between shops and credit card providers, not to improve your life.

I wouldn't say it provides NO incremental security, EMV defeats skimmers which is a pretty big issue - but until everywhere has it deployed and magstrips are no more we're still in a phase where the benefits are partial at best.

> and magstrips are no more

There is zero incremental security because of this. Why pick the lock on the door when the window is open?

Sigh. You have to deploy the new stuff before getting rid of the old stuff. If everyone had this impatient attitude, instead of taking many years to improve credit card security it wouldn't happen at all.

I don't know what to do with comments like this.

I made a statement of fact. I'm making no normative claims, I'm describing reality. At this point in time, there is zero additional security provided by the implementation. Am I supposed to ignore reality and lie about it, because someday things will be better?

Saying "For now, there is zero incremental security" would be better. But it's not really zero since it protects against credit card cloning at a particular point of sale.

Eh. Humans don't generally qualify their statements that way when informally describing things. "Did Bob graduate college?" "His educational background may improve in the future." If you want me to sound like a PR-bot, you can pay me to write copy for you.

> protects against credit card cloning at a particular point of sale

A sieve stops water from streaming through at particular points in the mesh, too.

> "Did Bob graduate college?" "His educational background may improve in the future."

Your black and white reasoning is not how most humans think. What if the answer is "Bob graduates in a month."?

Applying for jobs my senior year of college was such a pain because of this. Why is there so often no degree option for "I will have my degree very soon".

If you had paid attention to the conversational context, you might have noticed how irrelevant that comment is.

There are already less skim targets as some stores only accept chip.

I almost wish EMV-capable ATM's would stop holding the card captive until the magstrip is abolished, they're one of the best targets for skimmers so only inserting the card partially would help deal with magstripe readers attached to the machine. It's increasingly rare I go to a store that doesn't have the chip reader or NFC enabled, but every ATM I use still insists on eating my card.

ANZ bank in Australia has actually started rolling out Contactless ATMs.

Which is great, as even some chip ATMs you put the card in far enough to have a magstripe skimmer work on most cases (presumably so that they work with the magstripe cards also)

Not the case for contactless!

(Of course here in Australia, Chip+Pin is Universal and Contactless is near-universal... I can use Apple Pay almost everywhere even small shops and have been able to for several years.. different story to much of the world)

Now the one thing that annoys me, is that currently shops here despite having separate payment terminals customer facing (largely for pin numbers) still operate sometimes on you handing your card to them - which is totally not necessary - especially in drive throughs. This is getting less common with tap to pay using mobile phones as people are (somewhat amusingly to me, given the value potential) hesistent to hand their phone to someone versus their actual card. I really wish merchants would enforce hard not letting the shop assistants handle cards (at least, prompt to handle it, if someone really wants help I'm not against that, but I don't like the default expectation).

But I also realise this kind of thing is much more common in some places so your mileage and feelings may vary.

Even in Canada, where we’ve had the chip + pin for far longer, the ATM eats your card. After a certain amount of incorrect PIN attempts, or the bank flags the card, it will not release the card.

You can get the incremental security easily at home: swipe over your card with a strong magnet. Now card thieves (and you) can only use chip & PIN payments.

As a warning before trying this for real: most ATMs annoyingly check both the chip and magstripe, so you won't be able to get cash out even in countries where chip & PIN are the widely used in payment terminals. Found out by carrying my cards in a phone case with a snap-close magnet.

Eventually banks are going to stop issuing cards with magstripes on them. But this will take years, until everyone has both on their cards and both readers in their terminals.

A chip immediately stops all attempts at cloning a card. That rendered all the ATM-addon style devices useless.

Even if they have newer terminals, they are still going to accept signature, so essentially there's zero security. The only way forward is to stop accepting the magnetic strip + signature altogether.

Are you sure about this? In Canada we've had chip-and-PIN for almost a decade now (2009 I believe?), and almost all merchants have chip-capable POS terminals.

(Yes, really! I don't know what the delay is in the US.)

These terminals still have a mag stripe reader, and our cards have mag stripes as well. But they're just for compatibility: if you try to use the mag stripe of a chip-capable card on a chip-capable terminal, it beeps at your angrily and tells you to use the chip.

Yeah, and you just put some paint over the chip, it will beep 3 times and then let you use the signature, even for cards which are marked "electronic use only". It's a failsafe for situations when the chip is genuinely damaged, the terminal lets you sign for the transaction.

My interac card doesn't - if the chip fails the terminal will occasionally tell me to use the magstripe but the transaction is always declined.

Why would you want to disable the chip?

I wouldn't - I'm saying someone can trivially damage the chip on a stolen card and just use the mag stripe and signature instead.

Ah, I get it. Thanks for the explanation.

And Canada was only, what, a decade behind Europe? :)

I have a Sams Club credit card that has the chip & PIN feature. They state that the PIN is required when using it at Walmart and Sams Club, but I have used it in other places and have had the transaction go through with or without a signature (the latter of which was for a purchase under $50).

Do the terminals have an order of preference in terms of what's required for payment. For instance, try chip+pin first, then try chip+signature, then try mag stripe+signature? If that's the case, then I don't see why all stores that have chip readers won't start using chip+PIN as a first preference for payments with chip enabled cards.

chips have just become another salvo in an arms race between merchants/consumers and fraudsters. A chip card is more prized than a non-chip card so the rewards for capturing one is higher so more work is justified in cracking into one.

That's because the US government doesn't provide a convenient and reliable way of proving physical identity. And that's mostly because the people don't want it.

Most countries have some form of universal photo ID, and a copy of it is usually required, along with a signature that matches. Not perfect but better than a simple number. Some countries like Estonia include a cryptographic token in their ID, protected by a PIN. That's the 2 factor security you wanted.

But people in the US tend not to like the idea of government IDs. But when such a thing is needed, they use the closest thing they have, and that's the SSN.

That's because the US government doesn't provide a convenient and reliable way of proving physical identity.

And that's a Good Thing. Government should exist to protect property rights, provide rule of law, and maybe to enforce contracts. Managing everyone's identity is clearly not something that the State should be involved in.

It's not clear to me. Care to elaborate? Seems like a good thing to know how many citizens are in the country, for keeping track of voters if nothing else.

In Denmark we have a government sponsored two-factor authentication system linked to the Central Person Register or CPR number which every citizen gets assigned at birth. The two factor authentication is used for all communication with state and municipal and for all banking. Works quite nicely from my point of view. Makes a lot of things a lot easier.

Your position makes sense if you trust your government, many of us don't trust ours thus his position.

How do you enforce such things without being able to identify and validate that the parties in the dispute are who they say they are ? Example how do you make sure that the crime ends up being recorded against the right John Smith ?

The US government actually does have a a convenient and reliable way of proving physical identity (a Green Card for example serves the purpose of identifying permanent residents), they've just declined to deploy it more widely.

US citizens can legally exist without any government identification or documentation whatsoever - no SSN, no birth certificate, no driver's license, no state ID, no nothing.

It deals with them the way the government dealt with such cases before government identification ever existed - who do you say you are, and who do other people say you are? Where do you and other people say you live?

In your example, in the modern age, "John Smith" would have an arrest mugshot to aid with identification. Whatever criminal records are kept would probably just have the missing information blank. It's not as if there's a big database of citizens with Felon? Y/N as one of the fields, making you run the risk of marking the wrong John Smith as a felon.

The world is a very messy place - the US system does an okay job of treating it as one.

Same in UK. We don't need to carry passport or visual ID with us.




I still have a paper driving certificate, and it is still legal (https://www.gov.uk/exchange-paper-driving-licence). I used it 2 days ago in Germany to hire a car. I have resisted "upgrading" to a photo drviers license because my address is still valid, and the photo driving license isn't (at least wasn't) valid without the paper extra anyway. If it ain't broke...

In reality I carry my passport in my briefcase because I both travel overseas fairly often, and visit customers where it is necessary to show a photo id and that is all I have.

As I recall, you may be required to report to a police station and show an ID or proof of identity if necessary - within a few days. But without evidence to the contrary (and subject to powers listed above for police), you are believed when you identify yourself.

It seems to me that all three of the above depend upon being able to certainly verify someone's identity.

Agreed. Any company worth its salt should allow me to authenticate myself purely cryptographically if I want to do so. This is easier, more secure, and more human-friendly than a centralized government ID registry.

Unfortunately, most companies aren't worth their salt.

Incidentally, even SSNs are not universal. You are not required to have an SSN, and some religious groups opt out.

Cost of repercussions due to lapse of security <<< cost of fixing it.

Until Equifax and the like get sued out of business, Equifax and its shareholders won't feel the heat.

Time for the class action suit to dwarf all other class actions... liquefy Equifax and turn its assets over to the 143 million.

And as is the case for every class action suit ever, some lawyers make a lot of money and everybody whose information was compromised by Equifax gets a check for 24 cents.

Honestly I don't mind too much. At this point I just want significant punishment for those who allow massive data leaks so there's a reasonable deterrent for other companies. Something needs to happen to make these executives take data security issues seriously.

Don't fall for the "credit monitoring" bait they're offering then - accepting it nullifies your class-action rights.

The monitoring benefits (Do to their negligence) is probably worth more than the $10 you'll get out of the CAS.

It would be better if we could get the monitoring from one of their competitors on Equifax's dime.

"Worth more" in the sense that they probably charge more for it, but I doubt it would cost Equifax as much to provide that service as it would if they actually were forced to cough up real money.

They've already built out the infrastructure necessary for the monitoring product. The marginal cost of every additional person they add to it is probably quite low.

I bet the other two credit bureaus would be much more careful about security if that happened.

>Until Equifax and the like get sued out of business, Equifax and its shareholders won't feel the heat.

Equifax's breach might be deserving of it being sold to the government for pennies and having leadership reorganized (read: fired), but I don't think we can nuke it out of existence immediately. Primarily due to it being relied on by so many other banks and services.

There's three other companies that do the same thing.




Just like bikeshedding and risk perception decreasing near sources of catastrophic risk, never discount the powers of rationalization and cognitive dissonance.

Ultimately a major cause is that America doesn't have a national ID, PKI or 2FA systems. And, as such, there is the de-facto, cargo-cult tradition of ultimate reliance on inadequate systems designed for retirement pensions and drivers' licenses. People must give up the "states rights," delusions of privacy and other similar fallacies already and demand proper authenticated and authorized identity, banking and credit systems that require positive, possibly-interactive authorization to use details or complete transactions. Such tokens/documents could be physically enrolled/administered just like passports at USPS.

Because it's not a simple problem. If you ask me for a loan, how do I know who I'm loaning the money to, who will be accountable for paying it back to me? If we have no prior relationship, then there's no pre-existing password I can use to authenticate you. What's your solution?

A government provided security token of some sort, backed by a government database? A lot of people have all kinds of problems with those, from trusting government's intent, to their competency, to their security.

A private party identity provider? Go start it.

Why don't do it like we did for hundreds of years? Get to know the person you are lending money to.

Oh yeah that's scalable...

Fixing it costs them more money than leaving it alone, is the reason.

How would you implement 2FA without making your personal phone number publicly available for anyone to attempt to authenticate with? It's not the same as your bank calling you when you already have an account with them - we're talking about a new bank, who you have no relationship with, trying to call you to verify your identity.

A true public key system opens up each individual user to malicious spam. Given the current prevalence of phone, mail, and email spammers, such a system would create more problems than solve.

SSNs could technically be passwords. The problem then is that data servers need to not store SSNs in plaintext, but rather store hashes of them, just like passwords should not be stored in plaintext.

In fairness, Tom Brady had zero touchdowns last night.

SSNs are not even supposed to be used as identifiers in the first place -- that it is being used as the key identifier to determine your creditworthiness is already mind-boggling.

I've been saying for a long time. Companies that store sensitive information should be required to insure it. Want my SSN for some inane reason? 5 million^H^H^H^H^H^H^H^H^H 500k dollar insurance policy on each one. Seem excessive? Better buckle down on security or better yet not store extremely sensitive and damaging information for arbitrary reasons. There is literally zero reason or consequences for any company to care about security right now.

I understand the emotional appeal of overselling the problem, but you'd get much better response with a $50K insurance policy than an obviously absurd $5M. Even $50K is sort of generous and probably generally more towards the worst case end of identity theft than the average case. It is plainly obvious to everyone that when Bob the upstanding middle class guy is hit by identity theft that Bob may experience great loss of money and time from his point of view, but that identity theft was not the one thing standing between Bob and $5M.

At scale $50K still adds up to a lot, and we'd probably have to cap it some other way too because at-scale breaches don't add up that far, because the system does in fact react to them. This particular breach would be a seven trillion dollar payout if we don't cap it, and the simple reality is that this breach, no matter how much pain it may eventually cause us, is not going to cause anywhere near seven trillion dollar's worth of damage to consumers, or the economy, or anything else. But $50K makes sense for isolated cases that don't get a coordinated response.

Why would you cap punitive damages? Sure, it won't be collected, but that's okay--this sort of failure should destroy a company that betrayed the societal trust. It should be a smoking crater when all is said and done.

We should go one step further and just terminate consumers that use companies that don't have good security. That way it will never happen again for sure.

I can get on board with this as soon as you figure out a way to require security training for the masses as opposed to the handful in charge of security.

If you get it to work, we can then proceed to get rid of police departments.

Not the person you replied to, but while I see your point, there should not be a cap to prevent companies from taking consumer trust for granted, especially at the scale and magnitude of companies that handle almost all American's information. If a person's SSN is pretty much a key to screwing that person's financial life up is not worth protecting correctly by these companies, these companies should be financially screwed too. In the current state, will Equifax be held liable for any identity theft that occurs from this breach?

I think we can probably all find a cap somewhere south of 1/3rd of the 2016 United States GDP for a single breach.

I mean, really, once you get past the amount of assets that Apple holds, it's all the same penalty anyhow: Instant corporate bankruptcy. Arguing about whether we penalize a company trillions of dollars or quadrillions of dollars is not really an argument.

insuring for the "average case" defeats the entire purpose of insurance.

Making insurance obligatory also would force companies to implement proper security to drive insurance premiums down.

I really like this idea and I wish the government actually cared enough to try it.

Too bad the current party in power has only one mandate: tear down everything the last guy accomplished.

Honestly this kind of idea would appeal to the MAGA crowd.

Would it?

I can imagine at least some companies would stop worrying about security since they are insured if something goes wrong.

That's when insurance companies make premiums depend on your security. E.g. (some (our)) home insurance premiums depend on the quality of your lock, etc. It's a case of let the market sort it out.

Maybe it's better to enact legislation to stop using the SSN the way it's used today.

Do you mean something like the Privacy Act of 1974?

Can you expand on how this law is supposed to help but doesn't?

How is this law supposed to help with this situation?

Summarize what you think this law is preventing in your words and we can compare it to what the law actually says.

The Social Security Administration could make everyone's SSN public[1] immediately and then we could watch the entire credit industry scramble. Probably not a good idea without a reasonable alternative already in place but I think a certain amount of grim satisfaction would be gained in seeing the issue forced.

[1]: But unfortunately they may be constrained by the aforementioned Privacy Act of 1974.

I think you and OP both hit valid points that should happen, but never will under government.

However, on the blockchain...well that might just happen, but it won't be a government running the identity system.

What about on the cloud? Or on the world wide web? Or the information superhighway? Are those buzzwords too outdated?

Wow, sounds like a real paradigm shift.

Yes and lets lose the ability to trace any and all criminal activity. Underground crime will love that - bring on the golden years!

I honestly can't tell if you're arguing for or against the blockchain here, but regardless, I think you've misunderstood my comment because I left off the /s tag.

It is a mistake and perhaps Pollyanna-ish to believe a governmental entity has not and cannot exert control over a blockchain ledger system of any kind either by means of protocol or other methods. In any case, I find it highly unlikely blockchains will not be implemented by various governmental agencies. As a store of auditable data, they would certainly be more trustworthy than some papers filed away somewhere or in some given database.

Certainly a lot of banks seem to be interested, and if banks can find a use for them I can't see why not governments as well.

I suppose a proper government issued ID number that doesn't double as a password would also be useful.

This isn't realistic. The cost would be astronomical for a 5MM insurance policy on each user. Further, no matter how seriously you take security there's always a chance, even if a minimal one, that a hack happens. So, for example, if you were a bank and had 100,000 members and you had their SSN's and were hacked you're talking about a possible $500B settlement. The bank wouldn't take out such a policy due to cost and no underwriter would grant it because it would put the company out of business.

insurance doesn't mean "pay out the max if anything happens", it means "cover damages up to limit"

if a hacker took my info how would I prove they got it from Equifax so I could get the insurance money?

wouldn't disclosure of hacks (by Equifax) be strongly disincentivized with this scheme?

wouldn't Equifax just lie to the public if they discovered a hack so that their insurance premiums stayed low?

worse yet, would Equifax just eliminate security audits and stop looking for hacks altogether so they could plausibly claim their data was secure?

Clear regulations with legal penalties and regular audits for companies that hold information like SSNs.

Maybe this would lead to a rise in secure storage firms that actually do their job with this so small outfits like employers could continue to identify employees without having to actually have a SSN in the database.

> regular audits

is the government going to do those? it doesn't seem to be able to do that sort of thing now. how will the government gain the resources, the capability?

The government inspects buildings, food, a number of things. Somewhat capably. For the record I'm not a big proponents of more government. But something needs to be done about companies irresponsibly holding personal information at this level.

i'm not against government regulations or government inspections, but it seems to me the government is mainly good at passing laws and regulations it cannot or will not enforce.

i don't see the government doing a good job of regulation enforcement.

sometimes it's corrupt (e.g. building inspection approvals in Los Angeles, where I live, have sometimes required side payments to the inspectors).

sometimes it's underfunded. one source estimates that only 2% of imported food is inspected: http://www.nbcnews.com/id/44701433/ns/health-food_safety/t/f...

And similar to travel insurance, they'll make it an option you pay for.

In fact, it's the best case scenario for the company, to make even more money by selling insurance for protecting the data you just gave them.

Another commenter, who now deleted the comment, said: "There's a 44% chance you were affected, but a 100% chance you waive your right to be in a class action lawsuit if you enroll in their ID protection."

I thought it was a good comment, but I wonder if it matters.

How much would you get? I have been a member of these class action lawsuits before, and I get, like, $3 for my troubles at the end of the day, so I never claim the prize because it's another database where my SSN would be stored and stolen from.

I think the best is to freeze your credit report and deal with the troubles of having to unfreeze it when you need a loan.

If there are expert people from the Fin Svc industry here, is the above correct? Is freeze pretty much the only reasonable action now to protect ourselves?

Saying it's a 44% chance you're affected is really skewing things away from how severe they really are. At least 22% of Americans are under 18. There are actually 167 million Americans who own one or more credit cards, so this actually affects 86% of all US credit card holders.

Not to shamelessly promote, but as soon as this broke yesterday I brought this to the attention of my firm and we filed I believe this morning.


Could you guys push for free credit freezes and unfreezes going forward instead of some sorta ridiculously small monetary comp. It should be free at all bureaus, with Equifax picking up the bill for unfreezing and freezing at the other two.

And. Make it possible to do the process online for all three credit reporting agencies (one of them still requires a phone call). Having to pay and spend at least 20 minutes on the phone to lift your credit freeze because is just ridiculous.

Better yet, lets do away with credit reporting agencies. Why should any oligopoly or, indeed any non-government entity be allow to have the power to cause so much harm to is with effectively no accountability?

How do you prove your identity when freezing and unfreezing? Is it similar to how you "prove" your identity when you apply for credit?

You would use a PIN that is generated at the time of freezing the account. However, this doesn't prevent a future attack from obtaining the PINs.

And if I forget my pin?

I'm just a developer in marketing, but I can suggest it.

Well, at least let them know that some nerds on the internet asked for this :)

Glad filings are being made already, I wonder if it will be possible for someone to also seek relief/guidance for individuals checking to see if they were breached on trustedidpremier.com and may be inadvertently waiving their rights to class action suits and instead being forced into individual arbitration.

Based on the fact their privacy policy and terms of service were just updated on Sep 6, this seems pretty blatant. Browserwrapped agreements haven't held up in most cases, but having the arbitration clause at the very beginning seems to be point of the entire thing. Pushing a notice 41 days after a breach (just in time for the 45 day requirement in most states) and directing individuals to check if they are impacted all while tricking them into waiving rights. Seems deceptive to me.

It'll be pretty epic for the class if you guys manage to settle this one for tens of millions of dollars too.

Another firm that filed in Oregon yesterday said they're seeking up to 70 billion in damages for clients nationally.

That's right, billion with a B.

I was just making fun of the info highlighted in the press release. If I have it right, the Target breach affected 41 million people. Helping them put it in the rear view mirror for ~$10 million is quite a service.

Maybe it was a different Target data breach?

That's how class actions work. The lawyers extract a fee from the perpetrator as protection against larger settlements/judgments. Perp limits their downside, law firm gets paid, consumers are left holding the bag.

AFAIK, one of our attorneys was involved in 2 with Target, one for $10mil and one for $13mil. We're also involved with Home Depot and other data breach cases. They scope of those breaches is much smaller than this one, by the way.

I'm just saying that some firms try. There's really nobody making them accountable otherwise.

This isn't Equifax's first data breach and the others are pretty recent too.

To date, having been a participant in three - that I was notified of by email - I've netted about twenty bucks.

But I'm also not sure what the benefit of enrolling in their ID protection scheme is, given that the whole reason they're offering it is because they already gave it out to some rando on the internet.

It's rather like paying the schoolyard bully to stop taking your lunch money.

I've received $20.43 from the Perkins v. LinkedIn class action settlement. Personally, it's not about the money, but rather about trying to hold companies accountable for their actions.


Exactly. People complain about how the lawyers who managed the case (sometimes for years!) take most of the payout, but so long as the company's risk/reward math is tipped towards the safety of their customers I have no issue with not seeing much of the settlement.

>the lawyers who managed the case (sometimes for years!) take most of the payout

This meme is part of the problem. The lawyers take maybe a third of the settlement, after bearing most of the costs of litigation themselves, which they would still bear if they lost. It's high risk/high reward. Lowering the reward just means no lawyer will take the case.

Quibbling over "most" is beside the point.

There is a real issue where the incentives for the lawyers don't line up well with the interests of the class. The lawyers likely do pretty well if they settle a huge case for tens of millions and the main thing that happens for the class is they can't file a lawsuit anymore.

The financial penalty for the company is better than nothing, but it often isn't all that much and often doesn't do the class any real good either.

Part of the reason that is an issue is that they're settling for much smaller amounts because the cut they get is big. So you have some massive data breach cases settled for things like $10 million. That's not even punitive at that point for companies like Target.

In practice it seems it basically just winds up being a big payout for whoever actually filed.

> Personally, it's not about the money, but rather about trying to hold companies accountable for their actions.

I'm not entirely certain that a class action settlement is a sufficient deterrent; do the payouts typically hurt the company enough to not take some given risk again?

But didn't you have to provide your SSN to them? That would seem like a huge risk to give your SSN to some paralegal somewhere or some Wordpress plugin and MySQL unsecured database right?

This is a space where I think the id theft protection industry misses. A large chunk of the space revolves around the 3 bureaus, but there's a lot more to it than that.

A credit freeze is only effective if the entity using your information actually checks your credit/talks to the bureaus.

Tax fraud, healthcare fraud, shady car dealerships that don't care about your credit, buying a house where the seller 'holds the papers', etc, are all attack vectors that can be used with this sort of information.

> the best is to freeze your credit report

A question that came up among my coworkers and I was: given the nature of the data that was accessed, don't the thieves already have all the info needed to unfreeze your credit?

When you freeze, they give you a PIN to unlock it. You can't unfreeze with just your hacked data alone. Of course, the PIN is probably in the next column over, so...

They've almost certainly got a "forgot my PIN" flow, too. Otherwise a forgotten PIN would mean a lifetime loss of access to credit.

What do you want to bet it uses stuff like your SSN to verify?

For Equifax, you are exactly right [1]. If you lose your pin you just ask for a new one and provide some basic form of id.

[1] https://help.equifax.com/s/article/ka137000000DS9XAAW/What-d...


> Please provide proof of identification, such as a copy of your driver's license, passport, birth certificate or other proper identification forms.

Given that the hack included name, SSN, date of birth, and address, a fake copy of one of these should be incredibly easy to generate.

edit: Driver's license numbers were also leaked in some cases. Fun.

Even worse: In a number of states, the DL number is deterministic based upon name and DOB.


I don't know if it's still the case, but Virginia used to your SSN as an ID. There was an opt-out for that, which I exercised about 25-30 years ago, so I don't know if that policy is still in place.

There was no mention made that unfreeze PINs were leaked. When you freeze your report with the three CRAs, you are given an unlock code or PIN needed to unfreeze it.

(At least for Equifax) you can get a new pin if you provide a basic form of identification. Guess what they accept? The very things that were stolen.

That's not clear from their help article about it [1], depending on what, in their definition, constitutes "proper identification forms":

"If you lose the PIN that was issued to you when you added the Security Freeze to your credit file, you may request a new one in writing. Please provide proof of identification, such as a copy of your driver's license, passport, birth certificate or other proper identification forms."

[1]: https://help.equifax.com/s/article/ka137000000DS9XAAW/What-d...

Yea I really want clarification on this before I fork over $30 to the mafia families, I mean credit agencies, to lock my credit score.

The point of a class action suit isn't really the individual gain; it's the pain it's supposed to make the corporation feel. Providing a free trial of their stupid credit monitoring service probably doesn't do that.

It matters a great deal, because the company is saying, in effect, "We will help you mitigate the consequences of our failure, but only if you indemnify us against being held accountable."

I'd be happy to get nothing if they were enjoined from storing any data on me with a hefty penalty for non-compliance.

> you waive your right to be in a class action lawsuit if you enroll in their ID protection

Good luck to them trying to get that to hold in a court of law. Remember that it's ultimately a judge's decision on whether or not legalize like that has any real power.

I've been a member of many class action law suits. Often the payout is literally pennies, maybe dollars. But I have been a member of one class that received several thousand dollars from one suit. So it can happen, it's just rare.

Huh? I've been a part of many class action suits and received many hundreds of dollars. Better than just giving up.

I just used their "check if you've been compromised" tool on their crisis response site and they are using it not only as a notification service for potentially affected customers, but also as a lead generation tool for their TrustedID Premier service.

We need a new word, "chutzpah" isn't strong enough in this case.

I think the word you are looking for is gall. As in sheer unmitigated gall.

If we're lucky, this will be the best leak of personal info ever.

The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations. I've long thought that we should phase this out by committing to publish all SSNs (and the associated info, obviously, so it's not just a list of most 9-digit numbers...) which would force all these companies to stop treating it as confidential.

The system is dumb and works poorly, but worked will enough that there was no impetus to fix it. Some people got affected by breaches, and it sucked for them, but it was always a small enough group that most people didn't care.

Now that a majority of people's "secret" info is no longer confidential, maybe they'll realize they can't rely on it anymore.

OK, the odds of this actually coming to pass are not great. But I can hope.

For anyone who wants an explanation at just how bad the social security number really is, this is the most enjoyable explanation for it I've seen, by CGP Grey


Wow. Having an ID card seems so normal to me that I would never have thought that the US didn't have any. I've been to the US before and never even noticed. Thanks for the link.

There's a substantial faction of the American right wing which is vehemently opposed to any sort of national ID scheme. They don't want the government having a big database of all citizens. Strangely, these tend to be the same people who want to require photo ID to vote.

I hate to play the recently poisoned "both sides" argument, but it really is weirdly widely unpopular. The ACLU in particular is strongly opposed to a national ID system.

I say this as someone who would strongly support a federal mandatory national ID system (and the ACLU, generally)

In this particular case, I think the "both sides" argument may well have merit. Thanks for pointing that out. I really should just say a big chunk of Americans.

There's a substantial faction of the American right wing which is vehemently opposed to any sort of national ID scheme.

Oh, I doubt it's a left-right thing. I'm pretty lefty these days, and I oppose a national ID. Some minority groups, like say Jewish folks, might carry bad connotations about putting everybody in a big database so we can keep track of (and categorize) them.

I believe the majority of these people would be against the Federal government requiring such an ID. They are likely fine with their local government, that they have more control over, handling such IDs which would be required for voting.

But, of course, there's not much preventing the local government from sharing the info with the Feds.

No, some of us would love for the government to have one in an ideal world, we just recognize that the US government that exists today is not competent enough to be trusted to run such a database. Just think about the topic we're discussing - do you really trust the US Department of Identity to not have breaches like this every year? The only difference is that we'd never hear about them.

Is there any reason the data in a national database would have to be confidential in the first place?

One can dream that the state governments would be competent enough though. I feel like it wouldn't be that hard to make driver's licenses / state identification cards mandatory at the state level (fewer people to piss off).

This is not a right wing issue, it's an authoritarian vs libertarian issue. Plenty of people on every side don't trust the government and don't want to give it more power.

To be fair, I've traveled many places that require national ID cards, and yet never carried my passport on my person, in violation of local laws. And I've never had an issue.

It's something so unlikely to come up in day-to-day interactions that it's not really that important. I'm sure if I got stopped in, say, France, and had no passport to show, they wouldn't exactly lock me up on the spot, they'd find a way to accommodate me.

I still only have a really vague understanding of what happens if a cop in the US wants me to identify myself and I refuse. If I'm not suspected of a crime, obviously, I can just walk away. I'm not really sure what I'd do if I was arrested for cause and refused to identify myself.

This is an excellent video. Thanks for sharing it. Are there any other videos by this guy that you recommend? I like his style quite a bit.

Others have already chimed in here, but I honestly can't remember a CGP Grey video that I wasn't thoroughly entertained by, even when I already knew all of the facts presented.

For amusement's sake, I really enjoy his videos on geography, such as (his first video ever) this one on the UK (which I guess might need updating soon?):


or this one on Scotland:


or my favorite geographical video, on the Vatican:


That said, they're all pretty great, so I'd just start with this list of all his videos in ascending order:


There are a lot. I thought this one was really funny [0]. This one I found very interesting [1].

Somewhat different, is the Hello Internet [2] podcast, which is by Grey and Brady Haran who you might know from the Numberphile youtube channel [3]. It's basically the 2 of them chatting about random stuff, but I find it very entertaining.

[0] https://www.youtube.com/watch?v=LO1mTELoj6o

[1] https://www.youtube.com/watch?v=LrObZ_HZZUc

[2] http://www.hellointernet.fm/

[3] https://www.youtube.com/watch?v=w-I6XTVZXww

All of them.

Back when I started college, my SSN was my student ID number. It felt weird, of course. I think there was a change in the law soon after I started college, because it did soon get changed into a different number of the same length.

Later on, I did a brief stint working for the federal gov't. In that setting, they used the SSN as our employee IDs. It was on all the personnel forms, and often seen on "list of people in the department" spreadsheets. Of course in order to comply with some law, these forms would also have a footnote explaining why they needed the SSN.

From these experiences, I have a very hard time actually thinking of the SSN as the sort of "secure password" everyone else wants to insist that it is. Unfortunately, I'm not aware of an alternative.

An alternative? You mean user-created passwords?

Pretty much why I'm not freaking out, yet.

If my SSN & other personal details get out, it's my problem. If the SSN & personal details of half the country leak out, it's somebody else's problem.

Whose I'm not sure, but it would seem like banks. At this point, virtually all potential credit applicant's details have been leaked, and I believe it's the banks that ultimately lose when they issue credit to a fraud. So if you're the bank, hopefully right about now you're starting to think you need a much better method to authenticate credit applicants.

Banks never lose. They just create a fee to pass it on, throw a party and hand out bonuses.

But... in this case, the overall cost may be high enough that there's a competitive advantage in not needing to charge this particular fee, and that will force the industry to do something about it. Maybe.

Banks are already charging all the fees they think they can while still remaining competitive. If they could have already charged another fee they would have.

> The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations

I'm not from the US. The first time i had an american friend explain me the SSN thing, I thought they were crazy, for the exact same reasons.

It is idiotic, as you say.

Here in my third-world country there isn't any number or code that I need to keep secret and I need to hand over to other companies at the same time.

If you don't mind me asking, because I'm genuinely curious how it works in other countries. Does your country have an equivalent of a 'credit score' like in the US, which would be used by financial institutions when they judge whether or not they can loan you money? If so, how is this score calculated, how does it aggregate all your financial information without a specific identifier, and how do you secure yourself from identity fraud/theft without having a 'secret' number to id yourself?

>If you don't mind me asking(...)how is this score calculated, how does it aggregate all your financial information without a specific identifier

We do have an specific identifier. Each person has an ID card, with an ID number. The ID number is not secret at all and used for many things everywhere. By the way, we don't have anything like a "social security card". Even kids have this ID card, their parents can (and ought to) request one for each kid.

This ID number has nothing in common with your birthday or anything. It is mostly a sequential number.

All aggregations are done using this (unique) ID number. So financial companies submit payment data associated to your ID number. So later credit scores can be computed as well.

The difference with this ID number versus the SSN is that our ID number is not used as a password of any sort.

How do companies or government institutions check out if you are who you say you are? They can take a look at your ID card. And usually they do have fingerprint scanners and signature scanners to check against the government's central ID registry.

By the way, last year we issued the Electronic Id Card, this one has a security certificate (public-private key cryptography) associated with it, and each person chooses (and keeps secret) a password. This password never needs to be revealed to anyone. With this password one can do digital signatures of any document, etc.

> By the way, we don't have anything like a "social security card". Even kids have this ID card, their parents can (and ought to) request one for each kid.

Nowadays SSNs are generally issued at birth, particularly since the IRS wants one for each dependent listed on the tax return. I believe this has been the case for at least twenty or thirty years; certainly my card dates from when I was born.

> This ID number has nothing in common with your birthday or anything. It is mostly a sequential number.

If it's a sequential number requested near birth that would mean that most people with the same birthday have similar numbers, doesn't it?

> If it's a sequential number requested near birth that would mean that most people with the same birthday have similar numbers, doesn't it?

In practice it is not requested near birth. It is sequential to the time you asked for an ID card, so people who asked for one in the same timeframe get a close number

It probably varies by country, but here you have a unique personal ID-number. First number denotes your sex, next six numbers contain your birtday, and the next four numbers are assigned (probably? not certain) in order of births during that day. Last number acts as checksum, allowing immediate check for typos.

That ID number is public and allows government & any companies/organisations you show it to immediately verify that they are dealing with a specific person, instead of having to spend time figuring out which specific person named "John Smith" they are dealing with. Having this number simply makes life more quicker and convinient. It also allows to remove any pointless duplications for cards.

For some examples: separate medical insurance card was discontinued, you can verify medical coverage by a simple number query. Same with drivers licences, they still exist in a separate physical forms for foreign trips, but but not inside the country. There is no separate libary cards, I don´t have to carry a separate card for my gym or various retailers.

I can verify myself online quickly and securely. I can digitally sign documents and contracts and email them. Honestly, I´m having hard time imagining my life without it. I´m aware that all proposals for national identification methods in the US have failed thanks to fears of "mark of the beast" and big brother, but it seems pretty silly to me. All that data already exists and can be cross referenced. Making average person waste more time and money by having such massive inefficiencies in the system seems rather silly in these times.

This ID seems just as insecure as a SSN.

"This ID seems just as insecure as a SSN"

There is a big difference: that ID is being used as a username whereas our SSNs are (usually) used as passwords.

Oh, that makes sense. What do you guys use for passwords?

SHA and PIN.

For online verification(banking, contracts, taxes, voting etc) you need both physical card and PIN at the same time.

Otherwise it works just as any other normal ID.

A personal primary key that's semipublic, and when you do a financial transaction the institution performs know-your-customer identification checks - checking photo ID (with key printed), that sort of thing.

Some even have federated systems where you can later ask the financial institution to hand out a 2FA crypto token that you can use to identify yourself to other institutions over the Internet without ever showing up in person.

Moreover, there is no actual need for credit reporting agencies to have SSNs. They don't need to report payments to the government for tax collection. SSNs didn't prevent credit reporting agencies from commingling my father's credit data with mine.

if they switch to an Equifax ID, then you'll have to submit an Equifax ID when applying for a loan and a fraudster could do the same they do today.

If you switch to dozens up separate IDs, the entire system will get bogged down as everyone forgets all their ID #s

I think the bigger point is that companies like Equifax shouldn't be using ID numbers at all in the way that they rely on them. They use SSNs as a database ID crutch to keep from having to do the actual leg work of talking to people, verifying/reverifying the accuracy their data, and basically doing the job people pay them to do.

Others on this thread have suggested that storing information that can cause me to incur a liability should require insurance against such a damage. I'm confident that with the right incentives in place, commerce will proceed without getting bogged down.

Agree. The best thing that can happen here is the entire 149 million gets published online somewhere - that will force change. Overnight, companies will have to stop assuming SSN is secret.

At this point I think it's rather safe to assume no SSN is secret.

I agree - but this is going to get forgotten about in a month, Equifax's stock price will be back where it was in 6 months (or less) and everything will continue as before

Yeah, I won't be holding my breath.

He's right though, even if not feasible to implement. A SSN is an ID number that needs to be kept secret. How dumb is that?

How about using something like an ID card with attached chip that can be used to digitally sign things? Works great in Belgium.

There are millions of Americans who genuinely believe a national ID program is "the mark of the beast" and will hasten the arrival of the Biblical End Times: https://encrypted.google.com/search?hl=en&q=real%20id%20mark...

Americans have an distinctive hate for ID cards.

Actually, we have lots of ID cards. There's just a distrust of one card for everything controlled by the Federal government. Which is inevitable.

But they sure love their identity theft! ;)

I get it, most people aren't always rational about these things.

There is no political will to do such a thing. Even the REAL ID stuff with licenses is pretty weak and taking an eternity to implement.

He's right though, with any luck, the SSNs of a slew of politicians will be included in the data leak and then we may just get the ball rolling on change. Hopefully, this is the one that gets us moving.

I mean, the OPM breach didn't.

If they do something like that in between elections, conservatives will flip.

The sentiment goes something like this:

- Conservatives gave up on minorities, historically stated that the less they vote, the better - Conservatives push the narrative that voting fraud is a big problem, and that the liberals are doing it (many high profile member's of Trump's family/cabinet are registered to vote in many states simultaneously)

- They push for Voter ID laws and push back against weekend voting days, as it makes it harder for hourly/poor/minority voters to show up and vote.

So it would probably be a great idea, but since conservatives consider non-white franchising is an existential threat to their cause, they'll probably scream "state's rights" and block it from happening.

I advocate something similar regarding all secrets (passwords, private keys, credit card numbers, etc).

Secrecy (and privacy) aren't sustainable, and relying on them will just end up hurting people.

Identity must be solved, not through secrecy, but through transparency.

If AI overcomes us, it will be (in part) because we failed to adapt to this reality.

I'm sorry that you are getting downvoted for simply expressing an unpopular opinion, but you may be interested in this: https://www.theatlantic.com/politics/archive/2014/08/this-ma...

How could we go about not having private passwords or credit card numbers?

You authenticate with physical states with enough entropy generation rate, e.g. physical tokens. All security is physical security.

You first.

Are you being sarcastic?

No. I'm completely serious.

This is truly low: Equifax gives the affected victims a "special offer" to protect their identities. In the fine print is a waiver to any class-action lawsuit.


I doubt this would be upheld by a judge in the event that a class action were to be taken to court.

Remember, any legalize like this is worthless unless a judge says it's valid.

Doesn't make them any less scum for trying it.

Fortunately binding arbitration clauses are considered unenforceable in some cases.

I'd like to think OPM employees are reading this headline and thinking "Yeah we'll see!"

The entirety of federal government SF-86s being dumped to a foreign government has diplomatic and economic repercussions that will last for decades.

To clarify the OP's acronyms:

OPM: Office of Personnel Management, where all the 'blackmail' files for cleared gov employees and contractors are stored, in addition to many other more mundane functions.


DoD: Department of Defense, but this also refers to contractors in places like Lockheed and other smaller contrating firms.

SF-86: Standard Form #86, the form that must be completed to gain any kind of clearance with the gov. These clearance processes can run into the $20k+ range, though not usually, as they have to send agents out to talk to people to verify the applicant.



The 2015 data breach of the OPM was a BIG deal in the security clearance world, as it seems all the blackmail files were stolen. The a large issue was that the OPM worked on an entirely separate internet that the gov built, as in they had totally different wires and cables and everything, very expensive. How this happened is yet to be released AFAIK. Also, many people were trusting the gov with their darkest secrets, so as to be un-blackmail-able by others. Now, the gov is not so trustworthy and this then throws a huge wrench into all of the processes, including retention of employees and recruitment of new ones.

Thanks; I also had to double back and change DoD to the more accurate "federal government", which includes other branches that used OPM services.

No worries! Thanks for putting this up. This Equifax issue is a big deal, for sure, but the OPM was too. In general, these breaches are just getting bigger and worse as time goes on. There has been a lot of talk about the CyberWar, and if there is one going on, it seems that the US is not winning it very well.

As part of the DoD I generated my SF 86 with e-QIP and sent it to my S2 but he needed the S1 to get some PII out of SIDPERS which required a DA 4187 to send to the G1 but I couldn't sign it with my CAC because the NIPR is down and the TACSAT is deadlined so for now my TS/SCI is MIA.

.. And I could go on. Yes, we love our acronyms.

I got some credit monitoring and a form letter. My data was lost in the OPM hack. I came to post pretty much the same thing.

Worst? For whom?

"Lost"? It was saved in globally distributed backup!

That's a very positive outlook. Maybe it was just the governments way of initiating a distributed file sharing service?

By strange coincidence, the missus was saying that she needed another drive to backup more photos. I told her she didn't need to, the NSA already has them archived. She did not see the humor.

This sort of reminds me of when Wells Fargo called me one day to tell me my card was compromised. I got on the phone with them only to find out it wasn't. Then they tried to hard upsell me on a pay by the month identity protection plan with a 6 month complimentary introductory period.

It seems like it's sort of in Equifax's interest for a breach to happen and have 144 million people freak out and then buy their $20/month service

I hope you changed banks after witnessing their sleazeball tactics first hand.

Only the absolutely dumbest Americans are Wells Fargo customers at this point. Or, maybe, they can't read the news.

I can read. I am not dumb.

Wells Fargo is the biggest mortgage servicer in the United States and you don't have a choice over who services your mortgage- mine was sold to Wells Fargo without my say. I could refinance but that comes with significant fees (>$1,000), I'd lose my amazing interest rate, and there is no guarantee it won't end up back in Wells Fargo's hands again.

Not all banks re-service mortgages. BB&T is known to keep servicing mortgages that they originate.[1] Disclaimer: I have a mortgage through Wells Fargo (that was almost immediately re-serviced!), but I work for BB&T.

[1]: https://www.nerdwallet.com/blog/mortgages/bbt-mortgage-revie...

I don't disagree for a second there are some banks and credit unions that intend to service their mortgages but you don't know that will always be so. That's their policy now but it can change in the future and you have no control over it. Banks and credit unions are being bought and sold all the time.

The bank that held my parents mortgage was acquired no less than four times between 1996-2012. In 2007 I got a credit card from my local credit union - right now it's being transitioned into a Bank of America credit card. The credit union still exists though, they sold their credit card division to another company which then was acquired by BoA. Funny thing is a several years after they sold their credit cards they decided to offer them again and create new ones.

Exactly. My primary credit union, First Tech, also states that they will service the mortgages they originate.

What happens when First Tech gets bought out by [mega credit union] though?

First Tech bought out the HP Credit Union (Addison Avenue) and others so in some sense, it has acted as [mega credit union].

Beyond that, this question is an imponderable for me because who can say what the future brings vs. the present. I guess one can refinance with some other credit union were this to happen in the future in a manner that was not desirable for one's mortgage.

I dropped them around 2012 when every encounter with a teller turned into an upsell session. I now use credit unions (First Tech, for example) for banking. Also moved the mortgage over to the credit union since they promise to service it for the life of the loan.

For day to day financial services maybe. But for fixed APR mortgages? They are still very competitive, and if you are a member of certain groups, like veterans, even better.

What benefits does Wells Fargo give to veterans?

A relative of mine got some fees waived and a $1000 gift card at his choice of a number of home goods stores.

For a mortgage?

I'm asking because the hubby is I'm the military and he's the primary on our mortgage.

I did indeed. Switched to Chase.

Still, my point is. Equifax has the same conflict of interest as Wells Fargo. It feels scammy to me.

I think $1000 is a lowball estimate for the per-person damage done by this breach. At $1000/head, they would be looking at $137B of liability with a market cap of $17B. Good.

How hard is it to opt-out of whatever class action settlement is offered, and take this to small claims court?

Anyone want to setup a website to automate the paperwork? I'd love to see a not-for-profit do this moving forward when things like this happen.

I would love to see something like this happen as well. I'd be happy to setup the website, but we'd need a lawyer to help with the forms.

I would be happy to help out as well. I am not a lawyer, but I just filed in GA small claims court today. Contact info in profile.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact