A year later, Equifax has faced little fallout from losing data (techcrunch.com)
934 points by sahin-boydas 6 months ago | 276 comments

I'm most disappointed in the Canadian gov't and their lack of action. This would have been the perfect opportunity to mandate change - We don't have to send data on all of our people and their credit history to this American company. Or at least without actual legislation and rules around governance, security, and actual penalties for breaches.

Instead we let them get away with - no more than a handful of Canadians were affected - followed by - oops, yup lots of Canadians - followed by - holy heck, how many Canadians are there way up there?

We don't need to go along with this. Yet it never seems to get better.

Did you write to your MP?

Did you meet with them?

These things only get fixed when people speak up.

I met with my MP over the weaponization of autonomous systems. I've put a ton of work into understanding where all this is headed. I spoke up[0] at the hearing on electoral reform about the cybersecurity risks of computerized elections, but I'm only one man. I've been able to get some things through, like pressuring the Liberal Government to put up more resources[1] but political will lags public outcry. If you want something changed you can't just complain online in your little bubble.

[0] I was one of only two people that spoke up about it and it was added to the final report. The world is changeable. What it takes is showing up and pushing hard.

[1] https://www.cbc.ca/news/politics/budget-billion-cyber-securi...

"Write your representative" is the standard response in the US too, and I'm honestly done with it. I've written many, many letters to senators. I've placed phone calls. I've donated to candidates I support. I've taken a day off work to attend what was supposed to be a town hall but that ended up just being propaganda and thinly veiled hints at donating to related election campaigns, with so little time for public comment that I never got a word in.

And yet I've only ever received token replies and seen zero change. No one I ever really wanted to vote into a major seat has won. And Congress really can't see what's wrong with the Equifax breach on their own?

Fuck all of them. I've given up on our political system maintaining much more than panem et circenses.

You're not wrong. A Princeton study found that average voters have almost no impact on policy anymore. However, corporations have taken over that position of influence.

I personally believe it is because politicians have to listen to voting blocs. Since American families and homeowners have fallen to record lows they have no consistent voter base from individuals anymore. Homeowners and families used to be the two biggest voting blocs. They no longer are; businesses are the only voters that will be guaranteed to stick around until the next election.

>Since American families and homeowners have fallen to record lows they have no consistent voter base from individuals anymore.

No. This is just factually incorrect.

Americans are moving at historically low levels.

Homeownership is certainly not at historic lows.

https://www.marketwatch.com/story/homeownership-rate-reaches... (data for 2017, 2018 is higher: https://www.census.gov/housing/hvs/data/index.html )

Anymore? Was there ever a time when the "common" person had a strong influence on government policy, relative to wealthy people or large coalitions?

Note that I'm referring to policy, not rhetoric.

I deeply understand your frustration. It takes a lot of work even here in Canada to get political will to take proactive action.

It's only harder in the US. You guys have ten times the people per representative which means political victory is governed by opinion polling and, unfortunately, monied advertising. Citizens United made it ten times worse.

From my vantage point in Toronto, it looks like action towards fixing the political system is the top priority right now. So many things are wrong that it's hard to figure out where to even start.

There will be a breaking point though. As demographics continue to change if the GOP continues to win despite losing the popular vote I can see some sort of general protest or riot forming.

I can't name a single issue that I could give 2 shits about that was different before the GOP won the last election. The Democrats' healthcare plan sent my premiums through the roof, there's still virtually no transparency or accountability in the way billing is done unless I lawyer up, medicinal cannabis is still illegal, and my Facebook feed is still inundated with friends going to GoFundMe for healthcare bills because they still haven't bought insurance as required by law. Still in the middle east too. If that's what the Democrats are so proud of, then fuck popular vote.

There are other problems too. The broken political system changes the character of the people that run. Most first world countries have sane healthcare systems. Most also have saner political systems.

Well, if you only name the things that got worse or haven’t improved of course everything sucks.

I named the biggest achievement I heard cited from Democrats seeking reelection.

I am not from the US but it's the same thing everywhere.

The only place where citizens seem to have an impact is Switzerland where with enough signatures you can request a referendum. Good luck implementing that in other countries.

Somebody one day told me this little bit of wisdom:

In a dictatorship, the government wants you to shut the hell up but in a democracy they let you keep talking because they don't listen and do not give a single fuck about you.

The world's political systems are broken.

I for one do not bother to vote anymore and the cynicism transpires in my daily life where on many issues I find myself thinking that if nobody cares, why should I?

That's progress apparently.

I struggle a lot with the idea of the tyranny of the 51%, though. I don't like Jeremy Clarkson's politics, but I really like a point he frequently makes in his columns: everyone loves the idea of a jury of one's own peers until they realize that their peers are all idiots. Same goes for democracy. It sounds great, until 51% of people start making dumb decisions about how you should run your life.

Example: a slightly larger majority of my town than that wanted a slightly better deal on waste management, so they voted for a town-wide contract. Now I'm forced to pay for a recycling program that is so inconvenient I pay to use a different one anyway. Enough people (that it will probably happen) are now pushing for a measure to make it as convenient as it used to be, but raise taxes to pay for all the abuse that ruined things. I don't want better voting, I want the ability to opt out and be left alone.

This isn't actually that complex a problem. 51% don't get to make decisions, 66% do. The correct answer is almost always "no" so making it more difficult to get to a "yes" from the decision making body is (within reason) a good thing. This has the added benefit of forcing people to take a good hard look at what they propose because it has to make sense to everyone to have a chance to pass.

Yeah I absolutely love the solution of requiring a supermajority. I wish it was required in most instances and that we actually required it when it is already required by the Constitution in practice. In the US Constitution it's only used to convict, override or expel people who were elected by simple majority (or in some cases, less, though I like the idea of the electoral college not giving all power to a couple of states), and for ratifying treaties and constitutional amendments. Of course, even though alcohol prohibition required a constitutional amendment, you can apparently prohibit anything else by having it "scheduled". And when was the last time the President waited for Congress's permission for our foreign relations, be they treaties or war?

California has a pretty extensive referendum system (although not as far-reaching as Switzerland). Overall I think it’s a positive. Although one of the dumbest and most destructive policies in California (proposition 13) was introduced by referendum. And I believe Switzerland has been known to show its nasty xenophobic side from time to time. So it’s a double-edged sword.

It's downright dangerous. Putting major decisions directly in the hands of the people requires well informed citizens and balanced, independent media coverage. While it's not a problem exclusive to the US, judging by recent political developments and voting outcomes I'd say a large number of people are particularly prone to manipulation and populist narratives.

> The only place where citizens seem to have an impact is Switzerland where with enough signatures you can request a referendum. Good luck implementing that in other countries.

That "works" in Switzerland because Switzerland is an entire country with a smaller population than New York City. Even then, it doesn't prevent pretty horrible laws from passing in Switzerland, because a majority of the electorate can be convinced to demonize a minority pretty easily.

Direct democracy like this doesn't scale up well at all, and we can look at California's proposition system to how that turns out at a larger scale.

I feel the pain and feel similarly. Sorry that we're sharing this space of despair in our political institutions.

The town hall comment jumps out to me. I have this sense that more local communication, or dare I say "organizing" -- not in a politically-specific sense but in a more general "community getting to know each other" sense -- is the way forward.

Has anyone ever participated in a town hall or other forum for communicating with fellow citizens that has gone well? I'm curious to know.

I've also been very active in my local metro district and HOA meetings. Unfortunately, even at that level the company that began developing the neighborhood will hold majority power of the board for, at their current rate of development, the next 40 years. They have attorneys that advise them not to speak with us, and we pay for those attorneys. Currently a large chunk of my property tax is paying interest on the developer's debt. Those meetings go about as well as you think. I've been to town council meetings and informal meet-the-mayor and meet-the-city-councilperson coffee events, and was referred to email their attorney. The only time I've seen my town council get anything done, it was either (a) due to a massive showing by a think-of-the-children type group, or (b) a company with massive pockets.

You're not alone friend.

Which is why I say we need a modern voting system. One vote for one person to one candidate creates this pro/anti party system. There are other options to consider, but of course the incumbents would fight it tooth and nail.

Good question though obviously asked assuming the opportunity to judge and belittle judging by the "...you can't just complain online in your little bubble."

I actually did and ended up with a purely political answer blaming the difficulty of regulation and consumer-beware-ism. Even though in this particular case there really is no opportunity to beware - it's either go with the banks that are all part of this or live on a commune singing about flowers -- and it is way too cold here in the winter for that!

I regret how I phrased it. Thank you for writing to your MP; you are part of a very small minority and I appreciate your effort.

Consider the comment only aimed at those that don't take action.

What about the folks who are tired of taking action and being ignored or written off by their representatives? What about the folks who called their representative's office only to be greeted by a full voicemail box? What about the concerned citizens with no formal degree who have little chance of being taken seriously in this time- and attention-starved age?

I don't know which country you live in, but at least in Canada, I've generally found my political representation responsive to thoughtful communiqués. If you live in the US, see my response to this person:

What action did you ask them to take? I find this situation to be quite upsetting, but I don't know how to fix it.

Crises precipitate change

I get that there's some things where you need to make sure your voice is heard, but I mean c'mon. There's some things like this where the government should just take initiative on because it's that obvious.

Most politicians are lawyers or community organizers. They don't understand technology. Think about some aspect of the world you don't understand, like crop fertilization or NASA probes. That is how ill-defined the world of tech is to the majority of our policy makers.

I guess I'm curious how to make them familiar with such topics. When my dad got cancer, he researched to become an expert on all things cancer as much as he could. When I started getting chronic pain in my hip, I started learning about how to strengthen it and about various physical therapies. When I feel unsafe about the food I eat, you bet your darn ass that I'll research agricultural methods and food supply chains. What makes someone like Erin Brockovich change to become Erin Brockovich, and how do we get more people like her? If cybersecurity issues that are big news (to differ from physical security issues) don't get people moving to understand the issues, what will? Maybe people just get the politicians they deserve and never the politicians they need. :(

There are any number of potential problems a politician may be called on to propose solutions for. We can’t expect them to be experts in each and every one. Right now, the “best” advice they get is probably from those who care the most, i.e. those who have a financial stake in the outcome.

Politicians need better topic advisors that represent their average constituent.

We ALL have a financial stake in the outcome. Furthermore, there are things far more valuable and costly at stake. Like Liberty. Freedom. Justice. You know, those things?

Reducing the equation of politics down to mere financial stakeholders is how you get to the position the United States is in in the first place.

I get that we all like to laugh about those quaint ideals, but it truly SHOULD be the first thing on a politician's mind.

Also, EVERY Congressman has the option of retaining researchers who have the job of becoming experts on every topic imaginable. Never mind access to one of the most extensive libraries known to man. Expertise is easier to come by than you seem to think.

A Congressman being spoonfed information by lobbyists without having his/her own staff doing some digging and USING their powers to subpoena is a Congressman in sore need of replacing.

Never mind that we don't bother enforcing statutes that make it a felony to lie before Congress.

Again, what's the solution? For people to care to vote for change, they need to care to research and understand the subject themselves, and then consider it a priority after researching well. I doubt that happens. People are getting the politicians they deserve, not the politicians they need.

I entirely agree.

Oh come on. If those crops die off en-masse or those NASA probes keep crashing into the countryside, you don’t need a degree or specific knowledge on the subject to know that something is wrong.

What it takes is having the means to show up, etc. Most people are not in the financial position to pursue such actions.

United groups find ways easier.

We should be able to trust our elected officials to do the right thing. And if we can’t, we need to fix our democratic systems so we can.

It’s not sustainable for a population to continually apply political pressure on each and every issue. Particularly to lobby against well funded opponents.

The result of a system where we can’t trust elected officials is going to be a failing system. Voters will understand they’re being screwed but won’t understand the issues. So they end up voting for someone offering simple solutions, like Trump.

Isn’t the whole point of electing them that they will vote as we would have voted? At least, I think that’s how it was described in my classes...

Not exactly. We (should) elect people whose positions and intellect we respect, essentially delegating decision-making responsibility to them. Not that they will make the same decisions we would make in every case, that's just impossible to expect and not what leadership is about.

(The extra bit of irony is that when you move from canada to the us you have zero credit history, and have to bootstrap from some cruddy credit card that you're never allowed to close afterwards, lest you impact your credit rating...)

It's the same in reverse, mostly! There are exceptions where they will look at US credit history, but even for Americans moving to Canada, that's not the default case.

Source: Am American, moved to Canada, experienced this personally.

The illusion of Democracy while running on Capitalism. Sooner or later this will have to change. Capitalism simply just motivates businessmen to pursue profit and neglect everything else. That includes updating to a more secure Java Web Framework, funny to even think that being a priority in today's mega corps.

The correct response should have been for credit card holders to sue their credit card companies. We have a relationship with the card companies, and they chose to share data with a third party, so the credit card companies are responsible. This class action suit did not happen as far as I know. Why not?

If we're so outraged and thus there's a market for it, why didn't banks start offering their own credit cards with guarantees not to share your data with any third parties?

Also, why should it be risky for someone to know your name, address, and social security number? Yes, I agree it is risky, but it shouldn't be. Those things are not me. They're not even secrets. Knowing those things should not give you superpowers.

> The correct response should have been for credit card holders to sue their credit card companies

Why? Why should it be the victims job to find and prosecute criminals?

Should victims also be responsible for breaking up monopolies? Or cleaning up oil spills? Or to keep hospital patient records private? How much time and money should victims be required to invest in lawsuits, to bring justice against illegal mistakes made by entities with thousands of people and million/billions of dollars?

Wouldn't it be better if we had government agencies draft and strictly enforce regulations to prevent this. Like say, an EPA for environment, or HIPAA for healthcare, or GDPR for consumer/business data?

Whether it would be better is a really interesting question.

For this specific case, I think energetically enforced regulation would be clearly better. But in general, I'm not so sure. The American system of "let people do what they want; if there's harm, they can sue" allows a lot more room for innovation than a system of up-front regulation.

I think the difference for me lies in the extent to which an issue is a) in a stable context, b) causes significant harm, and c) is unlikely to be fixed through market mechanisms or self regulation.

Here, since consumer privacy is basically an externality to these companies and the market is an oligopoly, I think stronger regulation is a pretty good bet. But in general I think private right of action is underappreciated. Especially class action suits, which aren't burdensome for most plaintiffs.

I think the problem with that strategy is that harm is generally done on a large scale until someone prevents it from continuing.

Well, generally it isn't. Most businesses go along doing good things for their customers and getting paid in return. Really, given the way that the Internet has changed everything, we've had surprisingly few major problems.

As a tiny example, look at phone calls. They used to be absurdly expensive. In college I remember having phone bills costing ~30 hours of (minimum-wage) labor. Now it would be hard to explain to an 18-year-old what a long-distance call even was. These days I have effectively unlimited calling from anywhere to anywhere via a handheld device that costs ~7 hours of (minimum-wage) labor/month, and I see lower-cost vendors that provide it for ~4 hours/month.

If we had taken a regulation-first approach, where each new service had to get regulatory approval, I could imagine us still being stuck in the old paradigm, where each phone call had to go through a monopoly operator, and things like Skype were illegal. Or maybe we'd be part-way along the curve, but with incumbents pushing to increase regulatory burden and hobble startups.

So I agree the problem with a default-permit model is that you have more problems to fix, and some can be big. But the problem with a default-deny model is that you miss out a lot of gains. And those, being hypothetical, are easy to underweight against the benefits of the status quo.

> Wouldn't it be better if we had government agencies draft and strictly enforce regulations to prevent this. Like say, an EPA for environment, or HIPAA for healthcare, or GDPR for consumer/business data?

Yes! Since the state enforcing this creates a legal threat. If the individual has to prosecute there is a good chance that nobody comes after them, making it viable from the companies position to be a bit too relaxed. If the state strictly goes after it the risk calculation is different.

Yes, it would, but our government agencies and officials are paid by Equifax to NOT draft and strictly enforce regulations to prevent this.

> We have a relationship with the card companies, and they chose to share data with a third party, so the credit card companies are responsible.

When people sign up for credit cards they agree to the terms and conditions, and sharing data with credit scoring agencies is one of them.

Equifax is the one to sue -- they are the ones who let the data become public.

And frankly there are good reasons we have credit scoring agencies. Getting rid of them would make it more difficult for creditworthy people to prove they are creditworthy in order to obtain credit. If there were not credit scoring agencies, lenders would need to rely on methods of determining creditworthiness that are more invasive of privacy than credit histories. Getting a credit card would be like getting a mortgage, and lenders would demand bank statements, pay stubs, proof of past payments, etc.

That's simply not true. Many European countries have privacy laws that render credit scoring agencies effectively useless. And yet it's not at all hard to get a credit card.

I think those ‘invasive’ methods of determining credit worthiness are a lot more accurate and safe. Mainly to protect people against themselves.

And the burden would fall on those who use credit, not on those who largely don't.

> That class action suit did not happen as far as I know

Yes it did. The complaint can be found below.

Any idea whether it’s going anywhere?

> The correct response should have been for credit card holders to sue their credit card companies.

Which we won't be able to do at all in a few years thanks to the ubiquitousness of forced arbitration clauses?

Every credit card has a forced arbitration agreement that prohibits class actions.

Forced arbitration needs to go, as a concept. I can’t imagine any situations where it makes sense.

Didn't the USSC recently rule that forced arbitration was ok?

It upsets me a lot how these financial institutions have complete power over us. God forbid a bank writes a loan to a scammer in your name, cause to them it's your fault. Absurd!

Yes! The only real change that needs to happen is that banks need to be liable for loans they write in your name fraudulently. If they accept stolen data without verifying it is actually you, it needs to be their fault. The current system of it being your fault makes no sense.

> banks need to be liable for loans they write in your name fraudulently

Is this not the case already? I know that it could be an incredible hassle to prove that you didn't take out the loan and that someone else has stolen your identity. (There's also the question of who has the onus of proof -- you or the bank.) But if it's a fraudulent loan and you could prove it was fraudulent (which I agree could be difficult to prove), can you be held responsible?

> But if it's a fraudulent loan and you could prove it was fraudulent (which I agree could be difficult to prove), can you be held responsible?

The simple answer to this is "no." Identity theft can take time and, occasionally, a small amount of money to clean up. This has a very real cost if you happen to be a person that has little of these resources. But you can never* be held responsible for a loan you didn't take out.

This is also the core reason why Equifax has not suffered many consequences: it's because the real world harm of their negligence simply wasn't that significant. I don't even know if there is any data to show that the number of identity thefts has increased in the wake of their breach.

*Unless I guess you receive a summons to a court date and don't show up and someone gets a default judgment against you. "Never," here, as usual, means "extremely rarely."

From a quick Google search I got "Online fraud attack rates have increased by 13% since the start of 2017, according to a new study from e-commerce fraud-prevention provider Forter. Digital goods—including gift cards, gaming and music—experienced the sharpest increase in online fraud in the wake of the Equifax breach, soaring 167% between the first quarter of 2017 and the same period a year later, Forter said. E-commerce sellers of electronics saw a 66% increase in online fraud over the same period, and online fraud in food and beverage also showed a sudden surge." though who knows how reliable that is.

One thing I hate about massive corporations is that there's no semblance of accountability. I'm not looking for Hammurabi's law, but as long as companies can act with impunity in the face of the law we're in for a rough future :[

The burden of proof is wrong here though. You shouldn't have to prove you didn't take the loan out. The bank should have to prove that you did.

The thing is, the burden of proof shouldn't be on the victim to prove that the loan was fraudulent. The bank should have to prove that it was valid otherwise it's automatically ruled in the victim's favor. You know, innocent until proven guilty and all that.

This is the Identity Theft sketch -- love it!

Here is a real, widespread, horrifying example: I was aghast when reading "Chain of Title" by David Dayen. https://thenewpress.com/books/chain-of-title

Amongst many things, recall how banks got away with a slap on the wrist for the whole Robo-Signing scandal. (see: https://en.wikipedia.org/wiki/2010_United_States_foreclosure...)

If an average individual had done this, they would face charges (and they should.) But mysteriously when it is done tens of thousands of times it somehow becomes legitimate. I'm a pretty liberal person but I am deeply disappointed in the previous US administration for not pursuing this scandal towards justice.

Equifax really isn't a financial institution. But yeah, in a capitalist system, it shouldn't be surprising that capital has power over you just like in a monarchy, the monarchs have power over you.

Power is never taken. It can only be given. That’s why threats of violence from the would-be rulers are usually necessary. A few people having power over the many is because the many don’t scare the few.

All the more reason to move to blockchain identities.

Fuck the blockchain.

Just issue public/private keys to citizens. They sign with their private key, banks verify with their public key. Anyone can request your public key from the Social Security Administration via API. Done.

The SSN acting both as the identifier and the password is the real problem, and throwing the blockchain into the mix just complicates things more.

We still need a central agency. It's the authentication method that is pathetically worthless.

Terrible idea. If you try to force users to do key management, you've lost.

Keybase is the only one getting this right, and people are now claiming they're ignoring security in order to do it. It would be a dumpster fire to trust government agencies to get the design requirements right.

Really? It seems to be working fantastically in Estonia:

That’s very cool! Thank you for pointing out the counterexample.

Belgium also uses decent crypto, software, and hardware for their electronic identity system:

For the last several decades, many of us Americans have become too skeptical about what government can do in terms of technology, even while it's completely true that government often gets it wrong.

That skepticism may have something to do with many of us Americans watching our government spectacularly fail to keep pace with changing technology over the past few decades. Not sure there's any real solution for a nation of federated states who don't like to coordinate with one another. Please prove me wrong, politicians.

It's definitely tricky, not disagreeing there. But Belgium is also a federation of multiple language regions who don't like to coordinate with each other. Way smaller and way fewer regions, sure, but equally with more hostilities between them.

There are very few government officials worldwide who truly know technology or how to effectively engage the real experts in an agile way rather than just government contractors. That seems to be the main problem to me.

Even in the US, the US Digital Service and 18F have done great work. And Canada has at least one backbencher MP who's a Linux and free software geek, asking legitimately knowledgeable questions in committees on topics like IPv6, copyright, and plenty of unrelated topics too.

Of course I realize those organizations and people are exceptions. But they, and the Belgian and Estonian examples, indicate what can be.

Maybe we can figure out how better to make technologists interested in serving in government, or working closely with it from the outside.

I'm paraphrasing from this article in the New Yorker [1] that I read some months ago, but it seems the trick to getting bona fide technologists to work in government is to offer competitive pay and benefits, as well as making the job "sexy" by offering a chance to work on a truly revolutionary project that will make life better for your countrymen. That's what's working in Estonia, at least.

I'm holding out some hope that Estonia will be able to convince their fellow EU member states to pick their game up now that they have the rotating presidency of the EU council [2].

But one thing Estonia has going for it (or working against it, depending on perspective) is its close proximity to a technologically advanced hostile nation. Estonia's rapid progress has been spurred in large part by the necessity of protecting itself from Russian cyberattacks, a Big Issue if I'm remembering the New Yorker article correctly.

[1] https://www.newyorker.com/magazine/2017/12/18/estonia-the-di...

[2] https://www.visitestonia.com/en/why-estonia/estonia-is-takin...

Maybe it has something to do with all our politicians being older than my parents... who can barely figure out email.

Users are already doing key management! It's just that the record ID, public key, and private key are all the same number.
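What the "issue public/private keys to citizens" proposal a few comments up and the "record ID, public key, and private key are all the same number" remark above both describe is the difference between authorization by a shared secret (the SSN) and authorization by a signature checked against a published key. The following is an added illustration, not code from any commenter or from any real agency: it assumes a hypothetical directory mapping a public citizen identifier to an Ed25519 public key (standing in for the "SSA API"), a hypothetical loan-application format, and a bank-issued nonce per application so a captured signature cannot be replayed. The identifier format, function names and amounts are all made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry stands in for the hypothetical public-key directory ("SSA API")
// described in the thread. It maps a public citizen identifier to a public
// key. Nothing in it is secret, so a copy of it leaking is not a breach.
type Registry map[string]ed25519.PublicKey

// LoanApplication is the document a citizen authorises (hypothetical format).
// Nonce is issued by the bank per application so a signature captured once
// cannot be replayed against a second application.
type LoanApplication struct {
	CitizenID string
	Amount    uint64
	Nonce     [16]byte
}

// bytes is the canonical byte string that gets signed and verified. Every
// field that matters is included, so changing any of them breaks the signature.
func (a LoanApplication) bytes() []byte {
	b := []byte(fmt.Sprintf("loan|%s|%d|", a.CitizenID, a.Amount))
	return append(b, a.Nonce[:]...)
}

// LegacyAuthorize models today's scheme: presenting the identifier itself is
// treated as proof of identity. Anyone who obtained it in a breach passes.
func LegacyAuthorize(presentedSSN, storedSSN string) bool {
	return presentedSSN == storedSSN
}

// Enroll generates a key pair for a citizen and publishes only the public half.
// The private key never leaves the citizen (here: the caller).
func Enroll(reg Registry, citizenID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[citizenID] = pub
	return priv, nil
}

// NewApplication is the bank side: it fixes the terms and issues a fresh nonce.
func NewApplication(citizenID string, amount uint64) (LoanApplication, error) {
	app := LoanApplication{CitizenID: citizenID, Amount: amount}
	if _, err := rand.Read(app.Nonce[:]); err != nil {
		return app, err
	}
	return app, nil
}

// Sign is the citizen side: authorise exactly these terms with the private key.
func Sign(priv ed25519.PrivateKey, app LoanApplication) []byte {
	return ed25519.Sign(priv, app.bytes())
}

// Verify is the bank side: look up the published key for the identifier and
// check that the signature covers exactly the application being approved.
func Verify(reg Registry, app LoanApplication, sig []byte) error {
	pub, ok := reg[app.CitizenID]
	if !ok {
		return errors.New("unknown citizen identifier")
	}
	if !ed25519.Verify(pub, app.bytes(), sig) {
		return errors.New("signature does not verify: not authorised by the key holder")
	}
	return nil
}

// AttackerSign models someone who holds the identifier (and can read the
// public key from the directory) but not the private key: all they can do is
// sign with a key of their own, which the registry does not vouch for.
func AttackerSign(app LoanApplication) ([]byte, error) {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(attackerPriv, app.bytes()), nil
}

func main() {
	reg := Registry{}
	id := "123-45-6789" // constructed sample identifier; it is public, not a secret
	priv, err := Enroll(reg, id)
	if err != nil {
		panic(err)
	}
	app, err := NewApplication(id, 25000)
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, app)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("holder-signed application:", Verify(reg, app, sig))
	forged, _ := AttackerSign(app)
	fmt.Println("attacker-signed application:", Verify(reg, app, forged))
	fmt.Println("legacy check, identifier alone:", LegacyAuthorize(id, id))
}
```

The point the test cases make: with the published-key scheme the breach of a database full of identifiers and public keys gives an attacker nothing to sign with, a tampered amount or a replay under a fresh nonce fails verification, and an unknown identifier is rejected outright, whereas the legacy check passes for anyone who merely knows the number. The hard part the next comment raises, getting private keys into citizens' hands and recovering them when lost, is exactly what this sketch does not solve.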

Let's all move to a system where, once someone has taken a fraudulent loan in your name, it gets put on a permanent record that can't ever be changed or undone, what a great idea!

You'd think that crypto proponents would have learned after the first five major bitcoin breaches and millions of dollars of losses without recourse, that having trusted people with the power to change transaction history is a good thing.

Ok I will be the one to start it.

This it's why we needed GDPR. The courts have been totally unwilling to combat this kind of corporate malpractice, assessing the costs of a breach to be puny.

My opinion is, if your business is sensitive data then being careless with it should be an existential threat to that business.

GDPR is not enough unfortunately to stop the abuses of credit check agencies. As far as I understand it, them sucking up all your data is a legitimate business use, and you do have to give consent for it.

What we really need is regulation to limit the amount of information that can be used for credit checks (and insurance premium calculations while we're at it). Actually that is partly done in the UK - e.g. gender cannot be used while calculating car insurance premiums. But sadly they can still ask for your profession, marital status, etc.

GDPR does not only regulate what data a business can collect. It also has many other provisions that would be relevant in the Equifax data breach. It requires that appropriate security measures be taken to secure any personal data that you collect, which Equifax obviously failed to do. It also requires that data breaches be disclosed within 72 hours of when they are discovered while Equifax took about nine months to do so.

What about the Right to Forget? Can't we ask Equifax to delete all of our information?

Right to forget is basically the right to withdraw consent. You can only make them delete things that they needed your consent for in the first place.

This is not actually true. The right to withdraw consent, the right to object and the right to be forgotten are all different. In the first and second case, the company has to stop processing the data, but they don't have to remove it. In the last case, they actually have to remove the data. The removal of data has a caveat that the company doesn't have to do it if it would be onerous (but what that means is left up in the air... so we'll have to see some judgements before we know exactly what it means).

In the case of Equifax, they are a third-party processor. Under GDPR, you would have to be informed if the processing was necessary under contract basis. Once the contract is finished, you can request that your data is removed and the original processor must inform all third party processors. So Equifax would be required to remove the data. For legitimate interest or consent basis, you can ask to be removed at any time. You don't have the right to be removed wrt data collected for regulatory reasons.

I think the key here is that Equifax (being a third party processor) does not have to respond to you if you say "Please remove all of my data". I think you have to go to the original processor (which sucks, because you have to track down how they got your information). I may be wrong about that, though (the company I work for doesn't collect 3rd party info, so I didn't pay much attention to that part of the law).

If you have to give consent to it, then under GDPR you can withdraw that consent (though not every purpose requires consent). Much more important in this context, GDPR forces you to adequately protect the data you have collected.

And if you didn't have to give consent, you can object to your data being used anyway. They then have to give a credible reason that counters your objection. I mean, technically the law says you can only process data iff you have a purpose for it and must delete it when you no longer have an immediate purpose for it so I don't really get why there is a separate provision for this, but we all know how this goes (you don't make money by deleting data so nobody is on top of it) so I'm happy that provision is explicitly mentioned. (Disclaimer: besides IANAL, I'm also not actually sure if this was in the text of the law or if this was on the local regulator's site.)

> gender cannot be used while calculating car insurance premiums. But sadly they can still ask for your profession, marital status, etc.

How is that bad? Insurance works by collecting slightly higher premiums than the expected insurance payout. The more accurately the insurance can predict risk, the better. And if they calculate that some profession/gender/lifestyle/whatever carries a higher risk, it's only fair that those people have to pay more, after all they also cost the insurance more.

Having people pay for their risk is also a net-positive force for society. If some profession causes people to be sleep-deprived and have more car accidents, their premiums go up, producing pressure to either reduce the risks or choose other professions. If you don't let insurances factor this in, you are just subsidizing those with riskier lives.

If you hyper-specialize the risk pools it effectively prices lots of people out of the market, causing their risk pools to collapse. Insurance also loves to write exclusions if they aren’t prohibited. By your logic health insurance should exclude sickle-cell anemia coverage for black customers.

For insurance to work as intended, it has to be spread across a large population and it needs to cover a wide variety of perils.

Where insurance can be a force for societal good it should be allowed to discriminate. For example, insisting on better fire safety. Or basing your car insurance rate on your car’s safety rating.

P.S. Insurance works by making money off the float, not by collecting more in premiums than they pay out. The expected payout is around 100% over the long run, but the payout happens over time. Until it does, the insurance company holds the money and uses it to make money. (Granted, in this low-interest-rate environment insurance companies may set the payout ratio a bit more favorably since the float makes them less money, but competition effectively helps keep a cap on that).

Mutual insurance companies (owned by their policy holders) are different. Any profit is returned to the policy holders, so there’s no incentive to set rates higher than required. However the tragedy of the commons kicks in: if they offer lower rates to high-risk groups, they tend to attract the worst of those groups, causing higher losses - especially with health insurance. That’s part of the reason government regulation of insurance is the way it is, the other being gross mis-management causing insurance companies to go bankrupt and be unable to pay out during times when people need it the most.

The variance you see in car crash risk among groups of people is far smaller than the risk of health problems. No drivers have a 100x genetic risk of crashing. The worst case of "new young driver" is already discriminated against, after all, but they can still afford insurance.

> P.S. Insurance works by making money off the float, not by collecting more in premiums than they pay out.

This really doesn't matter. Float happens to be of similar magnitude to profits. It could be significantly more or less. I'd say it's more of a coincidence than anything whenever the two align.

Also, very few people have ever died because they weren't allowed to drive.

> Also, very few people have ever died because they weren't allowed to drive.

How in the world would you know that?

The more accurately the insurance can predict risk, the better. And if they calculate that some profession/gender/lifestyle/whatever carries a higher risk, it's only fair that those people have to pay more, after all they also cost the insurance more.

This is the classic correlation/causation fallacy that is why sadly we have needed explicit anti-discrimination laws in other contexts.

When I added my partner to my car insurance policy, at a time before prohibiting the use of gender to determine premiums, our payments went down quite significantly despite now covering two drivers. When I asked why, they told me that statistically women are safer drivers than men, and since my wife had a good track record with no accidents, that meant our risk together was now lower.

The thing is, at that point I had been driving regularly for many years, while my partner had also passed a test many years earlier but had hardly driven since. We both had clean sheets, but as you'd expect given our vastly different levels of experience, she was not as safe a driver as I was and would have been the first to admit it. However, the insurer's questions hadn't identified any of this, and had reached an obviously absurd conclusion.

Even after the policy change, in practice I was almost always still driving anyway, so clearly whatever my level of risk was before, our combined level of risk was still similar afterwards. But again, nothing asked when we adjusted the cover or since would have picked that up.

This is the trouble with almost any profiling based on personal data, from insurance calculations to targeted police actions to screening job applicants: in principle, it might be a reasonable thing to do, but if your model doesn't properly incorporate all relevant facts, it can actually be worse than nothing because not only does it give an incorrect assessment, it also instils false confidence in that assessment.

You are missing out on the additional information about you that they got when you added your partner, i.e. that you are in a long-term relationship. Married men are well-known to be lower-risk drivers than single men, presumably the insurer also knows that men in a relationship significant enough to buy insurance together are also lower risk.

Also, someone who hardly ever drives is very safe from the insurer's perspective. They may not be very skilled, but they also don't have many opportunities to get in accidents.

Even if that first part were true, we'd been together for a considerable time before she was interested enough in driving the car that we changed the insurance, so their risk analysis would still have been miles off for years.

But they can't base insurance premiums off of information that they don't know. They can't just take your word for it that you are in a relationship, because that is too easy to lie about. Buying insurance together is a clear indicator that would take significant effort to game.

But they can't base insurance premiums off of information that they don't know.

Of course. But as long as they can't form a sufficiently complete picture to make fair decisions -- that is, pricing based on actual risk -- discriminating on easier grounds that are correlated with risk but also happen to be incorrect in many cases isn't fair, so we make laws that stop them doing that.

"...it's only fair that those people have to pay more, after all they also cost the insurance more."

Insurance is supposed to spread risk. If your logic were taken to its limit, everyone would pay in the same amount that they were expected to cost - with an added amount to line the pockets of the insurance companies. Then why bother with insurance at all?

it's only fair that those people have to pay more, after all they also cost the insurance more

What a curious thing to say in 2018. Would you also argue that women take more time off to have babies so it’s only fair on employers not to hire them?

> Would you also argue that women take more time off to have babies so it’s only fair on employers not to hire them?

No, hiring no women simply because they get babies would be silly.

How long the person will likely stay with the company and which extended leaves they will be taking is of course a factor in the hiring decision. Both of those events incur a real and measurable cost to the company. But there are many reasons why males and females leave or take time off, babies are only one of them. And it is only one factor among many. Expected job performance, personality, the effects of certain team compositions, customer perception, etc all have a bigger effect on the company than the baby factor and thus should be weighed accordingly.

We don’t need GDPR. We need sane penalties for data breaches caused by incompetence. The last thing Canada needs is to put ourselves at any more disadvantage with the US market.

GDPR has sane penalties, that’s why it’s such a big deal. GDPR seems to put the EU in a better position for the US Market since it has better data laws so is more attractive for US customers. The only downside is for companies not in the EU targeting the EU market, either follow the EU law or withdraw from that market. It basically puts the US in a worse position in my opinion.

$10MM minimum penalty is not sane.

The law states "up to 10,000,000 EUR" which is the opposite of minimum I'd say.

The law does not state that. It states €10 million or 2% of gross worldwide revenue -- whichever is higher.

Those are still the maximum, the 10 million is still not the minimum.

The EU could fine a corporation with 10 billion turnover $10 but they also could fine up to 200 million $. It doesn't mean they have to fine at least 10 million once you're over the 2% switchover.

You're missing my point -- what you said the law says and what the law says are different. Your maximum/minimum argument relates to the guy above your post. That additional option of a 2% figure changes the dynamic of how the fines work completely.

The law says “up to” which is what they explained.

It's very sane -- For a mistake as large as Equifax, a $10MM penalty is basically a slap on the wrist.

It's not a minimum penalty. There is no minimum penalty.

It's part of the calculation for the _maximum_ penalty, which is max(€20m, 4% of global turnover)

As many people have pointed out, what you have said is untrue. I'd actually read about the regulation before commenting on its sanity.

If a company does not leak your data but sells it then your laws for security breaches are not enough.

You mean data breaches are fine as long as they’re intentional?

That's the exact opposite of what they meant and is what Hanlon preaches to us about.

If you divide causes into "accidental" and "intentional", and assume "caused by incompetence" belongs in the "accidental" category, then the comment "We don’t need [X]. We need sane penalties for [Y] caused by incompetence" can be read as arguing against penalties for intentional actions.

If they meant the opposite of that, then that's a really weird way to express it.

So what did they mean? GDPR is basically what they said, plus that you have to show you have made a meaningful effort to stop data breaches from happening before they happen. Is that bad?

Intentional data breach is basically the business model where you sell private information without getting meaningful consent from your users. Do you think that is okay because you need that to stay competitive with US companies?

> This it's why we needed GDPR. The courts have been totally unwilling to combat this kind of corporate malpractice

It should come as no surprise that the legislative enforcement arm is unwilling to also. I know you dream of laws like the GDPR working, but it doesn't and neither did its predecessor. Instead of asking for new laws, why are you not asking for enforcement of existing ones? And what makes you think a new law will be magically enforced where current ones aren't?

I know you dream of laws like the GDPR working, but it doesn't and neither did its predecessor

Didn't it? Maybe I'm biased, but I don't remember breaches like Equifax's or Target's in the EU. I also don't remember the records of 154 million EU voters being exposed.

According to this report[1], the "U.S. accounted for 728 of the 974 incidents around the globe in the first half of 2016." They do say part of the difference may be the disclosure laws, but is that all?

[1] https://blog.gemalto.com/security/2016/09/20/data-breach-sta...

Maybe I'm biased, but I don't remember breaches like Equifax's or Target's in the EU.

I am in the EU, and I got a letter from Equifax saying they'd leaked all kinds of stuff about me and offering some token countermeasures several months too late to provide much meaningful protection against any additional risks I faced as a result.

> Didn't it? Maybe I'm biased, but I don't remember breaches like Equifax's or Target's in the EU.

So if you don't remember it ever happening, what did the laws curb again? I'm talking about the effectiveness of adding laws... going from 0 to 0 demonstrates no effectiveness much less the effectiveness required to overcome the societal cost of compliance.

If anything, your argument explains the embedded big business cultural differences and laws like the GDPR added nothing wrt data breach enforcement/prevention.

I see this self-assured attitude often with users from the US. Do you honestly not think GDPR had any effect? If it only served to remind businesses user privacy is protected by law, then that was an effect. The EU has taken legal action against US companies before, and it has made a difference in this world. Why do you think it won't happen again, apart from your deep-rooted revulsion to mostly all forms of market regulation?

This idea that the US is the breadwinner of the world and a paragon for all to strive for is such a tired old misconception born from not-so-subtle nationalism. The US is not a utopia of happy, well-fed people with homes. You got a big army though, that's for sure.

I work in Google and we had posters about getting ready for GDPR eons ago. Which sounds like having some effect to me.

> Do you honestly not think GDPR had any effect?

Of course I think it had an effect. I just believe it was/is a net negative effect. When I say doesn't/didn't work, I mean what I perceive the intended goal is vs societal costs. Akin to saying anti-drug laws don't work and are ineffective... nobody is saying they have no effect. I believe, if reasonably drafted and incrementally applied, data protection laws could have a positive effect.

> Why do you think it won't happen again, apart from your deep-rooted revulsion to mostly all forms of market regulation?

I'm talking about data protection regulation. Based on my research, many companies were violating existing data protection statutes and the regulatory bodies were not punishing them out of apathy and limited resources.

Why do you assume I have an issue with all forms of market regulation? That's false and I'm not sure where I said that. All of the rest of your post is attacking some other kind of argument that I never presented.

I think narcotics legislation has worked fine for most nations. Only one declared war on drugs though, which has not panned out super well I'd say. It has amounted to kicking extra hard on those lying down in many ways.

Attacking this and attacking that, I'm describing a mentality that I come across as a European on HN a lot. It has a little bit to do with you, as I said, I'm picking up on this same sense of "lol look at those dumb Europeans, they don't know what's best for the market," I think you'd agree that this mentality is fairly strong in the US. The US is many things, but humble is not a word I'd use.

You shouldn't pick up that sense, you shouldn't assume people are calling entire peoples dumb, etc. I think that mentality you assume is absolutely not very strong. In many cases, envy and embarrassment is much stronger. By arguing from your assumed perspective you are not doing so in good faith and disappointing.

So if you don't remember it ever happening, what did the laws curb again? I'm talking about the effectiveness of adding laws... going from 0 to 0 demonstrates no effectiveness much less the effectiveness required to overcome the societal cost of compliance.

The laws might have curbed what would have happened if they didn't exist - and did end up happening in places without it, like the US. Remember that the Data Protection Directive is from 1995, before companies were so connected and exposed, so a lack of such breaches before it passed is not very indicative of its lack of effectiveness. But a comparison with other countries might be.

embedded big business cultural differences

Maybe, but law shapes culture too, so that's hard to separate. As an European myself, I'm kind of skeptical that our business people would intrinsically care much more about data protection when their money is on the line.

This is some tiger-rock argumentation.

Right. I wonder how much the US would pay for this rock I found in Europe? There were no large data breaches while this rock was there.

You can't determine the past effectiveness of increased future legislation, especially if it's in an environment with a history of lax enforcement.

What's this mean?

Except it did. GDPR sent many companies scrambling to comply and they did. Equifax, as you can imagine, was not on that list.

What current law are you referring to (in the US..), that makes what Equifax did illegal?

SEC disclosure timeliness requirements since it affects financial outlook at the very least. If they can't even be heavily punished by public institutions for at least that, how can they be expected to punish when given more breakable rules? Or, as the EU erroneously thought, does the US really believe the lack of punishment is due to legal handcuffs instead of political will, resources, and lobbying? More paper will not magically turn handshakes into arrest warrants.

At least the US, and probably other countries as well, have the issue of no reliable means of /authentication/. I feel like this won't be solved until a proper national ID replaces the thing that __everyone__ is forced to use as one even though it isn't supposed to be; 'social security' numbers. That method would need to be secure, reliable, and traceable.

All contracts / inquiries that require use of the identity signature would also need to register that use; ideally the government would run an observation oracle that mirrors the publicly published signatures each agency hosts on their own (which would be a defacto place to check for use/abuse of the signatures).

This would also obviate the need for services like Equifax to exist at all.

> That method would need to be secure, reliable, and traceable.

And that's why it will never happen. This is one of my biggest complaints about the Hacker News community: so many of us are engineers who see a problem and immediately think "here's a solution, technical or otherwise."

We can't "solve" humanity -- it's pure hubris to think otherwise. Any national ID will run the same risks that befall SSNs, passports, licenses, passwords, or any other form of identification. Which, simply put, is that the weakest link is always the person behind them. All it takes is one screw-up -- your passport falls out of your bag on a busy street, a thief breaks into your home and steals the safe with your SSN card inside, someone accidentally makes a list of password hashes public -- and the "secure, reliable, traceable" goes out the window.

I don't have a solution. But I think those of us who are engineers owe it to the general public to stop kidding ourselves into thinking we can come up with "solutions" -- technical or otherwise -- that aren't (1) flawed in some other fashion, (2) unacceptable due to societal norms, or (3) require the elimination of personal freedoms and liberties that at least we in the U.S./Canada/Europe seem to enjoy.

Yeah, but you can make it hard to fake someone's identity. In the US you just need some Google skills and their SSN number.

In the EU you need to fake a plastic card that has your photo, has holograms and whatnot. If it's lost I get a new one with a new number. For anything serious like opening a bank account, applying for credit you need to show this card in person.

This is why identity theft crimes are more than 10 times higher in the US.

In my opinion there is a much better solution. My European ID card including its number used for authentication is valid for 10 years, and I can report it as lost or stolen. The same technique is already in use for debit and credit cards across the globe. Why not use it for identification in the United States?

The weak link you present is actually one of the reasons use HAS to be public record.

Making it public record also implies that there's a Cert Revocation List check (during the submit to the central monitor(s) oracles) and also gives everyone the ability to monitor those lists FOR unauthorized use they aren't yet aware of.

And you are falling into a nirvana fallacy. Plenty of Hacker News users who propose "solutions" are also doing so, but that's no excuse.

The thing is, Social Security Numbers just suck. All I want is to add a verification digit at the end, like my credit card has, so that forms that require my SSN can throw an error if I make a typo. You don't have to "fix humanity" to do that; it's just adding one more digit and using it to tell if somebody accidentally entered a 4 when they should've entered a 5. Most identification numbers use this; the SSN is really the odd duck here.
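As an added example (my own code, not from the commenter above and not any official SSN scheme), here is what "one more digit, like my credit card has" looks like in practice: the Luhn check digit that payment cards use, applied to an SSN-shaped 9-digit payload. The sample numbers are constructed and are not real SSNs. The example also shows the limit a practitioner should know about: Luhn catches every single-digit typo and almost every adjacent swap, but an adjacent 0/9 swap produces the same check digit.

```go
package main

import (
	"errors"
	"fmt"
)

// digitsOf returns the decimal digits of s, skipping the '-' and ' ' separators
// usually written in an SSN. Any other character is rejected.
func digitsOf(s string) ([]int, error) {
	var digits []int
	for _, r := range s {
		switch {
		case r >= '0' && r <= '9':
			digits = append(digits, int(r-'0'))
		case r == '-' || r == ' ':
			// separator, ignore
		default:
			return nil, fmt.Errorf("unexpected character %q in %q", r, s)
		}
	}
	if len(digits) == 0 {
		return nil, errors.New("no digits")
	}
	return digits, nil
}

// luhnSum walks the digits from the right (position 0). Every digit in an odd
// position is doubled, and 9 is subtracted when the doubling yields two digits.
func luhnSum(digits []int) int {
	sum := 0
	for i, n := 0, len(digits); i < n; i++ {
		d := digits[n-1-i]
		if i%2 == 1 {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum
}

// CheckDigit returns the digit which, appended to payload, makes the Luhn sum
// a multiple of 10.
func CheckDigit(payload string) (int, error) {
	digits, err := digitsOf(payload)
	if err != nil {
		return 0, err
	}
	// Appending a digit shifts every payload digit one position to the left,
	// so compute the sum with a placeholder 0 in the check position.
	sum := luhnSum(append(digits, 0))
	return (10 - sum%10) % 10, nil
}

// WithCheckDigit returns payload with its check digit appended.
func WithCheckDigit(payload string) (string, error) {
	c, err := CheckDigit(payload)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s%d", payload, c), nil
}

// Valid reports whether number (payload plus check digit) is self-consistent.
// A failure is a certain transcription error; a pass only means no error that
// Luhn can see.
func Valid(number string) bool {
	digits, err := digitsOf(number)
	if err != nil || len(digits) < 2 {
		return false
	}
	return luhnSum(digits)%10 == 0
}

func main() {
	n, err := WithCheckDigit("123-45-6789") // constructed payload, not a real SSN
	if err != nil {
		panic(err)
	}
	fmt.Println(n, Valid(n))           // 123-45-67897 true
	fmt.Println(Valid("123-45-67497")) // single-digit typo (8 -> 4): false
	fmt.Println(Valid("123-45-76897")) // adjacent swap (67 -> 76): false
	// Known blind spot: swapping adjacent 0 and 9 leaves the Luhn sum unchanged.
	fmt.Println(Valid("123-09-67893"), Valid("123-90-67893")) // true true
}
```

The check digit adds no secrecy at all; it only lets a form reject a mistyped number before it is stored or matched against the wrong person, which is exactly the narrow problem the comment is asking to solve.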

So what should we do instead, be resigned to the current state of things?

I think it's totally unreasonable to tell us to stop trying to innovate. We have solved so many of the world's problems, why should we stop now?

Agree, too often we are using drivers licenses #s (which btw, are public record often), address, phone numbers, and worst case SSNs and foolish "security questions" in the US for identity. None of these are appropriate authenticators of a person, and almost all of this data has been leaked in the past.

I think if there is anyone who is well suited to tackle this, it's.. banks. There are so many bank locations, most people have an existing relationship with a local bank. If we allow tellers in banks responsible for verifying identity of people (the same way a social security office or DMV office verifies a person: birth certs and records checking), they could be paid to be the hands and feet of something like national ID system.

I think the availability of digital authentication methods significantly varies by country.

E.g. here in Finland TUPAS (https://en.wikipedia.org/wiki/TUPAS) is used by both government sites and private companies. It relies on two-factor bank credentials that almost everyone here has. Two-factor has been standard since online banking became a thing in the 90s and all banks are part of the ~10 bank groups so there aren't any small unsupported banks that I'm aware of. Government sites also support ID cards but no-one uses that option.

I believe some other countries have working, but different, digital authentication schemes as well. Maybe Estonia and Belgium?

These don't work over the phone, though, and asking for address and your identity code (or some part thereof) remains a common over-the-phone "verification" method, at least here. So the identity code / social security number issue still exists, at least to some extent.

I'm not following how authentication obviates the need for record-keeping.

Credit reporting agencies are basically a data warehouse for financial event history. If such a thing didn't exist in some form, how would a lender check whether you made previous payments on time? They can't contact every possible creditor that you could have interacted with.

Maybe a better architecture is possible than storing all the data centrally and creating a massive single point of failure, though.

The problem is that SSNs are used for both identity and authentication. It’s as if your login was just a username, no password. Equifax et al only need to know your “username” and still allow for credit checks. But since all we have is SSN, Equifax has your “password” as well, turning a data breach from a theft of private data into a wide open avenue for identity theft.

A super common complaint about Equifax is that everyone's SSNs were stolen, which puts people at risk of identity theft. With a national ID scheme where authentication is not based on knowing what is essentially a primary key, this concern would go away.

This would do nothing about any other data, but to draw a parallel to merchant breaches, we mostly see stolen credit cards as a nuisance and a matter for the banks to deal with, rather than something we really worry about.
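As an added example that is my own code and not taken from any commenter or from any real national ID scheme, the following toy registry ties together several points made in this thread: the "record ID, public key and private key are all the same number" observation, the username-without-a-password analogy for SSNs, the ability to report a credential as lost or stolen, and the idea of a public record of every use that the person can audit. The identifier is public and the registry stores only a verifying key, so a breach of the registry table (Dump) yields nothing that lets an attacker pass a credit check. All identifiers and relying-party names are constructed; the protocol (Ed25519 challenge-response bound to the relying party's name) is an assumption of the example, not a description of any deployed system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is everything the registry keeps per person: a public identifier
// (the "username") and the key that verifies proofs. No secret lives here.
type Record struct {
	ID      string
	Pub     ed25519.PublicKey
	Revoked bool
}

// UseEvent is one entry in the append-only use log that anyone can read.
type UseEvent struct {
	ID           string
	RelyingParty string
	Accepted     bool
}

// Registry is a hypothetical identity registry (an assumed design).
type Registry struct {
	records map[string]*Record
	log     []UseEvent
}

func NewRegistry() *Registry {
	return &Registry{records: map[string]*Record{}}
}

// Enroll issues a key pair. The private key goes to the person (on a smart
// card in a real scheme) and is never stored by the registry.
func (r *Registry) Enroll(id string) (ed25519.PrivateKey, error) {
	if _, exists := r.records[id]; exists {
		return nil, errors.New("identifier already enrolled")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.records[id] = &Record{ID: id, Pub: pub}
	return priv, nil
}

// Revoke is "report lost or stolen": the identifier stays, proofs made with
// the old key are refused from now on.
func (r *Registry) Revoke(id string) error {
	rec, ok := r.records[id]
	if !ok {
		return errors.New("unknown identifier")
	}
	rec.Revoked = true
	return nil
}

// Challenge is a fresh nonce the relying party (e.g. a lender) sends to the
// person; signing it proves possession of the key without revealing it.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// message binds the proof to the relying party's name so a proof captured by
// one lender cannot be replayed to another.
func message(rp string, nonce []byte) []byte {
	return append([]byte(rp+"|"), nonce...)
}

// Prove is run by the person holding the private key.
func Prove(priv ed25519.PrivateKey, rp string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(rp, nonce))
}

// Verify is run by the registry on the relying party's behalf. Every attempt,
// accepted or not, is appended to the public use log.
func (r *Registry) Verify(id, rp string, nonce, sig []byte) bool {
	rec, ok := r.records[id]
	accepted := ok && !rec.Revoked && ed25519.Verify(rec.Pub, message(rp, nonce), sig)
	r.log = append(r.log, UseEvent{ID: id, RelyingParty: rp, Accepted: accepted})
	return accepted
}

// Dump is what an attacker walks away with after breaching the registry.
func (r *Registry) Dump() []Record {
	out := make([]Record, 0, len(r.records))
	for _, rec := range r.records {
		out = append(out, *rec)
	}
	return out
}

// UsesOf lets a person audit every attempt made with their identifier.
func (r *Registry) UsesOf(id string) []UseEvent {
	var out []UseEvent
	for _, e := range r.log {
		if e.ID == id {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	reg := NewRegistry()
	alice, _ := reg.Enroll("rec-0001")   // constructed identifiers
	mallory, _ := reg.Enroll("rec-0002") // an attacker who saw the Dump
	nonce, _ := Challenge()
	fmt.Println("genuine:", reg.Verify("rec-0001", "lender-a", nonce, Prove(alice, "lender-a", nonce)))
	fmt.Println("forged with another key:", reg.Verify("rec-0001", "lender-a", nonce, Prove(mallory, "lender-a", nonce)))
	_ = reg.Revoke("rec-0001")
	fmt.Println("after revocation:", reg.Verify("rec-0001", "lender-a", nonce, Prove(alice, "lender-a", nonce)))
	for _, e := range reg.UsesOf("rec-0001") {
		fmt.Printf("%s accepted=%v\n", e.RelyingParty, e.Accepted)
	}
}
```

The design choice worth noticing is that Verify logs rejected attempts too: the use log is only useful as a fraud detector if the person can see somebody trying to open credit in their name, not just the successes. Real deployments add certificates, an expiry on the key and a way to re-enrol after revocation, none of which changes the core property that the breachable table holds no authenticator.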

It is so damn difficult to prove substantial damages to be directly attributable to a specific data leak. It isn't right, but it also isn't reasonable to attribute a specific identity theft incident to a specific leak. My data has been compromised by at least 1 dozen corporations in the past 3 years. Who is to be held accountable if my identity is compromised or my opinion influenced maliciously as a result of a breach?

It isn't as if this data has some chain of custody that can show which actor sold it to another and who used it for a spear-phishing campaign. Our secrets are laid bare to whomever has the will to partake of them.

Sometimes I wonder why it is considered immutable that human malice is an unstoppable force. I want my kids to live in a world where those who leak data and those that use it to malign others are rare and held accountable in a manner that is truly commensurate with their cost.

It _is_ rare. But that doesn’t mean those who let your data leak should go unpunished.

You don’t need to figure out who was the cause of a specific misuse, you just punish the data being leaked in the first place.

Though I guess you need to figure out a way for companies not to hide the leak then.

Revised headline: A year later, the vast majority of people have faced little fallout from having data about them inadvertently made public.

Nearly all of the dire predictions made at the time of the breach have been wrong to date.

Tell that to my coworker who spent all day on the phone last week fighting identity fraud with his bank. The impacts will be intermittent lightning strikes on random people at random times. To everyone else, business as usual.

Are you saying this anecdote makes the dire predictions accurate? Or are you just saying it had > 0 effect? The parent post was talking about the former as a whole, not sure it's worth countering with the latter.

Can your coworker trace the identity fraud to the Equifax breach? As opposed to all of the identity fraud that happened throughout the years before the breach?

Are you implying that, when a hurricane strikes, no one drop of water can be responsible for the resulting devastation?

(When in this case, to stretch the metaphor, the droplets all had strong profit incentives related to storing and making decisions based on peoples' data, and that they were pretty demonstrably negligent at protecting their charge?)

All I'm really saying is, these breaches won't ever stop if the cost of a response remains substantially lower for these companies, than the profitability of being the (ir)responsible ones and maintaining the data in a negligent state.

> > Nearly all of the dire predictions made at the time of the breach have been wrong to date.

> Tell that to my coworker who spent all day on the phone last week fighting identity fraud with his bank.

I'm saying that identity theft happened before the Equifax breach, and the Target breach, and the Yahoo! breach, etc. It will continue to happen. What we need is some sort of reform, like a national ID system with stronger ways to identify people (like fingerprints) and strong penalties for the criminals, not the organizations that get victimized. Note that anything like this will probably result in restricting access to credit or raising the cost of it.

People like to blame the CRAs for this, but it's the businesses that don't do due diligence in verifying identity that are at fault.

> It will continue to happen.

I would like, if you are one of the entities with control over this situation, if you bet against this. How much will it cost me to get you, as a service provider, to start betting against this?

I know this sounds crazy, but ... entities cannot secure their relationship with you if they cannot maintain some detail as private. (Until we all have PKI and use it?)

> The impacts will be intermittent lightning strikes on random people at random times. To everyone else, business as usual.

And that's acceptable to virtually everyone.

Until it affects you. Then you're outraged, but too late to do anything.

1) A few hours on the phone != getting hit by lightning.

2) It's still a bit early to trust the data, but so far identity theft rates do not appear to be up significantly in the aftermath of the Equifax breach.

Since much of the information doesn't change easily, it is my understanding that identity thieves will sit on the information and use it intermittently for years.

Revised revised headline: A year later, we do not have a full accounting of the impact of the data breach, but this weird blog quotes a fraud prevention company saying they saw big increases in online fraud rates: https://www.paymentssource.com/slideshow/data-fraud-after-th...

Ha, how will you know how the leaked information is being used? This is the problem: once your data is out there, there is no way to know how it will be used. Everyone I know had to take active steps to lock their credit history, including me. This is the major blunder they got away with... unbelievable!

Slight change: "having data stolen from them due to outright incompetent security"

It wasn't inadvertent; they made decisions and said "eh whatever".

That's a fair change. I didn't love the use of "inadvertent" there and was struggling for the best single-word adjective to use. There was definitely significant negligence on Equifax's part.

Put your money where your mouth is. Publish your info and see what happens. If you later have a problem, how will you be able to show that it was because you published your info?

Identity theft is at an all time high.

"little fallout"

Pfft. They've been required to offer credit account locking and unlocking services without charging individuals for the privilege. That's a serious blow to executive bonuses. Surely they'll all have moved on to other companies with a more encouraging compensation structure, leaving Equifax a shell of its former self.

That's not really that big of a blow. Unless I'm greatly misunderstanding their business, in which case I'd appreciate it if you enlightened me.

+= "/s"

Let's see, $3 billion revenue, $200 million expense - yeah, a serious blow alright.

This is the same case as the big banks during the financial crisis. I can't believe they are still a running company after such a big blunder. Worst part is, I as an individual never wanted my Social Security and personal data to be mined by such companies, let alone have it hacked. We have no say in this.

They didn't lose anyone's data. They just made accidental public backups.

(Seriously though, the use of the same word to describe data loss and data theft is problematic; depending on the nature of the data, one will typically be far more serious than the other.)

They lost control of it. Meaning, they no longer control access to it.

released or leaked

I like leaked more than the other suggestions, but it still sounds so ... not reckless. There needs to be way more judgement.

How about "discharge"? Yes it's gross but that's the point.

“Leak” sounds small, too, so it gives a minimized impression of what happened.

“Hemorrhage,” perhaps. :)

Could call it "negligent public disclosure of personal information".

Why would they leak the data? That seems counter-intuitive to me.

Negligence, incompetence, and apathy.

Have there been any studies about the actual consequences of these data breaches on victims (in terms of fiscal, social or even emotional impact)?

What I don't see anyone actually asking is who was behind the breach given the sophistication of the attack and the measures they went to to avoid detection. This wasn't the case of a database just sitting in the open that they could access.

The actual report makes for better reading than Tech Crunch.


This will really only end when the credit rating agencies become irrelevant. Large purchases should be based on ability to pay, which is different than credit rating.

You can have a credit rating of zero just because you don't use credit - even though you have plenty of money in the bank.

If you are running a business, why not avoid equifax and other credit raters and use a different mechanism?

If you are looking to startup a business - doesn't this look like an area that needs disruption?

Most loans require both: (1) an ability to pay (pay stubs, tax returns) and (2) a history of paying back loans in the past.

Or how corporate USA goes unpunished over and over again.

This is disturbing, but, really, is it surprising? The GOP is in control of all three branches of government in America, and they're always very pro-corporate power. Equifax's data breaches were caused by criminally-insufficient security controls, by a company large enough to know better. They could have secured the data and chose not to. They could have brought in third-party auditors, yet chose to not spend the money. So it's on them. Hopefully, we can hold Equifax accountable at some point, when the politics become a little more consumer-friendly again. Right now, it's almost 100% on the side of corporate rights.

A Trump appointee ended the investigation into Equifax


Wikipedia has more of this guy's greatest hits. I especially love this one: "In January 2018, Mulvaney canceled an investigation into a South Carolina payday lender that had previously donated to his congressional campaigns."


Great find! I like the "Mulvaney submitted a quarterly budget request for the [Consumer Financial Protection Bureau] to the Federal Reserve for $0."

And after trying to shut down the database of consumer complaints, turns out "8 of the 10 firms with the most complaints about them had contributed to Mulvaney's campaigns."

It's interesting there is more concern and discussion regarding social media privacy but very little discussion of this PII information that consumers are not able to control at the moment. Why should consumers not be able to control who can access this PII data and when they can request it be deleted? They can do so with social media data, so why not this? If they do choose to delete it with a given company another company can retain it who has exercised more fiduciary responsibility by keeping consumers secure. If the company changes and fixes the holes then consumers should be able to start sharing data again with that company from that point forward.

I suppose users are just "getting used to" data breaches? Like clicking your way through pop-up windows asking for permission to install?

And if you need to set a fraud alert with them you have to do it by mail. FML.

Hmm, I was able to lock my credit history with all 3 bureaus without using mail; TransUnion was the highest touch in that it required phone confirmation. Prior to that, I had been using the 90-day fraud alert, which I always set online every 90 days.

For some reason they don’t allow me to do it online. Probably because they were the ones providing my data to whoever is using it.

Socialize the losses, capitalize on the gains.

Just like all the big banks in 2008.

The problem is that I have no choice but to use Equifax when I need to do anything involving my credit rating. They have a bizarre monopoly on this vital aspect of life. When I go to the banks asking for them to give me my credit score that they have on file, they defiantly refuse me.

Further evidence of the lack of any effective competition in this space.

And of wholesale regulatory capture.

So, U.S. public, what are you going to do about it? Bolster organizations who can effectively mitigate (public or private, to put that agnostically), or let the wave carry you under?

> West sued Equifax for nearly $5,000, but the judge agreed to give her $690 ($90 of which was for court fees)

Come on.

> Going toe to toe with Equifax’s representative in front of a judge, Haigh won $8,000.

That's better. But you could still argue that it's not adequate.

anyone know why there hasn't been a class action lawsuit around this?

If individuals could win....

Data is like 'electronic IP' such as videos, music and computer programs in that it's a precious resource that's easily stolen.

The problem is that it's not easy to secure. Physical things can be stuck in a vault or watched over by armed guards. Electronic IP can be swiped in the blink of an eye and replicated many times once obtained.

It's a hard problem. To date, only ham-fisted excessive financial fines have been used to scare the general public. That technique isn't viable for the long term-- we need something better.

A more positive implication is that downstream security has gotten good enough that large breaches like this can’t be systematically exploited for financial gain. Two factor auth seems to be more pervasive, and there’s a host of retrospective security tools in the industry.

That said, I have no doubt there's a vibrant underground market for all this data, and it's likely being used in more surgical attacks already, and could, one day, be the basis of a broad attack (once an appropriate attack vector becomes available).

Heck one of the former Equifax guys went to work for Panera Bread (of all places) and didn't even know what a security researcher was telling him when he identified an API that was wide open....


Equifax has been heavily marketing to banks this new product called InstaTouch, which they want to be a credit card application handler. The feature they advertise the most is "security and risk management for banks".

Uhh, no.... clearly they didn't learn from their mistakes and don't care.

A more interesting question is if the costs of fighting financial fraud and/or identity theft using the stolen credentials have noticeably increased in the past year. I suspect the costs of this are being borne systemically, with consumers paying in slightly higher interest rates on loans/credit cards, etc.

Yet we'll keep thinking this is an Equifax problem without realizing it's a systemic problem with companies we rely on ubiquitously with hardly enough regulation above them to prevent them from maximizing exploitation.

They didn't lose your data they shared it.

It'd have been nicer if they had lost it.

I see so many comments on HN arguing that being outraged about this type of thing and pedantically hammering on it even unto the detriment of your personal life is not worth it. Comments arguing the opposite get sanctimoniously downvoted, whether it’s prolonged outrage about police brutality, abuses of political power, unpunished fraud or privacy breaches, and so on.

But truly it just seems like sustained outrage is just not high enough to bring about justice.

A politician could probably sweep the board picking up all of this unresolved outrage lying around. I don't understand why nobody is trying to do it.

It's about balances of power. There's unfortunately a strong tendency for corporate power to overwhelm all other institutions, given how centrally organized, self-optimizing, evolving it is. Government ideally should offer a balancing power, an equally intelligent, evolving structure safeguarding individuals (and humanity vs economics). The problem is corporations have found ways to control governments and will use their power to terminate impacts on their productivity, which will inevitably include human rights, quality of life, human values.

The only solution I can see is through legislation, strictly forbidding corporate interference in government and creating institutions to prevent it.

Some measures:

1) Outlawing lobbying more broadly, improving campaign financing, etc.

2) Reforming the government to promote greater adaptability and efficiency, mimicking how companies improve themselves through competition.

There are quite a few examples of countries with good control over corporations (Japan I think is quite strict, at least in terms of election financing and advertising), and good alignment of government and human values. But many others, notably the US, turn more and more the opposite way, towards corporate/economic absolutism.

It's been said before, but people put a little too much fear into AI takeover when gigantic, scalable, self-improving systems with trivial values (economic output) are already almost taking over the world.

Fear The Corporation.

Well, they wouldn't have enough money to market themselves. Or if they were independently wealthy and leveraged people's outrages to get elected, well that worked last presidential election.

Seriously though, internet + mass-media-driven outrage on a topic like this is probably much smaller than people think whereas less squeaky outrages (e.g. the ACA) have huge angry-yet-silent bases.

Some are (in the US at least), but not enough of them are in power right now to do much about it. Luckily, there's an election in November...

Nothing is going to happen to them in the future as well.

People who don’t interact with politicians and often don’t vote can’t have an opinion about anything political. They are not in the game. Fortunately this is easy to fix.

Equifax and what they do is the epitome of uselessness [https://www.vox.com/2018/5/8/17308744/bullshit-jobs-book-dav...]

They are a company whose sole purpose is to track how reputable a consumer is, which is entirely extrajudicial and arbitrary. How do you fine/hurt/stop something which is pure made up bullshit and had no purpose to begin with?

"Equifax and what they do" replaced a previous informal system without mechanical credit scoring that was far, far more discriminatory than the one we have now. The average HN reader --- and especially the average angry political HN commenter --- would not be happier in a world without credit ratings agencies. The fallacy is that in such a world, you can get credit (or rent an apartment or whatever) without jumping through hoops. In fact, what really happens is that the hoops get more arbitrary, less standardized, less accountable, and more plentiful.

It is for that reason that we should be especially unhappy about the way the law handles breaches like the one that happened at Equifax. These are companies that have decided to insinuate themselves in a crucial component of the consumer finance industry, and they should be held to a higher standard than we're holding them now.

There's a purpose. Companies pay them, there's a market. The business case is solid, but you can certainly make an ethical argument against it.

Companies already have this service provided by the judicial system, it's called bankruptcy and it's a public record.

If there's a market for more detail than that, it's a bullshit market, because how that report gets generated is entirely arbitrary.

US bankruptcy is not a service provided by the judicial system to companies. It's a service provided by the US courts to consumers. Our bankruptcy law is notably among the most liberal and consumer-friendly in the world.

From experience helping family members: you can be hundreds of thousands of dollars in debt before bankruptcy becomes a real option. Entire sectors of the consumer finance market are dedicated to keeping them out of bankruptcy, where they become total writeoffs to creditors. I watched creditors offer to settle mid-5-figure delinquencies for nickels on the dollar simply because that was the best they were going to get with a bankruptcy on the table.

The idea that creditors could simply extend credit uniformly to everyone who hasn't declared bankruptcy in the past is ludicrous.

I'm not suggesting that we do that, I am saying that not paying a debt outside of a predefined grace period is a contractual and legal issue, which would be a part of a civil dispute, and also a matter of public record.

How does that address the problem that credit scores solve? If I'm a lender given no data about a potential debtor and my only recourse is to the courts, I'm not going to lend to anyone --- or, if I do, it'll be based on far more arbitrary and discriminatory standards, like whether the right poobah at the local Chamber of Commerce vouches for you personally. That's how it worked before we had credit scores.

Never said we had to go backward, and I definitely don't think that's better. I am saying that the legal system is the demerit based system for this kind of reputation based decision-making, which has completely failed us in the proper function of this task.

You already acknowledged elsewhere the comment where I informed you why the legal system cannot function as a credit reputation service. We had the legal system before credit scores, and we know what the outcome of that system was.

Even today, people (in effect) steal thousands of dollars from creditors, essentially for sport, by exploiting the FCRA and the procedural difficulty of enforcing contracts and collecting delinquencies. The courts are not a realistic option for underwriting consumer credit.

I think we're pretty much on the same page though, the civil courts are not functioning correctly in this regard, but to me that doesn't mean the credit industry is the be-all end-all solution to the problem.

We really should be improving our judicial system rather than letting private industry determine what we as a society should consider when someone wants to take out a loan.

"People who have paid back previous loans on schedule are more likely to pay back future loans on schedule" is not arbitrary.

That is already described via bankruptcy.

No it's not. You can be behind on payments without filing for bankruptcy. You can have a debt sent to collections without filing for bankruptcy.

There are all sorts of cases where a person is not trustworthy with money that do not show up in the public record. That's why credit bureaus came to exist, and although their business practices and data security leave much to be desired, I understand why they exist in the first place.

Credit bureaus came to exist because of this murkiness when it comes to contractual obligations. If you provide a grace period around a deadline, it's on you, and not something which should be punished against.

If they broke the contract, it's on you to bring them to court. Apparently companies thought it was too expensive to enforce contracts, so they decided to create this extrajudicial system.

My point is, if you can't physically pay your debts, you can file for bankruptcy. That is the public record.

The average duration of a contested civil court case is on the order of 2-3 years. The courts are not going to resolve even a significant fraction of delinquencies, and are not a real recourse in the main for creditors.

I agree! Until that aspect is solved, the standards of when you get reported and for what are entirely private, arbitrary, and have long-lasting effects on your overall wellbeing.

So, like, in a parallel universe where we reinvent the civil legal system, you might have a point? But in this universe, you concede that Equifax has a practical purpose?

I don't consider arbitrary systems practical. I don't define myself by what Equifax thinks of me, and neither should a bank. Unless a proper, accountable, civil system exists, call it for what it is: Bullshit.

I guess I can just accept that we're using different definitions of some of these words.

Arbitrary again.

To quote Inigo Montoya, you keep using that word. I do not think it means what you think it means.

It is arbitrary, why do you think it isn't?

Arbitrary means "based on random choice or personal whim, rather than any reason or system." Whatever problems you have with credit scores, they are robust predictors of people's likelihood of paying back loans.

Something can be accurate statistically but still be quite bad for those individuals for which it isn't.

Perhaps, but that thing will not be arbitrary.

That is not at all true.

You don't go bankrupt when you are late paying back a loan or miss payments or even default on a loan completely.

It's also blatantly unconstitutional because it discriminates against the sects of Islam that don't allow loans with interest (and that's the only way to build "credit").

The constitution only applies to the federal government. You might mean illegally discriminatory per the 1964 Civil Rights Act, which disallows businesses from discriminating on the grounds of religion. Even that, though, might only be applicable to Equifax's customers, since those are the businesses who would be denying service to people without credit histories.

Thanks, I misspoke.

IANAL but I still think Equifax itself is in the wrong. You can't expect businesses that deal in credit to skip due diligence on their customers. Equifax (and the other 2) get to define creditworthiness for all these other businesses.

> Equifax (and the other 2) get to define creditworthiness for all these other businesses.

They do not. The CRAs provide the information, and the individual businesses decide what their limits are. A lot of businesses standardize on FICO scores, which just use CRA data. So a business decides what's acceptable, based on the info from CRAs and the model from FICO.

That would be libel, then.

Realizing in my twenties that not having a credit card was hurting my credit score, that really summed up to me how loathsome and manipulative the entire system is.

For those who defend the credit history system, where was the consideration that I was mature enough to limit my spending and save for future expenditures rather than use a credit card? Where was the consideration to avoiding unnecessary risk entirely and still paying my bills?

Bankers' attitudes about it make it even more infuriating.

Whenever I'm at the bank I get asked, "Have you considered taking a credit card to start building your credit?" When I patiently explain why I can't do that, their response is usually to just reiterate how important it is and how irresponsible I'm being.

I've never seen a salesperson in any other industry do this. When I ask waiters for non-pork substitutes, they don't come back with, "Listen, I know you don't eat pork but you should get the bacon anyway because it's really good."

One time the lady asked me, how they are supposed to make money from zero-interest loans? How should I know? You're the finance expert. I didn't come in here looking for a loan. You asked me!

What I want to see out of this or future generations is a culture of never-debts, who responsibly save, invest, and not tie their entire lives to credit ratings, shiny garbage, and what wall street wants.

The biggest con job on the American middle class was the 401k though, how else could people be so fashioned against their own interests than to emotionally tie their future so intimately with how the stock market is doing.

I'm not holding my breath on things changing though...

Debt is valuable, man. It fuels growth. Frequently the guy who can do things isn't the guy with money. Debt is one means of the doer guy acquiring the money to do.

Debt isn't valuable, investment is.

How so? A CRA will just report that a loan is paid on time or not. If you can get an interest free loan, and you pay it as agreed, that'll get reported same as any other loan.

Really? Where can one get these "interest free loans?"

There are companies that provide "Islamic" or "Shariah-compliant" mortgages. I don't understand the model, but they claim there's no interest involved.

They buy the house for, say, $200,000 from the seller. They then sell it to you for $400,000, made payable in equal-sized payments over 25 years.

The key difference would be what happens if you stop paying. Otherwise it’s just a lease with a purchase option at the end. If you can walk away from the lease with no further repercussions, then I can buy that it’s not technically a loan. If the lessor can pursue you for further payments or charges you fees and etc, then it’s just a regular loan with built in interest rate, and it’s a childish way to attempt to get around “interest”.

Religion is full of these things, hermano. Here's another example: https://en.m.wikipedia.org/wiki/Sabbath_mode

Out of pure curiosity: why would someone who has no desire to obtain credit care if a credit rating agency hampered their ability to build credit?

CRA information gets used in any situation where there are payments over time, even if they aren't "credit" situations. Renting, getting utilities, etc.

Also, car insurance rates.

All the places I've rented only cared if there was an eviction on your record and I've never had an issue getting utilities -- sure, they usually want a deposit since I have a bad credit rating because I'm horrible at paying bills on time but they always give me service.

The last place I rented started the eviction process the very same afternoon the "grace period" ended -- think I was off doing reserve stuff that weekend or simply forgot -- and that caused me to not be able to move into a fancy apartment complex once upon a time (though, mostly, they were using it as an excuse to discriminate against a "dirty truck driver" who didn't fit the kind of people they wanted in their yuppie complex, which they basically told me) but my current landlord could care less, as long as you pay your rent (not necessarily on time) and don't cause any problems you're golden.

Why would an apartment owner want to rent to someone who had been evicted? I would assume that would be the #1 thing they look out for. An applicant who didn't hold up their end of a rental agreement is a strong indicator.

If your employer paid you late because they were "bad at paying their bills" you'd be pretty upset, as would most people.

You’re the perfect use case for the utility of credit reporting agencies by people who care about getting paid on time, which is almost everyone.

I'm not playing victim or making excuses here, just saying that the credit rating game isn't designed to discriminate against people who don't believe in usury (as the OP claimed) but to serve as a tool to warn against people like me who can't be bothered to fulfil their contractual obligations in a timely manner.

If I, in my perpetual slackitude, can acquire all the necessary things to live then someone who does pay their bills on time but doesn't believe in credit should have no problems at all is all I'm saying.

If you define the grace period in your contract, and they are a little late with a payment, punishing them for what you agreed to seems counter to the contract.

If they fall outside of the grace period, you should have a legal means to arbitrate and make it public record.

Yes of course. But when someone says they’re late, I assume it’s after the agreed upon deadline which includes a grace period (since that is the real deadline).

Not that it matters too much but IIRC they said you had until the 2nd to pay and the eviction notice was on the door at something like 4pm on the 2nd when I came home. I thought it was absurdly early and went and paid but didn't realize they went to all the trouble of filing with the courts until I was looking for an apartment a year or so later.

They were also kind of sketchy when I had to break my lease because my reserve unit got called up to active duty, apparently they were trying to say I had to keep paying until my mom (who was handling my finances while I was gone) threatened to get the army lawyers after them which made them change their tune real quick.

It affects your life in a whole lot of other ways. Car rentals, apartment applications, etc.
