In short, the pension cash-out was handed over to a third party. And a primary factor that party used in establishing that I was indeed the beneficiary, when I called to discuss the details, was to ask me questions about my address history.
In fact, where did they get these details? From an outfit like Equifax, or from the same set of data brokers from whom Equifax acquired them.
The mitigations against such a breach are so obvious -- technical "lockdown" aside. Data rate/query limits. Ongoing auditing that targets anomalous data flows and data rates for mandated attention. Etc. Etc.
You don't have to have "perfect" technology. In fact, you should expect and plan for never having perfect technology.
It shouldn't have been too hard to pick up such a sweeping outflow of records; it should have become apparent that the request channel was (systematically, once you analyse and determine the specific system being used) working its way through the U.S. population.
As for Equifax, if I had my druthers, this would be a corporate death sentence. They've demonstrated a fundamental breach of trust and a fundamental incompetence.
Criminal investigators should squeeze them like hell, flipping smaller fish to fully determine the chain of command and responsibility that decided upon and implemented this catastrophic neglect.
As for the shareholders? Well, ultimately they bet on a company that has demonstrated itself a complete failure. They were happy to take the profits, including the greater profits made by not paying for proper systems and staffing. If their investment now evaporates -- well, I'm getting to the point of simply saying, "So be it."
A few shareholder "disasters", like this, and there will be a lot less pressure for laissez faire short-term profit maximizing, and a lot more for oversight -- internal and external -- and regulation that prevents them from being screwed by incompetently or corruptly negligent management.
"What check number did you use to pay the 13,753rd dollar of your car loan in 2001?"
"In 2014, you signed up for an American Express Gold card. Which version of Firefox did you use to complete the application?"
Recently I called to report a lost credit card, for instance, and the operator read through a list of 10 addresses. I had to confirm which ones I'd lived at at some point in my life, in order to verify my identity.
This is the first I've heard of this, and it's a different characterization than what one finds on e.g. Wikipedia (excepting the last section of that page). Still, I believe TFA. It's remarkable how often the impetus to "do something" leads to precisely the wrong thing being done.
[0] https://en.wikipedia.org/wiki/Red_Flags_Rule#Red_Flag_Rule_a...
So an example to emulate then!
Except: Estonia suffered an embarrassing blow to its much-vaunted ID cards that underpin everything from electronic voting to online banking [...] a security risk that affects almost 750,000 ID cards and that would enable a hacker to steal a person’s identity.
https://www.ft.com/content/874359dc-925b-11e7-a9e6-11d2f0ebb...
[1]: https://webcache.googleusercontent.com/search?q=cache:wP7nTG...
These companies earn revenue by selling access to a database of all humans, which ranks each of us as to how valuable/risky we are to profit off of.
Many companies are starting to make hiring decisions based on this data, and obviously whether or not you are worthy of a loan has been much of the purpose of a credit rating (and these loans are necessary for nearly everyone in the US, unless you're exceptionally wealthy).
Disputing an unfair or illegal mark against your credit is an absurd process with very little recourse.
This is far worse than what the NSA has done, in my opinion, and it continues without much criticism.
Obviously this giant hack of Equifax is a very serious issue. But why should these credit companies be allowed to keep this kind of data about us anyway?
What human right is being violated, and what treaty is that right listed in?
Article 23, section 1 and 2, and possibly 3: as to being judged by employers based on a credit score.
Article 25, section 1: It is not possible to afford housing without a loan, and most of the variables of a loan (and even more importantly: whether you are able to secure a loan in the first place) are entirely determined by a credit score. Note that ~75-90% of Americans are unable to purchase a home without a loan: https://en.wikipedia.org/wiki/Wealth_in_the_United_States#St...
More from Article 25, section 1: Many of the other rights given in this document (like food, clothing, medical care) are also not achievable without smaller loans (like credit cards, also unattainable without a decent credit rating or a significant amount of accrued wealth).
I'm sure there's plenty more, this is just what I've seen at first glance. But I want to thank you for making me aware of this amazing UN document. It's kind of amazing the number of economic rights this document secures for all humans.
1) Are we about to see the end of "Name, DoB, last four" as an authentication? (Damn well should if anybody can be me now)
2) Are the credit reporting agencies discredited as a business model? The other two are likely either hacked already or about to be, and given this standard of reporting we wouldn't know till months from now anyway.
Can't trust 'em, don't use 'em, don't trust anybody that does.
Oh joy.
With #2, nothing is going to change. The credit agencies' business isn't identifying people (as we are discussing, they outsource that to the government), it's tracking credit activity. And that works extraordinarily well from the perspective of its customers (the banks). If Equifax dies, Experian and TransUnion will just see more business. If they all die, the banks will find some way to do this for themselves.
Oh, a computer was involved. So hire the cheapest person you can find who can half make it work, let even the low level managers do whatever they want, and when it gets hacked blame somebody else. It's computers. NOBODY knows how they work!
Likely they may not be paying taxes, but have already found a way to circumvent the system such that they collect something (aid, EI, etc).
Old guy here. The reason I know my SSN by heart is that it was my student ID number in college and had to be given at the beginning of each semester to get my course list, later for grades, etc.
I had a credit union account from the 80's and as of the 90's my SSN was printed on each monthly statement.
Both were before the "digital age" and neither could be considered "in a locked filing cabinet" nor under my control.
I went to a well-known university and they used SSNs as student ID number until roughly 2001-2002. The first half of my university career, my SSN wound up on every Scantron sheet, exam blue book, and term paper I handed in. It was printed on the front of my ID, and even after they recalled old IDs and replaced them with non-SSN cards, the magstripe track data still had your SSN on it because some old dining hall POS system or something like that hadn't been converted.
It was like fish in a barrel for fraudsters, just root around in the trash after finals week and grab people's term papers. I had quite a few friends who discovered that during the time they were attending college, someone had opened a cell phone (or a credit card, in one person's case) in their name.
This was before the days of the free annual credit report law. So these folks never pulled their own files, and only discovered the fraud years after graduation, when they went to apply for a car or home loan and got denied.
Medical insurance companies commonly broke the law but skirted it by saying it was "optional", and of course not telling anyone about the option. At least several times when I applied for insurance, I filled in "Assign ID" and had to correct the first-level agent who insisted that I needed to provide an SSN. Patiently insisting that they needed to escalate the call, the first higher-level agents who knew would immediately accept it.
This sort of sloppiness, confusing an IDentifier with an authentication, has now gotten us into a world of trouble.
Didn't stop some professors from continuing to use them. I had one prof who would use the last 4 digits (oh, only the last 4, those aren't the most important ones or anything) as a way to post pseudoanonymous grades after tests.
I've done a lot to try and build my credit and protect my identity by restricting the information I give out. Now I can do nothing to protect it besides hope someone doesn't target me.
Anyone have ideas on how to ensure an identity is not stolen?
> Also known as a security freeze, this tool lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your file, they may not extend the credit.
I've never done this, but it sounds effective - although if you want to open another line of credit, you'll have to temporarily suspend the freeze.
All other solutions that purport to protect your credit are futile. Although I think some are now offering insurance as part of their guarantee.
I use Zander identity theft insurance. If my identity is ever stolen, they are supposed to take over all the hassles of getting me right. As well as up to a million dollars in damages including legal fees if necessary.
I have heard good things from customers who had their identity stolen. But I can't personally vouch for how well their recovery services work since I haven't experienced a theft yet.
The idea is that this information shouldn't be so sensitive because it isn't really secret in the first place. It also cannot be changed, so it doesn't really meet any reasonable criteria for authenticating information.
To quote the relevant top-level comment I had in mind:
> mikeash 2 hours ago
> If we're lucky, this will be the best leak of personal info ever. The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations. I've long thought that we should phase this out by committing to publish all SSNs (and the associated info, obviously, so it's not just a list of most 9-digit numbers...) which would force all these companies to stop treating it as confidential. The system is dumb and works poorly, but worked well enough that there was no impetus to fix it. Some people got affected by breaches, and it sucked for them, but it was always a small enough group that most people didn't care. Now that a majority of people's "secret" info is no longer confidential, maybe they'll realize they can't rely on it anymore. OK, the odds of this actually coming to pass are not great. But I can hope.
So if the SSN stops being considered as a combination identifier/authenticator, other government agencies stand eager and ready to plunge headlong into the same mistake.
The way around it is to pass a law that requires government agents and agencies to consider identifiers to be public, and authenticators to be secret, and that nothing can ever be both. The government could require itself to publish indexes of names to SSNs and SSNs to names, such that no stretch of anyone's imagination would ever generate a presumption that knowing the number proves you are the person to whom it is assigned.
The ridiculous assumptions made in the credit and credit reporting industry that are held out to be reasonable should never be allowed to hold up in court.