2.9B hit in one of largest data breaches; full names and SSNs exposed (opens in new tab)

Here's a fun thought experiment.

How much should National Public Data have to pay the people affected by this breach? The article says there are 2.9 billion people impacted. Let's take that at face value and assume that there are no duplicates in there. How much should each person receive? The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.

Now, in class actions, not everyone takes the deal. Most people ignore it or never pay attention to the notice. Let's say, very generously, 10% of those affected take the deal. That would be 290 million people. If you gave each of them $100, that would be $29 billion dollars. Do you think National Public Data even has that kind of money? What if we gave everyone just your $3? That's $870 million. I don't think this data broker probably even has that much money.

Your only real hope of getting a sizable payout from this class is either a) NPD is sitting on a mountain of cash or b) a very small percentage of users get paid. Anything else and the money isn't there.

When people say that there need to be criminal, go-to-jail type repercussions for not securing data, this is why. People value their freedom much more than businesses value staying solvent.

Planet Money just did a great episode on how class action lawsuits actually work, from both sides[1].

[1] https://www.npr.org/transcripts/1197961271

You don't get a check, you get a gift card for a credit monitoring service that you will never use because all your data leaks all the time already.

Motherfuckers asked my wife her SSN when she was getting a store card the other week. Not a credit card, a store card.

We "just" need to stop pretending they are secret like passwords and using them to authenticate that someone is who they say they are. Banks should not be issuing loans based on a bunch of personal information (including SSN) that the collected and concluded "Yup, that data matches itself--therefore you are actually you!"

I'd love to see the government force companies to stop treating them like an ID number that's secret.

Maybe they should allow people to request a new number any time they wish and even hold multiple SSNs. Or create a virtual number system like some credit cards have where you would give every company that asks for a SSN a unique number that only they have. It would be cool to be able to tell exactly who had the data breach when your number shows up in a dump.

SSNs have always been clear that they’re identifiers, not authenticators - it’s printed on the card! The problem are the businesses who tried to skimp by treating them as secrets, and they invented the mainstream concept of identity theft to make it sound like their negligence should be your problem.

The fix should be simple: stop taking companies seriously when they only used an SSN for authentication. Ideally there’d be a law adding penalties: try to bill someone for a loan authenticated only by common metadata and they have to pay the target a penalty fine, allow insurers to deny claims, etc. As soon as it costs them money, they’d suddenly find the money to check ID like everyone else.

There's a really good video by CGP Grey that touched on this:

https://youtube.com/watch?v=Erp8IAUouus

I'm more and more convinced that the only way to do this is the "Swedish way", make all SSNs public and/or available on request.

Until that happens, companies will still pretend they're private information.

You freeze your credit by making an account on TransUnion, Experian, and Equifax's websites. It sucks, and they suck, but it's free. Unless you take out loans quite frequently, there's no reason not to do it. My credit has been frozen for years, and I only ever unfreeze it for a month or two at a time when I need to refinance a mortgage or something like that.

In Poland you have a national ID card you carry with you if you don't have it with you won't get anything done anywhere. If you lose it/it gets stolen you have an obligation to report it. We have something like SSN number (personal id number) assigned at birth but it's not enough to get a loan or anything.

In Finland banks are the ones who usually handle the strong authentication (not necessarily just the initial one). They are required by law to know the customer. In-person authentication in the branch is required to be done via either ID card or passport, those can be requested from police and expire after 5 years. Driver's license is not official ID card. Logging into you bank account requires 2FA (I'm not sure if any bank sends codes via text messages, at least it's not very common).

It can also be done with ID card (which is a smartcard) or mobile certificate (https://mobiilivarmenne.fi/en/) if the service supports it.

Usually an identity card. In the EU this is an authentication mean but in order to be liable you must be present with the card at transaction time (i.e. a scan is not enough).

Then you have solutions of increasing robustness such as certificates for e-signature.

The national "id" (of there is one) is just to make it easier to find you. Poland has one, France does not have any for instance.

The problem isn’t the SSN but corporate responsibility shirking: they don’t want to check ID because that costs more, they want things like instant credit applications to allow impulse purchases, etc.

This seems to slowly be improving because so many people have been breached by now that they don’t enjoy the assumption of security. In the 90s, if they took you to court saying you weren’t paying a loan it’d be assumed that a crook wouldn’t have known your SSN but now it’s at least a lot more likely that nobody will believe that without additional proof.

They are claiming this is from a data aggregator called National Public Data, so it probably originated in many other places and contains a variety of different information depending on the source. So it includes SSNs for some people, but not every record is necessarily connected to a SSN.

"data including SSNs"

But 2.9B is a number so high that the only way it can be true is that they got some Facebook data or the method they used for scraping data led to A LOT of duplicates

I was wondering this, too. A nine-digit number can only represent 1 billion unique values. Even if you consider Employer Identification Numbers too that wouldn't add up. Probably they mean ID #s from other tax-ID systems in non-US countries, or some equivalent identifier. Maybe pooled with driver's ID numbers? I only have guesses.

The plural used implies that at least 2 people had their full name and SSNs exposed. The horror!

Ashley Maddison happened just under 10 years ago, that's as scandalous as it gets, and nobody cared either.

I'm with you on this.

At this point the only thing I think that could happen to change the status quo is a full blown war against a country that's going to use hacked data against the United States in such a disruptive way that the legislators would have to react due to national security concerns.

My oldest email has been exposed in 37 data breaches (so far) according to haveibeenpwned.com, not receiving more spam and/or threats than usual today or yesterday.

Names like this are so exhausting. See "Patriot Act" and "Americans for Prosperity Action".

You can request it from any of them. Almost all of them will deny the request because the CCPA is rarely prosecuted and because you can't bring any private lawsuits based on the CCPA. Even "real" corporations like Atlassian operate that way.