Bill Brenner, writing on Sophos’ Naked Security blog:
To understand how bad the data breach at Equifax is, consider this: the US has a population of approximately 324m people. The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.
What kinds of customer data did the culprits access? Names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to Equifax chairman and CEO Richard Smith. In addition, he said, credit card numbers for approximately 209,000 US consumers and certain dispute documents with personal identifying information for approximately 182,000 US consumers were accessed.
Equifax apparently discovered this breach on July 29, and it’s huge — not only in quantity, but in the kind of information that was leaked. Equifax is one of three major credit rating agencies in the United States, and their reports have the power to approve or reject housing, transportation, and financial services for millions of Americans.
Moreover, the leak of tens of millions of Social Security numbers is likely to wreak havoc, as it’s basically a single birth-to-death numerical identifier for all Americans with very few restrictions protecting its use. Electronic Privacy Information Center executive director Marc Rotenberg, as quoted by Jason Koebler, Lorenzo Franceschi-Bicchierai, and Derek Mead for Vice:
It is important to emphasize the unique status of the Social Security Number in the world of privacy. There is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy.
Equifax: you missed a cc payment 3 yrs ago. How irresponsible. Good luck buying a home
Also, Equifax: Your SSNs were hacked. Shit happens
But wait — there’s more to this story. Anders Melin, Bloomberg:
Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.
The trio had not yet been informed of the incident, the company said.
So, to summarize: Equifax is a private corporation that retains extremely confidential records of tens of millions of Americans’ financial habits. They are disclosing this breach over a month after it was discovered. Members of their executive team sold nearly $2 million worth of shares shortly after it was discovered, and the company’s defence is that these executives were not informed of a major confidential data breach within several days of it occurring. Got all that?
Wait, what? Members of their executive team weren’t immediately informed?
Equifax is offering a year of their own credit monitoring services, but I’m guessing that the fallout from this breach will last for a decade or more, based on the size and scope of this data set.
At this point, it’s very likely that different pieces of your personal and confidential data have been leaked multiple times in the last ten years. The last couple of years have been especially bad for big breaches: you may remember that personal details from hundreds of millions of people were leaked from a Republican National Committee database, or repeated announcements from Yahoo, or announcements from various other social networks.
At this point, if you live on Earth and have ever used money or the internet, your personal information has probably been leaked.
And, yet, there seems to be very little accountability. Between nefarious incidents, corporate acquisitions, and information sharing agreements, user data gets shuffled around all the time with seemingly no restrictions or adequate protections. Your consent to do this is probably buried in the privacy policies that almost nobody reads before agreeing to.
There’s a lot to be despondent about, but I think the most worrying thing is that there is almost no incentive for Equifax or any other company to take user privacy seriously. The company has already lost about $2 billion in value, and they might pay millions of dollars in fines. But in a year or two, do you really think it will make much of a difference? Earlier this year, even after several major security breaches were reported by Yahoo, Verizon still paid nearly the previously-agreed price to acquire the company. I genuinely doubt that, in a year, Equifax will still be feeling the effects of such a huge breach of responsibility.