I think you are missing something. Here's what's needed to initiate your TransUnion freeze:
To set up a security freeze with TransUnion, please visit our online form. You should be prepared with the following types of information:
1. Your full name, including middle initial and suffix, such as Jr., Sr. II, III
2. Social Security Number
3. Date of birth
4. Current address
5. All addresses where you have lived during the past two years
6. Email address
7. A copy of a government-issued identification card, such as a driver’s license or state ID card, etc.
8. A copy of a utility bill, bank or insurance statement, etc.
So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.
The problem is these companies, whom none of us ever chose or nominated to collect our data, are careless with our PII. And until some accountability is added into the system, this will continue.
I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.
> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.
Nope. Ain't gonna happen. Financial crime pays, big time! No one goes to Jail. They usually have an investigation followed by a hearing in Congress (if it is "BIG" enough), then come back and pay a fine. Media will report the fine as "MILLIONS OF $" but the fine hardly makes a dent in the Bank / Financial institute's coffer.
W.r.t. this particular situation, here's a story that just broke.
Of the three letter agencies, the IRS and the SEC are particularly ruthless. They can only enforce what Congress will allow, unfortunately, so that leads to bigger fish not being fried up.
Equifax can handle its internal management and operations however it wants.
Externally, though, I want Equifax to have to pay a fine for every individual whose information was compromised. Identity theft can easily cause five figures worth of damage, so $10k per individual would be fair. Maybe as a warning shot we could lower this to... $1k? $100?
That's the only way to properly align incentives so companies will proactively defend against attacks like this.
This thing called "Identity Theft" does cause damage, but it's important to remember that if fraudsters trick a bank into thinking they are you, it is the bank's fault for failing to properly verify it was actually you. Doing so would cost them more money and it is much easier to do cursory checks instead.
No doubt fraudsters impersonating you is a hassle and you must spend some time and money dealing with it if you are targeted, but do not lose sight of why it happens and who is ultimately responsible.
It hurts everyone foolish enough to still do business with the bank after they jack up their fees to pay for it. Or in jurisdictions where a small number of banks are given a monopoly, or competition is otherwise discouraged, it hurts everyone.
$1k, $100, that's far too low in my opinion even for a warning shot.
As someone who has had their info leaked by two universities before, both of whom subsequently paid for multiple years of credit/fraud protection, the sheer pain and stress of having random credit cards frozen and need to be replaced is worth far more than that dollar amount of my time. This is potentially messing with people's livelihoods with long term lasting effects.
If monetary sums are given out, then I hope a fair amount is given out instead of a warning shot. Those tiny figures won't help at all and effectively send the message that companies are more important than the people they serve.
Perfect. If they're in the business of selling access to sensitive information and cannot keep said sensitive information safe, they should not be allowed to continue to leak that sensitive information.
I would not doubt a class action lawsuit results from this, and I'd be very surprised if Elizabeth Warren didn't pursue congressional action against them (although not officers of the company unfortunately).
And then I'll get six months of free credit monitoring from Equifax? Oh boy!!1!
More seriously, this is a breach big enough that Equifax should honestly no longer exist as a company. So call it $100/incident, and I'm happy. Other agencies would still exist, and, although they're just as terrible, it might get them to kick their asses into high gear to fix their security.
Maybe, the suggested demise of Equifax, the extreme perpetrator of neglect in this particular case, should lose the ability to print money, much like Symantec and other SSL cert issuers (identity certifiers) for their recklessness; perhaps that doesn't go far enough.
Maybe the whole commercial enterprise of credit reporting (and identity verification) needs to be dramatically reworked in a more modern, sane design, with different governance and oversight.
> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay.
The issue here is likely related to business units that were acquisitions, with the breached product in question having been developed pre-acquisition by a code farm staffed by interns in some developing nation. I spent a few years trying to unfuck some of those messes and moved on.
It's more a problem with their reckless growth over the last decade than anything. (ed) Due diligence is obviously lacking, but I can personally attest that nobody in senior leadership there willfully ignores matters of security once it becomes known.
We don't know if this has anything to do with any acquisitions - this is a conjecture, at best.
At any rate - I don't care. I never gave Equifax permission to collect my personal data. I certainly never gave them permission to store it in a way that it can easily be hacked. If you buy a 3rd party company, "unfuck" and harden their software BEFORE you let the data flow in.
Allowing data to slip out is negligent. If you're in the army, or the intelligence community, you get punished for this. It's about time the private sector felt some sort of accountability.
This so much. The stream of corporations passing the buck into a black hole of irresponsibility needs to end now. If people aren't held responsible, they will continue to make these failings without pause. I hope everyone is writing their legislators and congresspeople right now. They listen more than even my disillusioned self thought. They just might have bigger incentives to act otherwise. But if they don't know, they can't even choose to be corrupt or not; they are ignorant by proxy. Communicate to your leaders, and remember their response when you vote.
The best way to punish them is for us all to organize and create a Proposition that bans them from being a credit bureau, etc. If this passes in California, it will destroy them as a company.
The problem here is that they've expanded their core business to be so pervasive, they're no longer reporting on just your credit history-- they've also moved into the employment history, salary history, etc. space. So you kill their financial tentacle, they'll still be collecting intelligence for other purposes.
> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
Since core business was unaffected (nobody hacked the mainframe), I guarantee you some crappy product they acquired got compromised.
And like it or not, you do give them permission to collect your personal data every time you authorize a creditor, utility or employer to run a credit check. Never sign up for utilities, loans, credit cards or get a job and then you'd have a case for privacy.
It could also be related to how they sell things. Given how commonly they redistribute this data I wouldn't be surprised if it turned out to be something like a customer portal where they can say it wasn't core because the attacker couldn't have altered data, etc.
Oh, good, it wasn't their _core_ business. What a bullshit copout - you acquire a company, you own it, warts and all. Who's worse, the crappy company or the company that acquires it and continues to operate it without fixing it?
You probably did if you have any sort of bank account or loan or job application or rent. It's pervasive in contracts/agreements that they report to partners and credit agencies.
If that were the case, then who approved the acquisition? Who did due diligence on it?
Suddenly letting a bunch of untrusted, poorly audited code run on your infrastructure is itself a massive security breach. And even that doesn't explain how data was extracted for two months with no one noticing.
That's not nearly enough, considering the reach and impact this could potentially have. These people need to be getting life prison sentences before security is finally taken seriously enough by executives.
It's high time we had an equivalent law to Sarbanes-Oxley for security.
S-O made sure that when a C-level type guy signs a report, he knows his ass is on the line in case an illegal transaction just occurs under his nose. If your company deals with PII, I want that data to be treated as important, if not more important, than the company's funds. If you lose it, and you had any say in security (or lack thereof), you should do time.
> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.
To what end? As has been pointed out they have all that info anyway so it's not like you're making the situation worse.
But more importantly, if your credit is frozen who cares? What are they going to do with your SSN? Get a loan? Get a CC? Buy a house?
That's the point of a freeze, it makes your PII less valuable.
The actual concern is about the PIN. Because surely they could go through the trouble of PIN recovery to unfreeze your credit and then make use of it. But considering the numbers game, it's not worth their trouble vs all the unfrozen accounts.
> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.
The Equifax site appears broken in at least some browsers. Transunion wants me to sign up for an online account, and Experian charges a $10 fee in my state to place a freeze.
All three want to collect my name, DOB, SSN, etc. _again_ in order to sign up.
This is complete and utter BS. Credit reporting agencies are one of the greatest/worst rackets in the modern financial system.
"You could be at GRAVE RISK because we accidentally leaked your personal information. Please give us all of your personal information so that we can tell you if you were affected."
It's almost funny, in a way. What, so I can become affected if I'm not already?
I don't understand this. Equifax claims they just leaked my SSN, Drivers License, and other pertinent data to everybody. How would they possibly confirm that I am the one lifting the 'freeze'?
And what happens if I call to unfreeze but have lost the PIN? Can I never get a loan again for the rest of my life? Or is there some way around the PIN - perhaps only requiring the already leaked information?
You call them up... but this will probably no longer work b/c of the data breach. Otherwise you snail mail them a letter with a govt ID and they send you a new PIN.
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo...
https://www.transunion.com/credit-freeze/place-credit-freeze
https://www.experian.com/freeze/center.html