| In particular, I've observed reliance on address history, recently. I had a forced pension cash-out, from a place I last worked years ago, and that has since been sold to / merged (and perhaps remerged) into a different entity. In short, the pension cash-out was handed over to a third party. And a primary factor that party used in establishing that I was indeed the beneficiary, when I called to discuss the details, was to ask me questions about my address history.
In fact, where did they get these details? From an outfit like Equifax, or from the same set of data brokers from whom Equifax acquired them.
The mitigations against such a breach are so obvious -- technical "lockdown" aside. Data rate/query limits. Ongoing auditing that targets anomalous data flows and data rates for mandated attention. Etc. Etc. You don't have to have "perfect" technology. In fact, you should expect and plan for never having perfect technology. It shouldn't have been too hard to pick up such a sweeping outflow of records; it should have become apparent that the request channel was (systematically, once you analyse and determine the specific system being used) working its way through the U.S. population.
As for Equifax, if I had my druthers, this would be a corporate death sentence. They've demonstrated a fundamental breach of trust and a fundamental incompetence. Criminal investigators should squeeze them like hell, flipping smaller fish to fully determine the chain of command and responsibility that decided upon and implemented this catastrophic neglect.
As for the shareholders? Well, ultimately they bet on a company that has demonstrated itself a complete failure. They were happy to take the profits, including the greater profits made by not paying for proper systems and staffing. If their investment now evaporates -- well, I'm getting to the point of simply saying, "So be it."
A few shareholder "disasters", like this, and there will be a lot less pressure for laissez faire short-term profit maximizing, and a lot more for oversight -- internal and external -- and regulation that prevents them from being screwed by incompetently or corruptly negligent management. |