Hacker News
by auslegung 2728 days ago
It depends on what you mean by 'etc'. The problem might not be in a single leak, but with enough leaks people can get access to all kinds of PII (personally identifiable information). It's important to me that my physical address not leak, I don't want people or packages showing up that I didn't ask to show up.

If your important numbers (in the US that's passport, social security, and driver's license) get leaked, it becomes easier and easier for someone to commit identity theft and open credit cards in your name, which you will have to pay for with either money or a lot of time proving it wasn't really you. Or they can get traffic tickets in your name which will become a warrant for you.

And if they know enough about you (address, likes and dislikes, etc.), it becomes much easier to socially hack (https://en.wikipedia.org/wiki/Social_hacking) you. Any security is only as strong as its weakest link, and social hacking has been used to get access to people's bank accounts, email addresses (doesn't sound scary, but if someone has access to your email, they likely have access to all of your accounts because they can trigger a password reset, intercept it, set a new password, then lock you out), and a lot of other things.


The relation between full name, telephone number, and physical address is not secret at all. Sometimes I feel like I'm the only person who grew up with a phone book.

The financial sector abuses some of the more obscure facts about people (SSN, DL/passport number, bank account number, address history, mother's maiden name) as authenticators. They aren't. In the short term, someone can create a lot of bureaucratic hassle for you by knowing these facts. In the long term, institutions will adapt to the reality that knowing them no longer proves anything.

The stuff you should really care about, IMO: Contents of private conversations. Interests and opinions expressed online that could harm real-world relationships. Habits and characteristics that could signal insurance, credit, or crime risk. Political activity far from mainstream. Relationships with controversial or high-risk people. Evidence of excessive wealth for your context.

The fact that a person with your metadata exists and does normal life things like having a home, a job, a cell phone, and a bank account is always going to be well-known. This information is more or less neutral. The real secrets are those which might prompt some actor (friend, lover, ex-spouse, family member, boss, insurance underwriter, lender, police, secret police, conman, vigilante, person who is wrong on the internet, etc.) to turn against you, or to do worse damage than they would otherwise.

Kind of wish the EFF or some group similar would sue or push to have the law require not using that info as ID with fines for non-compliance.

It's inexcusable that someone can pretend to be you, sign up for stuff at various services, and somehow that ends up being your responsibility to fix. It should be the various businesses who failed to correctly identify you, and they should be financially liable, not you who had ZERO to do with it.

We'd need a stronger government-backed identity/authentication scheme to replace it, which civil liberties groups like the EFF vehemently oppose.

Do we need government-backed ID? Is there no other solution?

As long as there are property rights, contracts, and taxes, yes. Whatever the courts accept as proof that you own an asset or owe a debt is government-backed ID. We only choose the quality and security properties of that system.
> It's important to me that my physical address not leak

How do you avoid the people-search sites coming up in Google? When I search my name, Google instantly provides several Whitepages-like sites with my full name and address. Some of them (actual Whitepages included) provide options for removal, but there are so many and they all pull from the same source that it's a losing battle.

Your address is a matter of public record. Obviously one should be much more worried about SSN, passport numbers, and other government-issued UIDs.

There are leaks and there are leaks. Something like OSNews having a breach is a case of who cares. If it's important info (SSN, driver's license, passport #) then any company leaking such info should be hammered with a $1m fine per leak for each person. These companies which leak valuable information must suffer intolerably so that they never, ever do it again. That means making examples of those companies early in the cycle by having some go to the wall as that's the consequence of such.

I'd also like to see executives be personally liable for the fines too.

> It's important to me that my physical address not leak, I don't want people or packages showing up that I didn't ask to show up.

What is the likelihood of being a target of this? Are there people out there that you expect might want to mail you an unexpected package or stalk you at your home?

I get that there are people who have stalkers and such, but for the average, random person, what is the likelihood a criminal is going to pick their name and address out of some leaked information and...what? Mail them a bomb? Travel from Estonia or wherever the hacker lives to burgle a house in the US? Why? There's no point to doing that.

>What is the likelihood of being a target of this? Are there people out there that you expect might want to mail you an unexpected package or stalk you at your home?

As we see in the instances of so-called "revenge porn", you don't have to be famous to be the victim of these tactics. It just takes one person who becomes annoyed enough to use some of these tools and then you're left with an expensive and time consuming mess.

Did you have a nasty break-up? Fire someone? Do you have a business rival who would like to see your reputation ruined? Did you leave a comment on a website that just happened to offend the wrong person [1]? The tools to completely ruin your life are becoming easier and cheaper to wield, and the costs of defending against them are only increasing.

Even if the likelihood isn't high, the consequences are severe enough that you should take the risk seriously. Objectively, the likelihood of you getting robbed isn't that high either, but you lock your doors and don't leave valuables sitting out in your car either.

[1]: https://gizmodo.com/when-a-stranger-decides-to-destroy-your-...

EDIT: note that in the link above, the attacker wasn't even using non-public data. Imagine how much more damage someone with the ability to gain access to bank accounts, etc. could have done.

> Did you have a nasty break-up? Fire someone? Do you have a business rival who would like to see your reputation ruined?

If you were dating someone, worked at the same company, or even in the same industry and know the same people, they do not need a data leak from Marriott to get your address. That has nothing to do with data leaks.

Maybe, maybe, you could conceivably piss off some Mr. Robot Darknet-wizard on a forum who would then spend hours combing through leaked data to try to figure out who you are so they could mail you some anthrax, but I'm going to put that at "get hit by an asteroid" level of things to worry about.

As far as "take the risk seriously", what is there for an individual to do? I have zero control over the data security practices of Equifax, Marriott, or any other major corporation. I can just avoid their services, but that would basically entail living completely off the grid and being a hermit. If it were something as simple as locking a door, or putting your backpack in the trunk, yeah, people would do it. But all of this "the sky is falling, freak out now!" propaganda, comes with absolutely zero actionable items that the average person can do. I'm not going to waste my life being worried about things I have no control over.

> Maybe, maybe, you could conceivably piss off some Mr. Robot Darknet-wizard on a forum who would then spend hours combing through leaked data to try to figure out who you are so they could mail you some anthrax, but I'm going to put that at "get hit by an asteroid" level of things to worry about.

The entire point of that article I linked was that the person doesn't have to be anywhere near you to cause you real damage. The woman who posted the false allegations to the homebreaker site was thousands of miles away. Heck, if you look at instances of "swatting" [1], it's entirely possible to put people in mortal danger from thousands of miles away with little more than a phone. Are the people who are doing the swatting "Mr. Robot darknet wizards"? No, they're bored viewers of Twitch streams who think getting someone potentially shot is a barrel of laughs.

> I'm not going to waste my life being worried about things I have no control over.

And this is why data-breaches will remain depressingly normal for the foreseeable future. Companies know that there are zero consequences, specifically because of this attitude. If data breaches were treated like chemical spills, companies would be much more proactive and careful about what data they collected, who they shared that data with, and how they secured that data. But companies know that consumers don't care, because "It's only data," and as a result they will continue to underfund data security and make us eat the externalities in the form of having to spend time and money getting transactions reversed.

[1]: https://mashable.com/2017/12/29/swatting-death-andrew-finch/...

The article doesn't say how the swatter got the victim's address. Were they somehow able to cross-reference the streamer's Twitch ID with their credit report in the leaked Equifax data? If not, I'm not sure what one has to do with the other.

> If data breaches were treated like chemical spills, companies would be much more proactive and careful about what data they collected, who they shared that data with, and how they secured that data.

Actually, on a personal level, I am treating data breaches exactly the same as chemical spills. I personally have about as much influence on one as the other, which is to say, none. If a law comes along, I'll support politicians who vote for it, but that's about it. Again, what precise, actionable steps are you proposing for the average person to do? I'm looking for something besides "be scared and angry all the time" because that is as unpleasant as it is ineffective.

I worked in a prison facility for three years, where all the inmates knew my first and last name, which is unique (I'm probably the only person with my first/last name in the world). If you google me, you can find my entire immediate family, including home address, home worth, names, occupation, ages. Many of the inmates were able to observe my car make/model/license plate, my arrival and departure time to work, etc. Though I had good rapport with the inmates and believe I did right by them, I still have a nagging fear that a released inmate could track down a family member or show up at our home. These are not dumb people. In fact they are quite creative with plenty of street smarts.

I am not a unique/unusual/margin case.

Saying "there are some people who have stalkers and such" discounts large swaths of (mostly) women who have been victimized, far more than a non-victim would ever realize.

This is a very real concern for more than an insignificant number of people. We are just people who you would not necessarily realize exist.

I'm touched that the e-stonia marketing campaign has ended up at the point where people think hackers only come from Estonia. But do not worry, your house is safe - we only burgle jewellery shops in Finland.

> It's important to me that my physical address not leak, I don't want people or packages showing up that I didn't ask to show up.

Because you think your physical address doesn't otherwise exist? Or are you talking about packages personally addressed to you?