by alwa 717 days ago
It says the company claimed that the credential leak was discovered and remediated 18 months ago, meanwhile the leaked credentials were still working as of a month ago.

Is this level of governance and sophistication really typical of vendors in this space? Sprawling enterprises I can imagine losing track of the odd place or two where the credentials are used, but a vendor who only does one thing, specifically a high-trust thing like this?

Even if they don’t have the wherewithal to be thorough in-house, am I confused to imagine that such a firm would have to carry insurance, which would tend to bring in specialists to make sure this kind of remediation is done right?

4 comments

It's not a high-trust thing; these vendors exist largely because it gives the organizations with direct relations with consumers a step of removal when a breach occurs. They are blame-outsourcing firms.
Sure, but companies also don’t want to deal with building the system themselves (especially if you want to support multiple countries) and dealing with potentially doing something wrong like violating anti-discrimination laws.
Surely you have some responsibility to vet your supply chain.

Not to say that your vendors have to be perfect, but if they have a known credential leak for 18 months, that's pretty negligent.

Yes, it's very typical. There are almost never any consequences for actions like this.
Why are they keeping a copy is what I'd like to know. It's enough to know they checked it and verified it, so then they can delete it. Why keep copies at all? Or at least blank out critical parts that aren't public knowledge. This is so stupid.
Retention policies are likely set by the client. That’s how it works with the vendors I’ve worked with in this space, but I haven’t worked with this specific vendor.
Probably because government regulations require it. I know it's a requirement for AML/KYC which many of these companies are subject to.
Maybe but why are they still hot?
They have to be hot, otherwise they couldn’t monetize that data in every other way.
Hot?
If you need to check someone's government ID, you probably expect to have to go to court or otherwise deal with the government over it at some point. Being able to show why you thought it was someone, not simply that you thought it was someone, is important.
Even notaries don't need to keep copies of licenses or selfies on hand for court, just their notarial register.
Notaries have legal authority to affirm positive identity. If these companies got notarized documents from each of their customers, I really doubt they'd hire this company.
... but the register can be used as evidence in court.
You're right, and I think it's wrong to do it this way.

We have various private companies taking copies of our ID; in the UK, you'll have scans of your passport/driving licence taken for various reasons.

We shouldn't have to trust them to get it right; and I suppose the threat for them is fines if they don't, but it's not good enough.

Probably a more solid solution would be to offer a government ID service where these companies check against a central database that already holds your information, and then they have to keep nothing.

If I hire a car, I provide the rental agency a code that gives them temporary access to my driving record to ensure it meets their requirements. It's a one-time code; I request it when required and provide it to them. Something similar could be adopted for other purposes if they have a legal requirement to verify your identity.
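The one-time share code described in the comment above, as an added Python sketch that is not from the thread or from any real government scheme. The registry record, the agency's acceptance rule and the 600-second code lifetime are constructed assumptions; the point is that the code is single-use, time-limited, scoped to the fields the holder authorised, and the verifier ends up holding only a receipt of the check, not a copy of the record.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample registry: the authoritative record stays here, never with the verifier.
REGISTRY = {"DL-123456": {"name": "A. Example", "licence_valid": True, "penalty_points": 3}}


@dataclass
class ShareCodeIssuer:
    """Government side: issues one-time, short-lived codes at the record holder's request."""
    ttl_seconds: int = 600
    _codes: dict = field(default_factory=dict)

    def issue(self, subject_id: str, scope: frozenset, now: float) -> str:
        code = secrets.token_urlsafe(12)  # unguessable, not derived from the record
        self._codes[code] = {"subject": subject_id, "scope": scope,
                             "expires": now + self.ttl_seconds, "used": False}
        return code

    def redeem(self, code: str, requested: frozenset, now: float):
        """Release only the requested, authorised fields; exactly once, before expiry."""
        entry = self._codes.get(code)
        if entry is None or entry["used"] or now > entry["expires"]:
            return None  # unknown, replayed or expired code
        if not requested <= entry["scope"]:
            return None  # verifier asked for more than the holder authorised
        entry["used"] = True
        record = REGISTRY[entry["subject"]]
        return {k: record[k] for k in requested}


@dataclass
class RentalAgency:
    """Verifier side: decides, then keeps a receipt of the check rather than the data."""
    issuer: ShareCodeIssuer
    receipts: list = field(default_factory=list)

    def check(self, code: str, now: float) -> bool:
        fields = self.issuer.redeem(code, frozenset({"licence_valid", "penalty_points"}), now)
        ok = bool(fields) and fields["licence_valid"] and fields["penalty_points"] < 6
        # Receipt shows a check was made and its outcome; it holds no copy of the record.
        self.receipts.append({"checked_at": now,
                              "code_hash": hashlib.sha256(code.encode()).hexdigest()[:16],
                              "result": ok})
        return ok
```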

I agree that it's a bad approach, though I'd be skeptical of a technological solution. And while a centralized government ID service would solve those problems, it would probably cause a pretty huge privacy backlash. I don't think there is a clean solution here.
> but a vendor who only does one thing, specifically a high-trust thing like this?

They're not in the business of being trustworthy or secure; it's just another software shop trying to grow product.

> which would tend to bring in specialists to make sure this kind of remediation is done right?

Ideally, sure. In reality an insurance company has many thousands of customers; they can't possibly do any real assurance beyond basic compliance. Managing access and credentials is a hard problem for well-staffed security teams, let alone a single compliance auditor.