by neilv 726 days ago
Of course they leaked the data. Any seasoned techie could've seen that coming from the start.

One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence.

Then, gazing at the obliterated company, other companies will try to get legislation to let them off the hook, but some of those companies will decide the party of recklessness is probably over, and that they need to start acting responsibly and competently.


The problem is there are zero consequences for leaks. Customers should be owed automatic compensation for the companies giving their data away.
There should be nothing to leak. The record of verification should be a signature saying what was verified and how and when and nothing about the underlying documents/images/data off of which the verification was based.
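One way to build the "signature saying what was verified and how and when" from the comment above, as an added example that is not part of the thread: the document is consulted only to derive yes/no claims, and the stored record carries those claims, the method, the timestamp and a signature, but no document fields. The document layout, the verifier key and the use of HMAC (a real verifier would use an asymmetric signature so relying parties can check records without holding the secret) are all assumptions made for this example.

```python
import hashlib
import hmac
import json
from datetime import date, datetime, timezone

# Constructed key for this example. A real verifier would hold an
# asymmetric signing key; HMAC keeps the example stdlib-only.
VERIFIER_KEY = b"example-verifier-key-not-for-production"

def _canonical(obj: dict) -> bytes:
    # Deterministic encoding: the same claims always sign the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def check_document(doc: dict, asserted_name: str, today: date) -> dict:
    """Derive only yes/no claims from a parsed ID document (constructed layout)."""
    dob = date.fromisoformat(doc["dob"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {
        "name_matches": doc["name"].casefold() == asserted_name.casefold(),
        "age_over_18": age >= 18,
        "document_type": doc["type"],
    }

def issue_record(doc: dict, asserted_name: str, method: str,
                 verified_at: datetime, key: bytes = VERIFIER_KEY) -> dict:
    """Signed record of what was verified, how and when; the document is not kept."""
    body = {
        "claims": check_document(doc, asserted_name, verified_at.date()),
        "method": method,
        "verified_at": verified_at.isoformat(),
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}

def verify_record(record: dict, key: bytes = VERIFIER_KEY) -> bool:
    """Check that the record is authentic and untampered."""
    body = {k: v for k, v in record.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("signature", ""))

def leaks_document_fields(record: dict, doc: dict) -> bool:
    """True if any raw document value (name, DOB, number) appears in the record."""
    blob = json.dumps(record)
    return any(str(v) in blob for k, v in doc.items() if k != "type")

# Constructed sample input: a parsed passport, not a real one.
SAMPLE_DOC = {"type": "passport", "name": "Ada Example",
              "dob": "1990-05-14", "number": "X1234567"}
SAMPLE_TIME = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
```

If the record store is later breached, `leaks_document_fields` is the property that matters: only the claims and the signature are exposed, not the passport data they were derived from.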
That is needlessly complicated. The problem is the US federal government does not provide an identity verification API as an infrastructure service. And they easily could, using the USPS's physical locations and their workflow in processing US passport applications, which already involves identity verification.

Or even just coordinating the 50 states’ motor vehicle commissions or whatever since they are also verifying identities to issue drivers’ licenses and state identification cards.

A friend applied for a job in the UK civil service - you were required to verify your identity by giving data to a third-party, for-profit company (and paying for the privilege). All of the companies had recently had significant data breaches. One of them - right there on the government-provided guidance - lied about the company (Post Office) to imply a historied bastion of trust. It was blatant.

Verification could have been done using government data, but Tories have to also make a profit off of everything, so they instead chose to give every civil service applicant's data away to companies with a track record of data leaks.

Exactly this. Even non-civil servants are required to sign up with one of these services for certain government ID accounts.

I don't recall which it was now, but I had to choose from a bunch of providers (I selected Post Office) when I registered for something Gov related a few years back. I don't remember what now since I haven't used it since, but PO still has the details and provides auth for a government service for me. Insanity.

I do honestly think the real reason for this outsourcing is because the Passport Office and DVLA don't provide their databases for identity verification purposes, even to other government agencies, aside from say the security services and police.

Even in banking, where the government mandates thorough KYC/ID vetting, no APIs are made available by the government to actually verify that a copy of ID is legitimate. So you're left looking at whether it "looks" correct.

For better or worse, of course, but there's an argument to be made that the refusal of the govt to provide "ID verification as a service" is pro-privacy.

There are monied interests that do not want a tight American ID system.
It is more that the Federal government is Constitutionally prohibited from mandating such a thing, the most they can do is ask nicely and hope for compliance. Coordinating the several dozen States, which can do it, is like herding cats. This is further complicated because there are large factions of both Democrats and Republicans that are against it for a litany of unrelated reasons, so the resistance to it is robust and bipartisan.

It has little to do with "monied interests". It is primarily the product of nigh insurmountable legal and political hurdles.

Where does it say in the Constitution that the Fed can't operate a unified ID system?
The Federal government can build one but they can’t require it or make people use it, and an ID you can opt out of is useless. Only the States have that authority. This is settled law with a lot of precedent, and largely the reason the US has no national ID system no matter which politician runs the country. Courts have consistently held this to be outside the narrow Constitutional authority of the Federal government.

Having a mandatory Federal ID would require a Constitutional amendment, but since the States have refused to do it voluntarily it seems exceedingly unlikely that a super-majority of States would ratify an amendment that forces them to do it.

They can operate a national ID system. For instance SSNs and passports. They can also force states to do things (like RealID).
The constitution doesn't say what the federal government is disallowed from doing. The constitution says what the federal government is allowed to do, and they are not allowed to do anything it doesn't say.
I don't think you need to really coordinate all the states. Each state can provide their own ID verification system. Yes, it's a pain that every product wanting to use it will have to do 50 different integrations rather than one, but ultimately things will converge to a more or less standardized API (or a few of them).

Of course it's dumb that taxpayers will have to pay for 50 of these things through their state taxes instead of one of them through their federal taxes.

Then again, what's most likely to happen is that the states will outsource it to a private company like this one, and we're no better off.

> Coordinating the several dozen States, which can do it, is like herding cats.

... or a matter of finding the correct leverage. Drinking age 21, for example, got bullied through by threatening to cut highway budgets [1].

[1] https://en.wikipedia.org/wiki/National_Minimum_Drinking_Age_...

What are these monied interests, and what incentive do they have to prevent a "tight American ID system"?
What are they?
Agriculture and food processors want their undocumented workers.
The transition to documented humanoid robots might take less than a decade.
And one of the major causes of that problem is that there is no US equivalent to the GDPR, even as the current ID systems are being abused quite thoroughly. Until we have something like the GDPR to prevent companies needlessly demanding personal information, simply making ID verification easier would mean even more places asking for identifying information, using it to build even more surveillance databases, and eventually leaking it all. For starters, imagine that every website currently using SMS login nags as an excuse for collecting phone numbers would switch over to requiring full legal names, inescapable ID verification, and then hard linking their collection of dossiers with the rest of the surveillance industry.
Why co-opt USPS and not ID.me?
Because the US government already owns the USPS. And you need physical offices and employees everywhere to verify people in person.
> zero consequences

Zero fucks given: "None of those companies responded to multiple requests for comment from 404 Media."

Are you suggesting that bulk-buying a year of Experian credit report access for the few people who haven't already won a subscription from some other leak isn't a consequence? Or that being able to see your own credit report isn't compensation enough? Heresy!

/s

For various reasons I started to open a bank account with Mercury, before deciding to use another provider.

When I said I'd no longer be finishing the application and to please delete my passport info, first they ignored the second part. When I replied again asking them to delete my data they replied about KYC laws and assured me the data was securely stored of course.

At that point I gave up. Maybe they could delete the data if I fought, maybe their hands were tied, maybe me fighting would end up flagging my info as a money laundering risk. But I immediately imagined exactly this leak happening.

They're not the only vendor affected that had my data, nor is this breach the first, but that's the one that stings the most.

Anecdotally I'm being swarmed by text message spam for the first time in months. I have to assume people are running through new breach data to find live numbers.

Yes, their hands are tied. KYC requires the banks to keep the data for five years after account termination.

One of many, many shitty things introduced by the Patriot Act that we now just live with.

GP was never their customer, though. They started filling out the application to open an account, got past the ID verification step, and then decided not to complete the new account process.

Likely the issue is that they just didn't think of this possible case, and there's no way to delete the ID information, and the CS person didn't want to go through the extra work to find someone who could approve it and/or get it done.

I understood GP to have started but not finished the process of opening an account. Does KYC still require banks to keep the data in this case?
IANAL, so I'm not gonna attempt to interpret it, but here's how it's phrased:

> Recordkeeping. Section 326 of the Act requires reasonable procedures for maintaining records of the information used to verify a person's name, address, and other identifying information. The proposed regulation sets forth recordkeeping procedures that must be included in a bank's CIP. Under the proposal, a bank is required to maintain a record of the identifying information provided by the customer. Where a bank relies upon a document to verify identity, the bank must maintain a copy of the document that the bank relied on that clearly evidences the type of document and any identifying information it may contain. The bank also must record the methods and result of any additional measures undertaken to verify the identity of the customer. Last, the bank must record the resolution of any discrepancy in the identifying information obtained. The bank must retain all of these records for five years after the date the account is closed.

> a bank is required to maintain a record of the identifying information provided by the customer.

They didn't complete the application, though, and so were never a customer of the bank. So this shouldn't apply.

Search for their board and start the process with each one of them, as far as the public data allows.
They are probably outsourcing to a vendor who will do god knows what with it
"One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence."

Principled lawyer who knows about tech here: This won't happen.

1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)

Legislation could establish a standard of care here and make this kind of thing gross negligence, but that hasn't really happened yet.

It's also not obvious they owe a duty of care to anyone in the first place, without which negligence is impossible (at least regular old negligence) - this also needs legislative fixing unless you want to end up arguing about it forever.

2. Damages are basically all speculative - what is your actual injury here, and how much can you prove the value of it. Lots of people on HN love to say how much X or Y is worth. What can you actually prove in terms of real loss?

It's fun to argue speculative loss (i.e. the value of your personal information maybe being stolen in the future, etc.), but most cases are about real loss.

In practice where it's too hard to calculate we often end up with statutorily set damages. That also hasn't happened here.

Sorry to burst your bubble - without a bunch of legislation here, nothing is going to happen outside of the regular old class action lawsuits and $5 coupons.

> 1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)

How hard is it to find a single company which does it right to testify? And then the defense would have to find experts and several other legal counsels from similarly sized companies willing to testify that they also "do it wrong as a norm", with the extremely high risk of being included in the malpractice claim if the defense fails.

That single company will be setting an extra-ordinary standard, so that doesn't help you.
Not if you frame it as "look at this randomly selected company's pretty standard security practices"...
If you find a company with strong security, it won't be randomly selected.
> Any seasoned techie could've seen that coming from the start.

At this point, it's pretty safe to just assume that any personal data any company has about you will be leaked sooner or later.

I mean, if you live forever and cannot die by any means, your odds of getting stuck somewhere approaches 100% (fall in a pit, landslide, fall overboard on a boat, stuck in the sun, lost in space, etc).

I imagine it is the same for data. The longer it is available, the more likelihood of it getting out of the company.

> make one of these companies truly pay for their gross negligence.

I think our whole industry is rotten and we need to drastically rethink a lot of what we do. This is unacceptable and it shouldn't be this hard. We need a reckoning.

We might, but until the average person considers it an issue (and the Equifax breach[2] proved it is merely a cost of doing business[1] -- ~400 million out of $3,362 million profit in 2017), it will not be an issue. I am annoyed, but I have been annoyed for a long time. I am just waiting for the rest of the non-technical people to catch up, because it eventually should. But then... I am an optimist.

[1] https://www.ftc.gov/enforcement/refunds/equifax-data-breach-...
[2] https://en.wikipedia.org/wiki/2017_Equifax_data_breach

It's kinda impossible to give out DL, SSN, etc. to so many companies and not have it leak. If these theoretical lawsuits scared companies enough, they might pay some centralized third party to handle the verification for them, but bad things follow from that.

The federal and state governments hand out these IDs in the first place. Shouldn't they be the ones to verify them?

Honestly, I hope Ron Wyden (I think his name is, US politician) takes this up - he has previously done excellent work calling companies to be accountable for such invasive and insecure practices
Problem is, "Evil Hackers" always get the blame rather than the negligent companies, who play the victims. They trot out all the usual flawed analogies about locked doors and burglars, to excuse their negligence, and it works! So, the only legislation we ever see is to be Tougher And Tougher On Hackers instead of holding these clown companies responsible for the data they act as custodians of.
For negligence to arise there must be, inter alia, duty and proximate harm. I think you'll find the identity services have a duty to their contractual partner, the website, but not to the victim whose identity was stolen. And there's a circuit split as to whether any of these people were even harmed.

While litigation seems appealing, the answer here is legislation.

Sometimes there's probably negligence involved; sometimes not. You don't know without having access to the specifics. Always blaming "negligent companies" is just as wrong as always blaming "evil hackers".