Equifax mega-leak: Security wonks smack firm over breach notification plan

Credit reference agency Equifax has been criticised for its breach response in the wake of the disclosure on Thursday of a megahack that affected the data of up to 143 million people in the US alone. The credit reference agency admitted that criminals may have been able to access data including names, social security numbers, …

Go to the organ grinder..

There's no way that I'm signing up and waiting to find... oh wait. The unwashed in the UK don't even get to do that.

They've a UK presence. So complain loud and hard to the ICO direct. There is no route to complain direct to Equifax so you've exhausted their complaints route. If there are enough complaints at the ICO every single time there is a breach maybe just maybe they will get off their fat backsides and do something.

Also ask if your financial companies use Equifax. If they do, start withdrawing your services from them and tell them why. Make them care by affecting their bottom line and maybe stupid stuff like this will actually get dealt with.

30
0
Anonymous Coward

Re: Go to the organ grinder..

It's a nice thought but Experian/Equifax are used by nearly everyone, so you can't avoid them. Also it's not just financial companies anymore, they hold data on all your payments to utilities and services. It's a crafty way to build up better profiles by offering exchange of information with companies. I remember years ago when working in Telecoms they started doing it.

21
0
Silver badge

Re: Go to the organ grinder..

However this shouldn't be allowed after 25th May 2018 as the UK version of GDPR will be in place. You can refuse to have your data shared with Equifax and the company involved cannot withhold a product from you unless they can prove it is required for the purposes of fulfilling a contract.

They may be able to claim justification for the contract bit in gaining your credit profile, but them creating extra information beyond that on your profile, or the credit reference agency utilising it for marketing or selling it, would not be allowed.

8
0
Anonymous Coward

Re: Go to the organ grinder..

Can you complain to the ICO if you don't know if you've been affected? The ICO obviously already know about the breach so until they state who was affected you can't take a complaint much further.

5
0

This post has been deleted by its author

Anonymous Coward

Re: Go to the organ grinder..

No you are wrong and it is very different to the DPA. Under the DPA customers who had a relationship with a supplier were fairly free game when it came to further utilisation of their data as long as it was specified in their data protection registration.

I never said it was contractual arrangements - as in you can write it into a contract, it was for the contract bit of the GDPR (Section 6(1)(b) to be precise).

this states: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Which is the reason they will use as justification for the requirement to make use of a credit reference agency .

Legitimate interest is not as broad as you seem to think it is. There is a significant caveat: "except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." If you look at the guidelines relating to this clause you can see that it is very limited in scope - you can't just declare that we have an interest in marketing to our customers so we can carry on doing it.

The primary justification is definitely that explicit consent is required and preferred. This can't be in a privacy policy or general terms and conditions. Therefore if I do not state that my details cannot be used for marketing purposes, then they can't and a service can not normally be withheld because of it.

If you think the DPA and the UK version of GDPR are functionally the same then I suggest you go back and read them carefully soon, because you may have a rude awakening and the fine is not to be sniffed at.

4
0

This post has been deleted by its author

Silver badge

Re: Go to the organ grinder..

Nobody knows how GDPR will pan out yet, and what the courts will consider acceptable under the legitimate interest justification.

Google and Equifax will be arguing for liberal interpretation. I'm hoping that the AC above is correct. It's hard to see a legitimate interest in banks sharing transaction level information just so they can be members of a club though.

1
0
Silver badge

Re: Go to the organ grinder..

Sorry, been thinking about this a bit more. The banks (and Facebook and Microsoft) all rely on a consent clause in the contract at the moment. That means that they currently don't believe that the necessity criterion is met (or that there's no harm in requiring consent just in case) even under the UK's more lax interpretation than other EU states.

If that's the case then the necessity justification won't be available post-GDPR either, because nothing much is changing there, and they'll have to rely on one of the others. It's not life or death, there's no public interest, preventing crime is a stretch so there really is only consent or a very optimistic "legitimate interest".

0
0
Anonymous Coward

Re: Go to the organ grinder..

"Direct marketing is specifically called out in the GDPR as a legitimate interest..."

No it isn't; the only place is in recital 47, although that states "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." The key is the 'may' bit, which has been discussed ad infinitum on various channels. The consensus is that this only applies if it would not have been possible to get explicit consent at that time, and definitely does not apply to a second level recipient of that data.

The whole point of explicit consent was to allow the data subject to decide what their data could be used for. If a company was allowed to override this just by saying it was in their interest then this would negate the need for explicit consent in nearly every case.

Quite a good break down of it is here: https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/

Which states:

"Therefore, marketing and sales organizations would be ill advised to skip consent collection and instead rely on legitimate interests to justify, for example, tracking prospects’ online behavior based on site visits, email engagement, IP address location tracking, etc. to show behavioral ads or create sales lead scores.

For those insisting on the possibility of a blanket, categorical affirmative interpretation of this last sentence as absolving all direct marketers of the need to ever obtain consent, Recital 70 firmly rejects this possibility:

(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

It is therefore unambiguous that direct marketers must obtain consent as a rule, unless they are able to prove legitimate interest in particular cases where data subjects reasonably expect such data processing to take place, as outlined in Recital 47."

Finally you mention the ePD but that is not the UK law. The UK law is PECR 2003 (latest amendment 2016), which was putting the ePD into UK law.

There are no grounds for you to apply for a financial service and end up having marketing sent to you from a third party company due to your inclusion on a credit reference agency file without your explicit and unambiguous consent.

1
0
Trollface

Re: Go to the organ grinder..

Only folks with low credit scores complain about Equifax.

0
4
Anonymous Coward

Re: Go to the organ grinder..

Wait until July 2018. Sue them then. It'll be a whole lot easier.

0
0

Re: Go to the organ grinder..

Under GDPR Legitimate Interests will become the refuge of the terminally desperate.

0
0

Re: Go to the organ grinder..

Interestingly, none of the responses in this otherwise rather good geeky brainstorming thread have addressed any of the three biggest GDPR vulnerabilities of the data brokers. Keep working on it, folks. It's going to be fun.

0
0
Silver badge

Alternatives

I've come across this marvelous alternative to online credit. It involves small paper tokens. You can exchange some of the tokens (called cash) for a secure storage facility called a mattress - a one-time expense, no recurring charges.

16
8
Silver badge

Re: Alternatives

This isn't about credit, it is about credit scoring. They'll hold information on you anyway if you have had any transactions with any of their customers.

12
0
Anonymous Coward

I'm surprised they haven't set up a call centre in Nigeria to deal with it.

26
1
Silver badge

How do you know they haven't? :)

2
0
Silver badge

'cause there are some lower case letters?

Just sayin.

0
0
Anonymous Coward

Are they the ones with the talking dog, idiot manbaby and dead eyed female who's never out of pyjamas? Not that I really care.

0
0
Anonymous Coward

It's the idiot talking dog in pyjamas.

0
0

I think they're the ones with the idiot who thinks providing them with his personal and financial details for free makes checking his credit score some sort of game. Or that could be Experian, they're basically the same tbh - privacy invading leeches who hold records on you without your consent and provide no service in return (to individuals at least).

9
0
K
Silver badge

Would they be subject to GDPR rules?

Interesting to understand the future impact of the new EU rules, especially if they were holding UK/EU citizen data.

0
0
Anonymous Coward

Re: Would they be subject to GDPR rules?

Short answer: yes.

8
0
Silver badge

Likely cause

So the talking head thinks that it was probably an SQL injection attack.

No proof at the moment, but if it does transpire to be the case, then for their company's gross incompetence, every one of Equiux' directors should have their knackers publicly nailed to a tree, in front of a drunk audience of hooting, jeering peasants.

For the two ladies of the board (being a gentleman myself) I'd only require that they have one toe nailed to the same tree.

13
0
Anonymous Coward

Re: Likely cause

If true, I'm amazed that those idiots don't have defenses. Where convenient, for years I've had libraries not only to immunize myself, but also to auto-log all SQL injection attacks for subsequent analysis/profiling and, if I'm lucky, identification for turning the tables on unexpectedly careless players.

0
0
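The commenter above mentions libraries that both neutralise SQL injection and log attempts for later analysis. As an added illustration, not code from the thread or from Equifax, here is the vulnerable pattern beside its parameterised replacement, with a crude audit hook that records inputs carrying injection-style syntax. The table, the rows and the `SUSPICIOUS` pattern are constructed for this example; the pattern is for logging only and is deliberately not used as an input filter, since the parameter binding is what actually prevents the injection.

```python
import re
import sqlite3

# Constructed sample rows; nothing here comes from any real breach.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Rough signal for audit logging only. A blocklist like this is easy to
# evade, so it must never be the control that prevents injection.
SUSPICIOUS = re.compile(r"('|--|;|/\*|\bOR\b|\bUNION\b)", re.IGNORECASE)

# Audit trail of inputs that looked like injection attempts (assumed in-memory
# list for the example; a real service would ship these to its SIEM).
ATTEMPTS = []


def make_db():
    """Create an in-memory SQLite database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the user-supplied value is spliced into the SQL text.

    Input such as  x' OR '1'='1  rewrites the WHERE clause and returns every row.
    """
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def flag_suspicious(name):
    """Record and report inputs that carry injection-style syntax."""
    if SUSPICIOUS.search(name):
        ATTEMPTS.append(name)
        return True
    return False


def lookup_safe(conn, name):
    """Hardened: the value is bound as a parameter and never becomes SQL grammar.

    The same payload is treated as a literal name, matches nothing, and is logged.
    """
    flag_suspicious(name)
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # both e-mail addresses leak
    print("safe:      ", lookup_safe(db, payload))         # []
    print("attempts:  ", ATTEMPTS)
```

The payload in the usage block turns the vulnerable query into `... WHERE name = 'x' OR '1'='1'` and dumps the whole table, while the parameterised version returns nothing and leaves a record of the attempt behind for the analyst.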
Silver badge

How is their response "good"?

A special purpose sign-up site with a domain name (www.equifaxsecurity2017.com) that couldn't look more like a phishing site if it tried, offering one pathetic year of "you're fucked" notification and no compensation. And you're not even their customer in the first place!

16
0
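The complaint above is that www.equifaxsecurity2017.com is indistinguishable from a phishing domain. The check a practitioner actually performs is whether the notification host shares its registrable domain (the part directly under the public suffix) with the company's known domain. The following is an added example, not part of the thread, and its `KNOWN_SUFFIXES` set is a three-entry stand-in for the real Public Suffix List; production code should use a maintained copy of that list rather than this stub.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List. Assumption for this example only; the
# real list has thousands of entries and changes over time.
KNOWN_SUFFIXES = {"com", "org", "co.uk"}


def registrable_domain(host):
    """Return the registrable domain (one label above the public suffix).

    www.equifax.co.uk -> equifax.co.uk
    equifax.com.example.org -> example.org   (a subdomain dressed up as equifax.com)
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest suffix first so co.uk beats uk.
    for n in (2, 1):
        suffix = ".".join(labels[-n:])
        if suffix in KNOWN_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def same_owner(notification_url, official_domain):
    """True only if the URL's host sits under the company's own registrable domain."""
    host = urlsplit(notification_url).hostname or ""
    return registrable_domain(host) == registrable_domain(official_domain)


if __name__ == "__main__":
    for url in (
        "https://www.equifaxsecurity2017.com/",      # separate registration
        "https://equifax.com.example.org/verify",    # lookalike subdomain
        "https://support.equifax.com/",              # genuinely under equifax.com
    ):
        print(url, "->", "same owner" if same_owner(url, "equifax.com") else "NOT the company's domain")
```

A negative result does not prove the site is malicious (companies do stand up separately registered breach sites, as Equifax did here), but it does mean the domain cannot be trusted on its name alone and must be confirmed through a channel the company already controls, such as a link from the main equifax.com site.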
Anonymous Coward

Re: How is their response "good"?

> And you're not even their customer in the first place!

But you are if you take up the "free" service. In 12 months time it will probably auto-renew and they'll start charging you for it.

This could all be one huge marketing exercise.

12
0
Bronze badge

Re: How is their response "good"?

I was once offered the free credit monitoring (some online store that will remain unnamed). Obviously, I just ignored it as sharing more information than leaked by the store with some 3rd party (saying "trust us") would just add irony to the situation. I guess I was not cynical enough to envision auto-renewal. Thanks for the insight.

3
0
Silver badge

Re: How is their response "good"?

I think it was the sarcastic "good".

If not, one should flush those contented "security researchers" down the loo illico presto.

Most belong there anyway, being glorified mechanics looking for flaws in systems built by peasants led by donkeys.

0
0

Re: How is their response "good"?

oh, it's even worse. Someone investigating that website discovered that the "test" to see if your data was compromised always returned a positive result to ensure the maximum number of people sign up for their paid service.

0
0
Silver badge
Boffin

Class action lawsuit.

This is a major class action lawsuit in the making.

There's no denial as to the harm this can cause because it makes it easier for the crooks to target individuals and to steal identities.

There is also no excuse.

They should be offering free credit monitoring for the next 5 years.

12
0

It should be...

It should be for life. People can't change their date of birth or social security number. They also shouldn't have to move house to avoid being scammed because some fuck witted company can't keep its data off the internet.

18
0

Re: Class action lawsuit.

Let me get this straight ... we trusted them with our most personal details which got leaked, and so to try and make us feel better they'd like to offer us another year of trusting them with our most personal details? Sounds great, where do I sign?

8
0

Re: Class action lawsuit.

Not exactly. Someone else trusted them with your personal data, which has now got leaked. As mentioned above, they are now using it as a marketing opportunity to sell you their dodgy products.

4
0
Joke

As long as it wasn't anything important....

"The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers."

6
0
Anonymous Coward

Re: As long as it wasn't anything important....

It's worth flagging up that US S.S. numbers are not the analogue of UK National Insurance numbers (which are not fit for purpose anyway. But that's for another fuck up).

They're leveraged into a lot of commercial and government systems.

Any breach which means they can't be trusted is catastrophic.

9
0
Bronze badge
Angel

Re: As long as it wasn't anything important....

It's worth flagging up that US S.S. numbers are not the analogue of UK National Insurance numbers (which are not fit for purpose anyway. But that's for another fuck up).

They're leveraged into a lot of commercial and government systems.

Just like the UK National Insurance numbers. Excellent. ;-)

3
1
Silver badge
Unhappy

Re: As long as it wasn't anything important....

"It's worth flagging up that US S.S. numbers are not the analogue of UK National Insurance numbers"

their TRUE usage is as "taxpayer identification numbers". There are similar numbers for corporations. You can't legally work without one, because your income is reported to the IRS using "that number".

aside from the fact that "Social Security" is in itself a misnomer, oxymoron, etc. - there is NO security, and it's not "social" at all - it's a tax collection number.

4
1
Silver badge
Trollface

Wot?

You mean Wordpress and crusty kludgy websites with 3 dozen external 3rd party servers and multiple scripting languages that also use an insecure phone app are not the Interwebs?

Get with the times old farts!

5
0
Anonymous Coward

They're part of the problem

Equifax - Hah! They got me turned down for a loan here in 'Murica back in the spring. Credit score was 'too low'. I got their "one per year" free credit report. No credit cards listed. And that wasn't a surprise, because I don't have any credit cards, because I don't like paying interest. Turns out, if you don't have any credit cards listed on their files, your credit score is so low, you can't get a loan. Talking around, I was told, to raise my credit score, get a credit card or two. Ooops, I haven't done that yet. And now, ooops, if I had, I'd be SCREWED. So now, every person who has gotten a credit card to raise their credit, is SCREWED. Hah!! Experian and its [censored]-poor security is part of the problem, not the solution.

6
3
Silver badge

Re: They're part of the problem

The US credit scoring system is not fit for purpose anyway. What you get is a snapshot, so the day before I pay off a credit card bill my score can be noticeably lower than the day after. It fails to note that this is a repeating pattern and actually represents a sensible and responsible use of credit.

As for paying interest, if you're doing that on a credit card then you're using it wrong.

5
0
Anonymous Coward

Re: They're part of the problem

"As for paying interest, if you're doing that on a credit card then you're using it wrong."

Personally, I agree. That's why I don't hold credit cards; I don't pay them off promptly. So, no credit cards for me, so I won't have to pay interest.

But repayment isn't what the bank is looking at when it runs a credit score. I have confirmed with a former bank employee: For the CONSUMER credit score, it tells the bank your likelihood of paying them income, i.e. interest. It has nothing to do with actual tendency to repay a loan. On a BUSINESS credit score, the bank actually checks out the likelihood of repayment.

2
2
Silver badge

Re: They're part of the problem

And now, ooops, if I had, I'd be SCREWED

Sadly, AC, you're STILL screwed, because Equifux have spewed all your details to the world. The fact that you don't have a credit card to exploit will be immaterial, because at this very moment there's probably a house full of Bulgarian crims making applications in your name, with all your details. And the idiots at the credit card companies are going "hey, great, a new mark with no cards and no outstanding loans! He'll be a low risk, let's give him a card with a limit as much as he wants!"

5
0
Anonymous Coward

Re: They're part of the problem

Bulgarian crims? Hey, don't be so mean to the Ukrainians and Byelorussians!

0
0
Anonymous Coward

US consumers - we're all screwed

US consumers - we're all screwed. Out of 143 million, Equifax will notify only 209 thousand. That's 0.15% (not fifteen percent, that's 15 hundredths percent) of the consumers affected. Sounds like inadequate notification to me, smells like class action lawsuit.

Read below, scraped direct from the Equifax web site:

"potentially impacting approximately 143 million U.S. consumers. "

"The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers,"

"Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

5
0
Silver badge

Re: US consumers - we're all screwed

If it does go class action, I would like to see a settlement that drives them out of business. Also, I would like the DO(in)J to actually do something worthwhile and nail some of the C-suite for a vacation in Club Fed. That is the only way companies will take notice; no job with the possibility of prison.

8
1
Anonymous Coward

CC hacked starting mid-August Thank you Equifax!

BEWARE!

Equifax site reported me as NOT at risk when I checked Thursday after the announcement.

If I had not glanced at my CC statement Friday it would have reached several thousand dollars and gone on for a few more weeks before I got my bill and noticed it.

Subtle hack too. Charged a few hundred dollars (amount varied a little each time) every few days to what looked like an educational magazine/bookstore site. Usually my card company catches these right away and notifies me. I had to call them.

6
0
Silver badge

Re: CC hacked starting mid-August Thank you Equifax!

I got a text from Chase security (my credit card provider) on Monday asking if a particular transaction was legit. It was for 45 cents. They cancelled the charge and issued me a new card.

I'm pretty sure that's unrelated though as it says only a small number (220K) of credit cards were compromised. I'd presume the ones compromised would be from people who would have actually had reason to pay Equifax for something and had given them their credit card number. If you hadn't done that, I think your CC hack, like mine, was just coincidence. I use that card to buy stuff online all the time (I use paypal where I can, but a lot of places don't take it) so I'm not surprised it happens every few years. Doesn't cost me any money, and it isn't the only credit card I have (but the only one I ever use online) so NBD.

0
0
Silver badge

Right now on the Equifax site

'Identity theft and data breach white paper

'Almost three quarters (73%) of GB adults online think that companies should tell them that they have experienced a data breach and 63% would expect to be notified of a breach within hours.'

https://www.equifax.co.uk/data-breach/react.html

Hope the executives who sold $2 million of shares last week don't have anything to hide - such as prior knowledge of the breach.

8
0
