back to article Equifax reveals full horror of that monstrous cyber-heist of its servers

Equifax has published yet more details on the personal records and sensitive information stolen by miscreants after they hacked its databases in 2017. The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records …

Page:

  1. corestore

    And how...

    If we're sufficiently angry about this, can we tell Equifax "I don't trust you to hold my data; I require you to delete every piece of data you hold on me"?

    It would seem a reasonable request in the circumstances - but is it possible? If not, data protection laws are worth very little. We need the ultimate sanction, as individuals, of being able to easily compel companies and organizations to delete all identifiable data they hold on us.

    1. Jusme
      Unhappy

      Re: And how...

      Even if you could, and they did, good luck getting credit / buying a house / car / burger once you have no credit references.

      1. corestore

        Re: And how...

        Well if it's possible for anyone to delete their data, the presence or absence of that data can no longer be relied upon; it'll break entirely away from the 'everyone leaves a data footprint' way of thinking that seems to have grown up with remarkably little question or oversight.

      2. Mark 85 Silver badge

        Re: And how...

        Nope...there's two other companies just a big who do the same thing. So there's a 1 on 3 chance of some company saying "no" if they only check Equifax. If the company says "no", then tell them to check the other two if they want your business.

      3. Anonymous Coward
        Anonymous Coward

        Re: And how...

        @Jusme

        Why are people down voting you? Do people not understand how credit reference agencies work? Have people not been to burger king lately? I went the other day and it was £7.15 for a burger meal (basic whopper, Lancaster services), I only go to burger king every so often to remind myself why I don't go to burger king, same with McDonalds.

        1. Doctor Syntax Silver badge

          Re: And how...

          "Have people not been to burger king lately? I went the other day and it was £7.15 for a burger meal"

          And why should you need Equifax or its lookalikes for that? There are totally anonymous credit reference services you can use provided by the Bank of England and the Royal Mint.

          1. Anonymous Coward
            Anonymous Coward

            Re: And how...

            @Doctor Syntax

            Quoting the original comment "buying a house / car / burger" was my reasoning for the burger reference. Equinefax because it's probably horse anyway,

            1. Woodnag

              Equinefax...

              Equinefax... because their data management is the horse's arse.

        2. not.known@this.address Bronze badge
          Trollface

          Re: And how...

          Maybe try a 'proper' Bugger King shop rather than the overpriced abominations that you find at "service" stations (although I suppose DIS-service stations, whilst much more accurate, would not be good for their business model)?

          I've never really found the cost of the meal* to be a particular reason for avoiding fast food chains - the taste and texture (or lack thereof) provide much more compelling reasons...

          *Here in the UK we have a load of adverts telling us that "Kiddie X" wants "Product Y" from The Golden Arches but "Mommy Z" isn't sure that it's safe - cue Doctor Devidence showing us that the cows really are cows, the chickens really are chickens and the fries... funnily enough, they don't get mentioned (I'll leave you to draw your own conclusions on that).

          I'm sure it's all perfectly safe really (as long as you're a penguin or have an infinite number of limbs) but I cannot help wondering if C.M.O.T. Dibbler might not have gotten in the food chain somewhere...

        3. Jtom Bronze badge

          Re: And how...

          Some of us have absolutely no need for credit. I have the funds to but new cars, condos, even Whoppers from Burger King. What I don't want is getting harrassed from debt collectors trying to collect on debt resulting from ID theft.

          1. Jellied Eel Silver badge

            Re: And how...

            What I don't want is getting harrassed from debt collectors trying to collect on debt resulting from ID theft.

            Agreed. I've had that happen a couple of times, and it's painful. Letter arrives saying I owe X and pay now, followed by calls. Calls ask for me to confirm my security details, ie supply some random caller with personal information they may not be entitled to, or trusted with. I told the last one that I wanted all communications in writing, starting with a detailed explanation of why they thought I owed them money, ie copy of any contract. When I told them not to call again, they said that 'was not going to happen', and it took a little convincing to point out that the ICO/Ofcom could make that happen.. Although that would require them to actually take action against scumbag DCAs

          2. Eddy Ito Silver badge

            Re: And how...

            The freeze system we currently have seems to be working nicely for me. I've had a company ask if I would allow them to access my report "for identity check purposes". My response was to say I'd be happy to allow them access to Experian, TransUnion, or Innovis but not Equifax. Oddly they managed without it and I didn't have to unlock any of the reports. I'm thinking this whole credit bureau system is just a way for companies to be lazy but when pressed they really don't need it or find a way around. It's starting to look a bit like the emperor's new clothes to me.

            @AC, £7.15, really? I must be out of touch but then I stopped going to such places when the "milkshakes" started to resemble soft pykrete.

    2. Mr Dogshit Silver badge

      Re: And how...

      If you live in the European Union, after 25th May, that's exactly what you'll be able to do.

      That's exactly what I'm going to do.

      1. tip pc

        Re: And how...

        I’ll be writing to all 3 telling them to send me all they know about me and then delete it all.

        1. Herring`

          Re: And how...

          It's difficult to see what legal basis they would have for refusing a "right of erasure". There's no statutory reason for them holding the data (that I'm aware of) they are holding it under "legitimate interest" so it can be deleted.

          The thing is, the credit reference agencies have managed to insert themselves into the finance industry as a necessary part of the process. If they can no longer be depended upon, then that changes things for a lot of companies - some companies do a credit check on recruitment even. GDPR + this data breach could have some fairly wide-ranging impacts.

          1. Anonymous Coward
            Anonymous Coward

            Re: And how...

            because banking is my guess.

            1. Adam 52 Silver badge

              Re: And how...

              At the conferences I've been too the banks have been taking a much firmer line than everyone else. They argue that they are required by banking regulations to prevent fraud and verify identity, and using a credit reference agency is a means to do that, so they are covered by the legally required reason for processing. The hole in that argument is what other data they share.

              One particular (American owned) bank openly said that they'd carry on exactly the same as before and ignore GDPR because all of their processing was necessary.

              If anyone wants to feel a bit sad, have a look at the AA's new GDPR terms and see what they consider legitimate interest.

              1. Doctor Syntax Silver badge

                Re: And how...

                "If anyone wants to feel a bit sad, have a look at the AA's new GDPR terms and see what they consider legitimate interest."

                Any company who decides that what they consider legitimate interest is going to have to persuade the relevant regulator that they agree. Remember that it's trying to bend the rules that brings the really big fines.

              2. Anonymous Coward
                Anonymous Coward

                Re: And how...

                They, like everyone else, can claim legitimate interest. However, they need to be able to back this up with documentation that the ICO, or body in other EU countries, will consider is acceptable and that the interest is not overriding that of the data subject. Short version: the interests of the data subject can override the interest of the organisation. Quite a lot of shit will hit quite a lot of fans until these idiot companies actually understand the legislation.

          2. DaveTheForensicAnalyst

            Re: And how...

            "It's difficult to see what legal basis they would have for refusing a "right of erasure". There's no statutory reason for them holding the data (that I'm aware of) they are holding it under "legitimate interest" so it can be deleted."

            They can hold the data without consent under "legitimate interests", as long as your fundamental rights or freedoms aren't obscured.

            On top of that, there are government loopholes at a UK level.

          3. kernelpickle

            Re: And how...

            Well, your silly little GDPR doesn't give you the ability to exist outside of society--and whether you like it or not, modern society has been built upon CRA's like Equifax, Experian, and TransUnion.

            If you were to allow people to apply these insane rules to every organization that they don't trust, you'll have the foil hat brigade telling the police, and other government agencies that they don't trust them--which opens a loophole for all sorts of ne'er do wells to disappear of the official radar.

            What about creditors? If someone owes money to someone they don't trust, what would stop them from filing a request to effectively block them from being able to collect on debts that are owed?!

            Clearly, that simply cannot be how this ridiculousness is intended to function. I don't care how progressive you Europeans think you are, there's just no way that any government, let alone all of your collective governments, would agree to give citizens the right to avoid debts and law enforcement by filing some paperwork.

            It would also break the secondary market for debts as well, because if companies can't share that information, they can't sell your debts to anyone else--which is an annoying and sketchy practice to be sure, but it's big business and big business usually wins over private citizens.

            If indeed you are correct in your interpretation of the law, clearly it was an oversight, and will surely break the system. It would literally plunge the EU into the dark ages, because you'll all have to live without credit and switch to using hard or cryptocurrency for any/all transactions--good luck with that!

            1. Pascal

              Re: And how...

              > "It would also break the secondary market for debts as well, because if companies can't share that information, they can't sell your debts to anyone else"

              Oh, the humanity! What would we ever do if that insane, mafia-like "secondary debt market" system disappear? We'd have to shutdown society or something.

              Secondary debt racketeers are just about as useful to society as pedophiles and murderers, and should be treated the same.

            2. Extreme Aged Parent

              Re: And how...

              Although I do not like what you say, you are correct, and right in saying it.

              We at the bottom of the 'food chain' have no say in what or how we are ruled, e.g. the UK is called a democracy, but really we are in an elected dictatorship, which might or not change every 5 years, and we those of us at the bottom have very little real say in what happens.

              These Equifax companies are run by big business, they control the money, ergo they control us.

              You want out, they have got you covered in all ways, so no way out for you my friend!

              1. Anonymous Coward
                Anonymous Coward

                Re: And how...

                "Let us control the money of a nation, and we care not who makes its laws"

          4. c1ue

            Re: And how...

            I'm no fan of banksters, but credit reliability is very much a "social good" in financial terms.

            The individual who has bad credit is highly incentivized to kill all such data, for example.

            And if you say that this can be compensated for - it can, but the cost is treating all people with little or no credit history as bad credit. This penalizes those who legitimately are just starting their financial histories (usually young people).

            The management of fraud and other criminal activity is another legitimate use case although personally I think credit ratings enable far more than disable. Many of the more sophisticated criminals know very well how to jack up credit ratings artificially.

            1. 2+2=5 Silver badge

              Re: And how...

              > I'm no fan of banksters, but credit reliability is very much a "social good" in financial terms.

              This is true - that credit reliability is a good thing. But Equifax do much more than provide a credit reference check once in a blue moon when you take out a loan or another credit card.

              They sell 'anonymised' data to anyone that wants it. If, for example, MacDonalds want to open a new restaurant in my area they can go to Equifax and buy socio-economic data to see if the area is going to be profitable or not. The only way Equifax can service that request is by keeping tabs on my salary, my mortgage and other loans every month; and do the same for everyone in the area.

              That is nothing to do with providing a credit reference service and just because they have a nice profitable sideline business doesn't mean that they have a legitimate interest in my and my neighbours' data.

          5. Skoorb

            Re: And how...

            Yeah. There is a statutory basis for CRAs to hold your data, that's the thing.

            The ICO rejected complaints that this breached the DPA because CRAs only had consent to hold account information for the duration of the credit account. It said that the retention of such data was permitted under paragraph 6 of Schedule 2 to the DPA because it was necessary for the purposes of the legitimate interests of lenders (so that they could make informed lending decisions) and the information was not retained longer than was necessary for that purpose (i.e. 6 years).

            Similar wording is being placed into the "new" Data Protection Act that is going to replace the old DPA on May 25th to be GDPR complaint.

            The ICO issued a note on this back in 2006.

      2. DaveTheForensicAnalyst
        Facepalm

        Re: And how...

        There is a "Legitimate Interests" loophole under Regulation (EU) 2016/679 (47) which will allow them to reply with a nice "Go away and pester us no more" letter I'm afraid.

        1. Doctor Syntax Silver badge

          Re: And how...

          There is a "Legitimate Interests" loophole under Regulation (EU) 2016/679 (47) which will allow them to reply with a nice "Go away and pester us no more" letter I'm afraid.

          And if the interests they cite aren't legitimate that's a letter that gets forwarded straight to the ICO or whatever you local regulator is.

          1. Adam 52 Silver badge

            Re: And how...

            "And if the interests they cite aren't legitimate that's a letter that gets forwarded straight to the ICO or whatever you local regulator is."

            Trouble is, the ICO is going to be getting thousands of these on May 28th and is going to have to triage in some way. The banks are already regulated by the FCA so I expect them to be way down on the list.

        2. corestore

          Re: And how...

          I think you miss part of my point.

          This is a case where the company has very publicly demonstrated failure to keep some very important personal data safe; that's _why_ the story has been such a big deal.

          I'm asserting that, quite apart from the general principle, such cases are ones where 'severe breakdown in trust' _overrides_ any concept of 'legitimate interests' and would (or should) allow the subject to compel the deletion of data. It's especially egregious in the case of credit reference agencies, as the subject has NO direct contractual relationship with the agency; they're not in any sense a 'customer' of the agency, and they're not free to 'take their business elsewhere' in a free market.

          That's why credit reference is an example of a special case where 'legitimate interests' is (or should be) FAR less compelling even under existing law.

        3. Anonymous Coward
          Anonymous Coward

          Re: And how...

          It is not a loophole, they need to be able to prove why it is a legitimate interest, and why the data subjects interest do not override that interest. This is all part of the regulation, try reading it.

          1. DaveTheForensicAnalyst

            Re: And how...

            From the ICO...

            "It is our view that the condition for processing below covers the sharing of account

            data with the credit reference agencies for the duration of a contract and six years

            beyond."

            “The processing is necessary for the purposes of legitimate interests pursued by the

            data controller or by the third party or parties to whom the data are disclosed, except

            where the processing is unwarranted in any particular case because of prejudice to

            the rights and freedoms or legitimate interests of the data subject.”

            "We take a wide view of the legitimate interests and we consider that it is in the

            interests of other creditors to make informed lending decisions. It is important to note

            here that the fact that the processing may be seen by some to prejudice a particular

            individual (for example, someone with an adverse entry on his credit reference file

            may not be able to obtain credit facilities) does not necessarily render the whole

            processing operation prejudicial to all individuals."

        4. 2+2=5 Silver badge

          Re: And how...

          There is a "Legitimate Interests" loophole under Regulation (EU) 2016/679 (47) which will allow them to reply with a nice "Go away and pester us no more" letter I'm afraid.

          A legal test case may be required to see where that 'legitimate interest' stops. For example, if I apply for a loan, the bank wanting to provide that loan has a legitimate interest in my credit worthiness. However the company providing the credit worthiness service doesn't - on the grounds that their relationship is with the bank not with me.

      3. Anonymous Coward
        Anonymous Coward

        Re: And how...

        they will laugh in your face (politely) and tell you to fuck off. There's a large number of gateway clauses in that well-meaning EU fart, generally to do with "unless required for the purpose of organization"

        ...

        Here, long live wikipedia:

        "Data may not be processed UNLESS there is at least one lawful basis to do so

        (...)

        Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.

        (...)

        i.e. you want mortgage? Sign here, here and here. And here are the terms and conditions, if you care to read them. You're not under obligation to sign, mind you!

        Here's another one:

        (unless)

        "Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child."

        You think your interests as a "data subject" or fundamental rights and freedoms override the "purposes of the legitimate interests pursued by the controller or by a third party"? - such as exifucks? Sure, go squeal to high heavens, TAKE. YOUR. TIME. Or sue us, and we'll look at your mortgage application again, say, in 2038. Morning or afternoon?

        On top of which there are those endless exceptions about terrorism, the wonderful catch-all, i.e. "Lawful interception, national security, the army, the police, justice". But that's a different matter.

        1. Benjamin 4

          Re: And how...

          And if I didn't want a loan, or car finance, or a credit card or any other credit related product and asked them to remove my details accordingly then what would they do then?

          1. Anonymous Coward
            Anonymous Coward

            Re: And how...

            "And if I didn't want a loan, or car finance, or a credit card or any other credit related product and asked them to remove my details accordingly then what would they do then?"

            Probably ask you if you didn't need insurance of any kind (car, life, property, etc). You'd be surprised by the amount of non-credit stuff that credit reference agencies are used for these days.

        2. katrinab Silver badge

          Re: And how...

          "necessary for the performance of a contract"

          is not the same as it's in the contract.

          In order for them to collect your mortgage payments, and hand back the title deeds when you finish paying it, is it necessary for the bank to tell Equifax every month that you made your mortgage payment on time, or not as the case may be?

          1. Killfalcon Bronze badge

            Re: And how...

            To be honest, the chances are that the US credit agencies *will* just delete any EU citizen's data on request - it's not their primary market, and probably not a fight worth having.

            If you have the misfortune of living within the US credit market, you're going to have a bad time.

            1. fidodogbreath Silver badge

              Re: And how...

              To be honest, the chances are that the US credit agencies *will* just delete any EU citizen's data on request

              These companies don't delete, they "delete." Data is a fetish for them, like the 'souvenirs' that serial rapists keep.

              They'll just add a flag to not surface your records in response to external queries. Rest assured that your data will still be sitting in the same poorly secured database, waiting for some script kiddie to steal it using a five-year-old vuln...

      4. Aitor 1 Silver badge

        Re: And how...

        Good luck buying a house.. and I rather doubt they will comply.

    3. ToddRundgrensUtopia

      Re: And how...

      It's possible from the 25th May, yes. One of the basic tenets of the GDPR

    4. bombastic bob Silver badge
      Stop

      Re: And how...

      considering that we never really gave permission to Equifax to collect all this crap, but rather OUR BANKS DID IT FOR US, who can you blame?

      I think "they" have too much power. WAY too much.

  2. Anonymous Coward
    Anonymous Coward

    These hackers need to up their game and start stealing peoples debt. Why that's a nice 2k loan you have there it would be a shame if someone cleared it off. They have the details now.

    1. Anonymous Coward
      Anonymous Coward

      In Project Mayhem

      We have no names.

    2. gnasher729 Silver badge

      Great idea. "We couldn't help noticing that you owe £213,417 on your mortgage. For payment of 2 bitcoins, we will reduce that amount to £113,417"

  3. Mark 85 Silver badge

    I do believe that Equifax should a) send letter to everyone who's data was taken along with a check for say... $100. That alone (just the letters) would cost them a small fortune. b) When they're done with the letters, nuke the whole damn company (make sure to get board and officers) from space. They don't deserve to exist.

    1. David Nash Silver badge

      "I do believe that Equifax should a) send letter to everyone who's data was taken along with a check for say... $100."

      They already did...the letters at least. I received one. They outlined my options, which don't amount to much really, so I haven't done anything.

      1. Jtom Bronze badge

        Yeah, I got the letter, too. Didn't you love the irony of it? We have the option of getting free credit monitoring service from another company. We just have to provide that company with our name, date of birth, address, Social Security number, driver's license number, account numbers, etc.....and pray that having that info in yet ANOTHER database doesn't cause problems in the future.

        No thanks.

        1. Eddy Ito Silver badge

          I think that must be a UK only or maybe EU thing. Here in the US I didn't get a letter but still showed up in the online check and I know several others in the US who never got a letter either.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019