offered a free comprehensive ID protection service
Because people are going to trust these fuckers again?!
UK financial service regulators only learned of this year's Equifax mega-breach through media reports. The admission comes in correspondence from the Financial Conduct Authority (FCA) released by Treasury Committee on Tuesday. A letter from the FCA to Nicky Morgan MP, chair of the Treasury Committee, confirms that the …
I got mine yesterday.
They do so very helpfully (please note intended sarcasm) offer two other companies, Noddle (CallCredit) and Clearscore as alternatives. It's for 12 months and if you wish to continue you get another 12 months free but after that...
However, it's not a case of you trusting them, you don't get a choice unless you actively look for companies that do not use Equifax and are honest about not using them.
Basically were all screwed and not much you or I can do to fix it.
I got mine yesterday, too. I especially liked the part that said hackers may have captured even more personal information, and I could get specific information on what data of mine was compromised if I logged in and provided the last SIX digits of my Social Security Number (the missing first three were based on the location where you applied for your number, and could be easily determined by trial and error). Yeah, that's just what I want, yet another database they have with my personal data.
The letter states that you will have to supply some information to set the services up.
I read that and instantly thought "are you having a fucking laugh?", I'm going to give you more information when you couldn't keep my other information safe. You have more chance of finding a completely secure, robust, useful and profitable IoT device.
Equifax are useless with addresses.
They cannot agree that I'm on the Electoral Roll since the Electoral Roll in Edinburgh doesn't use the Postcode Address File (it uses the Rates valuation scheme of old).
Experian and Callcredit both managed to put together all the records, Equifaxs response was "get your bank to change your address"
I personally would put the whole management team in the clink,seize the personal assets of everyone who profited from the decision to ignore their responsibility to the data owners, staff, shareholders family members you name it, everyone who got a cut in exchange for exposing a large part of the western world.
They did this for money and so that is how you must punish the majority so that in the future,others who care only for "the bottom line" know that the decision to ignore security is too expensive to consider repeating.
For a f*kup of this order the company and all data collected needs to be destroyed along with any copies of the data held by "third parties", a clear message to everyone else in their market that it means their ass if their security get breached.
You'd end up jailing innocent people.
We need out financial regulators to have tie-in powers with the police to enable seizing of company assets/e-mail servers and accounts quickly, then using that along with paperwork to identify the guilty parties. Not simply jailing people because of their post within a company.
In every company there are good and bad people, we need to ensure the good ones remain to change company culture.
re: Equifax : I think it has all been said
re: UK regulatory response : Why on earth is Equifax allowed to come with this feeble, insufficient, late, lacking response? Our laws and regulations that weak - or are we just going to believe Equifax when they say: Sorry, but there wasn't really anything there.
Why on earth is Equifax allowed to come with this feeble, insufficient, late, lacking response? Our laws and regulations that weak - or are we just going to believe Equifax when they say: Sorry, but there wasn't really anything there.
Because the FCA have no big stick with which to beat Equifax Inc with, since it is not a UK company? I imagine the FCA only has powers over the UK subsidiary, not the far more substantial US corporation. It's probably a bit like having the power to summon your pet hamster to answer for your activities. Possibly quite scary for the hamster, but it isn't going to hurt you much.
> Because the FCA have no big stick with which to beat Equifax Inc with, since it is
> not a UK company? I imagine the FCA only has powers over the UK subsidiary, not
> the far more substantial US corporation.
Indeed, it'd be the organisation known as Equifax Limited (formerly Equifax Plc), which made around £24m in pre-tax profit mon £115m of income last year, which they'd have powers over (as Equifax US isn't trading in the UK). The FCA/PRA do have fairly severe powers available to them, including licence revocation, banning individuals from workng in the sector, and custodial sentences for senior managers (if they chose to use them, and upon successful prosecution, obviously)...
I'm calling bullshit on the data accessed and the numbers affected, both myself and my partner received the letter yesterday.
It's very unlikely that they segmented other data securely from the database accessed, especially the address.
It's OK though because I will keep this letter and Equifax can be accountable for any clean up of credit file that needs to be done if someone uses our name to get credit.
I last had dealings with Equifax two years ago when they decided that my father was now the occupant of my house due to their crappy data matching.
No improvement from 17 years before when they decided that I should have some random's defaulted catalogue debt attached to my file because we shared the same surname.
Bunch of incompetent morons.
If it was up to me, I'd shut the company down in the UK and forbid anyone to do business with them. If these companies face no real problems after loosing everyone's data why should they care? Shut them down and maybe the other companies will notice and start to care about security.
Equifax said it began notifying the customers most exposed by letters posted on October 13. "Consumers who have potentially had their driving licence numbers or...
Two points spring to mind: firstly are they only notifying those "most" exposed? What about those "slightly" exposed? Secondly, how the hell did Equifax get hold of Driving lIcence numbers, and why? Were they willingly handed over by the owners themselves?
I fnd myself wondering if the FCA and ICO should be laying down the law and stipulating what data may be requested (and thus stored ready for later theft) and what data must not. Exactly how Equifax obtained this (sort of) information must be the subject of a specific enquiry. What else was sitting there pending misappropriation?
Probably obtained via credit checks made by car hire companies?
Sounds doubtful; if I pay for a hire car - or anything else for that matter - by credit card then what credit check would be needed? The CC company decided I was a good risk, and the car hire company has no need to conduct further checks.
Doesn't mean they don't though, but if that was going on I would hope that the FCA / ICO would step in and tell them to stop it on data protection grounds.
> Probably obtained via credit checks made by car hire companies?
> Sounds doubtful; if I pay for a hire car - or anything else for that matter - by credit card then what
> credit check would be needed? The CC company decided I was a good risk, and the car hire
> company has no need to conduct further checks.
If you let someone drive your vehicle without taking all reasonable measures to ensure that they are legally entitled to do so (licence, insurance), you are liable to prosecution as a result. Car hire companies generally will ask to see your driving licence to head off this liability. Doesn't mean that they have any busines forwarding it to the credit agency, though.
Driving licence numbers will have been harvested from people trying to get car insurance quotes and passed to equifax for insurance fraud checking, and that will be their excuse for keeping it until year infinity + 1. I notice the usual suspects on the price comparison websites tempt you into giving driving licence numbers for "better quotes."
An example needs to be made of Equifax. I think the last 10 years of their UK subsiduaries' profits is a good starting figure for a fine for criminal negligence, ought to bring the risk-reward ratio into the realms of reality, rather than the current situations of no risk, all reward for profiteering from our data.
Call Credit refused to remove erroneous data from my Credit Report depsite me having provided them with all the evidence they had asked for. It was only when I contacted the Financial Ombudsman and they got involved that it got cleared up. I then was paid compensation by CallCredit themsleves, and also Cabot Financial who also refused to stop chasing me for someone else's debt. Simialr situation with Liverpool Victoria, however they repsonded very quickly when I pointed out their error, and offered me £250 as an apology.
Its a requirement for a financial institution to check when a new customer is taken on to ensure their details are correct, to prevent fraud etc. However, doing this via a third party is idiotic, there have been cases where people cannot open accounts because the third party organisation has effective data.
Then we have the issue where they loose data to hackers.
Bonafide financial organisations, vetted by the FCA, should allow inter financial organisation verifications, cutting out the third party organisations completely. There is no need for these organisations.
BTW aren't Equifax involved with HMRC in some new contract?
Is there much use for GDPR if companies like TalkTalk and Equifiax have already released everyone's information? Can companies state that future breaches dont matter as much as the information is already in the public domain?
Mines the one with the list of everyone's name and addresses in the pocket
Should be as simple as this. You need a licence to hold personal data. It can be revoked. If it IS revoked, you need to delete the personal data as you are no longer considered fit to hold it.
Not really that complex. Of course anyone relying on data from someone who didn't have a licence to hold it would be on VERY Dodgy ground, legally.
Which would basically screw their business model completely. Which is what they deserve for this.
Canada's still being fed the low numbers bullshit by Equifax claiming that only 8000 people were affected.
Yup, pull the other one.
We need a category of criminal or civil law that makes it possible to go after the personal assets, trigger dismissal, or even send to jail executives that commit gross negligence during the carrying out of their duties. A company might be guilty but the problem is that these folk can cash out on bonuses during the years that their bad decisions inflate profits. And, then, at worse they get a gold parachute to ease their way out and their successors and company staff are left to deal with the mess.
So to keep these folks honest, you need the possibility of personal losses, not just the certainty of gains when they game the system.
That goes for anyone in the Equifax executive decision chain that under-budgeted their security systems, if that is proven to be the case.
I got one of these missives, as did my wife. I've tried calling the "helpline" (largely to vent my spleen rather than in the hope of any real action) only to be met with the usual robotic: "Thank you for calling Equifax, please choose from one of the following three options". Option 1 is the one you need if you are calling about their "data breach service" (nice name, sounds like a new product). Pressing that number reults in the repetition of the same message. As does pressing any other bloody number.
So they can't even get a fucking answer system robot to function correctly.
For any of you familiar with the basic principles of the data protection act, please humour this theory.
1] Any UK co. I do business with as a statutory duty of care to protect my PII
2] I have no legal relationship with Equifax, so they’re not accountable to me. But any company I have a relationship with, who shares my data with Equifax, are.
3] Equifax have categorically been proven not to be competent and secure data processor
4] As a UK citizen, my data had no business being visible through a US website
So what would happen if I write to all my bank and utilities stating that they are in default breach of the DPA and I prohibit them from sharing any more of my data with Equifax.
Should they continue to do so, they are in further breach of the DPA to continue to expose my data to a third party that is no longer trustworthy or competent.
A further angle would be anyone wanted to switch suppliers and get out of contract early, could they claim breach of contract and walk – contract voided by the supplier because they have failed in their implied or explicit duty of care under the DPA.
A letter from Equifax has arrived today: my date of birth and tel no were hacked in May.
1.Why is this 6 months late?
2.Why offer to set up a Protect service by phone, then tell me when I call that it must be done online?
3.Why would I hand you more credit card and bank details so that you can 'protect' them?
Biting the hand that feeds IT © 1998–2019