Why are the details of 700,000 non-US "customers" included in along with test data?
UK Treasury Committee chairman calls on Equifax to answer for breach omnishambles
Equifax may soon face the wrath of UK politicians after the chairman of the country's House of Commons Treasury Committee demanded answers from the firm over its handling of its recent data breach. Nicky Morgan MP has written to the chief executive of Equifax Limited asking for further details about the scale of the breach, …
COMMENTS
Thursday 12th October 2017 17:50 GMT Anonymous Coward
GDPR is coming in, they may be starting to give a shit.
No. At talks, the ICO representatives repeatedly state they don't want to impose monetary penalties on companies for failure and don't want to be seen as an "always fining" regulator. The only fines they want to give out are to telesales companies...
They go to great lengths saying GDPR shouldn't change anything "because you are all compliant with the DPA1998 anyway." Not sure if it is meant sarcastically or if the ICO really does think companies give even a tiny fraction of a toss about personal data.
Thursday 12th October 2017 10:26 GMT Lysenko
Why are the details of 700,000 non-US "customers" included in along with test data?
Quite possibly they were the test data. For a predominantly anglophone country like the USA, the logical countries to source customer name lists for testing are UK, Canada and Australia. You can't use random strings in place of names[1] (cardinality is all wrong, so index optimisation would be too), you don't want data from "foreign language" countries and you certainly don't want to be using actual Americans (because: Tort Lawyers).
[1] Yes, I know there are ways around that but they require a degree of competence and attention to detail that these people clearly didn't see the need for on the payroll.
Friday 13th October 2017 11:03 GMT Anonymous Coward
Re: Why are the details of 700,000 non-US "customers" included in along with test data?
Anecdotally confirmed: after my employer was taken over by a US multinational, they were completely startled and nonplussed when we pointed out that moving databases stuffed with PII over to the US without any notification or oversight about what they did with it was possibly illegal. They were going to be using real mail spools for testing.
Friday 13th October 2017 10:20 GMT VinceH
"Why are the details of 700,000 non-US "customers" included in along with test data?"
Because Equifax fucked up - this data was stored in the US in error; the result of a "process failure."
Equifax knew they'd fucked up - this process failure was supposedly corrected in 2016.
But Equifax have clearly fucked up the correction of the fuck up, given that the data was still there to be hacked in May 2017.
And, of course, they also fucked up by not keeping up with patches, resulting in that hack.
Thursday 12th October 2017 10:15 GMT rmason
Will keep rising
This number will keep going up, it's clear the breach is a large one, and they hold information on practically everyone of adult age in the UK.
Anyone who has ever had any sort of financial product, or even those who have tried but always failed.
The number of breaches will end up being quite close to "All of you" I think. Or so close as not to matter.
Thursday 12th October 2017 18:27 GMT Alan Brown
Re: Will keep rising
"only people who have had an account with Equifax (signed up for free credit report etc."
Or one of Equifax's myriad sock puppet companies.
In this instance, "customers" have an "account" with Equifax whether they know it or not. I DPA section 11'd them (and a few other companies) a few years back after I discovered they were selling marketing data containing my details. They made it clear that whilst they'd tag my account to not sell anything, they would be keeping the data on file.
Thursday 12th October 2017 10:27 GMT }{amis}{
This will continue.......
The problem I have with the reporting of these kinds of breaches is that the evaluation of the amount of data lost, and what kind of data is affected, is done by the same bunch of idiots that caused the mess in the first place.
If we want to move protection against this kind of problem forward, we need to have a legal mandate that the evaluation and remediation is done by a qualified third party at the company's expense and the report is openly published.
That way they end up with a bill that fits the mess that they caused and there is no squirming away from the reputation damage.
Thursday 12th October 2017 11:15 GMT Detective Emil
Re: This will continue.......
Agreed. Although victims of enormous breaches who get sued do tend eventually to call in third-party forensic teams at vast expense so as to have an assessment of the damage that has a chance of standing up in court. These teams tend to find that the problem was even bigger than first thought, and the information, if released at all, is released late on Friday on the west coast.
Thursday 12th October 2017 14:17 GMT Lion
Pretty Please - oh please
The governments of Canada, Australia, UK and Brazil approached Equifax with kid gloves. In other words, they said 'Please, when you get around to it, let us know how many of our citizens are at risk.' They would have waited without any sense of urgency if it had not been for this huge backlash from the public. Now they feel the need to nudge Equifax for answers, so they have followed up with a 'Pretty Please'.
Equifax is feeling a degree of pressure from the US government, but that is just a show. The curtain will fall in a few months and that will be the end of it. Lawmakers will not punish Equifax (no fines) or change the credit reporting industry anytime soon.
They care not for anybody beyond their borders.
Governments outside the US have allowed credit reporting bureaus to operate in the manner in which they do. They know how this breach happened. They know how Equifax responded to the breach. They know their citizens have been compromised. There is no need to wait for Equifax to respond with their letter writing campaign. Nothing should be stopping governments at this time, other than their indifference, from immediately producing stringent legislation to regulate this industry: prioritize it and pass it. Follow up with a compensation calculation for victims and forward that to Equifax.
Thursday 12th October 2017 14:19 GMT JMiles
Any company that submitted data to Equifax is in trouble...
... when a company tells you they'll share their info with credit reference agencies they remain responsible for what happens to the data once they send it off. Once in a while I wish we did have the litigious ambulance chasing lawyers in the UK like they have in the US and can sueball Equifax into non-existence.
Thursday 12th October 2017 14:38 GMT Anonymous Coward
Equifax are utter scum
I've been asking them since the start of the year to correct information they are reporting about me and I'm going around in circles, and they keep closing the case. I've complained to the ICO and they are worse, absolutely no response from them.
I'll try the FSA next and see how I get on.
They have a duty of care to ensure the information they hold on all of us is correct, which is I think why they all have free access to your credit scores now (ClearScore, Money something and Experian's thing).
Considering the impact an error can have on your ability to work, rent or buy, there should be greater oversight of their operations.
Thursday 12th October 2017 15:09 GMT Graham Cobb
Regulation of credit references
The credit reference business needs some serious regulation. Yes, credit checks (for businesses and individuals) are important to keep our economy functioning but the processes and data behind that should be extremely heavily regulated (one level down from health data).
Reform should mean that data kept must be limited to a small number of permitted categories, all recent and personal (not hearsay or "linked"), with the sources clear, and limited to clear factual data which can be easily either confirmed or refuted and immediately fixed without the co-operation of the source. The data subjects must be able to see all data held on them, all requests made, and all analysis/reports made and the data subject must be able to put blocks on access to their data from certain sources or for certain types of requests (understanding that that might mean they are refused credit).
Yes, this would make credit reporting less useful -- with a higher risk of bad debt. But so be it -- the economy won't collapse over that. That should be the price paid by an industry which gets a free pass in terms of receiving, keeping, and processing personal data without permission.
Thursday 12th October 2017 17:09 GMT Anonymous Coward
GDPR
I imagine that when GDPR comes in next year, they will find that a reasonable percentage of the country requests their data be deleted.
How will the financial companies that abuse this info already cope then?
Will you keep your data in the credit bureaus when they are so "trustworthy"?
Sunday 15th October 2017 20:09 GMT ThatOne
(Don't know if my post will ever appear (apparently 50% of my posts never made it through), but here goes:)
Hearing people, one might think GDPR is some savior who will right all wrongs. I fear it isn't and it won't.
It's just a law, and it depends on how (and if) it's applied. For instance I wouldn't be surprised if Equifax is forgiven because well, you know, accidents happen, and my friends' friends are my friends too (Who cares about users. Rabble, all of them. No matter what happens to them there always will be enough around to keep us afloat.).