And what the hell is all this data on UK citizens doing on their US based servers?
Not that we have time to get the EU to administer a kicking before we lose EU protection.
Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million. In true buck-passing fashion, at the time of writing, Equifax hadn't even released a public statement …
As the Athenian said to the Melians, "... you know as well as we do that right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must".
The USA considers itself the 800 lb gorilla, and doesn't much care what European legislators do or say.
On further reflection, the US administration doesn't even care very much what American legislators or judges say and do. Or the people who wrote the Constitution and the Bill of Rights.
"If the President does it, it's not illegal". - Richard M. Nixon
"The Constitution is just a goddamned piece of paper". - George W. Bush
Is it? My heart bleeds.
How about we reduce it to £2,000 per real person out of the 13.8 million records not triggering a 'you're in the shit, it's our fault but don't dream we'll clean up the mess' letter.
Assuming half those 13.8m are duplicates and test data that's only £27,800,000,000. We can be reasonable.
"And what the hell is all this data on UK citizens doing on their US based servers?"
This is a question that needs to be properly addressed. As yoganmahew pointed out in response to a previous article on this:
Regrettably, the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.
This 'process failure' was supposedly corrected in 2016... yet the data was subject to the hack in May 2017. We can only assume that the correction was to stop data being sent to the US, but not to actually remove the data that was already there as a result.
Not only, but also:
The information was restricted to: Name, date of birth, email address and a telephone number, and Equifax can confirm that the data does not include any residential address information, password information or financial data.
But now it's "names, home and email addresses, telephone numbers, and account recovery questions" - so the 'process failure' resulted in more data being stored in the US than Equifax claimed (reading between the lines of their statement at the time - they didn't say what was stored due to this 'process failure', only what was accessed).
This needs to be dealt with properly - full fat legal action and fines, not just the usual mild slap on the wrist.
Any answers to security questions – such as your mother's maiden name – given to Equifax during an account signup should now be considered compromised, the NCSC warned, and should be changed for other websites, if possible.
Mum? Hi, yes, listen, I need you to change your maiden name to something different...
Yeah, but look, it's not me, it's the government...
Well can't you forge your birth certificate, or something?
Ok, ok, forget I asked...
Fully agree that it wouldn't take a dedicated miscreant very long to retrieve such info but here's the question that follows the suggestion that people should use some other value...
Who is going to feel happy telling lies to a credit rating agency - knowing that the leeches share info and that getting wrongly flagged with one can make life just that little bit awkward.
The better approach is surely to educate the agencies (and others) so that they stop asking for it in the first place?
"Who is going to feel happy telling lies to a credit rating agency[?]"
Perfectly put. That is the exact dilemma that faces all would-be honest, decent citizens living in a world dominated by filthy, corrupt corporations and filthy, corrupt politicians.
Should we try to behave honestly and decently, and get it in the neck over and over and over? Or should we try to play them at their own game - which entails more or less trying to play football uphill on a vertical pitch where the opposing team does not have a goal?
Do the credit agencies even check your mother's maiden name or do they just use it as a security question? I have only ever given my mother's maiden name to banks when I opened an account, not even to credit card companies or Equifax itself when I had an account with them.
Unfortunately I did use the same fake maiden name I used with Equifax at other companies such as my mobile phone provider.
Fortunately I have used a password manager for several years so no account has the same password and the majority of accounts with money involved have two-factor authentication.
That would entirely depend on what documentation you kept, where you flagged up the potential flaws and were overruled by manglement on the grounds of cost.
Or if the hack is down to your failure to follow the recorded design spec because you couldn't be bothered/knew better.
Basically get everything in writing.
The better approach is surely to educate the agencies (and others) so that they stop asking for it in the first place?
With the additional benefit of the end of consumer credit from anyone but banks, with the concomitant collapse of the car, consumer electronics, interior design, package holiday and subscription media industries! Sounds like heaven to me, though most of the rest of the population will be a bit lost for a few years.
> You shouldn't be putting the real answer in
OK so not only do we have the wacky combinations of numbers, letters, symbols, uppercase etc. for passwords - each of which must be unique as sites are always getting hacked - when the inevitable happens and I can't for the life of me remember what particular weird series of ASCII I used for a particular site, I click the password reset link only to then try and remember what fake maiden name / first pet / first school I used.
Where does it end?
Boycott the Internet for a day with a "switch off your router" day, preferably on Black Friday. Advertise clearly why the boycott has been called so these numpties understand. Even the telcos will get the message then.
Better yet make it for a whole weekend.
You can't lie about your Date of Birth when applying for Credit... well you can, but it's Fraud!
This is a good reason to store mandatory personal data in a hashed form like passwords.
i.e. the bank doesn't know your DOB, but if you give them a date they can check if it's the same as before.
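One way to implement what this comment describes, as an added example that is not part of the thread and not anything Equifax or a bank is known to run: the stored value is a keyed tag of the date of birth rather than the date itself, and a customer-supplied date is checked against it. The example also shows the caveat a practitioner would raise: a date of birth has only around 43,000 plausible values, so an unkeyed hash "like a password" is recovered by simply enumerating every calendar date once the table leaks, whereas an HMAC under a key held outside the database defeats that offline enumeration. All names, the sample date and the key are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Iterator, Optional

# Constructed sample values for the example (not real data).
SAMPLE_DOB = "1984-03-17"
DEMO_KEY = secrets.token_bytes(32)  # would live in an HSM/KMS, never in the DB


def plain_hash(dob: str) -> str:
    """Unkeyed SHA-256 of the DOB: 'hashed like a password' in the naive sense."""
    return hashlib.sha256(dob.encode()).hexdigest()


def keyed_tag(dob: str, key: bytes) -> str:
    """HMAC-SHA256 of the DOB under a server-side secret key (a 'pepper')."""
    return hmac.new(key, dob.encode(), hashlib.sha256).hexdigest()


def verify(stored_tag: str, candidate_dob: str, key: bytes) -> bool:
    """Bank-side check: does the customer's date match the tag on file?
    Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(stored_tag, keyed_tag(candidate_dob, key))


def all_dobs(first_year: int = 1900, last_year: int = 2017) -> Iterator[str]:
    """Every calendar date in the range: the entire DOB search space."""
    d = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def search_space_size() -> int:
    """How many candidate dates an offline enumeration has to try."""
    return sum(1 for _ in all_dobs())


def recover_from_plain_hash(leaked_hash: str) -> Optional[str]:
    """Why an unkeyed hash of low-entropy data is not protection: a leaked
    hash falls to one pass over every possible date."""
    for dob in all_dobs():
        if plain_hash(dob) == leaked_hash:
            return dob
    return None


def recover_from_keyed_tag(leaked_tag: str, guessed_key: bytes) -> Optional[str]:
    """The same enumeration against an HMAC tag. Without the real key every
    candidate is tagged under the wrong key, so nothing matches."""
    for dob in all_dobs():
        if hmac.compare_digest(keyed_tag(dob, guessed_key), leaked_tag):
            return dob
    return None


if __name__ == "__main__":
    stored = keyed_tag(SAMPLE_DOB, DEMO_KEY)
    print("tag on file:", stored)
    print("correct date accepted:", verify(stored, SAMPLE_DOB, DEMO_KEY))
    print("wrong date rejected:", not verify(stored, "1984-03-18", DEMO_KEY))
    print("dates to enumerate:", search_space_size())
    print("plain hash recovered:", recover_from_plain_hash(plain_hash(SAMPLE_DOB)))
    print("keyed tag recovered without key:",
          recover_from_keyed_tag(stored, b"attacker-guess"))
```

The design point is that hashing only helps when the input has real entropy; for a date of birth the protection comes entirely from the key, so the key must be stored and managed separately from the database that holds the tags, and rotating it means re-tagging on the next successful check.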
"Mum? Hi, yes, listen, I need you to change your maiden name to something different..."
In my case this would be an interesting conversation as she's been dead for quite a while.
But I've always lied about that particular piece of data, anyway, and never the same lie to different data-slurpers. My mum has *lots* of "maiden names".
I wonder whether that makes me part of the "duplicates" the Equifax kleptos talk about?
@Doc Syntax:
According to Equifax, 700,000 Brits have been seriously violated. If we assume that about 75% of the population are >=18 and there are 65M Brits then 700,000/(0.75 * 65,000,000) = 1% of the working population. Or you can go with the GDPR and probably DPA infringing value of 15M instead of 700,000.
In the UK we don't have security by SSN but then, me and the wife managed (~2005) to order a birth cert for my brother in law and then a passport for him with minimal hassle.
To be honest it only really occurred to me what we'd done/got away with a bit later: but at least he got to go on holiday 8)
"Yep, all you need is name, date and place of birth. No evidence of identification of the requestor is required."
STILL?
I remember reading that in the "Jolly Roger's Cookbook" and other such subversive docs passed around on BBSs, but that was a long time ago, when we knew F*** all about security - all passwords were default etc.
I would have bet my house that since then, with the rise of ID fraud, someone in authority might have stumbled on the idea of not handing out anyone's ID documents to anyone else without any form of verification.
In fact why the fuck do they do that? It's akin to me ringing the passport office and saying can I have a duplicate of Boris Johnson's passport please?
"it is still possible to obtain a Birth Certificate for anyone with minimal effort"
Freely available to anyone who asks and pays the fee.
"and then use this to request a UK passport "
The method used should have been sealed in the 1960s. After all it's the registrar of Births _DEATHS_ and marriages, so it's not as if the relevant disqualification document is filed in another government department.
(FWIW, many countries _do_ tag records with a death date specifically to ensure that ID documents in the name of dead children can't be obtained. The UK seems to think this is too hard despite it being a known vulnerability long before Frederick Forsyth wrote about it.)
"...me and the wife managed (~2005) to order a birth cert for my brother in law and then a passport for him with minimal hassle."
Isn't it amazing how a document which is _explicitly_ "Not an identification document and must not be used as one" is a core requirement for obtaining what _ARE_ identification documents?
"Are they implying that their customers (i.e. other companies) hand our security responses over to Equifax along with everything else ?"
No, us poor bastards who never wanted anything to do with them and did not consent to them collecting as much data as they could on us, are OK, presumably. However a large number of people decided to create an account with Equifax to find out what rating they gave them (or other people). They are the ones who lost the security info etc.
"However a large number of people decided to create an account with Equifax to find out what rating they gave them (or other people). They are the ones who lost the security info etc."
Because there is no point applying for finance - be it a credit card, mortgage, car finance etc. if for some reason there is a black mark on your record.
Applying for credit and being declined puts a very very very dark blue mark on your record (lenders hate it).
Also, given the amount of hacks going on, it is useful to keep a close eye on your credit record for $UNKNOWN_CREDIT_CARD
"us poor bastards who never wanted anything to do with them and did not consent to them collecting as much data as they could on us, are OK, presumably."
I DPA section 11'd them a few years back. Their response made it clear that whilst they were complying with the law (removing all marketing data and ensuring information was not sold on), they would NOT remove any of the other data held.
Quite frankly, feeding Equifax management into a woodchipper feet first would be too kind.