e dot dot dot
a mostly about the Internet blog by

Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

Furnished content.


Okay, chances are you've already heard about the massive security breach at Equifax, which leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh, and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

Not surprisingly, it didn't take long for various security tools to warn that the site wasn't safe.

And, when Equifax pushed people to its own "TrustedID" program to supposedly check to see if you were a victim of its own failures... it just started telling everyone yes no matter what info they put in:
So, yeah, what the hell did Equifax do during those six weeks it had to prepare? Oh, well, a few of its top execs used the delay to sell off stock, which may put them in even more hot water (of the criminal variety). Also, just days before it revealed the breach, and long after it knew of it, the company was talking up how admired its CEO is. This is literally the last tweet from Equifax prior to tweeting about the breach (screenshotted, because who knows how long it'll last):
I can't see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well. Beyond the possible insider trading above, there's already scrutiny on its corporate VP and Chief Legal Officer, John J. Kelley, who made $2.8 million last year and runs the company's "security, compliance, and privacy" efforts.

And despite six weeks to prepare for this, the following was Equifax's non-apology:
We apologize to our consumers and business customers for the concern and frustration this causes.
That's a classic non-apology. It's not apologizing for its own actions. It's not apologizing for the total mess it's created. It's just apologizing if you're "concerned and frustrated."

Oh, and did we mention that the very morning of the day that Equifax announced the breach, it tweeted out about a newsletter it published about how "safeguarding valuable customer data is critical." Really (again, screenshotted in case this disappears):
What the fuck, Equifax? Should we even mention that Equifax has been a key lobbying force against data breach bills? Those bills have some problems... but, really, it's not a good look following all of this.

And while there was some concern that signing up to check to see if you were a victim (again: look, you probably were...) would force you out of being a part of any class action lawsuit, that's since been "clarified" to not apply to any class action lawsuits over the breach. And you better believe that the company is going to be facing one heck of a class action lawsuit (a bunch are being filed, but they'll likely be consolidated).

That's all background of course. What I really wanted to discuss is how this will almost certainly get worse before it gets better. More than twelve years ago, I wrote that every major data breach is later revealed to be worse than initially reported on. This has held true for years and years. The initial analysis almost always underplays how serious the leak is or how much data is leaked. Stay tuned, because there's a very high likelihood we'll find out that either more people were impacted or that more sensitive information is out there.

And that should be a major concern, because what we already know here is stunning. As Michael Hiltzik at the LA Times noted, this is the mother lode of data if you want to commit all sorts of fraud:
The data now at large includes names, Social Security numbers, birthdates, addresses and driver's license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person's name.

In some cases, Equifax says, the security questions and answers used on some websites to verify users' identity may also have been exposed. Having that information in hand would allow hackers to change their targets' passwords and other account settings.
Other data breaches may have been bigger in terms of total accounts impacted, but it's hard to see how any data breach could have been this damaging. For over a decade, we've pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency. In fact, back in 2005, we wrote about Equifax itself saying that it was "unconstitutional and un-American" to let people know what kind of information Equifax had on them. The amount of data that Equifax and the other credit bureaus hold is staggering -- and as this event shows, they don't seem to have much of a clue about how to actually secure it.

At some point, we need to rethink why we've given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can't opt out. They collect most of their data without us knowing and in secret. You can't avoid them. And now we know that at least one of them doesn't know how to secure that data.




posted at: 12:00am on 09-Sep-2017
path: /Policy




Intelligence Oversight Committees Are Being Stocked With Former Intelligence Agency Employees

Furnished content.


RESOLVED: this nation's intelligence oversight is indisputably useless. It's about 99% joke and 1% Ron Wyden dog-whistle questions that go unanswered for months or years. Committees on both sides of the legislature are composed mostly of surveillance cheerleaders and flak catchers profoundly uninterested in performing actual oversight. Reform efforts tend to take place despite the intelligence committees, rather than because of them. Every so often, positive changes are made for purely partisan reasons.

Super-friendly "oversight" committees aren't helping hold our nation's multiple intelligence agencies accountable. But it goes deeper than lawmaking fanboys/girls holding prominent positions in intelligence committees. The desire to limit accountability traces back further than the front-mouths lobbing softballs to IC leaders at Congressional hearings. As Tim Johnson and Ben Wieder report for McClatchy News, the intelligence community has been stocking committees with home teamers for years.

Lawmakers assigned to oversee the sprawling U.S. intelligence apparatus rely strongly on a staff that in recent years has included scores of onetime spooks, analysts and lawyers who previously worked at the spy agencies under scrutiny.

According to a comprehensive analysis by McClatchy, at least one-third, and perhaps far more, of the professional staff members who carry out the work of the House and Senate intelligence committees are themselves veterans of the agencies that the two panels oversee.
Really not a problem, I suppose, if the other two-thirds are staunch civil rights defenders and privacy advocates. But of course they're not. They're just more government employees, many of whom find defending the status quo to be a more sensible career path, one that starts with idealism (sometimes) and ends with a pension, with very little forward momentum during the intervening years.

The "intelligence community" term attempts to humanize a hulking behemoth bristling with surveillance apparati, currently hoovering up $80 billion every year. And that estimate is likely on the low end, as these agencies have another, entirely-opaque budget to utilize on top of this.

The other low estimate at work here is McClatchy's guess at the number of former agency employees currently working for the intelligence oversight committees. It's not always easy to sniff out the origins of staffers, especially if they've possibly spent some time engaged in clandestine activities.
McClatchy's analysis determined the staffers' backgrounds based on searches of LinkedIn profiles, congressional records, executive profiles and in a handful of cases, press reports, obituaries or personal interviews in which the former or current committee staff members publicly acknowledged their own intelligence background.

In dozens of cases, McClatchy could not determine whether a given staff member had worked in intelligence. Some have left almost no trace on the internet, itself perhaps a telling sign of a sensitive prior professional life.
According to staffers who spoke to McClatchy, the one-third estimate is way, way off. One said "all but a couple" of staffers he worked with came from intelligence agencies. Others estimated IC oversight market saturation to be 50-75%.

Obviously, a dearth of intelligence experience would be less than useful for oversight committees. Experience is extremely useful, but in cases where oversight is already severely lacking, stuffing the roster with IC picks is guaranteed to result in the sort of non-oversight we've become accustomed to. Not only are staffers likely to advise against additional accountability and lobby against reform efforts, they're also likely to know how to ensure any reform efforts are shot full of exploitable holes by the time they hit the president's desk.

And there's no good way of fixing this that won't leave other government committees tied up in policies that prevent them from hiring anyone with subject matter expertise. Pretty much the only thing that can be done is sitting back and marveling at the breadth of the intelligence community's regulatory capture.




posted at: 12:00am on 09-Sep-2017
path: /Policy



