And what the hell is all this data on UK citizens doing on their US based servers?
Not that we have time to get the EU to administer a kicking before we lose EU protection.
Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million. In true buck-passing fashion, at the time of writing, Equifax hadn't even released a public statement …
As the Athenian said to the Melians, "... you know as well as we do that right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must".
The USA considers itself the 800 lb gorilla, and doesn't much care what European legislators do or say.
On further reflection, the US administration doesn't even care very much what American legislators or judges say and do. Or the people who wrote the Constitution and the Bill of Rights.
"If the President does it, it's not illegal". - Richard M. Nixon
"The Constitution is just a goddamned piece of paper". - George W. Bush
Is it? My heart bleeds.
How about we reduce it to £2,000 per real person out of the 13.8 million records not triggering a 'you're in the shit, it's our fault but don't dream we'll clean up the mess' letter.
Assuming half those 13.8m are duplicates and test data that's only £27,800,000,000. We can be reasonable.
"And what the hell is all this data on UK citizens doing on their US based servers?"
Regrettably, the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.
This 'process failure' was supposedly corrected in 2016... yet the data was subject to the hack in May 2017. We can only assume that the correction was to stop data being sent to the US, but not to actually remove the data that was already there as a result.
Not only, but also:
The information was restricted to: Name, date of birth, email address and a telephone number, and Equifax can confirm that the data does not include any residential address information, password information or financial data.
But now it's "names, home and email addresses, telephone numbers, and account recovery questions" - so the 'process failure' resulted in more data being stored in the US than Equifax claimed (reading between the lines of their statement at the time - they didn't say what was stored due to this 'process failure', only what was accessed).
This needs to be dealt with properly - full fat legal action and fines, not just the usual mild slap on the wrist.
Any answers to security questions – such as your mother's maiden name – given to Equifax during an account signup should now be considered compromised, the NCSC warned, and should be changed for other websites, if possible.
Mum? Hi, yes, listen, I need you to change your maiden name to something different...
Yeah, but look, it's not me, it's the government...
Well can't you forge your birth certificate, or something?
Ok, ok, forget I asked...
Fully agree that it wouldn't take a dedicated miscreant very long to retrieve such info but here's the question that follows the suggestion that people should use some other value.....
Who is going to feel happy telling lies to a credit rating agency - knowing that the leeches share info and that getting wrongly flagged with one can make life just that little bit awkward.
The better approach is surely to educate the agencies (and others) so that they stop asking for it in the first place?
"Who is going to feel happy telling lies to a credit rating agency[?]"
Perfectly put. That is the exact dilemma that faces all would-be honest, decent citizens living in a world dominated by filthy, corrupt corporations and filthy, corrupt politicians.
Should we try to behave honestly and decently, and get it in the neck over and over and over? Or should we try to play them at their own game - which entails more or less trying to play football uphill on a vertical pitch where the opposing team does not have a goal?
Do the credit agencies even check your mother's maiden name or do they just use it as a security question? I have only ever given my mother's maiden name to banks when I opened an account, not even to credit card companies or Equifax itself when I had an account with them.
Unfortunately I did use the same fake maiden name I used with Equifax at other companies such as my mobile phone provider.
Fortunately I have used a password manager for several years so no account has the same password and the majority of accounts with money involved have two-factor authentication.
That would entirely depend on what documentation you kept, where you flagged up the potential flaws and were overruled by manglement on the grounds of cost.
Or if the hack is down to your failure to follow the recorded design spec because you couldn't be bothered/knew better.
Basically get everything in writing.
The better approach is surely to educate the agencies (and others) so that they stop asking for it in the first place?
With the additional benefit of the end of consumer credit from anyone but banks, with the concomitant collapse of the car, consumer electronics, interior design, package holiday and subscription media industries! Sounds like heaven to me, though most of the rest of the population will be a bit lost for a few years.
> You shouldn't be putting the real answer in
OK so not only do we have the wacky combinations of numbers, letters, symbols, uppercases etc. for passwords - each of which must be unique as sites are always getting hacked - when the inevitable happens and can't for the life of me remember what particular weird series of ASCII I used for a particular site, I click the password reset link only to then try and remember what fake maiden name / first pet / first school I used.
Where does it end?
Boycott the Internet for a day with a switch off your router day, preferably on Black Friday. Advertise clearly why the boycott has been called so these numpties understand. Even the Telcos will get the message then.
Better yet make it for a whole weekend.
You can't lie about your Date of Birth when applying for Credit......well you can, but it's Fraud!
This is good reason to store mandatory personal data in a hashed form like passwords.
i.e. The bank don't know your DOB, but if you give them a date they can check if it's the same as before.
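An added sketch of the check-without-storing idea in the comment above (not part of the thread, and not any bank's or Equifax's code): it stores only a salted digest of a date of birth, and shows why a field with only a few tens of thousands of possible values needs a server-side secret key mixed in. The function names, key handling and sample date are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Constructed sample value, not taken from any real record.
SAMPLE_DOB = date(1975, 3, 14)


def _encode(dob):
    """Canonical byte form of a date, so the same date always hashes the same."""
    return dob.isoformat().encode("ascii")


def enrol_salted(dob):
    """Password-style storage: random per-record salt plus SHA-256, no secret key."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + _encode(dob)).digest()


def check_salted(record, claimed):
    """True if the claimed date matches the one given at enrolment."""
    salt, digest = record
    candidate = hashlib.sha256(salt + _encode(claimed)).digest()
    return hmac.compare_digest(digest, candidate)


def enrol_keyed(dob, key):
    """Same idea, but the digest is an HMAC under a key held outside the database
    (assumption: the key lives in an HSM or secrets store, not beside the records)."""
    salt = os.urandom(16)
    return salt, hmac.new(key, salt + _encode(dob), hashlib.sha256).digest()


def check_keyed(record, claimed, key):
    """Verification needs both the stored record and the server-side key."""
    salt, digest = record
    candidate = hmac.new(key, salt + _encode(claimed), hashlib.sha256).digest()
    return hmac.compare_digest(digest, candidate)


def search_date_space(record, first=date(1900, 1, 1), last=date(2017, 12, 31)):
    """What a copied record alone gives away: with no key involved, every
    plausible date (about 43,000 of them) can be hashed and compared."""
    salt, digest = record
    day = first
    while day <= last:
        if hashlib.sha256(salt + _encode(day)).digest() == digest:
            return day
        day += timedelta(days=1)
    return None


def demo():
    key = os.urandom(32)  # stands in for the separately stored secret key
    salted = enrol_salted(SAMPLE_DOB)
    keyed = enrol_keyed(SAMPLE_DOB, key)
    return {
        "salted_verifies": check_salted(salted, SAMPLE_DOB),
        "keyed_verifies": check_keyed(keyed, SAMPLE_DOB, key),
        # Salt alone does not protect a low-entropy value:
        "salted_recovered": search_date_space(salted),
        # Without the key the same search finds nothing:
        "keyed_recovered": search_date_space(keyed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The keyed form only helps for as long as the key is not stored with, or taken alongside, the records it protects.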
"Mum? Hi, yes, listen, I need you to change your maiden name to something different..."
In my case this would be an interesting conversation as she's been dead for quite a while.
But I've always lied about that particular piece of data, anyway, and never the same lie to different data-slurpers. My mum has *lots* of "maiden names".
I wonder whether that makes me part of the "duplicates" the Equifax kleptos talk about?
According to Equifax, 700,000 Brits have been seriously violated. If we assume that about 75% of the population are >=18 and there are 65M Brits then 700,000/(0.75 * 65,000,000) = 1% of the working population. Or you can go with the GDPR and probably DPA infringing value of 15M instead of 700,000.
In the UK we don't have security by SSN but then, me and the wife managed (~2005) to order a birth cert for my brother in law and then a passport for him with minimal hassle.
To be honest it only really occurred to me what we'd done/got away with a bit later: but at least he got to go on holiday 8)
"Yep, all you need is name, date and place of birth. No evidence of identification of the requestor is required."
I remember reading that in "Jolly rogers cookbook" and other such subversive docs passed around on BBSs, but that was a long time ago, when we knew F*** all about security - all passwords were default etc.
I would have bet my house that since then, with the rise of ID fraud, someone in authority might have stumbled on the idea of not handing out anyone's ID documents to anyone else without any form of verification.
In fact why the fuck do they do that? It's akin to me ringing the passport office and saying can I have a duplicate of Boris Johnson's passport please?
"it is still possible to obtain a Birth Certificate for anyone with minimal effort"
Freely available to anyone who asks and pays the fee.
"and then use this to request a UK passport "
The method used should have been sealed in the 1960s. After all it's the registrar of Births _DEATHS_ and marriages, so it's not as if the relevant disqualification document is filed in another government department.
(FWIW, many countries _do_ tag records with a death date specifically to ensure that ID documents in the name of dead children can't be obtained. The UK seems to think this is too hard despite it being a known vulnerability long before Frederick Forsyth wrote about it.)
"...me and the wife managed (~2005) to order a birth cert for my brother in law and then a passport for him with minimal hassle."
Isn't it amazing how a document which is _explicitly_ "Not an identification document and must not be used as one" is a core requirement for obtaining what _ARE_ identification documents?
"Are they implying that their customers (i.e. other companies) hand our security responses over to Equifax along with everything else ?"
No, us poor bastards who never wanted anything to do with them and did not consent to them collecting as much data as they could on us, are ok, presumably. However a large number of people decided to create an account with Equifax to find out what rating they gave them (or other people). They are the ones who lost the security info etc.
"However a large number of people decided to create an account with Equifax to find out what rating they gave them (or other people). They are the ones who lost the security info etc."
Because there is no point applying for finance - be it a credit card, mortgage, car finance etc. if for some reason there is a black mark on your record.
Applying for credit and being declined puts a very very very dark blue mark on your record (lenders hate it).
Also, given the amount of hacks going on, it is useful to keep a close eye on your credit record for $UNKNOWN_CREDIT_CARD
"us poor bastards who never wanted anything to do with them and did not consent to them collecting as much data as they could on us, are ok, presumably."
I DPA section 11'd them a few years back. Their response made it clear that whilst they were complying with the law (removing all marketing data and ensuring information was not sold on), they would NOT remove any of the other data held.
Quite frankly, feeding Equifax management into a woodchipper feet first would be too kind.
"After all, we're not customers of Equifax who can refuse to provide data for its servers – it just collects it all, one way or another, and sell it on to others."
The way in which it collects it needs to be looked at. If you as a data subject pass data to some company who then passes it on to Equifax then that company needs to be held liable. Either that or Equifax needs to be held liable in a UK court. I'd like to know what the ICO is doing about this. A quarter of the UK population is affected. Perhaps if everyone who gets one of these letters were to write to their MP to raise the matter in Parliament it might actually be borne on the Home Secs - both of them - that this privacy thing needs to be taken a bit more seriously.
I don't think you understand just how lax UK law is regarding the cavalier way retail organisations, financial institutions and a plethora of others to whom Joe Public by necessity gives his personal details, are allowed to pass on that information to the 'big three' credit reference agencies: Experian, Equifax and CallCredit:
I've just checked that link and I'm incensed and somewhat frightened at the same time. Just by opening an account in the UK, you are automatically included in one or more credit reference agency's files. Is there any mention of that in your Ts & Cs when you open the account ? I'm guessing maybe, but maybe not. Can you opt out if there is ? Hah !
That takes me to wondering how things are managed in France. Banks lend money (sometimes), so they have a customer history. Do they share it and how ? I know that there is a national register of people that are forbidden from having a checkbook or credit/debit card, but that is not managed by a private company.
> "Just by opening an account in the UK, you are automatically included in one or more credit reference agency's files. Is there any mention of that in your Ts & Cs when you open the account ?"
Yes, the words "credit reference agency" (Equifax, Experian, et al) are normally found in the terms for any financial product or other credit-bearing facility (i.e. all current accounts, credit cards, mail order with buy-now-pay-later, etc). The terms will also include mention of "fraud detection agencies" (SIFAS) for financial products.
> "Can you opt out if there is ? Hah !"
Other than not applying for the product, nope (essentially, the credit reference agency's data is integral to their decision making process for whether to offer you credit). They're still affected by the DPA if they should lose your data, though (i.e. you could bring a civil case against them for damages due to loss or distress as a result of the data leak*, and/or get fined by the ICO [currently £500k max]).
* see Vidal-Hall v Google.
So I don't have an "account" with Equifax, nothing I can log in to, so there is no password or mother's maiden name to steal. But obviously Equifux still have loads of data about me to lose/leave on the bus/park bench. But the way they tell it, it is account details etc that were stolen. How does that play for peeps like me with no account?
Basically, you're up the creek without an oar. An "account" can mean you actually opened one to verify your info or they opened one in response to an enquiry. Same for us in the States. The bad guys can own us and we'll never know unless we actually opened an account. That is until we go for a loan, credit card, bank account, etc.
> All credit agencies should be made to contact all subjects with details on what data they hold and if it was compromised.
Better yet, all of them should be obliged to submit data they hold to the data subject for validation annually, and pay for that validation at a rate of (say) £5 per item in the record. And for that matter, not just credit reference agencies, but any organisation - including, separately, each government department and agency.
This is just one of the problems of UK citizens relying on American companies, especially when the shit hits the fan. We're always going to be second class citizens, assuming we get any consideration at all.
Taking any sort of remedial or punitive action against American companies is also rather difficult. Even their own government doesn't seem to care, so what hope do we have?
And anyway, what reasonable expectation should we have of the US government respecting our privacy enough to want to do anything about this at all, given that they are by far the greatest violators of it (yes, still to this day).
It also doesn't help when our fanatically neoliberal politicians (which these days is basically all of them) "deregulate" things to the point where an American arms dealer is put in charge of the UK Census (except in Scotland, where the British arm of a US torture contractor was given the job). Not that the UK government has ever even pretended to care about our privacy anyway.
Our private data in their hands.
I’m a UK citizen, no I don’t trust ANY US company, but I guess my details are with Equifax, but not through my choice. Perhaps the solution right now is for all UK companies that pass on details to Equifax to write to their customers and fess up and start offering significant compensation.
Almost as legit as the email I got, allegedly from my company's HR dept, saying that we were getting a year's credit monitoring for free - just click on this link that looks like it has the company name in it, but is actually on the wrong domain, and it's been leet-ified and so looks like myC0mpany.mp2.io domain.
"if they're anything like as useless as our HR department."
You misunderstand the purpose of a HR department.
It is not there for staff protection or assistance, it is there to protect the COMPANY from the staff. Being useless and difficult to deal with is not an accident.
Any statements to the contrary are pure bunkum.
When did we enter the "alternate universe" where if a company lends people money thinking they are me, is it my problem?
Why isn't it:
"Hey Mr. banker.. Someone fooled you into giving them money? Sucks to be you!"
Because I come from a small community, I could probably get the mother's maiden name, place of birth, and date of birth of many of the people I was in school with (most have their birthday listed on Facebook, and I already know the year they were born).
It shouldn't be information I should need to keep private anyway.
If you lend "me" money, you should have no right to force me to pay, or blacklist me, or ruin my reputation, if I say it wasn't me, unless you can get it proven in a court of law. Until then, anything you say or do should be considered slander or libel.
"Mitchell and Webb" put it rather eloquently: https://youtu.be/CS9ptA3Ya9E
Any answers to security questions – such as your mother's maiden name – given to Equifax during an account signup should now be considered compromised, the NCSC warned, and should be changed for other websites, if possible.
About five years ago, we started to see large UK public sector bodies reject things such as Mother's Maiden Name when configuring security questions. As others have pointed out, it's too easily known and some users will simply consider it to be immutable - they will refuse to misrepresent mum's maiden name. Date of Birth falls into the same category.
The silly thing is - this isn't friggin' brain surgery (or rocket science). Ten years ago, at least one UK bank saw the merit in allowing customers to define their own memorable question - it can be as simple as first Car/first pet/first office location/first love. It strictly speaking doesn't actually matter as at the end of the day, it's only a string of alphanumeric characters.
Perhaps it's about time we started to define a list of questions that are best avoided - and point to the Equifax incident as that watershed moment when it was decided that things had to change.
Why is a "memorable question" considered an authenticator separate from a password? It is still "something you know". As you point out, it's only a string of alphanumeric characters, but, I'd suggest, inherently more vulnerable than a password.
We can tell people to keep their password secret and they might do that, but if you tell someone to think of a memorable question, they are going to pick something that is significant to their identity, and therefore something they are likely to discuss with others. Aside - are those, "find your drag queen name" (and similar) games where you use the name of your first pet and the name of the street where you grew up just social engineering to reveal this sensitive information?
There is no need for a list of questions that are best avoided because it's ALL of them. Anything about me that is memorable is not secret, and anything about me that is secret is not memorable.
You're right that memorable questions are inherently more vulnerable than a password. Although in truth, they should ONLY be used to reset a password by sending an email to the registered address (requiring any hacker to also have access to the registered email address in order to access the account) this is not always the case.
But the fact that we have these memorable questions is more of a sign of the failure of our current password regimes. Hell we need passwords for everything these days. Just here at work I have 4 different passwords for various systems in the office, none of which are allowed to be the same and all of which need to be changed every month. I'm an engineer, but even I make mistakes trying to remember which one has a capital in it, which one doesn't, which one is longer, what number am I up to in my never ending climb through the year.
Whilst people are stuck trying to remember things like this, then unfortunately there will often be a need for memorable questions. Unfortunately most password systems at the moment don't allow the sort of xkcd system (correcthorsebatterystaple) which is much harder to crack but easier to remember because they want capitals, numbers, and special characters included (and usually limit password size).
It's just an unfortunate side effect of where we are with security right now. If you can come up with a better system, you'll make a million! :)
@ lglethal - Since NIST and GCHQ are now recommending not forcing regular password changes, it sounds like you need a new CISO in your office, preferably one who's heard of SSO. Current standard practice is broken (why limit the password size when you are hashing it?), and the "fix" of using memorable questions is like putting a band-aid on a compound fracture. Unfortunately, it is cheap.
PKI with certificates stored on secure smartcards or USB tokens would be a better system but the initial cost is high, the learning curve is steep, and the real benefits come when a critical mass of service providers accept the same certificates, so I'm not rolling in Millions yet ;(
> "Why is a "memorable question" considered an authenticator separate from a password?"
Because it gives a level of protection when someone who re-uses their password between sites has their account compromised on another site, and someone tries to interact as them on yours. Obviously, this is assuming the other site doesn't ask the same question/get given the same information, which may not be a valid assumption.
Yes, you could use 2FA via phone, but (a) there are some documented and well-known security issues with that which have been covered by The Register previously, (b) not everyone has or can use a smartphone, (c) implementations for dumb-phones that use time-bounded codes sent via SMS are not user-friendly* (had the SMS turn up about 4 hours after it was requested, and the "usable window" for it had expired), and (d) not everyone owns or can use a mobile phone.
* bonus usability points to MS on this one, whose system will send the code through to your designated phone as an audio call (i.e. ring you), rather than insisting on transmission via SMS (or equivalent).
"(c) implementations for dumb-phones that use time-bounded codes sent via SMS are not user-friendly* (had the SMS turn up about 4 hours after it was requested, and the "usable window" for it had expired)"
I've also experienced the situation where there is no phone signal indoors, which involved going outside and walking until reception kicks in and the SMS message arrives.
By the time I got back to the computer, the code had expired.
"Aside - are those, "find your drag queen name" (and similar) games where you use the name of your first pet and the name of the street where you grew up just social engineering to reveal this sensitive information?"
Yes. I've been pointing this out to people for many a year - usually when anyone relays them to me. Many people pass them on innocently on social engineering sites, thinking they're a bit of fun, but they often reveal potentially valuable data.
"we started to see large UK public sector bodies reject things such as Mother's Maiden Name when configuring security questions."
Of course if a company asks for this online and you put in "FuckOffCuntFace", it's going to make for some interesting times if you phone up and they decide to bring up the answer to that question.
I just checked the Equifax UK site and came across this text about the incident:-
Although Equifax’s UK business was not breached, the attack regrettably compromised the personal information of a range of UK customers. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.
Nice use of the term "process failure" - suppose it sounds better than "management fuck up". Hey I know, let's blame the process rather than those that implemented it. Some may say criminal negligence absolved in the same way as a bank robber claiming a process failure in their method of withdrawing money.
Hang on - Equifax are a publicly traded US company, so they come under the Sarbanes-Oxley act. Yes, SOX is primarily intended to prevent CxO fraud, but it has other elements to protect the integrity of financial reporting and shareholder value, such as securing critical systems and regular audits.
Failure to meet the required standards means CxOs can be personally fined or imprisoned. So are the SEC pursuing a prosecution?
Welcome to your wonderful free and open society guided by the ( human written ) algorithms of machines, start breaking down the walls and boundaries and feel the love pour in. Oh wait, you mean if we hand over control of complex global systems to machines with no more "sense" than a ZX81, machines we're barely able to fully understand running complex networks of interaction we simply cannot comprehend, things will start f**king up in a serious way?
Well blow me down, who'd a thunk handing over all that to a bunch of spotty CS college dropouts with a single year of studying humanities and ecology systems and with very little world experience, would dump us in this big old fecking mess!
For everything they have. That's the only way anything will ever change. The government (of both the UK and the U.S.) will refuse to take serious steps against any major information aggregator, because these companies are wired into law enforcement, intelligence agencies, tax authorities and politically active financial sector companies.
Industry-level joint development of Apple's 'Secure Enclave' system to get to a stage where it would 2-factor requests for information/authorisation and just release a Yay or Nay without ever releasing or sharing the actual data...? Is it not time for this to be embraced on a much wider scale?
Why would you need to use Apple's version? It's just a hardware security module, the same thing that is in a smartcard, or what is in every PC from the last 5 years (TPM).
It doesn't happen in most countries as it costs too much, people don't want it (national ID card in the UK), it can go wrong, can still be hacked. Some countries have done it and it's worked well, others, not so well.
The problem is, the card is your proof, your data is still stored in a Database controlled by the government or outsourced to a company to run. That can still be hacked, data stolen, changed etc. Then used in countries that don't use your ID card.
"The problem is, the card is your proof, your data is still stored in a Database controlled by the government or outsourced to a company to run. That can still be hacked, data stolen, changed etc. Then used in countries that don't use your ID card."
If only we could have a system that allowed the data held on a card to be trusted. Say by a combination of digital signatures and encryption.
You are actually talking about attribute exchange; the technology is in development and there are standards currently being defined, see www.openidentityexchange.org/ for further information. The combination of attribute exchange coupled with User Managed Access where users are given a portal to manage which explicit permissions they have granted for organisations to use data could provide a way to mitigate issues like this. Or it may provide a huge attack face for the black hats.
The concept of the secure enclave does exist with the GOV.UK Verify ID service, which is in production and used to establish user identification for a number of central government services (https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify). The number of Central Government services using GOV.UK Verify to authenticate users is increasing, and pilots to allow the online checking of eligibility to services within Local Government are taking place at the moment. Usage will grow over time and access to the service for commercial organisations is in the pipeline.
The problem with GOV.UK Verify is that it outsources / delegates the verification process to third parties, including credit reference agencies...
So the security and verification it provides are just as vulnerable as its weakest link.
Hello Experian, Verizon...
"“We are aware that Equifax was the victim of a criminal cyber attack in May 2017," the NCSC said in a statement today."
No. They're not the victim. They dropped the ball, and they've obviously been dicking about for years with the way they have handled data that, in all fairness, doesn't belong to them.
The 15.2 million people who have had their details stolen, they're the victims.
"We are aware that Equifax has been criminally negligent in protecting personal details of people and are going to enforce new rules that any UK company sending details of citizens abroad are held liable for any losses incurred through that third party's negligence." Is what it should have said.
basically, EVERYBODY on their UK database (given that the rest of the population is on database with other, equally reliable credit rating agencies).
Great news for those unfortunates who used the same, or some of the same details elsewhere. How many maiden names does your mother have? They could start to probe those details against major e-mail providers, for a start. You never know, out of 14 million, at least, what, 10% should let you into the inbox, and then, well, it's a wide world of info in there...
CEO Rick Smith also jumped ship, taking his $90m retirement pot with him.
That's well earned money, he will deserve his gold member card at the Club.
I wonder what happened to the IT underling who was accused of wrongdoing... I doubt (s)he got a golden parachute, didn't (s)he?
I hope so! If I get one of those letters then I'll be contacting my lawyer and seeing what he says. We may be able to claim for free fraud insurance etc :-). But we can't do anything until we get confirmation that we're affected.
If you get a letter, do not lose it. It may be vital in your case as proof you're affected. In addition if anyone wants to see it send copies, not the original.
"Is the only real question here, can I get some wonga out of em?"
I'm wondering what is involved in the "free" credit/fraud protection they are offering and how much time and effort the victims will have to put in to checking and maintaining that protection, potentially for life. I wonder if a small claims court action would be in order to compensate for the time spent in tracking all this stuff?
"The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry"
I know in the age of being open on social media that they may regard DOB as not an issue as lots of people (foolishly) splash it around - I beg to differ.
I use false DOB everywhere I possibly can, as it's a key identifying factor, except for things where I legally have to give my actual DOB (e.g. my bank for opening an account). So my real DOB is out in the wild, coupled with a name far less common than a "Jane Smith" style of name, that gives ne'er-do-wells compromising data about me (as after all, quite likely to have been some other "hack" (read sloppy / non-existent security practices) that could let bad actors join other information about me with the DOB).
Until DOB leaked via Equifax, someone would have needed to hack my doctors, bank etc. for my DOB (or social engineered by asking relatives / close friends my DOB) - i.e. needed to make an effort, they would not have got it via social media, internet searches etc.
Pretty much the same applies to me - but with social media, even if you've given a fake DOB and/or made sure it's not made visible (preferably both), you still have the issue of those who know you wishing you a happy birthday on the day in question on those sites.
I've always discouraged this*, but it doesn't stop some from doing it. All I could really do when that happens is try to unlink it somehow. For example on Facebook IIRC it was possible - and perhaps still is, dunno - to remove a third party comment from your wall/timeline. Although even if you do, the comment will still be on their timeline.
* Not for this specific reason, but just because I'm a grumpy old bastard, and I have no interest whatsoever of celebrating (or even being reminded of) my birthday, online or IRL.
If you really feel strongly enough - specify that all future dealings are with institutions that don't use Equifax. If they do - drop them and tell them why.
You can get free reporting from Noddle.com and see who is doing searches and which agency are used - start hitting Equifax customers and they will pay attention and so will Equifax.
"Winning is about a deep understanding of your own strengths and weaknesses as well as the enemies. What is wholly missing in enterprise IT security is the latter: a strategic sense of vulnerability has given way to an unearned confidence in security products and best practices, comfortably layered into the localized IT bureaucracy that rejects change, embraces process over results, and like the French admiring their Maginot line, imagines they are safe."
because from this article it seems that they just directly ask companies for it https://www.inc.com/associated-press/equifax-data-money.html
"......They gather as much information about you from lenders, aggregate it, and sell it back to them," said Brett Horn, an industry analyst with Morningstar.
Letter from Equifax (Qui?) received a few days ago...
What exactly is the perceived wisdom about how to proceed - can't tell from the many comments I've already read?
& as a Techno-dweeb would be grateful for some objective, clear-headed advice. The May! hack a reality; no turning back - what does any individual affected do now that's smart, practical, relatively 'safe'?
If Equifax personnel aren't answering the 'phone anyway... & it's already been pointed out - would you really want to add personal detail to info you didn't know the Co. had about you in the first place, particularly under these circumstances?!
Never heard of the other 2 Credit Providers either...
Some positive, even mildly-reassuring, thoughts would be appreciated.