How about a token fine..
Say $100 or 1hr prison time for the Directors, for each and every person's data they "lose"
Credit reference agency Experian has suffered what it somewhat understatedly described as a "data breach" after the firm itself transferred the details of 24 million South Africans to one individual. The credit reference agency admitted on its South Africa website that the "isolated incident" took place over what it said was a …
If he feels their response is comforting, I'd love to know his idea of uncomfortable, maybe BDSM?
How the F did anyone give the material so easily - don't they have safeguards to prevent this kind of thing?
And how can they be sure there aren't multiple copies of this info elsewhere? You impounded an actual computer, great. What about the cloud? Going to impound that?
As a consumer, I'm getting afraid to read these articles anymore, it's so depressing.
All the US credit agencies seem to be in a race to the bottom. Are Experian worse than Equifax? And if we shut them all down, what will their inevitable replacements look like?
I agree it's a problem, but I think the solution is tighter regulations and penalties for the incumbents, on the grounds that they're the devils we know.
They do have too much power.
I've discovered that if you don't have a rating - you fall off their records after some years with no use of credit and always paying any bills (no strikes on that permanent record your mom warned you about) -
Then the US social security administration will not let you create the standard "MySSA" account online for dealing with the various issues one encounters with social security.
No big deal?
Well, with the paperwork reduction act, they no longer really have facilities to handle you any other way. Yes, there's a phone number - you wait for an hour after an insane - 45 minute tour of the system with a robot asking questions, to get to someone who doesn't normally deal with customers and doesn't know why their phone rang. This may be good, no one else gets through because they hang up during the 2 hour wait - or their battery runs down, and the person is often nice as they aren't on a firing line all the time.
I've had doctors demand some info from the SSA "this week" for qualifying for a particular fee schedule - and the only way I can get that is ask via mail in writing - takes about a month.
I called SSA to find all this out - the rep said "well, if Experian or Equifax doesn't have you, we have to assume it's some kind of ID fraud, everyone legit is a debt slave".
The US government doesn't know their own citizenship. Let that sink in.
Virtue is therefore penalized, and a private agency has far too much power. There's less than a snowflake's chance in hell this will change - they also sell the governments of the world data on you that they couldn't get legally otherwise, and it's the kind of data that makes Google, MS and others look like they are selling catnip in the marijuana market.
The definition of Fascism used to be some sort of crony public-private partnership. Dunno why people are just now using that word again - it's been quite a few changes of political power and this kind of thing has been going on for all of them - not just the current objects of hate.
The primary purpose of any business is to make money.
The specific value proposition of credit agencies is consumer-credit pricing, which is mostly a matter of risk assessment for lenders. Risk assessment is probabilistic and applies to aggregations of borrowers, so there's a certain level of noise - inaccuracy in the data - which is optimal for the credit agency, where its effect on their profits is less than the cost of improving accuracy. So they're happy to tolerate a certain amount of borrower-side fraud, such as identity theft. In fact, they've learned to monetize that by selling add-on products such as credit monitoring.
Similarly, there's a point of diminishing returns on protecting the confidentiality of their data from fraudulent customers (i.e. lenders and others interested in credit ratings). Past that point, fraud becomes an externality - it's not worth them trying to prevent it.
The only way to fix that problem is to convert the externality into a direct cost that's greater than the marginal profit of ignoring it. Sometimes market forces can do that, but the oligopoly of credit agencies in the US, and the fact that consumers have almost no effect on which ones are used by lenders and other customers, makes the market a non-starter in this case. That leaves only regulation.
All you have to do is set up a small business claiming to be a credit reference agency then buy the electoral register from your local council. Who sell it stupidly, stupidly cheaply to them. Or apply to run as a councillor and you can request a copy or just visit your local library who gets given a copy.
There are some more "fun" details missing from this coverage. In the Business Insider article it's mentioned how the breach^Wsnafu happened on 24 and 27 May, but that they only detected it 22 July. And not because of some regular security audit or such. No, they tried and failed to contact the person on their mobile. It then took until 18 August for the Anton Piller raid to be executed.
The most precious part is probably this
"The company also reiterated that it believes the breach was not that big a deal, as the 'consumer information concerned was publicly available information'."
None of the items, on their own, is super secret, but in combination they provide a very convenient identity-theft kit. The data included national ID numbers, telephone numbers, email addresses, physical addresses, and such. All very useful tidbits if you want to open accounts or answer know-your-customer challenge questions.