[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
John Bambenek
jcb at bambenekconsulting.com
Tue Feb 13 17:00:53 UTC 2018
Ok, so you agree with me in principle and we're just haggling over the
details now. Flip a coin for all I care, opt-in/opt-out and move forward.
So let's do that. When can we implement?
On 2/13/2018 10:58 AM, Volker Greimann wrote:
>
> You are still looking at the wrong end of the horse. Privacy is not
> the choice, it is the default. Divulging data is the choice.
>
>
> Am 13.02.2018 um 17:57 schrieb John Bambenek via gnso-rds-pdp-wg:
>>
>> Exactly right. As far as I'm concerned if we made privacy a free
>> choice, make the fields optional for all I care, and whatever they do
>> make is public... we have solved this problem.
>>
>> People who ACTUALLY protect society against privacy threats have the
>> data to do their jobs, consumers who want privacy have a free option
>> for it, and registrars can be in compliance with the law.
>>
>>
>> On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
>>> This is just an example but there is a lot of damage that can be
>>> caused with data being exposed. In our case we have phone numbers,
>>> addresses, emails which are required for verification.
>>>
>>> This takes us to the issue of consent.
>>>
>>> On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg
>>> <gnso-rds-pdp-wg at icann.org> wrote:
>>>
>>> Let's be honest here, we're talking about phone numbers and
>>> email addresses. The threat model is RADICALLY different with
>>> the data we are talking about.
>>>
>>>
>>> On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>>>>
>>>> Undeterred by the fact that no one has responded to my last
>>>> post, I offer the following update to the Equifax breach to
>>>> further illustrate my point. As many companies have found out,
>>>> you don't find out what you've got till it's gone.....a further
>>>> reason for data minimization and short retention periods.
>>>>
>>>> http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>>>
>>>>
>>>> *Equifax hack worse than previously thought: Biz kissed goodbye
>>>> to card expiry dates, tax IDs etc*
>>>> Pwned credit-score biz quietly admits more info lost
>>>> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
>>>>
>>>> Last year, Equifax admitted
>>>> https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
>>>> hackers stole sensitive personal records on 145 million
>>>> Americans and hundreds of thousands in the UK
>>>> https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
>>>> and Canada.
>>>>
>>>> The outfit already said cyber-crooks "primarily" took names,
>>>> social security numbers, birth dates, home addresses,
>>>> credit-score dispute forms, and, in some instances, credit card
>>>> numbers and driver license numbers. Now the credit-checking
>>>> giant reckons the intruders snatched even more information from
>>>> its databases.
>>>>
>>>> According to documents provided by Equifax to the US Senate
>>>> Banking Committee,
>>>> and _revealed this month by Senator Elizabeth Warren (D-MA)_,
>>>> https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
>>>> the attackers also grabbed taxpayer identification numbers,
>>>> phone numbers, email addresses, and credit card expiry dates
>>>> belonging to some Equifax customers.
>>>>
>>>> Like social security numbers, taxpayer ID numbers are useful
>>>> for fraudsters seeking to steal people's identities or their
>>>> tax rebates, and the expiry dates are similarly useful for
>>>> online crooks when linked with credit card numbers and other
>>>> personal information.
>>>>
>>>>
>>>> *Contradictory*
>>>>
>>>> "As your company continues to issue incomplete, confusing and
>>>> contradictory statements and hide information from Congress and
>>>> the public, it is clear that five months after the breach was
>>>> publicly announced, Equifax has yet to answer this simple
>>>> question in full: what was the precise extent of the breach?"
>>>> Warren fumed in a missive late last week.
>>>> https://www.warren.senate.gov/?p=press_release&id=2317
>>>>
>>>> Equifax spokeswoman Meredith Griffanti stressed to The Register
>>>> today that the extra information snatched by hackers, as
>>>> revealed by Senator Warren, belonged to "some" Equifax
>>>> customers. In other words, not everyone had their phone
>>>> numbers, email addresses, and so on, slurped by crooks, just
>>>> some. How much is some? Equifax isn't saying, hence Warren's
>>>> (and everyone else's) growing frustration.
>>>>
>>>> The senator is a cosponsor of the _proposed Data Breach
>>>> Prevention and Compensation Act, _
>>>> https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
>>>> which, if passed, would impose computer security regulations on
>>>> credit reporting agencies, with mandatory fines that would have
>>>> led to Equifax coughing up $1.5bn for its IT blunder.
>>>>
>>>> Some regulation or punishment is obviously needed.
>>>>
>>>> No senior Equifax executives were fired over the attack; instead
>>>> the CEO, CSO and CIO were all allowed to retire with
>>>> multi-million dollar golden parachutes. The US government's
>>>> Consumer Financial Protection Bureau promised a full
>>>> investigation into the Equifax affair, and then gave up. On
>>>> February 7, an open letter [PDF]
>>>> https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
>>>> from 32 senators to the bureau asked why the probe was dropped,
>>>> and the gang has yet to receive a response. ®
>>>>
>>>>
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>
>>> --
>>> --
>>>
>>> John Bambenek
>>>
>>>
>>>
>>> --
>>>
>>> Regards
>>> Nanghaka Daniel K.
>>> Executive Director - ILICIT Africa / Chair - FOSSFA / Community Lead
>>> - ISOC Uganda Chapter / Geo4Africa Lead / Organising Team - FOSS4G2018
>>> Mobile +256 772 898298 (Uganda)
>>> Skype: daniel.nanghaka
>>>
>>> ----------------------------------------- /"Working for Africa"
>>> /-----------------------------------------
>>>
>>>
>>>
>>
>> --
>> --
>>
>> John Bambenek
>>
>>
--
--
John Bambenek