[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

John Bambenek jcb at bambenekconsulting.com
Tue Feb 13 16:48:27 UTC 2018


Let's be honest here, we're talking about phone numbers and email
addresses. The threat model is RADICALLY different with the data we are
talking about.


On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>
> Undeterred by the fact that no one has responded to my last post, I
> offer the following update to the Equifax breach to further illustrate
> my point.  As many companies have found out, you don't find out what
> you've got till it's gone.....a further reason for data minimization
> and short retention periods.
>
> http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>
>
> *Equifax hack worse than previously thought: Biz kissed goodbye to
> card expiry dates, tax IDs etc*
> Pwned credit-score biz quietly admits more info lost
> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
>
> Last year, Equifax admitted
> https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
> hackers stole sensitive personal records on 145 million Americans and
> hundreds of thousands in the UK
> https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
> and Canada.
>
> The outfit already said cyber-crooks "primarily" took names, social
> security numbers, birth dates, home addresses, credit-score dispute
> forms, and, in some instances, credit card numbers and driver license
> numbers. Now the credit-checking giant reckons the intruders snatched
> even more information from its databases.
>
> According to documents provided by Equifax to the US Senate Banking
> Committee,
> and _revealed this month by Senator Elizabeth Warren (D-MA)_,
> https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
> the attackers also grabbed taxpayer identification numbers, phone
> numbers, email addresses, and credit card expiry dates belonging to
> some Equifax customers.
>
> Like social security numbers, taxpayer ID numbers are useful for
> fraudsters seeking to steal people's identities or their tax rebates,
> and the expiry dates are similarly useful for online crooks when
> linked with credit card numbers and other personal information.
>
>
> *Contradictory*
>
> "As your company continues to issue incomplete, confusing and
> contradictory statements and hide information from Congress and the
> public, it is clear that five months after the breach was publicly
> announced, Equifax has yet to answer this simple question in full:
> what was the precise extent of the breach?" Warren fumed in a missive
> late last week.
> https://www.warren.senate.gov/?p=press_release&id=2317
>
> Equifax spokeswoman Meredith Griffanti stressed to The Register today
> that the extra information snatched by hackers, as revealed by Senator
> Warren, belonged to "some" Equifax customers. In other words, not
> everyone had their phone numbers, email addresses, and so on, slurped
> by crooks, just some. How much is some? Equifax isn't saying, hence
> Warren's (and everyone else's) growing frustration.
>
> The senator is a cosponsor of the _proposed Data Breach Prevention and
> Compensation Act, _
> https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
> which, if passed, would impose computer security regulations on credit
> reporting agencies, with mandatory fines that would have led to
> Equifax coughing up $1.5bn for its IT blunder.
>
> Some regulation or punishment is obviously needed.
>
> No senior Equifax executives were fired over the attack; instead the
> CEO, CSO and CIO were all allowed to retire with multi-million dollar
> golden parachutes. The US government's Consumer Financial Protection
> Bureau promised a full investigation into the Equifax affair, and then
> gave up. On February 7, an open letter [PDF]
> https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
> from 32 senators to the bureau asked why the probe was dropped, and
> the gang has yet to receive a response. ®

-- 
--

John Bambenek
