[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

John Bambenek jcb at bambenekconsulting.com
Tue Feb 13 17:00:53 UTC 2018


Ok, so you agree with me in principle and we're just haggling over the
details now. Flip a coin for all I care, opt-in/opt-out and move forward.

So let's do that. When can we implement?


On 2/13/2018 10:58 AM, Volker Greimann wrote:
>
> You are still looking at the wrong end of the horse. Privacy is not
> the choice, it is the default. Divulging data is the choice.
>
>
> On 13.02.2018 at 17:57, John Bambenek via gnso-rds-pdp-wg wrote:
>>
>> Exactly right. As far as I'm concerned if we made privacy a free
>> choice, make the fields optional for all I care, and whatever they do
>> make is public... we have solved this problem.
>>
>> People who ACTUALLY protect society against privacy threats have the
>> data to do their jobs, consumers who want privacy have a free option
>> for it, and registrars can be in compliance with the law.
>>
>>
>> On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
>>> This is just an example but there is a lot of damage that can be
>>> caused with data being exposed. In our case we have phone numbers,
>>> addresses, emails which are required for verification.
>>>
>>> This takes us to the issue of consent.
>>>
>>> On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg
>>> <gnso-rds-pdp-wg at icann.org> wrote:
>>>
>>>     Let's be honest here, we're talking about phone numbers and
>>>     email addresses. The threat model is RADICALLY different with
>>>     the data we are talking about.
>>>
>>>
>>>     On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>>>>
>>>>     Undeterred by the fact that no one has responded to my last
>>>>     post, I offer the following update to the Equifax breach to
>>>>     further illustrate my point.  As many companies have found out,
>>>>     you don't find out what you've got till it's gone.....a further
>>>>     reason for data minimization and short retention periods.
>>>>
>>>>
>>>>     http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>>>
>>>>
>>>>     *Equifax hack worse than previously thought: Biz kissed goodbye
>>>>     to card expiry dates, tax IDs etc*
>>>>     Pwned credit-score biz quietly admits more info lost
>>>>     By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
>>>>
>>>>     Last year, Equifax admitted
>>>>     https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
>>>>     hackers stole sensitive personal records on 145 million
>>>>     Americans and hundreds of thousands in the UK
>>>>     https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
>>>>     and Canada.
>>>>
>>>>     The outfit already said cyber-crooks "primarily" took names,
>>>>     social security numbers, birth dates, home addresses,
>>>>     credit-score dispute forms, and, in some instances, credit card
>>>>     numbers and driver license numbers. Now the credit-checking
>>>>     giant reckons the intruders snatched even more information from
>>>>     its databases.
>>>>
>>>>     According to documents provided by Equifax to the US Senate
>>>>     Banking Committee,
>>>>     and _revealed this month by Senator Elizabeth Warren (D-MA)_,
>>>>     https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
>>>>     the attackers also grabbed taxpayer identification numbers,
>>>>     phone numbers, email addresses, and credit card expiry dates
>>>>     belonging to some Equifax customers.
>>>>
>>>>     Like social security numbers, taxpayer ID numbers are useful
>>>>     for fraudsters seeking to steal people's identities or their
>>>>     tax rebates, and the expiry dates are similarly useful for
>>>>     online crooks when linked with credit card numbers and other
>>>>     personal information.
>>>>
>>>>
>>>>     *Contradictory*
>>>>
>>>>     "As your company continues to issue incomplete, confusing and
>>>>     contradictory statements and hide information from Congress and
>>>>     the public, it is clear that five months after the breach was
>>>>     publicly announced, Equifax has yet to answer this simple
>>>>     question in full: what was the precise extent of the breach?"
>>>>     Warren fumed in a missive late last week.
>>>>     https://www.warren.senate.gov/?p=press_release&id=2317
>>>>
>>>>     Equifax spokeswoman Meredith Griffanti stressed to The Register
>>>>     today that the extra information snatched by hackers, as
>>>>     revealed by Senator Warren, belonged to "some" Equifax
>>>>     customers. In other words, not everyone had their phone
>>>>     numbers, email addresses, and so on, slurped by crooks, just
>>>>     some. How much is some? Equifax isn't saying, hence Warren's
>>>>     (and everyone else's) growing frustration.
>>>>
>>>>     The senator is a cosponsor of the _proposed Data Breach
>>>>     Prevention and Compensation Act, _
>>>>     https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
>>>>     which, if passed, would impose computer security regulations on
>>>>     credit reporting agencies, with mandatory fines that would have
>>>>     led to Equifax coughing up $1.5bn for its IT blunder.
>>>>
>>>>     Some regulation or punishment is obviously needed.
>>>>
>>>>     No senior Equifax executives were fired over the attack; instead
>>>>     the CEO, CSO and CIO were all allowed to retire with
>>>>     multi-million dollar golden parachutes. The US government's
>>>>     Consumer Financial Protection Bureau promised a full
>>>>     investigation into the Equifax affair, and then gave up. On
>>>>     February 7, an open letter [PDF]
>>>>     https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
>>>>     from 32 senators to the bureau asked why the probe was dropped,
>>>>     and the gang has yet to receive a response. ®
>>>>
>>>>
>>>>     _______________________________________________
>>>>     gnso-rds-pdp-wg mailing list
>>>>     gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
>>>>     https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>     <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>>
>>>     -- 
>>>     --
>>>
>>>     John Bambenek
>>>
>>>
>>>
>>> -- 
>>>  
>>> Regards
>>> Nanghaka Daniel K.
>>> Executive Director - ILICIT Africa / Chair - FOSSFA / Community Lead
>>> - ISOC Uganda Chapter / Geo4Africa Lead / Organising Team - FOSS4G2018
>>> Mobile +256 772 898298 (Uganda)
>>> Skype: daniel.nanghaka
>>>
>>> ----------------------------------------- /"Working for Africa"
>>> /-----------------------------------------
>>>
>>>
>>>
>>
>> -- 
>> --
>>
>> John Bambenek
>>
>>
>

-- 
--

John Bambenek
