Senator to Ex-CEO: Equifax Can't Be Trusted with Americans' Personal Data

210 points by gopalakrishnans, more than 7 years ago

12 comments

Top19, more than 7 years ago

This is the choice quote:

> "This simply is not a company that deserves to be trusted with Americans' personal data," said Sen. Sherrod Brown, D-Ohio,

Obviously this quote leaves out a lot of nuance, but I like it and I like what Senator Brown has said in general. What Equifax has let happen is very bad, and I think moral judgments and perhaps even shame (which is how a society can enforce morality) should be brought onto its leaders individually.

I hate how businesses and business persons have been making horrible, destructive decisions for decades (not that humans in all fields weren’t beforehand) and have been escaping any kind of shame. Indeed they’ve been praised in many cases.

If you look at the top-level pages on Wikipedia (there are about 11 of them), one of them is for “Society”. About a third way down you’ll see “Business” listed under Society. I think this is a good reminder that business is a part of and functions for society, not the other way around.

https://en.wikipedia.org/wiki/Portal:Contents/Society_and_social_sciences

maxxxxx, more than 7 years ago

I think they have to be careful not to focus on Equifax only. Instead they should think about systems where such a breach is just not possible. It's only a matter of time until other companies like credit card companies get breached. Same for Google and Facebook. We need a system where an individual can hand over information on a case-by-case basis and revoke that information anytime.

olivermarks, more than 7 years ago

Meanwhile, 'The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.'

http://www.politico.com/story/2017/10/03/equifax-irs-fraud-protection-contract-243419

partycoder, more than 7 years ago

Meanwhile:

- Former Equifax CEO is walking away with 90 million dollars.
- Equifax's stock price (NYSE:EFX) is recovering.
- Equifax is being awarded contracts and continues to serve as a credit bureau.
- The leaked information is being traded among fraudsters, and will remain to be traded for years.

Welcome to the golden age of bullshit.

hpcjoe, more than 7 years ago

While it is always "fun" (for some definition of the word fun) to pile on, and sometimes watch the otherwise clueless elected officials to get soundbites at the expense of a hapless CEO of a company that did bad things, or allowed bad things to happen on their watch ... the bigger picture is one of what sequence of events enabled this to occur. Placing the blame on an OSS component, or a "sole IT" person is both unfortunate, and generally wrong.

None of this would have come to fruition had the business model not been one of "let's gather and curate high value information and intelligence about individuals", without an appropriate "gee, we have high value intelligence and information on individuals, maybe we should design our systems so that in the event of a failure of a security system, damage would be minimal." When you aggregate, curate, sell access to high value information, you damned well better have a good and fail safe security model. So if your DCs are overrun with hackers, the data exfiltrated would be unusable.

More specifically, the principle I claim to be implicitly at play here is, with great power and/or information, comes great responsibility. Pointing fingers at lower level subordinates for their possible failings ... opening up and exposing the entire business model's core weaknesses in terms of data protection, and data access integrity and control ... means that the organization has simply failed to maintain, audit, test, and verify that its control systems are adequate to the task. Blaming an OSS component for all the damage means that the rest of the systems were not designed and built to the necessary level of safety and security.

This is part of what I find unconscionable. They attempt to absolve themselves of blame by pointing fingers.

When an organization does crap like this, you know they have many other problems. And yes, you cannot, and should not trust them going forward. If data was exfiltrated from them (and it was), is it possible that their data was altered in situ? Yes, yes it is.

They should not be allowed to have such data in their control again. Seriously, if you can't control access to the data, you can't have the data.

sethgecko, more than 7 years ago

I was thinking, would it be a viable solution for the government to employ pen testers to test companies like banks/ISPs etc? It would more than pay for itself from the fines they would impose on those that hold sensitive citizen data and fail to hold high standards of security.

allengeorge, more than 7 years ago

Call me cynical, but it's not going to change anything:

* Equifax won't have fines levied against it
* C-level staff won't have to pay fines (because they put in place or rewarded a corporate culture that made security a low priority)
* Banks and other institutional customers won't stop using Equifax
* No additional regulation will be created

It's all theatre; we'll have "thoughts and prayers" directed our way while nothing of substance changes.

featherverse, more than 7 years ago

Duh, Senator. We knew this when Experian got hacked.

Experian, Equifax, TransUnion, and any other credit bureaus are going to fail to protect people's personal data. There is no such thing as "unhackable", they are the biggest honey pots, and the majority of the Information Technology hiring pool is incompetent. The majority of competent candidates are underpaid or underappreciated and so they don't care as much as we need them to.

Put all these things together and you have inevitable disaster after disaster after disaster.

Credit Bureaus are old-think. They are unsafe, unsecure, and they don't fit with Future-Era lifestyle.

Something better is required.

LyalinDotCom, more than 7 years ago

Is that before or after the same senators awarded Equifax a $7.5M no-bid IRS contract? <grin>

mrskitch, more than 7 years ago

This whole credit tracking industry is so unconstitutional it's crazy. I hope that this awakens people to the fact that their identities and personal data _should_ be theirs, and that they should fight tooth and nail to grant access to it. Centralizing information such as this is a "single-point-of-failure", or it is in spirit.

I wish I had suggestions, but feel that something like a blockchain or other ledger is a step in the right direction. This TED talk on the subject is interesting https://www.ted.com/talks/don_tapscott_how_the_blockchain_is_changing_money_and_business

LoSboccacc, more than 7 years ago

Total dodge of the SSN as authentication issue

jasonkostempski, more than 7 years ago

No one can.