As you’ve likely heard by now, half the country just had their personal financial info, including social security numbers, compromised due to a security breach at Equifax. I don’t think people quite understand the gravity of this yet, so I’m writing this post to shed some light on the wide range of potential abuse this allows. For example, there’s nothing stopping the attackers from calling up other institutions you’re a member of and gleaning even more information about you after ‘verifying’ your identity via SSN. They can then use that information to make it easier to steal more info from another source. Do this just a few times and you’ll likely end up with every single piece of data you’d need to effectively have complete control over a person’s life.
This isn’t just another breach; this is a master breach. It’s exponentially worse than every breach before it, since having this information will easily allow access to other information. It’s effectively the same as if they stole a master key which can open half of the houses in the United States, and can now rifle through all their financial, governmental, and medical documents at will.
Unfortunately for everyone, due to the fact that it’s not possible to get your social changed, the attackers will likely be able to sell and abuse this leaked database for years to come. The black market value is not going to go down unless we have a concerted, countrywide effort to change how business, industry, and government think about personal verification and identification. It gives me a headache thinking about how to solve this without accidentally allowing the hackers and their buyers the ability to convert someone’s SSN into whatever new identification scheme and lock the real person out of their, well, out of their entire identity. What a disaster.
It shouldn’t have to come to this, but maybe it’s time we mandate the security of personal information when it’s used to generate a profit. There’s no reason a company I’ve never done business with should be able to trade and deal with all my details for cash without my consent in the first place. My information should be considered off limits to companies who only want it so they can increase their profit margins. At the very least I think we need to restrict them to only being able to handle names, addresses, birthdays, and some sort of security token. If they need more information to be able to profit from it, they should send us a letter and we’ll get back to them, the same way in which companies like Equifax require you to submit an Arbitration Clause Opt-Out form.
As far as Equifax is concerned, they need to burn and be made an example of. Borderline malicious negligence like this, in my harshest opinion, should be met with jail time. Drug dealers get more than 20 years for growing a plant and selling it to a few people; why shouldn’t a company who opens up such a floodgate of potential criminal attacks against half the United States serve a similar sentence? Shut the company down if you have to, prosecute the executives who had anything to do with this as well as the board of directors who put them there, and punish them until every corporate executive in the country is terrified of what will happen if they allow a repeat of this to ever happen again. The current system of corporate punishment seems almost entirely monetary, giving the impression that it only ends up punishing the shareholders, the customers, and the CEO who is there to take blame away from the tenured Board of Directors. Even then, they seem to just have to stick to a script given to them by their crack team of corporate lawyers and they almost always get away scot-free, careers totally intact.
There is clearly little to no sense of responsibility or ethics at corporations like Equifax; it’s about time we fixed that with a sense of accountability. By making it clear they are liable for any tangible damages they cause to society, much like an ordinary street criminal is held accountable for his actions against his community, we might just be able to bring to corporations the very things whose absence causes many to loathe their practices: ethics, culpability, and a basic respect for the people of our country. It’s really not an extreme measure considering they personally caused such a catastrophic hit to what might as well be considered national security at this point. Corporations are considered people, after all… it’s about time we required of them the same set of just principles expected of all of us real people.
Anyway, as far as I’m concerned Equifax had no business storing my information in the first place; doing so in such a careless way on top of that is such a monumental mistake that there’s no reason the company should survive (ESPECIALLY considering this happened before only a few years ago on a smaller scale). Making sure their sales product, our sensitive information, was as secure as possible should have been printed in bold at the top of their corporate mission statement. If I managed to bungle my customers’ trust in me like that, my business would fail almost immediately; it’s about time we allow the corporate titans to fall when they make such damaging blunders so that a more responsible replacement can get a better chance to compete in the free market.
As far as the scope goes, this company allowed what will soon become known as the most damaging cyber attack of all time, resulting in effectively an infinite number of potential damages. There’s an endless amount of attack risks created from this besides just basic financial identity theft: online stalking and harassment, since it’d be trivial to find out where someone lives or has moved to; de-anonymization of vulnerable persons; having your mail maliciously redirected, which could easily result in the literal theft of your identity in the sense that you may no longer be able to verify your own identity; nearly every online service which is critical enough to require photo ID verification, such as web hosts, now being vulnerable to rather trivial social attacks via tech support manipulation and good Photoshop skills; not to mention the potential real-world mischief that people could try, such as going to the emergency room under a target person’s SSN, potentially costing them tens of thousands of dollars, canceling utilities randomly in order to disrupt a person’s day-to-day life, or terminating car loans resulting in car repossession. The only limit to the potential damages is the creativity of the attackers, and with this level of access the chaos we’re soon about to see is going to be unprecedented. Social engineers spend so much time trying to scam employees into revealing an individual person’s social security number; Equifax just gave them free rein to skip that part entirely and proceed to the ‘fun’ part of being able to have someone’s life and internet presence entirely at their fingertips, plus maybe even profit from it just like Equifax did.
Half the people in our beloved country are being substantively threatened by the whims of a single hacker. I used to consider the technologically paranoid to be nutjobs, but what if our 2017 SkyNet equivalent was the complete grinding to a halt of all services which require verification? The way I see it, the only things preventing that from happening are the decisions the hackers and their potential buyers will soon make. If they decide to simply publicly release this information in order to induce absolute anarchy then, well, we’re going to have a national crisis on our hands.
- The Great Equifax Data Leak of 2017 - September 9, 2017