
>He says drivers should freeze their credit and change their account passwords.

As in, all 28 million drivers?

28 million people dealing with this level of inconvenience is astounding, and a clear-cut example of why the penalties for data leaks need to... well, at least start existing, by one means or another. Also worth noting I don't see SSNs, CC info, or any passwords included, so this just seems to be a standard thing people say regardless.




I started with this thought half-jokingly, but now I think I'm serious:

Every single SS# needs to be made public, along with the assigned name. Not just known-breached, but somewhere where it's obvious that anyone could look it up as easily as looking up a phone number or mailing address. Somewhere so public that everyone else knows that they're no longer "secret."

Using Social Security numbers as some sort of proof you're who you say you are is batshit crazy these days. But we all pretend that it's still secure somehow. If there was an embarrassingly public list of all SS#s, then banks would be forced to improve their vetting of applicants.

At the same time, the onus needs to be on a financial institution to prove that I opened an account. If I discover a line of credit in my name, all I should need to do is disavow it, and make the lender prove that I was the one who authorized it.

Yes, this will increase the cost of doing business. But that increased cost is already here, just borne randomly and disproportionately by the victims of "identity theft."

Want to issue a credit card with a $15,000 limit? Have the applicant walk into a branch, provide a thumbprint, take their picture. Or get them on a video call standing in front of their house, attesting that they're the person they say they are. Or if you think that's too inconvenient you can take on all the risk if the borrower later disavows the debt.

A piece of paper or online form with the magic numbers is just not enough.


> Or if you think that's too inconvenient you can take on all the risk if the borrower later disavows the debt.

They are already required by law to assume the risk for fraudulent charges. It's just a mess and hassle for consumers.

It's like leaving packages on doorsteps without signatures. Apparently they just make more money eating the occasional fraud losses than the price of doing something safer.


I’m not talking about fraudulent charges, but entire accounts. Credit cards and car loans opened using someone else’s identity. When that happens today, the victim can spend years trying to unravel the mess and repair their credit files.


In my case, a phone line for a ‘drug dealer’ that was eventually tapped by law enforcement. The phone company tried to stick me with 3k$ in fees. Initially, the only correct information on the account was my address — they had verified nothing else.


I absolutely love this idea.


I have said for a long time that SS numbers, birthdates, mother's maiden name, place of birth, date of marriage, street you lived on 10 years ago, all the standard "secret" info should be presumed public if not in fact made public. None of that is hard enough to dig up that it should be relied upon to prove identity.


Ever since the pandemic started, at work we've had a chat channel for "socializing" with each other. One day someone posted a topic. Something like, "Tell us about where you grew up". And the head of security immediately replied and said, "let's talk about something that isn't a common security question".

I admit that I think that was 100% unnecessary, especially in this situation, to put the kibosh on the conversation. But it made me realize how insane it is that things that are common "get to know you" type questions (tell me about where you grew up? (street, school etc.) Tell me about your parents? (maiden name)) are also common "security" questions.

Also, side note. I NEVER use real answers to those questions. I treat it as an extra password and store it securely that way. No way I'm going to turn my mother's maiden name (easily searchable if you know my full name) into a password!


Whenever I am forced to do surveillance based "authentication" (where they ask you all those questions about your past), I pretend to forget everything I know about my own life and just answer the questions using web searches (eg what city is some popular street in). I reckon this is a good way to avoid confirming any data that they only half know. So far I have not failed to "verify" using this technique.


The penalty for mishandling mandatory/essential data like social security numbers, medical and driving records should be much, much higher than for normal PII data. It’s not like I can opt out of having a social security number. It’s forced on us and then we can get completely screwed over if someone we didn’t even know had the info allows it to be breached. Also this nonsense about allowing government contractors in and out of information-critical systems like that needs to go away. It’s only done because they can’t attract talent with competitive government wages.


I don’t agree. We need certifications for people who handle the data and better training. We should also require basic things like hashing passwords and having clouds where it is much harder to put data in public buckets.

All it takes is one junior employee to make a mistake one day copying a file.


Medical data already has severe breach penalties under HIPPA. Fines can be $10k per record.


Have such fines ever been levied in a mass data breach? If not, then they are meaningless.



Capped at $1.5 M/yr. :-/


It is spelled HIPAA -- Health Insurance Portability and Accountability Act.


So annoying. This silly insurance software company can just cover their trivial costs from the breach with insurance. It needs to be more expensive to allow a breach than to ignore security. Thank you Vertafore. Maybe we should all stop by your office and thank you in person - oh, you’re not anywhere near Texas! What a lovely mission statement you have:

It’s our mission to provide exceptional service and powerful insurance technology so you can focus on what matters to you – people.


I would argue corporate death sentence, but the squeamish among y’all seem to think that’s a bit extreme.


Let's see: 10k/record x 28M = $28e11 or 2800 bn. Quite a bit more than Finland's GDP in 2019. That kind of debt amounts to a corporate death sentence if ever enforced. Too bad it's only for medical records.


I think you're off two zeros (1e4 $/record * 2.8e6 records = 2.8e10 $, or 28 G$ = 28bn), but your point still stands.


2.8e7 records ;)


Dang!


The wave of Medicare and identity fraud that follows will cost billions. I have family in other states that can’t draw unemployment because someone is already drawing it for them because of state breaches like this. It’s going to be an absolute disaster.



