[HN Gopher] Crooks threaten to leak 3B personal records 'stolen ...
___________________________________________________________________
Crooks threaten to leak 3B personal records 'stolen from background
check firm'
Author : rntn
Score : 92 points
Date : 2024-06-03 20:07 UTC (2 hours ago)
(HTM) web link (www.theregister.com)
(TXT) w3m dump (www.theregister.com)
| wdb wrote:
| Fascinating. I always request my details to be removed after
| completion so if my details are leaked they have a problem.
| Rygian wrote:
| > according to the VX team: "The database DOES NOT contain
| information from individuals who use data opt-out services.
| Every person who used some sort of data opt-out service was not
| present."
|
| You're good, perhaps! The rest are opted-in for a data leak.
| r00fus wrote:
| This is a great example of why everything should be opt-in
| given the risk the individuals incur, not to mention the
| company.
|
| If society appropriately disincentivized data collection, we
| could even get to where companies don't see customer data as
| an asset instead more as a liability.
| xkcd-sucks wrote:
| It seems hard to disincentivize "data" in the same way it's
| hard to disincentivize "cocaine", e.g. to most companies
| "10 kg of cocaine" is a liability but there exist certain
| companies generally staffed by more unpleasant people who
| make it their business to treat it as an asset.
|
| Which means going to a different layer / structural
| solution maybe. How does the value of data go to zero?
| rusk wrote:
| Lots of companies ran a mile from data once GDPR dropped
| and it's pretty much a standard threat model for new
| information architectures
| onemoresoop wrote:
| Nothing meaningful should be stored due to data leaks
| liability, period. Now if data really leaks out users
| should be able to sue and get compensated. If companies are
| made to pay they'll clean up their act fast.
| adamomada wrote:
| Your details just go into a different file, and you show as sus
| on the next background check.
| londons_explore wrote:
| This is why I don't use those privacy services. An awful lot
| of companies use background checks as a decider on if they
| are going to offer you service, or to give discounts to low-
| risk customers.
|
| I might end up paying extra because my insurance company
| decided I didn't fall into their 'lowest risk' bucket because
| my background check came back as "we have never heard of this
| gal" because I once used a data privacy protecting service or
| they can't find my facebook/linkedin/twitter.
| namaria wrote:
| So your rationale is to avoid seeking out privacy on the
| off chance that you might not get the biggest discount
| available when buying insurance?
| londons_explore wrote:
| or a mortgage, credit card, or bank account, yep.
|
| There is easily a 10x difference in insurance prices
| between "known good customer" and "probably fraudulent
| customer" - and that difference is the difference between
| being able to own your own house (with mortgage to begin
| with) and renting for life.
|
| Most people would value owning their own home over having
| some computer system using their data to select one ad
| over another.
| namaria wrote:
| While there might be such a difference in price, equating
| trying to avoid data collection through legitimate means
| with being flagged as a probable fraudster and having to
| pay 10x is not sound reasoning.
|
| If people were routinely getting gouged like this for
| trying to opt out of something, there would be a pretty
| huge story in that and I doubt it would go unreported.
| pessimizer wrote:
| Caring about privacy puts you on a list. It's like
| responding to spam asking to be taken off the mailing
| list; you're just verifying that you're someone they
| should be paying attention to.
| namaria wrote:
| I'd much rather be in a list for exercising my rights and
| upholding my convictions than cowering in fear of
| imagined damage for not toeing an arbitrary line.
|
| Sounds like a pretty awful way to live. Honestly I'm
| shocked to hear such a conformist and timid opinion
| uttered in a forum called Hacker News.
|
| Even if you play the 'actually this is a VC connected
| corporate forum' what sort of entrepreneur lives by this
| sort of preemptive self censoring?
| johnea wrote:
| So, one criminal gang steals data from another criminal gang, and
| then sells it to a 3rd criminal gang.
|
| Sounds like capitalism is functioning as intended...
| dmitrygr wrote:
| This will continue until we make having a huge collection of
| personal data into a liability and not an asset for companies.
| Actual jail terms for CEOs for leaks would be a wonderful start.
| Or, at least, we should have fines that are not wrist-slaps. For
| example, a fine of $1000 paid to each individual per leak would
| be a good starting point. Then, companies will properly start
| minimizing the amount of data they store, in fear of a crippling
| loss.
| hedora wrote:
| Also, the money should go into an escrow account with a list of
| claimants. Some neutral third party should handle getting the
| checks to individuals.
|
| That way, there's no financial incentive to make it hard to
| claim damages, and people won't need to bother filling out a
| form every few weeks to claim the cash.
| robertonoa wrote:
| > a fine of $1000 paid to each individual per leak would be a
| good starting point
|
| They would just fold the company and start another? Most data
| brokers do not have 3 trillion dollars.
| dmitrygr wrote:
| Some people will still get some money. And spinning up a new
| company still has costs. However, this is precisely why this
| is the second-best option, after actual jail time for actual
| CEOs. Then they can fold whatever they want in their prison
| cells.
| Gibbon1 wrote:
| Can make the board personally liable.
| tithe wrote:
| Can't you do this via class action seeking to demonstrate
| negligence?
| csdreamer7 wrote:
| At best the fees class action lawyers would charge would
| change that $1000 into $0.10.
|
| I already pay taxes; why not have the government do their
| job and protect my digital information and fine the
| companies and their executives so they learn to care
| about it. The government allows the corporate barrier to
| be pierced if employee salaries are not paid.
| gagagaga7 wrote:
| They will need to be insured for that amount then. Can't
| afford to insure against that liability? Can't legally
| operate.
| dcist wrote:
| Agree with this. An insurance requirement would solve this
| problem. It would also incentivize robust security audits
| by the insurance companies and the data collectors.
| wing-_-nuts wrote:
| 'Crippling loss'? Haha. Look at the equifax debacle. They set
| aside some paltry amount of money for the class action, almost
| instantly ran out and then everyone collectively shrugged.
|
| Regs are rarely ever meant to actually favor the average
| citizen over the corporation. Just look how quickly the
| consumer protection agency was killed.
| JackYoustra wrote:
| The CFPB survived the lawsuit against it?
| FireBeyond wrote:
| Then they offered free enrollment in their credit protection
| services.
|
| But... you had to supply a credit card to enroll.
|
| And... after six/twelve months they'd automatically roll you
| over to their highest tier plan, and start billing you.
|
| It might as well have been a promo scheme.
| pknomad wrote:
| I agree with your sentiment but I feel like that's an
| impossible expectation/standard to set for certain companies
| that don't have the luxury of dropping data whenever they see
| fit. For example consumer banks abide by the Bank Secrecy Act
| which mandates the banks to keep wire records that exceed $100
| for at least 5 years.
| toomuchtodo wrote:
| https://news.ycombinator.com/item?id=40203558
| ipaddr wrote:
| A simple tax on every personal record you hold would work.
| flemhans wrote:
| Could be paid to the person instead of the government
| fwip wrote:
| Would be nice, but wouldn't that limit the taxable set of
| data records to those that have enough info to route
| payment to? Either paid directly by the company, or enough
| information for the government to identify you.
| nox101 wrote:
| That sounds like unintended consequences to me.
| CamperBob2 wrote:
| Best metaphor I've heard is that personal data should be
| treated like toxic waste. If you're a company that works with
| it, it should only be because you have to, not because you want
| to. And then, you want to keep as little of it around as
| possible. You definitely don't want to leak it, because then
| the EPA will come down on you like a ton of bricks. All of your
| processes should be geared toward minimizing or eliminating
| exposure to it whenever possible.
|
| Unfortunately, companies are incentivized to treat personal
| data like something to be aggressively gathered and hoarded
| instead... but not necessarily like something to be guarded
| against leakage.
| rootusrootus wrote:
| Maybe as this becomes so ubiquitous, we will finally see
| 'identity theft' recognized as BS. If you allow someone who is
| not-me to pretend to be me and rip you off, this is not ever my
| problem; it's yours.
| zippergz wrote:
| Cue the posts complaining about how impossible it is to do any
| transaction online because you have to provide so much proof
| (and the companies collecting even MORE data about us, to later
| be stolen).
| svachalek wrote:
| Most transactions online use some kind of payment system,
| which is vulnerable to various forms of fraud and hackery but
| not "identity theft". "Identity theft" (and GP is right that
| this is a made up crime to discount corporate greed and
| laziness) occurs during an application for credit, which
| doesn't need to be a common and easy process.
| barbazoo wrote:
| And even that has been solved by more privacy forward
| societies. For instance PostIdent in Germany where you
| verify your identity with a trusted third party.
| Nuzzerino wrote:
| From the opt-out link:
|
| > If you are a California, Virginia, Colorado, Connecticut, or
| Utah resident, you have the right to request that we delete
| personal information that we collect about you, subject to
| certain exceptions.
|
| I think it's time to require this on a national level. This is
| getting ridiculous.
| aljgz wrote:
| That's a step forward, but not a solution. There are so many
| firms collecting data on everyone. There should be something
| similar to a "National no call list". If you register there,
| all firms should delete your information or face consequences.
| radicaldreamer wrote:
| Unfortunately this will be used to discriminate against
| people when applying for a loan or a job, so we must make it
| illegal to discriminate when these data brokers return
| nothing for a search because someone has opted-out.
| nickff wrote:
| If you're going to make it illegal for anyone to use the
| data broker information to make decisions, you should just
| ban the data brokers from existing.
| anon373839 wrote:
| Bingo. This is clearly the answer. However, law
| enforcement buys from data brokers, so it will never
| happen.
| Arrath wrote:
| Ideally, yes.
| jjtheblunt wrote:
| Firms don't seem to face consequences for violating the no-
| call list, as people notice FCC does not seem to stop spam
| calls or texts.
| ethbr1 wrote:
| It ebbs and flows. Afaik, most of the spam calls and text
| tend to "leak" through over international agreements, until
| the carriers block them.
| weikju wrote:
| so register in a central database to not be registered in a
| bunch more central databases? Then the one "do not collect
| data" list will be leaked over and over?
| faeriechangling wrote:
| The national do not call list isn't effective so I can't
| advocate for another one as a solution UNTIL the first
| implementation is fixed.
| KennyBlanken wrote:
| https://en.wikipedia.org/wiki/Nirvana_fallacy
|
| see also: overton window.
|
| The one thing conservatives in the US do very well is be
| willing to accept any step in the direction they want -
| usually by taking an extreme position to "anchor", and then
| eventually retreating to a position that's still in the
| direction they want to go.
| s_dev wrote:
| It's enlightening to read comments from this forum when
| GDPR was being introduced. It was just seen as pesky
| legislation designed to trap people needlessly in red tape and
| not legit privacy protections. I think a lot of Americans are
| coming around to sense -- now seeing US companies consistently
| abuse their data. The US should have similar legislation to
| protect Americans.
|
| Here's an example:
| https://news.ycombinator.com/item?id=17154971
| rkagerer wrote:
| Or legislate these things have to be opt-in. I remember when
| politeness dictated you ask someone before even taking their
| photo.
|
| I think the companies collecting personal information assume
| they have more entitlement to it than they actually do, and are
| on the wrong side of the law - especially when breaches like
| this result in real damage. I'd like to see a few really harsh
| class action lawsuits bite them in the ass and leave behind bad
| enough scars that other firms begin to see personal data as a
| liability, not an asset.
| WhackyIdeas wrote:
| How has this American data broker got my data when I am a British
| citizen? Wtf?
| pbhjpbhj wrote:
| Where did you check that your data was in the leak?
| FireBeyond wrote:
| Apropos of anything else, because these companies couldn't care
| where or who you are. The more data they can slurp up on more
| people, the better and more valuable their databases sound.
| Y_Y wrote:
| Crooks threaten to leak data stolen from other crooks.
| hn_throwaway_99 wrote:
| The thing I don't understand is how, with SOOO much leaking of
| nearly everyone's personal data who is a US citizen, can KYC
| requirements (that is, what is required to own a bank account in
| someone's name online) still be so low. In many (most?) cases all
| you need is full name, address, date of birth, social security
| number, possibly also phone and/or email. If those pieces of
| content correlate with each other, and there is no other
| suspicious information about the account opening request, the
| account is likely to be opened.
|
| All that information is _essentially_ semi-public these days for
| nearly all US citizens. How is this still allowed for KYC
| purposes?
| lettergram wrote:
| It's the validation of that info that is KYC
| ethbr1 wrote:
| Is there really validation in the current system though? Or
| is it simply providing self-consistent (publicly available)
| details?
|
| KYC in an environment where all the data points are openly
| available looks very different.
| lijok wrote:
| There is. Liveness checks prove the user submitting the
| info is the user in the documents.
| markus_zhang wrote:
| OK great, we are being leaked left and right. You know what, we
| should just demand $10 per collection. Collect and leak whatever
| you want, because I cannot stop you, but you need to pay me.
___________________________________________________________________
(page generated 2024-06-03 23:01 UTC)