We’re losing the confidence game
Oops! Equifax, one of the big three consumer credit reporting companies, said Thursday that hackers had stolen its data on 143 million Americans, including our Social Security and driver’s license numbers, names, addresses and birthdays and — there’s more! — the account-recovery answers we’ve submitted to sites across the internet, like where you met your spouse, the name of your oldest friend and the color of your first car.
Basically, everything a bad guy, whether common crook or state actor, would need to convince your bank or phone company or board of elections that they’re you.
“This is clearly a disappointing event,” the company’s chairman and chief executive said in an understatement for the ages, “and one that strikes at the heart of who we are and what we do.”
He didn’t mention the part where other executives — including the chief financial officer and the president of U.S. information solutions — sold off $1.8 million in stock in the days just after the company discovered the theft back in July. (Equifax says those execs hadn’t been informed yet about the breach.)
He did mention the black-comedy insult-to-injury website they’ve set up where you — or anyone who thanks to Equifax is able to impersonate you — can put in your last name and the last six digits of your Social Security number to see if you’ve been “impacted” by the hack. You also need to fill out a captcha, one of those programs intended to distinguish humans from bots. That program was broken for some users, though, who were unable to proceed past the automated gatekeeper.
If you’re able to establish your humanity to the code’s satisfaction, you then receive one of three messages: that you were impacted by the breach, that you were not impacted by the breach, or — with no answer to the question of whether or not you were impacted! — a date to return and sign up for the company’s so-called TrustedID Premier service, which usually runs $14.95 a month and up:
“Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process” for various protection and monitoring services, “all complimentary to U.S. consumers for one year.”
This, from the company that also sells other companies your 0-1,000 Confidence Score “to more precisely measure (your) risk profile.” Confidence, man! Online, you are the sum of your information. The more of it gets out there, outside of your ownership and control, the less of your life is in your own hands.
The New Yorker cartoon gag a quarter century ago was that “On the internet, nobody knows you’re a dog.” On the internet now, nobody knows if you’re you. Lots of people you don’t even know exist know all about you, though.
The stuff of your private life is their private profit.
Our information stolen from Equifax is likely another treasure trove for, among others, the Chinese, to match up with the 23 million security records hackers stole directly from the U.S government — the ones where Americans disclose their finances, travel and health records, family and friend networks, online usernames and passwords, fingerprints and much more to be vetted for security clearance to our national secrets, such as they are.
This latest mega-leak, which may be the death knell for Social Security numbers as “secure” identification, comes months after the National Security Agency’s crown jewels — the so-called zero-day exploits that companies didn’t know existed — were stolen and some of them put up for sale on the dark web. One of those exploits was then used to shut down various computers and hold them for bitcoin ransoms in what was presented as a “regular” criminal enterprise but may in fact have been a test-run by the Russian government that ended up briefly shutting down much of Britain’s medical system.
A government that can’t protect its own secrets, and that stands by and lets private corporations price out and buy insurance against broadly predictable unnatural disasters, effectively guarantees an eversinking national Confidence Score.
We’ll see if anyone at any level of our government steps up to hold people accountable for the Equifax mess. Even that — and I’m not holding my breath, a decade after the bankers who nearly collapsed the world economy escaped unscathed — would be only the barest start to fixing a system many if not most Americans now think is rigged.
In an era of rapid disruption, we need enforceable rules, honestly enforced, to protect our privacy, and us, from the for-profit institutions that increasingly know more about us than we know about ourselves.