Equifax, yet another catastrophic leak: the old world can’t get away with this stuff anymore

Posted on Sep 11, 2017 by Rick Falkvinge

Equifax leaks 143 million social security numbers, and the tech world stands jaw-dropped, while the mainstream press treats it as a sideline note. This treatment of security on the sidelines is exactly what created the conditions for the leak in the first place, as it did for last month’s catastrophic leak, and will for next month’s, and the one after that. It can no longer be okay for the old world to treat the Internet as an intriguing but harmless toy.

As Ars Technica observes, the Equifax leak is probably the worst leak ever in terms of identity theft risk: almost 150 million identity records with the complete dataset of what’s required to apply for credit, such as your social security number, date of birth, and home address. The perfect dataset to capture almost anybody’s identity in bad faith.

But it doesn’t stop there. It’s not just Equifax that has the worst leak ever. For example, the US government leaked some 20 million records from its own top-secret personnel database. It’s not just the US government, either.

Equifax is the worst leak ever, as stated. Maybe. Up until this month. Next month there’s something worse. Again. And again.

It’s catastrophe, on catastrophe, on catastrophe. The word will cease to have meaning if this is going to be the modus operandi. “Catastrophe” is on its way to becoming a new word for “just another million-record leak, like the one yesterday”.

But the problem is that it is a catastrophe. Every one of these leaks. Every single time. And it’s always based on one of two things: one, sloppy security and outright amateurishness (see MtGox for a terrifying billion-dollar example); or two, old-world thousand-dollar-suited know-betters who don’t consider this internet fad to be worthy of attention, and therefore let less important people without budgets deal with it a little to the side of the things they consider important (see point one).

Compare the strong message that was sent to members of U.S. Congress during the net fightback against SOPA, loud and clear: “It is no longer okay to not understand how the Internet works”. In a similar vein, it is simply no longer acceptable for thousand-dollar-suited management to not understand how basic information hygiene works.

Did you notice this leak was almost exclusively broken by tech press, and wasn’t in mainstream press until several days after the story had already been discussed everywhere? And that practically none of the mainstream outlets have any educated analysis or commentary that would have been an absolute requirement for, say, a Middle Eastern geopolitical story? This is a telltale sign of unacceptable priorities — Fleet Street is as inexcusably ignorant of the new world as Wall Street.

New data suggests Equifax may be hit with a 70-billion-with-a-B lawsuit over the leak. At the end of the day, maybe this kind of liability will be the unfortunate path of the future. For they won’t actually close the holes; they’ll just create a new “information malpractice” insurance market, with every bit of ignorance going on as before.

Compare this to a leaking pipe. We understand why a pipe leaks water. We know whether the leak is dangerous to the function of the system the pipe is a part of. We know how to fix it. It is fundamental engineering. So is information engineering. Data will always be vulnerable to some degree (as will pipes), but we should be a lot better than shrugging our shoulders at yet another catastrophic leak.

We stopped shrugging our shoulders at yet another water tower collapsing from leaks long ago, about four thousand years ago. There should be no acceptance of shrugging shoulders at this.

Privacy really remains your own responsibility.