Equifax finally publishes a tally of what got breached when it left 146.6 million credit files unsecured


Originally published at: https://boingboing.net/2018/05/08/its-very-very-bad.html


Give it away give it away give it away now
Give it away give it away give it away now
Give it away give it away give it away now

“If you see information on your Equifax credit report that you believe is inaccurate or incomplete, simply file a dispute, and we’ll look into it right away.”

Give it away give it away give it away now
Give it away give it away give it away now
Give it away give it away give it away now


I just don’t see how this system can be used anymore. For a breach of trust of this magnitude, Equifax needs a smack down of biblical proportions. Instead, I’ll bet they get bonuses.




OK … 146M social security numbers exposed.

US population is 325M. Remove children under 18, who theoretically don’t have credit histories and shouldn’t find themselves in Equifax’s database. They’re 22.8% of the population, or around 74M. Next, remove the 26M adults who have no credit history at all (that number could be as high as 45M if you count those who have nearly no credit history, but let’s go with the lower figure). Take off another 10M illegal immigrants who presumably don’t have SSNs. So we have about 215M Americans who potentially have SSNs that could be exposed and abused, and it looks as if the Equifax hack exposed 2/3 of them.

Can we please finally stop using SSN as a secret identifier or passcode for anything whatsoever now?


Hear! Hear! You wanna see some panic? Tell the fake bureaucrat* that it’s a Federal Offense to use the SS# as an ID, and that they’re required by Federal Law to use something - anything - else as your ID number.

Fake Bureaucrat: The GED that’s now a fake nurse watching you pee in a cup. The utility companies who try to bully you into giving them your SS#. Your banker who wants to ‘verify your account’ when you call to complain about their data breach, the Indian boiler room walla trying to collect on your student loan…


Congress has carved out so many acceptable and required uses of your SSN as an ID that your assertion seems a bit off. Federal law mandates that state Departments of Motor Vehicles, tax authorities, welfare offices, and other governmental agencies request your SS number as proof that you are who you claim to be.


Those aren’t Fake Bureaucrats, those are REAL bureaucrats. Your bank, the pee test place, the utility companies - they’re the private sector, and are forbidden to use your SS# for ID purposes. The bank gets to use it to report to the IRS, but they don’t get to use it as your account confirmation or password for your transactions with them.

Justice Department SS# usage overview


So I read your link and it doesn’t seem to say what you imply it says. Your link only says that governmental agencies can’t deny you benefits or services based on your refusal to provide your SSN. It then goes on to list all the ways you can be denied benefits or services if you refuse to provide it.
There seems to be no remedy for private entities requesting your SSN and then denying service when you refuse to provide it.
Maybe I’m missing something important. Can you direct me to where in your link it says banks can’t use your SSN for account confirmation?


Only the government is limited in the uses that it can put your SSN to. For the most part, private companies are free to request and use your SSN, and indeed to not do business with you if you fail to provide it.


AHA! That right there! They can request it, but they can’t require it!


Look, if you two want to believe that the private sector has MORE right to your SS# than the Government that actually issues them, well, go right ahead and keep forking it over to any schmuck that tells you that.

"Social Security Number 2010 Legislation. … It provides that: “It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number.”Jun 21, 2010

Social Security privacy law of 2010


No one here needs to believe anything because objective facts require no belief. We aren’t discussing religion here. Additionally, no one said the private sector has more or less rights than anything else. What has been said is that you keep asserting something that is not true. Counterfactual statements happen all the time so I thought I’d ask for some evidence because maybe I had it wrong. Re-posting the same information which in no way supports your assertion is a very odd choice.

I think you should read what you keep linking because it doesn’t say what you seem to think it says.

And if you refuse they can tell you to piss off because they won’t do business with you anymore.

Wait… are you just trolling?


Okay, you win!


Buddy, it’s not about winning anything. It’s about standing up to lies and counterfactual statements because there is entirely too much of that going unchallenged these days.


But if they refuse to do business with you… isn’t that essentially requiring it? You can say no, but then you don’t get what you wanted either.

It would be fun to be in a situation where they ask for your SSN, you go on to the dark web in front of them, navigate to the Equifax dump, find your name on a list (I’m just guessing how this crap works), and say, “Ahah! Here it is.” and show them your phone screen. “You have your proof. Can I have my money now?”

When I was in the USAF in the mid 80s, we had to write our SSN and driver’s license number – in the open – on any checks we wrote at base facilities. It was recommended that we have them printed on our checks to save time. Pre-internet lack of security. I probably still have checks from that time in a box somewhere in my house.




You know what really, really pissed me off about this?

Equifax, whose business is Credit Ratings and Identity Management, who is the #1 place who you have to worry about regarding identity fraud, has a breach and doxes millions of people.

By law, they are required to provide free credit monitoring for a year.

Those fine gentlemen used this to sell their fine credit monitoring service by basically giving a free year (with an agreement that at the end of the year they will bill you).

Their agreement with the US government for not placing every single employee in jail for the rest of their lives should have been that those services are now free to all comers until the end of time. If they make money verifying identities, they should not be allowed to sell additional services to prevent fraud from their own systems. It is obvious by them selling the services they can do more to protect identities.


It’s a protection racket. Plain and simple.


They are in the legally enviable position of being in the business of being able to libel you by passing on whatever derogatory information anybody that claims you owe money to tells them without having to do anything to ensure that information is correct other than saying “he disputes this” if you complain.