Chinese Hacking Is Alarming. So Are Data Brokers.

Feb 10, 2020 · 147 comments
AusTex (Austin TX)
If it wasn’t the Chinese but instead some White Supremacist Group it would still be a crime and Equifax should still be sued out of existence for allowing it to happen.
NH (Boston, ma)
I work in marketing for a major financial institution and they (along with most others) severed their relationship with Equifax after this breach. They now only use data from Experian and TransUnion - the two remaining credit bureaus - well until those get breached that is.
Chin Wu (Lamberville, NJ)
Given the lax security, a high school kid could have hacked Equifax. Millions of people's personal info would be all over the net. Why is DOJ going after hackers in China, when obviously no one will be facing US jail time? Why not go after Equifax?
Steve Kay (Ohio)
@Chin Wu They’re going after Chinese hackers because they committed a crime. Quite simple really.
virginia (so tier ny)
Thank you so so much for reporting on this. Equifax gets to amass personal data "legally" (because oversight is either complicit, asleep or incompetent). Equifax maintains a system that is insecure and then squawks because someone breaks into it and steals our unprotected personal data that Equifax put there insecurely. Round and round, then four people from China are charged with this "crime". Equifax is hiding behind the Justice Dept. and the foreign nationals upon whom "blame" is foisted will most likely never shoulder any consequences. Cut out this side track, Equifax is to blame for not securing what it took and said it could secure! Imagine if instead of data they were a bank, amassing deposits. It'd be a bit harder to toss blame at anyone else and their business would be tanked.
T (USA)
"China is behaving a lot like any other data broker. The big difference is that it isn’t paying" - Is Equifax (or any of the other 'data brokers') paying for our data? I don't think so. These data 'brokers' are the worst kind of parasites- greedily collecting and carelessly exposing our data. The whole credit system needs an overhaul to remove the perverse incentives to abuse data. Maybe we should move all of our personal banking/insurance/credit related business to EU-based companies?
Mike Waters (Brighton, MI)
Don't worry Equifax. I am sure the justice department will recommend a shorter sentence. I can't wait to see the class action lawsuit however. You did say 145,000,000 Americans. Wow that's a lot of zeros.
Hedonikos (Washington)
Everyone asks how this is legal. Really? Maybe I am just so cynical anymore I shouldn't express an opinion here but I think the reason it is legal for these credit companies to basically expose you to the rest of the world is MONEY! Equifax found a stooge to help them. His name is Barr. You can bet that he has helped to take the heat off Equifax by charging these Chinese guys. Want to know why Congress is not doing anything to protect Americans' personal information? Because any and all possible bills that have been written to tackle this injustice to the common man are being sat on (literally maybe?) by McConnell. I can't believe that one person can hold this much power over everyone. I only wish I could state what I think. But I won't. It would only get me a visit from the Secret Service. (SS?)
Godzilla De Tukwila (Lafayette)
These corporations need to be regulated. But more important, our entire regulatory systems need to be overhauled. (1) Start funding and staffing the SEC, EPA, IRS, the Consumer Protection Agency, and other regulators so they can meaningfully go after white collar crime and tax evasion by wealthy individuals and corporations. (2) Enforce and strengthen laws that prevent government regulators and industry folks from moving back and forth between the two. Many corporations have non-compete clauses in their contract with workers. Perhaps it's time for the government to create and enforce 'non-compete' clauses for those charged with enforcing regulations? That would include 'consulting' jobs where they are not directly hired but share their expertise. (3) We need federal protections on privacy. That includes not just our financial data, but our internet history, our medical records and our DNA. And as in Europe, we should have the right to be forgotten.
Howard Beale II (Los Angeles)
More scrutiny and regulations AND penalties to these data gathering companies AND their complicit complacent executives who allow breaches to occur. And by data gathering I also mean Facebook, Google and the rest of ‘social media’ as well as lousy Equifax and the other credit bureaus.
Michael Glenn Williams (Marina Del Rey)
Many things to raise. 1) How do people find out if their information was part of the stolen info? There was a settlement in which people could receive a small payment, but they would have to apply. Google has recently provided a service to tell people to change their passwords because their username was part of a hack. 2) The security policies in the company were horrible. No use of encrypted data. No use of multi-factor authentication. No use of password hygiene. No use of role based policy. 3) What is the point of indicting foreign nationals if they are out of the reach of the law? To show off how hard we worked to identify the specific individuals, with spying and forensic analysis of the hack? It seems really odd that the hackers had two servers in direct contact with hacked servers within the Equifax network. Why do a "give away" sort of thing like that? 4) Wrt private data harvesting, credit data is particularly troubling, since there is no opt-in / opt-out process. The data is not provided by the individuals who are being profiled. And credit data rarely is a positive thing, it's mostly punitive.
markd (michigan)
I like the EU's idea that the data companies have to have your permission to share your information before they do it. I can see a thriving business for people who want to be "disappeared".
DAB (encinitas, california)
As a retired Luddite, I don't carry a smart phone and don't do business, with a few exceptions, with companies that require me to set up an account with them. Why should I give any personal information to XYZ company to order its products?
Leopold (Reston, VA,)
During an interview with an Equifax executive eager to talk about their wonderful new machine learning and other data analytics tools, I asked about The Hack. Since the company is in full damage-control mode, that was the end of the interview....
Ross (CO)
"Does China now know as much about American citizens as our own government does?" Probably. But the real question is why our own government is amassing dossiers on every aspect of our lives? The ever encroaching police state complains of "going dark" because of personal encryption, even though the digital world and our total lack of effective privacy laws make this the Golden Age of Surveillance. I'm far more worried about our authoritarian law enforcement agencies than I am about the Chinese.
ondelette (San Jose)
I'm not sure I totally agree with everything in this article. I do agree that perhaps these people should not have this data unless there are more restrictions on them, including more criminal liability for negligence or deceit. But on the specific attack itself, I got suspicious when Mr. Warzel failed to mention how long it was between the Apache Struts fix being available and the Chinese intrusion. That omission doesn't seem to have been so innocent in building the narrative. It was 2 months. So then I started thinking of all the ways that could have happened. At first, like Mr. Warzel, I thought of lax corporate policies and time wasters corporate structures and profit motives, etc. Eventually, my cooler head prevailed. How much work was involved with the patch? I went and looked up a better description of the breach. One exists, it's a 2017 Ars Technica article called, "Failure to patch two-month-old bug led to massive Equifax breach." I highly recommend. In the article, it says, "As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions." Index of suspicion very high for no can do in 2 months. Best place to get that estimate? The Ars commenters. In particular, a commenter handled "Ishkabibbel". Well worth reading his comment before reaching for the torch and pitchfork and heading outside.
Chris (SW PA)
You are the property of those who own the government. Why should property have the right to speak? But seriously, the government is owned by corporations so you have no recourse and the laws will never protect you. That is not what the laws are for. The laws are for protecting the wealthy, who are above the law, and beating down the serfs who should know their place. And many of you are good serfs who will always select cruel masters. Jobs jobs jobs and jobs. You need a job working for one of the owners so they can become rich off of your labor. You are a commodity and don't you ever forget it. Your denial of that is helpful for the masters.
DSD (St. Louis)
Who gave private corporations the right to collect all of my personal information and then sell it for profit and expose it to the evil Chinese Dictatorship? Fraud and corruption rule America.
PA (Fox Island)
It is incredible to me that companies that collect my data without my permission and then do not safeguard it are not held financially liable in any way that forces them to change their behavior or leave the business. Nearly all of the major data breaches are due to negligence on the part of the company that was breached. There is no financial incentive for these organizations to spend the dollars that would keep their own "stolen" data safe. Why is any company still in business that loses the personal data of tens of millions of people? Since I did not give Equifax or any other firm permission to have my data, I view it as stolen. If I want to see it, I need to pay in some way, so it is held hostage. To make matters worse, this data that I cannot access or correct that belongs to me holds the keys on what happens to my life. It is beyond an outrage.
Steve Kay (Ohio)
After one of the largest, and arguably the most damaging, data breaches Equifax has the temerity to sell themselves as an identity protection service. They can’t even protect their own data.
Mike (Pittsburgh, PA)
This will continue until our spineless legislators in Congress enact a U.S. version of Europe's GDPR and mandate severe fines for companies like Equifax that fail to implement basic computer security measures. There's simply no excuse for not encrypting sensitive data! As for the admin/admin account, that's a prime example of a company lacking even a semblance of concern around computer security. This is where hugely punitive fines and criminal charges should occur...
Avatar (NYS)
Much to say on this topic. First of all the security breach lies in the C-level suite at Equifax. Not implementing security practices and policies is criminal, and the CEO and others should be prosecuted to the fullest extent of the law. Along with heavy fines. Money is the only thing these people understand, so you have to hit them in their wallets. Second, data-gathering institutions, both governmental and private, including web browsers, should, by law, be forced to delete their entire databases annually. There’s no reason to hold onto the information for years, with rare exceptions, and we need strong laws, enforced, to try and roll back this complete invasion of our privacy. A tall order, for sure. Third, we have all allowed a tracking device to be placed on ourselves, in the form of our smart phones. Phones should have an option to block tracking. I don’t mean just Location settings. I mean a filter that would block all of our data from being seen. Yes we have allowed it, but it’s also the “system” placing us like frogs in a pot on slow boil. Of course, with the rise of fascism, including here at home, and the malevolent and insatiable greed, fomented and supported by the most criminal administration in our nation’s history, this will not happen, unless we get very serious about it. Folks, please remember next Winter is Coming, in November 2020. Let’s throw these reprobates out of office. It’s a start.
PC (Aurora, CO.)
@Avatar, well put. Good suggestions, all.
Freonpsandoz (CA)
Equifax seems to do this regularly, then their cohorts at Lifelock are suddenly all over the TV with ads for protection: "Nice poisonal data you'se got dere. Sure would be a shame if somethin' was to happen to it." Isn't it "tyranny" when our elected representatives are beholden to corrupt institutions like Equifax? Isn't there a specific Constitutional Amendment that empowers us to overcome said tyranny?
Cathykent78 (Oregon)
If this doesn’t give you pause then you better just bury your money in the backyard and slip people written messages on edible paper, this is right out of a John le Carré novel
John (NYC)
I get the sense of outrage. I'm right there with you. But consider. They don't need your permission to siphon up your data. Why should they? You're in the public domain, not a locked down State. You leak information with every step you take within it. They're just following along behind scooping up all you emit. So you want them to stop? Then stop leaking. I know, I know...what a ridiculous thing to say, public domain and the like...it's my data (and such)! Yes, it is. But do you leave your wallet on the ground? Do you wander the public commons in the real world, parks and malls, showing everything you are to every stranger that passes by? Of course not. So maybe we should flip the logic of this discussion? It isn't the responsibility of an Equifax, et al., to keep your information secure. Well...it IS an obligation of their business model, true enough. But it's YOUR RESPONSIBILITY to stop leaking your data. How to do this? I dunno....fake your presence out on the 'Net. Hide behind VPN-like avatars. You don't leave your wallet in the hands of the businesses you physically visit do you? Don't leave any information in the hands of vendors and businesses. Now I know that's a tough sell. Perhaps even impossible. But it's the mindset you need to inculcate into yourself. The 'Net is not a safe zone. It is a public space. You need to comport yourself accordingly. Just some thoughts worth about that much. John~ American Net'Zen
Steve C (Boise, Idaho)
@John Some things in the public domain shouldn't be there. Here in Idaho your political party affiliation, including "unaffiliated," is in the public domain in the Secretary of State's office. An Idahoan can't register to vote without declaring affiliation. Whether an Idahoan voted or not in a specific election (but not how you voted) is also publicly available. That includes primaries. It's then pretty easy to draw up a database of, say, registered "unaffiliated," cross check that list for those who regularly voted in X political party's primaries and come up with a database of X leaning independents, whom X party activists especially target in canvassing. It doesn't take much to figure out who might be a strong supporter of political party X or antagonistic to party X, or lies somewhere in between, and direct canvassing accordingly. Information about party affiliation and voting habits shouldn't be available to anybody who wants it and use that very specific information -- full name, address, political tendencies -- to hassle targeted people. Yet, there it is, in the public domain without the person's permission. Justice Brandeis believed in "the right to be let alone." With person specific targeting in their canvassing of people who have not knowingly given out their private information, political activists are violating that right.
Neil Austrian (Austria)
IQVIA is another such company selling your health, medical and pharmaceutical data without consent. More here: https://medium.com/@bertcmiller/the-unauthorized-sale-of-your-health-data-is-coming-to-an-end-cd91edd519b3
Cicero (Atlanta)
Dismantle Equifax now!
rjon (Mahomet, Illinois)
I’m a decidedly old geezer largely out of the loop with respect to my digital surround, or at least I try to be. But if I was young I would be personally quite worried about what the Times’ “The Privacy Project” has been revealing about what the world (the whole danged world) is becoming. We’ve always had to deal with predatory behavior—the snake oil types—but the misuse of digitization is giving us snake oil on steroids. Us curmudgeons, who may not think of the Googleplex as Mecca, also have a duty, I think, to warn about what’s being lost when privacy is being lost—which far too many think is a progressive development. The Privacy Project also addresses this loss, although somewhat obliquely. What’s being lost? This is just a teaser: liberty, dignity, justice.
Suppan (San Diego)
The look back on Equifax's incompetent handling of this vast trove of information, our government's lax or indifferent attitude, that is one thing. But the more pressing questions are: 1. What is the PLA doing or intending to do with this data? Were they hacking the systems for practice or with intent to use the information against American nationals? Chinese dissidents? American business executives? All of the above? 2. If the Chinese government were to use the data to torment a US citizen or resident, what can that person do? Is the US government in a position to protect them? Or is Chinese business more important? Think of the Khashoggi murder and our nation's inaction as one reference point. 3. What are methods people can use to protect our data and ourselves in this atmosphere? 4. If the Chinese state were to collapse, as the Soviet state did in 1989, what will happen to the "loose data", akin to loose nukes of 1989 era? Will they become part of a black market criminal underground business? Are they already a part of the criminal underground? Is the US government in ANY position to protect its citizens, residents and institutions from this threat? Looking at the ransomware attacks, the IRS fraud callers swindling over a billion dollars from Americans, what are the chances that we can depend on our government or any of the private corporate tech behemoths to help our people? Why has the multi-billion dollar media industry not raised this? Were they too busy hyping?
Cy (Washington)
Don't worry Experian, you'll be up in here soon enough. After all, you're already spamming me with gaudy credit card offers even though I should be in debtor's prison. And every six hours between emails seems rather desperate.
rabbit (nyc)
I also want to opt out. These credit companies base judgements on our credit worthiness based on some facts but not others. While clever people can game this system, honest people who don't want to live in a calculating way often lose out. This means doors shut all around, calls don't get answered, invisible walls rise and no one will explain why. It is tempting to want to drop out entirely, if this is still even possible. How absurd to trust Big Tech and Big Money in any form to make considered, sensitive judgements truly based on the Public Good. The threat here is not Big Government, but privatized and unaccountable systems that commodify human lives, a nightmare version of capitalism. This is why the political middle will not hold. The rot is deep. And it has spread globally, there are sinkholes from Sri Lanka to St Louis. No wonder rats and trolls are scurrying everywhere on their errands. The online world is a haunted house, sighing with ceaseless desires and dreams of crime.
kjeld hougaard (myanmar)
Maybe the Chinese could have bought information from the brokers?
Paul Henson (Springfield)
The Chinese didn’t have to hack Equifax, they could have purchased the info from Equifax who is more than willing to sell it for $2 a head. I’m not kidding. I used to buy it.
Peter Mitchell (Greensboro, NC)
My take-away from this story is that global hackers probably have most of the documents that the White House is trying to hide from the recent impeachment inquiry. Knowledge is Power, so these hackers are just sitting quietly, waiting for the right opportunity to "ask our Government to do them a favor".
Randy L. (Brussels, Belgium)
This is one reason I support Mr. Trump's tariffs against China.
Cathy (Hopewell Junction, NY)
Equifax stole my personal data, without my consent, and released it to the Chinese. And the government was fine with it. I never consented to have every purchase I made, every payment I made, every transaction I made, become part of a cabal's database that would be sold to others to affect my ability to do anything - pay for my kid's college, buy a car or house, rent a place, get a job. And I never consented to Equifax to use that data to make money, even as they continue - and I have not found a way to stop them, even though I follow their policy - to concatenate me with a person in another state who shares my name, but not my credit rating. I cannot stop them from selling false and damaging data about me. My credit is not good because of Cathy in Connecticut. I have no power - not to control my data, not to protect my data and not even to demand that at the very least the data they stole and sold be correct. Yes, the Chinese are a threat, but to me personally? Equifax is the bigger threat with bigger impact on me. They are unregulated, and able to sell anything at all, regardless of the damage it does, with for all intents and purposes, no governmental oversight and no incentive to be sure that they protect me or represent me truthfully and factually. And my government cheers them on. Regulations are for weaklings.
Ted (NY)
We need legislation to protect privacy. Right now it’s a free-for-all with all sorts of companies amassing personal information from an unwitting public and selling for profit. Facebook should be shut down.
Blackmamba (Il)
What should anger and embarrass Americans is not what is illegal but what is legal. Equifax didn't ask for nor get my permission to collect nor share my data. Any more than Chinese intelligence operatives. Equifax needs to be busted and regulated up. Equifax needs to be fined and sued up and pay damages for its invasion of privacy, theft of personal information and negligence. Equifax needs to go the way of Arthur Andersen and Enron. Next up the social media companies like Facebook, Google and Twitter etc. for deceptive business practices, invasion of privacy, price fixing, monopoly, tools of foreign intelligence, tools of partisan politics etc. Then the opioid dealers and makers like Purdue Pharma, CVS, etc. Then the new gilded age robber barons malefactors of great wealth like Jeff Bezos and Amazon and Mark Zuckerberg and Facebook etc. Finally, a few years ago it was discovered that Chinese intelligence hacked U.S. Government employment records for years before being caught and stopped. So our government shouldn't be so smug about Equifax failures. And none of these indicted Chinese are going to be showing up in an American federal court to face justice any more than the Russian intelligence operatives indicted by Bob Mueller. Cyber warfare is exactly what you would expect as the asymmetric military balance strategy against America. America annually spends as much on its military as the next eight nations combined including 10x Russia and 3x China.
Gowan McAvity (White Plains)
As soon as the hack occurred Equifax started bombarding me with offers of two years of "free" credit monitoring. What happens after that? I can't seem to unsubscribe enough...they always find a way to my inbox with "credit alerts" I did not solicit and do not exist. I am beginning to believe they collaborated with the Chinese hackers, that they are no better than supposed illegal hackers, and have thrown away any fiduciary impulse to revel in the riches of data collection. They should be broken up as a company.
arvay (new york)
Essentially -- lazy, incompetent and entitled corporate management permitted the hack. Apparently the goal was to undermine US intelligence efforts -- so consumers face little or no harm.
PAN (NC)
Why spy, surveil and stalk Americans? That's where the astronomical wealth comes from as they drill baby, drill into our private lives. "Does China now know as much about American citizens as our own government does?" Actually, it's worse - China knows as much as America's private data broker privateers do who don't pay for it either - and Americans have no way to opt out!!! Why is Equifax still in business? Can I have my data deleted? Of course not! Yet it is MY data, more valuable than a celebrity's image. What's the difference indeed! The only time it would be different is if I, as a private individual, did to the data brokers what they're doing to me. I'd be thrown in jail as a hacker or industrial spy - go figure. Companies and corporations have more rights in America than its own citizens. Look how the political party of the wealthy treats its own citizens - even using Russian hackers, Cambridge Analytica, Twitter and Facebook to do its dirty work against us, doubling down again to rig and steal yet another election this coming November. Amazing how astronomical levels of wealth can still be had off of sheer incompetence in this country.
Sean Daly Ferris (Pittsburgh)
Trump tore up the Iranian nuclear deal because it didn't include ballistic weapons. He just signed a trade agreement with a country that stole the identity of one hundred and forty million of its citizens.
Objectively Subjective (Utopia’s Shadow)
Comparing the Chinese government and Equifax in legal terms is not useful: “one is corporate and legal and the other geopolitical and decidedly not legal.” Is what China did illegal? Not in China, apparently. And is what Equifax did legal? Not in the EU... and how many EU citizens had their data compromised in the Equifax hack? No doubt many. I know of at least two personally, and I don’t generally ask people about such matters. So let’s not pretend that one is morally right or wrong based upon whether it’s “legal.” These companies are playing fast and loose with our personal information that they got through spying on us. It is immoral, regardless of the legalities. The inability of the US government to protect its citizens from spying, corporate or nation-state, is an indictment of the US government being captured by the very corporations it should be regulating. We need a government that will protect citizens, not corporate business models, especially those based upon exploiting citizens for value against their will. And, it should not need to be said, but this is not just a moral imperative, it is a national security threat. How many people with access to sensitive government information had their information stolen? We know that such information makes them more vulnerable to blackmail, other kinds of influence, or even further hacks. Shut down Equifax and other data miners.
Stephen Merritt (Gainesville)
The law needs to recognize that our data belongs to us, and that it doesn't stop belonging to us because we use someone's app, or are patients of a medical practice, or for any other reason. So many people are making money off of our data that I don't have much hope of the necessary changes being enacted (and I fear that, even if the changes were made, somehow the court system would discover that companies had a constitutional right to use and sell our data). Still, we have to try.
Ann (VA)
Yahoo's email accounts were hacked not too long ago. As part of the settlement in the case filed against Yahoo customers could either receive some limited $$ or receive free creditor monitoring for a period of time. The problem with opting into the settlement: you had to provide, at a minimum your name, date of birth and social security number. You've gotta be kidding! They couldn't protect your info, now they want you to give them the rest of info they may not have. When you log into your email account they're constantly asking you to provide your phone number, presumably to "protect" you if you lock yourself out of your account. I guess I'll skip the settlement in its entirety. Not worth it to me to provide the rest of my info so they can compare it to what they already have. I've stopped even using my real name on Facebook. I created another profile; and gave a fictional name and DOB. I won't post pix. The amount of info collected scares me. If you Google something, ads relating to that follow you from site to site. I went to an auto parts store to purchase something for my car. Before I could pay the cashier asked for my name, address and phone number. I declined to provide it. Data collection of personal info has become so routine we don't even think twice about it anymore. I don't know where we're headed but it frightens me.
Walsh (UK)
I haven't been through every comment, but what seems to be missing is an open market technical solution. People want a new entity which would deliver more accurate assessment in a more responsible and secure way. Why doesn't such an entity start up fresh?
RobF (Midwest)
Credit bureaus should be required to hold and segregate regulatory capital similar to a bank, based on the amount of data they hold. If they are breached, there should be codified fines that make it prohibitively expensive to have sloppy work practices. Hit them hard where it hurts.
David (Portland, Oregon)
Thank you for this informative article clarifying how Equifax is no hapless victim. I am deeply troubled by the fact that the U.S. government appears to have a contract with Equifax under which the Social Security Administration continues to use Equifax as the source of information to verify the identity of individuals applying for Social Security benefits. How did Equifax get this government contract? How can Equifax keep this government contract after negligently or recklessly failing to protect data? We have been told by experts to freeze Equifax accounts. The Social Security Administration continues to ask applicants to unfreeze Equifax, at least temporarily, to help the government consider an application for government benefits. I doubt that the government should have ever contracted with Equifax. I believe that they should cancel the contract now that Equifax’s gross incompetence reduced Equifax’s reputation to the point where experts tell the general public to freeze Equifax information. Equifax can no longer effectively perform the terms of the contract. We can no longer pretend that Equifax will reasonably protect data. What is going on?
Andy Jo (Brooklyn, NY)
Credit scores are something that should be relegated to a financial trash heap. Anything which can give a low credit rating to someone who has no debt of any kind and who, maybe, owns their home outright (or rents and pays on time) is invalid on its face. The reality is that all it measures is one's willingness to go into debt. It only works if you have debt -- it says nothing about you as a reliable actor in the financial marketplace. It is useless. Its one triumph (if we can call it that) is to terrify all of us into taking out credit cards. Every single financial writer (with some very specific exceptions such as Dave Ramsey) advises keeping credit cards so one can have a "credit history". Every bit of information (print or online) I have ever read about mortgages talks about the credit score. We need to ask the obvious question -- who has benefited from this? Not the collective of the American people -- that's for sure. Not that long ago, before these metrics were developed, banks would put one through a process where one had to bring evidence of income, rent and utility payments on time, credit card payments on time, etc. All of this was on paper, of course. Today? Not so much. We need to question whether the ease of taking out credit accounts, facilitated by the credit score, is actually a good thing. I have come around to believing that it is not.
Bill Virginia (23456)
Because of this data breach I suspended my credit in 2017 right after the hack. It took a month because all 3 credit bureaus were swamped with requests and at the time they were not wanting consumers to do this. It didn't take a genius to realize that if the credit bureaus are being hacked there is zero safety in the system. This data should now be "locked" for everyone with a process to release. Merchants and Banks hate that idea as it slows "impulse" purchasing. The vaunted "cloud" has been hacked too, again Chinese, and this proves the Internet is not a safe place for information. I think you will see some changes as personal information on the internet is never safe! Really a bad way to store information as the hackers are winning!
RHR (France)
As usual the US is behind the regulatory curve with regards to data protection. It should be possible to opt out of having your personal data stored and used in ways that are definitely not to your advantage as it is in Europe. There should be heavy penalties for negligence like that shown by Equifax and let's not forget that Equifax is just the latest example of many. Two questions we should be asking are - why is it taking so long to bring this under control and close these obvious vulnerabilities? and second, what is happening to this data after it is stolen? There should be research done to establish how the data is being used in order to close as yet unseen further weaknesses in our systems.
George (Fla)
@RHR - Another question how many lobbyists does Equifax employ in Congress? Lobbyists rule the government, just look at amount of lobbyists in this “administration”! 281 at last count.
Trina (Indiana)
It's the same story, software updates ignored, passwords posted on wall for all to see, failure of resetting factory administrative/passwords via the router is all too common. IT departments consisting of a third party contractor called in only when something doesn't work. Until companies are heavily fined, victims of data breaches get millions of dollars each in compensation, this will continue. I would suggest jail time, but that's a moot point. The dearth of cybersecurity funding and expertise consistently threatens US Infrastructure. Until we get a cohesive plan and wisely spend the billions of dollars needed to maintain cybersecurity, the US will be considered an "open town" by foes.
Pamela L. (Burbank, CA)
When so much money is involved in the gathering, analysis and sale of our data for mostly nefarious purposes, it's unlikely much will be done to control or punish those responsible for its theft, manipulation or use on the black market. Unfortunately, we've lost control of our personal data. It started the moment we clicked on the "I Accept" buttons on many websites. We didn't keep up with the speed and ease of such data-gathering and we didn't pass laws to prevent its monetization. Our data has been weaponized. Many countries want to gather it to use against us in our upcoming election, to get us to reveal national security secrets and to get an edge on us for competitive purposes. I want to erase all my personal data and I'm not a fan of AI facial recognition, location services and marketing targeting. Start demanding that our government and various, highly trafficked websites start to protect us. We have the power of our pocketbook. If these businesses don't protect our data, take your business elsewhere.
Steve C (Boise, Idaho)
We need a very simple rule governing all databases: Nobody's private information is in a database without the consent of the person listed in that database. (Read Roger McNamee's 2019 book "Zucked".) The current existence of databases with private information and without the consent of those in them are privacy violations in any ethical sense, even if they are not illegal. If some agency wants to establish a database without the approval of the people in it, presumably for the public good -- such as a sex offender database -- then such a database should be expressly approved of by some legal mechanism -- a law, a court order -- which the public or the public's representatives have input to.
NOTATE REDMOND (TEJAS)
Get a hold of Equifax and freeze all your information immediately.
Suburban Cowboy (Dallas)
Freezing your information keeps the legitimate users out, not the nefarious overseas cyber thieves who hack in regardless.
Morgan (Minneapolis)
Use the internet or have a phone? That company is collecting data. The Times does it. Also want to know how Equifax gets your data? Your bank shares your information with them. You agreed to let your bank do this when opening up your account. Virtually all banks share their information with Equifax/TransUnion/Experian/FICO because the more data points the more accurate the score.
Viv (.)
@Morgan There's no such thing as an "accurate" score because there isn't one score. The one they check to offer you a mortgage isn't the same one they use for a car loan. Both of those are different from the one they use for a business loan, employment and rentals. If "accuracy" had anything to do with it, the people with the best scores would be the ones who pay their bills. In reality, the people with the best scores are those who sign on to credit products and have a low credit utilization rate. All things being equal, the guy with multiple credit lines has a higher score than the same guy who didn't sign up for that. In reality, a credit score is nothing more than an indication of how amenable you are to buy credit products.
Desmo88 (Los Angeles)
It’s about time these corporate data gangsters were exposed. Great article. If decisions are based on digital data, why isn’t our most personal as stout as blockchain??
Frank McNeil (Boca Raton, Florida)
Many federal employees have been Thrice Bitten -- by the Chinese, OMB and Equifax. And none of the miscreants has had to pay affected Americans for their misconduct, though praise is due the feds for identifying the Chinese intel agents. They, like Kremlin cyber spies from the Internet Research Agency who meddled in our 2016 Presidential elections will probably never be apprehended but the USG's negligence in not pursuing some degree of restitution from Equifax tells who owns the government.
ag (Springfield, MA)
In January, I was informed by a previous healthcare system I was enrolled in that my personal information may have been stolen by hackers. Not to worry, though, because Equifax had been hired to provide free credit monitoring and identity theft protection services for the next two years. Doesn't exactly inspire confidence does it?
BayStateBreakdown (Boston)
@ag Well, unfortunately, you also live in Massachusetts where you filled out an annual City census form with all your personal information including name, home address and date of birth. That gets published by the Springfield, MA, town clerk for everyone, including the data brokers. Ridiculous old law: www.baystatebreakdown.com This was a great article with a clear message.
George M. (NY)
The blame should be 50-50 between Equifax and the US Government, as both have been about equally careless. Had the US Government enacted laws that would appropriately address today's technological environment and impose severe penalties on violators (similar to the EU's GDPR), this sort of thing could be largely avoided. Since there is no severe enough penalty imposed on Equifax, what's there to force them or any other similar company (Experian and Transunion come to mind) to do due-diligence in handling sensitive personal information known as PII? This is another example of unfettered capitalism. Money is more important than the American people.
Larry Figdill (Charlottesville)
Another major problem with Equifax and other credit reporting agencies - one cannot even choose which one you want to use. After the 2017 Equifax breach (which included my data) I decided that they didn't deserve my "business." When I needed a credit inquiry after that, I learned that you don't even have a choice which agency will be used. Because of the breach I have put a freeze on all three of my credit "accounts". The inability to choose one for a credit check makes this really difficult, because it requires me to temporarily unfreeze all 3 accounts to get a credit check. As a result, I have not applied for a couple of new credit cards I wanted (but don't need very badly). I will only unfreeze my credit accounts for major things like a mortgage or buying a house.
Steve Fankuchen (Oakland, CA)
Many commenters blame the government. I would suggest people look in the mirror for the real culprit. It is we, the American people, who have entrusted all this information to the internet. It is people, not their government that is at fault, though had we had real leadership these past few decades, we might have spared ourselves web dependency and addiction. Countries are going to spy, corporations will pretend they are secure and have your interest at heart, politicians will rarely lead, and the large majority of people will self-delude for the sake of convenience, gossip, and their daily fix of electronically induced endorphins. The internet cannot be meaningfully regulated. Do you really think these four indicted guys will ever be brought to trial? And if Experian moves to Russia, what can you do? No, there is no free lunch, and if people really hope to regain any control over their personal information, they will have to get off the internet. Hard? Most certainly! Impossible? No! In a real sense, how much you care about something can be measured by what you are willing to give up. There is no privacy or security on the internet, nor can there ever be, and as much as we hate to admit it, the bad guys (however you choose to define them) are as smart as the good guys and are often more motivated. You want change? Remember Kent State, Jackson State, Emmett Till, Mickey Schwerner, James Chaney, Andrew Goodman, Medgar Evers, Viola Liuzzo. Yes, there is no free lunch.
Michijim (Michigan)
The entire industry of amassing data on Americans is a direct result of how our elected officials have defined private information for individuals. We live in a nation in which corporations have paid enormous sums of money to politicians to ensure the loosest definition is codified in law as it applies to US citizens. Until Americans start turning politicians out of office for not voting the will of their constituents we can expect this phenomena to continue to grow.
Daniel Kauffman (Fairfax, VA)
Maybe we ought to look at what’s true. Sovereign states routinely act beyond the scope of some legal norms in pursuit of an edge. Individuals implicitly and explicitly tasked with the duty discussed here have increasingly shown high levels of unreliability. These are nothing if not first and foremost internal failures. The New York Times deserves credit for assembling information about privacy. Unfortunately, it appears it has come years after the public adjudicated the matter and decided it was a lost cause. Still, thanks for the post-mortem. If we decide on a different direction in the future, the cause of death report could be useful.
Steven Dunn (Milwaukee, WI)
The fifty-year-old warning that storing personal data on computers threatens civil liberties and our "very humanity" is prophetic indeed--and stated at a time when computers were the size of rooms with a fraction of the power of a smart phone. We are helpless against these giant corporations like Equifax, which gather our information without our consent. Giant banking companies are abetting this. I get constant messages from my credit card companies and bank urging me to use "online" payments or banking--for their convenience, not mine. The more we place our lives on the Internet the more we place our personal data and our privacy at risk. When we lose our privacy we lose a sense of self--the "humanity" aspect of the 1970 quote. We need stronger government regulations and oversight over these monopolistic corporations; they cannot be trusted.
Jim Wilkins (San Francisco)
Equifax, Transunion and other data collectors are lightly regulated and are allowed to amass our data without our knowledge or consent. In European countries this nonsense isn’t allowed but here in the US “free market” (i.e. anything goes as long as it benefits corporate interests) we are required to check our credit scores (for a price) and correct often-incorrect information in our file because it was put there without our knowledge. This country is turning into a bad joke.
Bill Ormusun (California)
I honestly don’t know why Equifax is allowed to exist anymore. It should have been legislated out of existence the minute this hack became known, and maybe before. I wish Warren (of all people) was more outspoken on this.
margaret_h (Albany, NY)
Let us not forget the hacks of the Pentagon, Navy, etc.
pb (calif)
Equifax was not even penalized for their egregious action. Do we really believe three Chinese soldiers committed this act and AG Barr found them? What a joke!
RobF (Midwest)
The Chinese military has amassed a large cyber disruption and hacking capability. So yes, I do believe it. As for AG Barr, what is he supposed to do, ignore it?
JCallahan (Boston)
An absurd false equivalency. Marketing intelligence is hardly the same as a Chinese hack of SS numbers. Focus on the real issues and spare us the hysteria.
BayStateBreakdown (Boston)
@JCallahan Perhaps you didn't read until the end where Mr. Warzel wrote "In an endless cyberwar, information is power." Call it marketing, call it hack, call it whatever you want. The end result is equivalent and that is the collection and assemblage of data on you. Sounds pretty real. It doesn't help that your Boston City clerk (actually elections dept in Boston ) publishes your name, home address and date of birth: www.BayStateBreakdown.com
C. M. Jones (Tempe, AZ)
I thought the free market was supposed to solve problems like this one.
AR (San Francisco)
Why should I care if allegedly the Chinese stole the data? The Chinese didn't make Wells Fargo steal its client's money. The Chinese aren't denying my health care. The Chinese didn't cause the collapse of the US economy. Wall Street did. Wall St. laid off millions. The Chinese didn't foreclose on millions of people's homes, Wall Street did. People sneer about the Chinese regime's use of a "social score." That's precisely what the "credit score" is already in the US. Our enemy is right here, the billionaire ruling class and their government, and their twin parties of millionaires. My enemies are not foreign.
Jenniferlila (Los Angeles)
Equifax makes me feel both outraged and helpless. I want all the data this unethical, inept and greedy corporation has on me erased, I never gave permission to Equifax to gather and save and share personal details on my life. And yet they do. And there’s nothing to be done about it.
William (San Diego)
@Jenniferlila Actually, there is something you can do, since you live in California. As of 6+ weeks ago, you can require a credit reporting agency to not sell your data and force them to remove old data from their system. When you go to the credit bureau's web site and log in, you should see a banner that directs you to a series of questions, and after a dire warning that you're not going to get the "benefit" of "targeted offers" you simply click the box for NO! DON'T SELL MY DATA. You might want to contact your local assembly person and/or state senator about your desire that they extend this ban to the likes of Google, Facebook, Amazon, etc. That law is scheduled to be discussed in the next assembly/senate session, let your feelings be known, we have a very progressive government in California and with a little push, I'm sure the reach of restrictions will expand. Good luck.
George M. (NY)
@Jenniferlila You're right about not having given permission to Equifax to gather and keep your personal information, but you need not look any further than our careless and inept government for not enacting the appropriate laws to match technology.
Jacquie (Iowa)
@Jenniferlila "Equifax, by way of apparent negligence, was also responsible for the theft of our private information by a foreign government." I too am outraged that Equifax could care less about the safety of our personal information. Equifax was negligent and should be held responsible.
Teachmehow2douglas (Los Angeles)
What do you think would happen to interest rates and the economy if banks couldn’t use data to make informed lending decisions? Oh wait, we can answer that question. Banks stopped responsibly using lending data before 2008 when the banks failed and we had the biggest recession since the Great Depression. Let’s go back to that for the sake of complaining about credit reports.
Rob Kadar (NJ)
I hate the credit reports agencies and the credit reporting industry. A bigger scam operation on the American public I am not aware of. First they collect our data without our consent. Then they come up with these bogus credit scores to control us, keep us in line and make us doubt our worth. Then they charge us to view it. And if we find errors, they make us jump through hoops to get them corrected. Then they don’t even work to protect the data from Chinese hackers. When the revolution comes, they’ll be the first to go.
Dennis (Missouri)
Quite frankly, in 1975 I called for the elimination of the three credit reporting agencies due to their combined inaccuracies of data. Also, they eliminated personal banking and professional relationships that benefited borrowers. Now, once again, we have a national security problem with these agencies due to foreign interference and stolen data. This situation is beginning to seem normalized as a way to make revenue to "supposedly protect" one's information. I call this "profit over privacy." Please call it what you may; fleecing and etc. The dealmaker in the White House while campaigning today, failed to even address this national security issue; reportedly he was too busy degrading Americans in New Hampshire. What else is new?
EBurgett (CitizenoftheWorld)
Great column. This is why the US needs EU-style privacy laws. Many users in the US are completely unaware that they are disclosing sensitive personal information on the internet, because the federal government allows private companies to collect it - without much oversight. This is not because the Federal government cannot do privacy. As we have seen in the case of Trump's tax documents and school transcripts, data security can be watertight. But it is not in the case of American consumers, because the likes of Zuckerberg have spent millions to convince politicians that online privacy laws would be the end of American tech. Once more, the US got the best Congress that money can buy...
Bruce Arnold (Sydney,)
[W]hat’s the difference between the Chinese government stealing all that information and a data broker amassing it legally without user consent and selling it on the open market? The more interesting question is what's the difference between Equifax selling all that information to China and Equifax negligently allowing all that information to dribble out without China's having paid for it. (Other than the obvious impact on Equifax's bottom line.) Yes, it's wrong for China to steal the stuff. But isn't it wrong for Equifax to want to sell that stuff?
Suburban Cowboy (Dallas)
The difference is: one is legal and one is not. In other words, the US is willing to have laws of hacking in computers but not laws on privacy of data.
Kevin Cahill (Albuquerque, NM)
Excellent essay.
Grace (Bronx)
Where was the Obama administration (e.g., Eric Holder) when all this happened?
AR (San Francisco)
Taking his cut of the proceeds.
Run From Nothing (Brooklyn)
Comparing the Chinese embryo intent with the grey area selfishness of the data abusers, is absurd.
Capitalism4Ever (Staten island, NY)
I guess China is a pretty big problem, isn't it? Perhaps Trump knows what he's talking about.
W in the Middle (NY State)
Charlie, kudos... As with Krugman, when he gets something right – gotta give a shout-out... These internet-scale vulnerabilities preceded online social media by at least two decades... And nobody gives companies like E anything by frivolity or choice – or gets anything from them for free... Bluntly, much of the blame can be laid squarely at the feet of SW suppliers who treat IT security for these sorts of databases as some sort of add-on bolt-on MCAS – often in high-cost maintenance revs – rather than building it in, inherently… As Apple does for iPhones… Bill Barr, first you want a backdoor – then you complain about who’s letting themselves in, and raiding the pantry... Apparently, there’s no pleasing you… PS Bill, you’re actually getting a lot of this right… I’d like to have snarked that they’re actually coming in through a lot of windows that were left open – but then I’d have the other Bill vexed at me… You know – the really scary one… No – not David Carradine… The really really scary one…
Walter Ingram (Western MD)
Great news for the President. Another source to cull for information or disinformation, on his political opponents from. China, if you're listening!
DAWGPOUND HAR (NYC)
Chinese hacking is more than alarming: https://learningenglish.voanews.com/a/us-officials-report-increase-in-chinese-economic-espionage-cases-/5278404.html It is an existential threat to our existence as is Russia too, among others. Data brokers? Yes they are as well. Okay.
Mua (Transoceanic)
"China, if you're listening!" Why is it ok for Russian operatives to hack DNC servers, run robot propaganda through facebook and FOX News to assist in the appointment of an illegitimate, fraudulent president who is all but a fascist dictator, but not ok for China to hack big brother Equifax-- a criminal organization if there ever was one? What's the art of this deal? Why does Billy Barr care about this, but not that? No quid pro quo from China for the trump crime syndicate? Is that the problem? They just need to pay up, right? More extortion will make it ok, right?
Observer (USA)
Break it down – Russia's the weakest superpower, so it's actively working to pull Trump's strings, while weakening America so it can try and move up a notch in the superpower pack. Russia wants a weak America, and Trump wants a weak America too, because the weaker it gets, the stronger he gets and the more money he can steal from the coffers. So there's the deal. China, on the other hand, doesn't need any deal with Trump or America. It's the rising superpower, and is content to sit back and watch America fall apart as it gets looted by Trump, knowing that it will be the leading superpower in just a few decades at most. But right now China's getting a lot of sympathy in the press, and since Trump hates it when the news of the day is about anything besides him, Trump and minions decided to throw this old and stale Equifax hack into the news cycle, to try and remind everybody that China's bad and doesn't deserve any sympathy for all the regular citizens dying there.
A Datum (Southwest US)
Call your congresswoman and demand legislation that requires companies to protect and safeguard Personally Identifiable Information (PII) with encryption. These are the basics. Storing PII in plain text is idiotic. The correct response to Equifax and others saying “but they were scary Chinese hackers” is simply “be better”.
Dennis (Missouri)
@A Datum I've been calling for legislation to eliminate and or curtail collection of personal data by these credit agencies since 1975. Sadly, the truth is "the Congress is not interested in this issue," as profit is more important than privacy and incorrect data collected has always plagued these bureaus. The truth is, "Congress could care less." Thank you for your post!
Ars (Baltimore, MD)
Sure. Opt out. Opt out of credit cards, loans, bank accounts. Opt out of having a job, since a credit check is often necessary for employment. Just opt out of life! This article is painfully stupid. Equifax, and like companies, are absolutely necessary to a modern, efficient, productive economy.
KKnorp (Michigan)
It’s a shame Republicans neutered the Consumer Financial Protection Bureau. Instead we should give it real teeth and let it hold Equifax et al accountable for selling us out. Elect government officials who will prioritize your privacy rights.
Joe Cottonwood (Arlington)
Man Equifax sure did get let off easy such a little amount to pay for such a large company. Furthermore if a company's privacy culture was as bad as Equifax it's likely it hasn't improved since the hack, and the best part there is no shame on their part and they get to play the victim with the recent announcement. Awful company
Cailin (Portland OR)
Glad to see this article pointing out that despite Billy Barr's big blustering indictment of the Chinese army hackers, Equifax's failures to protect our --OUR--personal data is not mentioned from the Justice Department's podium. Instead Equifax is named as a "victim".
SB (Louisiana)
If agents of Chinese government are guilty of hacking us then Equifax is equally guilty of coercing and abusing our data. The US government can easily indict Equifax execs and make them pay. But they won't. Instead Equifax will blame China and declare itself a victim. It will happily collect more data and sell it to us. The US government is deliberately misleading its own people.
ScottC (NYC)
The reaction to the Equifax saga is really quite hilarious. We are stricken with fear at the prospect of an evil communist power now possessing highly detailed personal information about 145 million Americans! How about the fact that a soulless, profit-obsessed American corporation possesses highly detailed personal information about 145 million Americans? What, you think your data is safe in Equifax’ good hands? How much of that data is sold to other soulless profit-obsessed corporations? Or provided to the US government for its own purposes. If and when our country is ever destroyed, it is certainly more likely to be from within (See: Donald Trump) than from the outside.
sam (flyoverland)
Thank you for one of the most common-sensical, logical and needed pieces I've read in some time. Why indeed are the 3 credit bureaus allowed to collect something they don't own, refuse to let you opt out, and be allowed to make money on the whole thing? utterly ridiculous. What I can't wait for is if Bernie, Bloomberg or Biden wins, they appoint Elizabeth Warren to play the same role at Treasury as FDRs did, and the billionaire boondoggle blood bath begins. Equifax, like Purdue Pharma crooks should have before filing for bankruptcy, should have the assets seized by the government, liquidated and the victims (not their lawyers who typically eat 75% of the money in class actions) compensated. The "shareholders" should not only get nothing for their losses, they should be prevented from claiming losses on their income taxes. Maybe next time, they'll quit funding companies doing questionable business if they know they may come out of it penniless.
Steve Fankuchen (Oakland, CA)
The main issue is not that the Chinese hack into government and corporate databases, the latter with negligent acceptance. Rather, it is why we, the American people, have entrusted all this information to the internet. And yes, it is us, not the government that is at fault, though had we had real leadership these past few decades, we might have spared ourselves web dependency and addiction. Countries are going to spy, corporations will pretend they are secure and have your interest at heart, politicians will rarely lead, and the large majority of people will self-delude for the sake of convenience, gossip, and their daily fix of electronically induced endorphins. There is no privacy or security on the internet nor can there ever be, and as much as we hate to admit it, the bad guys (however you choose to define them) are as smart as the good guys and are often more motivated. The other question this article begs is why there is no enforcement mechanism when security vulnerabilities are discovered. If Experian was informed of the problem two months before the attack, why do we not have the legal means to force closure of the vulnerability? (That's a rhetorical question. We all know the answer.) Why are the individuals who made the decisions to allow the exposure of your personal info not subject to criminal penalties? Why are corporations allowed to simply consider fines a cost of doing business? (Another rhetorical question.) Most important: when will people say, "Enough!"
George M. (NY)
@Steve Fankuchen "Rather, it is why we, the American people, have entrusted all this information to the internet." While you do have a point regarding such internet based apps as Facebook, you are mistaken when it comes to the credit companies like Equifax, Experian, Transunion, etc. We, the American people do not entrust our sensitive information to them, but our careless government that has not enacted laws to protect us. And it is all because of capitalism, where the almighty dollar is more important than the human being.
Viv (.)
The credit rating agencies only have power over individuals because employers (including the government) and landlords give them power. They're the ones who want a "morality check" on prospective employees and tenants because a police criminal record check is no longer good enough. The solution is simple: stop buying their credit scores. If someone is really bad with money, there are already court records on them when their creditors took them to court. You don't need Equifax to tell you anything. Credit scores are bogus and don't live up to their marketing hype - as they were forced to admit in various state courts when people sued them. Remember the excellent S&P ratings of companies just before the financial crisis? How about the tech bubble companies? Good ratings reflect nothing but one's willingness to pay for a good rating.
Ars (Baltimore, MD)
@Viv Such a simple solution! Stop buying credit scores! Did you ever consider why banks, landlords and potential employers would pay good money for them? Maybe, just maybe, because they are needed and well worth it. The people putting their money at risk are not stupid.
Viv (.)
@Ars Europe survives just fine in their rental market and consumer credit market without credit rating agencies. People with unpaid debts are eventually sued, and it becomes part of the public record. You don't need to pay anyone for that information, least of all a credit rating agency. People pay good money for a lot of useless and ineffective things despite repeated scientific evidence that they don't work. Hair growth serums. Pills that claim to enlarge your male member. Weight loss pills. Numerous lawsuits in NY allowed credit rating agencies to prove that their marketing claims are true and discriminatory against poor people. They all failed to prove their case. That's why NY state has the Credit Check Law that prevents employers from considering credit ratings in hiring decisions. An employee with a good credit rating is just as likely to steal from you or sell your secrets as one with a bad credit rating. Witness every single person who was a government whistle blower or sold American secrets to China, Russia, etc. Nobody did it for money. They did it for ideological reasons, because they believed that what was going on was wrong.
Andy Jo (Brooklyn, NY)
@Viv What you have said is so true. I do, however, have one small quibble with what you have said about those who sell secrets. In my lifetime (I am over 50), the majority of spies (people who have sold secrets to a foreign power) have done it for money. Not all, of course, but most. One shining example was Robert Hanssen. If you think about Chelsea Manning, you are correct. She didn't "sell" secrets, per se. I believe that she, herself, was disclosing information because of a personal/moral conviction, but I do question the motivation of those to whom she gave the information (and who put her in mind of sharing the info in the first place through possible manipulation).
Bruce1253 (San Diego)
Europe is working on or has in place laws that allow each person to control their own personal data. It is an opt-in system: you must give permission for someone to gather your data and sell it. The US has no such system; our marketplace is the wild west, whatever you can get away with you can do. We need to do two things: Stop doing business with China, they are our enemy and it's time we recognized that and treated them accordingly. Pass personal privacy legislation on the European model.
operadog (fb)
@Bruce1253 Don't you know Bruce 1253 that "REAL Americans" don't do what Europeans do. Wouldn't be patriotic.
William (San Diego)
@Bruce1253 You live in California! Unless they moved the border last night - with Trump you never know! Because of your state of residency you can opt out of allowing the credit bureaus to sell your data or retain your old data beyond its useful life (7 years).
Bruce1253 (San Diego)
@William It is a beginning, but nowhere close to where it needs to be.
AmarilloMike (Texas)
When did I give Equifax permission to gather data on me? I don't remember giving permission. Shortly after the hack Equifax said I could check and see if my data was taken, no charge. So I went to their website to do just that and they had a terms and conditions I would have had to agree to to check to see if they had let my data be stolen. Within those terms was an agreement not to sue them. So I backed out of the site. I froze my Experian data and my data at the other credit rating services. Then I needed to open an online account with Social Security Administration as I had reached the age of Medicare enrollment. Except Social Security wouldn't open an account as I had frozen all my credit data. I ask again, when did I give permission to Equifax to gather up my data and retail it? When did I give permission for Equifax to be the authority for validating my Social Security identity? I have received many proffers from Equifax to protect my personal data from theft, like the LifeLock service. Right. Equifax had been allowed to run wild in the virtual world without any repercussions for gross negligence or even outright skulduggery. I hope someone hacks all the identities of the highest paid thousand employees and ruins their credit, takes over their identity, and steals their checking accounts. And I hope they all have to go, in person, to northern Iowa in January and then coastal Mississippi in August to get it straightened out.
Ars (Baltimore, MD)
@AmarilloMike If you give information to another by, for instance, taking out a loan or applying for a credit card, you have lost control of it. It isn't "yours" anymore. Read what your loan application and the terms and conditions of your loan state. You might be surprised that you DID give permission.
AmarilloMike (Texas)
@Ars Fair enough. But if it is not "my" data, why would I need to pay Equifax or LifeLock to protect it?
Liz C (Portland, Oregon)
@AmarilloMike — I’m puzzled about the Social Security refusal you mention. My husband and I froze our credit years ago, and later, when we began getting Social Security (via online deposit), nobody refused us.
Ryan M (Rhode Island)
Companies like Equifax are as much an existential threat to our right to privacy as the Chinese government’s facial recognition campaigns. In most tech companies you could be fired for failing to encrypt the data you manage or for using “admin” as your login and password. Until we as citizens demand our legislators hold these companies to task, we will continue to be the unwitting product they sell. How can we let them sell our privacy for zero compensation (with no available opt out), and then let them blame a hostile foreign government for stealing data, now the most valuable commodity in the world? Time to wake up and put them out of business.
Steve Fankuchen (Oakland, CA)
The main issue is not that the Chinese hack into government and corporate databases, the latter with negligent acceptance. Rather, it is why we, the American people, have entrusted all this information to the internet. And yes, it is us, not the government that is at fault, though had we had real leadership these past few decades, we might have spared ourselves web dependency and addiction. Countries are going to spy, corporations will pretend they are secure and have your interest at heart, politicians will rarely lead, and the large majority of people will self-delude for the sake of convenience, gossip, and their daily fix of electronically induced endorphins. There is no privacy or security on the internet nor can there ever be, and as much as we hate to admit it, the bad guys (however you choose to define them) are as smart as the good guys and are often more motivated. The other question this article begs is why there is no enforcement mechanism when security vulnerabilities are discovered. If Experian was informed of the problem two months before the attack, why do we not have the legal means to force closure of the vulnerability? (That's a rhetorical question. We all know the answer.) Why are the individuals who made the decisions to allow the exposure of your personal info not subject to criminal penalties? Why are corporations allowed to simply consider fines a cost of doing business? (Another rhetorical question.) Most important: when will people say, "Enough!"
RHR (France)
@Ryan M "Until we as citizens demand our legislators hold these companies to task, we will continue to be the unwitting product they sell." This is the crux of the problem and the reason that these massive thefts of data continue to occur. We should be outraged and demanding change to our privacy laws but we are not. We are asleep at the wheel in a fast moving car and have been for quite some time which is why over the past ten years our personal privacy has been so outrageously compromised.
SP (Los Angeles)
Why do we have crippling sanctions against Iran, North Korea, and Venezuela when those countries have done us no real harm, but the one country that really has endangered the average American (China) is our biggest trading partner?
Kevin (Colorado)
This is the tip of the iceberg, how many vendors service firms in other parts of the economy, and the "customer" (usually a large firm) dictates to the vendor that anyone accessing information related to their business has to furnish personally identifiable information beyond their name, such as date and place of birth, social security numbers, and in some cases they want information that is almost on par for someone going for a federal security clearance. This is extremely prevalent in IT, other sectors of the economy, and for someone needing a contract job badly, who knows how far they can go. Last, looking at the laws of probability, what would be the mean time before someone who has all that information in an Excel spreadsheet leaves their laptop in a Starbucks or whatever form of transportation they were using? We need some legislation on what your employer can hand out to their customers in order to obtain or maintain business, with exceptions for National Security Agencies or Federal, State, and local law enforcement.
Mike Cullen (Colorado Springs)
"But what’s the difference between the Chinese government stealing all that information and a data broker amassing it legally without user consent and selling it on the open market?" This is an excellent question and one I am certain tech companies don't even want to come close to discussing.
A reader (HUNTSVILLE)
@Mike Cullen One difference is hackers like the Chinese Government sell the data to crooks that steal your identity and then to access your banking accounts so as to steal your money. Changing passwords every once in a while is a great way to stop this. Actual data brokers are not stealing your identity but want to lead you to part with your money by buying things you did not know you needed.
plages (Los Gatos, California)
@Mike Cullen Besides, it came from Barr, so, so much of what was stated you may have to swallow a grapefruit, as in the sky is falling, and so much for honesty from this wonderful truth telling government!
Eatoin Shrdlu (Somewhere On Long Island)
Simple new law needed: It will be a Class A Felony, one count per datum, for any governments, corporations, partnerships and/or individuals on their own, or as employees, doing business within the United States or with persons in the United States to engage in, or conspire (including the writing of code) to collect, possess, combine, trade or sell any information on any current, past or prospective customer or employee not critical to creating, processing, shipping, delivering, making payroll, evaluating employee job performance or payment of local, state or federal taxes, or compliance with US or state law or regulation, (or in the case of a government, legitimate law enforcement activity - defined by each individual law on the gathering and maintenance of records.) It will be an additional Class A Felony, per datum to keep 'unnecessary data' on a data storage device directly or indirectly connected to the Internet for more than a period defined by a negotiable agreement to insure information regarding proper orders/requests/complaints remain in progress. Public information, as defined by the Freedom of Information Law amended for Data, and most records of government other than those covered by the Privacy Act and Health Care Privacy Act, as amended for data on government systems will not be affected by this law. Record keepers may request the privilege of those identified in records to maintain them on- or off-line. (An off-line record is one isolated from the 'net.)
A. Reader (Birmingham, AL)
@Eatoin Shrdlu Define "datum." Is a person's last name a datum? Is a person's first name a datum? What about middle name versus middle initial, one datum or two? Is the street number of a physical address a datum? Is the street name of a physical address a datum? Or do street number _and_ street name, properly combined, comprise a datum? Is the city name a datum? Is the state name a datum? What about the ZIP code? Do you count the five-digit ZIP code as a distinctly different datum from the ZIP+4 version? Is the term "Main Street" a datum or only a metaphor? Does "Main Street" become a datum when combined with the municipality name, for example, "Middletown"? Or does "Middletown" only become a datum when combined with the state in which it is located? My point is to think critically about what constitutes a granular, discrete, atomic "datum" for the purpose of Class A felony in your proposal. (For that matter, "Class A felony" is a legal term that I suspect neither of us can rigorously define.)
rbitset (Palo Alto)
On the NY Times Privacy Project is an article titled "The Government Uses 'Near Perfect Surveillance' Data on Americans". That article describes how the U.S. government bypasses the courts to purchase information that otherwise would require a court order. Presumably what was illegal about this is that the Chinese didn't pay Equifax for the data.
M (Detroit)
China is apparently guilty of hacking Equifax. I'm not in favor. What I am even less in favor of is what Equifax, Experian, TransUnion and every other company, web site and local, State and Federal governments so inclined is doing. Indiscriminately collecting every piece of personal information they can get - all without consent. They create algorithms of undiscoverable merit that form the basis for more companies making decisions about you and me. We are without much meaningful recourse on any of it. I am no less angered by that stealing. Thus far the Congress has shown little meaningful interest in setting limits that give citizens equal footing. We have lots of work ahead of us. Wouldn't it be wonderful to have leaders who have our backs, rather than having to push them toward efficacy year after year with ridiculously poor results.
reid (WI)
As the call for an opt-in method of collection (having to give explicit permission to our banks, credit card companies and anyone else who touches our finances in any way BEFORE any information is collected, or forwarded to such big data black-holes) may mount, our lawmakers will tsk-tsk us saying that all will be well, and that without such big collections, modern commerce will be difficult. Who would want any impediment to obtaining easy credit? We as consumers must be relentless in hammering away at the lawmakers to have this hole dammed so we can begin to take back control of our information.
skier 6 (Vermont)
@reid One way to fight Equifax, and other data brokers, is to freeze your credit files at the big three: Equifax, TransUnion and Experian. I did this, and each one sends you a PIN number, so that only you can unlock your credit file, say to apply for a car loan. You can unlock your file for a limited period of time, for a loan application. That way you deny these data brokers access to sell your credit files to others. Also, if your SSN number and other info has been compromised, no one else can fraudulently apply for a loan in your name.
Hacked (Dallas)
This is an act of war. And what will congress do?
Mike (NYC)
Absolutely how dare China steal data, they should pay for it like everyone else!
Bruce Arnold (Sydney,)
@Hacked -- So what's the act of war? That a foreign government pilfered some information that it could have bought? That seems more like an act of theft than an act of war.
Rob Brown (Keene, NH)
Do read the app details. Just click accept.
RER (Mission Viejo Ca)
I've never understood why a company like Equifax can accumulate my financial information without my consent, associate a score to it and sell it to other people. And to make it worse, they try to sell my own data to me! How is this legal?
Joyce Con (Jackson, NJ)
It should not be legal. Especially when you try to get it corrected but cannot because of all the red tape they put you thru. Part of the settlement should have included a first class customer service center for all the consumer credit agencies that could quickly research and add, delete or modify the error or alleged error. All of this is very possible. In addition, government agencies are very quick to add liens and judgements to your consumer agency reports but very very slow to take them off.
Eric (Hudson Valley)
@RER It is legal because there is no law against it.
Triogenes (Mid-Atlantic)
@RER It is illegal. Unfortunately, only in Europe. The European General Data Protection Regulation (GDPR) mandates that, except in very few cases, personal data can only be used for the specific purposes for which it was collected. It must also be carefully protected, and deleted when no longer relevant or necessary. There are harsh penalties (maximum €20 million or 4% of turnover, whichever is greater) for failure to conform. Of course, these add extra costs to business, about which US firms have complained loudly. The shoddy US standards of data protection can simply be seen as another manifestation of companies privatizing profit while socializing risk. Standard behavior, in other words. It's worth noting that one mid-decade phenomenon that occurs much less often these days is the large scale loss of credit card information. Why? Because the targets of such losses, such as Target and Home Depot, were hit with draconian penalties by the credit card firms and security standards were immediately improved. Most importantly, the card companies, faced with huge losses, finally implemented Chip-and-PIN. The answer to the data protection issue, therefore, is regulation. Data controllers need to be terrified of the consequences of losing customer data (as they are in Europe). Only then will the problem be properly addressed.
RMurphy (Bozeman)
If the US government nationalized the credit bureaus it would cause an uproar. So why does leaving it in less secure hands that are beholden to stockholders and not the people not scare the living daylights out of us?
Irish (Albany NY)
Interesting that they blame 4 individuals instead of just China as a country and the attack as an act of war. Why? US is afraid of China and doesn't want to call it an act of war... They don't want the insurer behind Equifax to get out of paying for an act of war...