Re: [ISN] Credit agency reports security breach

From: InfoSec News (isn@private)
Date: Fri Mar 19 2004 - 03:37:45 PST

Next message: InfoSec News: "Re: [ISN] Symantec: Boom Times For Hackers (Two messages)"

Previous message: InfoSec News: "[ISN] New Bagle Worm Variant Can Run Without Launching Attachment"
Maybe in reply to: InfoSec News: "[ISN] Credit agency reports security breach"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Adam Shostack <adam@private>

This is an interesting story from the economic perspective on several
ways.  Most important is the risk transfer that Equifax is implicitly
engaging in:

1) We screwed up.

2) We're telling our customers ("potential creditors") to "carefully
confirm the consumer's identity."

3) We're giving affected consumers a subscription to a service that
monitors us.

It's no longer our problem.  We've created this problem through out
security failings.  You go deal with it.

Now, its not clear how much Equifax invested in security.  "Enough"?
Maybe.  We all know that how ever much you invest, there are risks.
Ideally, your spending causes those risks to shrink, or allows you to
catch a problem faster.  It seems that the second probably happened
here.

But the right investment is a matter of economics, and the reality of
the risk transfer is that Equifax has to make a decision about
securing your information, and when it's stolen, it hurts you more
than it hurts them.  (Try calling to opt out of their database.)  So
the rational manager chooses to not invest as much in securing data
about me as I would.

So there's an issue of risk transfer, and there's an issue of the
moral hazard it creates.  And so we'll see more of these.

Adam


On Thu, Mar 18, 2004 at 02:32:25AM -0600, InfoSec News wrote:
| http://www.computerworld.com/securitytopics/security/story/0,10801,91319,00.html
| 
| By Carly Suppa
| MARCH 17, 2004
| TORONTO 
| 
| MARCH 17, 2004 - TORONTO - More than 1,400 Canadians, primarily in the
| provinces of British Columbia and Alberta, have been notified of a
| major security breach at Equifax Canada Inc., a national
| consumer-credit reporting agency.
| 
| Equifax confirmed yesterday that it discovered the breach in late
| February and has notified affected consumers via registered mail
| asking that they contact the agency to review the contents of their
| respected credit files.
| 
| According to reports, access was gained to the personal, detailed
| credit files of more than 1,400 people. The files contained social
| insurance numbers, bank account numbers, credit histories, home
| addresses and job descriptions.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "Re: [ISN] Symantec: Boom Times For Hackers (Two messages)"
Previous message: InfoSec News: "[ISN] New Bagle Worm Variant Can Run Without Launching Attachment"
Maybe in reply to: InfoSec News: "[ISN] Credit agency reports security breach"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Mar 19 2004 - 06:15:39 PST