Forwarded from: Adam Shostack <adam@private>

This is an interesting story from the economic perspective in several
ways. Most important is the risk transfer that Equifax is implicitly
engaging in:

1) We screwed up.
2) We're telling our customers ("potential creditors") to "carefully
   confirm the consumer's identity."
3) We're giving affected consumers a subscription to a service that
   monitors us.

It's no longer our problem. We've created this problem through our
security failings. You go deal with it.

Now, it's not clear how much Equifax invested in security. "Enough"?
Maybe. We all know that however much you invest, there are risks.
Ideally, your spending causes those risks to shrink, or allows you to
catch a problem faster. It seems that the second probably happened
here.

But the right investment is a matter of economics, and the reality of
the risk transfer is that Equifax has to make a decision about securing
your information, and when it's stolen, it hurts you more than it hurts
them. (Try calling to opt out of their database.) So the rational
manager chooses to not invest as much in securing data about me as I
would.

So there's an issue of risk transfer, and there's an issue of the moral
hazard it creates. And so we'll see more of these.

Adam

On Thu, Mar 18, 2004 at 02:32:25AM -0600, InfoSec News wrote:
| http://www.computerworld.com/securitytopics/security/story/0,10801,91319,00.html
|
| By Carly Suppa
| MARCH 17, 2004
| TORONTO
|
| MARCH 17, 2004 - TORONTO - More than 1,400 Canadians, primarily in the
| provinces of British Columbia and Alberta, have been notified of a
| major security breach at Equifax Canada Inc., a national
| consumer-credit reporting agency.
|
| Equifax confirmed yesterday that it discovered the breach in late
| February and has notified affected consumers via registered mail
| asking that they contact the agency to review the contents of their
| respected credit files.
|
| According to reports, access was gained to the personal, detailed
| credit files of more than 1,400 people. The files contained social
| insurance numbers, bank account numbers, credit histories, home
| addresses and job descriptions.

[...]