Re: [ISN] Credit agency reports security breach

From: InfoSec News (isn@private)
Date: Fri Mar 19 2004 - 03:37:45 PST

    Forwarded from: Adam Shostack <adam@private>
    
    This is an interesting story from the economic perspective in several
    ways.  Most important is the risk transfer that Equifax is implicitly
    engaging in:
    
    1) We screwed up.
    
    2) We're telling our customers ("potential creditors") to "carefully
    confirm the consumer's identity."
    
    3) We're giving affected consumers a subscription to a service that
    monitors us.
    
    It's no longer our problem.  We've created this problem through our
    security failings.  You go deal with it.
    
    Now, it's not clear how much Equifax invested in security.  "Enough"?
    Maybe.  We all know that however much you invest, there are risks.
    Ideally, your spending causes those risks to shrink, or allows you to
    catch a problem faster.  It seems that the second probably happened
    here.
    
    But the right investment is a matter of economics, and the reality of
    the risk transfer is that Equifax has to make a decision about
    securing your information, and when it's stolen, it hurts you more
    than it hurts them.  (Try calling to opt out of their database.)  So
    the rational manager chooses to not invest as much in securing data
    about me as I would.
    
    So there's an issue of risk transfer, and there's an issue of the
    moral hazard it creates.  And so we'll see more of these.
    
    Adam
    
    
    On Thu, Mar 18, 2004 at 02:32:25AM -0600, InfoSec News wrote:
    | http://www.computerworld.com/securitytopics/security/story/0,10801,91319,00.html
    | 
    | By Carly Suppa
    | MARCH 17, 2004
    | TORONTO 
    | 
    | MARCH 17, 2004 - TORONTO - More than 1,400 Canadians, primarily in the
    | provinces of British Columbia and Alberta, have been notified of a
    | major security breach at Equifax Canada Inc., a national
    | consumer-credit reporting agency.
    | 
    | Equifax confirmed yesterday that it discovered the breach in late
    | February and has notified affected consumers via registered mail
    | asking that they contact the agency to review the contents of their
    | respected credit files.
    | 
    | According to reports, access was gained to the personal, detailed
    | credit files of more than 1,400 people. The files contained social
    | insurance numbers, bank account numbers, credit histories, home
    | addresses and job descriptions.
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Mar 19 2004 - 06:15:39 PST