Should Users Be Excluded?
The silent war of powers on the web! I’ve been looking forward to Lyuben Todev’s insights into the Equifax hack. I’m sharing his “translation” of the situation. There is more to it than what we hear from most sources. Check it here:
“I decided to wait a bit before commenting on this topic – so the dust can settle a bit, and the truth can shine. I agree with +Shawn Tuma – we as a society have a short memory. So stories like this one need to be repeated every once in a while, so we might remember what happened.
To summarize – the personal information of hundreds of thousands of people was stolen. The reason was a vulnerability in software which was identified in early 2017 but was not patched by the Equifax team. The sad part is not the allegations that the chief security officer did not have the qualification for the job, but the fact that this vulnerability was not dealt with in time and that the breach was not disclosed for more than a month.
This means that while Equifax knew about the stolen data from the end of July, it did not notify the users of its services (who are just providing the data of the third party to check for identity theft), nor anyone else, until September. This means that if the data was going to be used for identity theft, most victims would be caught unaware that the breach had happened and that their personal information was available to malevolent persons. In this regard the reaction of Equifax is similar to that of Yahoo to the series of data breaches in 2016, which means that the latter has not been a lesson – neither in cyber-security nor in responsibility.
What should have happened – Equifax should have immediately notified any person affected by the breach, as well as any authorities who might check for signs of identity theft related to these persons. And after that, the company should have paid compensation to the affected persons. Because it is not enough to know, you have to be compensated for the problems the theft of your personal data means. And these problems are practically related to the need to constantly be looking over your shoulder or checking your bank statement.
And here is the important point: as Gavin G. Smith points out in his book The Hangman’s Daughter, a corporation is beyond notions of good and evil. It operates in terms of profit, so to stop it from doing something it is not enough to prohibit it. The breach of the prohibition should be so expensive that it outweighs the positive effects of the said breach.
+Shawn Tuma mentions punitive measures – but when we are talking about victims, it is not enough to punish the guilty party. It is necessary to provide some restitution to the victim. And that is the matter nobody is discussing – because there are no measures for restitution suggested for discussion. This means that users are effectively excluded from the calculation. But all punitive measures, all incentives should be aimed at providing a safe environment for our personal data.”
Originally shared by Shawn Tuma