In the aftermath of possibly Australia’s biggest data breach, Optus offered customers “most affected” a free subscription to an identity-protection service, provided by credit-monitoring company Equifax Protect. Presumably, this offer still stands for the people whose details were leaked before the hacker apparently deleted all their posts this morning.
Now, where have we heard the name Equifax before? Turns out, if you google “Equifax data breach”, Optus’ offer isn’t the only news story that comes up. For example, there’s this from The Washington Post, September 7, 2017:
The credit reporting agency Equifax said Thursday that hackers gained access to sensitive personal data — Social Security numbers, birth dates and home addresses — for up to 143 million Americans, a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for Americans’ credit histories.
Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a ‘website application vulnerability’ and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates are particularly sensitive data, giving those who possess them the ingredients for identity fraud and other crimes.
Equifax also lost control of an unspecified number of driver’s licences, along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others. The company said it did not detect intrusions into its ‘core consumer or commercial credit reporting databases’.
Oh, cool.
Of course, it’s the right thing that Optus are being more hands-on than it previously has been regarding the breach, and we’re sure Equifax has done some serious work on its security in the intervening five years — if for no other reason than to avoid another fine of more than half a billion dollars.
But it points to a problem with most solutions offered after a massive data breach. Like the proposal floated by Home Affairs Minister Clare O’Neil that companies provide banks with details of stolen data after a breach — they always seem to involve handing one’s data to yet another company which could in turn be compromised.
