| ▲ | hk__2 3 hours ago |
| > the data stolen in the breach could include full names, dates and places of birth, mailing and email addresses, and phone numbers on an undisclosed number of citizens Nothing really new here sadly, this information about me have leaked half a dozen of times in the past 2-3 years or so. These things will never change if the only penalty the company/agency gets is "send a message to your users saying you are sorry and that it won’t happen again". |
|
| ▲ | nout 2 hours ago | parent | next [-] |
| Or maybe the government should not require companies to KYC you for every little stupid thing or action you do in this world. What happened to requiring only the information that's actually required? Why do I need to be KYCd in the systems when buying banana, ordering delivery, etc. Because of the inevitable breaches and leaks - KYC is the illicit activity. The selling point of KYC was preventing fraud and money laundering. It doesn't actually do that. Search for "largest money laundering settlements" and you will find 5 banks and one crypto scam. |
| |
| ▲ | traceroute66 36 minutes ago | parent | next [-] | | > Or maybe the government should not require companies to KYC you for every little stupid thing Actually.... Say what you like about the French today, but one good thing they have is an electronic service[1] where you can generate single-use KYC ID: - That only discloses minimum information required
- For a specific recipient organisation
- For a specific duration
- For a specific use-case by that organisation
More countries should provide this sort of KYC tool.[1]https://france-identite.gouv.fr/usages/le-justificatif-d-ide... | |
| ▲ | michaelje an hour ago | parent | prev | next [-] | | The overreach on access and then storage will be a meaningful issue we will have to reckon with more and more. Companies are acquired, companies die. What happens to your data in 5, 15, 50 years? It doesn’t just disappear. From a few months back: https://mjeggleton.com/blog/your-data-never-dies | |
| ▲ | MattDaEskimo 2 hours ago | parent | prev [-] | | Might be cheaper & safer to buy an identity than use my own. |
|
|
| ▲ | concinds 2 hours ago | parent | prev | next [-] |
| Penalties don't work for government agencies. Taxpayers would pay for it and it doesn't act as an incentive. The way to fix it is to empower one government agency to do aggressive pentesting against every other agency, hospitals, banks, infrastructure, and big corporations, with salaries matching the private sector. Impose a legally-enforced deadline to fix any issues, with a fine (for private actors) or demotion of the guy in charge of infosec (for state agencies). Forget compliance checklists, KPMG "audits" and all that crap, just have government-sponsored hackers trying to get into everything like an attacker would. France seems to have had a ton of government hacks in the past year at various levels, so it's sorely needed. |
| |
| ▲ | 2 hours ago | parent | next [-] | | [deleted] | |
| ▲ | mcmcmc 2 hours ago | parent | prev | next [-] | | > Penalties don't work for government agencies. Taxpayers would pay for it and it doesn't act as an incentive. This is the same as the rogue police problem in the US. What needs to happen is a shift to personal liability for those responsible. | | |
| ▲ | signatoremo 2 hours ago | parent [-] | | Personal liability? Are you also against no blame culture that is prevalent in the tech world? |
| |
| ▲ | spwa4 2 hours ago | parent | prev | next [-] | | You don't seem to realize the difference between those 2. > The way to fix it is to empower one government agency to do aggressive pentesting against every other agency, hospitals, banks, infrastructure, and big corporations, with salaries matching the private sector. Impose ... And now you've got private people empowered to attack specific government officials. In fact, that's their job. Btw: you forgot to specify "in public", and that needs to be how it works, otherwise it will just result in officials attacking this security agency. Oh, AND you're giving government officials an obvious point of attack: "salaries matching the private sector". > Forget compliance checklists, KPMG "audits" and all that crap, just have government-sponsored hackers trying to get into everything like an attacker would. You mean forget the way even the dumbest of the dumb can "provide security"? Do you think government officials in France got their position based on their IQ? Of course this is the only way it can work, but this needs a very un-French form of government to get it to work. | |
| ▲ | ihsw 2 hours ago | parent | prev [-] | | [dead] |
|
|
| ▲ | xp84 2 hours ago | parent | prev | next [-] |
| Hey now, don’t forget the offer of “free credit monitoring for a year” - I feel like at this point I’ve gotten so many of those that if I signed up for them all, I’d have my personal info in twice as many probably-hackable locations as I do already. |
|
| ▲ | throwup238 3 hours ago | parent | prev | next [-] |
| Wait, you don’t even get a month of free credit monitoring? |
| |
| ▲ | tcgv 3 hours ago | parent | next [-] | | My full name, phone number, and address were leaked by TAP Air Portugal about five years ago, along with the details of my parents who were on the same booking. Since then, my dad has been targeted by those types of scams where a fraudster impersonates me to ask for money. I never received a notification from TAP; I only found out a year later through my Google One security feature. I certainly didn't get an apology—much less a free travel ticket! | | |
| ▲ | Brybry 2 hours ago | parent | next [-] | | The world of today is so weird sometimes. When I was a kid most adults' full name, phone number, and address were available for free in the phone book. | | |
| ▲ | Macha an hour ago | parent [-] | | If the scam success rate is 0.1%, and it takes days to comb a phone book and put together a list of potential relationships and takes a human 10 minutes per phone call, the economics of scamming works out a lot less profitable than importing a data leak and emailing or robocalling everyone in the list. |
| |
| ▲ | ghm2180 2 hours ago | parent | prev | next [-] | | I do use an email alias everywhere. But I don't believe you can do the same with phone numbers. I tried using my twilio rented number and there is a way systems use to figure out if that is a real number for a person or a VoIP one. Though it is sometimes successful in use for signups and hence spam reduction. | | |
| ▲ | Scoundreller 2 hours ago | parent [-] | | Could set up 6 digit long extensions and only ever issue a few hundred of them in total. Guess wrong 3x and goodbye. Can also set some/most/all to go to voicemail so they can get in touch with you, but not really. Or blackhole the invalid extensions to /dev/null voicemail but then you run the risk of legit misdials and you never get some important message. The real vs “fake” number issue could be worked around by having your cell phone provider forward all calls to your VoIP number. It’s baked into gsm, don’t need a phone after initial setup: https://www.geckobeach.com/cellular/secrets/gsmcodes.php |
| |
| ▲ | tiagod 3 hours ago | parent | prev | next [-] | | That TAP data was leaked on a tor hidden service, in multiple files, and download was extremely slow on the days following the leak. One of the files was much smaller, and my friend had the bad luck to have his data in that one. His phone was spammed so incessantly he had to change his number almost immediately. | |
| ▲ | VadimPR 3 hours ago | parent | prev | next [-] | | I'm dissatisfied about the TAP leak as well! I was affected, and like you, didn't even receive a notification - nevermind compensation for having leaked my personal data to the dark web enabling all sorts of shenanigans that make my personal life difficult. | | |
| ▲ | nunobrito 3 hours ago | parent [-] | | About 2 million portuguese there. Basically all active portuguese adults that have enough financial conditions to travel by airplane. It was a fantastic leak, based from an excel file asked by a marketing department which forgot it inside a shared folder on the hacked (private) server. There was far more info there than just that, also included the details of employees and more interesting if they were on medical leave. Curiously enough many of those employees were family members from politicians and well-known people. Some of those in long term sick leave were receiving a monthly salary while conducting live shows on festivals during the summer. Nothing happened on the news. They all went silent about this case. | | |
| |
| ▲ | lostlogin 2 hours ago | parent | prev [-] | | > I never received a notification from TAP They have been reporting millions in profits despite rising costs. What you propose would further elevate costs. Shareholders don’t want that. |
| |
| ▲ | gus_massa 3 hours ago | parent | prev | next [-] | | I'm not sure about France, but here in Argentina all this info is assumed to be public. If you want a credit at a bank or shop, they ask for a physical copy of the national ID [1], probably a photocopy too, an electricity or water bill and perhaps other paperwork that is hard to get (verified phone number???). [1] Do you want my number? It's inside this list: for i in range(1E9):
print (i)
| | |
| ▲ | vladvasiliu 2 hours ago | parent | next [-] | | It's supposed to be identifying information here. Usually, you can just send copies of those documents, which means that if you're looking to impersonate someone, you can easily produce fakes. And since everyone and their grandmother asks for these, people don't bat an eye and send them. The coup de grace of security in France is signatures, though. Now, since you can't produce a physical signature over the internet, they'll ask for your phone number and send you a text with a code. Once you've entered it on their web form, you've proved undoubtedly you are who you say you are. | |
| ▲ | jerf 2 hours ago | parent | prev | next [-] | | "Do you want my number? It's inside this list:" You might find it interesting to learn a bit about information theory. The entire purpose of your specific number is precisely to identify which number in that list is yours. Having the list of all possible numbers is irrelevant. Conceptually you can model that as everyone has that, all the time. But that's not enough to do anything with, because having that list entire list means you have zero information. If you say "it starts with an 8", you've eliminated 90% of the possibilities. Now you have log2(10) bits of information, but you haven't nailed it down yet. For each additional number you give you give that many more bits until you nail it down. This is a common misconception people have. I remember someone who claimed to have copyright all possible melodies by virtue of having printed them out and thus enumerated them. But that is meaningless, because the entire job of naming a specific melody is precisely the nailing down of which one you mean. Expanding the list of possibilities you might mean is actually a reduction in the amount of information, despite the superficial appearance of listing more numbers out, and when you expand the possibilities out to "all possible instances of the thing" you're actually at the minimum of information, not the maximum. | |
| ▲ | dspillett 2 hours ago | parent | prev | next [-] | | > in Argentina all this info is assumed to be public Same here. You can probably can find my address and phone numbers fairly easily from my name by a number of methods. That doesn't mean it isn't bad when an organisation spews out, or allows to be sucked out, huge numbers of people's data. With a leak like this it is practical to try scam everyone the list, searching for each person's details individually, and having to enumerate those people in the first place⁰, would mean no such attack would scale in a way to make it worthwhile bothering¹. -------- [0] This seems strange when you first think it, but: the most important thing being on such a list says about you, is that you are a real existing person, whose identity could be exploited somehow. That fact is what makes any other information valuable. [1] except for high-worth targets, which is why spear-phishing is a thing | | |
| ▲ | gus_massa 2 hours ago | parent [-] | | > That doesn't mean it isn't bad when an organisation spews out, or allows to be sucked out, huge numbers of people's data. I completely agree. |
| |
| ▲ | 2 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | 3 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | Traubenfuchs 3 hours ago | parent | prev [-] | | If you are that unconcerned, why do you not provide us with your information right here and now? |
| |
| ▲ | Thaxll 2 hours ago | parent | prev | next [-] | | The credit system is not the same in Europe, first of all there is no such thing as credit rating and what not. People don't have credit card like the one in US and Canada. The vast majority use a debit card. | | |
| ▲ | csnweb an hour ago | parent | next [-] | | We do very much have credit rating in Germany, might be very different than the one in the US, don’t know theirs. | |
| ▲ | jampekka 2 hours ago | parent | prev [-] | | In UK there is. :( | | |
| ▲ | ifwinterco 2 hours ago | parent [-] | | Nothing like america though, lots of people (maybe the majority) cruise through life with 1-2 credit cards and occasionally apply for a mortgage without ever really thinking about their credit rating. Being obsessed or even thinking about your credit rating in the UK is a bit of a minority reddit pursuit not something normal people do. (Of course if you default on stuff you will need to think about it) |
|
| |
| ▲ | freedomben an hour ago | parent | prev | next [-] | | Heh, for real, it's maddening how often this is the "solution" to any breach. It's especially lovely when it comes from multiple companies at the same time, that may or may not have leaked your SSN. | |
| ▲ | dboreham 2 hours ago | parent | prev | next [-] | | Fairly sure this is an ironic comment. (Credit monitoring is the useless thing companies give people in the US when their information is leaked -- everyone in the industry knows it's laughably unrelated to private information disclosure). | |
| ▲ | sofixa 2 hours ago | parent | prev [-] | | There is no such thing in France (or most countries for that matter). It's a pretty absurd system that gamifies and profits off heuristics, and results in a Kafkaesque nightmare where you can't get a job, rent a place or get a loan because of an arbitrary value assigned by a company with a profit motive. One that has no incentive to get things right or even get the right person. How things work in France is much simpler and better. When you apply for a loan, the lender checks with Banque de France (national bank) if you have outstanding debts and if you've defaulted on any debts in the past 5 years. That's it, that and your proof of revenue is all they need. |
|
|
| ▲ | rectang 2 hours ago | parent | prev | next [-] |
| Seeing another one of these breaches had me returning to look at local-first software. https://lofi.so I feel like if we're going to make progress in preventing wholesale data breaches it will be through architectural innovations that attack the problem of why a trove of concentrated data needs to exist. Even if the government needs to be a central authority, are there ways to house the data that limit the blast radius? I'm sure there are innumerable arguments why this can't help, but when the mainstream alternative is despair and helplessness, progress will be made in the margins. |
|
| ▲ | isodev 2 hours ago | parent | prev | next [-] |
| With everyone doing online “identity” verifications, all these details and more are already available to data brokers. Persona.. I mean Palantir even has a short video of you from your “liveness check” to go with the scan of your ID. |
| |
|
| ▲ | dawnerd 2 hours ago | parent | prev | next [-] |
| The problem though is when its from a gov agency it validates previous breach data making it more valuable. |
| |
| ▲ | dylan604 2 hours ago | parent [-] | | Depends. According to DOGE, voter registration databases have people listed as 150 years old or deceased people receiving monthly government checks. Obviously a different govt than TFA, but govt databases are no less prone to inaccurate data. They are still run/managed by humans regardless of the govt in question | | |
| ▲ | dawnerd 2 hours ago | parent [-] | | That DOGE info was a very small portion of the data and considering who it came from you have to take even that with a grain of salt. There's always going to be inaccuracies in any dataset, no avoiding that. |
|
|
|
| ▲ | Ales375 2 hours ago | parent | prev | next [-] |
| GDPR has solid fines for data breaches, but this doesn't work for government agencies. Just someone else's money going from one government pocket to another.
What they need is an automatic firing of the head of the government agency that suffered a breach. No question asked. |
| |
|
| ▲ | ge96 3 hours ago | parent | prev | next [-] |
| > Nothing really new here sadly Facts at Equifax |
|
| ▲ | reaperducer 2 hours ago | parent | prev | next [-] |
| These things will never change if the only penalty the company/agency gets is "send a message to your users saying you are sorry and that it won’t happen again". So, you want the French government to fine the French government so the French government uses French taxpayer money to pay the French government for the French government's mistake? |
|
| ▲ | paulddraper 2 hours ago | parent | prev | next [-] |
| > if the only penalty the company/agency gets What is the penalty for the government? |
| |
|
| ▲ | shevy-java 2 hours ago | parent | prev | next [-] |
| Not disagreeing with you, but: > These things will never change if the only penalty the company/agency gets is I do not think penalties can prevent these situations. Perhaps they may be less frequent; perhaps people would get more compensation, but ultimately I do not think these can be prevented. The first consideration is why the data has to be stored in the first place. Naturally one can say "the government needs to know who is a citizen and who is not", and I can understand this rationale to some extent, but even then I wonder whether this has to be correct. Perhaps we could have a global society without any requirement to be an identifiable citizen per se. Things such as mandatory age verification-sniffing to never become an issue, because it is not needed and not possible and nobody would have an addiction-need to sniff for that data (we know Meta and co want that data, this is why their lobbyists run rampage via the "but but but somebody protect the children" lie). |
|
| ▲ | itopaloglu83 3 hours ago | parent | prev [-] |
| [flagged] |
| |
