Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Security The Internet

Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB (krebsonsecurity.com) 169

An anonymous reader quotes a report from KrebsOnSecurity: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax. At issue is a service provided by Equifax's TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that "Your personal information is protected." "With your consent your personal data can be retrieved only by credentialed verifiers," Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits. Sadly, this isn't anywhere near true because most employers who contribute data to The Work Number -- including Fortune 100 firms, government agencies and universities -- rely on horribly weak authentication for access to the information.

This discussion has been archived. No new comments can be posted.

Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB

Comments Filter:
  • Remember when? (Score:5, Interesting)

    by whoever57 ( 658626 ) on Monday October 09, 2017 @10:55PM (#55340935) Journal

    Remember when people mocked the credentials of Equifax's former CIO and other people pushed back because many people in the field didn't have traditional background?

    Well, it looks like security was a systemic failure at Equifax, so perhaps it's actually time to suggest that someone with a music degree wasn't qualified for the job?

    Let's face it: success is defined as no known security breaches, yet, this could be down to luck rather than skill. Either no-one successfully targeted her prior employers or any breaches never became public.

    • Re:Remember when? (Score:4, Insightful)

      by Anonymous Coward on Tuesday October 10, 2017 @02:42AM (#55341431)

      To be fair you don't need a degree in something to be good at it, work history is just as important.

      So, would you rather have:

      Someone with a music degree but 20 years in the IT industry

      Or

      Someone with a comp. sci. degree but 20 years in the music industry?

      I know which I'd choose. A comp. sci. or similar degree means jack shit if you've never put it into practice.

    • by epine ( 68316 )

      Well, it looks like security was a systemic failure at Equifax, so perhaps it's actually time to suggest that someone with a music degree wasn't qualified for the job?

      Jaron Lanier [wikipedia.org]

      Knuth Discusses Bach, Pipe Organs, And CS [youtube.com]

      You: I'm not sure about this hire. Are we really, really, really sure he hasn't got a music degree? I smell a rat.

      Now go back to your mother's cave, little boy.

      Because the music degree itself is not the problem.

  • Wait, what? (Score:5, Insightful)

    by SeaFox ( 739806 ) on Monday October 09, 2017 @10:57PM (#55340943)

    The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it.

    What business is it of a potential employer what I was paid by my previous employers? All that does is weaken the applicant's position when it comes time to negotiate a starting salary.

    • Re:Wait, what? (Score:5, Insightful)

      by Pfhorrest ( 545131 ) on Monday October 09, 2017 @11:04PM (#55340967) Homepage Journal

      That's why employers like that service and provide data to it. Same reason lenders like the basic credit reporting service and provide data to it. So the people in power have numbers to justify keeping you in your place.

      • When I hire, I do want to know people's salary and employment history in detail-- not especially for negotiating compensation, although the most recent salary often gives some indication of where they should be.

        The main issue is to understand where their career is going-- are they changing jobs every two years because they were fired, or because they found better jobs? Did they take a year or two off that might be relevant (generally it isn't, but certain other patterns can make it a point of consideration

      • Re:Wait, what? (Score:4, Interesting)

        by Solandri ( 704621 ) on Tuesday October 10, 2017 @11:20AM (#55343537)
        That's the problem though. This isn't your secret data. This is data that's shared between you and another party. And the other party is the one opting to share it with the credit agency.

        Logically, arguing that the other party shouldn't be allowed to share this info without your permission, is equivalent to arguing that you shouldn't be allowed to write a Yelp review of a restaurant without first getting the restaurant's permission.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it.

      What business is it of a potential employer what I was paid by my previous employers? All that does is weaken the applicant's position when it comes time to negotiate a starting salary.

      It's not a bug. It's a feature. In fact, it's pretty much the whole point.

    • by rsilvergun ( 571051 ) on Monday October 09, 2017 @11:35PM (#55341069)
      our entire economic system was rigged against the working class. Good thing that would never happen.
    • by mark-t ( 151149 )
      It's less of an employer's business and more the business of someone you are getting a loan from or obtaining a line of credit.
      • by Anonymous Coward

        It's less of an employer's business and more the business of someone you are getting a loan from or obtaining a line of credit.

        Even then, they should just share your credit score and not any other salary information. If your loan institution wants that you can provide W2 or paystub from your place of employment.

        • by mark-t ( 151149 )
          Not necessarily.. your credit score is a gross assessment of your general credit risk, but does not tell one anything about your ability to pay back loans of a given size, and while a paystub can confirm to many that you are presently employed, it says absolutely nothing about how long you've actually been employed, and how stable that income actually is.
          • by lucm ( 889690 )

            Not necessarily.. your credit score is a gross assessment of your general credit risk, but does not tell one anything about your ability to pay back loans of a given size, and while a paystub can confirm to many that you are presently employed, it says absolutely nothing about how long you've actually been employed, and how stable that income actually is.

            I completely agree, the score doesn't give the whole picture. I've seen records with bankruptcies getting a better score than records with a collection history that had no outstanding balance.

            The system is absurd. Years ago, someone I know got a call from Visa asking when her bankruptcy would be finished so they could send her a new card. I couldn't believe it, but now that I've seen my share of credit reports I have no doubt that this happens a lot. Even a history of bad checks barely move the needle.

            • One of your mistakes is thinking that that score represents your credit risk in some way.

              That score represents how profitable you are to them.
              • Certainly Australia. No way salary let alone detailed credit history can be accumulated by a private company and sold.

                Mind you, we became a bit more like the US recently (2014) with watering down of these laws with no good reason and far too little debate.

    • by lucm ( 889690 )

      The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it.

      What business is it of a potential employer what I was paid by my previous employers? All that does is weaken the applicant's position when it comes time to negotiate a starting salary.

      We use this kind of service at the office and it's mostly garbage. The data is not normalized, it's full of arbitrary formats. Some are clearly hourly rates, some are either hourly rates or possibly annual salary in thousands, some use the same lingo as bank account figures like 5FH (5-figure high) or Moderate 6. The end result is that while you may be able to have an idea of what a candidate possibly made at a previous job, you have no easy way to put it in perspective because you can't aggregate shit.

    • All that does is weaken the applicant's position when it comes time to negotiate a starting salary.

      Yes.

      • by Ihlosi ( 895663 )
        Yes.

        "So you're looking for someone who is smart enough to do this highly-qualified job, yet uninformed enough not realize they are being underpaid?"

        • There is nothing about not realizing. You see, the best fruit of the progress is so much technological disparity between power and masses that the former could be completely smug about it.

    • by AmiMoJo ( 196126 )

      You answered your own question there. Employers seem to have an attitude that you shouldn't get a big pay increase because if you were worth that much your previous employer would have paid you more. They also like to pretend it's an indication of market rate.

      Of course if it's a massive pay cut that's fine, market rates etc.

      The stupid thing is that this just punishes loyalty and encourages people to change jobs every few years just to get salary bumps.

    • Comment removed based on user account deletion
    • by Anonymous Coward

      Years ago in order to get a job, I took a pretty low starting salary.

      I moved to another job after a couple of years because that company treated us like shit.

      Anyway, upon looking for another job, I find out that I was being paid about a third less than my peers.

      When I told my real salary to the recruiter and that I wanted to be paid the same as my peers - same experience and skills - I was told that I was being unreasonable to expect an employer to give me that much of a raise. She found me something and t

  • When is enough, enough, and the peasants rise with pitchforks, rakes, and torches? (none of those stinking tiki torches though)

  • by sconeu ( 64226 ) on Monday October 09, 2017 @11:15PM (#55341005) Homepage Journal

    Time for the corporate death penalty. If "corporations are people", then they can get the death penalty.

    Yank their charter. And, if possible, blacklist their CxOs.

    • If "corporations are people", then they can get the death penalty

      Corporations are people in the sense that soylent green is people: they are composed of people. So you are saying that you want to put all the shareholders of a corporation into the electric chair. Doesn't seem like a good idea. In fact, it's exactly the sort of thing that corporations were created to prevent.

      • by Anonymous Coward

        The point he's making is that, through legal trickery, corporations are treated as legal entities just like people. Except when it suits the people who own them; then they mysteriously become collections of people again so that it's hard or impossible to hold them to any normal standard of accountability. To avoid this double standard it should be possible to effectively prevent a company from damaging society any further in the same way that we can lock up criminals. Not that it will ever happen - the "inv

    • by lucm ( 889690 ) on Tuesday October 10, 2017 @02:36AM (#55341417)

      if possible, blacklist their CxOs.

      Marissa Mayer made roughly $900,000 for every week she spent at Yahoo, while driving the company into the ground. And yet her name was mentioned as a possible new CEO for Uber.

      There's no blacklist for those people

      • by AmiMoJo ( 196126 )

        Mayer destroyed Yahoo, and is now being considered to destroy Uber. I don't see a down site to this.

      • by Ogive17 ( 691899 ) on Tuesday October 10, 2017 @06:27AM (#55341939)
        Oh, I didn't realize Yahoo was have such great success before Meyer.

        She didn't drive them into the ground but she also didn't save them.
        • by lucm ( 889690 )

          Yes she did. Yahoo was struggling but profitable before Mayer.

          She sabotaged all the cash cows, like the women website (shine) because she felt it was tacky. She replaced it with immensely expensive bloggers that the usual Yahoo users didn't care about (like Katie Couric) and fancy fashion blogs that she liked but that drove away the millions of loyal users. Ad money dwindled down as she tried to attract sophisticated users that didn't want anything to do with Yahoo and scared away the peasants that were the

      • by Anonymous Coward on Tuesday October 10, 2017 @07:25AM (#55342163)

        Yahoo was dead before Marissa Mayer came along.

        The fact that she's a completely worthless tool who just pumped enough stock price to bail out the venture capitalist and investment firms by selling it for something rather than watching it disintegrate into nothingness has nothing to do with if Yahoo was going to survive or not.

        Yahoo was already dead.

        Mayer did exactly what she was hired to do, sell it before it was a complete and total loss to investors.

        She's not a CEO thats good at running a company, she's a CEO that you put in place when you want the company dead with the least amount of pain as possible and a great scapegoat

        • by lucm ( 889690 )

          She's not a CEO thats good at running a company, she's a CEO that you put in place when you want the company dead with the least amount of pain as possible and a great scapegoat

          I see that you buy into the "glass cliff" narrative, but the truth is that no, she wasn't hired to sink the company. She was hired because board members thought that she had played a key role in creating Google and that she could bring some of that magic to Yahoo.

          The same board members who hired her tried repeatedly to get rid of her. See this famous letter:
          http://www.starboardvalue.com/... [starboardvalue.com]

          Don't rewrite history. She was given all the money and power she needed, and she failed, full stop.

      • Yahoo was a failing company before Mayer got anywhere near it. She failed to save it. At worst, maybe you could make an argument that she hastened its demise.

        At the same time, when a company is on its last leg like that, you only really have two choices:

        1) Accept that it's going to fail and try to stretch things out as long as possible.
        2) Take a gamble and try to rescue it. If it doesn't work, you may be hastening its demise.

        I don't know all the details, so I'm not going to try to argue whether she

        • by HiThere ( 15173 )

          Based on various different news reports, I'd say that she was a very bad CEO, but not a truly terrible one. Yahoo was dying, and nobody was going to save it, so she ended up with the job of killing it in the most profitable manner. She killed it in a profitable manner. She hurt more people than she needed to in the process, and she was greedy, but nobody was going to do a job like that for idealistic reasons.

          • Well that raises a question for me: If her job was to kill Yahoo in a profitable manner, and she killed Yahoo in a profitable manner, then was she a bad CEO?

            • by HiThere ( 15173 )

              She hurt a lot more people than she had to, and she was greedy. So yes, she was a bad CEO.

        • by lucm ( 889690 )

          I'm not going to try to argue whether she was a good CEO or bad one, but it's not like Yahoo was a thriving company with a bright future.

          Yahoo was making a profit between 1 and 4 billions per year, for the 10 years prior to Mayer. Now the company doesn't exist.

          Feel free to be nonchalant with billions of dollars, millions of users and tens of thousands of employees if you want, but this was real money for real people, and now it's gone.

  • by Reverend Green ( 4973045 ) on Monday October 09, 2017 @11:50PM (#55341111)

    Site designed to help capitalists to abuse workers is abused by non-capitalists. I feel profound indifference.

  • If corporations are people, give that bastard the electric chair.

  • âoeWith your consent your personal data can be retrieved only by credentialed verifiersâ

    However, without your consent, weâ(TM)ll share it with anyone that offers us money. And we never seek your consent.

  • ...you are golden? Good to know!!

  • Dox Congress (Score:5, Insightful)

    by Required Snark ( 1702878 ) on Tuesday October 10, 2017 @01:21AM (#55341285)
    The only way to wake the government up is to stick a red hot poker up it's collective ass. In this case Congress has spent decades sucking up to self serving business dimwits who think security is a waste of money. The answer: dox every member in Congress, both House and Senate. That would get their attention.

    It's not like their info isn't already compromised. Between Equifax and all the other leaks, particularly the Office of Personal Management fiasco, everyone who gets a government paycheck can easily have their identity stolen. It's a dead certainty that both the Russians and the Chinese can impersonate anyone in the government online almost instantly. It's a security nightmare that has been covered up. Showing how completely screwed all our security is would be a public service. It would force government and business to behave responsibly for a change.

    The really ballsy move would be to apply for credit cards for all of Congress and then go to Amazon and buy a sex toy packing, one for their office and one for their home. It would be suicidal at the level of Kim Dotcom or Assange, but it would be funny. You could have a great laugh in Gitmo when the FBI is tasering your eyeballs.

  • by doctorvo ( 5019381 ) on Tuesday October 10, 2017 @02:28AM (#55341393)

    Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans

    Sweden makes tax returns public with no apparent ill effect. The US already makes real estate values, ownership, and taxes public, and we should do the same thing for income tax returns.

    • Agreed. The problem isn't public access to information it's limited private access to information. Some of the comments above about corporations using the information as leverage are missing the point. The leverage doesn't extend from their access to the information, it extends from their unique access which the employee doesn't have.

    • by Anonymous Coward

      Sweden also has a rational worker protection system and isn't an economic titan. You can't just copy/paste policy onto the US without the infrastructure and culture that makes it work and expect the same results.

    • by PPH ( 736903 )

      Just another reason to be a sole proprietor/contractor. Who else did I or do I work for? Sorry, that's privileged information. How much did I or do I earn? That varies, sometimes by an order magnitude. Do you really want to pay my top rate when I might be negotiating a lower one with you just to do some interesting work.

      And 'work history' is also a tool of corporate espionage. When you are a key person in an industry, who you are working with will give competitors an idea about new products and strategic d

      • by godrik ( 1287354 )

        And 'work history' is also a tool of corporate espionage. When you are a key person in an industry, who you are working with will give competitors an idea about new products and strategic decision making.

        Interesting, I never thought of that. Though for most employment/global statistics usage, history 2 years back might just be good enough.

      • Just another reason to be a sole proprietor/contractor. Who else did I or do I work for? Sorry, that's privileged information.

        Not if your tax returns were public.

        And 'work history' is also a tool of corporate espionage.

        By definition, obtaining government-published data is not "corporate espionage".

        When you are a key person in an industry, who you are working with will give competitors an idea about new products and strategic decision making.

        And the problem with that would be... ?

        • by PPH ( 736903 )

          Not if your tax returns were public.

          I'll incorporate overseas in a country with strict privacy laws.

          By definition, obtaining government-published data is not "corporate espionage".

          My companies' government won't publish data.

          • Well, the fact that you throw a hissy fit over publishing your salary doesn't amount to a rational, convincing argument against such a policy.

You know you've landed gear-up when it takes full power to taxi.

Working...