The nonconsensually compiled dossiers of personal information that @experian_us assembled on the entire population of the USA may currently be exposed via dozens, perhaps hundreds, of sites, thanks to a grossly negligent security defect in Experian's API.

1/
[Image: KC Green's (https://kcgreendotcom.com/) infamous "This]
The breach was detected by @BillDemirkapi, a security researcher and @RIT sophomore, and reported on by @briankrebs, the excellent independent security reporter.

krebsonsecurity.com/2021/04/experi…

2/
Experian, like Equifax, has unilaterally arrogated to itself the right to collect, store and disseminate our personal information, and, like Equifax, it faces little regulation, including obligations not to harm us or penalties when it does.

3/
Experian's API allows criminals to retrieve your credit info by supplying your name and address, information that is typically easy to find, especially in the wake of multiple other breaches, such as @doordash's 5m-person 2019 breach and @drizzly's 2.5m-person 2020 breach.

4/
Demirkapi explains that the API is implemented by many, many sites across the internet, and while Experian assured Krebs that this bug only affected a single site, it did not explain how it came to that conclusion.

5/
Demirkapi discovered the defect while he was searching for a student loan vendor. There is a way to defend yourself against this attack: freeze your credit report. Credit freezes were made free (but opt-in only) in 2018, after the @Equifax breach.

krebsonsecurity.com/2018/09/credit…

6/
Indeed, you may have already been thinking about the Equifax breach as you read this. In many ways, that breach was a wasted opportunity to seriously re-examine the indefensible practices of the credit-reporting industry, which had not been seriously scrutinized since 1976.

7/
1976 was the year that Congress amended the Equal Credit Opportunity Act after hearing testimony about the abuses of the Retail Credit Company - a company that swiftly changed its name to "Equifax" to distance itself from the damning facts those hearings brought to light.

8/
Retail Credit/Equifax invented credit reporting when it was founded in Atlanta in 1899. For more than half a century, it served as a free market Stasi to whom neighbors could quietly report each other for violating social norms.

9/
Retail Credit's permanent, secret files recorded who was suspected of being gay, a "race-mixer" or a political dissident so that banks and insurance companies could discriminate against them.

jacobinmag.com/2017/09/equifa…

10/
This practice was only curbed when a coalition of white, straight conservative men discovered that they'd been misidentified as queers and commies and demanded action, whereupon Congress gave Americans limited rights to see and contest their secret files.

11/
But these controls were never more than symbolic. Congress couldn't truly blunt the power of these private-sector spooks, because the US government depends on them to determine eligibility for Social Security, Medicare and Medicaid.

12/
It's a public-private partnership from hell. Credit reporting bureaux collect data the government is not legally allowed to collect on its own, then sell that data to the government (Equifax makes $200m/year doing this).

web.archive.org/web/2017100420…

13/
These millions are recycled into lobbying efforts to ensure that the credit reporting bureaux can continue to spy on us, smear us, and recklessly endanger us by failing to safeguard the files they assemble on us.

14/
This is bad for America, but it's great for the credit reporting industry. The Big Three bureaux (Equifax, Experian and @Transunion) have been on a decade-long buying spree, gobbling up hundreds of smaller companies.

15/
These acquisitions lead directly to breaches: a Big Three company that buys a startup inherits its baling-wire-and-spit IT system, built in haste while the company pursued growth and acquisition.

16/
These IT systems have to be tied into the giant acquiring company's own databases, adding to the dozens of other systems that have been cobbled together from previous acquisitions.

17/
This became painfully apparent after the Equifax breach, so much so that even GOP Congressional Committee chairs called the breach "entirely preventable" and the result of "aggressive growth." But they refused to put any curbs on future acquisitions.

thehill.com/policy/technol…

18/
A lot has happened since Equifax, so you may have forgotten just how fucked up that situation was. Equifax's IT was so chaotic that they couldn't even encrypt the data they'd installed. Two months later, they "weren't sure" if it had been encrypted.

searchsecurity.techtarget.com/news/450429891…

19/
SIX MONTHS before the breach, outside experts began warning Equifax that they were exposing our data:

vice.com/en/article/ne3…

The ONLY action Equifax execs took? They sold off a shit-ton of stock:

bloomberg.com/news/articles/…

20/
The Equifax breach exposed the arrogance and impunity of the Big Three. Afterward, Equifax offered "free" credit monitoring to the people they'd harmed. One catch: it was free for a year; after that, they'd automatically bill you, annually, forever.

web.archive.org/web/2017091102…

21/
And you'd pay in another way if you signed up for that "free" service: the fine print took away your right to sue Equifax, forever, no matter how they harmed you:

ibtimes.com/political-capi…

22/
The credit bureaux bill themselves as arbiters of the public's ability to take responsibility for their choices, but after the breach, the CEO blamed the entire affair on a single "forgetful" flunky:

engadget.com/2017-10-03-for…

23/
Then he stepped down and pocketed a $90m salary that his board voted in favor of:

fortune.com/2017/09/26/equ…

24/
Of course they did! His actions made the company so big that even after the breach, the IRS picked it to run its anti-fraud program. Equifax got $7.5m from Uncle Sucker, and would have kept it except that its anti-fraud site was SERVING MALWARE:

cbsnews.com/news/equifax-i…

25/
Equifax eventually settled all the claims against it for $700m in 2019:

nypost.com/2019/07/19/equ…

But it continued to average five errors per credit report:

washingtonpost.com/technology/201…

26/
And it continued to store sensitive user data in an unencrypted database whose login and password were "admin" and "admin":

finance.yahoo.com/news/equifax-p…

27/
Congress introduced multiple bills to force Equifax, Experian and Transunion to clean up their act.

None of those bills passed.

axios.com/after-equifaxs…

28/
The IRS shrugged its shoulders at America, telling the victims of Equifax's breach that their information had probably already leaked before Equifax doxed them, so no biggie:

thehill.com/policy/cyberse…

29/
Since then there have been other mass breaches, most recently the Facebook breach that exposed 500m people's sensitive data. That data can be merged with data from other breaches and even from "anonymized" data-sets that were deliberately released:

pluralistic.net/2021/04/21/re-…

30/
And while you can theoretically prevent your data from being stolen using the current Experian vulnerability by freezing your account, that's not as secure as it sounds.

31/
Back in 2017, Brian Krebs reported that Experian's services were so insecure that anyone could retrieve the PIN to unlock a frozen credit report by ticking a box on a website:

krebsonsecurity.com/2017/09/experi…

32/
That was just table-stakes - it turned out that ALL the credit bureaux had an arrangement with AT&T's telecoms credit agency that was so insecure that ANYONE could unlock your locked credit report:

krebsonsecurity.com/2018/05/anothe…

33/
These companies came into existence to spy on Americans in order to facilitate mass-scale, illegal financial discrimination on racist, ideological and sexual grounds. They gather data of enormous import and sensitivity - data no one should be gathering, much less retaining and sharing.

34/
They handle this data in cavalier ways, secure in the knowledge that their integration with the US government wins them powerful stakeholders who will ensure that the penalties for the harm they inflict add up to less than the profits those harms generate for their shareholders.

35/
This is why America needs a federal privacy law with a "private right of action" - the ability to sue companies that harm you, rather than hoping that federal prosecutors or regulators will decide to enforce the law.

pluralistic.net/2021/04/16/whe…

36/
Experian promises that this breach only affects one company that mis-implemented its API. We would be suckers to take it at its word. It didn't know about this breach until a college sophomore sent in a bug report - how would it know if there were others?

37/
If you'd like an unrolled version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog: pluralistic.net/2021/04/30/dox…

Image:
@kcgreenn (modified)
kcgreendotcom.com

eof
