"there were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct."
Seems like Troy is skeptical about this being a real full breach?
You probably are posting this as a joke, but without a clear technical solution to this problem, flooding the industry with bullshit data seems like a great avenue.
I have a silly standup joke along these lines, about how I'd Google crazy things like "circus lawyer" or "giraffe mitigation tactics" to throw the algorithm off every now and then.
My friend is a thriller writer and is convinced he’s on some FBI list. He’s googling stuff such as “how to dissolve a body with quicklime” and all sorts of other fun stuff while researching for his books.
The quicklime method shouldn't be particularly fast, at least that's what my chemical intuition says (CaOH2 is barely soluble in water). What a bad name!
In the most general context it means "with the characteristics of the living" (as seen through a middle ages lens).
In the context of "quicklime" the quick refers to the heat of the reaction when making lime for slaking on walls, etc.
"Quick" historically has been applied to plants and animals (alive), rivers and streams (moving), coals, fires, quicklime (burning, heat producing, glowing), to speeches and pamphlets (lively, full of vigour or sharp argument), to tastes, to smells, and more.
The full blown Oxford English Dictionary entry for quick is a lengthy one, multiple cases and variations over a page and more.
That was the idea behind certain applications and add-ons that would browse around to popular websites and randomly click ads so that marketers couldn't tell your actual interests from fake ones.
Unfortunately that strategy is deeply flawed and dangerous because nobody cares if the data they have on you is accurate or not. They still can, and still will, use it against you at every opportunity. Every scrap of data they have, accurate or not, can be used to hurt you.
The only way to flood data brokers with garbage data that can't hurt anyone is to fill it with entirely fictitious people who somehow can't be mistaken for any actual people. Even that runs the risk of hurting real people though. For example, an insurance company might go to a data broker and ask for the number of people within a certain neighborhood or zip code who bought fast food more than once a week in the last year and how many have a gym membership. If the number of frequent fast food buyers is higher than it was last year and/or the number of gym members is lower, the insurance company might decide to raise the rates of every single member within that neighborhood or zip code. Even fake people could skew those numbers if their fake data said they lived in those zip codes or neighborhoods and ate out a lot or didn't have a gym membership. Indirectly, the fake person is mistaken for being a real one in that community.
The best way to deal with data brokers is to regulate them with strong data protection laws. Anything you give them risks hurting someone and gives them another data point to sell.
I doubt it, since nobody is being denied housing or services. Health insurance companies have plenty of data to back up their practice. Your zip code might be the single most important predictor for longevity (https://time.com/5608268/zip-code-health/).
More importantly, your insurance company is never going to tell you that that's why they raised your rates. You're just going to see a high bill. Same way that a potential employer isn't going to tell you that you didn't get the job because of something you said on social media 14 years ago, or because the information they got from a data broker says you drink a lot. You just get ghosted.
That's the problem with surveillance capitalism. Even as all that data increasingly impacts your life you're almost never aware that it's happening and have no ability to appeal or correct the record.
Isn't something like regulation with strong data protection laws a bit late at this point? It seems fair to say that most people alive are already scooped up in 1 large data breach or another.
And that data has been made public likely in some form, and is probably replicated to dark corners of the planet.
Don't get me wrong, regulation on these industries seems like a no-brainer, but it seems unlikely to remediate the damage already done.
That's kind of true. Preventing the sale of it will make it harder for it to be used against you. Even if scammers can still buy or download your data from the darkweb your future employers and the companies you interact with are a lot less likely to go that far to get their hands on it, so all that data being out there will impact your life less and less. Even better, fewer places will be collecting new data about you. Your social security number and date of birth don't really change, but your income, medical conditions, home address, spending habits, sex life, and location history do.
You can never know what might prejudice someone else against you. Maybe you get flagged as being gay when you aren't, or as holding certain religious or political views that you don't. Extremists, activists, and protestors can go to a data broker and buy up lists of people to harass or attack. Data brokers have already been caught collecting data on people who visited Planned Parenthood locations and selling that data to anti-abortion groups.
You could be incorrectly flagged as having more money than you do, causing companies to charge you more than they charge your neighbors for the exact same items. Discriminatory pricing has been happening for a very long time. Just using a different browser can cause prices for some online services to change. (https://www.bostonglobe.com/business/2014/10/22/online-shopp...) For example, Apple users might be seen as having/spending more money and so the prices they get for hotels and airfare can be higher. Increasingly, brick and mortar stores have been trying to get in on the action too. (https://link.springer.com/article/10.1057/s41272-019-00224-3)
If you have a browser extension that randomly visits sites and clicks on ads, maybe it clicks a bunch of ads for alcohol or marijuana. Maybe it clicks on ads for mental health services, addiction/recovery services, or suicide hotlines. That data can be used against you in court during a divorce/child custody case. It might make a company less likely to hire you. It might cause your health insurance company to charge you more.
Maybe it clicks on ads for DUI attorneys and suddenly your auto insurance rates go up. The company isn't going to tell you that's why. They might not even know why. Their algorithm just decided you were more high risk than before.
Any data for sale, accurate or not, is going to be used against you. The people paying data brokers for information about you aren't doing it because they want to help you. They want to help themselves at your expense. And it's insane how many people are buying up that data and using it whenever they feel it might give them even the smallest advantage. Companies are using that data to decide things like how long to leave you on hold when you call them. (https://www.nytimes.com/2019/11/04/business/secret-consumer-...)
That has been my strategy for the last decade or so. Unless I have a solid reason to, I never use my real name when placing orders and generally never the same fake name twice, always use a virtual credit card, and if it's a non-physical product I don't even use my real address. I have some old phones I throw pre-paid SIM cards into when I need to do number confirmation. The goal is to create a little consistent linkable data to me and at least generate some noise in all these data broker collection processes.
I do the same, I worry that eventually someone's going to need to see my driver's license and refuse me because my ancient account info doesn't match.
"It says here that this shipment is for Firstname Lastname at 1 Main St, Yourcity, born January 1st in the same year as you. Your license has a different address and different birth day and month, so you're not the same person."
In fact there are far fewer valid Socials. They follow a system where guessing a number of digits is fairly determined based on year and state of birth.
While I have never dealt with one of the paid services someone ran one on me as an example of what is out there (nothing malicious about it) and just about everything on it was accurate or close to it. Only one thing on it wasn't at least pretty close to the truth--it had me living in a state I've never set foot in. And quite a few other people seemed to have the same address at one point or another.
I'm in the UK so I have no Social Security Number, and I still got the HIBP e-mail.
When I looked into it, it turns out the "original" breach is comprised of files named ssn.txt and ssn2.txt, which only contain Americans' details and don't contain any e-mail addresses.
It seems what happened is there was one leak of US SSNs which the leakers attributed to NPD, then some people bundled that leak up with a bunch of other data (including e-mail addresses and details of non-Americans) and who knows if the latter data actually came from NPD?
I don't think it's a "full" breach because I assume that would include many tera/petabytes of original source documents rather than just a CSV of PII, but it's definitely a real breach.
I looked up several family members and although most of the phone numbers and addresses were out of date, they were accurate as were the listed social security numbers. However, it didn't include any of the more recent immigrants in the family or myself, possibly because I take opsec seriously.
Funny enough it looks like it has data for Tom Brady, former FBI director James Comey, Barack Obama, and Donald Trump (just some of the names that popped into my mind to look up).