
This really pisses me off. It's only a matter of time before some random person opens up a cellphone, utility, or bank account... or worse. Completely messed up.

Every American should be scared shitless at this incompetence. It's going to cost everyone thousands of dollars over their lives for credit fraud protection. Just another expense to add.



It's also extortion. "Please pay us money to solve the massive problem we created." I don't know how it's legal.


Not saying it would be great in the short term, but I wonder how it would play out if the entire database was made widely available. It seems like it would be a lot harder to enforce a debt if the borrower was originally identified based on "secrets" that were well known to be public at the time. Maybe then they would come up with a better authentication scheme than "what color was your first car?"


It would be an awful lot like the end of Fight Club. Destroy credit records, or reduce them to meaningless, either way the economy would collapse.

People can complain all they want about credit, but the reality is that it exists as a financial service because loaning things with interest is probably older than agriculture in human society. We've just gotten very good at risk assessment, and this going public would ruin our ability to assess risk for years.

Honestly, the credit industry ought to be the ones raging against Equifax's fuck up. If only all the other credit bureaus weren't on eggshells hoping they're not next.


Credit and existing credit records would still be easily available.

The only change would be that you need to present photo ID in person to open new credit lines... which doesn't seem that unreasonable really.


How have we got very good at assessing risk?

So far, I have had three phones signed up in my name (essentially stolen from the suppliers), can't easily get a mortgage because I own my own company, somehow making me riskier than people who earn half my income, and in the past had my credit card limit extended to £10,000 without asking when I was almost broke.

To me that doesn't sound like they're good at assessing risk at all, they're just blindly following extremely simple algos instead of knowing their customers.

The records wouldn't be rendered meaningless anyway, the fundamental of a credit report is how much debt you already have and if you ever miss payments or have judgements against you. Then a lender compares that to your income.


> It would be an awful lot like the end of Fight Club

The film ended that way. The novel had a different, more Palahniuk-ish ending. Spoil it for yourself if you must at https://en.wikipedia.org/wiki/Fight_Club_(novel)


> interest is probably older than agriculture

Off-topic I know, but quantitative economics and bureaucracies were both born out of agriculture; before that value was subjective.


Maybe then enough people at the same time would pressure state and federal legislators to regulate suspicious data brokers and creditors (and/or address insufficient/broken authentication in new credit accounts).

The Target breach was the thing that finally catalyzed the move from magstripe ccs to EMV ccs. I think we are currently on the precipice of the point when we need to move towards a second factor of authentication ("something you have" or "something you are" in addition to the lots of "something you know" that the current credit bureau system uses).


What would happen if the DB was widely available and many many people just randomly and inexplicably opened as many random accounts as possible - it would cause chaos in the economy.

What would an accurate "what if" scenario like this look like?


That's the first five minutes. Then the market for new consumer credit would seize up, banking share prices would flip out, and talking heads on cable would have something new to hyperventilate over.

Overall, many thousands of folks would have their home plans/vacation/card-flipping/whatever plans screwed up, some thousands would have a more severe financial problem, the banks would muddle through, "we'd" rebuild the financial-surveillance system over again, and it would probably be less stupid in some ways at the cost of being more uniformly intrusive.



The thing is, up until now, there was a false sense of security that if someone didn't have your SSN, they couldn't open up financial accounts as you. And there was little being done to protect people whose SSNs are already disclosed in some way.

With such a large percentage of our social security numbers being potentially outright public, financial institutions need to stop assuming that an account holder is legitimate because they provide an SSN. And it is in their best interests to do so, since they end up on the hook in most cases for fraudulent accounts (after putting you through an awful process to prove it isn't yours).

For example, rather than letting someone sign up for an account with the SSN as a verification of identity, new credit accounts could potentially be considered probationary (or just outright not created) until a one-time code is mailed to the credit holder's established home address (based on their existing credits and payment history) as confirmation that the real person with that SSN authorizes that transaction. While such a step would not be completely impossible to defeat, it would mitigate attackers on the other side of the globe opening fraudulent accounts.


Agreed. If you used medical services in any significant way before 2010, your SS and birthdate were all over the place in insurance and medical records.


> It's going to cost everyone thousands of dollars over their lives for credit fraud protection.

In my mind, the Just thing to do would be for Equifax to offer ongoing fraud protection to all of their customers affected by this leak. (Gosh, that might be expensive!)


I mean sure, if they can't make fraud-avoidance part of their fundamental business model.


This issue has existed before the hack. None of these companies give a shit about security. Maybe this will change things.


They won't care until they have to personally pay out of pocket. Many of us probably will, but they won't.



