Corporations really are amazing. They are, simultaneously, in a superposition of getting away with crimes because they don't exist, and providing goods and services and benefitting shareholders because they do. Remarkable.
I understand the sentiment but while big companies can break the law with impunity you certainly can't. Companies can ignore IP law and any other law they want and they will very likely profit from it, even if they manage to get caught and earn a tiny slap on the wrist. If you on the other hand break even a minor infraction the state will throw the book at you with everything they have, your criminal record will mean that you will struggle to get work and housing, and you can lose everything.
Then they disrespect IP laws on an even bigger scale and use all of your code/text/images to train generative tools they sell for money. Can't stick it to them...
I suppose that you’ve got the case law to back up your assertions about disrespecting IP laws? Or is this just another case of a developer thinking that they know how the legal system works.
I'd start there, but I'm fine with holding companies accountable as a whole at a certain point. A corporate death penalty could be a useful tool. At this point though I'd take just about any meaningful consequences for corporations that take actions which would land you or I in massive amounts of trouble.
They were accessing a system via internal endpoints not released to the public. They were also using stolen credentials a former employee of songbird brought over to ticketmaster, and accessed devices using stolen credentials. If that isn't "hacking" then the word has lost all meaning.
IANAL but this is textbook unauthorized access of a computer as has been drilled into me in every boring corporate training I do for my security work and thus is "hacking".
Telling the judge "but I wasn't wearing my black hoodie while listening to K-pop while doing it!" is going to be about as effective as telling the judge the legal code can't be trusted because it's not backed by a CI/CD system adhering to Agile practices. (Which a non-trivial number of Hacker News posters probably think would work.)
Let's put it this way - if he held on to his badge/keys to enter a building and used these credentials to access a computer system without authorization, then yes, it would be called hacking. The word hacking gets thrown around in dumb contexts sometimes, but this is perhaps the clearest use of the word "hacking" I can think of.
Like, what would make this hacking to you? The way an attacker gains credentials to access a system does not really matter. If he socially engineered these credentials, it'd still be hacking.
Let's put it this way: before there were even laws against hacking, if you had a key you shouldn't have and you used it to get into a building and steal some IP, if you were charged, it would be with trespass or breaking & entering, not hacking.
The term is appropriate, but it tends to evoke ideas of serious crimes, when hacking can be much more innocuous acts that often don't see much in the way of prosecution.
> Let's put it this way: we wouldn't call it hacking if he had held on to his badge/keys to the building and got the information that way.
If he did that it'd be prosecutable as breaking and entering, and it's perfectly reasonable to use the term "hacking" as the digital counterpart for "breaking and entering".
EDIT: It also looks like you work at Ticketmaster, or at least used to? If that's the case, that's a rather weird thing not to mention in the context of this thread.
To be clear: I agree it was hacking. I'm saying that aside from the IP theft angle, this kind of hacking doesn't usually get heavy handed consequences for individuals. AFAIK, the individual involved was not prosecuted criminally.
I used to work at Ticketmaster. I don't anymore and I didn't at the time of the incident, so it didn't seem relevant to the discussion.
> No, they'd have called it trespassing. That's the point I think I'm making.
No, if someone retains a key to a location after their legal authorization to access the location has been rescinded, and then uses it to access that physical location, that is breaking and entering.
Regardless, "if they committed this crime with physical means instead of digitally, there would be a different criminal charge and a different word for it" is a point that is not particularly insightful, relevant, or interesting to discuss.
Breaking and entering requires the use of force. Absent that, it is trespass.
The claim was that individuals suffer bigger consequences than people. The person involved was not fined $10 million. AFAIK, they were not prosecuted criminally.
> Breaking and entering requires the use of force. Absent that, it is trespass.
No. This is right up there with "you can't report a person missing until it's been 24 hours" for most common popular legal misconceptions. It would be prosecutable as breaking and entering.
> The claim was that individuals suffer bigger consequences than people. The person involved was not fined $10 million. AFAIK, they were not prosecuted criminally.
Yeah, and that's not the comparison OP was making. If that's what you took away, read again, because you missed their point entirely.
> An individual did do this. They did not go to jail.
Right, and that's not the point OP was making.
> Trespass vs. B&E is nuanced, and I'm definitely oversimplifying it. The "misconception" is widespread enough that it includes lawyers
I'm guessing you didn't bother to read the link you dropped, because it actually undermines your entire claim. Before you pat yourself on the back, you might want to look up what qualifies as "use of force". It's not the way you seem to be using the word.
The only lens through which what you're saying is even vaguely correct is that some states don't have a specific statute of "breaking and entering", instead prosecuting it as "criminal trespass", but even then it's a distinction without a difference: it's prosecutable as a charge for using force to gain unauthorized access to a location with the express intent of committing a felony.
In any case, this whole discussion is pretty pointless, because as I already said, the fact that there's a different word used when the crime happens in meatspace vs. cyberspace is wholly uninteresting and not relevant to the original topic, and - as I also already said - you have clearly misunderstood the crux of OP's statement and so there's no point in continuing down this rabbithole.
> I'm guessing you didn't bother to read the link you dropped, because it actually undermines your entire claim. Before you pat yourself on the back, you might want to look up what qualifies as "use of force". It's not the way you seem to be using the word.
That's a good guess, but wrong.
> The only lens through which what you're saying is even vaguely correct is that some states don't have a specific statute of "breaking and entering", instead prosecuting it as "criminal trespass", but even then it's a distinction without a difference: it's prosecutable as a charge for using force to gain unauthorized access to a location with the express intent of committing a felony.
I mentioned that trespass vs. B&E is nuanced, and that I was definitely oversimplifying it. If someone was curious they might have investigated this matter for the relevant jurisdiction. They might even have some familiarity with the case. But that would indeed require more curiosity than someone who doesn't even read a link before they drop it.
> In any case, this whole discussion is pretty pointless, because as I already said, the fact that there's a different word used when the crime happens in meatspace vs. cyberspace is wholly uninteresting and not relevant to the original topic, and - as I also already said - you have clearly misunderstood the crux of OP's statement and so there's no point in continuing down this rabbithole.
Or maybe I just wasn't doing a good job of being clear on the point. There was both an individual and a corporation at fault in that specific case, so you don't have to speculate as to which party was more severely punished. The OP's assertion is flat wrong.
No they don't. Rules for companies and individuals are different in this country, unless you possess some secret to getting away with potentially ruining the lives of 1.5 times the population of the United States with the financial equivalent of a slap on the wrist.
I feel sad saying this: I don't think it's right, but I worry less and less about these as time goes on; Not because I don't think it sucks, but because my information has been in so many breaches up to this point that I'm not sure what value there is left in any data that might appear in subsequent breaches.
Whenever HIBP sends me a notice I just think "oh well, add it to the pile". By this point I just assume any info I share with any company WILL be leaked eventually. Which is why I'd like to see an equivalent of the GDPR in the US, because companies won't do the right thing (collect the minimum necessary) unless they're legally forced to.
My favorite is when a credit bureau like Experian leaks your info and offers free monitoring as compensation - but you have to give them your info again to get the free monitoring.
In my case my partner (Abby) made a new friend (Brandy). Brandy called me a few times while we were coordinating social activities. Brandy’s soon-to-be ex-husband (Malicious Michael) saw the late-night phone calls on the phone bill records, looked up my phone number, saw that I was a man, assumed she started dating me, and became completely obsessed with me.
Now I get about 30 texts and 12 emails from Mike every day, all of them very deranged and alarming. I have never met, interacted, talked with, responded to, or crossed paths with Mike.
But suddenly I have to worry about how even these relatively benign leaks might impact his ability to find me or attempt to fuck up my life.
Reply to the texts with "dick pics"...but of horse or cow penis. Chances are pretty good he will block you or just stop soon after the first.
For email...auto reply with links to https://en.wikipedia.org/wiki/Goatse.cx
or go for the rabbit hole and toss out a random OnlyFans / Ashley Madison / Grinder page.
I had a vaguely similar (but way less threatening) situation years ago. Fortunately Brandy alerted me to Mike’s awareness and anger, and gave me his number.
I blocked it immediately. So he might have texted me a bunch of angry stuff. I’ve no idea. I never saw it.
Block him. He’ll get bored. I wish you the best, it’s not nice.
I don’t block so that I have an evidence file in case I need it. However, I do not ever respond, so it’s effectively the same experience as being blocked.
> Based on data provided to us by the Threat Group responsible for the compromise, we can assert with a high degree of confidence the data is legitimate. Date ranges in the database appear to go as far back as 2011. However, some dates show information from the mid-2000's.
> NOTE: The data provided to us, even as a 'sample', was absurdly large and made it difficult to review in depth. We are unable to verify the authenticity of financial information. Briefly skimming the PII present in the dump, it appears authentic.
SEC registrants are required to make a disclosure within 4 business days once a cybersecurity incident is deemed by the company to be material to a reasonable investor.
This story was initially circulated two days ago with a blanket statement of “AUS Home Affairs confirms the breach” - which at the time was false because they only acknowledged the rumour.
Whether or not it’s a rumour based on speculation has nothing to do with it. It either is or it isn’t.
> The Department of Home Affairs said it is aware of a cyber incident impacting Ticketmaster customers in response to claims it is part of a data leak expected to impact millions of customers globally.
How exactly does "being aware" count as "confirmation" in this case?
Any other article (outside of those who used ABC Aus as a source) on this matter has specifically used words like "allegedly", "purported", etc.
Any negative news that can influence the share price is material information. A hack, involving payment means, of 500M users is definitely material information.
Also. As the excellent Matt Levine never ceases to repeat : everything is securities fraud.
If you didn't state in your regular filings "our security is poor, we may get hacked", then you lied by omission.
The SEC’s job is the integrity of the securities market. The user would be the concern of a consumer rights authority (the FTC) or a privacy protection one (I don’t think the US has one of those on the federal level?). That the SEC is the way we learn about these things is nothing more than a relatively recent hack, and how widespread the damage from that hackery is going to be is not yet clear.
(E.g. “money laundering” seemed like a reasonable hack for the first couple of decades, but these days banks have turned into a surveillance and enforcement apparatus with a presumption of guilt and no right of appeal.)
I don't make the rules, and it is unfortunate there is still a wide gap between current state and desired end state wrt citizen harm; to understand the rules is to leverage them to arrive at a desired outcome. Code for some hackers, legal and regulatory frameworks for others. Simply different syntax, runtimes, and exception handling.
The reason the investors care is presumably because of the fear that there will be significant, material financial consequences for the business arising from harms that affect the users.
If the expectation was that users were screwed and would not be entitled to any compensation, then the news of this breach would be no more material to the company’s investors than learning that the air conditioning was set to the wrong temperature in one of the company’s offices for a few hours.
Although I doubt they would buy it back, their customers all hate them, they have the worst reputation, and they've never given any shits about that. So I don't think they'll do any of that anyhow.
> their customers all hate them, they have the worst reputation
Maybe worth pointing out- that's a feature, not a bug.
The value Ticketmaster provides is taking the anger from fans for high prices. The performers (and producers/labels/whatever) want to extract as much value from their fans as they can, and having Ticketmaster look like the greedy badperson prevents their fans from being mad at them.
PS. I just wanted to note, this is by the same outfit also responsible for the Santander breach. (Both, apparently, due to a successful breach of an upstream storage provider.)
There's not much press going on for this breach yet. I've never heard of Hudson Rock until I read their report about Snowflake today. Only reputable outlet I've seen make an article yet is BleepingComputer.
A few that might be dangerous. Pfizer, CMS Healthcare, Playstation (Sony), the LA school district, KFC, Freddie Mac (sideshow bob sound...), Capital One, AT&T, Yamaha, Vanderbilt, the Superior Court of California, Square, Siemens Health, Pacific Life Insurance, Ohio Worker's Compensation, Netgear, Micron, HP, Western Union, Warner Music Group, Siemens, Juniper Networks, Forbes, Comcast, City of Tacoma (very financially transparent, cloudy even), Autodesk, and Auburn University.
Also, general informational map of those likely affected based on the Ticketmaster breach at least.
The Snowflake breach supposedly affects up to 400 companies with a single credential exfiltration. The world wide web's starting to seem like more work than it's worth...
Also, lots of coverage. Just not front and center.
Thanks. Mostly just got curious about how extensive the issues might be. Once I realized TechCrunch had actually tried the accounts and Ticketmaster said they were all real accounts, then it got a bit more serious. (italic emphasis mine below)
> TechCrunch on Friday obtained a portion of the allegedly stolen data containing thousands of records, including email addresses. This included several internal Ticketmaster email addresses used for testing, which are not public but appear as real Ticketmaster accounts. TechCrunch verified on Friday that the records we checked belong to Ticketmaster customers.
> TechCrunch checked the validity of these accounts by running the internal email addresses through Ticketmaster’s sign-up form. All of the accounts came back as real. (Ticketmaster displays an error if someone enters an email address that is already a real Ticketmaster account.)
In addition to the accounts working, which in itself is pretty bad, there's also the internal test accounts.
The intent of GP's comment is to imply the hack is a Snowflake hack that happens to compromise Ticketmaster data. If this was a compromise of a Ticketmaster account that managed their data at Snowflake, Snowflake would have been downstream of the original compromise.
This is a far more scary claim than OP's article, because that means there could be many more compromised customers out there that don't know it yet. It's a bit chilling, knowing some friends might be in deep shit.
On one hand, yes, there's a certain amount of schadenfreude here, because I have on multiple occasions been more or less annoyed by Ticketmaster. On the other hand, because I've used them quite a lot (because for many events, what other choice is there?), I can't say I'm terribly happy that my personal information has been so thoroughly exposed via this hack. And I'm more than a bit frustrated that Ticketmaster/Live Nation have been so careless and sloppy with their security - and employee training and vetting - to allow this to happen.
Boy I sure am glad that Ticketmaster refused to let me change my email address some months back when I was trying to clean up my profile and change the registered address from my_handle@gmail.com to my_handle+ticketmaster@gmail.com.
The actual relevant question is: how many of you make a point of disallowing this? You have to go out of your way to make that not work, given that + is a valid character in email addresses.
This is why my preferred email regex is just .*@.* (I've been talked into .*@.*\..{2,} before as a slightly more restrictive pattern). And I realize there may be times/places this is not satisfactory, but it works for most general cases.
> Only a small minority of my email addresses I've ever had matches that pattern.
The example is illustrative, and not definitive, as to how the simple and innocuous decision about a regex can determine functionality, and it is not about someone going "out of your way to make that not work" to break things.
I don't know if that's what you're trying to say, but what it illustrates to me is how easy it is to quickly cook up a simple regex to filter out certain patterns in email addresses and feel like it's doing the job, while unintentionally breaking things for a large number of people you don't have on your radar.
I think I misunderstood your point before. I thought you wanted to show a regex that _intentionally_ disables it. It also happens to disable a lot more, making it a bad choice. Now I'm thinking that you might actually agree with that.
I work at a place that just recently clamped down on this. We decided to normalize the emails so that we have a column in the db like "email" and then also "normalized_email" where normalized_email has a unique key on it too. This way, people can still make their email look like whatever they want, but they also only get 1 per email inbox.
This was all because people were doing abuse more easily by churning lots of accounts while only needing 1 gmail address. Plugging this gap was a huge deal for us in reducing card testing problems.
This sounds like a very nice compromise actually. I'm surprised it helped with abuse though, since there's a lot of email providers that are easier to create an account with than gmail.
A big part of handling abuse is to recognize that you cannot win - all you can do is better. And a big part of abuse is just raising the bar of sophistication required to abuse you. We went from "any random script kiddie with a gmail account gets infinite accounts easily" to "now someone has to use a custom email domain" (which is easy for us to just banhammer the domain), which both requires sophistication and money. And it makes the banhammer-swing more on par with the amount of effort they have to put in to evade it - banning the domain means go find another domain and pay another registrar fee.
We’ve done this for a long while too. You can use subaddressing, but you’re still limited to one account per “base email”. We also normalize dots and other methods of reusing an email account.
Just changing the delimiter would probably thwart most efforts like this. I self host so am not limited to the + character. So, I currently use name-subaddress@domain. I could easily switch to using underscore as my delimiter. Or I could just use subaddress@domain. This is dead simple and I don’t even have commercial motivation. Good luck!
I mean, sure, but it does thwart the vast majority of users who don’t even know this is an option. Most people don't know you can have an email from someone other than the major providers, let alone on a custom domain or selfhosted.
At the end of the day, nothing will thwart a determined person. But that’s not the goal. If it deters the vast majority of your users from making duplicate accounts, then it’s still a success.
Yes, and another super cool thing is the prevention of accidental screwups where someone typos their email. If the typo collides with an existing account after normalization, it could be (correctly) rejected. Without this normalization index, you could have ronx@gmail pre-existing, someone trying to type "rob.x" typos "ron.x" -- and now a bunch of emails start going out to poor "ronx" (who often doesn't understand what's going on, thinks his account is 'hacked,' etc.). Ideally, the system would (for Gmail addresses) reject "ron.x" knowing it's basically tied to an existing user.
> We also normalize dots and other methods of reusing an email account.
Is that limited by domain? gmail's dot handling isn't at all standard; e.g. john.doe@outlook.com and johndoe@outlook.com are different accounts, as are john.doe@icloud.com and johndoe@icloud.com.
Yes. Some of it is handled by our email verification provider while others are done in-house based on real-world experience. We handle a bunch of the major domains that our users use.
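A worked version of the "normalized_email" unique-key approach discussed in the comments above (Gmail dots and "+suffix" collapsed, Outlook/iCloud "+suffix" only, with the "ron.x" vs "ronx" typo collision rejected). This is added example code, not code from any commenter's system; the domain lists, the googlemail.com alias and the lower-casing of the local part are assumptions.

```python
"""Per-domain email normalization for a unique "normalized_email" column.

Assumptions (not from the thread's own code): Gmail ignores dots and
"+suffix" in the local part; Outlook/iCloud honour "+suffix" sub-addressing
but treat dots as significant; local parts are folded to lower case as a
pragmatic choice even though RFC 5321 allows case-sensitive local parts.
"""
from __future__ import annotations

# Domains where dots in the local part carry no meaning and +suffix is dropped.
DOT_INSENSITIVE = {"gmail.com"}
# Domains that support +suffix sub-addressing but where dots are significant.
PLUS_ONLY = {"outlook.com", "hotmail.com", "live.com", "icloud.com", "me.com"}
# Alias domains mapped onto a canonical one (assumption: googlemail.com == gmail.com).
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


class InvalidEmail(ValueError):
    """Raised when the address cannot even be split into local@domain."""


def normalize_email(address: str) -> str:
    """Return the canonical key form of an address.

    Syntax checking is deliberately permissive, in the spirit of the
    ".*@.*" stance in the thread: exactly one "@" with non-empty sides.
    Quoted local parts containing "@" are rejected here on purpose, since
    the real validation step is delivering a verification mail anyway.
    """
    addr = address.strip()
    if addr.count("@") != 1:
        raise InvalidEmail(f"expected exactly one '@': {address!r}")
    local, domain = addr.split("@")
    if not local or not domain:
        raise InvalidEmail(f"empty local part or domain: {address!r}")

    domain = domain.lower().rstrip(".")          # domains are case-insensitive
    domain = DOMAIN_ALIASES.get(domain, domain)
    local = local.lower()

    if domain in DOT_INSENSITIVE or domain in PLUS_ONLY:
        local = local.split("+", 1)[0]           # drop the sub-address suffix
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")           # dots carry no meaning here
    if not local:
        raise InvalidEmail(f"local part empty after normalization: {address!r}")
    return f"{local}@{domain}"


class AccountRegistry:
    """Stand-in for a users table with a unique index on normalized_email.

    The display address is kept exactly as the user typed it; uniqueness is
    enforced on the normalized form only.
    """

    def __init__(self) -> None:
        self._by_norm: dict[str, str] = {}   # normalized -> address as entered

    def register(self, address: str) -> str:
        norm = normalize_email(address)
        if norm in self._by_norm:
            existing = self._by_norm[norm]
            raise ValueError(f"{address!r} collides with existing account {existing!r}")
        self._by_norm[norm] = address
        return norm

    def distinct_inboxes(self) -> int:
        """How many real mailboxes are behind the registered accounts."""
        return len(self._by_norm)


if __name__ == "__main__":
    reg = AccountRegistry()
    # Constructed sample sign-ups: three Gmail variants of one inbox, two
    # genuinely different iCloud inboxes, and a custom-domain address whose
    # "-" delimiter (as one commenter notes) is invisible to this scheme.
    for a in ("ronx@gmail.com", "john.doe@icloud.com", "johndoe@icloud.com",
              "My.Handle+ticketmaster@Gmail.com", "name-subaddress@example.org"):
        print(f"{a:40} -> {reg.register(a)}")
    for dup in ("ron.x@gmail.com", "R.O.N.X+abuse@googlemail.com"):
        try:
            reg.register(dup)
        except ValueError as e:
            print("rejected:", e)
    print("distinct inboxes:", reg.distinct_inboxes())
```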
You could 'accidentally' prevent it by enforcing some incorrect regexp like [a-zA-Z0-9]@[a-z.]+
Not allowing a '+' to appear in the local part is not even that unreasonable. It's against the standard, but then "My email is this@example.com"@example.com is valid according to the standard so take the standard with a grain of salt.
It's just to illustrate that the standard is more complicated than people might realise. I think you'll have problems getting most systems to accept an email address with two @s in it, but I might be wrong. Either way it would definitely break some (not too well written) code.
Though if possible I'd err on the side of being too permissive rather than too restrictive. In the end the only true way to validate an address is to send it an email.
> Why disallow it, or use it to argue that the standard isn't good?
Because lots of folks fat finger their own e-mail addresses and then complain that a 'site sucks' because signing up doesn't work. Sanity checking to protect people against themselves may be treated as a form of UX: it's probably why some forms insist you type (not copy-paste) your e-mail twice.
I'm perpetually flabbergasted by how anyone thinks this "no pasting" thing is a pro-accuracy idea. As though people would be copying from a bad source. I see this a lot on forms for bank account numbers -- maybe one of the least amenable formats to visually copying down and retyping, since they're never written with delimiters or punctuation. I store them in my password manager, and then some idiotic form wants me to type my 18-digit bank account number, twice, on my phone, where I can't see more than one application at a time.
1password has support for a custom domain. I bought an old generic webmail provider domain that is now defunct and use that.
I also use random name aliases on each signup. Even if you aggregate multiple breaches I doubt anybody would link it to an individual (me).
The big remaining issue is payments. I use multiple cards and rotate them regularly (I don't have access to privacy.com or similar where I am based).
I believe this is the future - feed each service you sign up to a new set of information and keep track in a password manager. Most services don't care what your real name is (I've been using an alias on services like Uber for ~10+ years).
icloud is also a good option - but I don't want to signal being an iCloud user.
How else would it work? It’s incredibly convenient. The option to create a new email is presented on signup forms, or you can open Hide My Email settings and generate one. I have hundreds of emails this way.
Like grandparent said: by having a catch-all email address on a domain. Then emails that are being sent to invalid email accounts on that domain end up in that mailbox.
I’m not sure that idea was thought through. An infinite number of addresses that all point to the same inbox is effectively the same as having one address.
The point of having multiple addresses delivering to the same mailbox is to be able to use per service custom emails. The grand-grand parent wanted a ticketmaster specific email, so if they sell their data, or it gets leaked, they know from the email address it was from ticketmaster, or another service.
Another commenter in the thread presented how their company "normalizes" gmail addresses by removing "." character and "+..." suffixes, so users don't abuse their system by creating multiple accounts with what is basically the same email. Having a catch-all mailbox allows people to circumvent this "security" measure.
I'm imagining that you actually want to have separate emails pointing to separate mailboxes, and for that case indeed, your solution is better, but for the life of me I can't imagine why anyone would prefer having to check multiple emails, instead of a single one. :D
Yeah I get it, just disagree that it circumvents anything. If emails actually worked this way then leaking the domain would be effectively the same as leaking an email is today. The + scheme doesn’t work because of the aforementioned normalization, and this domain thing wouldn’t work for the exact same reason - whoever had the leaked email could just send an email to <anything-they-want>@<yourdomain> and it’s all the same.
I've been encountering lately a surprising number of deliverability problems (as in, the emails never arrive) when I try to use "Hidden" icloud emails and Outlook.com aliases. Switching to gmail suddenly confirmations arrive. It's frustrating. Sample size of a few, but I am starting to think that companies who aren't Google are starting to lose the spam war in a way that is leading to blackholing valid messages :(
Well, you have to go out of your way to prevent it. The sub-addressing complexity is on the email provider side; ticketmaster doesn't have to do anything for it to work except not reject valid email addresses.
In my experience, most but not all sites will accept "+" email addresses.
At my current employer we do allow this. It's handy for testing and not a big deal if we have users doing this to make multiple accounts (they don't gain anything by doing that). But at a previous job it was a bigger deal and we'd strip off the sub-address part because we were trying to match up email addresses across client sites (this was due to a bit of a shady thing the company was doing and part of the reason why I left).
I’m intrigued how it would have made a difference, wouldn’t it be extremely trivial to “clean up” the dataset by just doing a regex and removing all the “+*”. Or are scammers that lazy? Maybe I’m missing something?
It's just an edge case you'd have to devote brainpower and resources to. It may not be a big commitment, but if it only nets you an additional 0.25% valid email addresses or something, it's probably not going to get done.
Even if accepted, Google-style plus addressing seems worthless in most situations, as it is trivial to simply remove the plus sign and everything after it to get your native email address.
You can also use my.handle@gmail.com which I use (with a filter to trash immediately) when I need to sign up for something with a high likelihood of spamming me.
The neater thing about the period method is how no one else but you can know which (if any) position(s) of the period are the "good" one(s) and which are the "giving away that it's likely spam" ones.
I continuously wonder how we keep building multi-billion dollar applications where both basic consumer protections aren’t in place and there’s almost no liability for the companies running them.
A kid working at McDonalds requires a safe food handling certificate, and the store will be shut down if an inspector sees their fridge is too warm.
Hopefully with E2E encryption, passkeys, and the like, the end of days is near for these massive data leaks, but without real consequences, these companies will never realize holding millions of people’s personal information is both a liability as well as an asset.
I might have goofed the analogy. I was trying to illustrate that mature regulations and true liability mean that even McDonalds’ lowest level employees require standardized training. They know that a fridge must be ~40F. But the kid isn’t liable for leaving the fridge open. McDonald’s is. And because they’re liable, they have invested in sensors and alarms on every fridge.
Looks to be officially confirmed. I just received the following email from Ticketek Australia:
> Dear Ticketek Customer,
> We are writing to let you know that Ticketek has become aware of a cyber incident impacting Ticketek Australia account holder information, which is stored in a cloud-based platform, hosted by a reputable, global third party supplier.
> We would like to reassure you that Ticketek has secure encryption methods in place for all passwords and your Ticketek account has not been compromised. In addition, we utilise secure encryption methods to handle credit card information and transactions are processed via a separate payment system which has not been impacted. Ticketek does not hold identity documents for its customers.
> Since our third party supplier brought this to our attention, over the past few days we have worked diligently to put every resource into completing an investigation, so that we can communicate with you as quickly as possible. We wanted to notify you early to enable you to take steps to protect your information as a precautionary measure.
> We have also notified the Australian Cyber Security Centre (ACSC) and we are liaising with the Office of the Australian Information Commissioner (OAIC) and the National Office of Cyber Security in relation to the incident.
I assume Ticketmaster are fighting fires at the moment, or it could be coincidence, as I logged in to change my [unique to Ticketmaster] password and the 2FA confirmation appears to be broken, as it gave the same code 3 times and wouldn't accept it, plus the emails to reset the password aren't going out (or are going out slowly).
Hope you hashed, salted, peppered those passwords Ticketmaster. And I hope you were following PCI level 1 correctly otherwise if this is true then you're a bit fucked really aren't you.
> To its critics, it seems Ticketmaster may be experiencing some karma lately for years of being the bane of concertgoers' existence.
Ah yes, karma, that legendary force which revenges itself upon evil businesses like Ticketmaster by *checks notes* exposing the personal and financial information of their unwilling customers.
This is not verified. Mashable pulled a dirty headline by writing on this based on speculation.
The initial account that shared the sale had no reputation on the forums. But it was then reposted by one of the admins, and that is the only piece of credibility this story has.
Still miss the good ol' days of Mashable, versus the sad state it's in now. And, yes, I know I'm pining for a version of the site that has been dead and gone for a long time now.
Seems like a big deal, but pretty much the only data Ticketmaster would have is a stored credit card, address, name, and purchase history. Right? Perhaps passwords are valuable because many folks reuse them across sites.
I don't see appreciable movement in their stock at all.
> I don't see appreciable movement in their stock at all.
That's because there is zero accountability for these breaches and even with a civil case you're looking at pennies per user as compensation.
Better to do that than invest the tens of millions required to correctly invest in good security practice and hygiene.
This is the classic Fight Club scenario:
"Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."
"But you will have to provide a credit card to sign up for it, and after the 6 months you'll be automatically moved to our Platinum $59/mo monitoring plan".
US Only: This is your regular data breach reminder to freeze your credit with all 3 credit bureaus, as well as with NCTUE. It's free to do, easy to lift when you need to, and helps prevent credit fraud (also known, incorrectly, as identity theft).
NCTUE was new to me... I love that they're apparently gathering all this data to sell, but if you don't want your data to be sold, you have to snail mail them or call them...
Why should I have to jump through all these hoops just because some (most?) banks can’t be bothered to do proper KYC before lending money or extending credit?
Most other countries also have similar processes in place, although the exact systems differ from country to country. Check your trusted local cybersecurity website, they should probably have some info on this.
Aside from legal definitions, it's definitely a broadly used term in the public arena as well. According to Wikipedia, it's been used this way since 1964.
> the term came from the banking sector themselves with the purpose of doing so
As far as I can see after a bit of research, that doesn't seem to be the case. Do you recall where you first heard that idea?
> No one has stolen any one's identity.
Nobody thinks that a victim of identity theft is left with no identity. It's figurative language just like your computer firewall isn't there to keep the flames back.
Indeed. I can already predict the outcome here, regardless of their own culpability level, will be a fine less than the profit they bring in during a single week (or probably in 10 minutes if it's the week a Taylor Swift concert goes on sale). And all executive bonuses will still be paid.
I wonder if GDPR fines will get issued. If so hopefully the EU slaps on some processing fees and digital delivery fees and some admin fees and some notification fees on top of the fines.
Theft means "the illegal act of taking another person's property without that person's freely-given consent". The fact that the victim can or cannot still access their property is not in the definition.
Throughout most of human history "taking" meant that the thing is now yours and not theirs. If you had a book, I read it all and wrote my own copy, nobody would call that taking your book; it's copying your book. You can try to change the definition, but depriving someone of ownership/use of something is qualitatively very different from making a copy of it, so it doesn't follow that the former should necessarily be treated the same as the latter.
Information has to be modelled differently. Where and how it is manifested is less relevant.
If I told your secrets after we agreed not to share them, it would be a moral violation, even if you still had the copy of the journal that you recorded the secrets in.
I think "stolen" is perfectly fine to use here, but I don't think you're correct. The definition of theft usually involves depriving someone of something, which is why piracy and copyright infringement are not theft. There's a whole Wikipedia section dedicated to it for anyone who actually cares about this kind of thing: https://en.m.wikipedia.org/wiki/Copyright_infringement
Lol, if an individual does this, you're going to go to jail. A company does this? Tiny fine. What a world we live in.