• ryandrake 2 days ago

    > The data also includes a “limited number” of Social Security numbers and government identification documents, such as driver’s licenses [...]

    > MoneyGram said the types of stolen data will vary by individual. MoneyGram said that the stolen data also included transaction information, such as dates and amounts of transactions, and, “for a limited number of consumers, criminal investigation information (such as fraud).”

    What is this "limited number" weasel word crap? This conveys no information. What's the limit, then? "Limited" could mean anything. It could be "limited" to 100 million for all anyone knows. Why not say the actual number or order of magnitude? It must be damning...

    • WheelsAtLarge 2 days ago

      This will be at least my 6th place where this has happened. Yea, it's one more place where identity thieves can get my info. :( What is the fix? Anyone?

      • kragen 2 days ago

        It's too far outside the Overton Window: not only should KYC not be mandatory, KYC should be illegal. MoneyGram should not be permitted to collect its customers' personally identifiable information. That's because breaches like this are a national security vulnerability. Privacy is the foundation of civil defense.

        This policy will remain outside the Overton Window until several more digital Pearl Harbors like the one that just happened in Lebanon, where Israel was able to leverage its surveillance of Hizbullah members into an almost total annihilation of Hizbullah as an organization. Many other armed forces around the world are going to experience the same thing over the next decade, because it's far too late for soldiers' and politicians' family members to avoid ever signing up for Facebook, Zelle, PayPal, MoneyGram, etc.

        I don't know what the landing looks like, but before we get there, this flight may experience some turbulence.

        • sofixa 2 days ago

          > not only should KYC not be mandatory, KYC should be illegal. MoneyGram should not be permitted to collect its customers' personally identifiable information. That's because breaches like this are a national security vulnerability. Privacy is the foundation of civil defense

          Personal opinion: that's a pipe dream and it's never going to happen. Moving money is an extremely vital part of modern economies, and importantly, of underground ones.

          You mention Hizbollah - without KYC they would have been able to more easily receive donations from sympathisers and use those funds to buy stuff from everywhere. Their surveillance by Israeli services wasn't online surveillance, because the group has already been burned by advanced Israeli cybersecurity attacks. They were using pagers ffs, do you really think their members were tracked and surveilled online?

          And the same would apply for stuff like criminal regimes evading sanctions even more, cartels laundering their money, financial scams like Wirecard proliferating even more.

          Look at the crypto space that promised to change that - outside of the absurd lack of practicality, it led to millions of scams, money laundering operations, North Korea abusing it to fund itself, and the like.

          • kragen 2 days ago

            Thank you for your brilliantly clear demonstration.

            • sofixa a day ago

              You're welcome.

          • squigz a day ago

            > should not be permitted to collect its customers' personally identifiable information.

            No. They should not be permitted to retain and/or sell that information.

            Out of curiosity, why do you think we have KYC laws in the first place?

            • hakfoo 19 hours ago

              A sensible approach might be to outsource the KYC process to a central state agency. We already have rudimentary forms of that-- like the fingerprint-clearance cards you sometimes need for working with the vulnerable. Why would it be any harder to grep the database for financial criminals than sex offenders?

              Give me the ability to generate a signed certificate that says "hakfoo is not currently denylisted for financial crimes" and let me submit it as part of account onboarding. Maybe include some new, non-SSN, low-stakes identifier so I can't make forty different certificates and pretend to be forty people.

              Such an agency can be more privacy forward than any private player: there's no financial motivation for them to be "sharing data with our partners and affiliates", and is structurally disinterested in expanding its reach into other data-grab products (looking at you, credit reporting services).

              If the banks and such really have to do some sort of data-derived KYC-theatre-- looking for structuring and spurious patterns-- it could still be done with minimal personal data-- tracking the accounts by UUIDs.

              • CatWChainsaw a day ago

                They exist so the obscenely wealthy can have financial privacy via shell companies, and the non-obscenely wealthy can be financially surveilled.

            • toomuchtodo 2 days ago

              Federal data protection legislation that makes holding onto consumer PI and adjacent data toxic, along with penalties so punitive for failing to properly secure and purge data in accordance with these regulations that it is a corporate death sentence.

              “Show me the incentives and I’ll show you the outcome.”

              • willmadden 2 days ago

                This problem was created by regulation requiring companies to store ID information. Is more regulation the answer?

                • toomuchtodo 2 days ago

                  You can tokenize the data [1], you can dispose of it after you've used it for the business process [2], you can vault it with a custodian. Lots of solutions. I have implemented more than one in the consumer credit space.

                  Regulation is usually the answer. More? Better. It ain't gonna regulate itself. Storing and processing data securely is not hard. It is work though. Breaches happen because systems and corporations don't care [3], they aren't exposed to the cost of data loss, as there is none.

                  Would you prefer the business not store the data, but the government attests to your identity (as part of a proofing request and flow) and also stores the receipt and AML/KYC metadata? There are legal and compliance requirements in the finance space unfortunately, and those are not going away. If identity is a requirement, a system must attest to it, and logs of some type must be created to document the ceremony.

                  [1] https://en.wikipedia.org/wiki/Tokenization_(data_security)

                  [2] https://en.wikipedia.org/wiki/Crypto-shredding

                  [3] https://en.wikipedia.org/wiki/List_of_data_breaches
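                  The two mitigations named above, tokenization and crypto-shredding, as a small added illustration (not code from the commenter or from any product): PII is stored only as ciphertext under a per-record key, callers hold an opaque token, and deleting the key alone makes the record unrecoverable. The keystream construction (HMAC-SHA256 in counter mode) is a stand-in chosen so the example runs with the standard library; it is an assumption for illustration, not a recommendation over an authenticated cipher behind a KMS or HSM.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class PiiVault:
    """Tokenize PII and keep per-record keys so any record can be crypto-shredded.

    Constructed demonstration: keystream = HMAC-SHA256(key, counter), XORed with
    the data. A production vault would use an AEAD cipher (e.g. AES-GCM) with keys
    held in a KMS/HSM; the shredding logic (delete the key, keep the ciphertext
    as an inert receipt) is the same.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}     # token -> per-record key
        self._records: Dict[str, bytes] = {}  # token -> ciphertext

    @staticmethod
    def _keystream(key: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    @classmethod
    def _xor(cls, key: bytes, data: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, cls._keystream(key, len(data))))

    def tokenize(self, pii: str) -> str:
        """Encrypt PII under a fresh random key and return an opaque token."""
        token = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self._keys[token] = key
        self._records[token] = self._xor(key, pii.encode())
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Recover the PII for a token, or None once its key has been shredded."""
        key = self._keys.get(token)
        if key is None:
            return None
        return self._xor(key, self._records[token]).decode()

    def shred(self, token: str) -> None:
        """Crypto-shred: destroy only the key; the ciphertext becomes useless."""
        self._keys.pop(token, None)
```

The ciphertext stays behind as an audit artifact that no longer contains usable PII, which is the property the comment is pointing at.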

                  • willmadden 2 days ago

                    You don't think there are brand and reputational risks with data breaches, or cost to notify and provide free credit reporting?

                    Breaches only happen because corporations "don't care"? I guess the US government doesn't care, then?

                    Event Description                                    Date            Agency                          Number of People Affected
                    -------------------------------------------------------------------------------------------------------------------------
                    SolarWinds Cyberattack                               December 2020   Multiple federal agencies       Approximately 18,000
                    U.S. Office of Personnel Management (OPM) Breach     June 2015       Office of Personnel Management  21.5 million
                    U.S. Department of Veterans Affairs Breach           May 2006        Department of Veterans Affairs  26.5 million
                    Georgia Secretary of State Office Breach             November 2015   Georgia Secretary of State      6.2 million
                    Virginia Department of Health Professions Breach     May 2009        Virginia Department of Health   8.3 million
                    Texas Attorney General Office Breach                 April 2012      Texas Attorney General          6.5 million
                    Department of Transportation Data Breach             May 12, 2023    Department of Transportation    237,000
                    National Public Data Breach (reported)               August 2024     National Public Data            Nearly 3 billion

                    • toomuchtodo 2 days ago

                      Based on my experience in the space, I can say with some confidence that there is very low brand or reputational risk (or it is so low as to be immaterial) with regards to a breach. $1M-$3M in most cases, which is cost of business (notification campaigns, buying credit monitoring, etc).

                      Edit: Your examples are outliers, based on the data, and those costs are not brand and reputational, they are settlements or fines (which are rare). If you want to move goal posts, that's a choice. No one is going to stop using Equifax for consumer reporting data or Target because of their cybersecurity posture (i.e. brand and reputation damage).

                      https://www.ibm.com/reports/data-breach

                      https://www.vox.com/the-goods/23031858/data-breach-data-loss...

                      https://www.idtheftcenter.org/post/itrc-sees-third-most-data...

                      • willmadden 2 days ago

                        Wrong.

                        Heartland Payment Systems - Although the company did not go out of business, it suffered significant financial losses from a major breach in 2008, leading to over $110 million in settlements and fines. This incident severely damaged its reputation and operational capacity.

                        Target - The retail giant faced a massive data breach in 2013, which compromised approximately 40 million credit and debit card accounts. While Target did not go out of business, the breach led to substantial financial losses, including an $18.5 million settlement with state attorneys general.

                        Equifax - The credit reporting agency experienced a breach in 2017 that exposed sensitive information of about 147 million people. Although Equifax remains operational, the breach resulted in over $700 million in settlements and significant reputational damage.

                        MySpace - While MySpace did not directly go out of business due to its data breach in 2016 (which affected 360 million accounts), it lost significant market share and relevance, ultimately leading to its decline as a social media platform.

                        FriendFinder Networks - This adult entertainment company faced a severe breach in 2016, affecting 412 million accounts. While it has not officially declared bankruptcy, the breach contributed to its ongoing struggles in a competitive market.

                        Ashley Madison - The dating site for extramarital affairs suffered a data breach in 2015 that exposed the personal information of millions of users. The fallout from this breach led to lawsuits and significant reputational damage, severely impacting its business operations.

                        NortonLifeLock (formerly Symantec) - Following a series of breaches and security issues, the company faced declining revenues and market share, leading to a significant restructuring and changes in business focus.

              • exogenousdata 2 days ago

                Simple answer: Jail

                Any company that accesses/uses Personally Identifiable Information (PII) must register a “PII Czar” with the proper authorities. That person (or persons, depending on the size/scope of the PII data) can be held criminally liable in the event of a data breach.

                If a jury finds that the PII Czar enacted the correct policies/procedures & took the right precautions, a jury could find them innocent. But if there was willful or negligent handling at the company, the PII Czar goes to jail.

                In the US, one of the big lies told at the corporate level is that no one ever sees jail time because the regulators are too underfunded in comparison with large companies. What’s necessary is clear personal ownership of PII and criminal liability in the event of a data breach.

                • avmich 2 days ago

                  "Don't you need a chairman?" Funt asked.

                  "What chairman?" Bender exclaimed.

                  "An official one - in a word, the chief of the establishment."

                  "I am the chief myself."

                  "In other words, you expect to do time yourself? Why didn't you say so in the first place? Why did you take up two hours of my valuable time?"

                  The old man in the Passover trousers became exceedingly angry, foamed at the mouth, fumed, emitted explosive noises, but the pauses between his sentences did not diminish.

                  "I am Funt!" he said emphatically. "I am ninety years old! All my life I've done time for others! Such is my profession - to suffer for others!"

                  "Oh, so you're a professional figure-head!"

                  "Yes," said the old man, tossing his head boastfully. "I am Substitute-chairman Funt! I've always done time. At the time of Alexander the Second, the Liberator, at the time of Alexander the Third, the Peacemaker, at the time of Nicholas the Second, the Bloody." And the old man slowly bent back his fingers, counting the tsars. "At the time of Kerensky I also did time. At the time of Military Communism, I did no time, to tell the truth, because clean business disappeared and there was no work for me. But how I did time in the days of the NEP! How I did time in the days of the NEP! Those were the best days of my life..."

                  Ilya Ilf and Eugene Petrov, The Little Golden Calf. https://archive.org/details/littlegoldencalf0000unse

                  • CatWChainsaw a day ago

                    I hate the double standard where a low level employee can be fired and blacklisted for a black swan mistake, but systemic mistakes get the top levels golden parachutes. So no luxury prisons for execs, either.

                    Data Fiduciary Duty - you have to use the data you have in the best interest of your client (which isn't allowed to be the advertisers that want the data, nope!), and if that means deleting what isn't necessary, so much the better.

                    Also, forced arbitration isn't allowed and class action lawsuits result in more than a reward of $3.97 paid five years later with a free year of credit monitoring thrown in.

                  • undefined 2 days ago
                    [deleted]
                    • Mistletoe 2 days ago

                      Make sure you have an identity protection PIN at the IRS.

                      https://www.irs.gov/identity-theft-fraud-scams/get-an-identi...

                      It's not a fix but a band-aid so at least people can't file taxes with your SSN.