data was exfiltrated from a corp I did not even know had my data; then they offer to have a privacy abuser (Cloudflare) MitM credit monitoring txns. WTF? - Hack Liberty
links.hackliberty.org
Apparently some company I do business with shared my data with another corp without me knowing, WTF? then that corp who I did not know had my data was breached. WTF? Then the breached corp who could not competently secure the data in the first place offers victims gratis credit monitoring services (read: offers to let yet another dodgy corp also have people’s sensitive info thus creating yet another breach point). Then the service they hired as a “benefit” to victims outsources to another corp and breach point: Cloudflare. WTF? So to be clear, the biggest privacy abuser on the web is being used to MitM a sensitive channel between a breach victim and a credit monitoring service who uses a configuration that blocks tor (thus neglecting data minimization and forcing data breach victims to reveal even more sensitive info to two more corporate actors, one of whom has proven to be untrustworthy with private info). I am now waiting for someone to say “smile for the camera, you’ve been punk’d!”. (update) Then the lawyers representing data breach victims want you to give them your e-mail address so they can put Microsoft Outlook in the loop. WTF? The shit show of incompetence has no limit. (update 2) It’s interesting to note that the FTC as well as a data breach lawyer both recommend that data breach victims take advantage of the free credit monitoring. I’m a bit surprised. As much as I want to cause the breached company to incur a cost for that subscription, it seems like a foolish move to put my sensitive info in the hands of yet another dodgy 3rd party.

A company I have no business relationship with sent me a breach notice stating that criminals got my data. This company is a supplier to many banks, brokerages, insurance companies, etc.

Obviously I want to know which of my banks or insurance companies I am doing business with trusted them with my data. I called and asked. They refused to tell me. But they have made it deliberately complicated. The phone number they gave to breach victims is for a 3rd party call center who knows nothing. So the call center says “we don’t have that info”.

Question: do financial/analytics orgs (or whatever the fuck they are) have a legal obligation to provide data breach victims with the SOURCE of the info? Do they have to tell me which of my banks (or whatever) hired them to be a custodian of my data?

What rights to data breach victims have?

(more background: https://links.hackliberty.org/post/2667522)

(update)
Thanks for all the useful feedback folks! I guess the question that remains is whether there are any federal laws that require the disclosure I am after. I looked up the law for my state here and found no law entitling breach victims to be informed of the source of their personal data. It would help to know the law because the AG, CFPB, and FTC will be limited to the law themselves.

      • NollijEnglish
        2·
        13 hours ago

        This is actually easy enough to do if you own the top level address. E.g. 123 Main St. Just use # or suite unique to the company. It will be up to you to remember that 123 Main St, #874 means it came from your bank.

          • NollijEnglish
            1·
            12 hours ago

            I’ve lived in multiple apartments that use the same style. I suspect it’s not an option for most vertical housing (apartments/condos on top of each other), but townhouse-style apartments are common once you leave the city centers.