home.social

#equifaxed — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #equifaxed, aggregated by home.social.

fetched live
  1. Among the latest data-breach villains: the Washington Post

    Members of the Washington Post’s extended diaspora, meaning both former employees as well as past freelancers, have begun getting an unwelcome reminder of that chapter in their professional lives: a letter from the Post, sent from an address not in the District but in West Sacramento, Calif., informing them of a “Data Security Incident.”

    That inefficient phrase is defensive legalese for “data breach,” which the letter says, in comparably defensive passive voice, happened between July 10 and Aug. 22, 2025, when “certain data was accessed and acquired without authorization” from unspecified Oracle E-Business Suite applications.

    In my case and others, to judge from reports from fellow recipients of this joyless notice, the “certain data” included names and Social Security numbers.

    The letter may not spark any more joy at Oracle, since it describes the vulnerability exploited as a “previously unknown and widespread” flaw. Oracle’s own warning red-flags it as “remotely exploitable without authentication.” But the paper’s disclosure does not address another cause of the data breach: how the Post chose to retain this sort of sensitive data long after it should have stopped being regularly business-relevant.

    Consider my example: The last time I had any ongoing transactions with the Post that should have involved my SSN was 15 years ago. I rolled over my 401(K) after leaving the paper, and Jeff Bezos buying the Post in 2013 resulted in the company transferring my pension and those of other ex-Posties to former publisher Don Graham’s firm Graham Holdings.

    For the handful of freelance pieces I’ve sold to my old shop since then (such as the Jan. 28, 2019 opinion piece headlined “Big tech firms still don’t care about your privacy”), I’ve used the Employer Identification Number I obtained shortly after I started freelancing.

    Yet apparently my SSN was still sitting unencrypted in a network-accessible database last summer, contrary to basic security advice, along with the digits of thousands of other current and former Post employees and contractors. Some had banking details compromised too.

    That’s “thousands” as in 9,720 people, per a filing the Post made with Maine’s Attorney General in November that a few security publications covered at the time. A month later, a former Post employee named Jun Hee Kim filed a class-action lawsuit against the Post on behalf of those nearly 10,000 individuals.

    I have yet to get a notice inviting me to join that class, and the Post’s letter does not mention the litigation. Instead, it offers the usual paltry remedy of a year of identity-theft monitoring, in this case from a firm called IDX.

    I know that’s the standard act of apology not only from covering data breaches but from having my data exposed in them, over and over. I know the drill well enough to have turned “Equifax” into the verb “Equifaxed” and to have frozen my credit more than once.

    So at some level, I’m not surprised at the news of the Post’s data breach so much as I’m surprised that it took this long. Throughout my time working at 15th and L, I saw the Post treat SSNs as carelessly as anybody else did decades ago–even using them as employee IDs, as seen in some of my own admin paperwork from early in this century showing the full nine digits. But it’s still stupid and sloppy that this particular data breach happened not in 2005 or 2015 but in 2025, well past the point when management at the Post should have known better.

    #Cl0p #CVE202561882 #dataBreach #dataMinimization #DataSecurityIncident #EIN #EmployerIdentificationNumber #Equifax #Equifaxed #IDX #Oracle #OracleEBusinessSuite #personallyIdentifiableInformation #PII #SocialSecurityNumber #SSN #TaxIDNumber #wapo #washingtonPost
  2. Among the latest data-breach villains: the Washington Post

    Members of the Washington Post’s extended diaspora, meaning both former employees as well as past freelancers, have begun getting an unwelcome reminder of that chapter in their professional lives: a letter from the Post, sent from an address not in the District but in West Sacramento, Calif., informing them of a “Data Security Incident.”

    That inefficient phrase is defensive legalese for “data breach,” which the letter says, in comparably defensive passive voice, happened between July 10 and Aug. 22, 2025, when “certain data was accessed and acquired without authorization” from unspecified Oracle E-Business Suite applications.

    In my case and others, to judge from reports from fellow recipients of this joyless notice, the “certain data” included names and Social Security numbers.

    The letter may not spark any more joy at Oracle, since it describes the vulnerability exploited as a “previously unknown and widespread” flaw. Oracle’s own warning red-flags it as “remotely exploitable without authentication.” But the paper’s disclosure does not address another cause of the data breach: how the Post chose to retain this sort of sensitive data long after it should have stopped being regularly business-relevant.

    Consider my example: The last time I had any ongoing transactions with the Post that should have involved my SSN was 15 years ago. I rolled over my 401(K) after leaving the paper, and Jeff Bezos buying the Post in 2013 resulted in the company transferring my pension and those of other ex-Posties to former publisher Don Graham’s firm Graham Holdings.

    For the handful of freelance pieces I’ve sold to my old shop since then (such as the Jan. 28, 2019 opinion piece headlined “Big tech firms still don’t care about your privacy”), I’ve used the Employer Identification Number I obtained shortly after I started freelancing.

    Yet apparently my SSN was still sitting unencrypted in a network-accessible database last summer, contrary to basic security advice, along with the digits of thousands of other current and former Post employees and contractors. Some had banking details compromised too.

    That’s “thousands” as in 9,720 people, per a filing the Post made with Maine’s Attorney General in November that a few security publications covered at the time. A month later, a former Post employee named Jun Hee Kim filed a class-action lawsuit against the Post on behalf of those nearly 10,000 individuals.

    I have yet to get a notice inviting me to join that class, and the Post’s letter does not mention the litigation. Instead, it offers the usual paltry remedy of a year of identity-theft monitoring, in this case from a firm called IDX.

    I know that’s the standard act of apology not only from covering data breaches but from having my data exposed in them, over and over. I know the drill well enough to have turned “Equifax” into the verb “Equifaxed” and to have frozen my credit more than once.

    So at some level, I’m not surprised at the news of the Post’s data breach so much as I’m surprised that it took this long. Throughout my time working at 15th and L, I saw the Post treat SSNs as carelessly as anybody else did decades ago–even using them as employee IDs, as seen in some of my own admin paperwork from early in this century showing the full nine digits. But it’s still stupid and sloppy that this particular data breach happened not in 2005 or 2015 but in 2025, well past the point when management at the Post should have known better.

    #Cl0p #CVE202561882 #dataBreach #dataMinimization #DataSecurityIncident #EIN #EmployerIdentificationNumber #Equifax #Equifaxed #IDX #Oracle #OracleEBusinessSuite #personallyIdentifiableInformation #PII #SocialSecurityNumber #SSN #TaxIDNumber #wapo #washingtonPost