Walt.Gregg.Juneau.AK.US (Dec. 17, 2020)

The 2020 Alaska Voter Registration Breach

Consider getting a credit freeze at Experian, Equifax, and TransUnion. You have to contact them separately. Equifax.com/personal/credit-report-services: 800-685-1111; Experian.com/help: 888-397-3742; Transunion.com/credit-help: 888-909-8872. Each will give you a PIN you'll need to unfreeze your credit when you need to.

Don't rely on a fraud alert -- only a credit freeze will do. See preview.tinyurl.com/2015-06-08-krebs-credit-freeze.

This is in reference to the Alaska voter registration database breach. They didn't bother to itemize what was in the database, but I know, so here you go:

I know this because I own the internet. More precisely, I have a copy of my 'Online Voter Registration Summary of Confirmation'. I was pretty shocked that you could change registration without any login -- just the presentation of these very bits of data. And, it turns out, they used a private company only too willing to leak it to the Big Computer, where it can never be recalled. One wonders if someone paid an insider to get the data.

This actually *is* pretty serious. With this pedigree information, it's pretty trivial for an identity thief to open NEW credit card accounts in YOUR name, and even to borrow money from banks in YOUR name. It also helps him jawbone his way into your existing investment accounts, your retirement accounts, your bank accounts, your credit card accounts, your insurance accounts, medical accounts, the works. (Yes, people do steal medical care using other people's medical insurance.)

Only a credit freeze can protect you. A credit freeze WILL stop most reputable lenders from opening accounts in your name. There's next to no downside. You get a PIN to unfreeze the account when you need to. The state of Alaska ominously -- and wrongly -- warns:

'Placing a security freeze on your credit report is an aggressive action and will prevent you from engaging in certain transactions that require checking your credit report ....'

Nonsense! When you place a credit freeze, you get a PIN that you can use to unlock your report when you want to apply for refinancing, buy a car, apply for credit, or change insurance companies. It is NOT TRUE that a security freeze prevents your access to credit. It just requires that you grant access while applying.

A fraud alert will not protect you. There's a very long history of creditors ignoring fraud alerts and issuing credit anyway. They pay about as much attention to them as you do to browser security alerts. Where's the button to close out this stupid warning?

Consider signing up for the 1-year free Equifax credit monitoring, but limit the data you disclose. Credit monitoring is like a smoke alarm. It won't prevent fire or loss, but it may let you know in time to limit the damage. But do you trust Equifax enough to give them the mother lode? In 2007, they leaked the data of 148 million Americans alone, through failure to apply a security patch in time. This wolf is the company you can hire to keep watch on the internet and dark web for your chickens:

Despite being free for a year, I'm disinclined to give any new data to a proven breacher. I do, however, pay a monthly fee to a different company to do similar monitoring. The trouble is that by giving someone your data to monitor, you risk their compromising that data. This risk could be greater than the value of the monitoring they provide.

It took more time for Elections to notify us than Noah spent cooped up in the Ark. The delay is unconscionable. They learned about it on October 26. The postal notification letter is dated December 3. If you consider the postal service 3-day delivery standard, that's 40 days and 40 nights. Like I said, as long as Noah was cooped up in the Ark.

Good practice is notification within 3 days. The European General Data Protection Regulation (GDPR), while not binding on us, does set the bar for good practice. Their rule is a *maximum* of 3 days from the time you LEARN a breach has happened to the time you notify the breachees. Is breachees a word?

To be fair to Gail Fenumiai and Kevin Meyer, there's no possible way they could be up to snuff on good breach practice. I regularly read Brian Krebs, Bruce Schneier, Troy Hunt, and other security expert blogs. They don't. They're far too busy ensuring that every eligible voter can vote, and that our votes are counted accurately. In that, they have done a fabulous job. I am almost always in the minority, not because votes were stolen, but because they weren't. And you have to give Kevin Meyer enormous credit for his hilarious Freudian slip:

This was a very unfortunate discovery. -- Lieutenant Governor Kevin Meyer (Stories in the News, Ketchikan, Dec. 9, 2020, SITNews.US.)

If only no one had discovered the breach.

My work here is done.