Monday, 25 March 2013

EQC data - Updated

So EQC accidentally released a spreadsheet matching claim numbers to physical addresses for most people in Christchurch with an earthquake claim. The breach didn't have names. [Substantial update at end]

I appreciate privacy concerns, but I'm far more worried about whether any privacy breach can yield instrumental harms.* And here, I'm having a hard time seeing it.

Imagine that you had the spreadsheet listing the claim number and home address for each house in Christchurch, but nothing else. How could you profit from that knowledge?
  • Send fake invoices to EQC for payment. Claim to have done work on particular addresses and cite the EQC claim number. 
    • But: you're probably going to have to give EQC a bank account for transfers. If the homeowner catches wind of it, the fraudster would likely be found out fairly quickly. So your best bet would be to drive around looking for houses where construction work was already underway and to invoice for those addresses, hoping that the receipt would be paid in the confusion and that you could just switch to a different fake company every week. I doubt this would work out, but there's a random-draw chance that EQC might pay out on any individual invoice. Enough of these and you might get a bit out of it.
  • You could try calling into EQC to redirect payments that should have been going to the homeowner, but this is really unlikely to work. 
    • You'd need to know enough about the claim to be able to make a plausible case;
      • Name of the main claimant and enough identifying details to pass the first hurdle;
      • Whether the house is Fletcher's or opt-out - if it's Fletcher's, I think EQC pays them directly. If it's opt-out, you'd need to know enough about the repairs to tell them something about the outstanding invoices you want sent to your new bank account.
      • I bet you could get a lot of this out of Facebook pages for anybody listing a real address in Facebook.
    • You'd need to be able to get through to EQC on the phone (hard), or send them letters with your new account information. In the latter case, they might notice a pile of letters all asking that payment be sent to some particular account. If you're phoning, you can always hang up if things aren't working out, so they only get the account number for the small set that work.
Bottom line: it's hard enough for legitimate claimants to get anything done through EQC; I doubt fraudsters could get much out of this kind of data breach. But maybe I underestimate their patience for sitting on hold, or their creativity.
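The one defensive signal the list above points at is the pile of redirection requests all naming the same account. As an added illustration (not part of the original post, and nothing to do with EQC's actual systems), here is a small Python check over constructed sample records: it flags any payee bank account that several distinct claims asked to be paid into within a short window, while ignoring a single claim that updates its own account twice. The record layout, the field names, the account numbers and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample (not real EQC data): one row per request to change the
# payee bank account on a claim. Claim ids and account numbers are made up.
SAMPLE_REQUESTS = [
    {"claim": "CLM-1001", "received": date(2013, 3, 18), "account": "01-0000-0000001-00"},
    {"claim": "CLM-1002", "received": date(2013, 3, 18), "account": "01-0000-0000001-00"},
    {"claim": "CLM-1003", "received": date(2013, 3, 19), "account": "01-0000-0000001-00"},
    {"claim": "CLM-1004", "received": date(2013, 3, 20), "account": "01-0000-0000001-00"},
    # One claim updating its own account twice: not suspicious on its own.
    {"claim": "CLM-2001", "received": date(2013, 3, 19), "account": "02-0000-0000002-00"},
    {"claim": "CLM-2001", "received": date(2013, 3, 21), "account": "02-0000-0000002-00"},
    # Two claims sharing an account months apart (e.g. a landlord): below threshold.
    {"claim": "CLM-3001", "received": date(2013, 1, 5), "account": "03-0000-0000003-00"},
    {"claim": "CLM-3002", "received": date(2013, 3, 20), "account": "03-0000-0000003-00"},
]


def flag_shared_payee_accounts(requests, min_claims=3, window_days=14):
    """Return {account: sorted claim ids} for every account that at least
    `min_claims` distinct claims asked to be paid into, with those claims'
    first requests all falling inside some span of `window_days` days."""
    # account -> {claim id: date of that claim's earliest request for it}
    first_seen = defaultdict(dict)
    for r in requests:
        seen = first_seen[r["account"]]
        if r["claim"] not in seen or r["received"] < seen[r["claim"]]:
            seen[r["claim"]] = r["received"]

    window = timedelta(days=window_days)
    flagged = {}
    for account, claims in first_seen.items():
        dates = sorted(claims.values())
        # Slide a window over the sorted first-request dates; each date
        # counts once because each distinct claim contributed exactly one.
        for i, start in enumerate(dates):
            in_window = sum(1 for d in dates[i:] if d - start <= window)
            if in_window >= min_claims:
                flagged[account] = sorted(claims)
                break
    return flagged


if __name__ == "__main__":
    for account, claims in flag_shared_payee_accounts(SAMPLE_REQUESTS).items():
        print(f"{account}: requested by {len(claims)} distinct claims {claims}")
```

The thresholds are deliberately parameters: a property manager or a relative acting for several households can legitimately share one account, so a hit is a queue for a human call-back to the claimant on the number already on file, not an automatic block.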

* People shout a lot about privacy, then happily hand over massive amounts of private information in exchange for lollipops. If you're complaining about EQC privacy violations on your Facebook page, and you're doing it because of privacy per se rather than because of fraud exploits, you're exactly the kind of person I'm talking about.

Update 1: Chatting with Paul Walker on the way out the door yesterday, I realized that the best mark is the homeowner rather than EQC. He suggested calling the homeowner to pry out more details that you could use with EQC. I then reckoned it made more sense to call the homeowners pretending to be EQC and saying the only thing left before final claim resolution was for them to wire over the deductible on their insurance claim so that EQC could pay the whole thing to Fletcher's at one go.

Update 2: There was way more information in the data breach than first reported:
Staples said he was not the only person to see the email which listed the household's claim number, asbestos rating, EQC tolerance approval, which aspects of the claim were on hold, land information, whether the address was awaiting assessments, engineer's report, the EQC supervisor, the contractor's name and quote, and EQC's value of damage estimate.
In the wrong hands, this could be rather damaging.

But wouldn't it be nice if homeowners could get their own files:
Staples also said he looked up the information for one of his clients on the list for whom his company had done repair work, costing $55,000.
EQC had said $55,000 was too much and had cash settled for $30,000 with the homeowner. But the spreadsheet showed EQC has allocated $59,000 for repairs.