Monday, 25 March 2013

EQC data - Updated

So EQC accidentally released a spreadsheet matching claim numbers to physical addresses for most people in Christchurch with an earthquake claim. The breach didn't have names. [Substantial update at end]

I appreciate privacy concerns, but I'm far more worried about whether any privacy breach can yield instrumental harms.* And here, I'm having a hard time seeing it.

Imagine that you had the spreadsheet listing the claim number and home address for each house in Christchurch, but nothing else. How could you profit from that knowledge?
  • Send fake invoices to EQC for payment. Claim to have done work on particular addresses and cite the EQC claim number. 
    • But: you're probably going to have to give EQC a bank account for transfers. If the homeowner catches wind of it, the fraudster would likely be found out fairly quickly. So your best bet would be to drive around looking for houses where construction work was already underway and to invoice for those addresses, hoping that the receipt would be paid in the confusion and that you could just switch to a different fake company every week. I doubt this would work out, but there's a random-draw chance that EQC might pay out on any individual invoice. Enough of these and you might get a bit out of it.
  • You could try calling into EQC to redirect payments that should have been going to the homeowner, but this is really unlikely to work. 
    • You'd need to know enough about the claim to be able to make a plausible case;
      • Name of the main claimant and enough identifying details to pass the first hurdle;
      • Whether the house is Fletcher's or opt-out - if it's Fletcher's, I think EQC pays them directly. If it's opt-out, you'd need to know enough about the repairs to tell them something about the outstanding invoices you want sent to your new bank account.
      • I bet you could get a lot of this out of Facebook pages for anybody listing a real address on Facebook.
    • You'd need to be able to get through to EQC on the phone (hard), or send them letters with your new account information. In the latter case, they might notice a pile of letters all asking that payment be sent to some particular account. If you're phoning, you can always hang up if things aren't working out, so they only get the account number for the small set that work.
Bottom line: it's hard enough for legitimate claimants to get anything done through EQC; I doubt fraudsters could get much out of this kind of data breach. But maybe I underestimate their patience for sitting on hold, or their creativity.

* People shout a lot about privacy, then happily hand over massive amounts of private information in exchange for lollypops. If you're complaining about EQC privacy violations on your Facebook page, and you're doing it because of privacy per-se rather than because of fraud exploits, you're exactly the kind of person I'm talking about.

Update 1: Chatting with Paul Walker on the way out the door yesterday, I realized that the best mark is the homeowner rather than EQC. He suggested calling the homeowner to pry out more details that you could use with EQC. I then reckoned it made more sense to call the homeowners pretending to be EQC and saying the only thing left before final claim resolution was for them to wire over the deductible on their insurance claim so that EQC could pay the whole thing to Fletcher's at one go.

Update 2: There was way more information in the data breach than first reported:
Staples said he was not the only person to see the email which listed the household's claim number, asbestos rating, EQC tolerance approval, which aspects of the claim were on hold, land information, whether the address was awaiting assessments, engineer's report, the EQC supervisor, the contractor's name and quote, and EQC's value of damage estimate.
In the wrong hands, this could be rather damaging.

But wouldn't it be nice if homeowners could get their own files:
Staples also said he looked up the information for one of his clients on the list for whom his company had done repair work, costing $55,000.
EQC had said $55,000 was too much and had cash settled for $30,000 with the homeowner. But the spreadsheet showed EQC has allocated $59,000 for repairs.


  1. It depends on what sort of harm. It wouldn't be possible to extract huge sums of money, and the take would be a tiny fraction of the total EQC payout, but I don't see why the first approach couldn't extract tens of thousands of dollars. You'd want multiple accounts, but I would think "trading as" accounts would work. I think you are underestimating the persistence and overestimating the risk-aversion of the fraudsters.

    Then there's phishing. You should be able to find out names and email addresses corresponding to a reasonable number of houses. You email them and ask for details needed to process their claim. The claim number provides added verisimilitude, especially if you've called EQC and talked to someone about the claim and can provide extra info. I see you've just tweeted a variant on this so I'll stop.

    The harm done by any of this on average would be small, but it would probably be newsworthy and lead to further red tape on the part of EQC.

  2. Ok. Here is the better exploit. Letters to home owners after using phone book to guess names. Ask for the $5k deductible on their insurance to be wire transferred so the rest of the claim can be processed.

  3. "If you're complaining about EQC privacy violations on your Facebook page, and you're doing it because of privacy per-se rather than because of fraud exploits, you're exactly the kind of person I'm talking about."

    That's a really, really crap argument.

    Respecting privacy is about respecting people's control of their own privacy. There's a huge difference between voluntarily posting information to a website, and having information forcibly collected by a government agency being carelessly let loose into the world.

    The whole point about privacy is that people have very different attitudes about what is private to them and how they want to handle it. Just because you're open to some people in one area doesn't mean you want to be open to other people in another area.

    Sure, in this case the type of data lost doesn't seem like a major privacy leak but that's because most people would have no need to control it.

  4. If it were more than a table listing addresses and claim numbers, or if there were some other database out there using claim numbers as an anonymous identifier that then could be linked back to addresses because of this breach, I would agree with you entirely.

  5. I fail to really see the issue. Yes it's a mistake it was released but:
    * Mistakes happen

    * Damage to people's houses, and that there will be an EQC claim # is hardly secret information, hell it's probably the biggest topic of conversation in Chch for the last 2yrs. Discussion of the weather is waay down, comparing EQC costs is the new smalltalk.

    * Since when is the appropriate response to such issues to immediately make it a political issue?
    * The only risks I see are to those pollies (you know who you are) who have made claims in the media about their EQC business, it could now be possible for the public to look up their address and see if they have been telling the truth.