Originally Posted by needle
2-factor doesn't change the fact that personal details were compromised due to the breach. I don't see how this breach "is a reason" for 2-factor. There are many good reasons to use 2-factor, but it doesn't save you from lost personal data due to data breaches...
This.
On one hand, the general personal data constitute a treasure trove with which to perform impersonation and social engineering. It does not help that the Finnish ID number is non-random, used for basically everything, and so often blindly trusted.
And on the other hand, the customer numbers are of the ambiguous kind, like credit card numbers, where it's not really clear if they're supposed to be confidential or not, and thus, much like the Finnish ID number, they end up being blindly trusted when they really should not.
Either way, 2FA does not help here because passwords were supposedly not stolen. The problem is whenever the password is not needed.