It’s time to build our own Equifax with blackjack and crypto | TechCrunch

https://techcrunch.com/2017/09/08/its-time-to-build-our-own-equifax-with-blackjack-and-crypto/?utm_source=tcfbpage&sr_share=facebook

This article discusses a security breach that will affect very many people in the USA. It may force a rethink of the sloppy security practices at many companies: the identifying data those companies rely on has now leaked out.

The private data of 143 million Equifax “customers” is now available for download. Have no doubt: This means you will be hacked. This means your SIM card can be spoofed. This means someone will try to get into your email and online accounts. This means someone will try to open a credit card in your name.

First, we cannot allow our most precious data to be accessible via the last four digits of our social security number.

Further, we must also outlaw SMS two-factor authentication. In fact, thanks to the data stolen from Equifax, that process can be easily broken.

Mistakes happen. Ultimately we must hold these companies that keep leaking sensitive data accountable for their fails. In short, it’s time for those who are careless with big data to die.

The USA might need to look outside its own borders for leadership in security.

110 Comments

  1. Tomi Engdahl says:

    Security News This Week: Equifax Was Warned of Vulnerability Months Before Breach
    https://www.wired.com/story/equifax-warned-of-vulnerability-months-before-breach/

  2. Tomi Engdahl says:

    Lessons from Equifax: Open Source Security & Data Privacy Compliance
    https://www.brighttalk.com/webcast/13983/286873?utm_campaign=Webinars&utm_content=62159126&utm_medium=social&utm_source=facebook

    The Equifax breach provided a unique look into “how” many breaches occur. In Equifax’s case, hackers exploited an unpatched Apache Struts component, resulting in the exposure of over 140 million consumer records. The exploit of this vulnerability highlights the need for visibility into open source in custom applications and just how ineffective traditional security solutions are when it comes to open source vulnerabilities.

    Further, while class action lawsuits have already begun, Equifax faces other regulatory challenges as well. The US Federal Trade Commission started investigations into the company’s security policies and controls that will likely result in financial penalties. Since the exposed data included non-US citizens, foreign data protection and data privacy regulations also come into play.

  3. Tomi Engdahl says:

    Equifax Says Execs Unaware of Hack When They Sold Stock
    http://www.securityweek.com/equifax-says-execs-unaware-hack-when-they-sold-stock

    Equifax said Friday an internal review found that four executives who sold shares ahead of disclosure of a massive data breach at the credit agency were unaware of the incident ahead of the sale.

    The company released the findings of its review of the stock sales worth some $1.8 million just prior to public disclosure of the hack affecting sensitive data of some 145 million as well as some British and Canadian nationals.

    The “special committee” investigating for the company concluded that “none of the four executives had knowledge of the incident” and that none engaged in insider trading.

    The committee reviewed more than 55,000 documents including emails, text messages, phone logs and other records, according to a company statement.

    “I’m grateful for the timely and thorough review,” non-executive chairman Mark Feidler said in the statement.

  4. Tomi Engdahl says:

    Equifax: Hack Related Expenses Cost Company $87.5 Million in Q3
    http://www.securityweek.com/equifax-hack-related-expenses-cost-company-875-million-q3

    Equifax on Thursday said that during the third quarter of 2017, it incurred $87.5 million in expenses related to the massive hack that was disclosed on September 7, 2017.

    The credit reporting agency provided a breakdown of expenses as follows: $55.5 million in product costs, $17.1 million in professional fees—a good portion of which was likely paid to FireEye’s Mandiant division, attorneys, and any other firms hired as part of the incident investigation and response. Customer support costs were marked at $14.9 million.

    The expenses related to the cybersecurity incident, the company says, include “costs to investigate and remediate the cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred.”

    The company also said that it would be liable for additional costs stemming from the free credit file monitoring and identity theft protection that it is offering all U.S. consumers.

  5. Tomi Engdahl says:

    Wall Street Journal:
    At a congressional hearing, the interim Equifax CEO said he’s not sure if the company is encrypting consumer data stored on its computers

    Equifax CEO to Congress: Not Sure We Are Encrypting Data
    Interim chief should have asked his staff ‘the day he took over,’ analyst says
    https://www.wsj.com/articles/equifax-ceo-to-congress-not-sure-we-are-encrypting-data-1510180486

  6. Tomi Engdahl says:

    Hayley Tsukayama / Washington Post:
    Equifax says it is facing 240 consumer class-action lawsuits, 60 government investigations, and has recorded $87.7M in hack related costs in Q3

    Equifax faces hundreds of class-action lawsuits and an SEC subpoena over the way it handled its data breach
    https://www.washingtonpost.com/news/the-switch/wp/2017/11/09/equifax-faces-hundreds-of-class-action-lawsuits-and-an-sec-subpoena-over-the-way-it-handled-its-data-breach/?utm_term=.4e989a290075

    Equifax, the credit reporting firm, is facing more than 240 class-action lawsuits from consumers — in addition to suits from shareholders and financial institutions — over the way it handled a massive data breach that affected 145.5 million Americans.

    The lawsuits were detailed in the company’s third-quarter earnings report Thursday, its first since revealing the breach in September. The incident prompted three top officials to leave the company, including former chief executive Richard Smith.

    Equifax also said in its filings that it had received subpoenas from the Securities and Exchange Commission, as well as the U.S. Attorney’s Office for the Northern District of Georgia “regarding trading activities by certain of our employees in relation to the cybersecurity incident.”

    To date, SEC Chairman Jay Clayton has not confirmed or denied that the SEC is investigating those executives for insider trading, according to the Associated Press.

    The credit bureau is also facing more than 60 government investigations from states, U.S. federal agencies and the British and Canadian governments, the earnings report revealed.

    Equifax estimates that the breach-related costs will total $87.5 million, including the cost of the free credit-monitoring services it provides to breach victims.

    Equifax reported $834.8 million in revenue in its third quarter, which is up 4 percent from the same time last year; analysts had expected this, as the bulk of the company’s money comes from selling services to other business, not consumers. Profits, however, were down 27 percent from the previous year at $96.3 million — in large part due to the breach.

  8. Tomi Engdahl says:

    Equifax Q3 results: Not as bad as you might have hoped – hack only cost biz about $87m
    Sales up, profits not so much
    https://www.theregister.co.uk/2017/11/10/equifax_q3_results/

  9. Tomi Engdahl says:

    Did you know that the Apache Struts Vulnerability exploited by hackers to disastrous effect at Equifax existed in the code for over four years? This infographic outlines the vulnerability from bug to

    https://www.blackducksoftware.com/download/apache-struts-breach?utm_campaign=Black%20Duck%20Content&utm_content=61636186&utm_medium=social&utm_source=facebook

  10. Tomi Engdahl says:

    Senators Propose New Breach Notification Law
    http://www.securityweek.com/senators-propose-new-breach-notification-law

    Senators Propose New Data Protection Bill Following Equifax and Uber Breaches

    Following the Equifax breach and the hidden Uber breach, three U.S. senators have introduced the Data Security and Breach Notification Act. Its purpose is to ensure better protection of personal information, and to provide a nationwide standard breach notification requirement. It is effectively a re-introduction of the 2015 bill of the same name.

    “The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage,” said Senator Baldwin.

    “We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Nelson. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”

    There are three noteworthy aspects to this bill: 30 days to disclose following a breach; up to five years in prison for failure to do so; and the FTC with NIST to draw up recommendations on the technology or methodologies necessary to avoid such sanctions.
