The news of the recent Equifax breach has brought new insights and revelations into the world of identity theft. It has also led to the creation of new policies for the protection of personal information. With so many companies sharing a common vulnerability, it is important that consumers take steps to ensure that their personal data is kept secure.
Cyberattacks are no longer an if, but a when situation
Cyberattacks are no longer an “if”, but a “when.” In fact, cyberattacks are increasing at an alarming rate. They affect individual internet users, businesses, government agencies, and many more. And they are causing trillions of dollars in damages each year.
Recent cyber-attacks have come from hackers, nation-states, and even hacktivist groups. These attackers are using phishing emails, malware infections, and compromised credentials to target systems and steal information.
A cybersecurity attack against dating app MeetMindful in January 2021 was particularly devastating. The attackers stole the Facebook account tokens of all the account holders and also took their full names.
Another major attack on a dating website in March 2021 caused the company to pay $40 million to settle the lawsuit against its cyberattackers. That attack included the theft of data from almost 1.4 million people.
In 2022, the war between Russia and Ukraine exacerbated the global trend of cyberattacks. Russian state-sponsored hackers launched coordinated attacks on critical services in Ukraine.
According to the National Institute of Standards and Technology (NIST), cyber attacks increase each year. It’s estimated that 53 percent of them result in damages of $500,000.
Data breaches from cyber criminals have risen to become the most expensive category of cyber crime. As identity information is exposed through cloud services, the risk of theft increases.
In addition to information theft, cyber attacks can include denial of service attacks, ransomware, and more. Various frameworks have been created to help organizations protect themselves from these threats.
Hackers exploited an Equifax vulnerability
A recent article from Bloomberg Businessweek examines the Equifax breach from several perspectives. The analysis points to several clues regarding the nature of the stolen data.
Initially, the attackers gained access to the consumer complaint web portal. However, they moved on to other servers in the Equifax network. They gained access to additional databases that contained unencrypted usernames and passwords. In addition, they were able to find a database containing PII, including birth dates and Social Security numbers.
A few weeks after the breach, Equifax hired a security consulting firm called Mandiant to review its systems. As part of their analysis, they identified several flaws. One of these was a vulnerability in “Apache Struts”, a software framework used by thousands of websites.
Although the vulnerability was known to the company’s IT department, it was not acted upon. That is, until March 15, when a series of scans by the department revealed multiple vulnerable systems.
This prompted the company to take the steps needed to ensure the safety of its users. Specifically, Equifax created a “need to know” policy, which dictated that administrators apply patches to affected systems within 48 hours. On the same day, the company added new rules to its intrusion prevention system.
While these measures did not necessarily prevent the hack, they did demonstrate that the company did care about protecting its customers’ privacy. It also indicated that Equifax is more than just a service provider.
Credit freezes and monitoring services are still the best way to determine whether your personal data has been stolen or your identity misused
A credit freeze is a tool that is designed to prevent unauthorized access to your credit report. It is also a way to prevent thieves from opening new accounts in your name.
Whether you are worried about identity theft or want to protect yourself from other fraudulent actions, it’s worth taking a minute to learn about a credit freeze.
Several federal, state, and local agencies have access to your credit file. If you are suspicious of anything on your report, contact the agency to verify the claim.
Some states allow you to freeze your credit for free. Other states require you to pay a small fee.
You can freeze and unfreeze your credit at the same time, but it can be a little cumbersome. That’s why you should only freeze one account at a time.
The best way to protect your personal information is by using a variety of security measures. This includes keeping your home computer and other devices updated with antivirus software and locking down your mobile phones. Also, it’s a good idea to monitor your bank statements and credit card statements for unauthorized activity.
You can also create a system to keep track of your papers and records. For example, you could create a log of all your phone calls and record the date of each call. Or, you can use a virtual private network (VPN) when you are on public wi-fi.
Chicago filed a complaint alleging violations of the Illinois Personal Information Privacy Act, the Illinois Consumer Fraud and Deceptive Business Practices Act and the Chicago Consumer Fraud ordinance
When Equifax announced a massive data breach on September 7, 2017, consumers were unaware that criminals had acquired sensitive information. Fortunately, Equifax averted a major disaster and recovered materially from the incident. The company did, however, suffer from a few glaring missteps in its attempts to protect the information of more than 145 million Americans.
For instance, Equifax failed to adequately patch the Apache Struts web application programming interface vulnerability that caused the breach. It also opted for the less-than-optimal route of using a mandatory arbitration clause to resolve the dispute. This may have been one of the biggest security blunders by a big name in the credit reporting industry.
In addition, Equifax misled its customers by representing its credit monitoring services as a freebie. As a result, the company incurred at least one lawsuit from the state of California. Another was filed by the city of Chicago.
In other words, if not for the data breach, there’s a decent chance that the Equifax name would be synonymous with identity theft. Unfortunately, the company did little to ensure the safety of PII in the digital age.
To make matters worse, Equifax is facing a growing wave of consumer lawsuits from states and local governments. Some of these are aimed at Equifax for failing to notify consumers of the magnitude of the data breach. Others are targeted at Experian and TransUnion for the same reason. Several states have weighed in on the matter, including Illinois, Massachusetts, and Indiana.
Jeffery trolls the dark web for stolen personal data
The Equifax breach is officially over a year old, but that doesn’t mean you can’t learn a thing or two from the scads of data breaches that plagued the industry for much, much longer. For example, last month marked the anniversary of a high-profile data breach that hit Marriott hotels, as well as the Equifax name. So far, we’ve learned the name of the CEO who managed the business, a few notable names in the credit card business, and the names of the perpetrators. We’ve also seen several new entrants to the fray take the stage. This is a good time to start thinking about your digital privacy and the nexus between the two.
What’s more, the company has been forced to restructure and reevaluate the way it collects and manages customer data. One of the most important changes is a new CEO named Mark Begor, who rewrote the company’s data security protocol. While the company’s recent past is a bit tainted by the data breaches, a new leadership team has a renewed sense of urgency to better safeguard customers’ data. Despite the best efforts, it appears that some Equifax employees remained steadfast in their belief that security was a privilege rather than a right. As a result, it’s not surprising that the company has already awarded a multimillion-dollar fraud-prevention contract.
Security measures are no longer an if, but a when situation
Equifax, a major American consumer reporting agency, suffered a massive data breach in early March. In addition to personally identifiable information (PII), the breach included names, Social Security numbers, and dates of birth. Approximately 145 million Americans were affected.
Although the scope of the incident is still unknown, investigators believe the attackers gained access to the company’s consumer complaint web portal. They then moved to other servers and databases, where they were able to pull unencrypted usernames and passwords. Ultimately, they executed 9,000 database queries.
A month later, Equifax noticed suspicious activity in its network. As a result, it hired cybersecurity firm Mandiant to examine its systems. It learned that several of its systems were misconfigured. These weaknesses left it vulnerable to an attack.
After the discovery of the Apache Struts vulnerability, the Equifax IT department performed scans on its systems. The scans identified multiple vulnerable systems. However, they were not able to identify the systems that were most vulnerable.
During an April meeting, Equifax senior management discussed the Struts vulnerability and recommended that its information security team apply a patch to all the affected systems. However, the security team failed to follow up.
Following this, Equifax informed its customers about the data breach. It then notified the National Institute of Standards and Technology about the vulnerability, claiming that it was the highest-ranked. However, the company waited until September to publicly announce the breach.
