Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

9/13/2017
12:30 PM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Solving the Problems of an Equifax

The Equifax breach has brought problems to businesses and consumers. Here are steps each can take to make it past the emergency.

The mushroom cloud from the Equifax hack fallout is causing a nuclear winter for consumers. Some of them don't know if they were hit, and are dreading the consequences. Others are no doubt angry that more could have been done to avoid the situation. Meanwhile, no one knows when the cloud will disperse.

In the meantime, I talked to Paige Schaffer, president and COO of identity protection services global unit with Generali Global Assistance, to find out about the nation's data protection health. Generali provides travel assistance, risk management and insurance, and global identity theft services.

SM: What more do you think the government can do to help consumers avoid data theft?
PS: Government entities should put in place regulations to protect personally identifiable information (PII) and other sensitive data that is collected, stored and transmitted. Payment card industry data security standard (PCI-DSS) protection has been implemented in the credit card industry since 2004, and we should have a similar strict regulation for PII, established as a requirement for everyone.

Paige Schaffer, President & COO, Identity and Digital Protection Services Global Unit, Generali  Global Assistance\r\n
Paige Schaffer, President & COO, Identity and Digital Protection Services Global Unit, Generali
Global Assistance

\r\n

Could the government be doing more? What about an overarching federal standard?
Yes. Despite the wide-reaching effects of data breaches, there are currently no uniform federal data breach laws in place to which organizations must adhere. This creates confusion and frustration for both companies and consumers, each seeking to define and interpret requirements and expectations. Businesses that experience data breaches must rely on their individual state's laws to determine which type of information triggers a consumer notice, as well as the content and timing and any restitution measures.

Companies with customers in multiple jurisdictions are left with the difficult task of interpreting inconsistencies between state laws. Most states have unique laws regarding when customers must be notified that their data was part of a breach. A federal standard would protect consumers much more effectively. What complicates matters is the fact that nationwide breach notification legislation that has been proposed in the past has sought to nullify existing state laws, thereby preventing states from passing consumer data protection laws in the future.

What does this breach say about the general health of the nation's consumer security, and how easily hackers are able to breach it?
Even in a vacuum, the Equifax breach would have been troubling given that it is reported to have affected hundreds of millions of consumers. In a larger context, it is even more alarming when considering identity theft and cybersecurity statistics that have been recently reported. Identity fraud cost consumers nearly $16 billion last year, up $1 billion from 2015, according to Javelin Strategy & Research.

According to the Identity Theft Resource Center [ITRC], in 2016 nearly 30 million records were exposed from over 700 data breaches, affecting companies across many industries in the US. In fact, the ITRC recently reported that nearly 800 breaches have been logged in 2017 year-to-date, with 63% of incidents resulting from hacking attacks. Clearly, data breaches do not discriminate by industry sector, and companies of all types -- and their customers -- are at risk.

Those stats make for depressing reading.
Loss of consumer confidence is a major issue, as nine out of ten adults agree that consumers have lost control over how their personal information is collected and used by companies, according to Pew Research. With 2017 on pace to reach an all-time high of approximately 1,500 reported data breaches, businesses and consumers alike need to be more prepared than ever to mitigate associated risks.


Want to learn more about how LTE-A Pro and Gigabit LTE will impact the 5G market? Join us in San Francisco for LTE Advanced Pro and Gigabit LTE: The Path to 5G event – a free breakfast colocated at Mobile World Congress Americas with a keynote address by Sprint's COO Günther Ottendorfer.

What legal recourse might consumers have if it's found that their stolen data results in loss of money, privacy or reputation?
Given the lack of federal data breach legislation, it is somewhat difficult to determine what courses of action are available. When a nationwide organization like Equifax experiences a breach, nearly 50 laws -- all different -- may apply. In the case of this particular breach, consumers must be especially cautious with respect to legal recourse.

Equifax may restrict consumers' legal rights, according to the terms of service on their website. Language within the terms of service prevents those who enroll in the Equifax breach assistance program from participating in any class-action lawsuits, one of which has already been filed by ClassAction.com.

The Consumer Financial Protection Bureau recently put in place a rule to ban arbitration clauses, as they were understood to do more harm than good to consumers. In the case of Equifax, this is absolutely the case as the legal language in the service terms restricts individuals impacted by the breach from attempting to -- justifiably -- recoup their financial losses. New York Attorney General Eric Schneiderman has already publicly denounced Equifax's attempt to limit consumers' rights, and others are sure to follow.

Beyond legal recourse, consumers should also be wary of using Equifax's help website as it requires entry of an individual's last name and the final six digits of their Social Security number. This is highly unusual.

What can consumers be doing right now?
In terms of immediate action, consumers should place a 90-day fraud alert with all three credit bureaus. This will prevent any creditors from opening a new line of credit in your name for the next 90 days without first contacting you for approval. Individuals impacted by the breach may also want to consider taking the more stringent approach of placing a freeze on their credit reports with all three bureaus. Unlike fraud alerts, credit freezes stay in place indefinitely, until the customer requests it to be removed.

And what about enterprises? They all profess to some level of security, how can they do better?
More advanced solutions include behavior-based technologies that detect and prevent breaches. For example, if a user or system manipulates an unusual number of files, that behavior will trigger an alert or remove the access rights associated with those files -- automatically protecting the information system and limiting the impact. Behavior-based solutions are currently available for several security tranches, including firewall, email management and file storage management. The most advanced of these utilize cloud-powered solutions that dynamically learn new patterns and apply them.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36197
PUBLISHED: 2021-05-13
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
CVE-2020-36198
PUBLISHED: 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP...
CVE-2021-28799
PUBLISHED: 2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...
CVE-2021-22155
PUBLISHED: 2021-05-13
An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s acco...
CVE-2021-23134
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.