Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
12:30 PM
Simon Marshall
Simon Marshall
Simon Marshall

Solving the Problems of an Equifax

The Equifax breach has brought problems to businesses and consumers. Here are steps each can take to make it past the emergency.

The mushroom cloud from the Equifax hack fallout is causing a nuclear winter for consumers. Some of them don't know if they were hit, and are dreading the consequences. Others are no doubt angry that more could have been done to avoid the situation. Meanwhile, no one knows when the cloud will disperse.

In the meantime, I talked to Paige Schaffer, president and COO of identity protection services global unit with Generali Global Assistance, to find out about the nation's data protection health. Generali provides travel assistance, risk management and insurance, and global identity theft services.

SM: What more do you think the government can do to help consumers avoid data theft?
PS: Government entities should put in place regulations to protect personally identifiable information (PII) and other sensitive data that is collected, stored and transmitted. Payment card industry data security standard (PCI-DSS) protection has been implemented in the credit card industry since 2004, and we should have a similar strict regulation for PII, established as a requirement for everyone.

Paige Schaffer, President & COO, Identity and Digital Protection Services Global Unit, Generali  Global Assistance\r\n
Paige Schaffer, President & COO, Identity and Digital Protection Services Global Unit, Generali
Global Assistance


Could the government be doing more? What about an overarching federal standard?
Yes. Despite the wide-reaching effects of data breaches, there are currently no uniform federal data breach laws in place to which organizations must adhere. This creates confusion and frustration for both companies and consumers, each seeking to define and interpret requirements and expectations. Businesses that experience data breaches must rely on their individual state's laws to determine which type of information triggers a consumer notice, as well as the content and timing and any restitution measures.

Companies with customers in multiple jurisdictions are left with the difficult task of interpreting inconsistencies between state laws. Most states have unique laws regarding when customers must be notified that their data was part of a breach. A federal standard would protect consumers much more effectively. What complicates matters is the fact that nationwide breach notification legislation that has been proposed in the past has sought to nullify existing state laws, thereby preventing states from passing consumer data protection laws in the future.

What does this breach say about the general health of the nation's consumer security, and how easily hackers are able to breach it?
Even in a vacuum, the Equifax breach would have been troubling given that it is reported to have affected hundreds of millions of consumers. In a larger context, it is even more alarming when considering identity theft and cybersecurity statistics that have been recently reported. Identity fraud cost consumers nearly $16 billion last year, up $1 billion from 2015, according to Javelin Strategy & Research.

According to the Identity Theft Resource Center [ITRC], in 2016 nearly 30 million records were exposed from over 700 data breaches, affecting companies across many industries in the US. In fact, the ITRC recently reported that nearly 800 breaches have been logged in 2017 year-to-date, with 63% of incidents resulting from hacking attacks. Clearly, data breaches do not discriminate by industry sector, and companies of all types -- and their customers -- are at risk.

Those stats make for depressing reading.
Loss of consumer confidence is a major issue, as nine out of ten adults agree that consumers have lost control over how their personal information is collected and used by companies, according to Pew Research. With 2017 on pace to reach an all-time high of approximately 1,500 reported data breaches, businesses and consumers alike need to be more prepared than ever to mitigate associated risks.

Want to learn more about how LTE-A Pro and Gigabit LTE will impact the 5G market? Join us in San Francisco for LTE Advanced Pro and Gigabit LTE: The Path to 5G event – a free breakfast colocated at Mobile World Congress Americas with a keynote address by Sprint's COO Günther Ottendorfer.

What legal recourse might consumers have if it's found that their stolen data results in loss of money, privacy or reputation?
Given the lack of federal data breach legislation, it is somewhat difficult to determine what courses of action are available. When a nationwide organization like Equifax experiences a breach, nearly 50 laws -- all different -- may apply. In the case of this particular breach, consumers must be especially cautious with respect to legal recourse.

Equifax may restrict consumers' legal rights, according to the terms of service on their website. Language within the terms of service prevents those who enroll in the Equifax breach assistance program from participating in any class-action lawsuits, one of which has already been filed by ClassAction.com.

The Consumer Financial Protection Bureau recently put in place a rule to ban arbitration clauses, as they were understood to do more harm than good to consumers. In the case of Equifax, this is absolutely the case as the legal language in the service terms restricts individuals impacted by the breach from attempting to -- justifiably -- recoup their financial losses. New York Attorney General Eric Schneiderman has already publicly denounced Equifax's attempt to limit consumers' rights, and others are sure to follow.

Beyond legal recourse, consumers should also be wary of using Equifax's help website as it requires entry of an individual's last name and the final six digits of their Social Security number. This is highly unusual.

What can consumers be doing right now?
In terms of immediate action, consumers should place a 90-day fraud alert with all three credit bureaus. This will prevent any creditors from opening a new line of credit in your name for the next 90 days without first contacting you for approval. Individuals impacted by the breach may also want to consider taking the more stringent approach of placing a freeze on their credit reports with all three bureaus. Unlike fraud alerts, credit freezes stay in place indefinitely, until the customer requests it to be removed.

And what about enterprises? They all profess to some level of security, how can they do better?
More advanced solutions include behavior-based technologies that detect and prevent breaches. For example, if a user or system manipulates an unusual number of files, that behavior will trigger an alert or remove the access rights associated with those files -- automatically protecting the information system and limiting the impact. Behavior-based solutions are currently available for several security tranches, including firewall, email management and file storage management. The most advanced of these utilize cloud-powered solutions that dynamically learn new patterns and apply them.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file