Dark Reading is part of the Informa Tech Division of Informa PLC

Operational Security

9/13/2017
12:30 PM
Simon Marshall

Solving the Problems of an Equifax

The Equifax breach has brought problems to businesses and consumers. Here are steps each can take to make it past the emergency.

The mushroom cloud from the Equifax hack fallout is causing a nuclear winter for consumers. Some of them don't know if they were hit, and are dreading the consequences. Others are no doubt angry that more could have been done to avoid the situation. Meanwhile, no one knows when the cloud will disperse.

In the meantime, I talked to Paige Schaffer, president and COO of the identity protection services global unit at Generali Global Assistance, about the state of the nation's data protection. Generali provides travel assistance, risk management and insurance, and global identity theft services.

SM: What more do you think the government can do to help consumers avoid data theft?
PS: Government entities should put in place regulations to protect personally identifiable information (PII) and other sensitive data that is collected, stored and transmitted. The Payment Card Industry Data Security Standard (PCI DSS) has been implemented in the credit card industry since 2004, and we should have a similar strict regulation for PII, established as a requirement for everyone.

SM: Could the government be doing more? What about an overarching federal standard?
PS: Yes. Despite the wide-reaching effects of data breaches, there are currently no uniform federal data breach laws in place to which organizations must adhere. This creates confusion and frustration for both companies and consumers, each seeking to define and interpret requirements and expectations. Businesses that experience data breaches must rely on their individual state's laws to determine which type of information triggers a consumer notice, as well as the content and timing and any restitution measures.

Companies with customers in multiple jurisdictions are left with the difficult task of interpreting inconsistencies between state laws. Most states have unique laws regarding when customers must be notified that their data was part of a breach. A federal standard would protect consumers much more effectively. What complicates matters is the fact that nationwide breach notification legislation that has been proposed in the past has sought to nullify existing state laws, thereby preventing states from passing consumer data protection laws in the future.

SM: What does this breach say about the general health of the nation's consumer security, and how easily hackers are able to breach it?
PS: Even in a vacuum, the Equifax breach would have been troubling given that it is reported to have affected hundreds of millions of consumers. In a larger context, it is even more alarming when considering identity theft and cybersecurity statistics that have been recently reported. Identity fraud cost consumers nearly $16 billion last year, up $1 billion from 2015, according to Javelin Strategy & Research.

According to the Identity Theft Resource Center (ITRC), in 2016 nearly 30 million records were exposed from over 700 data breaches, affecting companies across many industries in the US. In fact, the ITRC recently reported that nearly 800 breaches have been logged in 2017 year-to-date, with 63% of incidents resulting from hacking attacks. Clearly, data breaches do not discriminate by industry sector, and companies of all types -- and their customers -- are at risk.

SM: Those stats make for depressing reading.
PS: Loss of consumer confidence is a major issue, as nine out of ten adults agree that consumers have lost control over how their personal information is collected and used by companies, according to Pew Research. With 2017 on pace to reach an all-time high of approximately 1,500 reported data breaches, businesses and consumers alike need to be more prepared than ever to mitigate associated risks.


SM: What legal recourse might consumers have if it's found that their stolen data results in loss of money, privacy or reputation?
PS: Given the lack of federal data breach legislation, it is somewhat difficult to determine what courses of action are available. When a nationwide organization like Equifax experiences a breach, nearly 50 laws -- all different -- may apply. In the case of this particular breach, consumers must be especially cautious with respect to legal recourse.

Equifax may restrict consumers' legal rights, according to the terms of service on their website. Language within the terms of service prevents those who enroll in the Equifax breach assistance program from participating in any class-action lawsuits, one of which has already been filed by ClassAction.com.

The Consumer Financial Protection Bureau recently put in place a rule to ban arbitration clauses, as they were understood to do more harm than good to consumers. In the case of Equifax, this is absolutely the case as the legal language in the service terms restricts individuals impacted by the breach from attempting to -- justifiably -- recoup their financial losses. New York Attorney General Eric Schneiderman has already publicly denounced Equifax's attempt to limit consumers' rights, and others are sure to follow.

Beyond legal recourse, consumers should also be wary of using Equifax's help website as it requires entry of an individual's last name and the final six digits of their Social Security number. This is highly unusual.

SM: What can consumers be doing right now?
PS: In terms of immediate action, consumers should place a 90-day fraud alert with all three credit bureaus. This will prevent any creditors from opening a new line of credit in your name for the next 90 days without first contacting you for approval. Individuals impacted by the breach may also want to consider taking the more stringent approach of placing a freeze on their credit reports with all three bureaus. Unlike fraud alerts, credit freezes stay in place indefinitely, until the customer requests that they be removed.

SM: And what about enterprises? They all profess to some level of security; how can they do better?
PS: More advanced solutions include behavior-based technologies that detect and prevent breaches. For example, if a user or system manipulates an unusual number of files, that behavior will trigger an alert or remove the access rights associated with those files -- automatically protecting the information system and limiting the impact. Behavior-based solutions are currently available for several security tranches, including firewall, email management and file storage management. The most advanced of these utilize cloud-powered solutions that dynamically learn new patterns and apply them.
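The behavior-based control Schaffer describes above, as an added illustration that is not part of the interview and is not Generali's or any vendor's product code: a per-user baseline of how many distinct files are normally touched in a five-minute window is learned from historical audit events, a live window that exceeds that baseline (or an absolute floor) raises an alert, and the flagged principal is queued for access revocation. The audit-log format, user names, window size, the `k` and `floor` thresholds and all log lines are constructed assumptions for the example.

```python
"""Behavior-based mass-file-access detection over constructed audit-log lines.

Added example, not code from the article or from Generali. The log format
('<ISO timestamp> <user> <action> <path>'), the users, the thresholds and the
sample events below are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW_MINUTES = 5  # assumed tumbling-window size for counting file activity


def parse_line(line):
    """Parse one constructed audit-log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def window_start(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES tumbling window."""
    m = ts.minute - ts.minute % WINDOW_MINUTES
    return ts.replace(minute=m, second=0, microsecond=0)


def files_per_window(events):
    """Map (user, window_start) -> set of distinct paths the user touched in that window."""
    buckets = defaultdict(set)
    for ts, user, _action, path in events:
        buckets[(user, window_start(ts))].add(path)
    return buckets


def build_baseline(history):
    """Per-user mean and population std-dev of distinct files per window, from past events."""
    counts = defaultdict(list)
    for (user, _w), paths in files_per_window(history).items():
        counts[user].append(len(paths))
    return {user: (mean(c), pstdev(c)) for user, c in counts.items()}


def detect(live, baseline, k=3.0, floor=20):
    """Alert when a user touches more distinct files in a window than mean + k*sigma allows.

    'floor' is an absolute minimum so that users with tiny, stable baselines
    (or no baseline at all) do not alert on ordinary day-to-day noise.
    """
    alerts = []
    for (user, w), paths in sorted(files_per_window(live).items()):
        mu, sigma = baseline.get(user, (0.0, 0.0))
        threshold = max(floor, mu + k * sigma)
        if len(paths) > threshold:
            alerts.append({"user": user, "window": w.isoformat(),
                           "files": len(paths), "threshold": threshold})
    return alerts


def users_to_revoke(alerts):
    """Automated response: the set of principals whose access rights should be pulled."""
    return {a["user"] for a in alerts}


def constructed_history():
    """Constructed: over an hour, alice touches 3-5 and bob 4-5 distinct files per window."""
    lines = []
    t0 = datetime(2017, 9, 12, 9, 0, 0)
    for w in range(12):
        for user, n in (("alice", 3 + w % 3), ("bob", 4 + w % 2)):
            for i in range(n):
                ts = t0 + timedelta(minutes=WINDOW_MINUTES * w, seconds=10 * i)
                lines.append(f"{ts.isoformat()} {user} READ /share/{user}/doc{i}.docx")
    return [parse_line(line) for line in lines]


def constructed_live():
    """Constructed: alice behaves normally; bob writes 80 '*.locked' files in 80 seconds."""
    t0 = datetime(2017, 9, 13, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=15 * i)).isoformat()} alice READ /share/alice/doc{i}.docx"
             for i in range(4)]
    lines += [f"{(t0 + timedelta(seconds=i)).isoformat()} bob WRITE /share/hr/file{i}.docx.locked"
              for i in range(80)]
    return [parse_line(line) for line in lines]


def run_demo():
    """Build the baseline from history, score the live events, return (alerts, revoked users)."""
    alerts = detect(constructed_live(), build_baseline(constructed_history()))
    return alerts, users_to_revoke(alerts)


if __name__ == "__main__":
    found, revoked = run_demo()
    for a in found:
        print(f"ALERT user={a['user']} window={a['window']} files={a['files']} threshold={a['threshold']:.1f}")
    print("revoke access for:", sorted(revoked))
```

In a real deployment the baseline would be refreshed continuously (the "dynamically learn new patterns" point in the answer) and the revocation step would call the file server's or identity provider's API rather than return a set; the threshold choice is the part worth tuning, since a low `floor` floods analysts with alerts from legitimate bulk operations such as backups and migrations, while a high one lets a slow encryptor stay under the line.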

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13151
PUBLISHED: 2020-08-05
Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use ...
CVE-2017-18112
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...