Operational Security

9/13/2017
12:30 PM
Simon Marshall

Solving the Problems of an Equifax

The Equifax breach has brought problems to businesses and consumers. Here are steps each can take to make it past the emergency.

The mushroom cloud from the Equifax hack fallout is causing a nuclear winter for consumers. Some of them don't know if they were hit, and are dreading the consequences. Others are no doubt angry that more could have been done to avoid the situation. Meanwhile, no one knows when the cloud will disperse.

In the meantime, I talked to Paige Schaffer, president and COO of the identity protection services global unit at Generali Global Assistance, to find out about the nation's data protection health. Generali provides travel assistance, risk management and insurance, and global identity theft services.

SM: What more do you think the government can do to help consumers avoid data theft?
PS: Government entities should put in place regulations to protect personally identifiable information (PII) and other sensitive data that is collected, stored and transmitted. Payment card industry data security standard (PCI-DSS) protection has been implemented in the credit card industry since 2004, and we should have a similar strict regulation for PII, established as a requirement for everyone.

SM: Could the government be doing more? What about an overarching federal standard?
PS: Yes. Despite the wide-reaching effects of data breaches, there are currently no uniform federal data breach laws in place to which organizations must adhere. This creates confusion and frustration for both companies and consumers, each seeking to define and interpret requirements and expectations. Businesses that experience data breaches must rely on their individual state's laws to determine which type of information triggers a consumer notice, as well as the content and timing and any restitution measures.

Companies with customers in multiple jurisdictions are left with the difficult task of interpreting inconsistencies between state laws. Most states have unique laws regarding when customers must be notified that their data was part of a breach. A federal standard would protect consumers much more effectively. What complicates matters is the fact that nationwide breach notification legislation that has been proposed in the past has sought to nullify existing state laws, thereby preventing states from passing consumer data protection laws in the future.

SM: What does this breach say about the general health of the nation's consumer security, and how easily hackers are able to breach it?
PS: Even in a vacuum, the Equifax breach would have been troubling given that it is reported to have affected hundreds of millions of consumers. In a larger context, it is even more alarming when considering identity theft and cybersecurity statistics that have been recently reported. Identity fraud cost consumers nearly $16 billion last year, up $1 billion from 2015, according to Javelin Strategy & Research.

According to the Identity Theft Resource Center [ITRC], in 2016 nearly 30 million records were exposed from over 700 data breaches, affecting companies across many industries in the US. In fact, the ITRC recently reported that nearly 800 breaches have been logged in 2017 year-to-date, with 63% of incidents resulting from hacking attacks. Clearly, data breaches do not discriminate by industry sector, and companies of all types -- and their customers -- are at risk.

SM: Those stats make for depressing reading.
PS: Loss of consumer confidence is a major issue, as nine out of ten adults agree that consumers have lost control over how their personal information is collected and used by companies, according to Pew Research. With 2017 on pace to reach an all-time high of approximately 1,500 reported data breaches, businesses and consumers alike need to be more prepared than ever to mitigate associated risks.

SM: What legal recourse might consumers have if it's found that their stolen data results in loss of money, privacy or reputation?
PS: Given the lack of federal data breach legislation, it is somewhat difficult to determine what courses of action are available. When a nationwide organization like Equifax experiences a breach, nearly 50 laws -- all different -- may apply. In the case of this particular breach, consumers must be especially cautious with respect to legal recourse.

Equifax may restrict consumers' legal rights, according to the terms of service on their website. Language within the terms of service prevents those who enroll in the Equifax breach assistance program from participating in any class-action lawsuits, one of which has already been filed by ClassAction.com.

The Consumer Financial Protection Bureau recently put in place a rule to ban arbitration clauses, as they were understood to do more harm than good to consumers. In the case of Equifax, this is absolutely the case as the legal language in the service terms restricts individuals impacted by the breach from attempting to -- justifiably -- recoup their financial losses. New York Attorney General Eric Schneiderman has already publicly denounced Equifax's attempt to limit consumers' rights, and others are sure to follow.

Beyond legal recourse, consumers should also be wary of using Equifax's help website as it requires entry of an individual's last name and the final six digits of their Social Security number. This is highly unusual.

SM: What can consumers be doing right now?
PS: In terms of immediate action, consumers should place a 90-day fraud alert with all three credit bureaus. This will prevent any creditors from opening a new line of credit in your name for the next 90 days without first contacting you for approval. Individuals impacted by the breach may also want to consider taking the more stringent approach of placing a freeze on their credit reports with all three bureaus. Unlike fraud alerts, credit freezes stay in place indefinitely, until the customer requests that the freeze be removed.

SM: And what about enterprises? They all profess to some level of security; how can they do better?
PS: More advanced solutions include behavior-based technologies that detect and prevent breaches. For example, if a user or system manipulates an unusual number of files, that behavior will trigger an alert or remove the access rights associated with those files -- automatically protecting the information system and limiting the impact. Behavior-based solutions are currently available for several security tranches, including firewall, email management and file storage management. The most advanced of these utilize cloud-powered solutions that dynamically learn new patterns and apply them.
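The file-access behavior control Schaffer describes above, as an added example that is not part of the original interview and not code from Generali or any vendor: a small Python detector that counts the distinct files each user touches per five-minute window, baselines each user against their own earlier windows, and returns an alert carrying a revoke action when the latest window is anomalous. The audit-log format, the usernames and paths, and the "revoke_share_access" action name are all constructed for this example.

```python
"""Behavior-based detection of unusual file access (added example).

Hypothetical audit-log format, one event per line (constructed, not a real product's):
    <ISO-8601 timestamp> <user> <read|write|delete> <path>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

EPOCH = datetime(1970, 1, 1)

# Constructed sample log (not real data). alice and bob each touch one or two
# files per five-minute window; then alice reads twelve distinct files in a
# single window, the "unusual number of files" case from the interview.
SAMPLE_LOG = """\
2017-09-12T09:00:10 alice read /share/finance/q1.xlsx
2017-09-12T09:01:00 bob read /share/eng/design.md
2017-09-12T09:02:30 alice read /share/finance/q2.xlsx
2017-09-12T09:05:15 alice read /share/finance/budget.docx
2017-09-12T09:06:00 bob read /share/eng/spec.md
2017-09-12T09:07:40 alice write /share/finance/q2.xlsx
2017-09-12T09:08:00 bob write /share/eng/notes.txt
2017-09-12T09:11:05 alice read /share/hr/policy.pdf
2017-09-12T09:12:00 bob read /share/eng/design.md
2017-09-12T09:13:20 alice read /share/finance/q1.xlsx
2017-09-12T09:16:00 bob read /share/eng/spec.md
2017-09-12T09:17:00 bob read /share/eng/roadmap.md
""" + "\n".join(
    f"2017-09-12T09:15:{i:02d} alice read /share/finance/archive/{i:02d}.xlsx"
    for i in range(1, 13)
) + "\n"


def parse_log(text):
    """Parse log lines into (timestamp, user, action, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def files_per_window(events, window=timedelta(minutes=5)):
    """Distinct files touched by each user in each fixed window, oldest window first.

    Bucketing uses seconds since a naive epoch so results do not depend on the
    host's local time zone.
    """
    touched = defaultdict(lambda: defaultdict(set))
    width = window.total_seconds()
    for ts, user, _action, path in events:
        slot = int((ts - EPOCH).total_seconds() // width)
        touched[user][slot].add(path)
    return {user: [len(slots[s]) for s in sorted(slots)]
            for user, slots in touched.items()}


def detect(events, window=timedelta(minutes=5), k=3.0, floor=5, min_history=3):
    """Flag users whose latest window exceeds their own baseline.

    Threshold is max(mean + k * population stdev of the earlier windows, floor).
    The floor matters: a perfectly flat history has stdev 0, and without it a
    single extra file would alert. Users with fewer than min_history earlier
    windows are skipped because there is nothing to baseline against.
    Returns one alert dict per flagged user, including the automated response.
    """
    alerts = []
    for user, counts in files_per_window(events, window).items():
        if len(counts) < min_history + 1:
            continue
        *history, latest = counts
        threshold = max(statistics.mean(history) + k * statistics.pstdev(history), floor)
        if latest > threshold:
            alerts.append({
                "user": user,
                "files": latest,
                "threshold": round(threshold, 1),
                # Hypothetical response: pull the share permission pending triage.
                "action": "revoke_share_access",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this flags only alice (12 files against a threshold of 5) and leaves bob alone. The per-user baseline is what keeps a naturally busy account from tripping on normal volume; in practice the window, `k` and `floor` need tuning per share, and an automatic revoke should exempt known batch identities or it will lock out legitimate bulk jobs.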

— Simon Marshall, Technology Journalist, special to Security Now