Equifax Announces Another 2+ Million Were Affected By Breach

Equifax’s problems just keep getting worse.

Not long ago, the company suffered a major data breach that ultimately resulted in the CEO stepping down and a painful congressional grilling. Initial estimates placed the number of impacted users at some 143 million, but as the investigation has continued, it turns out that the numbers are even higher than initially feared. Based on the forensic team’s final report, as many as 145.5 million users were impacted.

In our modern society, there are many who would argue that your credit score is as important, if not more important than your social security number. To arrive at your score, the “Big Three” credit reporting agencies necessarily have to collect a large amount of sensitive information about people, so when they suffer from a breach, it’s bad, and in Equifax’s case, it just keeps getting worse.

Based on the latest information, the compromised data included names, social security numbers, birthdays, and addresses. If that wasn’t bad enough, some 200,000 customers saw their credit card information exposed, along with an unknown number of electronic documents containing PII.

Most of the impacted customers live in the United States, but approximately 80,000 were Canadians.

To put these numbers in full context, Equifax maintains files on more than 800 million people around the world, along with more than 90 million businesses, so the breach, while catastrophic in size, wasn’t nearly as bad as it could have been.

That’s small consolation to the millions who have been impacted, but it’s important to understand that as bad as the breach was, it was quite far from the worst case scenario.

In the aftermath of the breach, the company has come under fire by the US Government, which has charged that the company actually stands to profit from it by selling a credit monitoring service after giving impacted consumers one year free.

In light of the recent congressional hearings on the matter, the future of that program is unclear, but this breach, and its root cause (an unpatched Apache Struts 2 vulnerability) serves to underscore how easy it is for even big multinational companies to fall victim to a determined hacker.

Hackers Infiltrate Deloitte Accounting Firm

Deloitte is not exactly a household name. In fact, unless you use the company’s services, you may not have ever heard of them, even though they’re one of the largest accounting firms in the world.

The company has the distinction of having been named the best cybersecurity consultant company in the world in 2012, and yet, even with that distinction, the company fell victim to a hacking attack that saw their core systems breached.

Company officials became aware of the breach in March, but took great pains to keep their investigation, and details into the matter a closely guarded secret as they monitored the activity of the hackers and worked quietly to solve the problem.

That investigation revealed that the hackers were able to gain access to the company’s data via an email server, all because the admin whose account was compromised had failed to use two-factor authentication, meaning all the hackers had to do to gain access was to acquire a single password. They did so, and the rest is, as they say, history.

Over the span of months that the hacker was active, he was able to gain access to a broad spectrum of information relating to a number of the company’s larger clients, including user names, passwords, IP addresses, health information and architectural diagrams.

So far, six of Deloitte’s clients have been informed of the breach and the potential impact to them. In one of the few public statements made about the matter, a company spokesman reported the following:

• A comprehensive security review has been performed and completed, utilizing assets both inside the company and from third party vendors
• All impacted clients and the appropriate government officials have been contacted
• No disruption to any client’s business has occurred as a result of the breach

As you can see, then, the company has opted for a tight-lipped approach when it comes to releasing details about the breach. This may well work in their specific case, but it is probably not a model to base your own company’s response on in the aftermath of a successful hacking attack.

Literally Every Yahoo Email User Was Hacked In 2013 Breach

Late last year, Yahoo announced that it was the victim of the largest data breach in history. It impacted, by their initial estimates, fully one third of their user base, some one billion users.

As it turns out, Yahoo’s estimates were wildly inaccurate. Literally every person who had a Yahoo account in 2013 was impacted, making the total in the neighborhood of three billion accounts (yes, that’s billion, with a “B”).

If you’re a Yahoo user, and have had your account since 2013 or before, then your account was impacted, regardless of if you received a notification from the company.

You may be tempted to simply delete your account, especially if it’s one you no longer use on a regular basis, but don’t. Yahoo’s policy is to recycle defunct accounts after thirty days, meaning your account can be hijacked by anyone if you delete it.

The best bet is to change your password immediately and enable two-factor authentication to provide an added layer of protection.

Also, if you’re in the habit of using the same password across multiple websites, be sure to change any that share your Yahoo.com account’s password. One of the first things a hacker will try is to use compromised credentials on other accounts. If you don’t take immediate action, you’re essentially handing the hackers the keys to your digital kingdom and opening yourself up to identity theft, compromised bank accounts and credit cards and more.

In fact, this would be a great time to simply get out of the habit of using the same password across multiple web properties. It’s a bad habit, and if it’s one you’ve developed, then it’s time to make a change. True, it’s not as convenient, and having to remember multiple passwords can sometimes be annoying, but isn’t your digital security worth it?

Did Equifax Send Concerned Users To A Phishing Site?

By now, you’ve probably heard that Equifax recently suffered a massive data breach which left them with a considerable amount of egg on their faces.

The investigation into that matter is ongoing, and the company issued a video-based mea culpa to its customers, but unfortunately, the situation for the company just got worse. Here’s the basic timeline of events and where things stand so far:

• The first successful breach against Equifax occurred between May 2017 and July 29, when the intrusion was discovered.
• The secondary breach was just discovered this month, but actually occurred in March of 2017, before the main breach. The company maintains that the earlier attack had nothing to do with the most recent one, although a variety of anonymous sources claim that this is not the case.
• In both cases, Equifax retained the services of security company Mandiant to assist them with the investigation into the breaches
• As part of the company’s formal response to the breaches, they set up a website, “equifaxsecurity2017.com” which was designed as a portal that Equifax customers could use to see if they’ve been impacted by either breach.
• Unfortunately, the company recently sent out a tweet to its customers directing them to “securityequifax2017.com” which is a phishing site, almost certainly set up by the same hackers that attacked the company in the first place.

Equifax representatives quickly caught the mistake and deleted the tweet, but of course, the damage had already been done. As of today, Google Chrome now flags the phishing site as deceptive, but it is likely that at least some of Equifax’s customers clicked the link embedded in their tweet and found themselves on a bogus site.

The attack on Equifax, even considering the impact of the errant tweet, certainly wasn’t the largest hack we’ve seen in 2017 in terms of scope and scale. But it, taken together with the recent hack of the SEC’s EDGAR system, has done tremendous damage to the confidence in our economic system as a whole. Damage is done far beyond the physical size of the attacks and the total number of records impacted.

It’s too soon to say whether this represents a trend, with hackers pursuing some type of agenda-based strategy in preference for simple theft, but recent events could very well be interpreted in that way. Time will tell.

In any case, the answer to the question asked in the headline is yes. For a brief time, Equifax did indeed direct its users via Twitter, to a bogus site.

Many Consumers Would Withdraw Business From Companies If Data Breached

You’ve probably heard the phrase “the customer is always right” a thousand times. It’s a truism in the business world, except when it isn’t. A recent survey released by Gemalto reveals a dismaying dichotomy that’s costing businesses around the world big money.

Only 27 percent of consumers surveyed feel that businesses do enough to protect customer data, and an overwhelming 70 percent of them say that they’d take their business elsewhere if a company suffered a data breach.

Unfortunately, most consumers have exceedingly poor data security habits, with 56 percent admitting to using the same password across multiple web properties and 41 percent failing to take advantage of stronger security measures like two-factor authentication, even when offered by companies.

That puts businesses, rather unfairly, in the crosshairs. They cannot make their customers take advantage of the added security offered, and given the statistics above, they are forced to have to spend even more money since most consumers won’t take significant action to protect themselves or their own data.

Jason Hart, Gemalto’s CTO, had this to say on the matter:

“In the face of upcoming data regulations such as GDPR, it’s now up to businesses to ensure they are forcing security protocols on their customers to keep data secure. It’s no longer enough to offer these solutions as an option. These protocols must be mandatory from the start – otherwise, businesses will face not only financial consequences, but also potentially legal action from consumers.”

Digging more deeply into the details of the survey, we find that consumers trust social media sites the least when it comes to safeguarding their data, with 58 percent of respondents citing these companies as their biggest worry in terms of data security.

Curiously, 33 percent of those surveyed say they trust banks with their personal data, in spite of the fact that banks and other financial institutions are frequent targets and have suffered a number of high profile breaches in recent years.

Regardless, no matter what industry you’re in, if you get breached, your customers are likely to punish you for it, even if you offer them means to make their data more secure.

After Yet Another Equifax Hack, IRS Suspends Contract Worth $7.5M

Equifax just can’t seem to get out of its own way.

Not long ago, the company suffered a massive data breach which saw the sensitive information of more than 145 million consumers exposed.

As a result, congressional hearings were convened, and the CEO resigned in disgrace. Amazingly, though, despite these events, the IRS opted to award the company a contract worth $7.5 million for its help and expertise in verifying taxpayer identification to prevent identity theft.

The irony did not escape the notice of security professionals around the world, who wrote literally hundreds of Op-ed and protest pieces.

Then, Equifax got hacked again. The company’s website was found to have been hacked, redirecting users to a malicious site that sent them to download adware.

Almost as soon as the issue was discovered, Equifax took the page down, insisting that this latest hack was due to a third-party contractor and did not constitute another breach of their network. However, that explanation was insufficient to the IRS, which suspended the recently awarded contract in response.

The decision has real and immediate impact on the nation’s tax payers because it will prevent them from creating new accounts through the IRS’s “Secure Access” program, which provides taxpayer access to transcripts and other records. If you already have an account set up, you will not be impacted.

The decision to pull the contract was seen as a positive development by the congressional committee convened to hold hearings on the matter, which concluded that, given the company’s recent track record, there was no real way to argue that this somehow increased user security.

On the other hand, as was pointed out by IRS Commissioner John Koskinen, the move would prevent literally thousands of recent hurricane victims from accessing their tax information.

Both points are true, but it’s hard to see how it could be argued that pulling the contract was the wrong move, even if it temporarily inconveniences a small percentage of taxpayers.

Black Friday Brings Major Increase In Fraud

Retailers are gearing up for the year’s busiest shopping weekend, which runs from Black Friday to Cyber Monday, but another group is also gearing up.

Scammers.

Security experts are warning that retailers should brace for impact because the best estimates are that there could be as many as fifty million fraud-based attacks between those spectacularly busy shopping days.

The estimate is higher than it’s ever been, and is driven in large part by the sheer number of high profile data breeches that have occurred over the last twelve months.

Account data for hundreds of millions of users flooded the Dark Web on the heels of those attacks. The scammers happily stocked up on them and are more than ready for the holiday season.

According to details provided by ThreatMetrix, the attack will shake out something like this:

• In advance of Black Friday, the scammers will use bots to test the stolen credentials they’ve purchased, tossing the ones that no longer work, and keeping the ones that are still active.

• Once they’ve culled their lists, they’ll spend a bit of time conducting a few million test attacks.

• After they successfully test their software with the valid IDs, they’ll launch large-scale fraud attacks with new user account registrations and attempted fraudulent payments.

According to security researcher Vanita Pandey:

“Many e-commerce merchants choose to accept a greater degree of risk on these key days in order to accept more transactions and reduce the chance that good customers experience friction when placing orders….fraudsters see peak shopping days as the opportunity to make larger purchases/attempt to redeem bigger basket sizes, which are less likely to be flagged as suspicious in among the sea of other high value purchases being made by good customers.”

The long and the short of it is that if you expect to see a spike in sales during the Black Friday – Cyber Monday shopping weekend, brace for a big spike in fraud attempts, too.

Yet Another Credit Card Breach For Hyatt

Hotel giant Hyatt is in the crosshairs again, having suffered its second data breach in two years. Hyatt’s security team recently confirmed the breach as having occurred between March 18 and July 2 of 2017.

While the company has yet to release any information detailing the number of impacted users, simply stating that it was a “small percentage of guests,” we do know that the following information was stolen:

• Credit card numbers
• Cardholder names
• Expiration dates
• And internal verification codes

Of note, no other personal information was obtained, so your name, address, birthdate, etc. remain safe.

It’s also known that the breach impacted 41 of Hyatt’s facilities, spread over 11 countries, including the United States, Brazil, China, Colombia, Guam, India, Indonesia, Japan, Malaysia, Mexico, Puerto Rico, Saudi Arabia and South Korea.

Per Chuck Floyd, Hyatt’s President of Operations:

“Based on our investigation, we understand that such unauthorized access to card data was caused by the insertion of malicious software code from a third party onto certain hotel IT systems. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue.

We worked quickly with leading third-party cybersecurity experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future.

As a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide.”

Interestingly, this statement is eerily similar to the one he was forced to issue last year after the first of the two data breaches.

While it’s understandable to try and put things in the best possible light after an attack like this, the words begin to ring hollow if the attacks keep happening, and it may be more difficult for Hyatt to regain consumer trust after this second incident.

DirecTV Genie DVR May Have A Major Vulnerability

If you have a Genie DVR system, you should be aware of a major security flaw in the firmware that could allow a hacker to take complete control over the device.

At issue is the equipment offered by AT&T as part of their free DireTV WVB Kit. Researchers of the ZDI initiative and Trend Micro discovered a zero-day vulnerability in one of the core components of the system, Linksys WVBR0-25, which is a Linux-powered wireless video bridge. It is this bridge that allows customers to connect up to eight Genie client boxes connected to television sets in customers’ homes.

Trend Micro researcher Ricky Lawshae took a deep dive into the firmware and was able to get the Linksys WVBR0-25 to divulge a wealth of information from the device’s web server, without requiring any sort of authentication whatsoever. There wasn’t even a login screen, just a wall of easy-to-access text, which included:

  • Customer WPS PIN
  • Connected clients
  • Processes currently running

And more. Lawshae had this to say after completing his investigation:

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point I became pretty frustrated.

The vendors involved here should have some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent simple yet impactful bugs from reaching unsuspecting consumers.”

It gets worse, though. When the ZDI Initiative reported this security flaw to the manufacturer, rather than issuing a patch to correct it, they simply ceased all communication. After more than six months of trying, and getting nowhere, ZDI decided to publicize the vulnerability in the hopes that doing so would finally prompt the company to take action.

Until they do, about your only option (aside from simply canceling your service) is to limit the number of devices that can interact with Linksys WVBR0-25 so as to limit your exposure.