The Equifax Breach

Published October 24, 2017

Data security is a major focal point for CAO because of the sensitive nature of the information that is gathered and maintained. It is crucial that the data is secured against targeted attacks, hacking, and viral infections. It is equally important that the staff of CAO understand its importance and take ownership of the security assurance process.

Daily, we hear of data breaches occurring all over the world, even at organizations that we have confidence in to protect our information. As you can see, it is not easy and requires full compliance of everyone to help make security measures work. As we have found with the most recent Equifax breach, a break in process led to a breach that affected millions.

____________________________________________________

A major credit reporting bureau recently announced a data security breach. The breach was discovered July 29, 2017, and the unauthorized data access occurred from May through July 2017. The recent press release made by Equifax on September 8, 20-16 provides details of the following key facts:

  • A U.S. website application vulnerability was exploited by criminals to gain access to some files.
  • There is currently no evidence of unauthorized activity on core consumer or commercial credit reporting databases.  
  • The company is conducting an assessment and providing recommendations on next steps.
  • Social Security numbers, birth dates, addresses and even driver's license numbers of approximately 143 million people have been compromised.

The Identity Theft Resource Center ranked 2016 as a record year for data breaches. The San Diego-based nonprofit recorded 1,093 U.S. incidents, a 40 percent increase over the previous year. Here's a quick look at those breaches by industry sector:

  • Business: 494 incidents (45.2%)
  • Healthcare/medical: 377 (34.5%)
  • Education: 98 (9%)
  • Government/military: 72 (6.6%)
  • Banking/credit/financial: 52 (4.8%)

It might feel like cybercriminals keep coming up with new ways to steal data. But do they? The 2017 Verizon Data Breach Investigations Report identifies nine "patterns" that criminals use. They mostly remain consistent year after year and accounted for 88 percent of breaches.

 

How does it happen? Based on the report, here's how:

Insider and privilege misuse: Company insiders know the value of information and sometimes they steal it. Maybe they sell it or use it to start a new company. The theft of organizational resources accounts for 60% of data breaches.

Physical theft and loss: A laptop left in a hotel lobby can lead to a breach. More often, breaches involve paper documents. The loss of physical assets can be deliberate or accidental.

Denial of service: These attacks target networks and systems. Distributed denial of service attacks often target large organizations. The cyberattacks flood and overload systems, disrupting service.

Crimeware: This includes various types of malware, short for malicious software. For instance, ransomware attacks hold computer files hostage. Attackers seek payment to unlock them.

Web application attacks: When you sign up for a web application, you often share personal details. Attackers steal data such as names, addresses and other information and use them elsewhere.

Payment card skimmers: Criminals can place a skimming device on a credit card reader to steal personal and financial information. Two popular targets: ATMs and gas pump terminals.

Cyber-espionage: This is a malicious email linked to state-affiliated actors. The goal is to pierce a system and steal information over time.

Point-of-sale intrusions: Remote attacks target point-of-sale terminals and controllers. Restaurants and small businesses have seen increased assaults.

Miscellaneous errors: Accidents compromise data. This includes the inadvertent release or loss of anything containing sensitive data.

Everything else: This "pattern" has variety. Lately, it includes compromised email accounts, where a company "CEO" might order a wire transfer for a believable reason. When someone in company finance, say, follows the bogus directive and wires money to a criminal's account, it can have unbelievable results.

 

Resources

  • Click Here for the Equifax Security 2017 web page
  • Click Here for the Identity Theft Resource Center

 

CAO has secured SecurityMetrics to help mitigate CAO’s risk from cyber breaches and crimes.
