The #DataInsecurity Digest | Issue 54

Issue 54 | October 18, 2017

#DataInsecurity Digest: Equifax aftermath continues; cyber veteran to head DHS

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: President Trump’s new pick to head DHS, cyber veteran Kirstjen Nielsen, will certainly have her hands full as the aftermath of the Equifax breach continues. Equifax grabbed new headlines this week when a second breach came to light. This time, hackers prompted visitors to Equifax’s website to download a fraudulent Adobe Flash update, which could compromise their computers. This recent revelation caused the IRS to pause a $7.1 million contract with Equifax over security concerns. Meanwhile, Hyatt Hotels was once again the subject of a point-of-sale data breach when 41 of its properties’ systems were attacked, leading to compromised customer credit card information. 

On to the clips!

—————–

Equifax breach 2.0. After compromising 145.5 million consumers’ sensitive data, Equifax is the subject of a second data breach. @dangoodin001 reports that “For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors’ computers with adware…” (Source: Ars Technica)

Equifax blames its vendor for the mistake. Equifax told Politico’s Morning Cybersecurity that the new breach was not a hack, but rather the result of faulty code used by a vendor. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.” (Source: Politico

IRS suspends contract with Equifax. After news broke of a second Equifax data breach, the IRS temporarily suspended its $7.1 million data security contract with the troubled credit bureau. The contract was meant to provide fraud prevention and taxpayer identification services for the IRS. @KathyKristof reports that “The agency does not believe that any data the IRS has shared with Equifax to date has been compromised, but the suspension was taken as ‘a precautionary step.’” (Source: CBS News

CEOs pivot their focus to cybersecurity. A KPMG LLP survey found that CEOs now rank cybersecurity as their top investment focus. “This is something a lot of us just didn’t have to worry about five years ago—someone else was handling that,” says Michael Riggs, chief executive of car-hauling company Jack Cooper Holdings Corp. But now, “any CEO who’s not putting this at the top of their priority list is crazy.” (Source: Wall Street Journal

Trump nominates cyber veteran Kirstjen Nielsen to head DHS. Last week former chief of staff at the Department of Homeland Security Kirstjen Nielson was picked by President Trump to lead DHS. @steveholland1 reports that, in addition to serving on George W. Bush’s White House Homeland Security Council, “Nielsen previously worked at a cyber think tank at George Washington University … and is considered well-versed in some of the more technical missions at the department, such as sharing cyber-threat information with the private sector.” (Source: Reuters

Breach du jour: Hyatt Hotels. Hyatt Hotels announced that 41 of its properties were the subject of a POS data breach. The breach compromised data including cardholder names, card numbers, expiration dates, and internal verification codes, from cards manually entered or swiped at the front desk. This is Hyatt’s second breach in as many years. “In late 2015 Hyatt said its payment processing system was infected with credit-card-stealing malware, that had affected 250 hotels in about 50 countries.” (Source: Reuters)

DPRK hackers target electric grid. The cybersecurity company FireEye released a report that linked North Korean hackers to a spear-phishing campaign targeting America’s electric grid. “There is no evidence that the hacking attempts were successful, but FireEye assessed that the targeting of electric utilities could be related to increasing tensions between the U.S. and North Korea, potentially foreshadowing a disruptive cyberattack.” (Source: NBC News

Suggested reading: Who is to blame when a data breach occurs? The council of Foreign Relations’ @robknake weighed in on this question with a solid rebuttal of Equifax’s dismissal of blame: “when companies like Equifax try to drum up sympathy by portraying themselves as the victim, we should all be extremely suspect. No one in corporate America should be surprised any longer that connecting their systems to the internet puts the data they hold at risk. All companies should recognize that protecting the data they hold is their responsibility.” @robknake argued that “[u]ltimately, the question of liability should not be about assigning blame, but how liability can be used in the interest of positive outcomes…If criminals can’t be held liable, or if doing so will not stop future breaches, there needs to be other ways to hold Equifax and other companies liable. If not, it’s the individual victims (you, me, all of us) who will be left holding the bag even though none of us ever asked Equifax to hold our data.” (Source: Council on Foreign Relations)

Events

February 28, 2018 – Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published October 18, 2017