Equifax Data Breach

Equifax, one of the three largest consumer credit reporting and financial services providers in the United States, released a statement announcing a data breach that involves the personal information of an estimated 143 million US consumers. The company stated that it discovered the breach on July 29 and further forensic analysis revealed it resulted from the exploitation of a web application vulnerability that was used to gain unauthorized access to files containing sensitive consumer information. This access reportedly occurred from mid-May through July 2017. The information accessed includes names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers.

Credit card numbers for 209,000 US consumers and dispute documents with personally identifying information for 182,000 US consumers were also accessed. Rick Smith, the Chairman and CEO of Equifax, released a YouTube video and a FAQ sheet regarding the breach and is asking consumers to contact the company's call center at 866-447-7559, which was set up to assist consumers who have additional questions. Equifax also launched a website that outlines the details of the data breach and provides additional resources for consumers. Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents were impacted. Equifax is offering free credit monitoring and identity theft protection for one year through TrustedID Premier to those affected by the breach.


The NJCCIC recommends all of our members assume their sensitive personal information was compromised in this breach or one of the many incidents that have occurred in recent years and take immediate action to protect themselves against identity theft. If you were affected by a recent data breach, we strongly urge you to enroll in the free credit monitoring service provided by the victim organization. While credit monitoring is helpful in detecting suspicious or malicious activity, consumers should also consider identity theft insurance, which covers losses incurred as a result of successful fraud. The NJCCIC also recommends our members consider placing a security freeze on their credit, closely monitor bank and credit card accounts using SMS or email alerting options, and report any fraudulent activity to the Federal Trade Commission and your local law enforcement agency as soon as possible. While it may be an inconvenience, a credit freeze will prevent unauthorized loans and lines of credit from being opened in your name and it can be lifted whenever legitimate credit inquiries are necessary.

Additionally, the NJCCIC encourages all organizations that use web applications to access and manage sensitive data to review the NJCCIC threat analysis titled “Web Apps: Vulnerable to Common Threats, Firewalls Recommended”, consider deploying a web application firewall, and regularly perform security audits of all web applications.


Botnet of Things

The relentless push to add connectivity to home gadgets has introduced a new risk into our society – the Botnet of Things. In October 2016, a botnet of up to 100,000 hacked gadgets knocked out Internet infrastructure provider Dyn, resulting in major website failures throughout the Internet.

Hackers are taking advantage of the growing number of webcams, DVRs, refrigerators, etc. that are connected to the Internet. These devices are not designed with security in mind and cannot be patched. The Internet of Things (IoT) is an insecure platform on which bad guys can initiate attacks for both profit and disruption. The BoTs will become larger and more powerful as the number of vulnerable devices increases.

In a perfect world, our devices would run only secure software and they would be connected only to secure networks. That’s not going to happen anytime soon, so we are just going to have to live with our desire to have everything talk to everything.

For the complete story, see the article by Bruce Schneier in the MIT Technology Review: https://www.technologyreview.com/s/603500/10-breakthrough-technologies-2017-botnets-of-things/