All Eyes on Equifax

As news around the world has reported, the Equifax data breach, in which attackers had access to Equifax systems from mid-May through July, resulted in the exposure of sensitive personal information of more than 143 million American consumers. Although this may not be the largest data breach ever, it has been regarded as one of the most significant breaches because of the sensitivity of the information at risk: Social Security numbers, driver's license numbers, addresses, and more.

The Federal Trade Commission (FTC) confirmed this month that it is “actively investigating” the data breach due to the “intense public interest and potential impact” of the breach. The breach is also being investigated by the Department of Justice, Consumer Financial Protection Bureau, and the Securities and Exchange Commission. The investigations were the result of action by multiple senators and legislative committees highlighting the severity of the breach and the deficiencies of Equifax’s response, as well as threats by several states to bring suit against Equifax.

Senator Mark Warner (D-Va.) sent a detailed letter to the acting head of the FTC calling for an investigation and asking the agency to scrutinize Equifax both for the security lapses and for its poor handling of customer service after the breach was disclosed. Specifically, Sen. Warner has stated: “The hack was awful but then [Equifax’s] response to the hack continued to show [Equifax’s] incompetence. This should be a new impetus to move.”

The investigations are expected to cover Equifax's alleged errors both leading up to the breach and in its handling of the breach. In addition to the security vulnerabilities alleged to have led to the breach, the investigations will also include potential insider trading by Equifax executives, who sold stock more than a month before the breach was made public, and ambiguous language in Equifax's Terms of Service purporting to waive a consumer's right to sue the company.

Most importantly, the FTC’s investigation of the Equifax breach could provide momentum for Congress to act on federal data privacy legislation. Although this legislation has been long pushed for by advocates and elected officials, the efforts have proved unsuccessful in recent years. Sen. Mark Warner has stated that he is working on efforts to pass a data breach notification law requiring companies to notify customers about a breach within a certain narrow time frame. Given the scope of the breach, and Equifax’s response, this may be the final straw to prompt a definitive reaction from Washington.

Recent Study Reveals Interesting Trends in Cyber Attacks in First Quarter of 2017

A recent study issued by Navigant Global Technology Solutions has indicated that “2017 is poised to be a year of significant awareness and development in the area of cybersecurity regulation.” The study indicates that the ferocity of cybersecurity attacks has continued unabated since 2016 and that 2017 is shaping up to be another “watershed year” for cybersecurity threats and attacks.

Statistics (Q1 2017):

  • The overall average breach size decreased from 58,882 records in Q3 2016 to 49,877 in Q4 2016.
  • Healthcare accounted for the largest percentage of reported data breaches (42.77%).
  • Hacking incidents were the most common type of breach.
  • An average of more than 4,000 ransomware attacks occurred per day.
  • 73% of IT security professionals at critical infrastructure utilities say their organizations have suffered a breach.

Additionally, there has been a significant increase in the number of security incidents caused by remote desktop protocol (“RDP”) attacks in the first quarter of 2017. This is not surprising in light of the growing “work-from-home” trend: RDP is the technology that lets users and system administrators control computers they cannot physically reach, and any RDP service exposed to the Internet is a login prompt that attackers can try. The attackers obtain valid credentials through phishing emails or other social engineering techniques, or simply guess weak or reused passwords, and then log in as if they were a legitimate remote user. The study also noted that TeamViewer, a major remote access provider (its product uses its own protocol rather than RDP, but offers the same kind of remote control), has seen a similar spike in account compromises. However, TeamViewer and Navigant both note that the exposure is not due to a “flaw” in the technology, but rather to the poor password practices of users. Once again, the findings indicate that human error is one of the most difficult problems to safeguard against.
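Because these RDP intrusions use valid credentials, the most reliable signal is not an exploit signature but the pattern of logons themselves: a burst of failed remote logons from one source address, often against several account names, followed by a success. The detection logic below is an added example and is not from the Navigant study or from TeamViewer. It runs over constructed, simplified log lines modelled on Windows Security events (event 4625 is a failed logon, 4624 a successful one, and LogonType 10 marks a Remote Desktop session); real systems emit these as EVTX/XML records, so the line format and the field names here are assumptions for the illustration, as are the threshold and time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on Windows Security logon events.
# EventID 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive, i.e. an RDP session; other types are ignored.
SAMPLE_LOG = """\
2017-03-14T02:11:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-03-14T02:11:07Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-03-14T02:11:09Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2017-03-14T02:11:12Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2017-03-14T02:11:14Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.45
2017-03-14T02:11:21Z EventID=4624 LogonType=10 TargetUser=scanner SourceIP=203.0.113.45
2017-03-14T02:15:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.10
2017-03-14T02:40:00Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.10
2017-03-14T02:41:00Z EventID=4625 LogonType=3 TargetUser=svc-print SourceIP=198.51.100.7
"""

# Assumed (simplified) line layout; real EVTX records would need an XML parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse(log_text):
    """Turn the sample lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts keyed by source IP.

    A source IP is flagged once it produces `threshold` or more RDP (LogonType 10)
    failures inside a sliding `window`. If a successful RDP logon from the same IP
    follows the burst, `success_after` records the account that got in, which is
    the case to treat as a likely compromise rather than mere noise.
    """
    failures = defaultdict(list)   # ip -> recent failed events within the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] != 10:
            continue  # not an RDP logon
        ip = ev["ip"]
        if ev["event"] == 4625:
            bucket = failures[ip]
            bucket.append(ev)
            # Expire failures that have fallen out of the sliding window.
            while bucket and ev["ts"] - bucket[0]["ts"] > window:
                bucket.pop(0)
            if len(bucket) >= threshold:
                alert = alerts.setdefault(
                    ip, {"failures": 0, "users": [], "success_after": None})
                alert["failures"] = max(alert["failures"], len(bucket))
                alert["users"] = sorted({e["user"] for e in bucket})
        elif ev["event"] == 4624 and ip in alerts:
            if alerts[ip]["success_after"] is None:
                alerts[ip]["success_after"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        verdict = "COMPROMISE?" if alert["success_after"] else "brute force"
        print(f"{ip}: {alert['failures']} RDP failures against "
              f"{alert['users']} -> {verdict} "
              f"(success as {alert['success_after']})")
```

In the sample, 203.0.113.45 fails five times against four account names in under ten seconds and then logs in as "scanner", so it is flagged as a probable compromise; the single mistyped password from 192.0.2.10 followed by a normal logon half an hour later is not. Tuning the threshold and window against a site's real logon volume, and feeding the alert into account lockout or a firewall block, is what turns this from a report into a control.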

The second quarter of 2017 is poised to be no exception to the spike in cybersecurity breaches. The 2016 tax filing season is coming to a close, and a plethora of sensitive personal information is available to hackers across multiple platforms. Recognizing that a majority of cyber attacks are the result of weak or reused passwords, the use of “two-factor authentication” on all account logins continues to be a focus in designing effective cyber security programs.

Two-factor authentication (also referred to as “2FA”) is a process requiring two different authentication methods to prevent unauthorized access to private and sensitive information. The three main categories of authentication factors are: something you know (password, PIN, Social Security number); something you have (USB security token, bank card, key, or a phone running an authenticator app); and something you are (fingerprint, iris, voice, face). The two-factor authentication process requires two factors from different categories; a password plus a security question is still only “something you know,” so a stolen or phished password alone should not be enough to log in.

According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Thus, by using basic two-factor authentication, an organization can immediately reduce its cybersecurity threat profile in a fast and meaningful way.

As we continue in 2017, these statistics and studies must inform the development of practical, effective means of combating countless threats to cyber security. Being attacked is only a question of when, not if. In cyber security, the best offense is a strong defense, including accommodations for the likelihood of human error.