The Equifax Mass Hack Serves as a Reminder for All to Take Action

Equifax, one of the “big three” credit-reporting agencies and a broker in personal-identifying data, announced September 7 “a cybersecurity incident,” as stated in a mea culpa by its Chairman and CEO Richard Smith.

Smith explained that hackers gained access to the names, dates of birth, SSNs, addresses, and in some cases, driver’s license and credit card numbers of 143 million Americans. That is nearly half the United States’ population, many of whom were unaware Equifax had their information to begin with. Equifax gets this data from creditors who report credit activity on individuals, rather than from the individuals themselves.

In response, the financial institutions reporting to Equifax, and the individuals it tracks and rates, will be filing lawsuits across the country. Two such lawsuits sprung up within hours of Equifax’s announcement. The complaints were filed in federal courts in Portland and Atlanta on behalf of nationwide classes. Large-scale litigation such as this is par for the course in the aftermath of high-profile data breaches, which can result in settlement payments of up to hundreds of millions of dollars.

Just recently, Target agreed to pay out over $39 million to settle litigation with banks and another $18.5 million with consumers over a 2013 breach that exposed 40 million credit and debit cards and the personal information of about 60 million customers. Heartland, a credit card processing company, paid out over $110 million to credit card companies and individuals for a 2008 breach that exposed about 130 million credit and debit cards. And in June of this year, Anthem agreed to pay $115 million to settle litigation over a 2015 hacking that compromised about 79 million people’s personal information.

Equifax appears to have been bracing for such litigation during the five weeks between its discovery of the breach on July 29, and its disclosure to the public on September 7. During that time, it created a website that in theory allows individuals to check whether they are among the 44% of Americans affected by the breach. The website invites those affected to “Click the button below to continue your enrollment in TrustedID Premier”—an Equifax security monitoring service that is free, but only for one year. Notably, enrollment requires that you accept Equifax’s Terms of Use. Those terms seemingly required arbitration of all disputes, and waiver of the ability to bring or participate in a class action lawsuit, such as those filed in Portland and Atlanta.

That arbitration provision and class action waiver received heavy criticism and sparked an investigation by New York Attorney General Eric Schneiderman who called the provision “unacceptable and unenforceable.” Equifax subsequently updated its terms to remove the provision.

The website had other problems, however, that have not been resolved. It has been described as a marketing funnel for Equifax’s own credit protection service, the value of which is in serious question. Moreover, the website does not work.

It gives inconsistent reports to people, myself included. On September 7, the website stated that my information was not impacted. On September 8, it said it was. Others have experienced the same, or received “System Unavailable” messages. One has to question whether Equifax even knows the full extent of its breach.

As an individual, this is a reminder to protect yourself to the extent possible by creating strong passwords unique to each website, taking advantage of advanced security features like two-step authentication, and considering ending relationships with businesses that do not offer advanced security options. If you believe you were affected by the Equifax breach, and there is nearly a 50/50 chance you were, consider instituting a credit freeze.

As a holder of consumer information, this is a reminder of the incredible focus that must be paid to securing your customers’ privacy. It is also a reminder to review your own customer agreements. Equifax was in a unique position because it did not have an agreement with the people whose information it carried. If you do, this is a good time to consider consulting with a lawyer as to whether you need an arbitration provision and class action waiver or, if such provisions are already in your agreements, whether they are legally current and, thus, enforceable.

Questions Remain as to Extent of HBO Cyberattack

On Monday, HBO acknowledged that it had been the victim of a cyberattack. The hacker(s) claiming responsibility use the alias “little.finger66,” a reference to HBO’s hit show, Game of Thrones.

The hackers accessed an estimated 1.5 terabytes of data. They have leaked full episodes of Ballers and Room 104, as well as a script from the upcoming episode of Game of Thrones. They promise that more is to come. HBO is working with law enforcement and private security firms to examine the extent of the breach and to protect its data.

HBO has expressed an intent to offer its employees credit monitoring, which raises questions as to whether human resources records were accessed. Thankfully for subscribers, at this time, there is no indication that the hackers accessed subscribers’ login credentials or payment information.

Also, luckily for HBO, it appears that HBO’s email system was not compromised in its entirety, unlike with the Sony Entertainment breach in 2014. The release of confidential and proprietary information following the Sony breach – such as executives’ salaries and embarrassing email communications – sent ripples through the entertainment industry and led Sony’s then co-chairman to resign. It also resulted in a class action lawsuit brought by certain Sony employees.

We will continue to monitor this story as it unfolds.

DLA Piper Falls Victim to Latest Cyberattack

After last month’s WannaCry ransomware attack infected thousands of businesses and individuals across the globe, law firms were identified as likely targets of future, similar attacks. On Tuesday, multinational firm DLA Piper became the latest victim of a major cyber hack.

The Petrwrap/Petya attack, which was found to have originated in the firm’s office in Spain, caused DLA’s network and phone system to be shut down. Employees were instructed to turn off their computers and to unplug their laptops from the network as a precaution. During the shutdown, a DLA Piper spokesperson said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.” DLA worked with external forensic experts, including the FBI and UK National Crime Agency, to get its systems back online and recover from the attack. Nonetheless, the firm’s lawyers were without access to company phones and email due to the lockdown.

In addition to DLA Piper, other large companies were hit, including Russian oil producer Rosneft and Danish shipping company Maersk. Though first reported in Ukraine, where the most severe damage has been sustained, the virus quickly spread to the United States and Europe. United States-based pharmaceutical company Merck was also infected. DLA Piper has experienced effects of the attack in its offices globally.

While DLA Piper is the only law firm that has reportedly been attacked by the Petrwrap/Petya ransomware thus far, experts have indicated that law firms, generally, are attractive targets for hackers, as they maintain an abundance of highly sensitive client information on their systems. Many smaller firms are vulnerable and easily exploited because they do not have the infrastructure to protect themselves against cyber threats. Yet, as can be seen, these increasingly pervasive attacks can cripple even the most prepared companies. In fact, DLA Piper, a firm with a global cybersecurity team, published an article in the wake of WannaCry titled “9 Things You Should Know to Protect Your Company from the Next Attack.”

Details about the Petrwrap/Petya ransomware, including how it is spread, are still being investigated. Researchers have reported that it is both similar to and different from WannaCry in various ways. Needless to say, in the face of another widespread attack, it is more important than ever for law firms to be vigilant against cyber threats.

Arizona Voter Registration Database Hacked by Email Designed to Look Like Employee

In this contentious election year, foreign hackers have taken a keen interest in the U.S. electoral system. Perhaps most memorable was this summer’s high-profile assault on Democratic National Committee computers, which exposed a number of unsavory emails and forced DNC Chairwoman Debbie Wasserman Schultz to step down. But state voter registration databases have also become popular targets for hackers looking to disrupt confidence in this year’s elections; over two dozen states have seen some form of cyberattack on their election systems this year. An apparent hacking attempt in June 2016 caused Arizona’s voter registration system to shut down for almost a week while state and federal officials investigated the source of the hack. The FBI later attributed the breach to Russian hackers.

Speaking at the Cambridge Cyber Summit this month, Arizona Secretary of State Michele Reagan revealed that the malware was traced to a highly sophisticated email designed to look like it came from an employee. Hackers used the email to obtain the username and password of a single election official, giving them access to Arizona’s entire voter registration database, which houses the personal information of more than four million Arizona residents. According to Secretary Reagan, election officials have taken several steps to protect Arizona’s election system from additional cyberattacks, including requiring employees to implement new and stronger passwords and multifactor authentication. Although Secretary Reagan has been adamant that hackers did not gain access to any mechanism for tallying votes, the mere possibility that election results could be compromised may be enough to cast doubt on this election, which some (including one major party candidate) have already alleged is “rigged.” This latest revelation from Arizona officials serves as yet another example of the importance of creating a culture of data security in the workplace and training employees, in all industries, to recognize the signs of fraudulent emails.


‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database, consisting of a reported 9.3 million individuals’ records from a health insurer, went up for sale. The hacker taking credit for all of them refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid, the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after the events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access through an unnamed third-party contractor (presumably the EMR vendor). Databreaches.net claims, however, that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, must be in the minds of any healthcare organization as they learn of these events. First is the question of whether your own data security is protected from such attacks, or whether you are vulnerable as well. How safe is your EMR system? How closely do you audit and monitor the third-party vendors you contract with? Second, what will your response be in the event you receive a post-breach ransom demand? I think every organization should have at least a working framework to use for that analysis before it finds itself the recipient of such a demand.