This week’s data breach news covers two massive data breaches that have garnered attention on a national and international scale: Equifax and Marriott.
The Equifax breach, believed to have impacted 148 million U.S. consumers, has made headlines since it was discovered in September of 2017. The latest report related to the incident comes from a 14-month congressional investigation that suggests that Equifax could have prevented the breach had they followed proper security measures.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the staff majority report said. “As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”
Equifax’s network allowed hackers to gain access to company data for 76 days, according to the House report. Lawmakers are still calling on Equifax to pay to make up for what’s been called a lack of preventative measures to stop the breach from occurring, including a breakdown in recommended security protocols.
The House committee report suggested that the breach was a result of having flaws in the company’s IT structure that did not implement proper communication between the IT policy development and operational department. This gap is believed to have delayed the necessary system patches. It’s believed that the hackers gained unencrypted data from Equifax’s systems 265 times, according to the report. Equifax is accused of not fixing the security vulnerabilities in a timely fashion.
According to the report, “Equifax security staff failed to notice the exfiltration of data because the device used to monitor network traffic had been inactive for 19 months due to an expired security certificate.”
“Equifax noticed additional suspicious traffic from a second IP address owned by a German ISP, but leased to a Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for emergency maintenance. The cyber attack concluded when ACIS was taken offline,” the report noted.
In light of breaches like that experienced by Equifax, the committee also discussed the concept of reducing the use of social security numbers as a form of ID. This concept has been discussed in Washington, as it’s been suggested that SSNs are an outdated form to verify identities — particularly with their propensity to be involved in massive data breaches.
The Equifax breach has dominated headlines in the fraud ecosystem not just because of the total number of exposed records, but also because of the scope of what those records entailed. The nature of the sensitive details — including SSNs, credit card details and tax IDs — are what placed the incident on the list of worst corporate data breaches in the U.S.
In June of this year, Equifax agreed to a consent order from regulators from eight U.S. states. The order requires the credit reporting agency to provide regular reports on how it is actually improving its security measures. The agreement calls on Equifax to “to take specific action to protect confidential consumer information.”
The charge also calls on Equifax’s breach to “remediate the deficiencies and unsafe practices that contributed to the breach.” On top of those requirements, Equifax has agreed to be open to on-site regulatory reviews, and to be more transparent about how they identify future threats and security vulnerabilities. Equifax had 90 days to comply with those orders, and 30 days to improve how it audits and improve “standards and controls” for managing the software used to increase or update security. All of this was set to be reviewed by an independent security expert.
A new report from The New York Times indicates that the massive Marriott breach that could have impacted as many as 500 million people is likely the work of a Chinese hackers. The latest information on this breach, according to The Times, “was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans.”
Within that scope, the breach is believed to have given hackers access to names, addresses, phone numbers, email addresses, passport numbers, birthdates, gender, Starwood loyalty program account information and reservation details. Marriott has indicated they will pay for replacement passports for impacted consumers.
Another report from The Chicago Tribune digs into the Chinese hacker tie, and said that one clue suggesting it was not hackers from the U.S. was that no credit cards tied to the breached data appear to have shown up on the dark web or other forums that a hacker would typically sell stolen credit card details and relevant personal credentials on.
While the latest details on this report indicate the breach was an attempt to gain personal information on U.S. citizens, there is still the possibility of payment data being exposed as part of the wider breach impact. It’s unknown at this point what payment data was stolen, but it’s believed that some payment card numbers and expiration dates were exposed. Marriott officials have indicated that the payment card numbers were encrypted in its system, but it’s unknown if the hackers were able to decrypt this information.
It’s been reported that this breach dates back to 2014 and was not detected until September 10, 2018. According to the FTC, Impacted properties include: Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, and other hotel and timeshare properties.
For financial institutions impacted by this, or any other data breach, the FTC has shared some tips to pass onto consumers. This includes the following four tips:
Check credit reports by visiting annualcreditreport.com. New accounts or unrecognized activity could be signs on ID theft. IdentityTheft.gov has tips on how to manage this issue.
Review payment card statements. For fraudulent charges, consumers should contact their card company or bank immediately and request a new card.
Sign up for fraud alerts on credit files. This will warn creditors about ID theft and alert any suspicious activity in a consumer’s name. This is free and lasts one year.
Consider a credit freeze on credit reports. This will make it more difficult for a fraudster to open a new account (but won’t prevent a hacker from making charges on current accounts).