Last year, Equifax reported a massive cyber attack that resulted in the theft of the personal data of 140 million people in the United States. Hackers gained access to names, addresses, social security numbers and credit cards.
However, last week it became known that the damage was greater than previously reported. The attackers also managed to steal email addresses, TIN and driver's license numbers. The reaction of experts and the investigation are covered below.
Information about the theft of the additional data came from a document containing the results of a forensic examination, which Equifax itself submitted to the US Senate Banking Committee. The news triggered a sharp reaction from the community.
After reviewing the document, Senator Elizabeth Warren is now demanding that the company provide details on each type of data that, according to Equifax, could have been stolen. She wants an answer by the end of this week.
“The company continues to make controversial statements, to hide information from Congress and the public,” says Warren. “Equifax should tell you how serious the leak really was.”
Meanwhile, Hacker News users have already suggested that the compromise of Equifax systems was total and that absolutely all stored personal data was compromised.
However, in response to the accusation, Equifax spokesperson Meredith Griffanti noted that the bureau did not try to confuse the community in any way and that last year it disclosed only the information that affected most citizens. In the report for the Committee, Equifax wanted to describe the whole situation "as transparently as possible."
Griffanti also said that the compromised data the company decided not to mention belongs only to a small group of people, and that some information, such as passport numbers, was not stolen at all. Equifax added that the total number of citizens affected has not changed.
Incident Investigation Suspended
A few weeks after the announcement of the massive data leak, Equifax CEO Richard Smith resigned from his post. He was followed by the head of the security department and the head of the information department. Around the same time, Richard Cordray, head of the Consumer Financial Protection Bureau (CFPB), initiated an investigation to establish the causes of the incident and find the perpetrators.
However, in November last year, Richard Cordray left his post and was replaced by Mick Mulvaney from the Donald Trump administration. As Reuters noted, Mulvaney suspended the CFPB investigation into Equifax.
John Czwartacki, a representative of the White House Budget Office, said that the CFPB has all the tools and resources to investigate the Equifax data leak, but the agency is not allowed to conduct an open investigation.
The community reacted negatively to this policy. Mozilla has even created a page to collect signatures in support of a petition to reopen the CFPB investigation. At the same time, a group of US senators sent a letter to CFPB management demanding that the agency resume work on the case and provide detailed information on its investigative actions: drawing up subpoenas, questioning Equifax staff and conducting on-site inspections.
A CFPB spokesperson said that the agency had received the letter. He also noted that the Consumer Financial Protection Bureau is conducting an investigation, and that statements to the contrary are false. It is therefore not clear how events will develop.
Legal implications
In the United States, expenses caused by a leak can now be recovered from a bank or a company in court. The public outcry over high-profile leaks of personal data is pushing the government to toughen the liability of organizations at the legislative level.
In January of this year, two US senators proposed a bill that would allow the Federal Trade Commission to impose penalties on credit agencies that allowed a leak. If such a law had already been in effect, Equifax would have had to pay half a billion dollars. This amount is calculated at the rate of $100 for each citizen whose personal data was stolen by hackers, plus $50 for each type of stolen personal data: passport number, address, TIN and so on.
As for Russia, the scale of penalties in our country is more modest, but regulation may follow the example of the West. New measures may soon be taken to protect users from the consequences of such hacks: according to Vedomosti, the state plans to require companies that work with citizens' personal data to insure against the risk of that data leaking.
According to industry experts, such a program will make it possible to develop cyber insurance standards applicable to Russian realities. The Ministry of Finance has already begun to work on the initiative. The regulator is to decide whether such a law makes sense by July 2018.