Musings and stuff about the

This is intended to be an old-fashioned “blog” about thoughts on the Equifax data breach. It will be ongoing so please check back regularly.

Topics

 

Media interviews and commentary

We are seeing shame hacking taken to a new level

(9/15/17) I have written a good bit about shame hacking and how hackers’ efforts to monetize their activities have evolved to their using shame, or embarrassment, as a tool to extort payments from their targets. This case seems to be taking it to a new level. For the last two days we have all seen the news about how Equifax’s failure to patch was the cause of the breach. Today, it got worse.

Now, apparently, the hackers are trying to play the role of “good guys” by telling the secrets of how they hacked Equifax, how easy it was, and just how negligent Equifax was in defending its network. Check out this story (which seems to be legit):  How Equifax got Hacked

Stop and think about this for a moment:

  • The hackers — the criminals who attacked Equifax and stole data from at least hundreds of thousands of people to potentially hundreds of millions of people — are now coming out and shaming Equifax for allowing them to do what they did.
  • Now I understand, with these revelations about its security practices, it is hard to feel sorry for Equifax and view it as the victim, and I’m not suggesting that we should. But let’s also not forget that Equifax was the company that was attacked — and now the attackers are the ones telling all to shame the company they attacked. We must keep this in perspective.
  • The problem is, we will not keep it in perspective and we as part of the masses will all start to dog pile Equifax even more for the juicy scoop that the hackers are revealing about the company they attacked and the hackers are stoking the flames: “if I have to release the information and make it public for these companies to finally acknowledge and admit their fuck ups (maybe not blame on apache flaw either) then I will” the hackers
  • I am all for learning any lessons that we can from this attack, even if from the hackers themselves, and I am all for really letting Equifax have it for what they did, but the one thing I am not for is making these hackers out to be heroes in the end. As ridiculous as this may seem, now on 9/15/17, it would not be unprecedented … please, please, please, do not make these guys out to be heroes because they are not. They are criminals.

This is taking shame hacking to a new level. This kind of taunting would get a college or NFL football player ejected from a game — and we the people will enjoy every bit of it!

Stay tuned, this is getting interesting …

Will I lead a consumer class action lawsuit against Equifax?

I have received more inquiries from people via calls, emails, and social media posts who are interested in pursuing a class action lawsuit against Equifax than I have following every other breach combined, by at least double or triple the numbers! However, while it is clear that people want their pound of flesh, it will not be me leading the charge.

Lawsuits and investigations against Equifax

Well-respected data breach class action attorney John Yanchunis has already filed one class action lawsuit and it would not surprise me to see another well-respected data breach class action firm Edelson PC bring one as well. You can also learn more about class action lawsuits that are filed at the Top Class Actions website.

My thoughts on the “chatbot” suing Equifax are in included in this article: Equifax’s Latest Legal Nightmare Might Be This Chatbot

The FTC has launched an investigation into the Equifax data breach.

Massachusettes’s attorney general said it will sue Equifax over the data breach.

What to do if you’re impacted by the Equifax data breach?

I doubt I could do a better job of giving you advice on this than the Federal Trade Commission can so check out their Consumer Information page that explains what to do and how to do it: The Equifax Data Breach: What to Do

One of the issues that has caused some confusion is the difference between a fraud alert and a credit freeze, which the FTC has also addressed: Fraud alerts vs. credit freezes: FTC FAQs

Here is the Equifax official page if you need it: www.equifaxsecurity2017.com

Given that data breaches are the new normal, I see no reason why we shouldn’t all have some form of credit monitoring as one more level of protecting ourselves. While Equifax is offering a year of free credit monitoring using its service, if you’re reluctant to sign up for Equifax’s free credit monitoring, you should sign up for somebody’s even if it means paying for it. My friend Todd Hindman works for ID Experts and they have a top-notch product: https://www2.idexpertscorp.com/

Here are some general talking points I used for a couple of media interviews on this (much of this came directly from the FTC website):

IDENTITY THEFT – HOW DO INDIVIDUALS PROTECT THEMSELVES

If you sign up for Equifax’s free credit monitoring, do you lose your right to sue?

No, you do not.

Equifax issued an official statement saying that you do not give up your right to sue if you sign up for its free credit monitoring:  Cybersecurity Incident & Important Consumer Information – Equifax:

[This week’s update]
Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier. We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.

[Last week’s update]

We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, http://www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.

What caused the Equifax data breach?

The Apache Foundation which oversees the use of open source software issued a statement alleging the breach was caused by Equifax’s failure to install a patch, or security update, that had been available for a couple of months: “The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner”

https://twitter.com/GossiTheDog/status/839591998873079808

Now it appears that Equifax was also using the uber challenging authentication credentials of “admin/admin” to protect data in Argentina

What’s more important than the 3 things below? Prevention — as stated here!

3 Things Worth Learning from the Equifax Breach

The SecureWorld News Team talked with me about many of the lessons that can be learned from the Equifax data breach and winnowed it down to the following 3 takeaways that are discussed more thoroughly in the article:

  1. We need a uniform national breach notification law in the United States.
  2. When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
  3. A mega breach keeps going, and going, and going.

Please take a look at the full article, 3 Things Worth Learning from the Equifax Breach, and let the SecureWorld News Team know what you think on TwitterFacebookLinkedIn, and Google+

Will Equifax be the “tipping point” for companies to take action on cybersecurity, much the way Target was the “tipping point” for awareness?

My friend Roberta Anderson and I had a conversation on Facebook in which she shared an article she wrote back in April 2014 (Business Forum: Target security breach could be a wake-up call) about the Target data breach being the tipping point for raising awareness about the need for cybersecurity and the risks of data breach. Her question to me was whether I thought Equifax would be another such tipping point. Here is the link to the Facebook post if you want to join the conversation.

Here is my response, also in the post above:

Roberta, that is an excellent article and some excellent questions you raise about Equifax. I recall back in 2011 hearing that year was the “Year of the Data Breach” because we thought, at the time, that with news of *some* data breaches making their way into the traditional news headlines it would be enough to jolt business leaders to start taking action. It wasn’t. As you predicted back in April 2014, it was going to be Target that really turned out to be the “tipping point” and I firmly believe that it was quite a watershed moment in the world of cybersecurity and data breach insofar as raising awareness is concerned. Unfortunately, it wasn’t enough. It wasn’t enough to move from mainstream awareness to mainstream action.

Now to the question of Equifax — will it be the “tipping point” that moves the needle from awareness to action? It very well could be for several reasons. First and foremost, people are pissed — really pissed — about a company that has made it’s business off of judging them and their “worthiness” now not only showing its unworthiness but also doing so at the expense of the people it has been judging — without their consent! In the world of perception and persuasion, that’s a horrible fact. I have seen this first hand — I have received two to three times more telephone calls, emails, texts, and social media messages asking me to bring a class action lawsuit against Equifax in less than a week than I have in the wake of every other data breach combined — COMBINED! People want their pound of flesh! Add to that the actions of the executives in selling their stock, post-breach (whether they knew or not), the perceived delay in notifying, and the extreme sensitivity of the data involved and you have the makings of a nuclear bomb of breach consequences which are already forming with the lawsuits, extended publicity, and congressional inquiries. But, will that be enough to move the needle to action? I don’t know … will their stock rebound? Will the congressional inquiry go the way of Yahoo’s CEO (who also received letters of inquiry from Congress)? Will the insurance cover much of the sting? Will the execs lose their jobs — without golden parachutes that provide them with better landings than most of us will ever have in our lives? Or, will somebody go to jail and, if so, under what theory?

Effective cybersecurity is hard and requires a commitment to a perpetual journey that has no final destination. That’s not a journey that most companies will truly commit to unless they are forced to do so — even if they *should*. Unless someone really pays the price for this Equifax incident, in a grand and public manner for all of the world to see (no, I’m not suggesting a public hangings — but something that will leave the imagery in the public’s mind the way those once did — like the Ford Pinto case), I just don’t know.

Will Equifax get hit for this data breach like Ford did for its “bean counting” in the Pinto case?

I wrote this post back in 2011 and we’re still waiting for the “message” to sent — will this be it? Data Breach — Who’s Gonna Get It?

Random Info

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.

Leave a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from Business Cyber Risk

Subscribe now to keep reading and get access to the full archive.

Continue reading