This is intended to be an old-fashioned “blog” about thoughts on the Equifax data breach. It will be ongoing so please check back regularly.
- Media interviews and commentary
- We are seeing shame hacking taken to a new level
- Will I lead a consumer class action lawsuit against Equifax?
- Lawsuits and investigations against Equifax
- What to do if you’re impacted by the Equifax data breach?
- If you sign up for Equifax’s free credit monitoring, do you lose your right to sue?
- What caused the Equifax data breach?
- What’s more important than the 3 things below? Prevention — as stated here!
- 3 Things Worth Learning from the Equifax Breach
- Will Equifax be the “tipping point” for companies to take action on cybersecurity, much the way Target was the “tipping point” for awareness?
- Will Equifax get hit for this data breach like Ford did for its “bean counting” in the Pinto case?
- Random Info
Media interviews and commentary
- News 570 KLIF Dallas – Fort Worth had Shawn Tuma on its Daily Dose to discuss the Equifax data breach and why it took over two months to install the security patch, patch management, and overall cybersecurity strategy
- News 570 KLIF Dallas – Fort Worth interviewed Shawn Tuma about the massive Equifax data breach, how to know if you’re a victim, and what to do if you are
- The Steve Gruber Show has guest Shawn Tuma on to discuss the massive Equifax data breach and what people should do to protect themselves
- The Equifax hack and how to protect yourself: Shawn Tuma explains on ABC TV in Rochester, Minnesota
- The Brett Winterble Show interviews Shawn Tuma about the massive Equifax data breach and what people should do to protect themselves
- Shawn Tuma discusses the Equifax data breach on WHO, WJIM, and KURV radio stations
- KFAB Morning News interviews Shawn Tuma about the Equifax hack and why everything is vulnerable
- Massive Equifax data breach explained by Shawn Tuma on WRVA Newsradio 1140
We are seeing shame hacking taken to a new level
(9/15/17) I have written a good bit about shame hacking and how hackers’ efforts to monetize their activities have evolved to their using shame, or embarrassment, as a tool to extort payments from their targets. This case seems to be taking it to a new level. For the last two days we have all seen the news about how Equifax’s failure to patch was the cause of the breach. Today, it got worse.
Now, apparently, the hackers are trying to play the role of “good guys” by telling the secrets of how they hacked Equifax, how easy it was, and just how negligent Equifax was in defending its network. Check out this story (which seems to be legit): How Equifax got Hacked
Stop and think about this for a moment:
- The hackers — the criminals who attacked Equifax and stole data from at least hundreds of thousands of people to potentially hundreds of millions of people — are now coming out and shaming Equifax for allowing them to do what they did.
- Now I understand, with these revelations about its security practices, it is hard to feel sorry for Equifax and view it as the victim, and I’m not suggesting that we should. But let’s also not forget that Equifax was the company that was attacked — and now the attackers are the ones telling all to shame the company they attacked. We must keep this in perspective.
- The problem is, we will not keep it in perspective and we as part of the masses will all start to dog pile Equifax even more for the juicy scoop that the hackers are revealing about the company they attacked and the hackers are stoking the flames: “if I have to release the information and make it public for these companies to finally acknowledge and admit their fuck ups (maybe not blame on apache flaw either) then I will” — the hackers
- I am all for learning any lessons that we can from this attack, even if from the hackers themselves, and I am all for really letting Equifax have it for what they did, but the one thing I am not for is making these hackers out to be heroes in the end. As ridiculous as this may seem, now on 9/15/17, it would not be unprecedented … please, please, please, do not make these guys out to be heroes because they are not. They are criminals.
This is taking shame hacking to a new level. This kind of taunting would get a college or NFL football player ejected from a game — and we the people will enjoy every bit of it!
Stay tuned, this is getting interesting …
Will I lead a consumer class action lawsuit against Equifax?
I have received more inquiries from people via calls, emails, and social media posts who are interested in pursuing a class action lawsuit against Equifax than I have following every other breach combined, by at least double or triple the numbers! However, while it is clear that people want their pound of flesh, it will not be me leading the charge.
Lawsuits and investigations against Equifax
Well-respected data breach class action attorney John Yanchunis has already filed one class action lawsuit, and it would not surprise me to see another well-respected data breach class action firm, Edelson PC, bring one as well. You can also learn more about the class action lawsuits that are filed at the Top Class Actions website.
My thoughts on the “chatbot” suing Equifax are included in this article: Equifax’s Latest Legal Nightmare Might Be This Chatbot
What to do if you’re impacted by the Equifax data breach?
I doubt I could do a better job of giving you advice on this than the Federal Trade Commission can so check out their Consumer Information page that explains what to do and how to do it: The Equifax Data Breach: What to Do
One of the issues that has caused some confusion is the difference between a fraud alert and a credit freeze, which the FTC has also addressed: Fraud alerts vs. credit freezes: FTC FAQs
Here is the Equifax official page if you need it: www.equifaxsecurity2017.com
Given that data breaches are the new normal, I see no reason why we shouldn’t all have some form of credit monitoring as one more level of protecting ourselves. While Equifax is offering a year of free credit monitoring using its service, if you’re reluctant to sign up for Equifax’s free credit monitoring, you should sign up for somebody’s even if it means paying for it. My friend Todd Hindman works for ID Experts and they have a top-notch product: https://www2.idexpertscorp.com/
Here are some general talking points I used for a couple of media interviews on this (much of this came directly from the FTC website):
- According to FTC website: The Equifax Data Breach- What to Do – Consumer Information
- Included — determine if you were included: http://www.equifaxsecurity2017.com/
- assume you’re affected – even if not by Equifax, you probably are by another
- free credit monitoring — obtain it, from Equifax (they already have your info) or others
- ID Experts
- Credit reports — check them (http://www.annualcreditreport.com/)
- see problem: go to https://identitytheft.gov/
- Credit freeze — consider it — prevents people from opening accounts
- Existing financial accounts — monitor them, vigilantly
- Fraud alerts – consider using, especially if you do not use a credit freeze
- Taxes – file them early, before criminals try to get your refund
- Great resource: http://www.identitytheft.gov/Info-Lost-or-Stolen
If you sign up for Equifax’s free credit monitoring, do you lose your right to sue?
No, you do not.
Equifax issued an official statement saying that you do not give up your right to sue if you sign up for its free credit monitoring: Cybersecurity Incident & Important Consumer Information – Equifax:
[This week’s update]
[Last week’s update]
What caused the Equifax data breach?
The Apache Software Foundation, which oversees Apache open source software projects, issued a statement alleging that the breach was caused by Equifax’s failure to install a patch, or security update, that had been available for a couple of months: “The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner”
Now it appears that Equifax was also using the uber challenging authentication credentials of “admin/admin” to protect data in Argentina …
ICYMI, Equifax forced to pull offline a huge database of consumer data guarded only by credentials "admin/admin" https://t.co/qsbcWct4pY
— briankrebs (@briankrebs) September 13, 2017
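The patch-management failure described above, as an added example that is not from the original post or from Equifax: a small Python check that parses a dependency inventory in the style of `mvn dependency:list` output and flags every artifact whose installed version is below a minimum fixed version. The inventory lines are constructed, and the minimum versions in `MIN_FIXED` are assumed operator-policy values, not taken from any advisory. The point is that a check like this can run in the build pipeline, so an overdue library upgrade is caught automatically rather than waiting for someone to read a vendor statement.

```python
"""Flag application dependencies that are below a required fixed version.

Added example, not part of the original post. The inventory text below is
constructed to look like `mvn dependency:list` output, and the minimum
versions in MIN_FIXED are assumed operator policy, not values from an advisory.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lines (groupId:artifactId:packaging:version:scope).
SAMPLE_INVENTORY = """\
[INFO]    org.apache.struts:struts2-core:jar:2.3.30:compile
[INFO]    org.apache.struts:struts2-rest-plugin:jar:2.3.30:compile
[INFO]    commons-fileupload:commons-fileupload:jar:1.3.3:compile
[INFO]    com.example:internal-lib:jar:4.1.0-SNAPSHOT:compile
"""

# Assumed policy: "groupId:artifactId" -> minimum acceptable version.
MIN_FIXED = {
    "org.apache.struts:struts2-core": "2.3.32",
    "org.apache.struts:struts2-rest-plugin": "2.3.32",
}

LINE_RE = re.compile(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):[^:\s]+:([^:\s]+):\S+\s*$")


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.3.30-SNAPSHOT' into ((2, 3, 30), 'SNAPSHOT').

    Numeric components compare numerically, so 2.3.9 < 2.3.10 as intended.
    """
    core, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return nums, qualifier


def is_older(installed: str, required: str) -> bool:
    """True if installed < required.

    A pre-release qualifier (e.g. SNAPSHOT) on an otherwise equal numeric
    version is treated as older than the final release of that version.
    """
    i_nums, i_q = parse_version(installed)
    r_nums, r_q = parse_version(required)
    # Pad with zeros so that 2.3 compares as 2.3.0.
    n = max(len(i_nums), len(r_nums))
    i_nums += (0,) * (n - len(i_nums))
    r_nums += (0,) * (n - len(r_nums))
    if i_nums != r_nums:
        return i_nums < r_nums
    return bool(i_q) and not r_q


def parse_inventory(text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> installed version from dependency:list style lines."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            group, artifact, version = m.groups()
            found[f"{group}:{artifact}"] = version
    return found


def find_unpatched(inventory: Dict[str, str], policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, installed, required) for each policy entry present in the
    inventory whose installed version is below the required minimum."""
    return [
        (art, inventory[art], req)
        for art, req in policy.items()
        if art in inventory and is_older(inventory[art], req)
    ]


if __name__ == "__main__":
    hits = find_unpatched(parse_inventory(SAMPLE_INVENTORY), MIN_FIXED)
    for art, have, need in hits:
        print(f"UNPATCHED {art}: installed {have}, requires >= {need}")
    # A non-zero exit lets a CI job fail the build when an overdue upgrade is found.
    raise SystemExit(1 if hits else 0)
```

The version comparison is deliberately simple (numeric dotted components plus a pre-release qualifier); a real pipeline would feed the same policy from a vulnerability database rather than a hand-kept dictionary, but the control being demonstrated, an automatic fail when a known-fixed version is not yet deployed, is the same.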
What’s more important than the 3 things below? Prevention — as stated here!
To be clear, I know patching Struts is not like patching windows. Dan's tweet below explains that. But still… https://t.co/PQzow6Rlm6
— Garin Pace (@Garin_Pace) September 14, 2017
— Shawn E. Tuma (@shawnetuma) September 14, 2017
3 Things Worth Learning from the Equifax Breach
The SecureWorld News Team talked with me about many of the lessons that can be learned from the Equifax data breach and winnowed it down to the following 3 takeaways that are discussed more thoroughly in the article:
- We need a uniform national breach notification law in the United States.
- When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
- A mega breach keeps going, and going, and going.
Will Equifax be the “tipping point” for companies to take action on cybersecurity, much the way Target was the “tipping point” for awareness?
My friend Roberta Anderson and I had a conversation on Facebook in which she shared an article she wrote back in April 2014 (Business Forum: Target security breach could be a wake-up call) about the Target data breach being the tipping point for raising awareness about the need for cybersecurity and the risks of data breach. Her question to me was whether I thought Equifax would be another such tipping point. Here is the link to the Facebook post if you want to join the conversation.
Here is my response, also in the post above:
Roberta, that is an excellent article and some excellent questions you raise about Equifax. I recall back in 2011 hearing that year was the “Year of the Data Breach” because we thought, at the time, that with news of *some* data breaches making their way into the traditional news headlines it would be enough to jolt business leaders to start taking action. It wasn’t. As you predicted back in April 2014, it was going to be Target that really turned out to be the “tipping point” and I firmly believe that it was quite a watershed moment in the world of cybersecurity and data breach insofar as raising awareness is concerned. Unfortunately, it wasn’t enough. It wasn’t enough to move from mainstream awareness to mainstream action.
Now to the question of Equifax — will it be the “tipping point” that moves the needle from awareness to action? It very well could be for several reasons. First and foremost, people are pissed — really pissed — about a company that has made its business off of judging them and their “worthiness” now not only showing its unworthiness but also doing so at the expense of the people it has been judging — without their consent! In the world of perception and persuasion, that’s a horrible fact. I have seen this first hand — I have received two to three times more telephone calls, emails, texts, and social media messages asking me to bring a class action lawsuit against Equifax in less than a week than I have in the wake of every other data breach combined — COMBINED! People want their pound of flesh! Add to that the actions of the executives in selling their stock, post-breach (whether they knew or not), the perceived delay in notifying, and the extreme sensitivity of the data involved and you have the makings of a nuclear bomb of breach consequences which are already forming with the lawsuits, extended publicity, and congressional inquiries. But, will that be enough to move the needle to action? I don’t know … will their stock rebound? Will the congressional inquiry go the way of Yahoo’s CEO (who also received letters of inquiry from Congress)? Will the insurance cover much of the sting? Will the execs lose their jobs — without golden parachutes that provide them with better landings than most of us will ever have in our lives? Or, will somebody go to jail and, if so, under what theory?
Effective cybersecurity is hard and requires a commitment to a perpetual journey that has no final destination. That’s not a journey that most companies will truly commit to unless they are forced to do so — even if they *should*. Unless someone really pays the price for this Equifax incident, in a grand and public manner for all of the world to see (no, I’m not suggesting public hangings — but something that will leave the imagery in the public’s mind the way those once did — like the Ford Pinto case), I just don’t know.
Will Equifax get hit for this data breach like Ford did for its “bean counting” in the Pinto case?
I wrote this post back in 2011 and we’re still waiting for the “message” to be sent — will this be it? Data Breach — Who’s Gonna Get It?
Random Info
- On Twitter check out these hashtags: #EquifaxDataBreach, #equifaxhack, and #equifax
- Everything you need to know to survive the Equifax data theft
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.