Equifax hacked, personal data of up to 143 million Americans exposed


Credit-reporting agency Equifax said hackers gained access to sensitive personal data—Social Security numbers, birth dates and home addresses—for up to 143 million Americans, a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for credit histories. Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a “website application vulnerability” and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates are particularly sensitive data, giving those who possess them the ingredients for identity fraud and other crimes. Equifax also lost control of an unspecified number of driver’s licenses, along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others. The company said it did not detect intrusions into its “core consumer or commercial credit reporting databases.” Equifax is one of the largest U.S.-based credit reporting agencies that collect and analyze detailed financial records for a wide range of consumers worldwide. Source: The Washington Post

SEC chief says smaller investors need more info on cyber crime, fraud

Regulators must do more to help mom-and-pop investors understand the risks posed by cyber crime and new technologies used to commit fraud, said Securities and Exchange Commission Chairman Jay Clayton. He said cybersecurity would be one of the top enforcement issues during his tenure at the head of the Wall Street regulator. “I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues,” he said. One concern relates to a rise in cases of information being stolen by hackers to gain some sort of market advantage. Other areas of focus include: ensuring financial firms take the appropriate steps to safeguard sensitive information; cyber-related disclosure failures; and the growing prevalence of “initial coin offerings (ICOs).” Source: Reuters

U.K. identity theft cases hit 500 a day

Identity theft has reached epidemic levels in the United Kingdom, with almost 500 cases per day, according to fraud prevention service Cifas. In the first six months of the year, there were a record 89,000 cases, almost exclusively online. The vast amount of personal data available on the internet combined with data breaches is making it easier for bad guys. Source: The Guardian

Woman must serve 54 months, pay $1 million in identity theft case

A Salinas, California, woman was sentenced to 54 months in prison for filing false tax returns, aggravated identity theft and making false statements to a federally insured institution. Court filings state that Elizabeth Calderon admitted she assisted in preparing and filing more than 4,000 federal income tax returns from 2010 to 2013, many of which improperly reported false credits, false expenses or deductions, false filing status or a combination. She was ordered to pay $1,036,547 in restitution. Source: The Californian

Be careful when donating to Harvey victims, DHS warns

The Department of Homeland Security issued an alert urging computer users “to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.” This activity could include fraudulent emails masquerading as charity donation requests that are designed to get targets to click on a malicious link. “Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites,” the alert says. Source: The Hill

European Commission proposes new safeguards for cybersecurity

The European Commission wants to bolster cybersecurity in the EU by increasing investment in technology, setting stricter consumer safeguards and stepping up diplomacy to deter attacks by other nations, among other measures. The commission is due to announce its proposals in a report later this month, a copy of which was obtained by Reuters. It also argues for greater national and law enforcement cooperation to halt incoming attacks. Source: Reuters

Hackers attack power companies, get deep into systems

In the past nine months, dozens of U.S. power companies were compromised by an organized hacking group to the extent that some of the attacks could have sabotaged and shut down production and distribution, according to Symantec, a cybersecurity company that discovered the attack. In some cases, this involved access to details about how the company operated, engineering plans and equipment, down to the level of controlling valves, pipes or conveyer belts, said Vikram Thakur, principal research manager at Symantec. “It could have taken out the business for a period of a day or two or maybe a month,” he said. Source: USA Today

Time Warner cable customers’ data exposed through app breach

Charter Communications acknowledged it discovered a data breach that made the private information of some of its customers available to outsiders. Those affected were Time Warner Cable customers who used the My TWC app. The company says those still using the app should change their user names and passwords. About 4 million records were exposed, though that doesn’t mean that it involved 4 million individual customers. Source: The Hollywood Reporter

Apple, India can’t agree on anti-spam rule for iPhones

Apple’s refusal to approve the Indian government’s anti-spam iPhone app is infuriating regulators, potentially harming the company’s efforts to sell more products in the country. The Telecom Regulatory Authority of India has been trying unsuccessfully to get its Do Not Disturb software included in the App Store. The program lets people share spam call and text message logs with the agency, which uses the data to alert mobile operators to block the spammers. Apple has said the app violates its privacy policy, according to the regulator. Source: Bloomberg

Verizon offers rewards if customers share personal data

A new Verizon Communications rewards program asks customers to give the carrier access to their web-browsing history in exchange for credits for special events such as tickets to movie premieres. The program, dubbed Verizon Up, would give customers one credit—which can be redeemed against one reward—for every $300 they spend on their monthly bill. The telecom giant will then refer to users’ web browsing, app usage and device location to personalize the rewards. Source: New York Business Journal

Researchers hack Siri, Alexa, other voice assistants with ultrasonics

Researchers from China’s Zhejiang University found a way to attack Siri, Alexa and other voice assistants by feeding them commands in ultrasonic frequencies. Those are too high for humans to hear, but they’re audible to the microphones on devices. With the technique, researchers could get the AI assistants to open malicious websites and even your door if you had a smart lock connected. The technique is called DolphinAttack. Source: Engadget

President seeks dismissal of hacked email lawsuit

President Trump’s attorneys asked a judge to toss out a lawsuit that accuses his 2016 campaign of conspiring with Russian operatives to publish stolen Democratic National Committee information on WikiLeaks. The case, filed by two Democratic Party donors and a former DNC staff member, contends that the Trump campaign and Trump adviser Roger Stone invaded their privacy by working with Russia to disseminate hacked DNC emails and other campaign files. The plaintiffs failed to provide any “factual grounds” that the Republican campaign “conspired with Russian agents” to publish the stolen DNC data, the Trump attorneys said. Source: Politico

Many major corporations’ websites vulnerable to hack attack

With nothing but a web browser and an internet connection, attackers can hack the websites of at least 65 percent of Fortune 100 companies by exploiting a vulnerability that’s existed for nearly a decade, according to a report by security researchers. The vulnerability was discovered in open-source software package Apache Struts, which is a programming framework for building web applications in Java. “All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable,” according to researchers at the security firm lgtm. Source: Quartz

Instagram exposures much larger than first reported

A bug that exposed Instagram users’ contact information affected a far greater number of accounts than the company originally said. The bug allowed hackers to scrape email addresses and contact information for millions of accounts. While the company first said the hack was limited to holders of verified accounts, it now says that nonverified users were affected, as well. Hackers established a searchable database named Doxagram allowing users to search for victims’ contact information for $10 per search. Source: The Verge