169 posts categorized "Breach Notification" Feed

How To Check If Your Information Was Collected By Cambridge Analytica In The Facebook Breach

You've probably heard about the massive privacy and data security breach at Facebook.com where users' information, plus their friends' information was captured and shared with Cambridge Analytica. by an app created by an academic professor. Now, you want to know if your information was harvested.

How To Check

It's easy to check. Visit this Facebook Help Center page. If you are not signed into your Facebook account, then the page displays as:

Default version of Facebook Help page for users to determine if their information was collected by Cambridge Analytica. Click to view larger version

If you have already signed into your Facebook account and your information was not harvested, then the main column of the page displays:

Default version of Facebook Help page for users to determine if their information was collected by Cambridge Analytica. Click to view larger version

If your information was harvested, then the content under "Was My Information Shared?" will be different. It may display this:

"Based upon our investigation, you don't appear to have logged into "This Is Your Digital Life" with Facebook before we removed it from our platform in 2015. However, a friend of yours did log in. As a result, the following information was likely shared with "This Is Your Digital Life": Your public profile, page likes, date of birth, and current city"

Of course, if you logged into the "This Is Your Digital Life" app yourself, then the page content will say so, and list the data elements harvested. Reportedly, about 270,000 Facebook users logged into the app/quiz which then collected information for an estimated 87 million of those users' Facebook friends.

What To Do Next

There's not a lot you can do immediately. CNN Tech advised:

"Even if you delete your Facebook account, or remove third-party apps connected to your profile, the third-party apps will still have access to data they previously collected. Users have to contact the app individually to have the data be removed... According to a notice on affected accounts, the "small number of people" who accessed the app also shared their News Feed, timeline, posts and messages. A Facebook spokesperson confirmed that 1,500 users who logged into the app granted explicit access to their private message inbox... For now, the platform is directing people to their Settings page to see which apps are connected to their accounts, such as Uber and Netflix. Users can also disconnect those apps... Walt Mossberg, a veteran tech reporter and cofounder of tech website Recode, urged Facebook to let users know which friends accessed the app and when..."

Yeah, that! Facebook should inform affected users which of their friends contributed to the data leakage.

Of course, Facebook wants its users to keep using the service. Facebook announced on March 21st that it will, 1) investigate all apps that had access to large amounts of information and conduct full audits of any apps with suspicious activity; 2) inform users affected by apps that have misused their data; 3) disable an app's access to a member's information if that member hasn't used the app within the last three months; 4) change Login to "reduce the data that an app can request without app review to include only name, profile photo and email address;" 5) encourage members to manage the apps they use; and reward users who find vulnerabilities.

Those actions seem good, but too little too late. What can affected users do?

You have options. If you use Facebook, see these instructions by Consumer Reports to deactivate or delete your account. Some people I know simply stopped using Facebook, but left their accounts active. That doesn't seem wise. A better approach is to adjust the privacy settings on your Facebook account to get as much privacy and protections as possible.

Facebook has a new tool for members to review and disable, in bulk, all of the apps with access to their data. Follow these handy step-by-step instructions by Mashable. And, users should also disable the Facebook API platform for their account. If you use the Firefox web browser, then install the new Facebook Container add-on specifically designed to prevent Facebook from tracking you. Don't use Firefox? You might try the Privacy Badger add-on instead. I've used it happily for years.

Whatever you do, remember that lots of advertising networks and tech companies besides Facebook want to track your movements around the web. Some of those companies include internet service providers (ISPs), since the U.S. Federal Communications Commission (FCC) killed both broadband privacy and net neutrality in 2017.

A windfall for broadband providers, and terrible for consumers. You might contact your elected officials and demand that the FCC put broadband privacy and net neutrality protections back into place.


Security Experts: Breach At Panera Bread Affected Millions. Questions Linger About Vulnerability Fix

Panera Bread logo Apparently, Panera Bread experienced a massive data breach, which the restaurant chain's management allegedly ignored for months. CSO Online reported:

"Panera Bread’s website leaked millions of customer records in plain text for at least eight months, which is how long the company blew off the issues reported by security researcher Dylan Houlihan... Houlihan shared copies of email exchanges with Panera Bread CIO John Meister – who at first accused Houlihan of trying to run a scam when he first reported the security vulnerability back in August 2017... Exactly eight months after reporting the issue to Panera Bread, Houlihan turned to KrebsOnSecurity. Krebs spoke to Meister, and the website was briefly taken offline. Less than two hours later, Panera said it had fixed the problem."

Reportedly, the sensitive customer information leaked included usernames, first and last names, email addresses, phone numbers, home addresses, birthdays, the last four digits of saved credit card numbers, dietary restrictions, food preferences, and "social account integration information."

Security experts disagree about two key issues: a) whether or not the vulnerability was fixed, and b) the number of affected consumers. Panera Bread claimed about 10,000 customers were affected. Then, that number went up:

"After some more poking, Hold Security reported to Krebs that Panera didn’t just leak plain text records of 7 million customers; “the vulnerabilities also appear to have extended to Panera’s commercial division, which serves countless catering companies. At last count, the number of customer records exposed in this breach appears to exceed 37 million.”

A check earlier today of the public-facing pages at Panera's website failed to find a breach notice, which companies usually provide after a data breach. Not good. Shoppers need to know. Many states have breach notification laws.

Panera's behavior doesn't inspire much confidence. It's internal breach-detection mechanisms seem to have failed, and its post-breach response seemed unprepared, unfocused, and disinterested. What do you think?


Facebook Update: 87 Million Affected By Its Data Breach With Cambridge Analytica. Considerations For All Consumers

Facebook logo Facebook.com has dominated the news during the past three weeks. The news media have reported about many issues, but there are more -- whether or not you use Facebook. Things began about mid-March, when Bloomberg reported:

"Yes, Cambridge Analytica... violated rules when it obtained information from some 50 million Facebook profiles... the data came from someone who didn’t hack the system: a professor who originally told Facebook he wanted it for academic purposes. He set up a personality quiz using tools that let people log in with their Facebook accounts, then asked them to sign over access to their friend lists and likes before using the app. The 270,000 users of that app and their friend networks opened up private data on 50 million people... All of that was allowed under Facebook’s rules, until the professor handed the information off to a third party... "

So, an authorized user shared members' sensitive information with unauthorized users. Facebook confirmed these details on March 16:

"We are suspending Strategic Communication Laboratories (SCL), including their political data analytics firm, Cambridge Analytica (CA), from Facebook... In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/CA, a firm that does political, government and military work around the globe. He also passed that data to Christopher Wylie of Eunoia Technologies, Inc.

Like all app developers, Kogan requested and gained access to information from people after they chose to download his app. His app, “thisisyourdigitallife,” offered a personality prediction, and billed itself on Facebook as “a research app used by psychologists.” Approximately 270,000 people downloaded the app. In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked... When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. CA, Kogan and Wylie all certified to us that they destroyed the data... Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted..."

So, data that should have been deleted wasn't. Then, Facebook relied upon certifications from entities that had lied previously. Not good. Then, Facebook posted this addendum on March 17:

"The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked."

Why the rush to deny a breach? It seems wise to complete a thorough investigation before making such a claim. In the 11+ years I've written this blog, whenever unauthorized persons access data they shouldn't have, it's a breach. You can read about plenty of similar incidents where credit reporting agencies sold sensitive consumer data to ID-theft services and/or data brokers, who then re-sold that information to criminals and fraudsters. Seems like a breach to me.

Cambridge Analytica logo Facebook announced on March 19th that it had hired a digital forensics firm:

"... Stroz Friedberg, to conduct a comprehensive audit of Cambridge Analytica (CA). CA has agreed to comply and afford the firm complete access to their servers and systems. We have approached the other parties involved — Christopher Wylie and Aleksandr Kogan — and asked them to submit to an audit as well. Mr. Kogan has given his verbal agreement to do so. Mr. Wylie thus far has declined. This is part of a comprehensive internal and external review that we are conducting to determine the accuracy of the claims that the Facebook data in question still exists... Independent forensic auditors from Stroz Friedberg were on site at CA’s London office this evening. At the request of the UK Information Commissioner’s Office, which has announced it is pursuing a warrant to conduct its own on-site investigation, the Stroz Friedberg auditors stood down."

That's a good start. An audit would determine or not data which perpetrators said was destroyed, actually had been destroyed. However, Facebook seems to have built a leaky system which allows data harvesting:

"Hundreds of millions of Facebook users are likely to have had their private information harvested by companies that exploited the same terms as the firm that collected data and passed it on to CA, according to a new whistleblower. Sandy Parakilas, the platform operations manager at Facebook responsible for policing data breaches by third-party software developers between 2011 and 2012, told the Guardian he warned senior executives at the company that its lax approach to data protection risked a major breach..."

Reportedly, Parakilas added that Facebook, "did not use its enforcement mechanisms, including audits of external developers, to ensure data was not being misused." Not good. The incident makes one wonder what other developers, corporate, and academic users have violated Facebook's rules: shared sensitive Facebook members' data they shouldn't have.

Facebook announced on March 21st that it will, 1) investigate all apps that had access to large amounts of information and conduct full audits of any apps with suspicious activity; 2) inform users affected by apps that have misused their data; 3) disable an app's access to a member's information if that member hasn't used the app within the last three months; 4) change Login to "reduce the data that an app can request without app review to include only name, profile photo and email address;" 5) encourage members to manage the apps they use; and reward users who find vulnerabilities.

Those actions seem good, but too little too late. Facebook needs to do more... perhaps, revise its Terms Of Use to include large fines for violators of its data security rules. Meanwhile, there has been plenty of news about CA. The Guardian UK reported on March 19:

"The company at the centre of the Facebook data breach boasted of using honey traps, fake news campaigns and operations with ex-spies to swing election campaigns around the world, a new investigation reveals. Executives from Cambridge Analytica spoke to undercover reporters from Channel 4 News about the dark arts used by the company to help clients, which included entrapping rival candidates in fake bribery stings and hiring prostitutes to seduce them."

Geez. After these news reports surfaced, CA's board suspended Alexander Nix, its CEO, pending an internal investigation. So, besides Facebook's failure to secure sensitive members' information, another key issue seems to be the misuse of social media data by a company that openly brags about unethical, and perhaps illegal, behavior.

What else might be happening? The Intercept explained on March 30th that CA:

"... has marketed itself as classifying voters using five personality traits known as OCEAN — Openness, Conscientiousness, Extroversion, Agreeableness, and Neuroticism — the same model used by University of Cambridge researchers for in-house, non-commercial research. The question of whether OCEAN made a difference in the presidential election remains unanswered. Some have argued that big data analytics is a magic bullet for drilling into the psychology of individual voters; others are more skeptical. The predictive power of Facebook likes is not in dispute. A 2013 study by three of Kogan’s former colleagues at the University of Cambridge showed that likes alone could predict race with 95 percent accuracy and political party with 85 percent accuracy. Less clear is their power as a tool for targeted persuasion; CA has claimed that OCEAN scores can be used to drive voter and consumer behavior through “microtargeting,” meaning narrowly tailored messages..."

So, while experts disagree about the effectiveness of data analytics with political campaigns, it seems wise to assume that the practice will continue with improvements. Data analytics fueled by social media input means political campaigns can bypass traditional news media outlets to distribute information and disinformation. That highlights the need for Facebook (and other social media) to improve their data security and compliance audits.

While the UK Information Commissioner's Office aggressively investigates CA, things seem to move at a much slower pace in the USA. TechCrunch reported on April 4th:

"... Facebook’s founder Mark Zuckerberg believes North America users of his platform deserve a lower data protection standard than people everywhere else in the world. In a phone interview with Reuters yesterday Mark Zuckerberg declined to commit to universally implementing changes to the platform that are necessary to comply with the European Union’s incoming General Data Protection Regulation (GDPR). Rather, he said the company was working on a version of the law that would bring some European privacy guarantees worldwide — declining to specify to the reporter which parts of the law would not extend worldwide... Facebook’s leadership has previously implied the product changes it’s making to comply with GDPR’s incoming data protection standard would be extended globally..."

Do users in the USA want weaker data protections than users in other countries? I think not. I don't. Read for yourself the April 4th announcement by Facebook about changes to its terms of service and data policy. It didn't mention specific countries or regions; who gets what and where. Not good.

Mark Zuckerberg apologized and defended his company in a March 21st post:

"I want to share an update on the Cambridge Analytica situation -- including the steps we've already taken and our next steps to address this important issue. We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it... This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that... at the end of the day I'm responsible for what happens on our platform. I'm serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward."

Nice sounding words, but actions speak louder. Wired magazine said:

"Zuckerberg didn't mention in his Facebook post why it took him five days to respond to the scandal... The groundswell of outrage and attention following these revelations has been greater than anything Facebook predicted—or has experienced in its long history of data privacy scandals. By Monday, its stock price nosedived. On Tuesday, Facebook shareholders filed a lawsuit against the company in San Francisco, alleging that Facebook made "materially false and misleading statements" that led to significant losses this week. Meanwhile, in Washington, a bipartisan group of senators called on Zuckerberg to testify before the Senate Judiciary Committee. And the Federal Trade Commission also opened an investigation into whether Facebook had violated a 2011 consent decree, which required the company to notify users when their data was obtained by unauthorized sources."

Frankly, Zuckerberg has lost credibility with me. Why? Facebook's history suggests it can't (or won't) protect users' data it collects. Some of its privacy snafus: settlement of a lawsuit resulting from alleged privacy abuses by its Beacon advertising program, changed members' ad settings without notice nor consent, an advertising platform which allegedly facilitates abuses of older workers, health and privacy concerns about a new service for children ages 6 to 13, transparency concerns about political ads, and new lawsuits about the company's advertising platform. Plus, Zuckerberg made promises in January to clean up the service's advertising. Now, we have yet another apology.

In a press release this afternoon, Facebook revised upward the number affected by the Facebook/CA breach from 50 to 87 million persons. Most, about 70.6 million, are in the United States. The breakdown by country:

Number of affected persons by country in the Facebook - Cambridge Analytica breach. Click to view larger version

So, what should consumers do?

You have options. If you use Facebook, see these instructions by Consumer Reports to deactivate or delete your account. Some people I know simply stopped using Facebook, but left their accounts active. That doesn't seem wise. A better approach is to adjust the privacy settings on your Facebook account to get as much privacy and protections as possible.

Facebook has a new tool for members to review and disable, in bulk, all of the apps with access to their data. Follow these handy step-by-step instructions by Mashable. And, users should also disable the Facebook API platform for their account. If you use the Firefox web browser, then install the new Facebook Container new add-on specifically designed to prevent Facebook from tracking you. Don't use Firefox? You might try the Privacy Badger add-on instead. I've used it happily for years.

Of course, you should submit feedback directly to Facebook demanding that it extend GDPR privacy protections to your country, too. And, wise online users always read the terms and conditions of all Facebook quizzes before taking them.

Don't use Facebook? There are considerations for you, too; especially if you use a different social networking site (or app). Reportedly, Mark Zuckerberg, the CEO of Facebook, will testify before the U.S. Congress on April 11th. His upcoming testimony will be worth monitoring for everyone. Why? The outcome may prod Congress to act by passing new laws giving consumers in the USA data security and privacy protections equal to what's available in the United Kingdom. And, there may be demands for Cambridge Analytica executives to testify before Congress, too.

Or, consumers may demand stronger, faster action by the U.S. Federal Trade Commission (FTC), which announced on March 26th:

"The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act. Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices."

An "open non-public investigation?" Either the investigation is public, or it isn't. Hopefully, an attorney will explain. And, that announcement read like weak tea. I expect more. Much more.

USA citizens may want stronger data security laws, especially if Facebook's solutions are less than satisfactory, it refuses to provide protections equal to those in the United Kingdom, or if it backtracks later on its promises. Thoughts? Comments?


Update: 2.4 Million More Persons Affected By Massive Data Breach At Equifax In 2017

Equifax logo Equifax, one of the three national credit reporting agencies, announced today that 2.4 million more persons were affected by its massive data breach in 2017. The March 1st announcement stated, in part:

"Equifax Inc. today announced that the company has confirmed the identities of U.S. consumers whose partial driver’s license information was taken. Equifax was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.

Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates... Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information..."

Equifax will notify the newly identified breach victims via U.S. Postal mail, and will offer them complimentary identity theft protection and credit file monitoring services.

The timeline for the massive breach: intrusions occurred in May (2017), Equifax staff first discovered the intrusions in July (2017); Equifax notified the publicy in September (2017); and now identified 2.4 million more breach victims (March, 2018).

Equifax said in September (2017) that 143 million persons were affected. That was about 44 percent of the United States population. In October (2017), Equifax revised upward the number affected by 2.5 million to 145.5 million persons. What's the new total? Equifax didn't have the guts to admit it in its March 1st announcement. Since the company doesn't seem to want to admit it, I'm going with 147.9 million persons affected -- about 45.6 percent of the population.

So, it took Equifax almost six months after its initial announcement to determine exactly who was affected during its massive data breach. This does not inspire confidence. Instead, it suggests that the company's internal systems and intrusion detection mechanisms failed miserably.

A breach investigation by U.S. Senator Elizabeth Warren (Democrat - Massachusetts) reported several failures:

  1. Equifax Set up a Flawed System to Prevent and Mitigate Data Security Problems
  2. Equifax Ignored Numerous Warnings of Risks to Sensitive Data
  3. Equifax Failed to Notify Consumers, Investors, and Regulators about the Breach in a Timely and Appropriate Fashion
  4. Equifax Took Advantage of Federal Contracting Loopholes and Failed to Adequately Protect Sensitive IRS Taxpayer Data
  5. Equifax’s Assistance and Information Provided to Consumers Following the Breach was Inadequate.

Equifax's latest breach update highlights item #3: the company's failure to promptly notify consumers. When consumers aren't notified promptly, they are unable to take action to protect their sensitive personal and payment information.

Have we heard the last from Equifax? Will it provide future updates with even more persons affected? I hope not, but the company's track record suggests otherwise.

Equifax has foisted upon the country a cluster f--k of epic proportions = #FUBAR. Businesses and consumers depend upon secure, reliable credit reports. The United States economy relies upon it, too. Equifax executives need to experience direct consequences: fines, terminations, and jail time. Without consequences, executives won't adequately secure sensitive personal and financial information -- and this will happen again. What do you think?


Uber: Data Breach Affected 57 Million Users. Some Say A Post Breach Coverup, Too

Uber logo Uber is in the news again. And not in a good way. The popular ride-sharing service experienced a data breach affecting 57 million users. While many companies experience data breaches, regulators say Uber went further and tried to cover it up.

First, details about the data breach. Bloomberg reported:

"Hackers stole the personal data of 57 million customers and drivers... Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers..."

Second, details about the coverup:

"... the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers... At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet."

Geez. Not tell regulators about a breach? Not tell affected users? 48 states have data breach notification laws requiring various levels of notifications. Consumers need notice in order to take action to protect themselves and their sensitive personal and payment information.

Third, Uber executives learned about the breach soon thereafter:

"Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Kalanick declined to comment on the hack."

Reportedly, breach victims with stolen drivers license information will be offered free credit monitoring and identity theft services. Uber said that no Social Security numbers and credit card information was stolen during the breach, but one wonders if Uber and its executives can be trusted.

The company has a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit descrbing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool. TechCrunch reported that Uber:

"... reached a settlement with [New York State Attorney General] Schneiderman’s office in January 2016 over its abuse of private data in a rider-tracking system known as “God View” and its failure to disclose a previous data breach that took place in September 2014 in a timely manner."

Several regulators are investigating Uber's latest breach and alleged coverup. CNet reported:

"The New York State Attorney General has opened an investigation into the incident, which Uber made public Tuesday. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack. The New Mexico Attorney General sent Uber a letter asking for details of the hack and how the company responded. What's more, Uber appears to have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security, a legal expert says... In addition to its agreement with the FTC, Uber is required to follow laws in New York and 47 other states that mandate companies to tell people when their drivers' license numbers are breached. Uber acknowledged Tuesday it had a legal requirement to disclose the breach."

The Financial Times reported that the U.K. Information Commissioner's Office is investigating the incident, along with the National Crime Agency and the National Cyber Security Centre. New data protection rules will go into effect in May, 2018 which will require companies to notify regulators within 72 hours of a cyber attack, or incur fines of up to 20 million Euro-dollars or 4 percent of annual global revenues.

Let's summarize the incident. It seems that a few months after settling a lawsuit about a data breach and its data security practices, the company had another data breach, paid the hackers to keep quiet about the breach and what they stole, and then allegedly chose not to tell affected users nor regulators about it, as required by prior settlement agreements, breach laws in most states, and breach laws in some international areas. Geez. What chutzpah!

What are your opinions of the incident? Can Uber and its executives be trusted?


Considerations For Consumers Affected By The Equifax Breach

Earlier this month, Discover sent me a replacement credit card. The letter with the replacement card stated:

"Notice of Data Breach
What happened: we recently learned your Discover card account might have been part of a data breach. Please know, this breach did not involve Discover card systems.
What we are doing to resolve: we are issuing you a new card with a new account number, security code, and expiration date to reduce the possibility of fraud on your account... So as a safety precaution, we are issuing you a new card to protect your Discover card account information from being misused"

Good. I like the proactive protection, and hope that the retailer absorbed the costs of replacement cards for all affected consumers like me. However, the letter from Discover didn't identify the retailer. I called Discover's customer service hotline. The phone representative wouldn't identify the retailer, either. I'd shopped at four retail stores during the past month, and assumed it was one of them. It wasn't.

Equifax logo On Saturday, I received via postal mail a breach notification letter from Equifax dated October 23, 2017:

"We are writing with regard to the cybersecurity incident Equifax announced on September 7, 2017. At Equifax, our priorities with regard to this incident are transparency and continuing to provide timely, reassuring support to every consumer. You are receiving this letter because the credit or debit card number used to pay for a freeze service, credit score, or disclosure of your Equifax credit file was accessed. We have no evidence that your credit file itself was accessed."

So, confirmation that it was Equifax's fault. What to make of this? Keep reading.

First, thanks Equifax for the postal mail notice. However, this isn't timely communication. Why? Equifax considers it's September 7th press release timely communication. How many consumers read Equifax press releases? Did you? My guess, most don't.

Thankfully, I read online newspapers and was aware of the breach soon after Equifax's September 7th announcement. Yet, my postal letter from Equifax arrived seven weeks after its September 7th press release (and almost three months after it first discovered the breach on July 29).  This incident is a reminder for consumers not to rely upon postal mail for breach notices. Many states' breach notice laws allow for companies to post public notices online in websites and/or in newspaper advertisements. This allows companies to skip (the expense of) mailing individual breach notices via postal mail.

The October 23rd Equifax breach letter also stated:

"On September 7, 2017, Equifax notified U.S. customers of the data security incident, including that 143 million U.S. consumers were impacted. On October 2, 2017, following the completion of the forensic portion of the investigation of the incident, Equifax announced that the review determined that approximately 2.5 million additional U.S. consumers were potentially impacted. Equifax also announced that credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182, 000 consumers were accessed."

So, I am one of the "lucky" 209,000 consumers in the United States whose payment information was exposed stolen in addition to other sensitive personal information. Thanks Equifax for failing to protect my sensitive personal -- and payment -- information you are entrusted to protect.

Second, to upgrade earlier this year from slow, antiquated DSL to fiber broadband from Verizon, I used my credit card to pay for a temporary lift of the security freeze on my Equifax credit report. Why did Equifax retain my payment information for this transaction? Why did it retain that payment information in a complete and UN-encrypted format?

Discover's Frequently Asked Questions page for merchants advises merchants to do the following to protect consumers' highly sensitive payment card information:

"Tips for protecting customer information: a) Truncate all credit card information; b) Avoid storing CID data in your records or within sales data; c) Secure your site; d) Store data securely; e) Protect your data with firewalls; f) Limit authorized use and require passwords; g) Avoid storing customer or credit card information on your web server
Refer to your Merchant Operating Regulations for further card-not-present (CNP) requirements for the submission of sales."

So, it seems that Equifax failed to follow Discover's data security guidelines for merchants. (Browse privacy guidelines for merchants by other card issuers.) I do not have any ongoing services or subscriptions with Equifax, so there seems to be no need for it to retain my full credit card payment information. Not good. I called the Equifax customer service hotline. The phone representative could not explain why Equifax retained my payment information. Not good.

Third, Equifax failed to customize the letter for my situation. In 2008, I placed security freezes on my credit reports at Equifax, Experian, and TransUnion. So, Equifax already knows I have a security freeze in place, and failed to customize the letter accordingly. Rather than explain what applies to customers in my situation, instead the letter repeated the same general fraud-prevention advice for all consumers: how to contact the FTC, visit annualcreditreport.com for free copies of credit reports, file a police report if a victim of identity theft, place a fraud alert or security freeze on my credit reports for protections, and how to lift/remove an existing security freeze. Not good.

This was fast becoming a crappy customer experience.

Fourth, while on the phone with Equifax's customer service I asked if the TrustedID Premier credit monitoring service it ofered would work with the security freezes in place at all three credit reporting agencies. The phone representative said yes, but that the "credit file lock feature" would not work. What's that? According to the Equifax FAQ page:

"What is the difference between a credit file lock and a security freeze?
At their most basic level, both prevent new creditors from accessing your Equifax credit report, unless you give permission or take an action such as removing, unlocking or lifting the freeze or lock. Both a security freeze and a credit file lock help prevent a lender or other creditor from accessing a consumer’s credit report to open unauthorized new accounts.

  • Security freezes were created in the early 2000’s, are subject to regulation by each state and use a PIN based system for authentication.
  • Credit file locks were created more recently, are mobile-enabled and use modern authentication techniques, such as username and passwords and one-time passcodes for better user experience."

So, the "credit file lock" feature is new and different from a security freeze. The new feature allows mobile users to easily and quickly unlock/lock your Equifax credit reports. That seems beneficial for consumers needing frequent and quick access to credit. According to the FAQ page, the new feature will be "free, for life." The above description gives the impression that security freezes are antiquated.

To further understand this new feature, I visited the TrustedID Premier Privacy Policy page, which stated:

"The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number and credit card information; Payment history and transaction history; Credit scores and credit history"

The "depend on the product or service you have" seems vague and broad. Just tell me! Plus, "transaction history" could include geo-location: where you bought something since some purchases are made at brick-and-mortar retail stores. It could also include when and where you use the "credit file lock" feature. So, even though the policy doesn't explicitly mention geo-location data collection, it seems wise to assume that it does. For the new "credit file lock" feature to work on your phone, it probably needs to know your location -- where you and your phone are.

So, this new feature seems to be a slick way for Equifax to collect (and archive) location data about when, where, the duration, and frequency of consumers' travels in the physical world -- something it couldn't get previously through the traditional security freeze process. Remember, any app on your smartphone can collect location data.

Plus, the "credit file lock" feature won't work with a security freeze in place. According to the customer service representative, consumers need to remove a security freeze for the credit file lock feature to work. This is a new, important wrinkle which consumers must understand in order to make informed decisions.

The representative said it would be free to remove the security freeze on my Equifax credit report in order to use the new feature. I asked if the TrustedID Premier service Equifax offers would work with credit reports from Innovis. The rep said no. The duration of my phone call was long since the representative needed to place me on hold and check with others in order to answer my questions. This did not instill confidence.

Plus, this lengthy question-and-answer page about Equifax's services indicates that many consumers (and perhaps some Equifax customer service representatives) don't fully understand the differences between security freezes, credit file locks, and other service features.

Fifth, the letter from Equifax did not mention any of the new threats nor the additional protection steps consumers must take, both of which you can read about in this October 10th blog post. Even though I've written about privacy, data breaches and credit monitor for the past 10+ years, like you there are new things to learn. It seems that Equifax is hoping that breach victims will take the easy route: enroll in TrustedID Premier -- which is free for now, but will likely cost you later.

Overall, for me it was a crappy post-breach customer experience with Equifax. I expected better -- better data security and a better post-breach support. Plenty of news articles have documented the security problems, failures, and post-breach problems with Equifax's breach site.

What are your opinions? What do you think of the new credit file lock feature? If you've used it, share your experience in the comments section below the image.

Overview of features. TrustedID Premier service. Click to view larger version


Security Researcher Finds Unprotected Voter Files Online Affecting Up To 1.8 Million Chicagoans

While looking for unprotected data in cloud storage services, a security researcher found unprotected information for as many as 1.8 million voters in Chicago. CBS Chicago reported:

"It was Friday Aug. 11 in Silicon Valley. John Hendren, a marketing representative for IT security firm UpGuard, was looking for insecure data in the cloud. He randomly plugged in "Chicago … db," for “Chicago database,” and hit the jackpot. He found names, addresses, birth dates, driver’s license numbers and the last four digits of Social Security numbers for up to 1.8 million Chicago voters..."

How the breach happened:

"Chicago’s vendor is ES&S, out of Omaha, Nebraska. The company has been paid more than $5 million since 2014 by the Chicago Board of Elections. The company placed the data folder on Amazon Web Services (AWS) with the wrong security settings, Tom Burt, the firm’s CEO, recently told Chicago officials. Burt says managers missed the gaffe, and the database remained online for six months, until UpGuard found it. Company officials say they don’t believe the information ended up on the “dark web” for identity thieves to attain..."

The CBE's breach notice (Adobe PDF) provided a more complete list of the data elements exposed:

"... The personal information contained in the back-up files included voter names, addresses, and dates of birth, and many voters’ driver’s license and State ID numbers and the last four digits of Social Security numbers. Upon discovery of the Incident, ES&S promptly took the AWS server off-line, secured the back-up files, and commenced a forensics investigation. ES&S also hired two specialized third-party vendors to conduct searches to determine whether any personal information stored on the back-up files was available on the Dark Web. The results of ES&S’ investigations have not uncovered any evidence that any voter’s personal information stored on the AWS server was misused..."

This is bad for several reasons. First, the data elements exposed or stolen are enough for cyber criminals to do sufficient damage to breach victims. Second, just because the post-breach investigation didn't find misuse of data doesn't mean there wasn't any. It simply means they didn't find any misuse.

Third, it would be unwise to assume that the breach wasn't that bad because only the last 4 digits of Social Security numbers were exposed. Security researchers have known for a long time that Social Security numbers are easy to guess:

"... a crook need only figure out where and when you were born--information often easily found on social networking sites like Facebook--to guess your number in as few as 1000 tries... Social Security numbers were never meant to be used for widespread identification. They were conceived solely to track taxes and benefits... Every Social Security number starts with three digits known as an "area number." Smaller states might have only one, whereas New York, for example, has 85. The next two digits are "group numbers," which can be anything from 01-99, but don't correspond to anything specific. The last four digits, the "serial number," are assigned sequentially..."

So, it's long past time to stop using the last four digits of Social Security numbers as identification. Fourth, the incident makes one wonder when -- if ever -- the unprotected data folder would have been discovered by ES&S or CBE, if the security researcher hadn't found it. That's unsettling. It calls into question the security methods and managerial oversight at ES&S.

This isn't the first breach at the Chicago Board of Elections (CBE). A CBE breach in 2012 exposed the sensitive personal information of at least 1,000 voters, after initial reports estimated the number of affected voters at 1.7 million. Before that, the CBE faced several lawsuits in 2007 claiming negligence after:

"... it distributed more than 100 computer disks containing Social Security numbers and other personal data on more than 1.3 million voters to alderman and ward committee members."

Reportedly, in 2016 foreign cyber criminals hacked the Illinois Board of Elections' voter registration system. A similar attack happened in Arizona. The main takeaway: voter registration databases are high-value targets.

So, strong data security measures and methods seem wise; if not necessary. The latest incident makes one wonder about: a) the data security language and provisions in CBE's outsourcing contract with ES&S, and b) the agency's vendor oversight.

Will Chicago residents demand better data security? I hope so. What do you think?


Whole Foods Says Data Breach 'Resolved'

Whole Foods Market logo During the weekend, Whole Foods Markets announced in a customer notification update that it had "resolved" a recent data breach involving the unauthorized access of customers' payment information in certain stores. The customer notification update stated:

"Whole Foods Market has resolved the incident previously announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores. These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23, 2017. The company conducted an investigation, obtained the help of a leading cyber security forensics firm, and contacted law enforcement. Whole Foods Market replaced these point of sale systems for payment card transactions and stopped the unauthorized activity..."

Reportedly, the breach included about 100 locations. The company operates about 473 stores nationwide.

The breach method used by criminals and the types of payment information accessed:

"The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information—which could have included payment card account number, card expiration date, internal verification code, and cardholder name—of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017."

Earlier this year, Amazon acquired Whole Foods for about $13.7 billion. Whole Foods said that Amazon.com systems do not connect to the payment systems at Whole Foods stores, and that transactions on the Amazon.com site were not affected. An October 20, 2017 press release repeated most of the same information as the customer notification.

Besides the replacement of affected point-of-sale terminals, the customer notification did not elaborate about exactly how the breach was "resolved," how the malware was installed in the terminals, nor how the resolution will keep this type of breach from happening again. Often, a resolution includes the hardening of certain computer systems, improved malware detection software, improved managerial oversight, and/or the training of employees. This seems especially important for retail stores with multiple, exposed payment terminals.

Within the Whole Foods website, its September 28, 2017 press release headline links to the same October 20th customer information update. It seems the company deleted the September press release. Why do this? It makes it difficult for readers to determine what's new or changed since the September 28 disclosure.

Plus, hacking details matter. As readers of this blog know, unattended, free-standing payment terminals in retail stores have long been high-value targets for criminals armed with skimming devices. Was the malware introduced locally (e.g., manually by a person) at each terminal or centrally through the company's computer network? Sadly, the update did not explain. Hopefully, future updates will.

Until then, it's hard for customers to trust that the breach was fully "resolved." Replacing the affected terminals is no guarantee that the malware won't be re-introduced into the replacement terminals. If I continue to shop there, I'll use cash. What do you think?


Update: All Yahoo Accounts Hacked During Its Data Breach in 2013

Verizon Oath logo Yahoo, now within Verizon's Oath business unit, announced on Tuesday an update in the the number of accounts hacked during its massive data breach in 2013. The announcement stated:

"... [Yahoo] is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected... Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft... Yahoo is sending email notifications to the additional affected user accounts..."

That's 3 billion accounts hacked! It almost boggles the mind. Consumers with questions should also visit the Yahoo 2013 Account Security Page which has been updated with information released this week. Key information about the breach and consumers' data stolen:

"On December 14, 2016, Yahoo announced that, based on its analysis of data files provided by law enforcement, the company believed that an unauthorized party stole data associated with certain user accounts in August 2013... the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or un-encrypted security questions and answers. The investigation indicates that the information that was stolen did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected... No additional notifications regarding the cookie forging activity are being sent in connection with this update..."

Obviously, affected users should change their passwords, security questions, and security answers -- if they haven't already. Some consumers are confused about whether e-mail breach announcements they have received are authentic and truly from Yahoo. The tech company advised:

"... email from Yahoo about this issue will display the Yahoo icon Purple Y icon when viewed through the Yahoo website or Yahoo Mail app. Importantly, the email does not ask you to click on any links or contain attachments and does not request your personal information. If an email you received about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails."

Uncertain users should also check the official Yahoo breach notices by country. In June of this year, Verizon completed its acquisition of Yahoo! Inc. and announced then:

"Verizon has combined these assets with its existing AOL business to create a new subsidiary, Oath, a diverse house of more than 50 media and technology brands that engages more than a billion people around the world. The Oath portfolio includes HuffPost, Yahoo Sports, AOL.com, MAKERS, Tumblr, BUILD Studios, Yahoo Finance, Yahoo Mail and more, with a mission to build brands people love."

Reportedly, the Oath portfolio will include products, services, and apps covering content partnerships, virtual reality (VR), artificial intelligence (AI), and the Internet of Things (IoT).

In March of this year, the U.S. Department of Justice announced the indictment by a grand jury of four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts.

The announcement this week by Yahoo is a reminder of the importance of post-breach investigations and how long these investigations can take to uncover complete details about the hack. It is unwise to assume that everything is known at the time of the initial breach notification. It is also unwise to assume that companies can immediately improve their data security and systems after a massive breach.


Equifax: 2.5 Million More Persons Affected By Massive Data Breach

Equifax logo Equifax disclosed on Monday, October 2, that 2.5 more persons than originally announced were affected by its massive data breach earlier this year. According to the Equifax breach website:

"... cybersecurity firm Mandiant has completed the forensic portion of its investigation of the cybersecurity incident disclosed on September 7 to finalize the consumers potentially impacted... The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."

The September breach announcement said that persons outside the United States may have been affected. The October 2nd update addressed that, too:

"The completed review also has concluded that there is no evidence the attackers accessed databases located outside of the United States. With respect to potentially impacted Canadian citizens, the company previously had stated that there may have been up to 100,000 Canadian citizens impacted... The completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted. In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian. The company will mail written notice to all of the potentially impacted Canadian citizens."

So, things are worse than originally announced in September: more United States citizens affected, fewer Canadian citizens affected overall but more Canadians' credit card information exposed, and we still don't know the number of United Kingdom residents affected:

"The forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom. Equifax is continuing discussions with regulators in the United Kingdom regarding the scope of the company’s consumer notifications...

And, there's this statement by Paulino do Rego Barros, Jr., the newly appointed interim CEO (after former CEO Richard Smith resigned):

"... As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements..."

To review? That means Equifax has not finished the job of making its systems and websites more secure with security fixes based upon how the attackers broke in, which identify attacks earlier, and which prevent future breaches. As bad as this sounds, the reality is probably worse.

After testimony before Congress by former Equifax CEO Richard Smith, Wired documented "six fresh horrors" about the breach and the leisurely approach by the credit reporting agency's executives. First, this about the former CEO:

"... during Tuesday's hearing, former CEO Smith added that he first heard about "suspicious activity" in a customer-dispute portal, where Equifax tracks customer complaints and efforts to correct mistakes in their credit reports, on July 31. He moved to hire cybersecurity experts from the law firm King & Spalding to start investigating the issue on August 2. Smith claimed that, at that time, there was no indication that any customer's personally identifying information had been compromised. As it turns out, after repeated questions from lawmakers, Smith admitted he never asked at the time whether PII being affected was even a possibility. Smith further testified that he didn't ask for a briefing about the "suspicious activity" until August 15, almost two weeks after the special investigation began and 18 days after the initial red flag."

Didn't ask about PII? Geez! PII describes the set of data elements which are the most sensitive information about consumers. It's the business of being a credit reporting agency. Waited 2 weeks for a briefing? Not good either. And, that is a most generous description since some experts question whether the breach actually started in March -- about four months before the July event.

Wired reported the following about Smith's Congressional testimony and the March breach:

"Attackers initially got into the affected customer-dispute portal through a vulnerability in the Apache Struts platform, an open-source web application service popular with corporate clients. Apache disclosed and patched the relevant vulnerability on March 6... Smith said there are two reasons the customer-dispute portal didn't receive that patch, known to be critical, in time to prevent the breach. The first excuse Smith gave was "human error." He says there was a particular (unnamed) individual who knew that the portal needed to be patched but failed to notify the appropriate IT team. Second, Smith blamed a scanning system used to spot this sort of oversight that did not identify the customer-dispute portal as vulnerable. Smith said forensic investigators are still looking into why the scanner failed."

Geez! Sounds like a managerial failure, too. Nobody followed up with the unnamed persons responsible for patching the portal? And Equifax executives took a leisurely (and perhaps lackadaisical) approach to protecting sensitive information about consumers:

"When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers... It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax's attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all," Smith replied. "There are varying levels of security techniques that the team deploys in different environments around the business."

Geez! So, we now have confirmation that the "core" information -- the most sensitive data about consumers -- in Equifax's databases is only partially encrypted.

Context matters. In January of this year, the Consumer Financial Protection Bureau (CFPB) took punitive action against TransUnion and Equifax for deceptive marketing practices involving credit scores and related subscription services. That action included $23.1 million in fines and penalties.

Thanks to member of Congress for asking the tough questions. No thanks to Equifax executives for taking lackadaisical approaches to data security. (TransUnion, Innovis, and Experian executives: are you watching? Learning what mistakes not to repeat?) Equifax has lost my trust.

Until Equifax hardens its systems (I prefer NSA-level hardness), it shouldn't be entrusted with consumers' sensitive personal and payment information. Consumers should be able to totally opt out of credit reporting agencies that fail with data security. This would allow the marketplace to govern things and stop the corporate socialism benefiting credit reporting agencies.

What are your opinions?

[Editor's note: this post was amended on October 7 with information about the CFPB fines.]


Bloomberg: Equifax Had A Data Breach In March, Too. More Questions Result

Equifax logo According to news reports, Equifax experienced another data breach earlier this year before the massive data breach it announced on September 7th where criminals gained unauthorized access to Equifax's systems and computers from May through then end of July, 2017. Bloomberg reported:

"Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation... Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said..."

Two major data breaches? What's happening? A news report by Bank Info Security may clarify things:

"... the Bloomberg story is "attempting to connect two separate cybersecurity events and suggesting the earlier event went unreported." Instead, Equifax says the breach described by Bloomberg was a "security incident involving a payroll-related service." The incident, which Equifax refers to as the "March event," was reported to customers, affected individuals and regulators, as well as covered by the media, it says. "Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related."

Equifax appears to refer a breach involving TALX its payroll, human resources, and tax services subsidiary formally known as Equifax Workforce Solutions. The Bank Info Security news report explained:

"In early March, Equifax began notifying individuals whose employers use TALX for payroll services that it had detected unauthorized access to its web-based portal. Employees use the TALX portal to access their W-2, which is the annual income reporting form that U.S. employees need to file their federal tax return. That's also a key document for fraudsters, because it puts them one step closer to being able to fraudulently file and claim a tax refund in someone else's name.

In the March attack, hackers had luck accessing TALX accounts by guessing registered users' personal questions, according to Equifax's breach notifications. By answering the questions correctly, fraudsters were able to reset a PIN needed to access an account. With the fresh PIN, they were able to obtain an electronic copy of victims' W-2. The unauthorized access incidents occurred between April 17, 2016, and March 29, 2017, Equifax says..."

It's frightening that the TALX breach went undetected for almost a year. Also, the Krebs On Security blog reported in May about the Equifax-TALX breach. However, the Bloomberg news report explored another hacking method criminals might have used in March:

"... one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter. This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.

According to the person and a Sept. 14 internal memo reviewed by Bloomberg, the gateway linked a test and development site used by the bank’s wealth management division to Equifax, allowing the two entities to share information digitally."

So, there was a breach in March. Was it the TALX hack, the hack via a bank, both, or something else? If the Bloomberg report is accurate, then the post-breach consequences listed probably apply:

"... will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading... New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity... the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that [March] investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July."

If true, then consumers are left with more questions: which bank(s)? What fixes have been implemented so this doesn't happen again? Why wasn't this disclosed sooner? How many consumers were affected? Exactly how did the hackers gain access? Was it the same or a different group of hackers? Which consumers' data elements were accessed/stolen?

The cynic in me wonders if Equifax executives are using its TALX breach as cover -- to avoid having to admit to another massive (and embarrassing) data breach.

Regardless of which news report is accurate, there are plenty of reasons for consumers to feel uneasy about Equifax's breach(es), data security protections, and breach notifications. Equifax is a custodian of extremely valuable and sensitive information about consumers. It makes money selling that information to potential lenders, and consumers have a right to have their questions answered fully.

Maybe the various investigations and inquiry by 31 states will provide answers for consumers. Or maybe Congress needs to hold hearings. It's been done before. What do you think?


Equifax Data Breach: 11 Reasons Why It Is Worse Than You Think

Equifax logo Equifax, one of the three major credit reporting agencies, announced on September 7 a massive data breach where criminals accessed the company's computer systems. How bad is it? It is instructive to analyze the text of Equifax's breach announcement:

"... a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."

First, this is huge. Do the math 143 million persons is about 44 percent of the United States population of 325 million on July 4, 2017. So, almost half of the population was affected. Not good. But, there's more to this than size.

Second, the announcement stated "approximately." So, the true number could be lower or higher. The vagueness suggests that Equifax doesn't really know exactly how many consumers were affected. Not good. And, other details support this assumption that Equifax really doesn't know.

Third, the announcement stated "accessed." During the 10+ years I've written this blog, I've read dozens or hundreds of breach announcements. Many use this term. While the term may accurately describe what's Equifax knows, it also can be misleading. Criminals don't access companies' systems simply to window-shop or read files. They access systems to download and steal valuable information they can either use to make money, or resell to others. It's what online criminals do.

Fourth, the data elements accessed stolen allow criminals to do a lot of damage. That might include: a) obtain fraudulent loans or credit in breach victims' names; b) impersonate breach victims (it's called pretexting) to access online accounts; c) with online access withdraw money from victims' bank accounts; and much more. With online access, criminals can change passwords and take over victims' accounts effectively locking out victims.

Fifth, the breach investigation isn't finished:

"Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks."

The announcement didn't state when Equifax expected the investigation to be finished. Days? Weeks? Months? Not good.

Equifax hired an outside, independent technology firm to investigate its breach. That's what companies usually do during their post-breach response. This tiny bit of good news is quickly overshadowed by the bad. Without a completed breach investigation, Equifax can't really know whether the breach was caused by a technical systems problem, employee error, management oversight lapses, a sloppy or incompetent subcontractor, something else, or a combination of items. Only after a completed breach investigation can Equifax implement one or several fixes so this won't happen again. Not good.

Sixth, without knowing how criminals accessed their systems it is unlikely Equifax also can't know with certainty what data elements about consumers were stolen. More data elements could have been stolen, perhaps entire credit reports. Not good.

Seventh, it seems that Equifax's intrusion detection systems failed. Just look at the timeline. The breach started in mid-May and Equifax discovered it near the end of July. So, criminals had at least 2 full months to steal whatever they could find. Not good. Plus, after discovering the breach it would take Equifax another 5 weeks later to announce it. Why the delays? The breach announcement doesn't explain why. Not good.

Eighth, Equifax seems to take shortcuts with its breach notification:

"Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."

Setting up a website to convey breach updates to consumers is a good thing, but using the site to notify consumers about the breach is not good for two reasons: a) the site requires consumers to enter many of the same sensitive, valuable data elements criminals want to steal; and b) it forces consumers to trust that the breach site is secure, when we know that the breach investigation is incomplete. This is a breach notification failure.

In the 10+ years I've written this blog, trustworthy companies notify breach victims via postal mail. Why won't Equifax notify all breach victims directly via postal mail? It has consumers' residential addresses in its databases. (That is a benefit for its lending customers.) So, the lack of data is not an excuse. Plus, the credit reporting agency is willing to notify some consumers directly:

"In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

Rather than notify all breach victims directly, Equifax seems to want to take shortcuts. Maybe it is to save money, laziness, or poor decisions by its executives. The announcement doesn't explain why, so consumers are left to draw their own conclusions. Not good.

Ninth, technologists have questioned the security of Equifax's new breach site. Ars Technica reported:

"... the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details..."

Reportedly, the domain name registration problem was fixed on Sunday. Still, Equifax's post-breach response appears amateurish. Meanwhile, data security problems persisted in its main website. According to Ars Technica:

"... in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So, Equifax hasn't completed its breach investigation, doesn't know how its systems were hacked, has vulnerabilities in its main site, but wants consumers to trust that its breach site is secure. Not good.

Tenth, the Equifax announcement promoted its credit monitoring service (emphasis added):

"Equifax has established a dedicated website... to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year."

One year? Are Equifax executives serious? Stolen consumers' credentials don't magically lose value after one year. Criminals will use stolen credentials (e.g., name, address, Social Security Number, birth date, etc.) as long as they can. Criminals will resell stolen data to other criminals as long as the data has value. In my opinion, Equifax should provide complimentary lifetime credit monitoring indefinitely to all breach victims.

Why lifetime? Because the data elements accessed stolen have ongoing value. The cynical part of me wonders if some finance executives have done the math. As long as credit reporting agency executives believe that one year of free credit monitoring will appease breach victims, it's cheaper to pay that cost (plus a few out-of-court settlements), rather than implement more robust data security.

Eleventh, there is a history of questionable decisions by Equifax executives. In 2007, it paid a $2.7 million fine for violating federal credit laws. In 2009, it paid a $65,000 fine to the state of Indiana for violating the state's security freeze law. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations of improper list sales. Earlier this year, Equifax and TransUnion paid $23.1 million to settle allegations of deceptive advertising about credit scores.

This history provides some context to news reports that three Equifax executives sold about $1.8 million in stock after the breach was discovered and before the public breach announcement. Equifax stock fell about 13 percent after the breach announcement. The company said on Thursday that these executives didn't know about the intrusion when they sold shares. Even if true, the optics of this look absolutely terrible.

The whole sordid affair should be a reminder to consumers that we are the product. Credit reporting agencies' true customers are lenders - the companies that lend money and make loans to consumers. Equifax makes its money selling credit reports to lenders.

What to make of this? I see several considerations for consumers:

  1. Assume the worst. Every time you hear or read the word "accessed" by Equifax, replace it with "stolen." Then, make your data security decisions accordingly.
  2. If you don't trust the security of Equifax's breach site, then call the company instead via the hotline listed in the breach announcement (preferably using a landline phone) to see if you are affected.
  3. Carefully consider the advantages and disadvantages of Equifax's offer of free credit monitoring and identity theft protection. Equifax has been criticized for forcing arbitration on consumers who accept the free credit monitoring offer. In a September 11th update in its breach site, Equifax reversed course and said the arbitration clause and class-action waiver don't apply in this incident. Regardless, read the fine print before signing up. They may try to re-insert it later. If you don't know what it is, learn about arbitration. A variety of companies have inserted these clauses into their user agreements policies. You'll need to learn about arbitration anyway in order to make informed purchase decisions about other products and services.
  4. If you don't need credit, consider a Security Freeze to lock down your Equifax credit reports. Then, Equifax can't sell your credit report to lenders. You can do this at all three major credit reporting agencies. I did this several years ago after a data breach by a former employer. Know that a Security Freeze is not a cure-all, since it won't stop data breaches and it won't stop all forms of identity theft and fraud. To learn more, this blog has plenty of information about credit reporting agencies, credit monitoring services, fraud alerts for your credit reports, and security freezes.
  5. If you dislike Equifax's post-breach response, then contact your elected officials and demand that they pressure Equifax to do the right thing: a) notify all breach victims directly via postal mail; and b) implement better data security.
  6. Equifax's post-breach response makes me question whether the company is really up to the data security task -- it's responsibility -- to adequately protect consumers' sensitive information. All credit reporting agencies are high-value targets by criminals. If Equifax's executives didn't understand this before, they should now -- and take actions to demonstrate to consumers they realize the seriousness of the breach. Words are not enough.
  7. Consumers lack choices. Citizens cannot opt in nor opt out of the data collection by credit reporting agencies. (Consumers can opt out of pre-approved credit offers, but can't opt out of the data collection. There's a difference.) Also, the Equifax breach highlights the hypocrisy of pundits and politicians who object to the mandate within Obamacare (e.g., the Affordable Care Act) legislation -- some called it socialism -- while remaining remain silent about a similarly socialistic mandate with credit reporting.

While writing a post recently about misdeeds at Wells Fargo, I asked the question: "How much damage can one bank do?" Now, I find myself asking a similar question about Equifax: "How much damage can one company do?" Credit and lending are essential to the United States economy. In my opinion, all credit reporting agencies should have NSA-level data security for their networks and computer systems. The data they archive is that critical.

And: if you can't protect it, don't collect it. It's that simple.

As more issues emerge about this breach, I will address them in subsequent posts. What are your opinions of the Equifax breach? Did you lock down your credit reports with a Security Freeze?


The State of Massachusetts Data Breach Archive Is Available Online

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced the public availability online of its data breach notification archive. To comply with Massachusetts state laws enacted in 2007, companies and entities must notify both the OCABR and the Attorney General's Office anytime personal information is accidentally or intentionally compromised.

Consumer Affairs Undersecretary John Chapman stated:

“The Data Breach Notification Archive is a public record that the public and media have every right to view... Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

The OCABR breach archive includes a tabular listing of data breaches in Adobe PDF format. Each listing includes the following data elements: date the breach was reported, organization name, breach type, number of residents affected, types of sensitive personal data (e.g., Social Security Number, account number, driver's license identifier, credit card number) exposed or stolen, whether the organization offered free credit monitoring to affected residents, if the data was encrypted, and if the breach included mobile devices. The archive does not include the full text of the breach notification letters received. The breach archive also includes summary information:

Breaches and Residents Affected By Year
Year # Notifications # Affected Residents
2007 (Nov to Dec) 30 8,499
2008 413 700,918
2009 437 357,869
2010 473 1,015,693
2011 614 1,163,917
2012 1,139 326,411
2013 1,829 1,163,643
2014 1,603 354,130
2015 1,834 1,338,048
2016 1,866 188,809
Total 10,238 5,454,294

According to the Census Bureau, Massachusetts' population was just under 6.8 million in 2015. So, the total number of affected residents equals about 80 percent of the state's population.

Nebraska, Nevada, Rhode Island, and Tennessee recently strengthened their breach laws with expanded definitions, encryption, requirements to notify the state's attorney general, and requirements to notify affected persons within forty-five (45) days. While most states -- 46 have some type of breach laws, some (California, Indiana, Iowa, Maryland, Montana, New Hampshire, Oregon, Vermont, Washington, Wisconsin) post online breach notices they have received.

Some states' sites provide their breach archives using static Adobe PDF file formats. The better-designed sites make it easy for residents to search and view information about specific breach incidents. these sites feature interactive search mechanisms that allow users to enter the name of company or state agency, date range filters, and file download options compatible with spreadsheet software. Some states -- California, South Carolina, and Washington -- produce detailed breach reports explaining the breaches by industry, type, and cause.

Without the full text, interactive search, and filter mechanisms, the OCABR breach archive is a marginally helpful resource. Consumers can still use it to verify the breach notices they have received via postal mail, since identity thieves often send fake breach notices trying to trick consumers into revealing their sensitive personal information. Using the OCABR breach archive is slow and awkward, since users must download each PDF file and perform a text search for an organization with each file. Plus, the archive lacks both street address and company business unit information, making it impossible for users to distinguish between entries with the same organization name.

Basically, something is better than nothing.

What are your opinions of the breach archive by Massachusetts? If I missed any states that provide beach notices online, please share below.


Yahoo Announced Another Massive Data Breach. Has Begun Notifying Affected Users

Yahoo logo Yahoo announced on Wednesday a new data breach that affected as many as one billion users. The company believes this latest breach is different from its September 2016 breach. After law enforcement notified Yahoo in November about data files a third party claimed were stolen during the latest breach:

"... The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016."

The data elements stolen included full names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or un-encrypted security questions and answers. The announcement also said that no payment card data or bank account information was stolen.

Regardless, this is bad. First, Yahoo doesn't know how the criminals hacked its systems. So, it cannot prevent another breach. Second, law enforcement notified Yahoo. It's breach detection systems failed. Third, one billion is a lot of affected users. Fourth, the data elements stolen expose affected users to spam and attempted break-ins to their other online accounts. Cyber criminals will test stolen passwords at other sites to see where else they can access. It's what they do.

Fifth, Yahoo's stock price is falling again after news broke about the latest breach. Verizon has already said it will re-evaluate its acquisition offer based upon the latest news, or it may terminate the acquisition deal entirely.

Yahoo's breach announcement also disclosed:

"Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."

That's not good, either. The announcement did not disclose the name of the state-sponsored actor.

A reader of this blog shared the e-mail breach notice they received from Bob Lord, the Chief Information Security Officer at Yahoo. The breach notice contained much of the same content as the online announcement, but omitted the above information about forged cookies. The breach notice sent to users stated:

"From: Yahoo (Yahoo@communications.yahoo.com)
Sent: Wednesday, December 14, 2016 7:38 PM
Subject: Important Security Information for Yahoo Users

NOTICE OF DATA BREACH

Dear XXXXXXX,
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.

What Happened?
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

What Information Was Involved?
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.

What We Are Doing
We are taking action to protect our users:

  • We are requiring potentially affected users to change their passwords.
  • We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
  • We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

What You Can Do
We encourage you to follow these security recommendations:

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
  • Review all of your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For More Information
For more information about this issue and our security resources, please visit the Yahoo Security Issues FAQs page available at https://yahoo.com/security-update.

Protecting your information is important to us and we work continuously to strengthen our defenses.

Sincerely,

Bob Lord
Chief Information Security Officer
Yahoo"

What are your opinions of the latest breach at Yahoo? Is the company doing enough to protect users' information?


Yahoo Confirms Massive Data Breach. Unclear If Users At Its Outsourcing Clients Were Also Affected

Yahoo logo After reports about a rumored announcement, Yahoo confirmed late on Thursday a massive data breach affecting half a billion users -- 500 million persons. Yahoo believes the breach was performed by a "state-sponsored actor."

Data elements exposed and stolen during the breach include full names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers. The breach dated back to 2014. This is very serious, and by far the largest breach ever. The data elements stolen facilitate spam and a variety of scams; plus access to email contacts such as clients, customers, and patients.

Yahoo's breach announcement stated:

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter..."

Yahoo is in the process of notifying affected persons. Affected users should change their passwords, security questions, and answers.

The breach announcement did not state if users at outsourcing clients were affected. Other companies and entities can outsource their e-mail services to Yahoo, or to other e-mail providers offering similar services. One such company appears to be AT&T. The "AT&T Email Basics" page (see image below) references a co-branded AT&T-Yahoo website for AT&T customers to check their e-mail.

AT&T Email Basics page references Yahoo site for email. Click to view larger version I reached out to AT&T for a comment. A reply was not received by press time. If its email users were affected by the breach, then those users will probably want to know who is going to assist them, and what assistance will be offered.

Given the pending acquisition of Yahoo by Verizon, several AT&T customers already discussed in an online forum concerns about what might happen to their e-mail service operated by a competitor. (Verizon said on Thursday it learned about the breach two days ago.) If users at outsourcing clients were also affected by the breach, then this might add to their uncertainty.

If you received a breach notice from Yahoo, what is your opinion of the response?


4 States Strengthen Their Breach Notification Laws

The National Law Review summarized breach notification laws strengthened in four states: Nebraska, Nevada, Rhode Island, and Tennessee. The stronger laws include several changes: expanded definitions, encryption, requirements to notify the state's attorney general, and requirements to notify affected persons within forty-five (45) days.

Several states expanded their definitions of "personal information" to better protect consumers:

"Nevada now includes in its definition of “personal information” a medical identification number, a health insurance identification number, and a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account. Similarly, Rhode Island now counts as “personal information” any medical information, health insurance information, and an email address in combination with any required security code, access code or password that allows access to an individual’s personal, medical, insurance or financial account..."

Some of the expanded definitions made by Tennessee:

"Tennessee broadened its definition of “unauthorized persons” to include an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. Tennessee also removed the word “unencrypted” from its definition of “Breach of the security system” in order to ensure that partial encryption of compromised personal information does not evade the statute."

Read the rest of the changes in the National Law Review article.


Data Breaches At HEI Hotels & Resorts Affects 20 Properties In At Least 10 States

HEI Hotels and Resorts logo On Friday, Hei Hotels and Resorts (HEI) announced data breaches that affected 20 properties in 11 states. According to the company's breach notice, hackers installed malware within the company's payment processing systems to collect customers' payment data.

The payment information stolen included the names, payment card account numbers, card expiration dates, and verification codes of customers who used their payment cards at point-of-sale terminals. The list of hotels by state:

State City & Property
California La Jolla: San Diego Marriott La Jolla
Pasadena: The Westin Pasadena
San Diego: Renaissance San Diego Downtown Hotel
San Francisco: Le Meridien San Francisco
Santa Barbara: Hyatt Centri Santa Barbara
Colorado Snowmass Village: The Westin Snowmass Resort
District of Columbia Washington: The Westin Washington DC City Center
Florida Boca Raton: Boca Raton Marriott at Boca Center
Fort Lauderdale: The Westin Fort Lauderdale
Miami: Royal Palm South Beach Miami
Tampa: InterContinental Tampa Bay
Illinois Chicago: Hotel Chicago Downtown
Minnesota Minneapolis: The Hotel Minneapolis Autograph Collection
Minneapolis: The Westin Minneapolis
Pennsylvania Philadelphia: The Westin Philadelphia
Tennessee Nashville: Sheraton Music City Hotel
Texas Fort Worth: Dallas Fort Worth Marriott Hotel & Golf Club
Vermont Manchester Village; Equinox Resort Golf Resort & Spa
Virginia Arlington: Le Meridien Arlington
Arlington: Sheraton Pentagon City

The exact date of the breaches varied by property. Some breaches occurred as early as March, 2015 while others continued until as recent as June 17, 2016. A card processor notified HEI of the breach. The HEI breach notice stated:

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties."

HEI is notifying affected customers and consumers that may have been affected:

"... We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card..."

The HEI breach notice contains more information for affected consumers to review their credit reports, place Fraud Alerts, and place Credit Freezes.

HEI appears to have been caught unprepared. It did not detect the intrusion, and its breach notice did not arrange for any free credit monitoring for affected consumers. Hopefully, more information is forthcoming.

If you received a breach notice from HEI, what are your opinions of the breach? Of HEI's response so far?


Data Breaches At Maryland Parking Garages Affect Thousands

Data breaches at three parking garages in downtown Annapolis, Maryland habe put the sensitive personal and payment data of thousands of consumers at risk. WJZ, the CBS affiliate in Annapolis, reported a:

"... preliminary investigation shows that the breach took place from December 23, 2015 to June 11, 2016 — nearly six months — at the Noah Hill, Gott’s Court and Knighton garages... The breach affects drivers who used the daily parking option, not those who have monthly plans or residents."

After learning about the breach, the city switched to cash-only payments. While the city responded quickly, questions remain. The news report did not mention when and how affected persons would be notified of the breach. A brief scan on Monday of the Annapolis Parking website didn't not find any breach notices. Consumers need to be notified promptly.

Also, the nature of the breach suggests that the payment terminals were compromised. Many consumers are probably thinking: I don't live in nor visit Annapolis, so no problem.

Well, big problem. We all visit and park our vehicles at downtown city locations. Some people visit more often than others. You don't have to look far to find breaches at parking garages in Chicago, Cleveland, and at this parking vendor which serves several cities.

This Annapolis parking-garage breach is a reminder of the vulnerability of payment terminals at all parking garages. Like the pumps at gas stations, parking garages have free-standing payment terminals that are unattended for long periods of time. This creates an opportunity for criminals to tamper with the terminals, and install skimming devices either inside or on the exterior of terminals. It is a popular tactic by criminals on both ATM machines and gas stations.

So, when you pay using a debit- or credit card at a parking garage, you are betting that the garage operator regularly inspects their payment terminals for skimming devices, and adequately protects their computer systems from hacks and malware.


LinkedIn Data Breach Was Larger And Worse Than Consumers First Told. 117 Million Persons Affected

LinkedIn.com logo The 2012 data breach at LinkedIn.com was far larger and worse than originally thought. Motherboard reported:

"A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach... The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and the one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords."

So, the breach included 167 records affecting as many persons, not 6.5 million. And, 117 million people are at risk now. To make matters worse, hackers have already cracked the encryption method LinkedIn.com used to protect users' passwords:

"The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours..."

And, the incident cast doubt on both LinkedIn.com's breach detection methods and the response by the company's executives:

"... LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen. “We don’t know how much was taken,” Durzy told me in a phone call. The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store password in an insecure way..."

LinkedIn released a statement yesterday. Relevant portions:

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach... For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords... We're moving swiftly to address the release of additional data from a 2012 breach, specifically: We have begun to invalidate passwords for all accounts created prior to the 2012 breach​ that haven’t update​d​ their password since that breach. We will let individual members know​ ​if they need to reset their password. However, regularly changing your password is always a good idea..."

Many people use the LinkedIn.com social site to network with professionals in their field, and find jobs. If you use the site, experts advise consumers to change your password immediately and don't reuse the same password at multiple websites.