If you have not heard by other means, Equifax is reporting a data breach. A large number of people have had their data stolen.
Some words of caution:
Other data breaches in the past were not reported until after the fact. In most of these cases the target (sic) is unaware until the data is posted, sold, or the list otherwise comes to the attention of the company. Then the process begins: Is this really our customer data? If so, does similar data exist at other sites that could have been compromised? Can we use our logs, records, and data to determine when and how this breach occurred? Then the notifications, remediation, and other processes begin.
The Yahoo breaches came to light when it was noted that their list was for sale.
No matter what security is placed on the data, the insider threat always remains: a trusted employee walks the data out of the perimeter.
These breaches of personal information will continue; you can't prevent them. So being situationally aware is probably your only option. Monitor your data, personal information, and Internet presence.
For the Equifax breach you are offered a service to monitor your account.
The Washington Post advises to proceed with caution.
The "Am I affected" web page asks for personal information, as it should; it would need that information to determine whether you were affected. But you are giving personal information to a site that has lost your information at least once. If this was an inside job, or if the vulnerability that allowed the breach still exists, the fact that you've verified the stolen information has value.
To sign up for the protection, you waive your right to join a future class action suit or to take other legal action. You waive those rights by agreeing to the Terms of Service. These Terms of Service are changing almost hourly, so read, understand, and keep a copy of the Terms of Service you have agreed to, if you do agree.
Other advice on the Internet:
Monitor your identity, financial data, etc. via other means - you should be doing this anyway.
Increase awareness for email, phishing, SMS messaging, social media, etc. that might be using the stolen data to abuse any trust relationships.
UPDATE: It is reported that if/when you set an alert or freeze at Equifax you get a PIN to unfreeze or lift the alert. The PIN appears not to be random, but a number based on the date/time of the freeze or alert. A 10-digit PIN with low entropy (and easily guessed) is not optimum.
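To put numbers on the "low entropy" point above, here is an added example (not from the original post, and not Equifax's code) that compares the guess space of a PIN derived from the freeze date/time with that of a uniformly random 10-digit PIN, and shows the right way to generate one. The one-year window and one-minute resolution are assumptions about how much an attacker knows and how fine-grained the timestamp is.

```python
import math
import secrets

PIN_DIGITS = 10


def uniform_pin_bits(digits=PIN_DIGITS):
    """Entropy (bits) of a PIN drawn uniformly from all digit strings of this length."""
    return digits * math.log2(10)


def timestamp_guess_space(window_days, resolution_seconds=60):
    """Number of distinct PINs a date/time-derived scheme can produce if the
    freeze is known to have happened within `window_days` and the scheme only
    resolves to `resolution_seconds` (assumed values; the post gives no format)."""
    return window_days * 86400 // resolution_seconds


def timestamp_pin_bits(window_days, resolution_seconds=60):
    """Upper bound on the entropy of a timestamp-derived PIN under those assumptions.
    The bound is independent of the PIN's length: ten digits do not help if only
    this many values can ever occur."""
    return math.log2(timestamp_guess_space(window_days, resolution_seconds))


def random_pin(digits=PIN_DIGITS):
    """Generate a PIN from the OS CSPRNG; zfill keeps leading zeros so every
    value in [0, 10**digits) is equally likely and the same length."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


if __name__ == "__main__":
    print(f"uniform 10-digit PIN:       {uniform_pin_bits():.1f} bits")
    print(f"timestamp PIN, 1-year window, 1-minute resolution: "
          f"{timestamp_guess_space(365)} candidates, {timestamp_pin_bits(365):.1f} bits")
    print(f"example random PIN:         {random_pin()}")
```

Roughly 19 bits versus 33 bits: the timestamp scheme throws away about 14 bits, and an attacker who knows the freeze date to the day needs only about 1,440 guesses at minute resolution.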
In SIG meetings we mentioned vulnerabilities with Apache Struts. The fix for these vulnerabilities usually required a rebuild of the web application using Struts, not a trivial task with a complex site.
Be careful out there.