Equifax CEO Richard Smith steps down in aftermath of massive breach

Equifax Chairman and CEO Richard Smith stepped down Tuesday in the wake of a massive cybersecurity breach that exposed the birth dates, social security numbers, and other personal information of 143 million Equifax customers, The New York Times reports.

Paulino do Rego Barros Jr. will vacate his post as the company’s president of the Asia-Pacific region to assume the CEO duties in an interim capacity, the Times says. Equifax will consider candidates from both inside and outside the company as permanent replacements.

According to the Times, Mark Feidler will become chairman of the board.

“Speaking for everyone on the board, I sincerely apologize [for failing to protect the seized data],” Feidler said in a statement, per the Times. Feidler said, per the Times, that the board has formed a special committee to handle the breach.

Lawmakers, as well as the general public, have taken issue with Equifax’s failure to secure the data, and some have cast aspersions upon the company’s handling of the fallout that followed the breach.

Equifax set up a special-purpose website to provide information about the attack, and to help customers contain the damage. Among the website’s primary offerings was a tool by which a customer could enter his information and find out whether the breach had affected him. But the tool ran into a number of problems. Moreover, the company struggled to field the myriad calls that flooded its customer support lines.

The Times reports that three Equifax executives sold a combined $1.8 million worth of stock in the company in the days after the breach had been discovered but before it had been disclosed. Equifax said, per the Times, that the executives mentioned were unaware of the breach when they offloaded the shares.

Smith is the third prominent Equifax executive to vacate his post in response to the breach. The company’s chief information officer and chief security officer both stepped down September 14.

“Mr. Smith has been very cooperative and supportive of this approach,” Equifax spokesman Wyatt Jefferies said per the Times.

Smith had served as CEO since 2005. In his 12 years with the company, he more than doubled its annual revenue, the Times notes. He was renowned amongst Wall Street experts for his ability to develop innovative products, and for his sales acumen.

As of now, Equifax has not terminated Mr. Smith, but the terms reached prior to his departure allow the board to retroactively fire him for cause, the Times says. The company will provide neither severance nor accelerated vesting of stock options to Smith, and he will not receive a bonus for 2017 (Equifax awarded him $3-million bonuses in 2015 and 2016).

Smith will retain $18.4 million in pension benefits.

Smith is scheduled to appear at congressional meetings regarding the breach in the coming weeks: one held by the House Energy and Commerce Committee on October 3, the other by the Senate Banking, Housing and Urban Affairs Committee the following day.

Senator Brian Schatz of Hawaii, a leading member of the latter committee, issued a statement ordering Smith to appear for the appointment and admonishing the former executive for shirking his responsibility for the breach.

“A CEO walking out the door just days before he is to appear before Congress is an abdication of his responsibility,” Schatz said, according to the Times.

But Jefferies, the Equifax spokesman, has indicated that Smith intends to comply with Congress’ demands. “If Congress asks him, he will go,” Jefferies said of Smith.

Schatz is one of the several senators who have, in the wake of the Equifax incident, advocated legislation that would give consumers more latitude to protect their credit information.

The FBI is currently leading a criminal investigation into the breach, the Times says, and attorneys general in 30 states have launched their own probes into the matter. On September 19, the Massachusetts Attorney General sued Equifax seeking civil damages and more compensation.

Featured image via Vimeo

Equifax stares down almost two dozen class actions after cyberattack

Credit reporting and monitoring company Equifax is facing at least 23 proposed class action lawsuits in the wake of its announcement Thursday that a cyber attack compromised the personal information of up to 143 million Equifax customers, USA Today reports.

Various law firms have filed suits in 14 different states as well as D.C., according to USA Today, and more suits will likely follow. Victimized customers may receive a pretrial settlement from Equifax, and/or may be entitled to some portion of any monetary judgment levied against the firm.

“Equifax probably injured 143 million people, which is kind of a record…with 143 million people it doesn’t surprise me there are already 23 suits,” said John Coffee, who directs the Center on Corporate Governance at Columbia Law School.

USA Today notes that the number of people the breach potentially victimized represents 44 percent of the U.S. population.

“Assume that if you’re an American with a credit card or a mortgage, your data has been leaked,” Zack Whittaker, security editor for CBS’s ZDNet, tweeted.

Hackers carried out the attack from mid-May through July, seizing customers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers. Equifax says it became aware of the breach in late July. The company alerted the public of the incident on September 7. In the interim, Equifax hired third-party consultants to investigate the crime and provide suggestions as to how the company might bolster its cyber-defenses.

Many of the lawsuits take issue with the lag time between Equifax’s discovery of the attack and the firm’s notification of the public. USA Today says one suit calls the delayed disclosure “willful, or at least negligent.” Another argues that the delay “deprived [consumers] of their opportunity to meaningfully consider and address issues related to the potential fraud, as well as to avail themselves of the remedies available under the FCRA (U.S. Fair Credit Reporting Act) to prevent further dissemination of their private information.”

The company would presumably argue that it was justified in assessing the nature and extent of the attack before alarming the public.

A third suit notes that Equifax fell victim to similar attacks earlier this year, as well as in 2013 and 2016. Therefore, said suit argues, Equifax “knew and should have known of the inadequacy of its own data security.”

Other filings take aim at TrustedID, an Equifax service that provides identity theft protection and credit monitoring. One document says the company “failed to disclose to consumers that it owned TrustedID,” and baited customers into signing up for the service.

To help customers identify whether their information was compromised by the attack, Equifax is offering free TrustedID service to all U.S. customers.

New York Attorney General Eric Schneiderman, who is investigating the Equifax case, took issue with a clause in the agreement Equifax requires TrustedID members sign. The clause in question says that in signing up for TrustedID, a user waives his/her “right to bring or participate in any class action…or to share in any class action awards.”

“This language is unacceptable and unenforceable,” Schneiderman tweeted Friday. “My staff has already contacted @Equifax to demand that they remove it.”

Equifax subsequently explained that the waiver does not prohibit TrustedID members from participating in class actions regarding the cyber security incident.

In addition to Schneiderman, other government entities are pursuing the Equifax case. USA Today obtained a copy of a letter Senators Orrin Hatch and Ron Wyden, both of whom hold key positions on the Senate Committee on Finance, sent to Equifax requesting details about the attack and the manner in which the company is handling it.

The letter requests a timeline of the breach and asks how Equifax is identifying affected customers and what measures the company is taking to limit consumer harm. The document also asks Equifax to clarify the amount of information that was compromised.

Legal arguments must take place before the proposed suits achieve class action status. If the court grants class action status, USA Today says, a “federal panel on multi district litigation” will likely consolidate the suits into a single case, then assign that case to a judge, who would, in turn, appoint one law firm or a group of law firms as plaintiff counsel.

At the market’s close Tuesday, Equifax stock had dipped 18.7 percent since the original announcement; 4.7 percent of that drop had come since Monday morning, when news of the proposed class actions broke.

Featured image via Pixabay

China is using quantum cryptography to produce unhackable transmissions

China has proven itself able to use quantum cryptography to produce what are essentially unhackable transmissions.

A Chinese group of researchers called the Quantum Experiments at Space Scale project, or QUESS, launched a quantum cryptography satellite into orbit in August last year.

This satellite has enabled the QUESS project to send quantum-encrypted messages from earth to the satellite — a record-setting distance of 1200 kilometers.

What is quantum cryptography?

But what makes this particular kind of encryption preferable to regular encryption?

Right now, regular encryption is generally considered safe because computers have not yet reached the level of sophistication needed to break it. But some scientists predict that once quantum computing is fully developed, traditional methods of encryption will no longer suffice to keep information secret.

According to the theory, quantum computers will move beyond our current computers, which rely on mathematics, and will instead rely on the physical properties of sub-atomic particles. That is why researchers are looking into methods of quantum encryption that will be able to stand up to attempts to decode transmissions using quantum computers.

The specific technology the QUESS project used is called quantum key distribution, or QKD. Messages are encrypted with a key generated by sending a random stream of photons between the two communicating users. This method is essentially unbreakable because the behavior of photons is largely random, and because photons cannot be observed without disturbing them and thereby alerting the communicating parties.
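The detection property the paragraph relies on can be seen in a toy simulation of the BB84 key-distribution protocol. This is an added example, not code from the QUESS project or the article: the "photons" are classical (bit, basis) pairs, measuring in the wrong basis returns a random bit, and an intercept-and-resend eavesdropper is modelled explicitly. The 11 percent error threshold is the commonly cited BB84 bound and is an assumption of the model; sample sizes and seeds are constructed.

```python
import random
from dataclasses import dataclass

# Toy BB84 model (added example). basis 0 = rectilinear, 1 = diagonal.
# Measuring a photon in the basis it was prepared in returns its bit exactly;
# measuring in the other basis returns a uniformly random bit.


@dataclass
class Bb84Result:
    sifted_key_length: int        # bits where Alice's and Bob's bases agreed
    mismatches: int               # sifted bits on which Alice and Bob differ
    qber: float                   # quantum bit error rate over the sifted bits
    eavesdropper_detected: bool   # qber above the agreed abort threshold


def measure(bit: int, basis: int, measure_basis: int, rng: random.Random) -> int:
    """Return the outcome of measuring (bit, basis) in measure_basis."""
    if basis == measure_basis:
        return bit
    return rng.randint(0, 1)


def run_bb84(n_photons: int, eavesdrop: bool = False, seed: int = 0,
             threshold: float = 0.11) -> Bb84Result:
    """Run one BB84 exchange and estimate the error rate on the sifted key.

    threshold=0.11 is the roughly 11% QBER bound often quoted for BB84
    (assumption of this model, not a value from the article).
    """
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_photons)]

    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve guesses a basis, measures, and forwards a
            # photon prepared in her basis with her outcome. Half the time her
            # basis is wrong, so a quarter of Bob's sifted bits end up flipped.
            eve_basis = rng.randint(0, 1)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Sifting: Alice and Bob publicly compare bases (not bits) and keep only the
    # positions where they agree.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]

    # Parameter estimation: here every sifted bit is compared for simplicity; a
    # real run sacrifices a random sample and keeps the rest as key material.
    mismatches = sum(1 for a, b in sifted if a != b)
    qber = mismatches / len(sifted) if sifted else 0.0
    return Bb84Result(len(sifted), mismatches, qber, qber > threshold)


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(2000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: sifted={r.sifted_key_length} "
              f"qber={r.qber:.3f} detected={r.eavesdropper_detected}")
```

Without an interceptor the sifted bits agree perfectly; with one, about a quarter of them disagree, which is far above any usable threshold, so the parties abort rather than use the key. This is the "alerting the communicating parties" the article refers to: the eavesdropper is not prevented from looking, but cannot look without leaving a measurable error rate.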


What does this mean for the future of computing?

Not only is quantum cryptography a safe method of communication, it is also a tremendously effective one that is able to handle massive amounts of information. In the future, China envisages a whole network of people using quantum satellites to communicate at unprecedented levels of safety and speed.

QKD will allow people to send secret messages as never before. But many people worry that quantum cryptography will prove a mixed blessing. It will make it harder to hack into encrypted messages, yes. But what if a government needs to decrypt information for purposes of national security? Friends and enemies alike will be protected in this coming age of computers.

Malicious code can now jump from DNA to computers

We now live in a time in which you can use DNA to hack computer systems.

The discovery was made by a group of researchers at the University of Washington made up of both computer science and molecular biology specialists. They focus on how information is encoded not only in computer systems, but also in biological systems, and particularly in the overlap between the two.

The team of researchers originally launched the project because they noticed possible security vulnerabilities in the computer systems used at their university for DNA sequencing and analysis. The lab treated DNA samples as non-threatening input, but the researchers could imagine a way to sneak code into the computer system via DNA. So they decided to hack the DNA sequencing computer system to prove it.

In this particular case, the group of researchers encoded a malicious program onto a synthetic strand of DNA only 176 bases long, a very small amount. A sequencing computer then read the DNA and transcribed it into binary code, which could be read and executed. The researchers had purposefully inserted certain vulnerabilities into the computer’s security so that it was not protected against the malicious code. Here, the malicious code gave the researchers remote control over the infected computer.
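The transcription step the paragraph describes, bases becoming bytes, is shown below next to a defensive ingest routine that treats sequencer reads as untrusted input. This is an added example, not code from the University of Washington paper or the article. It assumes a two-bits-per-base encoding (A=00, C=01, G=10, T=11), under which the 176-base strand quoted above carries 44 bytes; the maximum read length and the sample sequence, built from harmless text, are constructed for the example.

```python
# Added example: DNA <-> bytes transcription and a hardened read-ingest step.
# Encoding assumption: two bits per base, A=00, C=01, G=10, T=11.

BASE_TO_BITS = {"A": 0b00, "C": 0b01, "G": 0b10, "T": 0b11}
BITS_TO_BASE = "ACGT"
MAX_READ_LEN = 300  # constructed upper bound for one read; set per instrument


def bytes_to_dna(data: bytes) -> str:
    """Map each byte to four bases, most significant bit pair first."""
    return "".join(BITS_TO_BASE[(byte >> shift) & 0b11]
                   for byte in data for shift in (6, 4, 2, 0))


def dna_to_bytes(seq: str) -> bytes:
    """Inverse of bytes_to_dna; expects an already-validated A/C/G/T string."""
    if len(seq) % 4:
        raise ValueError("sequence length must be a multiple of 4 bases")
    out = bytearray()
    for i in range(0, len(seq), 4):
        byte = 0
        for base in seq[i:i + 4]:
            byte = (byte << 2) | BASE_TO_BITS[base]
        out.append(byte)
    return bytes(out)


def ingest_read(seq: str) -> bytes:
    """Validate a read before any downstream tool sees it.

    The article describes a lab that treated samples as non-threatening
    input. Checking the alphabet and length up front, and passing the result
    on strictly as data, removes that assumption from the pipeline.
    """
    seq = seq.strip().upper()
    if not seq or any(base not in BASE_TO_BITS for base in seq):
        raise ValueError("read contains characters outside A/C/G/T")
    if len(seq) > MAX_READ_LEN:
        raise ValueError(f"read of {len(seq)} bases exceeds limit of {MAX_READ_LEN}")
    return dna_to_bytes(seq)


def read_is_safe(seq: str) -> bool:
    """Accept/reject wrapper around ingest_read for callers that want a bool."""
    try:
        ingest_read(seq)
        return True
    except ValueError:
        return False


# Constructed sample: 44 bytes of padded text -> 176 bases, the length the
# article quotes. Not the researchers' payload.
SAMPLE_TEXT = "hello, sequencer".ljust(44, ".").encode()
SAMPLE_DNA = bytes_to_dna(SAMPLE_TEXT)

if __name__ == "__main__":
    print(len(SAMPLE_DNA), "bases ->", ingest_read(SAMPLE_DNA))
    print("oversized read accepted?", read_is_safe("A" * 1000))
    print("non-ACGT read accepted?", read_is_safe("ACGN"))
```

The point of `ingest_read` is the order of operations: the read is checked against the alphabet and a length bound before it is decoded, and the decoded bytes are returned as data for the caller to store or analyse, never interpreted. Any tool further down the pipeline that allocates fixed-size buffers for reads then has a guaranteed upper bound on what it will receive.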

The researchers could have simply chosen to infect the system using malware or remote access tools. Instead, they wanted to infiltrate the system using a virus to prove that it is a real vulnerability which warrants consideration.

The group stresses that they don’t believe there is any cause for alarm, as there is little immediate danger. However, they urge us to begin thinking about such possible threats now, before they become immediate threats.

Security concerns aside, the discovery is interesting in scientific terms. This experiment shows us how fully biological and computer code can overlap, and it invites us to imagine a world of fluid boundaries between life and computer.


Featured Image via Pixabay

Cybersecurity Hero Who Stopped WannaCry Ransomware Arrested on Malware-Related Charges

Marcus Hutchins, the cybersecurity researcher who disabled the WannaCry ransomware, was arrested in Las Vegas Wednesday, August 2 following a July 12 indictment on charges of creating, distributing, and profiting from a malware program that could seize credit card numbers and other banking information, Reuters reported Friday via nasdaq.com.

On Friday, Judge Nancy Koppe set Hutchins’ bail at $30,000. Though she dismissed prosecutors’ claims that the 23-year-old British citizen was a flight risk, she ordered him to surrender his passport. During his bail period, Hutchins will be denied computer use and internet access, and his location will be tracked via GPS.

Koppe’s ruling came just half an hour before the court clerk’s office was to close for the weekend, so Hutchins’ lawyers did not have enough time to prepare the paperwork necessary for his release. Hutchins remained in custody over the weekend, but his lawyer, Adrian Lobo, expects him to be released Monday.

According to Lobo (per Reuters), a “variety of sources” around the world are offering support to Hutchins, who she says was blindsided by the accusations. Reuters says many of Hutchins’ fellow cybersecurity researchers have “rallied to his defense,” saying they “[do] not believe he [has] ever engaged in cyber crime.”

Hutchins is credited with having discovered and implemented a “kill switch” that thwarted the WannaCry ransomware attack, which infected computer systems at a number of prominent businesses throughout the world in May. In less than a day, the malware infected 250,000 computers in more than 150 countries, according to a report by CNBC. Its victims included the National Health Services of England and Scotland, FedEx, Honda, the Chinese public security bureau, and a number of universities around the world.

“He’s dedicated his life to researching malware and not trying to harm people,” Lobo said of Hutchins, per The Telegraph. “Using the internet for good is what he’s done.”

The July 12 indictment, linked to in a report by Iain Thompson of Britain’s The Register, remained sealed until Hutchins’ arrest at Las Vegas’ McCarran International Airport and was released to the public once Hutchins was in custody. Filed in the Eastern District Court of Wisconsin, it alleges six counts relating to the creation and distribution of the Kronos malware.

Upon obtaining bail, Lobo told Reuters, Hutchins will fly to Wisconsin to deal with court proceedings relating to the indictment.

The indictment accuses a co-defendant, whose name has been redacted, along with Hutchins. Lobo denied knowledge of the co-defendant’s identity, Reuters says.

According to Thompson, the indictment alleges that the co-defendant posted an instructional video describing how to use the malware and has sold or offered to sell the program for prices ranging from $2,000 to $3,000. The document further charges that Hutchins himself willfully sold the malware code in the US on June 11, 2015.

Thompson cites a July 2015 report by The Register indicating that Kronos was fetching prices as high as $7,000, making it one of the more expensive malware products available.

The high price reflects the sophistication of Kronos: the virus could bypass antivirus software and encrypt the commands inputted by its users. Moreover, potential buyers were offered a trial period prior to purchase.

The malware, which was active between July 2014 and July 2015, according to Reuters, specifically targeted Windows machines, infiltrating Internet Explorer, Firefox, and Google Chrome to steal victims’ banking information.

Lobo, per Reuters, says Hutchins is “doing well, considering what’s gone on.” He will plead not guilty to all charges. Prosecutors say he has admitted to crafting and selling Kronos, and claim to have records of chat logs between him and the co-defendant in which Hutchins discusses a transaction concerning the malware, according to The Telegraph.

However, The Register’s Thompson points out that “grand juries are indictment-issuing machines,” and that “there appears to be nothing concrete [to link] Hutchins to the Russian-language forum posts that advertised Kronos back in 2014.”

On July 13, 2014, the same day that the aforementioned Kronos help video was posted, Hutchins requested a sample of Kronos via Twitter, perhaps so that he could work to combat the malware. One may wonder why Hutchins would ask for a sample of a program he himself developed.

Hutchins was relatively unknown prior to his widely publicized thwarting of WannaCry in May. That story rocketed him to global heroism. If he is convicted in connection with the Kronos charges, he could plummet to global notoriety.

Featured image via Pexels

Data Breach Exposes Millions of Verizon Customer Records

Verizon’s partner Nice Systems, a contractor that facilitates Verizon’s customer service calls, suffered a data breach that exposed the records of 6 million customers. The data was accessed through an unprotected Amazon S3 storage server. Verizon claims that despite the breach no loss or theft of customer information occurred.

The records in question are logs from residential customers who had called Verizon customer service within the past six months. The cause of the breach was a misconfigured security setting on the server that would allow anyone who knew the web address to access and download the files. This is exactly what happened when an employee of Nice Systems accessed the unprotected Amazon S3 storage server. Thankfully, Verizon reports that no external party had access to the data, limiting the potential scope of the damage to the single employee, who will bear the consequences of that access.
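The misconfiguration described here, a storage bucket readable by anyone who has its address, is usually one of two settings: a bucket ACL that grants access to the AllUsers group, or a bucket policy whose principal is a wildcard. The check below is an added example, not code from Verizon, Nice Systems or UpGuard; it runs offline over constructed ACL and policy documents shaped like the output of the S3 GetBucketAcl and GetBucketPolicy APIs, with the weak configuration beside a corrected one. The bucket name, account id and role name are placeholders.

```python
import json

# Added example: flag the two S3 settings that most often make a bucket
# readable by "anyone who knows the URL". Inputs follow the S3 GetBucketAcl /
# GetBucketPolicy shapes; all sample documents below are constructed.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def public_acl_grants(acl: dict) -> list:
    """Return a finding for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to "
                            f"{PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def public_policy_statements(policy_json: str) -> list:
    """Return a finding for every unconditional Allow with a wildcard principal.

    Statements carrying a Condition block are skipped here; a real audit would
    evaluate the condition rather than trust it.
    """
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        if "*" in principals:
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
                            f"{stmt.get('Action')} to everyone")
    return findings


def audit_bucket(acl: dict, policy_json: str) -> list:
    """Combine both checks; an empty list means nothing public was found."""
    return public_acl_grants(acl) + public_policy_statements(policy_json)


# --- constructed sample configurations -------------------------------------
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"}
BUCKET_ARN = "arn:aws:s3:::example-demo-bucket"          # placeholder bucket
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleCallCenterRole"  # placeholder

# Weak: world-readable via the ACL and via the policy.
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
]})

# Fixed: owner-only ACL and a policy scoped to one named role.
FIXED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CallCenterRead", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
]})

# Account- or bucket-level Block Public Access settings that stop both
# misconfigurations from taking effect (keys as used by the S3 API).
BLOCK_PUBLIC_ACCESS = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("weak :", audit_bucket(WEAK_ACL, WEAK_POLICY))
    print("fixed:", audit_bucket(FIXED_ACL, FIXED_POLICY))
```

The audit reports two findings for the weak pair and none for the fixed one. The Block Public Access settings at the end are the layered control for this class of mistake: with all four enabled, a stray AllUsers grant or wildcard policy is rejected or ignored regardless of what an individual engineer configures on the bucket. That feature was introduced by AWS in late 2018, after the incident described here, so a bucket like the one in the article had only the per-bucket ACL and policy standing between the data and the public internet.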

Each record included the customer’s name, mobile number, and significantly, the customer’s account PIN, along with their home address, email address, and their Verizon account balance. While some records were partially redacted to protect the security and privacy of customers, most were not. This means that anyone with access to the records could have impersonated a subscriber and been granted access to their account, or have sold the information to third parties that could find a use for the data provided.

Verizon and Nice Systems have reported an investigation into the security breach, commenting that the data was part of a “demo system,” but refusing further elaboration. Because the context of that statement has not been disclosed, it is uncertain whether this is fact, which would mean the breach had less impact than it could have had, or simply damage control. The breach was first discovered by Chris Vickery, a researcher working for cybersecurity firm UpGuard, who noticed it on June 13th. After he privately informed Verizon, an investigation was conducted and the data was finally secured on June 22nd, nine days after the breach was initially reported.

This is not the first data breach involving a major mobile carrier, and it is not the first security breach for Verizon. In 2015, data broker Experian experienced a major breach that exposed similar information for 15 million T-Mobile customers. And in 2016, hackers stole data from Verizon’s enterprise unit, which provides IT services to companies, and the stolen information was put up for sale online.

Verizon and all mobile carriers need to invest a great deal more in cybersecurity to ensure that their customers’ data is protected. Regardless of whether the data is stored on a third-party site managed by a partner, the one responsible for the damage caused by the data breach is Verizon itself. Customers place their faith in Verizon to ensure that their privacy is maintained, and considering that this is not the first time Verizon has suffered a data breach, it is certain that Verizon’s reputation has taken a hit.

Whatever the severity of the consequences of a data breach, the trust customers can place in Verizon is now minimal at best. On the lighter side, the fact that this server was a demo suggests the impact will be reduced, but even so it shows customers how much effort Verizon puts into fulfilling its corporate social contract with them. Needless to say, these cybersecurity practices need serious updating and securing if Nice Systems ever wants to partner with a mobile carrier again. Only time will tell whether Verizon and Nice Systems compensate customers for the data breach, beginning with whether more customers will have important private information redacted to minimize the damage in case of another breach.

Featured Image via Flickr/Mike Mozart

Trump Hotels Customers’ Sensitive Information Breached

Trump Hotels announced Tuesday that data had been breached at 14 of its locations, including those in Las Vegas and Chicago, CNBC reports. Customers’ payment card numbers and security codes were seized by hackers who entered the systems of Sabre, a third party that manages reservations for Trump Hotels.

Lee Matthews of Forbes says hackers accessed Sabre’s SynXis Central Reservations system, which contains data pertaining to just 35,000 of Sabre’s 100,000-plus clients. A Sabre spokesperson told Matthews that “less than 15 percent of the average daily bookings on the Sabre Hospitality Solutions reservation system[…]were viewed.”

Sabre learned of the attack in June and disclosed it to Trump Hotels on June 5; the perpetrators had accessed the systems from August 10, 2016 to March 9, 2017.

In Tuesday’s statement, Trump Hotels “recommends that affected individuals remain vigilant for incidents of fraud and identity theft by regularly reviewing account statements and monitoring free credit reports for any unauthorized activity.” If customers do detect unusual activity, the statement advises them to contact their financial institutions, law enforcement agencies, or the Federal Trade Commission.

Cybersecurity at Trump Hotels has been compromised at least three times in just over two years. According to a report by Jose Pagliery of CNN, Trump Hotels management acknowledged in September 2015 that computer systems at the hotel were infiltrated by a virus, which evidently monitored keystrokes and seized payment information, including credit card numbers, expiration dates, security codes, and cardholders’ names, as employees typed it into the computer. Trump Hotels was unsure whether that virus was able to access data stored on the computers, or merely intercept it as it was inputted.

The sensitive information of anyone who stayed at a Trump Hotels location between May 19, 2014 and June 2, 2015 may have been vulnerable, the company said, although “an independent forensic investigation has not conclusively determined [as of September 2015] that any particular customer’s payment card information was taken.”

A legal investigation spearheaded by New York Attorney General Eric Schneiderman found that Trump Hotels was aware of the 2015 breach as early as June of that year, when, Schneiderman’s report says, “a preliminary forensic investigation confirmed the existence of credit card targeting malware at multiple THC locations, including in the computer networks associated with New York, Las Vegas and Chicago hotels.” But the company failed to notify the public until September.

On April 4, 2016, the hotel chain said its computer systems had been compromised again, Pagliery reported on April 5 of that year. Pagliery quoted Eric Trump as saying that Trump Hotels, “like virtually every other company these days, [is] routinely targeted by cyber terrorists whose only focus is to inflict harm on great American businesses.”

But apparently, Trump Hotels had taken no steps to reduce the size of the target on its own back: the company “never implemented the cybersecurity plan they were given to prevent a second attack,” The Huffington Post’s Christina Wilkie reported in September 2016.

Following Schneiderman’s investigation, Trump Hotels was ordered to pay $50,000 in a legal settlement due to the hotel chain’s failure to promptly notify the public of the 2015 hack and to shore up its cybersecurity in that attack’s aftermath.

This most recent incident, of course, is not a direct breach of Trump Hotels security, but a result of vulnerabilities in the computer systems of a contractor with which Trump Hotels works closely. Still, Trump Hotels will no doubt be held responsible by customers whose information was stolen.

The hotel chain has indicated no intention of cutting ties with Sabre, but wary potential customers would presumably feel more confident about staying in Trump hotels if the company took some action to bolster its cybersecurity.

Yahoo User Info Still Up for Sale after System Hack

Back in 2013, Yahoo was hacked and the account information of over one billion users was stolen and put up for sale on the dark web. The asking price stands at $200,000 or best offer. Even setting the passwords aside, the dates of birth, telephone numbers and even security questions could be extremely useful in the wrong hands.

The Feds alerted Yahoo to the hack after seeing the information for sale on the cyber underground. Their subsequent investigation led to the indictment of four men whom they believed responsible. Yet even after the prosecutors unsealed indictments against the four men, the information on one billion users still seems to be up for sale.

While these four men aren’t responsible for the 2013 hack, which earned the title of being the largest known breach of any company’s private security, they are, however, responsible for the second largest hack which took place just a year later.

Yet the Feds seem to be keeping the details of both investigations secret. Malcolm Palmore is in charge of the cyber security division in the Federal Bureau of Investigation and commented, “We’re not willing to comment right now if there is a connection between the two investigations.”

Although the two attacks took place at different times, they have one thing in common: the culprits allegedly responsible were Russian hackers, according to cyber security experts who have been studying the attacks. The experts have deduced that both Yahoo attacks were connected to the Russian government and that part of the data was used to send spam to Yahoo users.

One of the two hackers indicted for the 2014 Yahoo hacking, Alexsey Belan, is known as a tech expert who worked for two Russian intelligence officers. Belan also has a pretty long list of cyber crimes on his record. Yet the recent indictment of Belan and his three cohorts did not disclose how the gang managed to get access to Yahoo’s systems. It is safe to say, however, that they are not novice hackers.

In fact, he was indicted back in 2012 on three felony charges that included hacking Zappos, an online shoe store owned by Amazon. His hack of Zappos robbed nearly 24 million customers of their information. A year later, Belan hacked Evernote and Scribd, digital storage services used by millions of consumers. He was arrested in Greece but managed to post bail and flee to Russia.

Yet cyber security experts say that the Yahoo incident back in 2013 was conducted by different individuals. Those at InfoArmor, a cyber security firm located in Arizona, say that the hack could be attributed to a group named Group E. Reportedly, Group E sold the whole database about three times. One of those sales, InfoArmor believes, was connected to the Russian government.

The two Russian intelligence agents that were indicted in connection with the 2014 Yahoo breach were accused of working with Belan and another hacker to hold their own spying operation. Yet the Russian government has since denied the allegations or involvement with the Yahoo hackings.

The F.B.I. did say that the entire hack on Yahoo’s systems started with a phishing attack. One of Yahoo’s employees was deceived into releasing info that opened the door for the entire scheme. The breach was recognized in 2014 but Yahoo security didn’t realize how severe the entire situation had become.

After telling the public about the security breach, the company prompted its users to change their passwords. Not long afterward, all one billion accounts were posted for sale on the darkest part of the internet, where all types of cyber criminals lurk. The sellers of the information even claim that they retain continued access to Yahoo information. This was proved false when a cyber security agent posed as a prospective buyer seeking proof of access and the thieves could not produce any new account information.

Both hacks on Yahoo had a major impact on the deal the company was making with Verizon Communications. Yahoo had intended to sell to Verizon but after the hacks were made known to the public, Verizon wanted to drop its price down by $925 million from the original number. However, there was an announcement just last month that Verizon would only cut $350 million from its price.

This breach in Yahoo’s security proves just how unsafe the internet can be. Users are advised to change their password every ninety days. Security experts say it’s important not to use birthdays, pet names, or anything else that would be easy for a hacker to guess. Yahoo says that since both incidents all potholes in its security system have been filled and, for the time being at least, users are safe.